New PEAR / Apache2Triad Exploit
File: go-pear.php
Affects: v0.2.2 (May affect other versions)
Date: 6th January 2006
Issue Description:
====================================
A vulnerability exists within version 0.2.2 of go-pear.php, part of PHP's PEAR
Package.
The problem lies in the scripts capacity to utilize a proxy server.
An attacker can take advantage of this option by providing it with a malicious
proxy server
that is configured to redirect the original request to another file server.
By simply mirroring the requested content from the intended file server
the attacker can assure the script continues running uninterrupted.
Hosting a modified version of "Tar.php" and pre pending code to the
extractModify() function
will allow the attacker to run any PHP code of their choosing. This occurs
because go-pear uses
"Tar.php" to extract all the packages it previously retrieved, in doing so it
invokes the now
compromised version of extractModify().
=====================================
Scope:
=====================================
This vulnerability has the most serious implications for Apache2Triad users
as the go-pear.php script is installed by default and is accessible at
http://www.yoursite.com/php/pear/go-pear.php
=====================================
Recommendation:
=====================================
Regular PEAR users should simply update to the latest version available
at http://pear.php.net
Apache2Triad users who simply wish to address this issue should do the
following:
[1] Go to your apache2triad directory
[2] Navigate to \php\pear
[3] Rename or delete the "go-pear.php" file
=====================================
Discovered By: Gammarays