90% of programs made in PHP5 and prior Full Path Disclosure vuln.

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: 90% of programs made in PHP5 and prior Full Path Disclosure vuln.
From: sirdarckcat@xxxxxxxxx
Date: 14 May 2006 06:16:28 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

:Introduction:

Normally one of the last steps when accessing to a web-server is to find the 
url where the web is installed (more common in RFD).

This may be a hard step, if the RPD is the only bug in that server, but PHP 
programs have functions that unexpectedly can return lots of errors.

**** ATTENTION ****
This is a design Error made by the programmers of the affected php programms, 
PHP language by it is safe.
*******************

Normally a Full Path Disclosure is not dangerous, but in this case the 90% of 
the programs written in PHP are vulnerable.

This is a list of 21 tested programs, in their last release at 13/05/06, 19 are 
vulnerable:

-paFileDB    -    Affected
-PhpWiki     -    Affected (GET Data)
-CuteNews    -    Affected (GET Data)
-SMF         -    Affected (GET POST & COOKIE)
-phpBB       -    Not Affected
-phpNuke     -    Affected
-myBB        -    Affected (POST Data)
-phpMyAdmin  -    Affected
-PHProxy     -    Affected (Cookie & Post Data)
-phpSurveyor -    Affected
-vBulletin   -    Affected (POST Data)
-PunBB       -    Affected (POST Data)
-XMB         -    Affected (just some files)
-IPB         -    Not Affected (some cases)
-Quick Forum -    Affected
-FreeScene   -    Affected (POST Data)
-EBB         -    Affected (just some files)
-tinyBB      -    Affected (no filters xD)
-SciELO      -    Affected (GET Data)
-XOOPS       -    Affected (POST Data)
-SquirrelMail-    Affected

The design-error AMAZINGLY USED is when you parse an Array into a function that 
spect a STRING.

The mainly bug in PHP found was:
PHPSESSID *or equivalent* equal to a null-array.

when calling the function session_start(); will return an error like:

Warning: session_start(): The session id contains invalid characters, valid 
characters are only a-z, A-Z and 0-9 in /%path%/test.php on line 3

** NOTE **
This error also appears when calling with no value (that also bypass filters).

This will also bypass all cleaning functions as:

-htmlentities
-urlencode
-etc..

returning "specting T_STRING" error.

:Solution:

The only way to detect is to add to your filter the condition is_array().

Also, you have to clean with this all parameters incoming from 
$_REQUEST(cookie,get and post)

:Other Solution:

Disabling all errors and warnings in php.ini

:Dangereous?:

No, but a Path Disclosure can reveal sensitive information.

:Impact:

The path may contain the username of the account, includes file and path, 
version of software, drive were web is installed, etc..

:Note:

I repeat. THIS IS NOT DANGEROUS, its only an aditional help you are giving to 
hackers that already have access to your server.

:Research made by:
sirdarckcat 

elhacker.net

Prev by Date: Re: PHPBB 2.0.20 persistent issues with avatars
Next by Date: XSS in FreeTextBox and FCKEditor Basic Toolbar Selection
Previous by thread: Re: JDK 1.4.2_11, 1.5.0_06, unsigned applets consuming all free harddisk space
Next by thread: Re: 90% of programs made in PHP5 and prior Full Path Disclosure vuln.
Index(es):
- Date
- Thread