<<< Date Index >>>     <<< Thread Index >>>

PHP APC vulnerable to local attacks



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

PHP APC is an opcode cache for PHP, or, as the developers say: "APC is a
free, open, and robust framework for caching and optimizing PHP
intermediate code."

http://pecl.php.net/package/APC

While at least some of its developers do not consider this an issue
(based on the assumption that "it is pretty well understood that opcode
caches need a better defined environment than the chaos of a general
mass vhosting ISP"), it is not documented and not neccessarily known
that PHP APC does not provide safety measures against local attacks.

According to one of the developers, in a multi-user environment, attacks
that users can currently carry out  against other local users are
* filling the user cache
* constantly delete the cache
both of which may lead to a DoS situation.

In addition, there's a cross site scripting issue which comes into play
when you have local users which are able to create files and cause those
to be cached, and a server admin later visits the apc.php web interface
which comes with PHP APC. See below for further information on this
specific issue.




Cross Site Scripting vulnerability in PHP-APC

PHP APC 3.1.1, 3.0.19 and probably earlier versions of PHP-APC are
subject to a cross site scripting vulnerability which can be triggered
by local users.

This issue is caused by insufficient validation of path and file names
which are displayed to an authenticated admin when viewing the 'System
Cache Entries' and 'User Cache Entries' sections on the apc.php web
management interface.

This issue can be exploited in all environments which different access
levels for the PHP APC admin and other users with local write permissions
apply.

A malicious user with local write access (such as an FTP user on shared
hosting environments) may create two directories
  </
  a><script>alert("XSS")</
and create a file named
  script>.php
in the latter directory, then access this file via HTTP. If PHP-APC is
active on this host, this file may have been cached and will then be
listed on the apc.php web interface to a logged in admin. In this
harmless example, the injected script code will display a javascript
alert window. However, the attacker could also use this vulnerability to
steal the PHP APC admins' session data from within the domain apc.php is
invoked in, as well as all other attacks cross site scripting allows for.

This issue has been fixed in PHP APC CVS.
http://cvs.php.net/viewvc.cgi/pecl/apc/apc.php?r1=3.73&r2=3.74

Report by Moritz Naumann, Naumann IT Consulting & Services, Berlin, Germany.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEAREKAAYFAklL9CcACgkQn6GkvSd/BgzKzwCaApHUNViTrP37L07R5PNYd91x
TEMAn3wlCWIv0zLdB0mPLJ+irNnPkeJk
=URtO
-----END PGP SIGNATURE-----