Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 112482 - www-apps/phpsysinfo Multiple vulnerabilities
Summary: www-apps/phpsysinfo Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.hardened-php.net/advisory_...
Whiteboard: B2 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-11-13 22:53 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-11-22 14:28 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Ebuild for =dev-php/phpsysinfo-2.4.1 (phpsysinfo-2.4.1.ebuild,1.08 KB, application/octet-stream)
2005-11-15 19:40 UTC, Vic Fryzel (shellsage) (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-13 22:53:04 UTC
-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 
 
                        Hardened PHP Project 
                        www.hardened-php.net 
 
                      -= Security  Advisory =- 
 
 
     Advisory: Multiple vulnerabilities in phpSysInfo  
 Release Date: 2005/11/13 
Last Modified: 2005/11/12  
       Author: Christopher Kunz <christopher.kunz@hardened-php.net> 
  Application: phpSysInfo 2.4 and prior  
     Severity: Cross-Site Scripting, HTTP Response Splitting, 
               Arbitrary local file inclusion 
         Risk: Medium  
Vendor Status: Vendor has released an updated version.  
   References: http://www.hardened-php.net/advisory_222005.81.html 
 
Overview: 
 
   phpSysInfo is a PHP script that displays information about the host being 
   accessed. It will displays things like Uptime, CPU, Memory, SCSI, IDE, PCI, 
   Ethernet, Floppy, and Video Information. 
   A number of holes - all of them attributed to a rather crude (and unneeded) 
   register_globals emulation - allow for arbitrary file inclusion, amongst  
   other things. 
 
       
Details: 
 
   It is important to note that due to the nature of phpSysInfo, it is 
unlikely 
   to be run inside an open_basedir, since most of the information the 
software 
   obtains is from the /proc or /etc directories. Furthermore, few admin- 
   istrators will restrict its access to PHP's shell functions, since a such 
   restriction would render the software unusable. In fact, the author 
requires 
   that safe_mode be set to Off and no other restrictions be imposed on the 
PHP 
   installation. 
    
   A hole that was reported in CVE-2003-0536 and is reported as "fixed" in the 
   phpSysInfo README still persists. The reason for this problem lies in the 
   incorrect handling of variables by the "globalization layer" implemented in 
   phpSysInfo's index.php - quote: 
           if (!empty($HTTP_GET_VARS)) while (list($name, $value) =  
            each($HTTP_GET_VARS)) $$name = $value; 
           if (!empty($HTTP_POST_VARS)) while (list($name, $value) =  
            each($HTTP_POST_VARS)) $$name = $value; 
   As the interested reader will easily see, this two-liner overwrites the 
   complete scope, including the superglobal variable $_SERVER. By injecting 
   a local path name into $_SERVER['HTTP_ACCEPT_LANGUAGE'], an attacker can 
now 
   include arbitrary files. If they have a way to create content on the target  
   server (such as an entry in syslog or the web server log file), they can 
use 
   this to execute arbitrary code. 
   In the Debian Sarge package, injecting only HTTP_ACCEPT_LANGUAGE is suffi- 
   cient - the current source tree (phpsysinfo-dev from sf.net) requires the 
   attacker to additionally inject the $lng parameter. 
   Example: /index.php?_SERVER[HTTP_ACCEPT_LANGUAGE]=../../README%00 
            /index.php?_SERVER[HTTP_ACCEPT_LANGUAGE]=../../README%00&lng=../../ 
            README%00 
             
   The variable $sensor_program is set in config.php, but can be overwritten 
   since config.php is actually included *before* reglobalization takes place. 
   With this variable, arbitrary file inclusion is possible on some platforms, 
   dependant on the local realpath() implementation. 
   Example: /index.php?sensor_program=lmsensors.inc.php/../../README%00 
    
   Additionally, $sensor_program can *still* be used to inject active contents 
   into the page, known as Cross-Site Scripting. This issue was discussed in  
   CVE-2005-0870 and still exists. The other XSS holes mentioned in that ad- 
   visory are still valid, too. They can be abused with register_globals Off, 
   this is different from the advisory by ISS. It is, however, not exploitable 
   on Debian systems. 
   An additional attack vector for Cross-Site Scripting attacks is the 
variable 
   $VERSION, which is used for the version string displayed on the bottom of  
   each page. 
   Example: /index.php?VERSION=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E 
    
   A fairly unknown attack class is so-called HTTP Response Splitting, an at- 
   tack that allows for "selective defacement" of web pages by poisoning for- 
   warding or reverse proxies. An explanation of this attack class is beyond 
   the scope of this advisory, a whitepaper can be obtained at [1].  
   Using HTTP Response Splitting, arbitrary strings can be injected into the 
   variable $charset, which is meant to include a value such as "iso-8859-1" 
 
   or similar, but is only set to a value inside a language include file if a 
   language in fact requires a character set different from iso-8859-1. In all 
   other cases, it can be set via the URL. This variable is fed to a header() 
   call without any additional checks. By breaking up the argument with \r\n, 
   the attacker can inject a complete second HTTP response. This response is 
   the only one that will be returned by any intermediate proxy, showing what- 
   ever HTML the attacker injected previously. 
   Example: 
   /index.php?charset=%0d%0aContent-Length:
%200%0d%0a%0d%0aHTTP/1.1%20200%20OK% 
   0d%0aContent-Type:%20text/html%0d%0aContent-Length:
%2019%0d%0a%0d%0a<html>Ha 
   cked!</html> 
   This example will print out a simple (and invalid) HTML page containing 
only 
   the string "Hacked!" if the victim accesses the phpSysInfo instance from 
be- 
   hind a proxy. Direct access will probably yield an empty page, since many  
   browsers do not know how to handle more than one response to a HTTP 
request. 
                
 
Proof of Concept: 
 
   The examples above should provide you with enough PoC to validate the ex- 
   istance of the vulnerabilities. 
       
 
Disclosure Timeline: 
 
   10. November 2005 - Bug disclosed to vendor. 
   10. November 2005 - Updated version 2.4 released. 
   11. November 2005 - 2.4 does not seem to fix - own patch sent to vendor. 
   12. November 2005 - New updated version 2.4.1 fixes the issues. 
   13. November 2005 - Public disclosure. 
 
 
Credits: 
 
   All vulnerabilities were investigated by the Hardened-PHP Project. Credit 
to 
   referred vulnerabilities goes to the original authors, as mentioned on CVE. 
    
 
Recommendation: 
 
   We have provided a bugfix to the vendor, which, in addition to their own 
   fix, will be included in version 2.4.1 of phpSysInfo. 
   We also recommend installing the Hardening Patch for PHP which would have 
   mitigated the response splitting problem (by not allowing multiline 
headers) 
   and the $_SERVER overwriting issues (by not allowing certain superglobals 
to 
   be overwritten from the outside). 
   If you want to fix the issue yourself, just comment out the lines mentioned 
   in an earlier paragraph of this advisory and selectively infer the 
variables 
   $_REQUEST['lng'] and $_REQUEST['template'] from the outside. 
   Additionally, access to the includes/ directory should be restricted by 
   appropriate means, e.g. a .htaccess file. 
 
 
CVE Information: 
 
   The Common Vulnerabilities and Exposures project (cve.mitre.org) has 
   assigned the name CVE-2005-3347 to the file inclusion issue and the name 
   name CVE-2005-3348 to the HTTP response splitting problem. 
    
 
References: 
 
   [1] 
http://www.packetstormsecurity.org/papers/general/whitepaper_httprespons 
       e.pdf 
   [2] http://phpsysinfo.sourceforge.net/ 
 
 
Plug: 
 
   You can discuss this and other vulnerabilities in our forum at  
   http://forum.hardened-php.net/ - an up-to-date list of advisories can be 
   found at http://www.hardened-php.net/. 
 
 
GPG-Key: 
 
   http://www.hardened-php.net/hardened-php-signature-key.asc 
 
   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key 
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1 
 
Copyright 2005 Christopher Kunz / Hardened PHP Project. All rights reserved. 
 
-----BEGIN PGP SIGNATURE----- 
Version: GnuPG v1.0.6 (GNU/Linux) 
Comment: For info see http://www.gnupg.org 
 
iD8DBQFDdyOFRDkUzAqGSqERAt9KAJ4uCXhrcapN/zxWDS6n7y8ezp6xsQCgw28i 
HSdHc4zKJ8aCj5gSC8Zxlj4= 
=XRw5 
-----END PGP SIGNATURE-----
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-11-14 00:52:24 UTC
Please bump to version 2.4.1
Comment 2 Vic Fryzel (shellsage) (RETIRED) gentoo-dev 2005-11-15 19:40:53 UTC
Created attachment 72981 [details]
Ebuild for =dev-php/phpsysinfo-2.4.1

Sending ebuild per jaervosz's request.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-11-18 04:58:08 UTC
Apparently egroupware and phpgroupware include phpsysinfo... (source: Debian DSA
898-1 and 899-1)
Comment 4 Stuart Herbert (RETIRED) gentoo-dev 2005-11-20 03:57:41 UTC
phpsysinfo 2.4.1 is now in Portage.  Note that it has now moved to www-apps/
category

egroupware bundles an older copy of phpsysinfo, which does not seem to be
vulnerable to this specific attack.

phpgroupware hasn't been released in over 12 months, and their home page is
currently down.  phpgroupware is now masked, and will be removed in a couple of
weeks.  

Best regards,
Stu
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-20 04:09:37 UTC
Arches please test and mark stable. 
Comment 6 Jason Wever (RETIRED) gentoo-dev 2005-11-20 09:01:24 UTC
Stable on SPARC
Comment 7 Petteri Räty (RETIRED) gentoo-dev 2005-11-20 10:16:06 UTC
x86 done
Comment 8 Simon Stelling (RETIRED) gentoo-dev 2005-11-20 11:06:28 UTC
amd64 stable
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2005-11-20 13:11:52 UTC
stable on ppc64 
Comment 10 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-11-20 14:31:14 UTC
stable on alpha
Comment 11 Joe Jezak (RETIRED) gentoo-dev 2005-11-20 14:49:24 UTC
Marked ppc stable.
Comment 12 Guy Martin (RETIRED) gentoo-dev 2005-11-21 03:06:43 UTC
Stable on hppa.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-21 03:13:34 UTC
This one is ready for GLSA. 
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-22 14:28:54 UTC
GLSA 200511-18