Unauthorized reading files on phpSysInfo
Date: 2003-04-27

Author: Ripe <ripe@7a69ezine.org>


+ Type: To gain visibility (unauthorized file read).

+ Software: phpSysInfo.

+ Versions: up to and including 2.1 (current version).

+ Exploit: Yes (but only local).

+ Author: Albert Puigsech Galicia

+ Contact: ripe@7a69ezine.org


PhpSysInfo is a little PHP script intended to show system information.
It shows data such as CPU and memory usage, disk usage, PCI, ethernet and IDE
information, etc. Visit the project website at http://phpsysinfo.sourceforge.net
for more information.


PhpSysInfo has a template system driven by the 'template' variable and a
language system driven by the 'lng' variable. Both variables are used to complete
a file path without checking whether they contain the special '..' directory, which
allows any file on the system readable by the webserver user to be read.


Exploiting this vulnerability requires write access to a local
directory from which the webserver can read files.

In the template case, phpSysInfo only checks that the template exists, and it does
so merely by testing whether 'templates/$template' exists.

---/ index.php /---

// $template comes straight from the request (register_globals); only its existence is checked.
if (!((isset($template) && file_exists("templates/$template")) || $template == 'xml')) {
    // default template we should use if we don't get a argument.
    $template = 'classic';
}

---/ index.php /---

The language selection code does exactly the same.

---/ index.php /---

// $lng comes straight from the request; again only the existence of the file is checked.
if (!(isset($lng) && file_exists('./includes/lang/' . $lng . '.php'))) {
    $lng = 'en';
    // see if the browser knows the right languange.
    // (split() and each() are legacy PHP 4 functions; they were removed in later PHP versions.)
    $plng = split(',', $HTTP_ACCEPT_LANGUAGE);
    if (count($plng) > 0) {
        while (list($k, $v) = each($plng)) {
            $k = split(';', $v, 1);
            $k = split('-', $k[0]);
            if (file_exists('./includes/lang/' . $k[0] . '.php')) {
                $lng = $k[0];
            }
        }
    }
}

---/ index.php /---

The 'template' variable is then used to open the files
'./templates/$template/form.tpl' and './templates/$template/box.tpl'
for the template handling, so it is necessary to create symlinks in order to read
any file the webserver is allowed to read.

local ~$ ln -s /etc/passwd /tmp/form.tpl
local ~$ ln -s /etc/passwd /tmp/box.tpl


The 'lng' variable is used in this piece of code:

---/ index.php /---

require('./includes/lang/' . $lng . '.php'); // get our language include

---/ index.php /---

In the same way as 'template', it allows us to read a file on
the system.

local ~$ ln -s /etc/passwd /tmp/p.php


But it also allows arbitrary PHP code to be executed, by creating the PHP
file first.

local ~$ echo "<?php phpinfo() ?>" > /tmp/p.php


Because the file name is built with the PHP '.' string concatenation operator, a
fixed suffix is always appended, which prevents a remote exploit of this
vulnerable script: we cannot use %00 to terminate the string.


There is no official patch, but it is easy to write one by adding a
regex check to the code to filter '..' content from the 'template' and 'lng' variables.
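The check suggested above, as an added example and not the project's or the author's own code: a whitelist validator for the 'template' and 'lng' values that rejects anything but a plain name and, as a second line of defence, confirms that the resolved path (symlinks included) stays inside the intended directory. It assumes the values are read from $_GET rather than via register_globals, and that the 'xml' template is handled separately as in the original code.

```php
<?php
// Added example (not phpSysInfo's own code): validate a path component before
// it is concatenated into a file name.
//
// $value   - the untrusted request value (null if absent)
// $dir     - directory the file must live in, e.g. './templates'
// $suffix  - fixed suffix the script appends, e.g. '/form.tpl' or '.php'
// $default - safe fallback used when validation fails
function safe_component(?string $value, string $dir, string $suffix, string $default): string
{
    // 1. Whitelist regex: letters, digits, underscore and dash only. This rejects
    //    '..', '/', '\\' and null bytes, so the value cannot leave $dir.
    if ($value === null || !preg_match('/^[A-Za-z0-9_-]+$/', $value)) {
        return $default;
    }

    // 2. Containment check: resolve symlinks and make sure the final file is
    //    still below $dir. A symlink planted inside $dir that points elsewhere
    //    (e.g. to /etc/passwd) resolves outside and is rejected here.
    $base = realpath($dir);
    $path = realpath($dir . '/' . $value . $suffix);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return $default;
    }

    return $value;
}

// Usage in place of the unchecked file_exists() tests shown above.
// 'xml' is the only template name with no on-disk directory, so it is passed through explicitly.
$requestedTemplate = $_GET['template'] ?? null;
if ($requestedTemplate === 'xml') {
    $template = 'xml';
} else {
    $template = safe_component($requestedTemplate, './templates', '/form.tpl', 'classic');
}

// Browser-supplied Accept-Language values go through the same validator before
// any file_exists() or require() call, since they are attacker-controlled as well.
$lng = safe_component($_GET['lng'] ?? null, './includes/lang', '.php', 'en');

require './includes/lang/' . $lng . '.php'; // now guaranteed to be a file under includes/lang
```

With this in place a value such as '../../../../tmp' fails the regex and falls back to the default, and a symlink dropped inside templates/ is caught by the realpath() containment check.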

> Albert Puigsech Galicia (7a69)
> http://ripe.7a69ezine.org

