PHP remote arbitrary file reading and directory traversal vulnerability

xiaoxiao2021-03-06  42

Release Date: 2004-12-16

Update Date: 2004-12-17

Affected systems:
PHP 5.0.2
PHP 5.0.1
PHP 5.0.0.3.8
PHP 4.3.7
PHP 4.3.6

Unaffected systems:
PHP 5.0.3
PHP 4.3.10

Description:
--------------------------------------------------------------------------------
PHP is a popular web server-side programming language.

PHP has input validation vulnerabilities that remote attackers can use to read system file content and conduct directory traversal attacks.

The first problem is in addslashes(), which is used to filter user input. When magic_quotes_gpc is set to "On", input is filtered through it, but addslashes() encodes NULL bytes incorrectly. If the user input is then used by include() or require(), an attacker may be able to read any file on the file system.

The second problem is path traversal in file uploads. PHP automatically filters the uploaded file name, deleting everything before a slash or backslash. However, if the file name uploaded by the attacker contains single quotes and the web server has magic_quotes set to On, or performs addslashes() on the upload file name, a backslash is prefixed to each single quote. On Windows systems this can cause directory traversal, allowing files to be uploaded to any directory of the system.

<* Source: Daniel Fabian (D.fabian@sec-consult.com)
   Link: http://marc.theaimsgroup.com/?l=bugtraq&m=110321976808504&w=2
*>

Testing method:
--------------------------------------------------------------------------------

Warning

The following procedures (methods) may be offensive in nature and are provided only for security research and teaching. Use them at your own risk!

Daniel Fabian (D.fabian@sec-consult.com) provides the following test methods:

If there is a PHP script:

>

Malicious attackers can submit the following URL to get the file content:

http://localhost/phpscript.php?whatver=../../../../boot.ini%00

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

PHP
---
The vendor has released upgrade patches that fix this security issue. Please go to the vendor's homepage and upgrade to PHP 4.3.10 or 5.0.3:

http://www.php.net/
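
Independently of the upgrade, application code can refuse the inputs that both problems rely on. The following PHP sketch is an added example, not code from the advisory or from the PHP project; the function names, the `.htm` suffix and the demo directory are assumptions, and it requires PHP 7.1 or later.

```php
<?php
// Added example; function names and directory layout are hypothetical.

// Resolve a user-supplied page name to a file strictly inside $baseDir.
// Returns the absolute path, or null when the input must be rejected.
function safe_include_path(string $baseDir, string $name): ?string
{
    // Reject NUL bytes outright instead of trusting addslashes()/magic quotes.
    if (strpos($name, "\0") !== false) {
        return null;
    }
    // Allowlist: one path component of letters, digits, '_' and '-'.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.htm');
    // realpath() is false for missing files; then confirm containment.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Reduce a client-supplied upload file name to a safe final component.
function safe_upload_name(string $clientName): ?string
{
    // Treat '\' like '/', so a backslash introduced by quote escaping
    // cannot act as a Windows path separator.
    $name = basename(str_replace('\\', '/', $clientName));
    // Keep a conservative character set only (drops quotes, NUL, spaces).
    $name = preg_replace('/[^A-Za-z0-9._-]/', '', $name);
    // Reject empty names and dot-leading names (covers '.' and '..').
    if ($name === null || $name === '' || $name[0] === '.') {
        return null;
    }
    return $name;
}

// Constructed sample inputs.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo';
if (!is_dir($dir)) { mkdir($dir); }
file_put_contents($dir . DIRECTORY_SEPARATOR . 'header.htm', 'ok');
var_dump(safe_include_path($dir, 'header'));
var_dump(safe_include_path($dir, "../../boot.ini\0"));
var_dump(safe_upload_name("..\\'report.txt"));
```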
