[ http://www.rootshell.com/ ]

Whilst perusing various things included with the PHP distribution, I
noticed that there was a gaping security hole in a few of the example
scripts, specifically mlog.html and mylog.html, which allow any remote user
to read any arbitrary file on the system. (which is readable to the user
that httpd and thus PHP are running as) To top it all off, this exploit is
really easy to accomplish.

The problem lies in the line:

<?include "$screen">

in both mlog.html and mylog.html.  The idea is to include a file for each
type of logging stats, however, there is no escaping of slashes, so one can
specify any file on the system.

The exploit for dummies:

http://some.stupid.isp.net/~dumbuser/cool-logs/mlog.html?screen=[fully
qualified path to any file on the system]

useful files to see are /etc/hosts.allow, /etc/passwd (for unshadowed
systems..) and just about anything else.

Temporary fix:

insert the line

<?ereg_replace("/","",$screen);>

just before the <?include... line.

This problem exists in the most current distribution of PHP; I'm willing to
bet that it's been around for a while.  Hopefully, it will be officially
fixed soon... ;)

bryan


---------------------------------------------------------------------------------


I wrote that fix without testing it... it does not work, I'm just a little
slow sometimes... ;)

Instead of using the ereg_replace line I submitted before, use the
following block of code, again, right before <?include... line.

<?if(ereg("\/",$screen)) {
        echo "Permission denied: path may not contain slashes.";
        Exit;
        }
>

Sorry about that... this has been confirmed on my machine and does work.

bryan