Update on PHP/FI hole

Shamanski (jshaman@M-NET.ARBORNET.ORG)
Wed, 16 Apr 1997 21:01:12 -0400

============================================================================
[DiS] Advisory 97-347.1
Issue date: April 16, 1997
Topic: REMOTE Vulnerability in PHP/FI
----------------------------------------------------------------------------

A vulnerability has been found by DiS in PHP/FI, an NCSA httpd CGI enhancement.
This vulnerability allows unauthorized users to view the contents of arbitrary
files on the machine running httpd by sending the name of the file to be
displayed as the QUERY_STRING.

I. Exploit

Simply use any web browser to request the following URL:

http://boogered.system.com/cgi-bin/php.cgi?/file/to/view

Note: this exploit has not been tested on a system that has compiled
PHP/FI as an Apache module. This information may or may not
apply to such a system.

II. Impact

Remote, unauthorized users can view the contents of any file on the
system that is readable by the httpd (HTTP daemon) child process.

III. Solution

The PHP/FI author has proposed the following workaround:

>> ...The workaround is to set the following in php.h
>>
>> #define PATTERN_RESTRICT ".*\\.phtml$"
>>
>> This will limit the php.cgi parser to only display files ending in .phtml
>>
>> The exact same advisory applies to any other parser someone might decide
>> to stick in their cgi-bin directory. This is in no way specific to PHP/FI.
>>
>> You can also avoid the problem by using either CGI redirection or
>> by using the Apache module version.
>>
>> -Rasmus

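As an added illustration (this is not code from the advisory, from DiS, or from
the PHP/FI source), the following C program models the file-selection step of a
cgi-bin parser as a POSIX regex check of the requested path, so the effect of
the quoted PATTERN_RESTRICT workaround can be seen on sample requests. The only
thing taken from the page is the pattern ".*\\.phtml$"; the function names
php_cgi_select and path_allowed, the hypothetical ANCHORED_PATTERN variant, the
document root /usr/local/www and the sample paths are all assumptions made for
the example. It also shows two caveats a practitioner should keep in mind: the
pattern restricts the file suffix only, so every .phtml file readable by the
httpd child stays viewable, and even a pattern anchored to a document root is a
test on the raw string, not on the resolved path, so ".." segments pass.

```c
/*
 * Added example (not PHP/FI source, not DiS's or Rasmus's code): a minimal
 * model of a CGI parser deciding whether to open the file named in
 * QUERY_STRING, gated by a PATTERN_RESTRICT-style POSIX regex.
 * Function names, ANCHORED_PATTERN and the sample paths are hypothetical.
 */
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* The workaround pattern quoted in the advisory: only files ending in .phtml. */
#define PATTERN_RESTRICT ".*\\.phtml$"

/* Hypothetical tighter variant that also pins the path to a document root. */
#define ANCHORED_PATTERN "^/usr/local/www/.*\\.phtml$"

/* Return 1 if path matches pattern, 0 if it does not, -1 if the pattern
 * itself fails to compile (a real parser should treat -1 as "deny"). */
int path_allowed(const char *pattern, const char *path)
{
    regex_t re;
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, path, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

/* Model of the parser's gate. A NULL or empty pattern reproduces the
 * unrestricted behaviour the advisory describes: every path is accepted. */
int php_cgi_select(const char *pattern, const char *query_string)
{
    if (pattern == NULL || pattern[0] == '\0')
        return 1;
    return path_allowed(pattern, query_string);
}

int main(void)
{
    /* Constructed sample requests, not captured traffic. */
    const char *requests[] = {
        "/etc/passwd",
        "/usr/local/www/index.phtml",
        "/etc/passwd.phtml.bak",
        "/home/victim/private.phtml",
        "/usr/local/www/../../home/victim/private.phtml",
    };
    size_t n = sizeof requests / sizeof requests[0];

    printf("%-50s %-12s %-16s %s\n", "QUERY_STRING", "unrestricted",
           "PATTERN_RESTRICT", "anchored");
    for (size_t i = 0; i < n; i++) {
        printf("%-50s %-12d %-16d %d\n", requests[i],
               php_cgi_select(NULL, requests[i]),
               php_cgi_select(PATTERN_RESTRICT, requests[i]),
               php_cgi_select(ANCHORED_PATTERN, requests[i]));
    }
    return 0;
}
```

Compile with cc -o gate gate.c and run it. The first column (no pattern)
accepts everything, which is the condition the advisory exploits. The quoted
PATTERN_RESTRICT stops /etc/passwd and the .bak name but still accepts
/home/victim/private.phtml, and the last row shows that even the anchored
pattern accepts a path that starts under the document root and then climbs
out with "..". The quoted reply also offers CGI redirection or the Apache
module version as alternatives to relying on the pattern at all.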
----------------------------------------------------------------------------

The current PHP/FI distribution may be obtained from http://www.vex.net/php

J-Man Th' Shaman [DiGiTAL iNFORMATiON SOCiETY]
jshaman@m-net.arbornet.org
jamin@avatar.ml.org