NYCPHP Meetup

[Tim Gales]

I was searching the SANS Institute's website looking for reported
(purported) PHP bugs.

When up popped s blurb about CAN-2003-0863. I knew that CANs are only
candidates for becoming a CVE (common vulnerability and exposure) but the
following made me want to look into it further.

"CAN-2003-0863" "The php_check_safe_mode_include_dir function in
fopen_wrappers.c of PHP 4.3.x returns a success value (0) when the
safe_mode_include_dir variable is not specified in configuration, which
differs from the previous failure value and may allow remote attackers to
exploit file include vulnerabilities in PHP applications."

clicking on the link
(http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0863)

took me to a page which gave the origin of the 'bug' report as coming from
http://marc.theaimsgroup.com/?l=bugtraq&m=105839111204227 

And clicking on that link provided an email written by 
Michal Krause and dated 2003-07-16 7:46:43 
subject line:  "PHP safe mode broken".

In the body of the email Krause states:
"This behaviour could make older working setups insecure after upgrading
to PHP 4.3.x.

I tried to report this bug to PHP developers twice in last weeks, but I
didn't receive any answer."

I can remember thinking this looks bleak for me (as I had 
already upgraded from 4.2.2) and how could I mend my "broken safe mode".

I thought to myself surely something as important as this will show up if
I search http://lists.php.net -- but I couldn't find any mention of it.

Then I thought maybe there was a response to his post. So, I went back to
bugtraq link above. There was indeed a response from Krause himself
stating:

"To test it[his patch], create simple PHP script owned by some regular
user, which will try to include /etc/passwd for example.

<?
echo("trying to read /etc/passwd");
include("/etc/passwd");
?>  

This script should fail on safe mode error (when safe mode is enabled, of
course). "

I couldn't believe my eyes -- this guy had it 180 degrees backwards -- or
did he? I searched Google again and found more about "CAN-2003-0863". I
think I got something different than what comes up now -- namely
http://xforce.iss.net/xforce/xfdb/12714 But that web page looks pretty
authoritative (after all ISS is the home of "X-Force Research"-- with a
name like that how could it be wrong?)

The ISS web page states:

"Platforms Affected: 
Linux Any version
PHP 4.3 to 4.3.2
Unix Any version
Windows Any version


Remedy: 


No remedy available as of July 2003.


Consequences: 
Bypass Security "

I'll just stop here -- I  have already gone on too long.

Anyway its no wonder people think PHP has security problems.

(also I apologize for going on and on -- but this gets me upset)


T. Gales & Associates
'Helping People Connect with Technology'

http://www.tgaconnect.com