PHP is a popular web programming language. A vulnerability exists in the implementation of PHP's session-handling functions; a remote attacker may exploit it to obtain sensitive information or to write files to unauthorized locations.

session.save_path can be set with ini_set() or with the session_save_path() function. session.save_path must contain the path of the directory in which the session tmp files are saved, but the syntax of session.save_path is [/PATH] or [N;/PATH], where N is a string. For example:

1. session_save_path("/DIR/WHERE/YOU/HAVE/ACCESS")
2. session_save_path("5;/DIR/WHERE/YOU/HAVE/ACCESS")
and
3. session_save_path("/DIR/WHERE/YOU/DONT/HAVE/ACCESS\0;/DIR/WHERE/YOU/HAVE/ACCESS")

Code from PHP520 ext/session/session.c, lines 1477-1493 [START]:

    PHP_FUNCTION(session_save_path)
    {
        zval **p_name;
        int ac = ZEND_NUM_ARGS();
        char *old;

        if (ac < 0 || ac > 1 || zend_get_parameters_ex(ac, &p_name) == FAILURE)
            WRONG_PARAM_COUNT;

        old = estrdup(PS(save_path));

        if (ac == 1) {
            convert_to_string_ex(p_name);
            /* the new value is handed to the ini layer together with its full
               Zend string length, so an embedded NUL byte travels with it */
            zend_alter_ini_entry("session.save_path", sizeof("session.save_path"),
                                 Z_STRVAL_PP(p_name), Z_STRLEN_PP(p_name),
                                 PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
        }

        RETVAL_STRING(old, 0);
    }

Code from PHP520 ext/session/session.c, lines 1477-1493 [END]

The value is stored in hash_memory (but before that, safe_mode and open_basedir check this value), and if the user starts a session (e.g. with session_start()), the PS_OPEN_FUNC(files) function examines the value taken from session.save_path.

Code from PHP520 ext/session/mod_files.c, lines 242-300 [START]

    PS_OPEN_FUNC(files)
    {
        ps_files *data;
        const char *p, *last;
        const char *argv[3];
        int argc = 0;
        size_t dirdepth = 0;
        int filemode = 0600;

        if (*save_path == '\0') {
            /* if save path is an empty string, determine the temporary dir */
            save_path = php_get_temporary_directory();
        }

        /* split up input parameter */
        last = save_path;
        p = strchr(save_path, ';');   /* C-string search: stops at the first NUL byte */
        while (p) {
            argv[argc++] = last;
            last = ++p;
            p = strchr(p, ';');
            if (argc > 1) break;
        }
        argv[argc++] = last;

        if (argc > 1) {
            errno = 0;
            dirdepth = (size_t) strtol(argv[0], NULL, 10);
            if (errno == ERANGE) {
                php_error(E_WARNING, "The first parameter in session.save_path is invalid");
                return FAILURE;
            }
        }

        if (argc > 2) {
            errno = 0;
            filemode = strtol(argv[1], NULL, 8);
            if (errno == ERANGE || filemode < 0 || filemode > 07777) {
                php_error(E_WARNING, "The second parameter in session.save_path is invalid");
                return FAILURE;
            }
        }

        save_path = argv[argc - 1];   /* the last component becomes the session directory */

        data = emalloc(sizeof(*data));
        memset(data, 0, sizeof(*data));
        data->fd = -1;
        data->dirdepth = dirdepth;
        data->filemode = filemode;
        data->basedir_len = strlen(save_path);
        data->basedir = estrndup(save_path, data->basedir_len);

        PS_SET_MOD_DATA(data);

        return SUCCESS;
    }

Code from PHP520 ext/session/mod_files.c, lines 242-300 [END]

Because the NULL byte in session.save_path sits directly before the ";", strchr() never sees the ";", so the path actually used becomes /DIR/WHERE/YOU/DONT/HAVE/ACCESS; the safe_mode and open_basedir restrictions are thereby bypassed, allowing sensitive information to be obtained or files to be written to unauthorized locations.

Affected: PHP PHP 5.2
Vendor reference: http://cvs.php.net/viewcvs.cgi/php-src/NEWS
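The discrepancy described above, as an added stand-alone example (not PHP's own code): the page's third session_save_path() value is parsed once the way PS_OPEN_FUNC(files) does it with strchr(), and once by an assumed length-aware check that honours the full byte length, and a simple mitigation rejects any value whose strlen() differs from its byte length. The length-aware check is a model of what a Zend-length-based check would see, not a copy of PHP's safe_mode/open_basedir code.

```c
#include <stdio.h>
#include <string.h>

/* Constructed input: the advisory's third example, with the embedded NUL byte. */
static const char kPayload[] =
    "/DIR/WHERE/YOU/DONT/HAVE/ACCESS\0;/DIR/WHERE/YOU/HAVE/ACCESS";
static const size_t kPayloadLen = sizeof(kPayload) - 1;   /* byte length incl. the NUL */

/* Mirrors the ';' split in PS_OPEN_FUNC(files): strchr() treats the buffer as a
 * C string, so it never looks past the embedded '\0'. Returns argv[argc - 1]. */
static const char *path_used_by_session_module(const char *save_path) {
    const char *last = save_path;
    const char *p = strchr(save_path, ';');
    int argc = 0;
    while (p) {
        argc++;
        last = ++p;
        p = strchr(p, ';');
        if (argc > 1) break;
    }
    return last;
}

/* Assumed model of a length-aware check (one that works on the Zend string's
 * full length): it takes everything after the last ';' within all len bytes. */
static const char *path_seen_by_length_aware_check(const char *buf, size_t len) {
    static char out[256];
    size_t start = 0, n;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == ';') start = i + 1;
    n = len - start;
    if (n >= sizeof out) n = sizeof out - 1;
    memcpy(out, buf + start, n);
    out[n] = '\0';
    return out;
}

/* Mitigation: refuse any value whose C-string length differs from its byte
 * length, i.e. any value carrying an embedded NUL. Returns 1 when rejected. */
static int reject_embedded_nul(const char *buf, size_t len) {
    return strlen(buf) != len;
}

int main(void) {
    printf("path checked : %s\n", path_seen_by_length_aware_check(kPayload, kPayloadLen));
    printf("path used    : %s\n", path_used_by_session_module(kPayload));
    printf("rejected     : %d\n", reject_embedded_nul(kPayload, kPayloadLen));
    return 0;
}
```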