ush.it - a beautiful place

PHP5 Globals Vulnerability

January 25, 2006 at 9:30 pm - Filed under aa, bb - 769 words, reading time ~2 minutes - Permalink - Comments

PHP5 Globals Vulnerability: with ?GLOBALS[foobar] you can set the value of the un-initialized $foobar variable.

PHP5 Globals Vulnerability

 Name              PHP5 Globals Vulnerability
 Systems Affected  PHP5 (verified on 5.1.1 and 5.1.2)
 Severity          Critical
 Vendor            www.php.net
 Advisory          http://www_ush_it/2006/01/25/php5-globals-vulnerability/
 Author            Francesco "aScii" Ongaro (ascii at katamail . com)
 Date              20060125

I. BACKGROUND

PHP is the well known widely-used general-purpose scripting language
that is especially suited for Web development and can be embedded
into HTML.

II. DESCRIPTION

Everybody knows the GLOBALS vulnerability, this is a serious bug and
can leak in a lot of different bugs in applications otherwise secure.

(Text from http://www.hardened-php.net/advisory_202005.79.html)
> In PHP5 < = 5.0.5 it is possible to register f.e. the global
> variable $foobar [..] by supplying a GPC variable called
> 'GLOBALS[foobar]'.

As i was saying everybody knows this, except me : ) While conducing some
VA and code review on PmWiki i rediscovered this independently. More
details on this can be found in "PmWiki Multiple Vulnerabilities".
(http://www_ush_it/2006/01/24/pmwiki-multiple-vulnerabilities/)

Trying to replicate the PmWiki bug on various PHP versions i discovered
it was in realty also a PHP bug (in fact the PmWiki bug itself is PHP
version dependent), but while it was supposed to affect only < = 5.0.5
we reproduced the same results in theorically safe PHP versions.

!! Note: There has been some updates, read the first comment! !!

Lately we produced a (22 bytes long) POC to test the PHP vulnerability
separately and we had the confirm that this bug is still here.

Will this advisory produce a third line in the changelog after these?

5.0.4 Fixed bug #31440 ($GLOBALS can be overwritten via GPC when
register_globals is enabled). (Ilia)

5.1.0 Fixed possible GLOBALS variable override when register_globals are
ON. (Ilia, Stefan)

If GLOBALS can override GLOBALS you could inject a variable into _POST
by _GET or set _SESSION['logged_in'] to TRUE by _GET, this is a bad
scenario for your uber-secured web application.

III. ANALYSIS

Check your own with this simple POC:

$ cat > foo.php < < EOF

<?php echo $foobar; ?>

EOF

Then query foo.php?GLOBALS[foobar]=HELLO

If the poc prints out HELLO your php version is vulnerable.

Here the results i collected:

Branch 4, register_globals ON: fixed and no effect
5.0.5 win, register_globals ON: affected, WORKS!
5.1.1 win, register_globals ON: affected, WORKS!
5.1.1 unix, register_globals ON: affected, WORKS!
5.1.2 unix, register_globals ON: affected, WORKS!

Testing needed on 5.1.0 and 4.x versions.

You can play around with this using some code like this:
<?php print_r($GLOBALS); ?>

IV. DETECTION

PHP 5.1.1 and 5.1.1 is vulnerable (this advisory).
PHP < = 4.3.10 should be vulnerable (bug discovered by Stefan Esser).
PHP <= 5.0.5 is vulnerable (bug discovered by Stefan Esser).
Older version not verified. PHP 5.1.0 not verified.

V. WORKAROUND

Register global off will fix. This php code will mitigate this bug.

// put this code before everything
if (isset($HTTP_POST_VARS['GLOBALS']) || isset($_POST['GLOBALS']) ||
    isset($HTTP_POST_FILES['GLOBALS']) || isset($_FILES['GLOBALS']) ||
    isset($HTTP_GET_VARS['GLOBALS']) || isset($_GET['GLOBALS']) ||
    isset($HTTP_COOKIE_VARS['GLOBALS']) || isset($_COOKIE['GLOBALS'])) {
 trigger_error('Is this a GLOBAL GPC hacking attemp?', E_USER_ERROR);
}

For deeper fixage wait for an official patch.

VI. VENDOR RESPONSE

This is a known bug in PHP <= 5.0.5, that seems to be still effective
in PHP 5.1.1 and 5.1.2. I'll wait for official and Stefan Esser
responses.

!! Note: There has been some updates, read the first comment! !!

Note: 

VII. CVE INFORMATION

No CVE at this time.

VIII. DISCLOSURE TIMELINE

20060119 Bug discovered
20060119 Internal release
20060125 Initial release (only on ush.it)
20060127 Initial release (only on sikurezza.org)
20060128 Public release

IX. CREDIT

Francesco "aScii" Ongaro is credited with the discovery of this vulnerability.

Many thanks to:

koba (who committed the VA on PmWiki, sikurezza.org)
Stefano Di Paola (testing on multiple vers. and poc, wisec.it)
Patrick R. Michaud (testing on 5.1.2, the PmWiki vendor)
Ethan (testing 5.1.1)
Saidone (testing 5.1.2)

X. LEGAL NOTICES

Copyright (c) 2005 Francesco "aScii" Ongaro

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email me for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
Reed's Alert! Got something burning? Tell USH team.
THP USH (HTTPS) Wisec DigitalBullets TheHackersPlace network