Several problems in CARE 2002 ------------------------------------- # What is CARE 2002? CARE 2002 is a free software package for hospitals. It's based on php + mysql. For further information visit <http://www.care2x.com/>. #### include + NULL problem #### # Problem description There are several include statements which use variables passed by the user. So if register_globals is on and magic_quotes_gpc is off you are able to read any file on the webserver: ./main/cafenews.php: [...] include("../language/".$lang."/lang_".$lang."_newsdummy.php"); [...] If $lang contains NULL (aka \0 or %00) the include statement ignores everything after the NULL and includes the file. Here's some metacode explaining the behavior: foobar.php looks like this: <?php include("../".$input."blubb"); ?> Calling the file with the following parameter: foobar.php?input=bla%00bla results in (with enabled magic_quotes_gcp): <br /> <b>Warning</b>: Failed opening '../bla\0blablubb' for inclusion (include_path='.:/usr/local/lib/php') in <b>/home/user/public_html/foobar.php</b> on line <b>2</b><br /> This doesn't seem to be exploitable, but what happens, if magic_quotes_gcp is turned off (like on php.ini-recommened, for performance reasons, without pointing to THIS kind of problem)?: <br /> <b>Warning</b>: Failed opening '../bla' for inclusion (include_path='.:/usr/local/lib/php') in <b>/home/user/public_html/foobar.php</b> on line <b>2</b><br /> Huh?! Did you get it? Everything after NULL (%00) is ignored! So what can we do now? We can take a look at the avaiable users: foobar.php?input=../../../etc/passwd%00 Voila... You can open every file you want. Ok, not every file. It has to be readable by the http-user, like wwwrun or www. # And the solution? One can test, if a file exists with the function file_exists(). This function doesn't ignore the characters after NULL. On the other side, one could try to avoid using userdata to open a file. In CARE 2002 and other webapps, you are often faced to this kind of problem while handling language or themes files. # Fix? The authors will release a new version (1.0.0.2) at <http://www.care2x.com/>. The best way for a admin is, to enable magic_quotes_gpc and/or other security related options in php. For further information take a look at: <http://php.net/security> . Other options, like enable_safe_mode or open_base_dir helps you too, to keep your server privacy if you can't trust the executed phpcode. #### missing addslashes() #### # Problem description None of the data passed (there are just a few exeptions) to the mysqld is checked for control characters like ', " et al. So one is able to commit injected sql queries. The problem exists, when magic_quotes_gpc is turned off. For further information about dangerous sql queries see: *<http://www.php.net/manual/en/security.database.php#security.database.sql-injection>. * <http://www.google.com/search?q=sql+injection+problem> # And the solution? One can use addslashes() for _every_ data a user enters and is submitted to the database. Lazy people hope, that magic_quotes_gpc is enabled. Never expect, that an admin configured a webserver correct, try to start the security at application level. # Fix? Within the new release, the author fixed the problems. Turn magic_quotes_qpc on! ##### Credits ##### Thanks skyp, for cross reading the text. For the german-speaking folk: <http://bluephod.net/> Sorry for the broken lines I hate webmailer :). -- GMX - Die Kommunikationsplattform im Internet. http://www.gmx.net
This archive was generated by hypermail 2b30 : Fri Jul 12 2002 - 16:55:52 PDT