Jump to content


Popular Content

Showing content with the highest reputation on 10/24/2019 in all areas

  1. 1 point
    Sadly PHP continues to show how not to write code, especially if you use it and not want to give free shells to all. A couple of weeks ago, neex, dropped a bug on the PHP sec bug list that detailed a rather ugly condition in fpm_main.c This function assumes that the env_path_info has a prefix that equals that of the php script being called. Now usually we'd validate this, but no, this is where they failed to abide by dem rules and this led to an invalid pointer. Add a newline character and a skip, hop and a jump later and boom, RCE. A lot of people who use PHP-FPM have configs like try_files $uri $uri/ /index.php$is_args$args;) and this is where the issue comes in. The code before the patch was path_info = env_path_info ? env_path_info + pilen - slen : NULL; tflag = (orig_path_info != path_info); That's pretty crap, you assume so much here and this is why it should have been path_info = (env_path_info && pilen > slen) ? env_path_info + pilen - slen : NULL; tflag = path_info && (orig_path_info != path_info); Neex published his exploit yesterday after the PHP crew stopped arguing about how bad it was and made the patch and I thought I'd build the exploit and see what we could do to detect it. Running it is simple once you have your Go environment up and running, and all it needs is a url and php file. What I wanted to see was the URI sent, so rather than supply a legitimate resource, I opted for a non-existent one. As you can see, he is appending PHP%0Ais_the_shittiest_lang.php? and a load of Q's to the supplied URL. On the server side, you see So relatively easy to see and block in the original format, which most skids wont change. Here's a Cloudflare rule to block it Hope this is of some help to someone?
  • Create New...

Important Information

We use cookies as we're cookie monsters. Privacy Policy