I have only one superstition. Touch all the bases when I hit a home run.
Babe Ruth
<?php
ob_start();

// Reason phrases by status code (kept from the original; not referenced below).
$http_status_codes = array(
    100 => 'Continue', 101 => 'Switching Protocols', 102 => 'Processing',
    200 => 'OK', 201 => 'Created', 202 => 'Accepted', 203 => 'Non-Authoritative Information',
    204 => 'No Content', 205 => 'Reset Content', 206 => 'Partial Content', 207 => 'Multi-Status',
    300 => 'Multiple Choices', 301 => 'Moved Permanently', 302 => 'Found', 303 => 'See Other',
    304 => 'Not Modified', 305 => 'Use Proxy', 306 => 'unused', 307 => 'Temporary Redirect',
    400 => 'Bad Request', 401 => 'Authorization Required', 402 => 'Payment Required',
    403 => 'Forbidden', 404 => 'Not Found', 405 => 'Method Not Allowed', 406 => 'Not Acceptable',
    407 => 'Proxy Authentication Required', 408 => 'Request Time-out', 409 => 'Conflict',
    410 => 'Gone', 411 => 'Length Required', 412 => 'Precondition Failed',
    413 => 'Request Entity Too Large', 414 => 'Request-URI Too Large',
    415 => 'Unsupported Media Type', 416 => 'Requested Range Not Satisfiable',
    417 => 'Expectation Failed', 418 => 'unused', 419 => 'unused', 420 => 'unused',
    421 => 'unused', 422 => 'Unprocessable Entity', 423 => 'Locked', 424 => 'Failed Dependency',
    425 => 'No code', 426 => 'Upgrade Required',
    500 => 'Internal Server Error', 501 => 'Method Not Implemented', 502 => 'Bad Gateway',
    503 => 'Service Temporarily Unavailable', 504 => 'Gateway Time-out',
    505 => 'HTTP Version Not Supported', 506 => 'Variant Also Negotiates',
    507 => 'Insufficient Storage', 508 => 'unused', 509 => 'unused', 510 => 'Not Extended',
);

// Status code => array(reason phrase, body template). Placeholders INTERROR,
// THEREQUESTURI and THEREQMETH are substituted below.
$err_status_codes = array(
    '100' => array('Continue', ''),
    '101' => array('Switching Protocols', ''),
    '102' => array('Processing', ''),
    '200' => array('OK', ''),
    '201' => array('Created', ''),
    '202' => array('Accepted', ''),
    '203' => array('Non-Authoritative Information', ''),
    '204' => array('No Content', ''),
    '205' => array('Reset Content', ''),
    '206' => array('Partial Content', ''),
    '207' => array('Multi-Status', ''),
    '300' => array('Multiple Choices', ''),
    '301' => array('Moved Permanently', 'The document has moved <a href="THEREQUESTURI">here</a>.'),
    '302' => array('Found', 'The document has moved <a href="THEREQUESTURI">here</a>.'),
    '303' => array('See Other', 'The answer to your request is located <a href="THEREQUESTURI">here</a>.'),
    '304' => array('Not Modified', ''),
    '305' => array('Use Proxy', 'This resource is only accessible through the proxy THEREQUESTURI. You will need to configure your client to use that proxy.'),
    '307' => array('Temporary Redirect', 'The document has moved <a href="THEREQUESTURI">here</a>.'),
    '400' => array('Bad Request', 'Your browser sent a request that this server could not understand.'),
    '401' => array('Authorization Required', 'This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn\'t understand how to supply the credentials required.'),
    '402' => array('Payment Required', 'INTERROR'),
    '403' => array('Forbidden', 'You don\'t have permission to access THEREQUESTURI on this server.'),
    '404' => array('Not Found', 'We couldn\'t find <acronym title="THEREQUESTURI">that uri</acronym> on our server, though it\'s most certainly not your fault.'),
    '405' => array('Method Not Allowed', 'The requested method THEREQMETH is not allowed for the URL THEREQUESTURI.'),
    '406' => array('Not Acceptable', 'An appropriate representation of the requested resource THEREQUESTURI could not be found on this server.'),
    '407' => array('Proxy Authentication Required', 'This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn\'t understand how to supply the credentials required.'),
    '408' => array('Request Time-out', 'Server timeout waiting for the HTTP request from the client.'),
    '409' => array('Conflict', 'INTERROR'),
    '410' => array('Gone', 'The requested resource THEREQUESTURI is no longer available on this server and there is no forwarding address. Please remove all references to this resource.'),
    '411' => array('Length Required', 'A request of the requested method GET requires a valid Content-length.'),
    '412' => array('Precondition Failed', 'The precondition on the request for the URL THEREQUESTURI evaluated to false.'),
    '413' => array('Request Entity Too Large', 'The requested resource THEREQUESTURI does not allow request data with GET requests, or the amount of data provided in the request exceeds the capacity limit.'),
    '414' => array('Request-URI Too Large', 'The requested URL\'s length exceeds the capacity limit for this server.'),
    '415' => array('Unsupported Media Type', 'The supplied request data is not in a format acceptable for processing by this resource.'),
    '416' => array('Requested Range Not Satisfiable', ''),
    '417' => array('Expectation Failed', 'The expectation given in the Expect request-header field could not be met by this server. The client sent <code>Expect:</code>'),
    '422' => array('Unprocessable Entity', 'The server understands the media type of the request entity, but was unable to process the contained instructions.'),
    '423' => array('Locked', 'The requested resource is currently locked. The lock must be released or proper identification given before the method can be applied.'),
    '424' => array('Failed Dependency', 'The method could not be performed on the resource because the requested action depended on another action and that other action failed.'),
    '425' => array('No code', 'INTERROR'),
    '426' => array('Upgrade Required', 'The requested resource can only be retrieved using SSL. The server is willing to upgrade the current connection to SSL, but your client doesn\'t support it. Either upgrade your client, or try requesting the page using https://'),
    '500' => array('Internal Server Error', 'INTERROR'),
    '501' => array('Method Not Implemented', 'GET to THEREQUESTURI not supported.'),
    '502' => array('Bad Gateway', 'The proxy server received an invalid response from an upstream server.'),
    '503' => array('Service Temporarily Unavailable', 'The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.'),
    '504' => array('Gateway Time-out', 'The proxy server did not receive a timely response from the upstream server.'),
    '505' => array('HTTP Version Not Supported', 'INTERROR'),
    '506' => array('Variant Also Negotiates', 'A variant for the requested resource <code>THEREQUESTURI</code> is itself a negotiable resource. This indicates a configuration error.'),
    '507' => array('Insufficient Storage', 'The method could not be performed on the resource because the server is unable to store the representation needed to successfully complete the request. There is insufficient free space left in your storage allocation.'),
    '510' => array('Not Extended', 'A mandatory extension policy in the request is not accepted by the server for this resource.'),
);

// Apache sets REDIRECT_STATUS when it hands the request to an ErrorDocument script.
// Fall back to 500 if it is missing or not in the table, so the lookups below are defined.
if (isset($_SERVER['REDIRECT_STATUS'])) {
    $err_code = (string) $_SERVER['REDIRECT_STATUS'];
} else {
    $err_code = '500';
}
if (!isset($err_status_codes[$err_code])) {
    $err_code = '500';
}

$err_req_meth = $_SERVER['REQUEST_METHOD'];
$err_req      = htmlentities(strip_tags($_SERVER['REQUEST_URI']));
$err_phrase   = $err_status_codes[$err_code][0];
$err_body     = str_replace(
    array('INTERROR', 'THEREQUESTURI', 'THEREQMETH'),
    array(
        'The server encountered an internal error or misconfiguration and was unable to complete your request.',
        $err_req,
        $err_req_meth,
    ),
    $err_status_codes[$err_code][1]
);

@header("HTTP/1.1 $err_code $err_phrase", 1);
@header("Status: $err_code $err_phrase", 1);

if ($err_code == '400' || $err_code == '403' || $err_code == '405' || $err_code[0] == '5') {
    // Client errors the server will not keep the connection open for, and all 5xx.
    @header("Connection: close", 1);
    if ($err_code == '405') {
        @header('Allow: GET,HEAD,POST,OPTIONS,TRACE');
    }
    echo "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html>\n<head>\n"
       . "<title>{$err_code} {$err_phrase}</title>\n</head>\n<body>\n"
       . "<h1>{$err_phrase}</h1>\n<p>{$err_body}<br>\n</p>\n</body></html>";
} else {
    // Everything else gets an XHTML page that also dumps the whole $_SERVER array
    // into the response (see the comments below on what that exposes).
    echo '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">'
       . '<html xml:lang="en" lang="en"><head><title>' . $err_code . ' ' . $err_phrase . '</title>'
       . '<meta http-equiv="content-type" content="text/html;charset=UTF-8" /></head><body>'
       . '<h1>' . $err_code . ' ' . $err_phrase . '</h1><hr /><p>' . $err_body . '<br /></p>'
       . '<pre>' . print_r($_SERVER, 1) . '</pre></body></html>';
}
?>



I am not a PHP person (more a Java expert).
The problem is at line 150. You have XSS, insecure error reporting and information leakage:
XSS because print_r($_SERVER,1) will output the PATH_INFO AND REQUEST_URI.
You can include a Path parameter in the url such that the XSS is included as follows:
http://www.google.com/app/vulnerable.php;alert('XSS‘)?…
You also have insecure error reporting and information leakage because
"$_SERVER" will output:
Taken from http://php.net/manual/en/reserved.variables.server.php
'PHP_SELF'
The filename of the currently executing script, relative to the document root. For instance, $_SERVER['PHP_SELF'] in a script at the address http://example.com/test.php/foo.bar would be /test.php/foo.bar. The __FILE__ constant contains the full path and filename of the current (i.e. included) file. If PHP is running as a command-line processor this variable contains the script name since PHP 4.3.0. Previously it was not available.
'argv'
Array of arguments passed to the script. When the script is run on the command line, this gives C-style access to the command line parameters. When called via the GET method, this will contain the query string.
'argc'
Contains the number of command line parameters passed to the script (if run on the command line).
'GATEWAY_INTERFACE'
What revision of the CGI specification the server is using; i.e. 'CGI/1.1'.
'SERVER_ADDR'
The IP address of the server under which the current script is executing.
'SERVER_NAME'
The name of the server host under which the current script is executing. If the script is running on a virtual host, this will be the value defined for that virtual host.
'SERVER_SOFTWARE'
Server identification string, given in the headers when responding to requests.
'SERVER_PROTOCOL'
Name and revision of the information protocol via which the page was requested; i.e. 'HTTP/1.0'.
'REQUEST_METHOD'
Which request method was used to access the page; i.e. 'GET', 'HEAD', 'POST', 'PUT'.
Note:
PHP script is terminated after sending headers (it means after producing any output without output buffering) if the request method was HEAD.
'REQUEST_TIME'
The timestamp of the start of the request. Available since PHP 5.1.0.
'QUERY_STRING'
The query string, if any, via which the page was accessed.
'DOCUMENT_ROOT'
The document root directory under which the current script is executing, as defined in the server's configuration file.
'HTTP_ACCEPT'
Contents of the Accept: header from the current request, if there is one.
'HTTP_ACCEPT_CHARSET'
Contents of the Accept-Charset: header from the current request, if there is one. Example: 'iso-8859-1,*,utf-8'.
'HTTP_ACCEPT_ENCODING'
Contents of the Accept-Encoding: header from the current request, if there is one. Example: 'gzip'.
'HTTP_ACCEPT_LANGUAGE'
Contents of the Accept-Language: header from the current request, if there is one. Example: 'en'.
'HTTP_CONNECTION'
Contents of the Connection: header from the current request, if there is one. Example: 'Keep-Alive'.
'HTTP_HOST'
Contents of the Host: header from the current request, if there is one.
'HTTP_REFERER'
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
'HTTP_USER_AGENT'
Contents of the User-Agent: header from the current request, if there is one. This is a string denoting the user agent which is accessing the page. A typical example is: Mozilla/4.5 [en] (X11; U; Linux 2.2.9 i586). Among other things, you can use this value with get_browser() to tailor your page's output to the capabilities of the user agent.
'HTTPS'
Set to a non-empty value if the script was queried through the HTTPS protocol.
Note: Note that when using ISAPI with IIS, the value will be off if the request was not made through the HTTPS protocol.
'REMOTE_ADDR'
The IP address from which the user is viewing the current page.
'REMOTE_HOST'
The Host name from which the user is viewing the current page. The reverse DNS lookup is based off the REMOTE_ADDR of the user.
Note: Your web server must be configured to create this variable. For example in Apache you'll need HostnameLookups On inside httpd.conf for it to exist. See also gethostbyaddr().
'REMOTE_PORT'
The port being used on the user's machine to communicate with the web server.
'SCRIPT_FILENAME'
The absolute pathname of the currently executing script.
Note:
If a script is executed with the CLI, as a relative path, such as file.php or ../file.php, $_SERVER['SCRIPT_FILENAME'] will contain the relative path specified by the user.
'SERVER_ADMIN'
The value given to the SERVER_ADMIN (for Apache) directive in the web server configuration file. If the script is running on a virtual host, this will be the value defined for that virtual host.
'SERVER_PORT'
The port on the server machine being used by the web server for communication. For default setups, this will be '80'; using SSL, for instance, will change this to whatever your defined secure HTTP port is.
'SERVER_SIGNATURE'
String containing the server version and virtual host name which are added to server-generated pages, if enabled.
'PATH_TRANSLATED'
Filesystem- (not document root-) based path to the current script, after the server has done any virtual-to-real mapping.
Note: As of PHP 4.3.2, PATH_TRANSLATED is no longer set implicitly under the Apache 2 SAPI in contrast to the situation in Apache 1, where it's set to the same value as the SCRIPT_FILENAME server variable when it's not populated by Apache. This change was made to comply with the CGI specification that PATH_TRANSLATED should only exist if PATH_INFO is defined. Apache 2 users may use AcceptPathInfo = On inside httpd.conf to define PATH_INFO.
'SCRIPT_NAME'
Contains the current script's path. This is useful for pages which need to point to themselves. The __FILE__ constant contains the full path and filename of the current (i.e. included) file.
'REQUEST_URI'
The URI which was given in order to access this page; for instance, '/index.html'.
'PHP_AUTH_DIGEST'
When doing Digest HTTP authentication this variable is set to the 'Authorization' header sent by the client (which you should then use to make the appropriate validation).
'PHP_AUTH_USER'
When doing HTTP authentication this variable is set to the username provided by the user.
'PHP_AUTH_PW'
When doing HTTP authentication this variable is set to the password provided by the user.
'AUTH_TYPE'
When doing HTTP authentication this variable is set to the authentication type.
'PATH_INFO'
Contains any client-provided pathname information trailing the actual script filename but preceding the query string, if available. For instance, if the current script was accessed via the URL http://www.example.com/php/path_info.php/some/stuff?foo=bar, then $_SERVER['PATH_INFO'] would contain /some/stuff.
'ORIG_PATH_INFO'
Original version of 'PATH_INFO' before processed by PHP.
The script tags around the "alert('xss')" were removed.
Billy,
One more thing I spotted.
Denial of Service
According to http://ilia.ws/archives/66-Security-Implications-of-var_exportprint_r.html
********************************************************************************
The print_r() function is similar in function, except the returned data is intended for debugging and not storage. As with var_export(), by passing a 2nd optional parameter you can force the data to be returned as a string rather than dumped to screen.
Herein lies the problem: when it comes to storing the data, this is done by enabling output buffering of the content without a set buffer size limit. Consequently, by forcing the function to generate a massive string it is possible to launch a denial of service attack aimed at exhausting both processor and memory.
Some of you are probably thinking this is pretty hard to accomplish via user input, requiring hundreds of megabytes of data to be delivered, but this couldn't be further from the truth. To successfully complete such an attack all you need is to submit a post request which takes just 1 line of code to generate:
PHP:
This will force PHP to create a 20,000 dimensional array, causing the generated output for var_export($foo,1); or print_r($foo,1); to take hundreds of megabytes, eventually leading to PHP crash. The actual size of the request is a mere 40 kilobytes.
*****************************************************************************
So an attacker could create a 20,000 dimensional array as one of the HTTP headers and cause a denial of service.
Regards,
Abe
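A hardened variant of the error page, added here as an example (it is neither the post's original script nor code from Abe), addressing both points raised in the comments: the reflected XSS and information leakage that come from writing print_r($_SERVER, 1) into the response, and the unbounded output that print_r() produces when handed a very large or deeply nested structure. It keeps the original's placeholder/template approach, HTML-escapes every request-derived value, never serialises $_SERVER into the page, bounds the echoed URI, and falls back to 500 when REDIRECT_STATUS is absent or unknown. The function names esc(), resolve_status() and render_error_page() and the abbreviated message table are this example's own choices, not anything from the page.

```php
<?php
// Added example, not the post's original script: a hardened ErrorDocument
// handler. Request-derived values reach the HTML only through esc(), and
// $_SERVER is never dumped, so there is no reflection of PATH_INFO/REQUEST_URI
// and no unbounded print_r() output to exhaust memory.

// Status code => array(reason phrase, body template). Abbreviated table for
// the example; placeholders are replaced with escaped request values below.
$error_pages = array(
    '400' => array('Bad Request',
        'Your browser sent a request that this server could not understand.'),
    '403' => array('Forbidden',
        'You don\'t have permission to access THEREQUESTURI on this server.'),
    '404' => array('Not Found',
        'The requested URL THEREQUESTURI was not found on this server.'),
    '405' => array('Method Not Allowed',
        'The requested method THEREQMETH is not allowed for the URL THEREQUESTURI.'),
    '500' => array('Internal Server Error',
        'The server encountered an internal error and was unable to complete your request.'),
);

// Escape a value that originates from the request before it enters HTML.
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the output.
function esc($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Resolve the status code from Apache's REDIRECT_STATUS; anything missing or
// outside the table becomes a generic 500 so the lookups stay defined.
function resolve_status(array $server, array $pages)
{
    $code = isset($server['REDIRECT_STATUS']) ? (string) $server['REDIRECT_STATUS'] : '500';
    return isset($pages[$code]) ? $code : '500';
}

// Build the response body. Only the template (trusted, from our own table) is
// raw HTML; the URI and method are escaped, and the URI is truncated so a very
// long request line cannot inflate the page.
function render_error_page($code, array $pages, array $server)
{
    list($phrase, $template) = $pages[$code];
    $uri    = isset($server['REQUEST_URI']) ? substr($server['REQUEST_URI'], 0, 256) : '/';
    $method = isset($server['REQUEST_METHOD']) ? $server['REQUEST_METHOD'] : 'GET';
    $body   = str_replace(
        array('THEREQUESTURI', 'THEREQMETH'),
        array('<code>' . esc($uri) . '</code>', '<code>' . esc($method) . '</code>'),
        $template
    );
    $title = esc($code . ' ' . $phrase);
    return "<!DOCTYPE html>\n<html lang=\"en\"><head><meta charset=\"utf-8\">"
         . "<title>$title</title></head><body><h1>$title</h1><p>$body</p></body></html>";
}

$code   = resolve_status($_SERVER, $error_pages);
$phrase = $error_pages[$code][0];
header("HTTP/1.1 $code $phrase", true, (int) $code);
header('Content-Type: text/html; charset=UTF-8');
if ($code === '405') {
    header('Allow: GET, HEAD, POST, OPTIONS');
}
echo render_error_page($code, $error_pages, $_SERVER);
```

Used the same way as the original, as the target of Apache's ErrorDocument directive. Because nothing from $_SERVER other than the escaped, truncated URI and method is written out, the diagnostic detail that made the original page useful to an attacker (document root, script path, server software, auth headers) stays on the server, and the response size is bounded by the template plus 256 bytes of URI regardless of what the client sends.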