Search This Blog

Sunday, December 21, 2008

[UNIX] PHP APC Vulnerable to Local Attacks

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

PHP APC Vulnerable to Local Attacks
------------------------------------------------------------------------


SUMMARY

<http://pecl.php.net/package/APC> PHP APC is an opcode cache for PHP, or,
as the developers say: "APC is a free, open, and robust framework for
caching and optimizing PHP intermediate code." A cross site scripting
issue which comes into play when you have local users which are able to
create files and cause those to be cached by the PHP APC, and a server
admin later visits the apc.php web interface which comes with PHP APC.

DETAILS

Vulnerable Systems:
* PHP APC version 3.1.1
* PHP APC version 3.0.19

Cross Site Scripting vulnerability in PHP-APC
PHP-APC is subject to a cross site scripting vulnerability which can be
triggered by local users.

This issue is caused by insufficient validation of path and file names
which are displayed to an authenticated admin when viewing the 'System
Cache Entries' and 'User Cache Entries' sections on the apc.php web
management interface.

This issue can be exploited in all environments which different access
levels for the PHP APC admin and other users with local write permissions
apply.

A malicious user with local write access (such as an FTP user on shared
hosting environments) may create two directories
</
a><script>alert("XSS")</
and create a file named
script>.php
in the latter directory, then access this file via HTTP. If PHP-APC is
active on this host, this file may have been cached and will then be
listed on the apc.php web interface to a logged in admin. In this harmless
example, the injected script code will display a javascript alert window.
However, the attacker could also use this vulnerability to steal the PHP
APC admins' session data from within the domain apc.php is invoked in, as
well as all other attacks cross site scripting allows for.

This issue has been fixed in PHP APC CVS.
<http://cvs.php.net/viewvc.cgi/pecl/apc/apc.php?r1=3.73&r2=3.74>
http://cvs.php.net/viewvc.cgi/pecl/apc/apc.php?r1=3.73&r2=3.74


ADDITIONAL INFORMATION

The information has been provided by <mailto:security@moritz-naumann.com>
Moritz Naumann.

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments: