Reflected XSS in .phar 404 page
| Sec Bug #74782 | Reflected XSS in .phar 404 page | | |
|---|---|---|---|
| Submitted: | 2017-06-19 18:15 UTC | Modified: | 2018-01-16 09:06 UTC |
| From: | passownz at gmail dot com | Assigned: | stas |
| Status: | Closed | Package: | PHAR related |
| PHP Version: | 5.6.30 | OS: | |
| Private report: | No | CVE-ID: | 2018-5712 |
[2017-06-19 18:15 UTC] passownz at gmail dot com
Description:

Hi, when creating a .phar file and configuring Apache to handle phar files using PHP, when accessing an invalid page the page name is reflected back to the user in the 404 response. This user input is not being sanitized and therefore it is vulnerable to a reflected XSS. Meaning, every site which is configured to run .phar files using PHP is vulnerable.
Patches
74782patch (last revision 2018-10-22 05:52 UTC by 1246196870 at qq dot com)
History
[2017-06-19 21:24 UTC] stas@php.net
[2017-06-20 06:40 UTC] passownz at gmail dot com
I just added the (ar) file to the php5.6.conf file in the Apache mods-enabled dir as follows:

```apache
<FilesMatch ".+\.ph(ar|p[3457]?|t|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>
```

Thanks.
[2017-06-20 07:35 UTC] stas@php.net
-Status: Open +Status: Feedback
[2017-06-20 07:58 UTC] passownz at gmail dot com
-Status: Feedback +Status: Open
[2017-06-20 07:58 UTC] passownz at gmail dot com
REQUEST:

```http
GET /myapp.phar/%3cscript%3ealert()%3c/script%3e HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
```

RESPONSE:

```http
HTTP/1.0 404 Not Found
Date: Tue, 20 Jun 2017 07:52:21 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Length: 138
Connection: close
Content-Type: text/html; charset=UTF-8

<html>
 <head>
  <title>File Not Found</title>
 </head>
 <body>
  <h1>404 - File /<script>alert()</script> Not Found</h1>
 </body>
</html>
```

The root cause of the vulnerability is that when PHP generates .phar files it also adds a piece of code that handles the case where the requested file in the archive couldn't be found, as can be seen in the following code snippet:

```php
// $pt is the path the client requested inside the archive
$a = realpath(Extract_Phar::$temp . DIRECTORY_SEPARATOR . $pt);

if (!$a || strlen(dirname($a)) < strlen(Extract_Phar::$temp)) {
    header('HTTP/1.0 404 Not Found');
    // $pt is written into the HTML body without any escaping
    echo "<html>\n <head>\n  <title>File Not Found</title>\n </head>\n <body>\n  <h1>404 - File ", $pt, " Not Found</h1>\n </body>\n</html>";
    exit;
}
```

The $pt variable contains the user's requested page, and as can be seen it is being echoed back as is in the 404 response.

[2017-06-20 08:05 UTC] passownz at gmail dot com
Some more info, this is how I created the phar file:

```php
<?php
$srcRoot = "~/myapp/src";
$buildRoot = "~/myapp/build";

$phar = new Phar(
    $buildRoot . "/myapp.phar",
    FilesystemIterator::CURRENT_AS_FILEINFO | FilesystemIterator::KEY_AS_FILENAME,
    "myapp.phar"
);
$phar["index.php"] = file_get_contents($srcRoot . "/index.php");
$phar["common.php"] = file_get_contents($srcRoot . "/common.php");
// the default stub is the code that contains the 404 handler
$phar->setStub($phar->createDefaultStub("index.php"));
copy($srcRoot . "/config.ini", $buildRoot . "/config.ini");
```

[2017-07-01 19:51 UTC] passownz at gmail dot com
[2017-07-02 20:33 UTC] stas@php.net
-Assigned To: +Assigned To: stas
[2017-07-03 08:42 UTC] passownz at gmail dot com
[2017-07-03 08:44 UTC] passownz at gmail dot com
[2017-07-31 06:53 UTC] passownz at gmail dot com
[2018-01-02 04:27 UTC] stas@php.net
-Status: Assigned +Status: Closed
[2018-01-16 09:06 UTC] kaplan@php.net
-CVE-ID: needed +CVE-ID: 2018-5712
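The unescaped echo of $pt quoted in the 2017-06-20 07:58 UTC comment, isolated into a stand-alone reproduction beside one hardened form. This is an added example, not the PHP project's stub code or the patch attached to this bug; the function names are this example's own, the input is the proof-of-concept path from the report, and it assumes PHP 7.0 or later.

```php
<?php
// Added example: the phar stub's 404 page builder in its vulnerable form and
// one hardened form. Function names are assumptions, not names from the stub.

function notFoundPageVulnerable(string $pt): string
{
    // Mirrors the quoted stub: $pt goes into the markup unescaped.
    return "<html>\n <head>\n  <title>File Not Found</title>\n </head>\n"
         . " <body>\n  <h1>404 - File " . $pt . " Not Found</h1>\n </body>\n</html>";
}

function notFoundPageFixed(string $pt): string
{
    // HTML-body context: escape <, >, & and both quote styles. ENT_SUBSTITUTE
    // replaces invalid UTF-8 instead of returning an empty string.
    $safe = htmlspecialchars($pt, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<html>\n <head>\n  <title>File Not Found</title>\n </head>\n"
         . " <body>\n  <h1>404 - File " . $safe . " Not Found</h1>\n </body>\n</html>";
}

// Constructed input: the path suffix from the report's request, as the stub
// sees it once the web server has URL-decoded it.
$pt = rawurldecode('/%3cscript%3ealert()%3c/script%3e');

// The declared charset must match the one passed to htmlspecialchars().
header('Content-Type: text/html; charset=UTF-8');
echo "--- vulnerable ---\n", notFoundPageVulnerable($pt), "\n\n";
echo "--- fixed ---\n", notFoundPageFixed($pt), "\n";

// Regression check: no raw tag may survive into the hardened response.
$fixed = notFoundPageFixed($pt);
assert(strpos($fixed, '<script>') === false);
assert(strpos($fixed, '&lt;script&gt;alert()&lt;/script&gt;') !== false);
```

Run from the CLI the header() call is ignored and both pages are printed; the assertions fail only if the escaping is removed.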