Vigil@nce - suPHP: code execution via suPHP_PHPPath
February 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can create a .htaccess file setting an
environment variable, that is transmitted by suPHP to the PHP
interpreter, in order to execute code with privileges of the
Apache service.
Impacted products: PHP, Unix (platform)
Severity: 2/4
Creation date: 10/02/2014
DESCRIPTION OF THE VULNERABILITY
The suPHP tool, composed of the mod_suphp Apache module and of a
suid program, can be used to run PHP scripts with rights of their
owner.
Since version 0.7.0, the administrator can also configure it to
display the source code of PHP files with the extension .phps for
example:
AddType application/x-httpd-php-source .phps
suPHP_AddHandler application/x-httpd-php-source
suPHP_PHPPath /usr/local/bin/php
In this case, suPHP executes the /usr/local/bin/php file to
generate the source code with syntax highlighting. However,
environment variables are not reset before starting the child
process.
A local attacker can therefore create a .htaccess file setting an
environment variable, that is transmitted by suPHP to the PHP
interpreter, in order to execute code with privileges of the
Apache service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/suPHP-code-execution-via-suPHP-PHPPath-14195