Bug 799187 - (CVE-2012-1172) CVE-2012-1172 php: $_FILES array indexes corruption
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20120301,repor...
Keywords: Security
Depends On: 816639 819855 819856 830727 830728 830729 830730
Blocks: 782956 835958 835959 835960
Reported: 2012-03-02 00:03 EST by Kurt Seifried
Modified: 2015-11-24 10:04 EST (History)
Fixed In Version: php 5.3.11, php 5.4.1
Doc Type: Bug Fix
Last Closed: 2012-06-27 13:08:43 EDT
External Trackers
Tracker ID Priority Status Summary Last Updated
PHP Bug Tracker 54374 None None None Never
PHP Bug Tracker 55500 None None None Never
Description Kurt Seifried 2012-03-02 00:03:24 EST
This issue was reported by Neale Poole

From http://www.php.net/ChangeLog-5.php#5.4.0
Fixed bug #55500 (Corrupted $_FILES indices lead to security concern).

The bug is still locked. However a writeup is available from Neale Poole at:

https://nealpoole.com/blog/2011/10/directory-traversal-via-php-multi-file-uploads/

Summary

Scripts using PHP 5.3 that accept multiple file uploads in a single request are potentially vulnerable to a directory traversal attack. Information about the mechanism for attack (corrupting array indices in $_FILES) has been publicly available since at least March 2011 June 2009. [1] [2] [3] [4] I submitted Sec Bug #55500 to point out the potential for directory traversal on August 24th, 2011.

[Note: I've been informed that a similar attack using the same vector was mentioned in the PHP Bug Tracker in September 2009. [5]]

[Update: As of January 1st 2012, a fix for this issue has been committed for PHP 5.4 and trunk in SVN r321664]

More details are available at: http://isisblogs.poly.edu/2011/08/11/php-not-properly-checking-params/

A source code patch is available at http://svn.php.net/viewvc/php/php-src/trunk/main/rfc1867.c?r1=321634&r2=321664&pathrev=321664

--- php/php-src/trunk/main/rfc1867.c	2012/01/01 13:15:04	321634
+++ php/php-src/trunk/main/rfc1867.c	2012/01/01 23:54:25	321664
@@ -942,6 +942,10 @@
				}
								tmp++;
											}
+														/* Brackets should always be closed */
+														   	    	   if(c != 0) {
+																   	       skip_upload = 1;
+																	       		      }
 																			        }
 
			total_bytes = cancel_upload = 0;
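Review bot: the added `if(c != 0) { skip_upload = 1; }` relies on `c` holding the number of brackets still open when the loop exits, but nothing in this hunk shows where `c` is incremented or decremented, so the comment should state that invariant (for example "c counts '[' without a matching ']'") instead of only "Brackets should always be closed". The rejection is also silent: setting `skip_upload = 1` discards the file with no notice, so an operator cannot tell a malformed field name from a missing upload; consider emitting a warning at the same point so the condition shows up in logs. The indentation of the four added lines also does not match the surrounding block's tab style and should be aligned with it.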
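As an added illustration of the defensive side of the issue summarised above (this is not code from the bug report, the writeup or the upstream patch), a hardened PHP handler for a multi-file upload field that validates every $_FILES index and filename before anything touches the filesystem; the field name "docs", the destination directory and the stubbed upload check used for the offline run are assumptions.

```php
<?php
// Added example, not code from the PHP bug report or the upstream patch.
// Each index and name under $_FILES['docs'] is checked before move_uploaded_file()
// runs, so a corrupted index or a name carrying path components cannot steer the
// destination outside $destDir. The field name "docs" is an assumption.

function collect_safe_uploads(array $files, string $field, string $destDir,
                              ?callable $isUploaded = null): array
{
    $isUploaded ??= 'is_uploaded_file';          // real check unless a stub is injected
    $entry = $files[$field] ?? null;
    // A multi-file field yields parallel arrays under name/tmp_name/error; reject anything else.
    if (!is_array($entry) || !is_array($entry['name'] ?? null)) {
        return [];
    }
    $realDir = realpath($destDir);
    if ($realDir === false || !is_dir($realDir)) {
        return [];
    }
    $accepted = [];
    foreach ($entry['name'] as $idx => $name) {
        // A normal multi-file upload produces only integer indices with string values.
        if (!is_int($idx) || !is_string($name)) {
            continue;
        }
        $tmp   = $entry['tmp_name'][$idx] ?? null;
        $error = $entry['error'][$idx] ?? UPLOAD_ERR_NO_FILE;
        if (!is_string($tmp) || $error !== UPLOAD_ERR_OK || !$isUploaded($tmp)) {
            continue;
        }
        // The client-supplied name is never used as a path: a conservative character
        // set rules out '/', '\\' and '..' outright instead of trying to strip them.
        if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$/', $name)) {
            continue;
        }
        $accepted[$idx] = ['tmp' => $tmp, 'target' => $realDir . '/' . $name];
    }
    return $accepted;
}

// Constructed input standing in for $_FILES, with the upload check stubbed so this runs offline.
$sample = ['docs' => [
    'name'     => [0 => 'report.pdf', 1 => '../../etc/passwd', 'x' => 'odd.txt'],
    'tmp_name' => [0 => '/tmp/phpA1', 1 => '/tmp/phpB2', 'x' => '/tmp/phpC3'],
    'error'    => [0 => UPLOAD_ERR_OK, 1 => UPLOAD_ERR_OK, 'x' => UPLOAD_ERR_OK],
]];
$ok = collect_safe_uploads($sample, 'docs', sys_get_temp_dir(), fn(string $p): bool => true);
var_dump(array_keys($ok));   // indices that passed validation (traversal name and string key dropped)

// Real request handling: only validated entries are moved.
foreach (collect_safe_uploads($_FILES, 'docs', __DIR__ . '/uploads') as $u) {
    move_uploaded_file($u['tmp'], $u['target']);
}
```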
Comment 1 Kurt Seifried 2012-03-12 22:30:51 EDT
As far as I can tell this only affects the 5.4 beta; I'll check our RPMs as time permits.
Comment 2 Jan Lieskovsky 2012-04-18 05:01:03 EDT
Upstream patch:
http://svn.php.net/viewvc?view=revision&revision=321664

Novell Bugzilla record:
https://bugzilla.novell.com/show_bug.cgi?id=752030
Comment 3 Jan Lieskovsky 2012-04-18 05:01:50 EDT
Possible reproducer (from https://bugzilla.novell.com/show_bug.cgi?id=752030#c2):

TEST_PHP_EXECUTABLE=/usr/bin/php TEST_PHP_CGI_EXECUTABLE=/usr/bin/php-cgi
./run-tests.php ~/work/php5/752030/bug55500.phpt
Comment 4 Vincent Danen 2012-04-26 11:09:26 EDT
PHP 5.3.11 and 5.4.1 fix this:

Fixed bug #54374 (Insufficient validating of upload name leading to corrupted $_FILES indices). (CVE-2012-1172).

as per:

http://www.php.net/archive/2012.php#id2012-04-26-1
Comment 5 Vincent Danen 2012-04-26 11:10:38 EDT
Created php tracking bugs for this issue

Affects: fedora-all [bug 816639]
Comment 6 Fedora Update System 2012-05-06 22:48:33 EDT
php-5.3.11-1.fc15, php-eaccelerator-0.9.6.1-9.fc15.3, maniadrive-1.2-32.fc15.3 have been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2012-05-06 22:49:31 EDT
php-5.3.11-1.fc16, php-eaccelerator-0.9.6.1-9.fc16.3, maniadrive-1.2-32.fc16.3 have been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2012-05-07 00:17:38 EDT
php-5.4.1-1.fc17, maniadrive-1.2-38.fc17 have been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Tomas Hoger 2012-05-15 10:06:52 EDT
Upstream PHP bugs:
  https://bugs.php.net/bug.php?id=54374
  https://bugs.php.net/bug.php?id=55500
Comment 13 errata-xmlrpc 2012-06-27 11:52:20 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1047 https://rhn.redhat.com/errata/RHSA-2012-1047.html
Comment 14 errata-xmlrpc 2012-06-27 11:52:57 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1046 https://rhn.redhat.com/errata/RHSA-2012-1046.html
Comment 15 errata-xmlrpc 2012-06-27 11:54:09 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1045 https://rhn.redhat.com/errata/RHSA-2012-1045.html