PHP News - 04 July 2018

PHP Changelog - https://php.net

• PHP 7.3.0 alpha 1 & 2 released

  • 07 Jun 2018: PHP 7.3.0 alpha 1 Released
  • 21 Jun 2018: PHP 7.3.0 alpha 2 Released
  • https://github.com/php/php-src/blob/php-7.3.0alpha2/UPGRADING
    • Backward Incompatible Changes
      • (Line 33) Core: Interpretation of indented end label in heredoc/nowdoc.
      • (Line 60) PDO/MySQL: Prepared stmts now report fractional seconds for DATETIME/TIME/TIMESTAMP columns.
    • New Features
      • (Line 78) Core: Closing marker for heredoc/nowdoc may be indented.
      • (Line 106) Core: New CompileError exception.
    • Changed Functions
      • (Line 171) JSON: New JSON_THROW_ON_ERROR flag allows json_encode() and json_decode() to throw JsonException on error instead of just setting global error state to be retrieved by json_last_error().
    • New Functions
      • (Line 248) Standard: Added is_countable() function. See https://wiki.php.net/rfc/is-countable

• 21 Jun 2018: PHP 7.2.7 Released

  • http://www.php.net/ChangeLog-7.php#7.2.7
  • CLI Server: Fixed bug #76333 (PHP built-in server does not find files if root path contains special characters).
    • https://bugs.php.net/bug.php?id=76333

• 25 Jun 2018: PHP 7.1.19 Released

  • http://www.php.net/ChangeLog-7.php#7.1.19
  • Standard: Fixed bug #76335 ("link(): Bad file descriptor" with non-ASCII path).
    • Also fixed in PHP 7.2.7
    • https://bugs.php.net/bug.php?id=76335

CVE (Common Vulnerabilities and Exposures) - https://cve.mitre.org

• 09 Apr 2018: CVE-2018-9857

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9857
  • PHP Scripts Mall Match Clone Script 1.0.4 has XSS via the search field to searchbyid.php (aka the "View Search By Id" screen).
  • https://www.exploit-db.com/exploits/44486/
    • Use Microsoft Edge or Firefox. Chrome blocks XSS attack.
    • Go to https://www.phpscriptsmall.com/product/match-clone/, User Demo, Search (menu), click View Search By Id link (http://74.124.215.220/~matridemo/multi-religion/searchbyid.php)
    • Put <script>alert('PHP July 2018')</script>

• 22 Dec 2016: CVE-2016-10033

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10033

  • The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.

  • Vulnerability

    • setFrom: https://github.com/PHPMailer/PHPMailer/blob/v5.2.17/class.phpmailer.php#L1018

    • validateAddress: https://github.com/PHPMailer/PHPMailer/blob/v5.2.17/class.phpmailer.php#L1068

    • Validation does not cover use case where email address has quotation marks. This allows additional parameters to be injected in the address in the form: "Attacker \" -Param2 -Param3"@test.com

    • mailSend: https://github.com/PHPMailer/PHPMailer/blob/v5.2.17/class.phpmailer.php#L1445

    • Demo

      $params = sprintf('-f%s', $this->Sender);
      $params:
      -f"evil\" -oQ/tmp/ -X/var/www/html/asg1/demo/footer.php sender"@vulnerable.com
      
      // This will cause sendmail to execute with (other options omitted for brevity):
      Arg no. 0 = [/usr/sbin/sendmail] // binary
      Arg no. 1 = [-fevil\] // set sender name
      Arg no. 2 = [-oQ/tmp/] // set queue group
      Arg no. 3 = [-X/var/www/html/cs4239-asg1-patch/footer.php] // path of log file
      Arg no. 4 = [-sender"@vulnerable.com] // invalid option

  • Patch in PHPMailer 5.2.18

    • https://github.com/PHPMailer/PHPMailer/compare/v5.2.17...v5.2.18#diff-ace81e501931d8763b49f2410cf3094dR1446

    • escapeshellarg function applied on the sender email address in PHPMailer::mailSend()

    • Demo

      $params = sprintf('-f%s', escapeshellarg($this->Sender));
      $params: // note the single quotes
      -f'"evil\" -oQ/tmp/ -X/var/www/html/cs4239-asg1-patch/footer.php sender"@vulnerable.com'
      
      // This will cause sendmail to execute with (other options omitted for brevity):
      Arg no. 0 = [/usr/sbin/sendmail]
      Arg no. 1 = [-f"evil\" -oQ/tmp/ -X/var/www/html/cs4239-asg1-patch/footer.php sender"@vulnerable.com] // valid email local-part within quotes

  • Bypass

    • Patch incomplete, leading to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10045
    • Another patch via PHPMailer 5.2.20
    • https://github.com/PHPMailer/PHPMailer/compare/v5.2.18...v5.2.20#diff-ace81e501931d8763b49f2410cf3094dR1484
    • Adding of isShellSafe method to prevent usage of single quotes to bypass v5.2.18 patch.