php-5.2.9.2,[PHP]PHP小于5.2.9版本号的Windows版本存在本地漏洞

已经证实在小于5.2.9版本号的Windows版PHP中，存在一个安全模式下的本地旁路漏洞。

这个漏洞是因为Windows系统和Linux/UNIX系统对待目录的不同造成的(\和/的区别)。

原文内容：

Abysssec Inc Public Advisory

Title : PHP <= 5.2.9 SafeMod Bypass Vulnerability

Affected Version : Tested on 5.2.8, 5.2.6 but previous versions maybe be afftect

Vendor Site :

Vulnerability Discoverd by :

Description :

Here is another safemod bypass vulnerability exist in php <= 5.2.9 on windows .

the problem comes from OS behavior - implement and interfacing between php

and operation systems directory structure . the problem is php won't tell difference

between directory browsing in linux and windows this can lead attacker to ability

execute his / her commands on targert machie even in SafeMod On (php.ini setting) .

Vulnerability :

in linux when you want open a directory for example php directory you need

to go to /usr/bin/php and you can't use \usr\bin\php . but windows won't tell

diffence between slash and back slash it means there is no didffrence between

c:\php and c:/php , and this is not vulnerability but itself but because of this simple

php implement "\" character can escape safemode using function like excec .

PoC / Exploit :

orginal : /safemod-windows.zip

mirror :

note : this vulnerabities is just for educational purpose and showing vulnerability exist

so author will be not be responsible for any damage using this vulnerabilty.

for more information visit Abysssec.com

feel free to contact me at admin [at] abysssec.com