undefined | Better HN

0 pointsxorcist11y ago0 comments

I would like to reply to this but it is very hard to understand what you are alluding to. What is this software that one fifth of companies run and why is technically savvy in scare quotes, along with some veiled reference to something called spray-and-pray?

It's really impossible to understand you, but fastcgi_params does not put attacker controlled data into environment variables (without the quotes). That much is clear so normal usage of fastcgi is not in danger.

0 comments

5 comments · 2 top-level

moduloo11y ago· 2 in thread

> but fastcgi_params does not put attacker controlled data into environment variables

it does

https://gist.github.com/anonymous/ea60dc2915eccf0b803e

xorcistOP11y ago

It looks like you have dumped the a PHP global variable, possibly $_ENV. Do you know of any circumstances where _ENV, or any other PHP variable with potentially untrusted data, is passed in environment variables?

moduloo11y ago

i'm working on it it, but it looks like it works only under rare conditions

patio1111y ago· 1 in thread

I will try being maximally explicit.

What is this software that one fifth of companies run

A ridiculously popular application, written in PHP, which is widely useful to software companies (among others).

why is technically savvy in scare quotes

I originally wrote "startup" then thought "Actually, this is deployed by a lot of people who aren't startups or who are only arguably startups, hmm, that is an unproductive debate, let's just say what I mean then move on."

some veiled reference to something called spray-and-pray?

Many applications have a well-known set of URLs associated with them. A spray-and-pray exploit is one which you can just fire at a well-known URL at every machine which responds to port 80 in IP4 space. The reason I am not identifying the vulnerable software written in PHP is that it would allow any script kiddie smart enough to text edit the existing exploit scripts to exploit that software as an additional vector.

fastcgi_params does not put attacker controlled data into environment variables (without the quotes)

I'm absolutely positive that fastcgi_params does indeed clobber $_ENV with attacker supplied data if PHP is configured as described above. I am less strongly confident that some configurations of PHP will allow $_ENV to get to at least some subprocesses. I am absolutely confident that some configurations of PHP will not allow you to set $_ENV nor set environmental variables. I have figured out ways to configure it which put the fastcgi_params in $_SERVER but not $_ENV and, separately, in $_ENV but not in environment variables passed to subprocesses. I'm aware of a PHP command which the documentation suggests defaults to passing $_ENV as actual environment variables to subprocesses but which I have not been able to verify actually works as the documentation says, due to it being 6 AM in the morning local time and me having insufficient motivation to continue finding more reasons to justify the conclusion that this bug is very, very bad news and bash needs to get patched immediately everywhere.

xorcistOP11y ago

> I'm absolutely positive that fastcgi_params does indeed clobber $_ENV with attacker supplied data if PHP is configured as described above.

This is irrelevant. There is no known hole with global variables containing untrusted data.

> I am less strongly confident that some configurations of PHP will allow $_ENV to get to at least some subprocesses.

This could be relevant, if it is indeed passed in the environment.

However I can find no reference in the PHP documentation to this. That does not count for much, admittedly, and I am not very fluent in PHP. If this is real then it is a problem for many people so please share.

> I'm aware of a PHP command which the documentation suggests defaults to passing $_ENV as actual environment variables to subprocesses

Please spell it out already. I've been testing for the better part of two hours to find what you are alluding to, but I have no idea if I'm wasting my time or not.

j / k navigate · click thread line to collapse

0 comments

5 comments · 2 top-level

moduloo11y ago· 2 in thread

> but fastcgi_params does not put attacker controlled data into environment variables

it does

https://gist.github.com/anonymous/ea60dc2915eccf0b803e

xorcistOP11y ago

moduloo11y ago

i'm working on it it, but it looks like it works only under rare conditions

patio1111y ago· 1 in thread

I will try being maximally explicit.

What is this software that one fifth of companies run

A ridiculously popular application, written in PHP, which is widely useful to software companies (among others).

why is technically savvy in scare quotes

some veiled reference to something called spray-and-pray?

fastcgi_params does not put attacker controlled data into environment variables (without the quotes)

xorcistOP11y ago

> I'm absolutely positive that fastcgi_params does indeed clobber $_ENV with attacker supplied data if PHP is configured as described above.

This is irrelevant. There is no known hole with global variables containing untrusted data.

> I am less strongly confident that some configurations of PHP will allow $_ENV to get to at least some subprocesses.

This could be relevant, if it is indeed passed in the environment.

> I'm aware of a PHP command which the documentation suggests defaults to passing $_ENV as actual environment variables to subprocesses

Please spell it out already. I've been testing for the better part of two hours to find what you are alluding to, but I have no idea if I'm wasting my time or not.

j / k navigate · click thread line to collapse