Lab Notes

Musings on Wi-Fi security issues, our product plans, and the general state of the world.

Web Application Vulnerability on Mac OS X

Help Net Security has released details of a Mac OS X web server exploit that can be used to reveal the source code of PHP and other web applications. This is troublesome because a typical PHP application includes things like database server passwords. Apple has already patched the vulnerability in Security Update 2004-12-02.
The exploit is based on how Apple mapped the HFS+ file system, which includes multi-forked files, onto the POSIX file access routines, which have no concept of multi-forked files. To make data forks and resource forks accessible through these routines, Apple created special file suffixes. For a file called "/Users/chris/stuff.txt", you can access the data fork by opening it as "/Users/chris/stuff.txt/..namedfork/data", and the resource fork by opening it as "/Users/chris/stuff.txt/..namedfork/rsrc".
This file opening scheme can be exploited because web servers determine how to treat a file based on its file suffix. Thus, the file "example.php" will be sent to the PHP processor and treated as an executable script. However, if an attacker requests the file "example.php/..namedfork/data", the requested name no longer ends in ".php", so the web server will treat it as a text file and simply send its contents to the attacker, exposing whatever secrets may be in the file.
In addition to the Apple fix, 4D has an updated version of WebSTAR available.
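To check whether a server received requests of this form, the sketch below scans access-log lines for a "..namedfork" path segment and shows how suffix-based dispatch classifies each request. It is an added example, not code from Apple, 4D, or Help Net Security; the handler table, function names, and log lines are constructed for illustration, and the log format is assumed to be Common/Combined Log Format.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Simplified suffix-to-handler table (assumption; real servers map many more).
HANDLERS = {".php": "php-interpreter", ".cgi": "cgi"}

# Request line and status inside a Common/Combined Log Format entry.
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def handler_for(url_path):
    """Pick a handler from the suffix of the last path segment only."""
    suffix = posixpath.splitext(url_path.rsplit("/", 1)[-1])[1].lower()
    return HANDLERS.get(suffix, "static-file")


def is_fork_request(target):
    """True if any decoded path segment is the '..namedfork' selector."""
    path = urlsplit(target).path
    for _ in range(3):  # undo up to three layers of percent-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Case-fold so case variants are flagged too (a conservative choice).
    return any(seg.casefold() == "..namedfork" for seg in path.split("/"))


def scan(log_lines):
    """Return (target, status) for every logged request that names a fork."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and is_fork_request(m.group(1)):
            hits.append((m.group(1), int(m.group(2))))
    return hits


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Feb/2005:09:40:01 -0800] "GET /example.php HTTP/1.1" 200 512',
    '192.0.2.44 - - [18/Feb/2005:09:41:13 -0800] "GET /example.php/..namedfork/data HTTP/1.1" 200 2048',
    '192.0.2.44 - - [18/Feb/2005:09:41:20 -0800] "GET /example.php/%2e%2eNamedFork/rsrc HTTP/1.0" 404 0',
    '192.0.2.71 - - [18/Feb/2005:09:42:02 -0800] "GET /docs/namedfork.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for target, status in scan(SAMPLE_LOG):
        print(status, handler_for(urlsplit(target).path), target)
```

A hit with a 200 status on a script path means the file's source may have been served, so any credentials stored in that file should be rotated.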
By Periodik Labs on February 18, 2005 9:52 AM