
Belatedly checking whether CVE-2018-7600 also works against PHP 5.3.29 + Drupal 7.57

Posted at 2018-05-09

Plenty of good PoCs and verification write-ups are already out there, but I was vaguely curious whether the bug also triggers on an old PHP (5.3.29) + Drupal 7 (7.57) combination, so I gave it a try.

References

Dockerfile

I used https://github.com/docker-library/drupal/blob/ff8962fc943001457c6919fa42e3d875b9fab9f7/7/fpm-alpine/Dockerfile with a few changes.

# modified from https://github.com/docker-library/drupal/blob/ff8962fc943001457c6919fa42e3d875b9fab9f7/7/fpm-alpine/Dockerfile
# from https://www.drupal.org/docs/8/system-requirements/drupal-8-php-requirements
FROM cespi/php-5.3:apache-latest

# install the PHP extensions we need
# postgresql-dev is needed for https://bugs.alpinelinux.org/issues/3642
RUN set -ex \
        && apk add --no-cache --virtual .build-deps \
                coreutils \
                freetype-dev \
                libjpeg-turbo-dev \
                libpng-dev \
                postgresql-dev \
                mysql-dev \
        && docker-php-ext-configure gd \
                --with-freetype-dir=/usr/include/ \
                --with-jpeg-dir=/usr/include/ \
                --with-png-dir=/usr/include/ \
        && docker-php-ext-install -j "$(nproc)" \
                gd \
                pdo_mysql \
                pdo_pgsql \
                zip \
        && runDeps="$( \
                scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
                        | tr ',' '\n' \
                        | sort -u \
                        | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
        )" \
        && apk add --virtual .drupal-phpexts-rundeps $runDeps \
        && apk del .build-deps

WORKDIR /var/www/html

# https://www.drupal.org/node/3060/release
ENV DRUPAL_VERSION 7.57

RUN curl -fSL "https://ftp.drupal.org/files/projects/drupal-${DRUPAL_VERSION}.tar.gz" -o drupal.tar.gz \
        && tar -xz --strip-components=1 -f drupal.tar.gz \
        && rm drupal.tar.gz \
        && chown -R apache:apache sites modules themes

Build & run

$ docker build -t php5.3-drupal7.57 .
$ docker run --rm -p 8888:80 -it php5.3-drupal7.57 /bin/sh
# php -v
PHP 5.3.29 (cli) (built: Mar  2 2018 05:47:50) 
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2014 Zend Technologies
# head CHANGELOG.txt 

Drupal 7.57, 2018-02-21
-----------------------
- Fixed security issues (multiple vulnerabilities). See SA-CORE-2018-001.
# apache2-foreground

Drupal setup

Opening 127.0.0.1:8888 in a web browser brings up the setup screen.
Since only I will access it and it will be thrown away right after, I just clicked through the settings with whatever values.

Database type: set to SQLite.

"Check for updates automatically" is not needed this time, so I unchecked it.

Running the PoC

I changed only HOST in the PoC, as below, and ran it:

HOST="http://127.0.0.1:8888/"
$ python poc.py 
uid=100(apache) gid=101(apache) groups=82(www-data),101(apache),101(apache)
[{"command":"settings","settings":{"basePath":"\/","pathPrefix":"","ajaxPageState":{"theme":"bartik","theme_token":"X7siR-pLKNCRutCt9skQo7pL26N7ii6s4n90_B67xHM"}},"merge":true},{"command":"insert","method":"replaceWith","selector":null,"data":"","settings":{"basePath":"\/","pathPrefix":"","ajaxPageState":{"theme":"bartik","theme_token":"X7siR-pLKNCRutCt9skQo7pL26N7ii6s4n90_B67xHM"}}}]

The output of id shows up on the first line.

Trying it against a patched Drupal 7

I changed only the version line in the Dockerfile, rebuilt, started Drupal the same way as above, and ran the PoC again.

ENV DRUPAL_VERSION 7.58

(omitted)

$ python poc.py 
[{"command":"settings","settings":{"basePath":"\/","pathPrefix":"","ajaxPageState":{"theme":"bartik","theme_token":"_YA9HSTEjkHjriAROnCyQtDwtuGFtfm55o4OV6-9xaY"}},"merge":true},{"command":"insert","method":"replaceWith","selector":null,"data":"\u003Cdiv class=\u0022messages error\u0022\u003E\n\u003Ch2 class=\u0022element-invisible\u0022\u003EError message\u003C\/h2\u003E\n \u003Cul\u003E\n  \u003Cli\u003E\u003Cem class=\u0022placeholder\u0022\u003ENotice\u003C\/em\u003E: Undefined index: #value in \u003Cem class=\u0022placeholder\u0022\u003Efile_ajax_upload()\u003C\/em\u003E (line \u003Cem class=\u0022placeholder\u0022\u003E263\u003C\/em\u003E of \u003Cem class=\u0022placeholder\u0022\u003E\/var\/www\/html\/modules\/file\/file.module\u003C\/em\u003E).\u003C\/li\u003E\n  \u003Cli\u003E\u003Cem class=\u0022placeholder\u0022\u003ENotice\u003C\/em\u003E: Undefined index: #suffix in \u003Cem class=\u0022placeholder\u0022\u003Efile_ajax_upload()\u003C\/em\u003E (line \u003Cem class=\u0022placeholder\u0022\u003E281\u003C\/em\u003E of \u003Cem class=\u0022placeholder\u0022\u003E\/var\/www\/html\/modules\/file\/file.module\u003C\/em\u003E).\u003C\/li\u003E\n \u003C\/ul\u003E\n\u003C\/div\u003E\n\u003Cspan class=\u0022ajax-new-content\u0022\u003E\u003C\/span\u003E","settings":{"basePath":"\/","pathPrefix":"","ajaxPageState":{"theme":"bartik","theme_token":"_YA9HSTEjkHjriAROnCyQtDwtuGFtfm55o4OV6-9xaY"}}}]

No id output this time.

Result

Even the old stack gets hit.
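As an added example (not part of the original post), a small defender-side check that applies the post's conclusion: it parses the `head CHANGELOG.txt` and `php -v` output shown above and reports whether a Drupal 7 install predates the 7.58 fix, deliberately ignoring the PHP version. The sample strings are constructed copies of the page's shell output.

```python
import re

# Drupal 7 release that closed the bug the post tests (7.57 vulnerable, 7.58 patched).
FIXED_DRUPAL7 = (7, 58)

# Constructed copies of the output shown in the post's shell session.
CHANGELOG_757 = """
Drupal 7.57, 2018-02-21
-----------------------
- Fixed security issues (multiple vulnerabilities). See SA-CORE-2018-001.
"""
PHP_V_OUTPUT = """PHP 5.3.29 (cli) (built: Mar  2 2018 05:47:50)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2014 Zend Technologies
"""


def parse_drupal_version(changelog_text):
    """Return (major, minor) from the first 'Drupal X.Y, <date>' header in CHANGELOG.txt."""
    m = re.search(r"^Drupal (\d+)\.(\d+),", changelog_text, re.MULTILINE)
    if not m:
        raise ValueError("no 'Drupal X.Y, <date>' release header found")
    return int(m.group(1)), int(m.group(2))


def parse_php_version(php_v_text):
    """Return (major, minor, patch) from the first line of `php -v`."""
    m = re.match(r"PHP (\d+)\.(\d+)\.(\d+)", php_v_text)
    if not m:
        raise ValueError("unrecognised `php -v` output")
    return tuple(int(g) for g in m.groups())


def assess(changelog_text, php_v_text):
    """Decide exposure from the Drupal release alone; the PHP version is recorded but not used."""
    drupal = parse_drupal_version(changelog_text)
    php = parse_php_version(php_v_text)
    if drupal[0] != 7:
        # Only the Drupal 7 branch is covered here; other branches have their own fixed releases.
        return {"drupal": drupal, "php": php, "vulnerable": None}
    return {"drupal": drupal, "php": php, "vulnerable": drupal < FIXED_DRUPAL7}


if __name__ == "__main__":
    for label, log in (("7.57", CHANGELOG_757), ("7.58", CHANGELOG_757.replace("7.57", "7.58"))):
        r = assess(log, PHP_V_OUTPUT)
        print(label, "PHP %d.%d.%d" % r["php"], "vulnerable:", r["vulnerable"])
```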

Getting the old PHP environment set up was by far the hardest part of the whole exercise...
