In suEXEC_Daemon mode, the LiteSpeed web server spawns one PHP master process during startup. It runs as root and accepts LSAPI requests, which in turn specify which user the script should run as. The LSAPI request is authenticated with a MAC, which is based on a pre-shared random key between PHP and the web server. The researchers found that the LiteSpeed PHP SAPI module did not clear this secret in its child processes, so it was available in the PHP process memory space of the child processes. The fixed versions of PHP are 5.5.31, 5.6.17, and 7.0.2.
In suEXEC_Daemon mode, the LiteSpeed web server spawns one PHP master
process during startup. It runs as root and accepts LSAPI requests,
which in turn specify which user the script should run as.
The LSAPI request is authenticated with a MAC, which is based on a
pre-shared random key between PHP and the web server.
We found that the LiteSpeed PHP SAPI module did not clear this secret in
its child processes, so it was available in the PHP process memory space
of the child processes.
The fix is available in the commit:
https://github.com/php/php-src/commit/c60d4b97707c513ee8b554eecf1c5c653cae5998#diff-19cd0c042863b5e723b785a39a866a25
The fixed versions of PHP are: 5.5.31, 5.6.17 and 7.0.2.
More information:
http://www.search-lab.hu/about-us/news/111-some-unusual-vulnerabilities-in-the-php-engine
Imre Rad
Search-Lab Ltd.
http://www.search-lab.hu/
http://www.scademy.com/
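
A generic illustration of the issue class described above, added here and not taken from php-src or the fix commit: a forked worker inherits a copy of the master's memory, so a key held by the master stays readable in the worker unless the worker wipes it. The names `g_secret`, `wipe`, `key_present` and `child_sees_secret`, and the 0xA5 key bytes, are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define KEY_LEN 16

/* Constructed stand-in for the pre-shared MAC key held by the master. */
static unsigned char g_secret[KEY_LEN];

/* Wipe through a volatile pointer so the compiler cannot drop the stores. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Returns 1 if any key byte is still set in this process's copy. */
static int key_present(void) {
    for (size_t i = 0; i < KEY_LEN; i++)
        if (g_secret[i] != 0) return 1;
    return 0;
}

/* Fork a worker and report what it can see: 1 if the worker still holds
 * the key, 0 if it does not, -1 on error. */
int child_sees_secret(int wipe_after_fork) {
    memset(g_secret, 0xA5, KEY_LEN);   /* master loads its (constructed) key */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Worker: once the key is no longer needed in this process, wipe
         * it before any user-controlled script gets to run here. */
        if (wipe_after_fork) wipe(g_secret, KEY_LEN);
        _exit(key_present());          /* report the result via exit status */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    printf("no wipe:   key in worker = %d\n", child_sees_secret(0));
    printf("with wipe: key in worker = %d\n", child_sees_secret(1));
    return 0;
}
```

The wipe in the worker does not affect the master: after `fork()` each process has its own copy of the page, so the master keeps its key for authenticating later requests.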