exploit the possibilities

PHP LiteSpeed suEXEC_Daemon Secret Disclosure

PHP LiteSpeed suEXEC_Daemon Secret Disclosure
Posted Jan 25, 2016
Authored by Imre Rad

In suEXEC_Daemon mode of the LiteSpeed web server spawns one PHP master process during startup. It is running as root and accepts LSAPI requests, which in turn specify what user under the script should run. The LSAPI request is authenticated with a MAC, which is based on pre-shared random key between the the PHP and the web server. The researchers found that the Litespeed PHP SAPI module did not clear this secret in its child processes so it was available in the PHP process memory space of the child processes. The fixed versions of PHP are 5.5.31, 5.6.17, and 7.0.2.

tags | advisory, web, root, php, info disclosure
MD5 | d25313bc2ac96b7c25905a3525cc4e8e

PHP LiteSpeed suEXEC_Daemon Secret Disclosure

Change Mirror Download
In suEXEC_Daemon mode of the LiteSpeed web server spawns one PHP master
process during startup. It is running as root and accepts LSAPI
requests, which in turn specify what user under the script should run.
The LSAPI request is authenticated with a MAC, which is based on
preshared random key between the the PHP and the web server.

We found, the Litespeed PHP SAPI module did not clear this secret in its
child processes so it was available in the PHP process memory space of
the child processes.

The fix is available with the commit
https://github.com/php/php-src/commit/c60d4b97707c513ee8b554eecf1c5c653cae5998#diff-19cd0c042863b5e723b785a39a866a25
The fixed versions of PHP are: 5.5.31, 5.6.17 and 7.0.2.

More information:
http://www.search-lab.hu/about-us/news/111-some-unusual-vulnerabilities-in-the-php-engine

Imre Rad
Search-Lab Ltd.
http://www.search-lab.hu/
http://www.scademy.com/
Login or Register to add favorites

File Archive:

September 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    20 Files
  • 2
    Sep 2nd
    15 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    4 Files
  • 5
    Sep 5th
    1 Files
  • 6
    Sep 6th
    1 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    27 Files
  • 9
    Sep 9th
    7 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    9 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    25 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    15 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close