SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   PHP Vendors:   PHP Group
PHP Flaw in parse_str() May Let Remote Users Turn register_globals On
SecurityTracker Alert ID:  1015131
SecurityTracker URL:  http://securitytracker.com/id/1015131
CVE Reference:   CVE-2005-3389   (Links to External Site)
Updated:  Nov 10 2005
Original Entry Date:  Nov 1 2005
Impact:   Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4 - 4.4.0, 5 - 5.0.5
Description:   A vulnerability was reported in PHP in the parse_str() function. A remote user may be able to turn the register_globals directive on.

The parse_str() does not properly process input data when called with only one parameter. In this case, the function internally turns the register_globals flag on and then off. A remote user may be able to trigger a memory_limit request termination during such a call to the parse_str() function by sending an excessive number of request variables to consume enough memory. This may cause the register_globals flag to be left on.

The specific impact depends on the PHP applications that use the affected function.

The original advisory is available at:

http://www.hardened-php.net/advisory_192005.78.html

Stefan Esser of the Hardened-PHP Project reported this vulnerabilities.

Impact:   A remote user may be able to turn the register_globals flag on. The specific impact depends on the PHP applications that use the affected function.
Solution:   The vendor has issued a fixed version (4.4.1), available at:

http://www.php.net/downloads.php#v4

No solution was available at the time of this entry for PHP 5.

Vendor URL:  www.php.net/ (Links to External Site)
Cause:   State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Nov 10 2005 (Red Hat Issues Fix) PHP Flaw in parse_str() May Let Remote Users Turn register_globals On
Red Hat has released a fix for Red Hat Enterprise Linux 2.1.
Nov 11 2005 (Red Hat Issues Fix) PHP Flaw in parse_str() May Let Remote Users Turn register_globals On
Red Hat has released a fix for Red Hat Enterprise Linux 3 and 4.



 Source Message Contents

Subject:  [Full-disclosure] Advisory 19/2005: PHP register_globals Activation

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-


     Advisory: PHP register_globals Activation Vulnerability in parse_str()
 Release Date: 2005/10/31
Last Modified: 2005/10/31
       Author: Stefan Esser [sesser@hardened-php.net]

  Application: PHP4 <= 4.4.0
               PHP5 <= 5.0.5
     Severity: Unsafe termination of parse_str() may result in the 
               register_globals directive turned back on
         Risk: Low
Vendor Status: Vendor has released a bugfixed PHP 4 version
   References: http://www.hardened-php.net/advisory_192005.78.html


Overview:

   PHP is a widely-used general-purpose scripting language that is
   especially suited for Web development and can be embedded into HTML.

   During the development of the Hardening-Patch which adds security 
   hardening features to the PHP codebase, several vulnerabilities 
   within PHP were discovered. This advisory describes one of these 
   flaws concerning a weakness in the implementation of the parse_str()
   function. Under certain conditions triggering the memory_limit
   request shutdown during a parse_str() call will result in the core
   of PHP believing that the register_globals directive is turned on
   (for the rest of the lifetime of the involved webserver process).

   This may allow an attacker to exploit security flaws in PHP 
   applications that exist due to uninitialised global variables.


Details:

   When parse_str() is called with only one parameter it parses the
   supplied string, as if it were the query string passed via a URL 
   and sets variables in the global scope. This is achieved by 
   internally switching register_globals on, while the string is
   parsed.
   
   Unfortunately it could be possible for an external attacker to 
   trigger the memory_limit request termination during such a call
   to parse_str() by sending a lot of request variables to consume
   enough memory to trigger the limit. (It is described elsewhere
   how it is possible to consume a lot of memory with a small 
   request body). If the request shutdown is executed during the
   call to parse_str() the register_globals flag is left on, for
   the rest of the lifetime of the involved webserver process.
   
   Because the flag is only internally changed and this has nothing
   todo with setting ini variables, the script is not able to detect
   that register_globals is on in an easy way. This tricks a lot of
   register_globals deregistration layers, because they usually
   only get activated when the ini_get() functions returns that
   register_globals is turned on.
   
   This vulnerability is rated low, because calls to parse_str() 
   with only one parameter are very rare. Additionally even if
   register_globals is turned on without the script knowing, this
   is only a security problem if the affected script does not
   properly intialise it's variables.


Proof of Concept:

   The Hardened-PHP project is not going to release exploits for any
   of these vulnerabilities to the public.


Recommendation:

   It is strongly recommended to upgrade to the new PHP-Releases as
   soon as possible, because it also fixes a few vulnerabilities,
   that are rated critical. Additionally we always recommend to
   run PHP with the Hardening-Patch applied.


GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1


Copyright 2005 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFDZh0ORDkUzAqGSqERAkJ8AKDJzbJ+v0YD7RQbePeFnUH6sgkSRQCgw82n
Jwa8tdVX+CzgBbyVAuAAtbQ=
=Qo+A
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC