[php-maint] Re: another batch of php security issues for review
joey at infodrom.org
Fri Sep 1 07:56:10 UTC 2006
Moritz Muehlenhoff wrote:
> Martin Schulze wrote:
> > > CVE-2006-4020 (scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier,
> > > allows ...)
> > >
> > > "buffer underflow" could lead to code execution, though it
> > > isn't clear exactly how exploitable it is. according to the
> > > patch:
> > >
> > > http://bugs.php.net/bug.php?id=38322
> > >
> > > looks like an off-by-one type error, with a simple enough fix,
> > > anyway.
> > No, this is a non-issue. It requires a malicious PHP script to work.
> > The attacker could just use popen(), system() or any other means PHP
> > offers.
> We should fix this; it can be leveraged into code injection, and there
> seem to be applications which use it in a vulnerable manner.
> Also, the patch is easy to review and self-contained.
Please explain which application that is not written to exploit
this or another PHP bug contains PHP code like the following:
$object_zval = $eip_hop_over.$ptr_to_obj_handlers.$eip_hop_over.
$str = str_repeat($ptr_to_ptr_to_zval,20);
It's not as if sscanf( "a ", '%1$s', $str); per se opens a remote
code execution vulnerability; there are factors that also need
to be included - and they are only included if the PHP script is
written to exploit this one specifically.
If you come from outside of Finland, you live in wrong country.
-- motd of irc.funet.fi