[php-maint] Bug#507101: php5 dba ext: the inifile handler for the dba functions can be used to truncate a file

Raphael Geissert atomo64 at gmail.com
Fri Nov 28 01:56:59 UTC 2008


Source: php5
Version: 5.2.0-1
Severity: important
Tags: security patch

Hi,

When an invalid key is used when calling dba_replace on a dba inifile resource 
it leads to file truncation.

Example from SecurityReason[1]:
> # cat /www/dba.ham.php
> <?php
> $source=dba_open("/www/about.ini", "wlt", "inifile");
> dba_replace("\0","/www/",$source);
> ?>
> # php /www/dba.ham.php
> # cat /www/about.ini
> #

A patch is available at [2].
Note: this issue also affects php4, as shipped in etch.

[1]http://securityreason.com/achievement_securityalert/58
[2]http://cvs.php.net/viewvc.cgi/php-src/ext/dba/libinifile/inifile.c?r1=1.14.2.1.2.4&r2=1.14.2.1.2.5

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
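
A regression check for the behaviour reported above, as an added example that is not part of the original message or of the PHP patch: it repeats the reported call against a scratch file and reports whether the existing entries survive. The sample INI content, the function name `check_inifile_truncation` and the `/tmp` scratch location are assumptions.

```php
<?php
// Added example, not part of the original report. Written without type
// hints or short array syntax so it also parses on the old PHP releases
// the report is about.

// Constructed sample content for the scratch INI file.
define('SAMPLE_INI', "[about]\nname=example\nowner=webmaster\n");

function check_inifile_truncation()
{
    if (!extension_loaded('dba') || !in_array('inifile', dba_handlers())) {
        return 'skipped: dba inifile handler not available';
    }

    // Work on a scratch file, never on a real configuration file.
    $path = tempnam('/tmp', 'dbachk');
    $fh = fopen($path, 'w');
    fwrite($fh, SAMPLE_INI);
    fclose($fh);

    // Same open mode and key as the call quoted in the report.
    $db = dba_open($path, 'wlt', 'inifile');
    if ($db === false) {
        unlink($path);
        return 'skipped: dba_open failed';
    }
    // A fixed build may reject the key with a warning; suppress it and
    // judge only by what is left in the file.
    @dba_replace("\0", '/www/', $db);
    dba_close($db);

    clearstatcache();
    $after = file_get_contents($path);

    unlink($path);
    if (file_exists($path . '.lck')) {   // lock file created by the "l" flag
        unlink($path . '.lck');
    }

    // The original entries must still be present after the call.
    if (strpos($after, 'name=example') === false) {
        return 'AFFECTED: existing content was lost';
    }
    return 'ok: existing content preserved';
}

echo check_inifile_truncation(), "\n";
```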