1 | PHP 5.2.x Remote Code Execution Vulnerability |
2 | ||
3 | http://securityvulns.ru/docs27701.html | |
4 | http://www.securityfocus.com/archive/1/521695 | |
5 | http://www.securityfocus.com/bid/52065 | |
6 | http://xforce.iss.net/xforce/xfdb/73286 | |
7 | ||
8 | Description: | |
9 | ||
10 | If PHP bails out in startup stage before setting PG(modules_activated) | |
11 | to 1, the filter_globals struct is not cleaned up on shutdown stage. | |
12 | The subsequent request will use the uncleaned values in the filter_globals | |
13 | struct. With a specially crafted request, this problem can lead to | |
14 | information disclosure and remote code execution. | |
15 | ||
16 | Only the Apache module SAPIs are found to be vulnerable to this problem. | |
17 | Other SAPIs are safe because the PHP process exits when PHP bails | |
18 | out before setting PG(modules_activated) to 1. | |
19 | ||
20 | This bug was fixed before releasing 5.3.0. | |
21 | http://svn.php.net/viewvc?view=revision&revision=279522. But the patch | |
22 | is not backported to the 5.2 branch, as described in | |
23 | https://bugs.php.net/bug.php?id=47930 | |
24 | ||
25 | This patch backports it. | |
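--- a/branches/PHP_5_3/ext/filter/filter.c
+++ b/branches/PHP_5_3/ext/filter/filter.c
@@ -76,6 +76,7 @@
 #endif
 
 static unsigned int php_sapi_filter(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC);
+static unsigned int php_sapi_filter_init(TSRMLS_D);
 
 /* {{{ arginfo */
 ZEND_BEGIN_ARG_INFO_EX(arginfo_filter_input, 0, 0, 2)
@@ -270,7 +271,7 @@
 REGISTER_LONG_CONSTANT("FILTER_FLAG_NO_RES_RANGE", FILTER_FLAG_NO_RES_RANGE, CONST_CS | CONST_PERSISTENT);
 REGISTER_LONG_CONSTANT("FILTER_FLAG_NO_PRIV_RANGE", FILTER_FLAG_NO_PRIV_RANGE, CONST_CS | CONST_PERSISTENT);
 
- sapi_register_input_filter(php_sapi_filter);
+ sapi_register_input_filter(php_sapi_filter, php_sapi_filter_init);
 
 return SUCCESS;
 }
@@ -339,6 +340,17 @@
 }
 /* }}} */
 
+static unsigned int php_sapi_filter_init(TSRMLS_D)
+{
+ IF_G(get_array) = NULL;
+ IF_G(post_array) = NULL;
+ IF_G(cookie_array) = NULL;
+ IF_G(server_array) = NULL;
+ IF_G(env_array) = NULL;
+ IF_G(session_array) = NULL;
+ return SUCCESS;
+}
+
 static void php_zval_filter(zval **value, long filter, long flags, zval *options, char* charset, zend_bool copy TSRMLS_DC) /* {{{ */
 {
 filter_list_entry filter_func;

Property changes on: branches/PHP_5_3/ext/filter/filter.c
___________________________________________________________________
Modified: cvs2svn:cvs-rev
## -1 +1 ##
-1.52.2.39.2.15
+1.52.2.39.2.16
\ No newline at end of property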
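Review bot: php_sapi_filter_init (patch lines 51-60) only overwrites the six IF_G(*_array) pointers with NULL and never releases what they still point to, and nothing in the code says why that is the right thing to do. For the case the description gives — a request that bailed out before its shutdown stage ran — the zvals behind those pointers presumably went away with the request allocator, so dropping the pointers rather than calling zval_ptr_dtor on them is what avoids a double free, but that reasoning should be written down. I would put above the function: `/* Reset the per-request input-array cache at request activation. A request that bailed out before RSHUTDOWN leaves stale pointers here; they are dropped, not freed, because their storage is already gone. */`. Note also that the Index lines name branches/PHP_5_3 while the description presents this as the backport to 5.2, so it is worth confirming that these are the hunks actually applied to the 5.2 tree.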
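--- a/branches/PHP_5_3/main/SAPI.c
+++ b/branches/PHP_5_3/main/SAPI.c
@@ -326,6 +326,9 @@
 sapi_module.activate(TSRMLS_C);
 }
 }
+ if (sapi_module.input_filter_init ) {
+ sapi_module.input_filter_init(TSRMLS_C);
+ }
 }
 
 /*
@@ -392,6 +395,9 @@
 sapi_module.activate(TSRMLS_C);
 }
 }
+ if (sapi_module.input_filter_init ) {
+ sapi_module.input_filter_init(TSRMLS_C);
+ }
 }
 
 
@@ -925,13 +931,14 @@
 return SUCCESS;
 }
 
-SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC))
+SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC), unsigned int (*input_filter_init)(TSRMLS_D))
 {
 TSRMLS_FETCH();
 if (SG(sapi_started) && EG(in_execution)) {
 return FAILURE;
 }
 sapi_module.input_filter = input_filter;
+ sapi_module.input_filter_init = input_filter_init;
 return SUCCESS;
 }
 

Property changes on: branches/PHP_5_3/main/SAPI.c
___________________________________________________________________
Modified: cvs2svn:cvs-rev
## -1 +1 ##
-1.202.2.7.2.15.2.6
+1.202.2.7.2.15.2.7
\ No newline at end of property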
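Review bot: The result of sapi_module.input_filter_init is discarded at both call sites (the hunks at @@ -326 and @@ -392) even though the callback is declared to return unsigned int and the only implementation in this patch returns SUCCESS; either the callers should act on a non-SUCCESS result or the contract should state that the value is ignored. The two insertions are byte-identical, so a small static helper such as `static void sapi_run_input_filter_init(TSRMLS_D)` called from both activation paths would keep them from drifting apart. Minor style point: `if (sapi_module.input_filter_init )` carries a stray space before the closing parenthesis. The enclosing functions of the first two hunks begin outside the hunks, so I cannot see whether a bail-out earlier in them could skip the new call.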
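--- a/branches/PHP_5_3/main/SAPI.h
+++ b/branches/PHP_5_3/main/SAPI.h
@@ -192,7 +192,7 @@
 SAPI_API void sapi_unregister_post_entry(sapi_post_entry *post_entry TSRMLS_DC);
 SAPI_API int sapi_register_default_post_reader(void (*default_post_reader)(TSRMLS_D));
 SAPI_API int sapi_register_treat_data(void (*treat_data)(int arg, char *str, zval *destArray TSRMLS_DC));
-SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC));
+SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC), unsigned int (*input_filter_init)(TSRMLS_D));
 
 SAPI_API int sapi_flush(TSRMLS_D);
 SAPI_API struct stat *sapi_get_stat(TSRMLS_D);
@@ -259,6 +259,7 @@
 int phpinfo_as_text;
 
 char *ini_entries;
+ unsigned int (*input_filter_init)(TSRMLS_D);
 };
 
 

Property changes on: branches/PHP_5_3/main/SAPI.h
___________________________________________________________________
Modified: cvs2svn:cvs-rev
## -1 +1 ##
-1.114.2.1.2.3.2.7
+1.114.2.1.2.3.2.8
\ No newline at end of property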
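Review bot: The new `input_filter_init` member in the hunk at @@ -259 is added with no comment on its contract; the header should say when it runs and that NULL is permitted, e.g. `/* optional; invoked by the SAPI activation paths on every request to reset per-request input-filter state; NULL if the filter needs none */`. Appending the member at the end of the struct keeps positional initializers in existing SAPIs compiling, but it still changes the size of the struct, which is an ABI change for out-of-tree SAPIs built against the previous header in what the description presents as a point-release backport; that deserves a line in the changelog, and how the member is initialized for a SAPI that never calls sapi_register_input_filter is not visible from this patch.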
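--- a/branches/PHP_5_3/main/php_content_types.c
+++ b/branches/PHP_5_3/main/php_content_types.c
@@ -75,7 +75,7 @@
 {
 sapi_register_default_post_reader(php_default_post_reader);
 sapi_register_treat_data(php_default_treat_data);
- sapi_register_input_filter(php_default_input_filter);
+ sapi_register_input_filter(php_default_input_filter, NULL);
 return SUCCESS;
 }
 /* }}} */

Property changes on: branches/PHP_5_3/main/php_content_types.c
___________________________________________________________________
Modified: cvs2svn:cvs-rev
## -1 +1 ##
-1.32.2.1.2.4.2.2
+1.32.2.1.2.4.2.3
\ No newline at end of property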