projects / packages / php.git / blame
| Commit | Line | Data |
|---|---|---|
| 614e82b5 ER |
1 | PHP 5.2.x Remote Code Execution Vulnerability |
| 2 | ||
| 3 | http://securityvulns.ru/docs27701.html | |
| 4 | http://www.securityfocus.com/archive/1/521695 | |
| 5 | http://www.securityfocus.com/bid/52065 | |
| 6 | http://xforce.iss.net/xforce/xfdb/73286 | |
| 7 | ||
| 8 | Description: | |
| 9 | ||
| 10 | If PHP bails out in startup stage before setting PG(modules_activated) | |
| 11 | to 1, the filter_globals struct is not cleaned up on shutdown stage. | |
| 12 | The subsequence request will use uncleaned value in filter_globals | |
| 13 | struct. With special crafted request, this problem can lead to | |
| 14 | information disclosure and remote code execution. | |
| 15 | ||
| 16 | Only apache modules SAPI are found to vulnerable to this problem. | |
| 17 | While other SAPIs are safe because a PHP process exits when PHP bails | |
| 18 | out before setting PG(modules_activated) to 1. | |
| 19 | ||
| 20 | This bug was fixed before releasing 5.3.0. | |
| 21 | http://svn.php.net/viewvc?view=revision&revision=279522. But the patch | |
| 22 | is not backported to 5.2 version as described in | |
| 23 | https://bugs.php.net/bug.php?id=47930 | |
| 24 | ||
| 25 | This patch backports it. | |
| 26 | Index: branches/PHP_5_3/ext/filter/filter.c | |
| 27 | =================================================================== | |
| 28 | --- branches/PHP_5_3/ext/filter/filter.c (revision 279521) | |
| 29 | +++ branches/PHP_5_3/ext/filter/filter.c (revision 279522) | |
| 30 | @@ -76,6 +76,7 @@ | |
| 31 | #endif | |
| 32 | ||
| 33 | static unsigned int php_sapi_filter(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC); | |
| 34 | +static unsigned int php_sapi_filter_init(TSRMLS_D); | |
| 35 | ||
| 36 | /* {{{ arginfo */ | |
| 37 | ZEND_BEGIN_ARG_INFO_EX(arginfo_filter_input, 0, 0, 2) | |
| 38 | @@ -270,7 +271,7 @@ | |
| 39 | REGISTER_LONG_CONSTANT("FILTER_FLAG_NO_RES_RANGE", FILTER_FLAG_NO_RES_RANGE, CONST_CS | CONST_PERSISTENT); | |
| 40 | REGISTER_LONG_CONSTANT("FILTER_FLAG_NO_PRIV_RANGE", FILTER_FLAG_NO_PRIV_RANGE, CONST_CS | CONST_PERSISTENT); | |
| 41 | ||
| 42 | - sapi_register_input_filter(php_sapi_filter); | |
| 43 | + sapi_register_input_filter(php_sapi_filter, php_sapi_filter_init); | |
| 44 | ||
| 45 | return SUCCESS; | |
| 46 | } | |
| 47 | @@ -339,6 +340,17 @@ | |
| 48 | } | |
| 49 | /* }}} */ | |
| 50 | ||
| 51 | +static unsigned int php_sapi_filter_init(TSRMLS_D) | |
| 52 | +{ | |
| 53 | + IF_G(get_array) = NULL; | |
| 54 | + IF_G(post_array) = NULL; | |
| 55 | + IF_G(cookie_array) = NULL; | |
| 56 | + IF_G(server_array) = NULL; | |
| 57 | + IF_G(env_array) = NULL; | |
| 58 | + IF_G(session_array) = NULL; | |
| 59 | + return SUCCESS; | |
| 60 | +} | |
| 61 | + | |
| 62 | static void php_zval_filter(zval **value, long filter, long flags, zval *options, char* charset, zend_bool copy TSRMLS_DC) /* {{{ */ | |
| 63 | { | |
| 64 | filter_list_entry filter_func; | |
| 65 | ||
| 66 | Property changes on: branches/PHP_5_3/ext/filter/filter.c | |
| 67 | ___________________________________________________________________ | |
| 68 | Modified: cvs2svn:cvs-rev | |
| 69 | ## -1 +1 ## | |
| 70 | -1.52.2.39.2.15 | |
| 71 | +1.52.2.39.2.16 | |
| 72 | \ No newline at end of property | |
| 73 | Index: branches/PHP_5_3/main/SAPI.c | |
| 74 | =================================================================== | |
| 75 | --- branches/PHP_5_3/main/SAPI.c (revision 279521) | |
| 76 | +++ branches/PHP_5_3/main/SAPI.c (revision 279522) | |
| 77 | @@ -326,6 +326,9 @@ | |
| 78 | sapi_module.activate(TSRMLS_C); | |
| 79 | } | |
| 80 | } | |
| 81 | + if (sapi_module.input_filter_init ) { | |
| 82 | + sapi_module.input_filter_init(TSRMLS_C); | |
| 83 | + } | |
| 84 | } | |
| 85 | ||
| 86 | /* | |
| 87 | @@ -392,6 +395,9 @@ | |
| 88 | sapi_module.activate(TSRMLS_C); | |
| 89 | } | |
| 90 | } | |
| 91 | + if (sapi_module.input_filter_init ) { | |
| 92 | + sapi_module.input_filter_init(TSRMLS_C); | |
| 93 | + } | |
| 94 | } | |
| 95 | ||
| 96 | ||
| 97 | @@ -925,13 +931,14 @@ | |
| 98 | return SUCCESS; | |
| 99 | } | |
| 100 | ||
| 101 | -SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC)) | |
| 102 | +SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC), unsigned int (*input_filter_init)(TSRMLS_D)) | |
| 103 | { | |
| 104 | TSRMLS_FETCH(); | |
| 105 | if (SG(sapi_started) && EG(in_execution)) { | |
| 106 | return FAILURE; | |
| 107 | } | |
| 108 | sapi_module.input_filter = input_filter; | |
| 109 | + sapi_module.input_filter_init = input_filter_init; | |
| 110 | return SUCCESS; | |
| 111 | } | |
| 112 | ||
| 113 | ||
| 114 | Property changes on: branches/PHP_5_3/main/SAPI.c | |
| 115 | ___________________________________________________________________ | |
| 116 | Modified: cvs2svn:cvs-rev | |
| 117 | ## -1 +1 ## | |
| 118 | -1.202.2.7.2.15.2.6 | |
| 119 | +1.202.2.7.2.15.2.7 | |
| 120 | \ No newline at end of property | |
| 121 | Index: branches/PHP_5_3/main/SAPI.h | |
| 122 | =================================================================== | |
| 123 | --- branches/PHP_5_3/main/SAPI.h (revision 279521) | |
| 124 | +++ branches/PHP_5_3/main/SAPI.h (revision 279522) | |
| 125 | @@ -192,7 +192,7 @@ | |
| 126 | SAPI_API void sapi_unregister_post_entry(sapi_post_entry *post_entry TSRMLS_DC); | |
| 127 | SAPI_API int sapi_register_default_post_reader(void (*default_post_reader)(TSRMLS_D)); | |
| 128 | SAPI_API int sapi_register_treat_data(void (*treat_data)(int arg, char *str, zval *destArray TSRMLS_DC)); | |
| 129 | -SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC)); | |
| 130 | +SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC), unsigned int (*input_filter_init)(TSRMLS_D)); | |
| 131 | ||
| 132 | SAPI_API int sapi_flush(TSRMLS_D); | |
| 133 | SAPI_API struct stat *sapi_get_stat(TSRMLS_D); | |
| 134 | @@ -259,6 +259,7 @@ | |
| 135 | int phpinfo_as_text; | |
| 136 | ||
| 137 | char *ini_entries; | |
| 138 | + unsigned int (*input_filter_init)(TSRMLS_D); | |
| 139 | }; | |
| 140 | ||
| 141 | ||
| 142 | ||
| 143 | Property changes on: branches/PHP_5_3/main/SAPI.h | |
| 144 | ___________________________________________________________________ | |
| 145 | Modified: cvs2svn:cvs-rev | |
| 146 | ## -1 +1 ## | |
| 147 | -1.114.2.1.2.3.2.7 | |
| 148 | +1.114.2.1.2.3.2.8 | |
| 149 | \ No newline at end of property | |
| 150 | Index: branches/PHP_5_3/main/php_content_types.c | |
| 151 | =================================================================== | |
| 152 | --- branches/PHP_5_3/main/php_content_types.c (revision 279521) | |
| 153 | +++ branches/PHP_5_3/main/php_content_types.c (revision 279522) | |
| 154 | @@ -75,7 +75,7 @@ | |
| 155 | { | |
| 156 | sapi_register_default_post_reader(php_default_post_reader); | |
| 157 | sapi_register_treat_data(php_default_treat_data); | |
| 158 | - sapi_register_input_filter(php_default_input_filter); | |
| 159 | + sapi_register_input_filter(php_default_input_filter, NULL); | |
| 160 | return SUCCESS; | |
| 161 | } | |
| 162 | /* }}} */ | |
| 163 | ||
| 164 | Property changes on: branches/PHP_5_3/main/php_content_types.c | |
| 165 | ___________________________________________________________________ | |
| 166 | Modified: cvs2svn:cvs-rev | |
| 167 | ## -1 +1 ## | |
| 168 | -1.32.2.1.2.4.2.2 | |
| 169 | +1.32.2.1.2.4.2.3 | |
| 170 | \ No newline at end of property |