1 PHP 5.2.x Remote Code Execution Vulnerability
3 http://securityvulns.ru/docs27701.html
4 http://www.securityfocus.com/archive/1/521695
5 http://www.securityfocus.com/bid/52065
6 http://xforce.iss.net/xforce/xfdb/73286
10 If PHP bails out in startup stage before setting PG(modules_activated)
11 to 1, the filter_globals struct is not cleaned up on shutdown stage.
12 The subsequence request will use uncleaned value in filter_globals
13 struct. With special crafted request, this problem can lead to
14 information disclosure and remote code execution.
16 Only apache modules SAPI are found to vulnerable to this problem.
17 While other SAPIs are safe because a PHP process exits when PHP bails
18 out before setting PG(modules_activated) to 1.
20 This bug was fixed before releasing 5.3.0.
21 http://svn.php.net/viewvc?view=revision&revision=279522. But the patch
22 is not backported to 5.2 version as described in
23 https://bugs.php.net/bug.php?id=47930
25 This patch backports it.
26 Index: branches/PHP_5_3/ext/filter/filter.c
27 ===================================================================
28 diff -urNp -x '*.orig' php-5.2.17.org/ext/filter/filter.c php-5.2.17/ext/filter/filter.c
29 --- php-5.2.17.org/ext/filter/filter.c 2021-10-23 19:13:24.436458386 +0200
30 +++ php-5.2.17/ext/filter/filter.c 2021-10-23 19:13:27.149791720 +0200
31 @@ -76,6 +76,7 @@ filter_list_entry filter_list[] = {
34 static unsigned int php_sapi_filter(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC);
35 +static unsigned int php_sapi_filter_init(TSRMLS_D);
37 /* {{{ filter_functions[]
39 @@ -233,7 +234,7 @@ PHP_MINIT_FUNCTION(filter)
40 REGISTER_LONG_CONSTANT("FILTER_FLAG_NO_RES_RANGE", FILTER_FLAG_NO_RES_RANGE, CONST_CS | CONST_PERSISTENT);
41 REGISTER_LONG_CONSTANT("FILTER_FLAG_NO_PRIV_RANGE", FILTER_FLAG_NO_PRIV_RANGE, CONST_CS | CONST_PERSISTENT);
43 - sapi_register_input_filter(php_sapi_filter);
44 + sapi_register_input_filter(php_sapi_filter, php_sapi_filter_init);
48 @@ -302,6 +303,17 @@ static filter_list_entry php_find_filter
52 +static unsigned int php_sapi_filter_init(TSRMLS_D)
54 + IF_G(get_array) = NULL;
55 + IF_G(post_array) = NULL;
56 + IF_G(cookie_array) = NULL;
57 + IF_G(server_array) = NULL;
58 + IF_G(env_array) = NULL;
59 + IF_G(session_array) = NULL;
63 static void php_zval_filter(zval **value, long filter, long flags, zval *options, char* charset, zend_bool copy TSRMLS_DC) /* {{{ */
65 filter_list_entry filter_func;
66 diff -urNp -x '*.orig' php-5.2.17.org/main/SAPI.c php-5.2.17/main/SAPI.c
67 --- php-5.2.17.org/main/SAPI.c 2021-10-23 19:13:24.446458386 +0200
68 +++ php-5.2.17/main/SAPI.c 2021-10-23 19:13:27.149791720 +0200
69 @@ -323,6 +323,9 @@ SAPI_API void sapi_activate_headers_only
70 sapi_module.activate(TSRMLS_C);
73 + if (sapi_module.input_filter_init ) {
74 + sapi_module.input_filter_init(TSRMLS_C);
79 @@ -389,6 +392,9 @@ SAPI_API void sapi_activate(TSRMLS_D)
80 sapi_module.activate(TSRMLS_C);
83 + if (sapi_module.input_filter_init ) {
84 + sapi_module.input_filter_init(TSRMLS_C);
89 @@ -884,13 +890,14 @@ SAPI_API int sapi_register_treat_data(vo
93 -SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC))
94 +SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC), unsigned int (*input_filter_init)(TSRMLS_D))
97 if (SG(sapi_started) && EG(in_execution)) {
100 sapi_module.input_filter = input_filter;
101 + sapi_module.input_filter_init = input_filter_init;
105 diff -urNp -x '*.orig' php-5.2.17.org/main/SAPI.h php-5.2.17/main/SAPI.h
106 --- php-5.2.17.org/main/SAPI.h 2010-03-18 23:37:25.000000000 +0100
107 +++ php-5.2.17/main/SAPI.h 2021-10-23 19:13:27.149791720 +0200
108 @@ -188,7 +188,7 @@ SAPI_API int sapi_register_post_entry(sa
109 SAPI_API void sapi_unregister_post_entry(sapi_post_entry *post_entry TSRMLS_DC);
110 SAPI_API int sapi_register_default_post_reader(void (*default_post_reader)(TSRMLS_D));
111 SAPI_API int sapi_register_treat_data(void (*treat_data)(int arg, char *str, zval *destArray TSRMLS_DC));
112 -SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC));
113 +SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC), unsigned int (*input_filter_init)(TSRMLS_D));
115 SAPI_API int sapi_flush(TSRMLS_D);
116 SAPI_API struct stat *sapi_get_stat(TSRMLS_D);
117 @@ -259,6 +259,7 @@ struct _sapi_module_struct {
121 + unsigned int (*input_filter_init)(TSRMLS_D);
125 diff -urNp -x '*.orig' php-5.2.17.org/main/php_content_types.c php-5.2.17/main/php_content_types.c
126 --- php-5.2.17.org/main/php_content_types.c 2010-01-03 10:23:27.000000000 +0100
127 +++ php-5.2.17/main/php_content_types.c 2021-10-23 19:13:27.149791720 +0200
128 @@ -75,7 +75,7 @@ int php_startup_sapi_content_types(TSRML
130 sapi_register_default_post_reader(php_default_post_reader);
131 sapi_register_treat_data(php_default_treat_data);
132 - sapi_register_input_filter(php_default_input_filter);
133 + sapi_register_input_filter(php_default_input_filter, NULL);