1 | PHP 5.2.x Remote Code Execution Vulnerability |
2 | ||
3 | http://securityvulns.ru/docs27701.html | |
4 | http://www.securityfocus.com/archive/1/521695 | |
5 | http://www.securityfocus.com/bid/52065 | |
6 | http://xforce.iss.net/xforce/xfdb/73286 | |
7 | ||
8 | Description: | |
9 | ||
10 | If PHP bails out in startup stage before setting PG(modules_activated) | |
11 | to 1, the filter_globals struct is not cleaned up on shutdown stage. | |
12 | The subsequent request will use the uncleaned values in the filter_globals | |
13 | struct. With a specially crafted request, this problem can lead to | |
14 | information disclosure and remote code execution. | |
15 | ||
16 | Only apache modules SAPI are found to vulnerable to this problem. | |
17 | While other SAPIs are safe because a PHP process exits when PHP bails | |
18 | out before setting PG(modules_activated) to 1. | |
19 | ||
20 | This bug was fixed before releasing 5.3.0. | |
21 | http://svn.php.net/viewvc?view=revision&revision=279522. But the patch | |
22 | is not backported to 5.2 version as described in | |
23 | https://bugs.php.net/bug.php?id=47930 | |
24 | ||
25 | This patch backports it. | |
26 | Index: branches/PHP_5_3/ext/filter/filter.c | |
27 | =================================================================== | |
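diff -urNp -x '*.orig' php-5.2.17.org/ext/filter/filter.c php-5.2.17/ext/filter/filter.c
--- php-5.2.17.org/ext/filter/filter.c	2021-10-23 19:13:24.436458386 +0200
+++ php-5.2.17/ext/filter/filter.c	2021-10-23 19:13:27.149791720 +0200
@@ -76,6 +76,7 @@ filter_list_entry filter_list[] = {
 #endif
 
 static unsigned int php_sapi_filter(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC);
+static unsigned int php_sapi_filter_init(TSRMLS_D);
 
 /* {{{ filter_functions[]
  */
@@ -233,7 +234,7 @@ PHP_MINIT_FUNCTION(filter)
 	REGISTER_LONG_CONSTANT("FILTER_FLAG_NO_RES_RANGE", FILTER_FLAG_NO_RES_RANGE, CONST_CS | CONST_PERSISTENT);
 	REGISTER_LONG_CONSTANT("FILTER_FLAG_NO_PRIV_RANGE", FILTER_FLAG_NO_PRIV_RANGE, CONST_CS | CONST_PERSISTENT);
 
-	sapi_register_input_filter(php_sapi_filter);
+	sapi_register_input_filter(php_sapi_filter, php_sapi_filter_init);
 
 	return SUCCESS;
 }
@@ -302,6 +303,17 @@ static filter_list_entry php_find_filter
 }
 /* }}} */
 
+static unsigned int php_sapi_filter_init(TSRMLS_D)
+{
+	IF_G(get_array) = NULL;
+	IF_G(post_array) = NULL;
+	IF_G(cookie_array) = NULL;
+	IF_G(server_array) = NULL;
+	IF_G(env_array) = NULL;
+	IF_G(session_array) = NULL;
+	return SUCCESS;
+}
+
 static void php_zval_filter(zval **value, long filter, long flags, zval *options, char* charset, zend_bool copy TSRMLS_DC) /* {{{ */
 {
 	filter_list_entry filter_func;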
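Review bot: php_sapi_filter_init, added in the third hunk, discards the six IF_G array pointers without releasing what they point to, and nothing in the hunk says why that is safe. If the arrays are per-request allocations that the memory manager already reclaimed at the end of the request that bailed out, nulling is exactly right and freeing would be a double free; if they are not, this leaks them on every such request, so the assumption should be written down, e.g. `/* Reset pointers left over from a request that bailed out before RSHUTDOWN; the arrays are presumed to be request memory already reclaimed at shutdown, so only the references are cleared. */`. The function is declared to return `unsigned int` but only ever returns SUCCESS, and both call sites added in SAPI.c drop the result, so either `void` states the contract more honestly or the return needs a meaning.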
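diff -urNp -x '*.orig' php-5.2.17.org/main/SAPI.c php-5.2.17/main/SAPI.c
--- php-5.2.17.org/main/SAPI.c	2021-10-23 19:13:24.446458386 +0200
+++ php-5.2.17/main/SAPI.c	2021-10-23 19:13:27.149791720 +0200
@@ -323,6 +323,9 @@ SAPI_API void sapi_activate_headers_only
 			sapi_module.activate(TSRMLS_C);
 		}
 	}
+	if (sapi_module.input_filter_init ) {
+		sapi_module.input_filter_init(TSRMLS_C);
+	}
 }
 
 /*
@@ -389,6 +392,9 @@ SAPI_API void sapi_activate(TSRMLS_D)
 			sapi_module.activate(TSRMLS_C);
 		}
 	}
+	if (sapi_module.input_filter_init ) {
+		sapi_module.input_filter_init(TSRMLS_C);
+	}
 }
 
 
@@ -884,13 +890,14 @@ SAPI_API int sapi_register_treat_data(vo
 	return SUCCESS;
 }
 
-SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC))
+SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC), unsigned int (*input_filter_init)(TSRMLS_D))
 {
 	TSRMLS_FETCH();
 	if (SG(sapi_started) && EG(in_execution)) {
 		return FAILURE;
 	}
 	sapi_module.input_filter = input_filter;
+	sapi_module.input_filter_init = input_filter_init;
 	return SUCCESS;
 }
 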
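Review bot: The three-line block added to sapi_activate_headers_only and sapi_activate (first and second hunks) is duplicated verbatim, and both copies carry a stray space before the closing parenthesis, `if (sapi_module.input_filter_init ) {`; write it as `if (sapi_module.input_filter_init) {` and consider a small static helper so the two activation paths cannot drift apart, since the fix only holds if every activation path runs the hook. The hook's return value is dropped in both places, so a comment should say that a failure here is deliberately not fatal, or the call should be checked. Both enclosing functions start outside their hunks. In the third hunk the new `input_filter_init` argument is stored without validation, which is acceptable only because the two call sites test it for NULL before invoking it.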
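diff -urNp -x '*.orig' php-5.2.17.org/main/SAPI.h php-5.2.17/main/SAPI.h
--- php-5.2.17.org/main/SAPI.h	2010-03-18 23:37:25.000000000 +0100
+++ php-5.2.17/main/SAPI.h	2021-10-23 19:13:27.149791720 +0200
@@ -188,7 +188,7 @@ SAPI_API int sapi_register_post_entry(sa
 SAPI_API void sapi_unregister_post_entry(sapi_post_entry *post_entry TSRMLS_DC);
 SAPI_API int sapi_register_default_post_reader(void (*default_post_reader)(TSRMLS_D));
 SAPI_API int sapi_register_treat_data(void (*treat_data)(int arg, char *str, zval *destArray TSRMLS_DC));
-SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC));
+SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC), unsigned int (*input_filter_init)(TSRMLS_D));
 
 SAPI_API int sapi_flush(TSRMLS_D);
 SAPI_API struct stat *sapi_get_stat(TSRMLS_D);
@@ -259,6 +259,7 @@ struct _sapi_module_struct {
 	int phpinfo_as_text;
 
 	char *ini_entries;
+	unsigned int (*input_filter_init)(TSRMLS_D);
 };
 
 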
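Review bot: The `input_filter_init` member appended to `struct _sapi_module_struct` in the second hunk and the extra parameter on `sapi_register_input_filter` in the first hunk both change the interface exposed to SAPIs and extensions built against the 5.2.17 headers, and the patch does not document that. Appending the member keeps positionally-initialized SAPI definitions valid because the new pointer is zero-filled, which is what the NULL checks added in SAPI.c rely on; presumably a SAPI binary built against the old header would hand over a shorter struct and the pointer would then be read from beyond it, so the field should stay last and say so, e.g. `/* must remain the last member: existing SAPI definitions do not set it and rely on zero-fill */`. A note that out-of-tree callers of sapi_register_input_filter must now pass NULL as the second argument would complete the header change.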
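diff -urNp -x '*.orig' php-5.2.17.org/main/php_content_types.c php-5.2.17/main/php_content_types.c
--- php-5.2.17.org/main/php_content_types.c	2010-01-03 10:23:27.000000000 +0100
+++ php-5.2.17/main/php_content_types.c	2021-10-23 19:13:27.149791720 +0200
@@ -75,7 +75,7 @@ int php_startup_sapi_content_types(TSRML
 {
 	sapi_register_default_post_reader(php_default_post_reader);
 	sapi_register_treat_data(php_default_treat_data);
-	sapi_register_input_filter(php_default_input_filter);
+	sapi_register_input_filter(php_default_input_filter, NULL);
 	return SUCCESS;
 }
 /* }}} */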
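Review bot: The `NULL` passed as the new second argument of sapi_register_input_filter is not explained, and it is only safe because the call sites added in SAPI.c test the pointer before invoking it. A one-line comment such as `/* no per-request init hook for the default filter */` would make the intent explicit; whether php_default_input_filter keeps any request-scoped state that would need resetting is not visible here, so that is worth confirming before the comment is taken as a guarantee.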