Date: Sat, 05 Jul 2014 20:07:24 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 191638] New: lang/php5 Patch for phpinfo() Type Confusion Infoleak Vulnerability and SSL Private Keys
Message-ID: <bug-191638-13@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=191638

Bug ID: 191638
Summary: lang/php5 Patch for phpinfo() Type Confusion Infoleak Vulnerability and SSL Private Keys
Product: Ports Tree
Version: Latest
Hardware: Any
OS: Any
Status: Needs Triage
Severity: Affects Many People
Priority: ---
Component: Individual Port(s)
Assignee: freebsd-ports-bugs@FreeBSD.org
Reporter: logan@elandsys.com

Created attachment 144433
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=144433&action=edit
Fix adapted from upstream patch

Stefan Esser reports that:

[2014-06-23 07:13 UTC] stas@php.net

Description:
------------
Hey,

I recently discovered an easy-to-exploit arbitrary information leak vulnerability in PHP. The information leak can be exploited by setting PHP_SELF, PHP_AUTH_TYPE, PHP_AUTH_USER or PHP_AUTH_PW to non-string variables before calling phpinfo(). When you look at the code from /ext/standard/info.c, you will see that the code simply trusts that the returned ZVALs are of type STRING. If there are however integers, the code will interpret the integer as an in-memory pointer and print out the binary string at that position.
    php_info_print_table_start();
    php_info_print_table_header(2, "Variable", "Value");
    if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
        php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
    }
    if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
        php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
    }
    if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
        php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
    }
    if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
        php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
    }

He also has a short PoC here: https://www.sektioneins.de/en/blog/14-07-04-phpinfo-infoleak.html
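As an added example (not the attached patch or PHP's own code), the C model below reproduces the pattern quoted above with a constructed miniature zval and shows the check that closes it: the unchecked accessor hands back whatever bits sit in the value union, while the checked one refuses any zval whose tag is not IS_STRING. The zval layout, the two macros and the function names here are assumptions for illustration only.

```c
#include <stdint.h>
#include <string.h>

/* Constructed miniature of a PHP 5 zval (value union + type tag), not
 * PHP's real definition; just enough to show the confusion. */
enum { IS_LONG = 1, IS_STRING = 6 };
typedef struct {
    union { long lval; struct { char *val; int len; } str; } value;
    int type;
} zval;
#define Z_TYPE_PP(pp)   ((*(pp))->type)
#define Z_STRVAL_PP(pp) ((*(pp))->value.str.val)

/* Pattern from info.c: hands out the union's pointer slot without
 * looking at the tag; for an IS_LONG zval that slot holds the integer. */
static const char *row_value_unchecked(zval **data)
{
    return Z_STRVAL_PP(data);
}

/* Hardened pattern: treat the payload as a string only when the tag says
 * IS_STRING; NULL tells the caller to skip the row. */
static const char *row_value_checked(zval **data)
{
    return Z_TYPE_PP(data) == IS_STRING ? Z_STRVAL_PP(data) : NULL;
}

/* 1 if the unchecked accessor returns the integer reinterpreted as an
 * address (only compared here, never dereferenced). */
int unchecked_confuses_long(long v)
{
    zval z = { .value.lval = v, .type = IS_LONG }, *pz = &z;
    return (uintptr_t)row_value_unchecked(&pz) == (uintptr_t)v;
}

/* 1 if the checked accessor refuses the same non-string zval. */
int checked_skips_long(long v)
{
    zval z = { .value.lval = v, .type = IS_LONG }, *pz = &z;
    return row_value_checked(&pz) == NULL;
}

/* The checked accessor still passes genuine strings through unchanged. */
const char *checked_passes_string(const char *s)
{
    zval z = { .value.str.val = (char *)s, .type = IS_STRING }, *pz = &z;
    z.value.str.len = (int)strlen(s);
    return row_value_checked(&pz);
}
```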