Date: Mon, 12 Mar 2007 18:25:48 -0400 (EDT)
From: "Steven M. Christey" <coley@...re.org>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] PHP import_request_variables() arbitrary variable overwrite


Stefano Di Paola said:

>1. I search on google for import_request_variables advisories
>(nothing found)
>2. I search on php.net in changeLog for fixes (nothing found).

I can see why you weren't able to find anything.  However, there have
been a number of disclosures that are probably related - but these
were grep-and-gripe affairs in third party applications, where the
researcher didn't necessarily investigate *why* certain attacks
worked.

Grepping for superglobal names through CVE suggests the following PHP
application issues might be related to this behavior, although in some
cases it could just be some extract() or dynamic variable evaluation
or other method for overwriting critical variables:

CVE-2007-1024 - _SERVER[DOCUMENT_ROOT]
CVE-2006-4673 - _SERVER[REMOTE_ADDR]  (might be extract)
CVE-2006-4545 - _SERVER[DOCUMENT_ROOT]
CVE-2006-3798 - _SERVER, _ENV, _COOKIE (extract)
CVE-2006-1914 - GLOBALS, _SERVER
CVE-2005-4318 - _SERVER[REMOTE_ADDR]
CVE-2005-4317 - _SERVER[REMOTE_ADDR]
CVE-2005-3926 - _SERVER[REMOTE_ADDR]
CVE-2005-2574 - _SERVER[REMOTE_ADDR] (extract)
CVE-2005-1996 - _SERVER[DOCUMENT_ROOT]
CVE-2005-3300 - _FILES
CVE-2007-0599 - SERVER
CVE-2006-5796 - _SESSION[docroot_path]
CVE-2006-5078 - _SESSION[dirMain]
CVE-2006-2828 - import_request_variables(), but not for superglobals

etc.


- Steve
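
The overwrite class the CVE list above refers to, as an added PHP example that is not code from this thread: extract() with its default flags lets a request parameter replace an application's own copy of DOCUMENT_ROOT, while the hardened form rejects superglobal-named keys and reads parameters explicitly. import_request_variables() was removed in PHP 5.4, so extract(), which the post also names, stands in for it; the paths, parameter names and language allow-list are constructed.

```php
<?php
// Added example, not code from the list post. import_request_variables() was
// removed in PHP 5.4, so the overwrite is shown with extract() instead.

// Superglobal names; a request parameter carrying one of these names is the
// pattern behind the CVEs above (e.g. ?_SERVER[DOCUMENT_ROOT]=...).
const SUPERGLOBAL_NAMES = ['GLOBALS', '_SERVER', '_GET', '_POST', '_FILES',
                           '_COOKIE', '_SESSION', '_REQUEST', '_ENV'];

// Vulnerable pattern: a trusted value is copied into a plain variable, then
// every request parameter is extract()ed with the default EXTR_OVERWRITE flag.
function vulnerable_include_path(array $request): string {
    $docroot = '/var/www/app';   // constructed; stands in for $_SERVER['DOCUMENT_ROOT']
    $lang    = 'en';
    extract($request);           // a request key named 'docroot' replaces $docroot
    return "$docroot/lang/$lang.php";
}

// Hardened pattern: refuse superglobal-named keys, never extract(), and read
// the one parameter that is needed against an allow-list.
function hardened_include_path(array $request): string {
    foreach (array_keys($request) as $key) {
        if (in_array($key, SUPERGLOBAL_NAMES, true)) {
            throw new InvalidArgumentException("rejected request key: $key");
        }
    }
    $docroot = '/var/www/app';   // constructed, as above
    $lang    = $request['lang'] ?? 'en';
    if (!in_array($lang, ['en', 'de', 'fr'], true)) {
        $lang = 'en';            // unknown value: fall back, never build a path from it
    }
    return "$docroot/lang/$lang.php";
}

// Constructed request, as PHP would parse ?lang=en&docroot=/tmp/evil
$tampered = ['lang' => 'en', 'docroot' => '/tmp/evil'];
echo vulnerable_include_path($tampered), "\n";
echo hardened_include_path($tampered), "\n";

// Constructed request carrying a superglobal name, as from ?_SERVER[REMOTE_ADDR]=...
try {
    hardened_include_path(['_SERVER' => ['REMOTE_ADDR' => '127.0.0.1']]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The same key check can be run as a one-off audit over $_GET, $_POST and $_COOKIE in a front controller to log any request that arrives with a superglobal-named parameter, which is a cheap detection signal for this bug class.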
