lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <201109231433.p8NEX4hS031827@sf01web3.securityfocus.com>
Date: Fri, 23 Sep 2011 14:33:04 GMT
From: cipri@...e.nl
To: bugtraq@...urityfocus.com
Subject: Security issue is_a function in PHP 5.3.7+

PHP 5.3.7 changed the behavior of the is_a() function, used to check if an object is an instance of a class, to call the __autoload() function. This causes a remote code execute problem when coupled with a standard library like PEAR that internally uses is_a to check if a returned variable is an Error object or not.

An unprotected __autoload() function that blindly includes based upon the variable it receives can be tricked into including a remote file by, for example, uploading a specially crafted file containing a link to a remote website.

Full explanation + code example has been posted on our website at http://www.byte.nl/blog/2011/09/23/security-bug-in-is_a-function-in-php-5-3-7-5-3-8/ and has been e-mailed to security@....net

-- 
Cipriano Groenendal

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ