lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <45F2BE02.4020709@hardened-php.net>
Date: Sat, 10 Mar 2007 15:17:38 +0100
From: Stefan Esser <sesser@...dened-php.net>
To: Stefano Di Paola <stefano.dipaola@...ec.it>
Cc: phpsec <security@....net>, FD <full-disclosure@...ts.grok.org.uk>,
	bugtraq@...urityfocus.com
Subject: Re: PHP import_request_variables() arbitrary
 variable overwrite

Hello,

> PHP import_request_variables() arbitrary variable overwrite
>  Date              20060307
>   
I believe all dates in the advisory contain the wrong year...

> III. ANALYSIS
>
> import_request_variables() is not new to vulnerabilities: consider this
> change log entry for 24 Nov 2005, PHP 5.1.
>
> [quote]
> - Fixed potential GLOBALS overwrite via import_request_variables() and
>   possible crash and/or memory corruption. (Ilia)
> [/quote]
>   
Taking into account that the vulnerability you describe is fixed in
Hardened-PHP for years and that there is also a protection against this
in the Suhosin Extension you can be sure that this NOT a new
vulnerability (and that you are not the first one who found it...)

For the record, the same vulnerability was reported by me on the
23.10.2004 at 22:05 in a mail to security@....net (before I added the
protection to Hardened-PHP)
At that time the PHP developers considered it NOT A VULNERABILITY.

Well now the PHP developers have commited a fix for this to the PHP CVS,
crediting you instead of the original reporter (me) and as usual the fix
is only fixing a part of the problem.
(Hint: long names like HTTP_POST_VARS do exist...)

Stefan Esser
Hardened-PHP Project

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ