Message-ID: <56A64757.9010404@search-lab.hu>
Date: Mon, 25 Jan 2016 17:03:35 +0100
From: Imre RAD <imre.rad@...rch-lab.hu>
To: fulldisclosure@...lists.org
Subject: [FD] PHP LiteSpeed SAPI out of boundaries read due to missing input validation
The LiteSpeed SAPI module in PHP did not validate several fields of the
LSAPI request header. In the source file sapi/litespeed/lsapilib.c, the
parseRequest function computed the addresses of these variables as
follows:
    pReq->m_pScriptFile    = pReq->m_pReqBuf + pReq->m_pHeader->m_scriptFileOff;
    pReq->m_pScriptName    = pReq->m_pReqBuf + pReq->m_pHeader->m_scriptNameOff;
    pReq->m_pQueryString   = pReq->m_pReqBuf + pReq->m_pHeader->m_queryStringOff;
    pReq->m_pRequestMethod = pReq->m_pReqBuf + pReq->m_pHeader->m_requestMethodOff;
These variables were then exported, so they became available to PHP code
through the $_SERVER array.
The offset fields of the header (e.g. m_scriptFileOff) were not validated
at all: an offset outside the request buffer yields a pointer outside it,
and the SAPI process crashed with a segmentation fault once it received
such a value.
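The pointer computation above, modelled in C as an added example (this is not code from php-src or lsapilib.c, and the struct and field names are hypothetical stand-ins for m_pHeader, m_scriptFileOff and friends). It places the vulnerable base-plus-untrusted-offset computation beside a validated version and, going one step beyond the range check the advisory calls for, also rejects an offset whose string is not NUL-terminated within the bytes actually received, since a truncated packet would otherwise let the later strlen() run off the end. The sample request is constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the LSAPI header; names stand in for m_scriptFileOff etc. */
struct lsapi_req_header {
    int32_t script_file_off, script_name_off, query_string_off, request_method_off;
};

struct lsapi_req {
    const char *req_buf;          /* bytes received over the SAPI socket */
    size_t req_len;               /* how many of them are valid */
    struct lsapi_req_header hdr;  /* decoded copy of the header at req_buf[0] */
    const char *script_file, *script_name, *query_string, *request_method;
};

/* Vulnerable shape from the advisory: base + untrusted offset, no range check.
   A negative or huge offset yields a pointer outside req_buf, and the later
   strlen()/copy into $_SERVER reads out of bounds. */
static void parse_request_unchecked(struct lsapi_req *r)
{
    r->script_file    = r->req_buf + r->hdr.script_file_off;
    r->script_name    = r->req_buf + r->hdr.script_name_off;
    r->query_string   = r->req_buf + r->hdr.query_string_off;
    r->request_method = r->req_buf + r->hdr.request_method_off;
}

/* Hardened: an offset is usable only if it lies inside the received bytes AND the
   C string it names is NUL-terminated before req_len (guards truncated packets). */
static int field_in_bounds(const struct lsapi_req *r, int32_t off)
{
    if (off < 0 || (size_t)off >= r->req_len)
        return 0;
    return memchr(r->req_buf + off, '\0', r->req_len - (size_t)off) != NULL;
}

static int parse_request_checked(struct lsapi_req *r)
{
    const int32_t offs[4] = { r->hdr.script_file_off, r->hdr.script_name_off,
                              r->hdr.query_string_off, r->hdr.request_method_off };
    for (int i = 0; i < 4; i++)
        if (!field_in_bounds(r, offs[i]))
            return -1;           /* reject the whole request instead of exporting */
    parse_request_unchecked(r);  /* safe now: every offset has been validated */
    return 0;
}

/* Constructed sample request: header followed by four NUL-terminated strings. */
static const char *SAMPLE[4] = { "/var/www/index.php", "/index.php", "a=1", "GET" };

static int setup(char *buf, size_t cap, struct lsapi_req *r)
{
    struct lsapi_req_header h;
    int32_t *offs[4] = { &h.script_file_off, &h.script_name_off,
                         &h.query_string_off, &h.request_method_off };
    size_t pos = sizeof h;
    for (int i = 0; i < 4; i++) {
        size_t n = strlen(SAMPLE[i]) + 1;
        if (pos + n > cap)
            return -1;
        memcpy(buf + pos, SAMPLE[i], n);
        *offs[i] = (int32_t)pos;
        pos += n;
    }
    memcpy(buf, &h, sizeof h);            /* header bytes as they arrive on the wire */
    memset(r, 0, sizeof *r);
    r->req_buf = buf;
    r->req_len = pos;
    memcpy(&r->hdr, buf, sizeof r->hdr);  /* decode header; pos >= sizeof h here */
    return 0;
}

/* Well-formed request: accepted, fields resolve correctly, returns 0. */
int demo_valid(void)
{
    char buf[256];
    struct lsapi_req r;
    if (setup(buf, sizeof buf, &r) || parse_request_checked(&r))
        return -1;
    return strcmp(r.request_method, "GET") == 0 && strcmp(r.query_string, "a=1") == 0 ? 0 : -2;
}

/* Attacker-chosen m_scriptFileOff (e.g. -1 or INT32_MAX): returns -1, rejected. */
int demo_bad_offset(int32_t bad_off)
{
    char buf[256];
    struct lsapi_req r;
    if (setup(buf, sizeof buf, &r))
        return -2;
    r.hdr.script_file_off = bad_off;
    return parse_request_checked(&r);
}

/* Offset inside the buffer, but the packet ends before the string's NUL: -1. */
int demo_truncated(void)
{
    char buf[256];
    struct lsapi_req r;
    if (setup(buf, sizeof buf, &r))
        return -2;
    r.req_len -= 1;   /* drop the terminating NUL of "GET" */
    return parse_request_checked(&r);
}

int main(void)
{
    printf("valid=%d negative=%d huge=%d truncated=%d\n", demo_valid(),
           demo_bad_offset(-1), demo_bad_offset(INT32_MAX), demo_truncated());
    return 0;
}
```

The check is deliberately done before any pointer is stored: once an offset has been turned into a pointer and handed to the export path, there is no later point at which the SAPI can tell a valid string from memory past the end of the buffer. In the sample layout the header is 16 bytes and the four strings occupy bytes 16..53, so 16 and 53 are accepted while 54 is the first offset rejected.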
Access to the SAPI socket is a prerequisite of the attack.
The fix is available in the commit:
https://github.com/php/php-src/commit/08080c18f5f3700af6242a338a2698502207ed45
The fixed versions of PHP are: 5.5.31, 5.6.17 and 7.0.2.
Imre Rad
Search-Lab Ltd.
http://www.search-lab.hu/
http://www.scademy.com/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/