> PHP import_request_variables() arbitrary variable overwrite
> Date 20060307
>
I believe all dates in the advisory contain the wrong year...
> III. ANALYSIS
>
> import_request_variables() is not new to vulnerabilities: consider this
> change log entry for 24 Nov 2005, PHP 5.1.
>
> [quote]
> - Fixed potential GLOBALS overwrite via import_request_variables() and
> possible crash and/or memory corruption. (Ilia)
> [/quote]
>
Taking into account that the vulnerability you describe is fixed in
Hardened-PHP for years and that there is also a protection against this
in the Suhosin Extension you can be sure that this NOT a new
vulnerability (and that you are not the first one who found it...)
For the record, the same vulnerability was reported by me on the
23.10.2004 at 22:05 in a mail to security (at) php (dot) net [email concealed] (before I added the
protection to Hardened-PHP)
At that time the PHP developers considered it NOT A VULNERABILITY.
Well now the PHP developers have commited a fix for this to the PHP CVS,
crediting you instead of the original reporter (me) and as usual the fix
is only fixing a part of the problem.
(Hint: long names like HTTP_POST_VARS do exist...)
> PHP import_request_variables() arbitrary variable overwrite
> Date 20060307
>
I believe all dates in the advisory contain the wrong year...
> III. ANALYSIS
>
> import_request_variables() is not new to vulnerabilities: consider this
> change log entry for 24 Nov 2005, PHP 5.1.
>
> [quote]
> - Fixed potential GLOBALS overwrite via import_request_variables() and
> possible crash and/or memory corruption. (Ilia)
> [/quote]
>
Taking into account that the vulnerability you describe is fixed in
Hardened-PHP for years and that there is also a protection against this
in the Suhosin Extension you can be sure that this NOT a new
vulnerability (and that you are not the first one who found it...)
For the record, the same vulnerability was reported by me on the
23.10.2004 at 22:05 in a mail to security (at) php (dot) net [email concealed] (before I added the
protection to Hardened-PHP)
At that time the PHP developers considered it NOT A VULNERABILITY.
Well now the PHP developers have commited a fix for this to the PHP CVS,
crediting you instead of the original reporter (me) and as usual the fix
is only fixing a part of the problem.
(Hint: long names like HTTP_POST_VARS do exist...)
Stefan Esser
Hardened-PHP Project
[ reply ]