PHP Vulnerability N. 1
Sep 15 2004 04:59PM
Stefano Di Paola (stefano dipaola wisec it)
Hi all,
This summer I have been playing around with some PHP issues
and got some PHP vulnerabilities.

Let's go for the first one:

Title: php(super)info().
Affected: Php <= 5.0.1
Not Affected: it seems Php <= 4.1.2
Vulnerability Type: Exposure of sensitive information
Vendor Status: Fix released on cvs.php.net


Bad array parsing in php_variables.c could lead to showing arbitrary memory
content such as pieces of PHP code and other data.
This affects all GET, POST or COOKIES variables.


By appending to a GET/POST/COOKIE variable array a [ (open square
bracket) like abc[a][,
the length of the 'a' array element is set to the length of the variable
name, strlen("abc").

$ curl "http://www.example.com/phpinfo.php" -d `perl -e 'print "f"x100;print "[g][=1"'`

where phpinfo.php is:

or some php file containing print_r function:

it will print output similar to:
ffffffffffffffffffffffffffffffffffffffff] => Array

\0\0\0\0] => 1

As you have probably noticed, all the garbage shown is memory
content that could be anything (on the heap, I suppose).

I have tried some requests and they sometimes expose pieces of PHP code.

Authors were contacted and they released a fix for this problem.

The problem is easy to fix.

Find and replace around line 136 for PHP 5.0.1 in main/php_variables.c

index_len = var_len = strlen(var);

with

index_len = var_len = strlen(index);

and compile again.

But if you're lazy the patch can be found on the CVS


Stefano Di Paola
Software Engineer
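
The length mix-up described in the post, as an added example that is not part of the original message and not PHP's source: a simplified C model of parsing a name such as abc[a][ that compares the length recorded for the last index, before and after the one-line fix, with that index's real length. The function names and the sample names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the behaviour described in the post; not PHP's code.
 * Parses "var[index][" and returns the length recorded for the last index
 * when an unterminated '[' is met: strlen(var) before the fix,
 * strlen(index) after it. Returns -1 when no unterminated '[' is present. */
static long recorded_index_len(const char *name, int fixed, long *real_len)
{
    char buf[512];
    char *var = buf, *index = buf, *ip;

    if (strlen(name) >= sizeof(buf))
        return -1;
    strcpy(buf, name);

    ip = strchr(buf, '[');
    while (ip) {
        char *index_s = ip + 1;
        char *end = strchr(index_s, ']');

        *ip = '\0';                 /* terminate the previous component */
        if (!end) {                 /* '[' without ']': the branch at issue */
            *real_len = (long)strlen(index);
            return (long)strlen(fixed ? index : var);
        }
        *end = '\0';
        index = index_s;            /* current key, e.g. "a" */
        ip = (end[1] == '[') ? end + 1 : NULL;
    }
    return -1;                      /* well-formed name, branch not reached */
}

/* Bytes a consumer would read past the key if it trusted the recorded length. */
static long overread_bytes(const char *name, int fixed)
{
    long real = 0, rec = recorded_index_len(name, fixed, &real);
    return (rec > real) ? rec - real : 0;
}

int main(void)
{
    const char *samples[] = { "abc[a][", "ffffffffff[g][", "abc[a][b]" }; /* constructed */
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-16s pre-fix: %ld  fixed: %ld\n", samples[i],
               overread_bytes(samples[i], 0), overread_bytes(samples[i], 1));
    return 0;
}
```

The model only computes lengths and never reads past its buffer; a non-zero pre-fix value is the number of bytes beyond the key that would end up in the output.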
