BugTraq
PHP LiteSpeed SAPI out of boundaries read due to missing input validation Jan 25 2016 04:04PM
Imre RAD (imre rad search-lab hu)
The LiteSpeed SAPI module in PHP did not sanitize several fields of the
LSAPI request correctly. In the source file sapi/litespeed/lsapilib.c,
the parseRequest function calculated addresses of thesevariables in the
following way:

pReq->m_pScriptFile = pReq->m_pReqBuf +
pReq->m_pHeader->m_scriptFileOff;
pReq->m_pScriptName = pReq->m_pReqBuf +
pReq->m_pHeader->m_scriptNameOff;
pReq->m_pQueryString = pReq->m_pReqBuf +
pReq->m_pHeader->m_queryStringOff;
pReq->m_pRequestMethod = pReq->m_pReqBuf +
pReq->m_pHeader->m_requestMethodOff;

These variables were then exported, so they become available in PHP code
through the $_SERVER array.
These offset fields (eg. m_scriptFileOff) of the header were not
validated at all, so a segmentation fault occured in the SAPI process
after it received an invalid value.

Access to the SAPI socket is a prerequisite of the attack.

The fix is available with the commit:
https://github.com/php/php-src/commit/08080c18f5f3700af6242a338a26985022
07ed45
The fixed versions of PHP are: 5.5.31, 5.6.17 and 7.0.2.

Imre Rad
Search-Lab Ltd.
http://www.search-lab.hu/
http://www.scademy.com/

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus