Back to list
PHP LiteSpeed SAPI out of boundaries read due to missing input validation
Jan 25 2016 04:04PM
Imre RAD (imre rad search-lab hu)
The LiteSpeed SAPI module in PHP did not sanitize several fields of the
LSAPI request correctly. In the source file sapi/litespeed/lsapilib.c,
the parseRequest function calculated addresses of thesevariables in the
pReq->m_pScriptFile = pReq->m_pReqBuf +
pReq->m_pScriptName = pReq->m_pReqBuf +
pReq->m_pQueryString = pReq->m_pReqBuf +
pReq->m_pRequestMethod = pReq->m_pReqBuf +
These variables were then exported, so they become available in PHP code
through the $_SERVER array.
These offset fields (eg. m_scriptFileOff) of the header were not
validated at all, so a segmentation fault occured in the SAPI process
after it received an invalid value.
Access to the SAPI socket is a prerequisite of the attack.
The fix is available with the commit:
The fixed versions of PHP are: 5.5.31, 5.6.17 and 7.0.2.
[ reply ]
Copyright 2010, SecurityFocus