Source: php5
Version: 5.2.0-1
Severity: important
Tags: security patch

Hi,

When an invalid key is used in a call to dba_replace() on a dba inifile resource,
it leads to file truncation.

Example from SecurityReason[1]:
> # cat /www/dba.ham.php
> <?php
> $source=dba_open("/www/about.ini", "wlt", "inifile");
> dba_replace("\0","/www/",$source);
> ?>
> # php /www/dba.ham.php
> # cat /www/about.ini
> #

A patch is available at [2].
Note: this issue also affects php4, as shipped in etch.

[1]http://securityreason.com/achievement_securityalert/58
[2]http://cvs.php.net/viewvc.cgi/php-src/ext/dba/libinifile/inifile.c?r1=1.14.2.1.2.4&r2=1.14.2.1.2.5

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
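
An added example, not part of the bug report, of the SecurityReason advisory or of PHP itself: a wrapper that rejects keys the inifile handler cannot represent before they reach dba_replace(), so a malformed key never gets a chance to clobber the file. The page does not spell out the full set of keys the unpatched handler mishandles, so the checks below are conservative assumptions (a NUL byte as in the reported trigger, other control characters, an unterminated "[group]" prefix, newlines in the value); the helper name safe_inifile_replace() and the fixture file are invented for the example, and the script assumes PHP was built with the dba extension and its bundled inifile handler. Validating at the call site is a mitigation only; the real fix is the inifile.c patch linked above.

```php
<?php
// Added example: defensive wrapper around dba_replace() for inifile handles.
// The rules below are assumptions about what a well-formed inifile key looks
// like ("name" or "[group]name"), not a description of the patched parser.

function safe_inifile_replace($key, $value, $handle)
{
    // Assumption: a NUL byte (the key used in the reported trigger) or any
    // other control character can never be a valid inifile key.
    if ($key === '' || preg_match('/[\x00-\x1f\x7f]/', $key)) {
        throw new InvalidArgumentException('refusing malformed dba inifile key');
    }
    // Assumption: a key starting with '[' must carry a matching ']' so the
    // group name can be split off.
    if ($key[0] === '[' && strpos($key, ']') === false) {
        throw new InvalidArgumentException('unterminated [group] in inifile key');
    }
    // The format is line oriented, so a value with a line break would smuggle
    // in extra lines.
    if (strpbrk($value, "\r\n") !== false) {
        throw new InvalidArgumentException('ini values must not contain newlines');
    }
    return dba_replace($key, $value, $handle);
}

// Constructed fixture so the script runs offline and leaves /www alone.
$path = tempnam(sys_get_temp_dir(), 'ini');
file_put_contents($path, "[site]\nname=about\nowner=www\n");

$h = dba_open($path, 'wl', 'inifile');
if ($h === false) {
    fwrite(STDERR, "dba_open failed (is the dba extension with inifile available?)\n");
    exit(1);
}

safe_inifile_replace('[site]owner', 'webmaster', $h);   // legitimate update

try {
    safe_inifile_replace("\0", '/www/', $h);            // the reported trigger, rejected
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
dba_close($h);

// After the rejected call the original group must still be in the file;
// with the unpatched handler and no wrapper, the file would have been emptied.
$after = file_get_contents($path);
if (strpos($after, '[site]') === false || strpos($after, 'owner=webmaster') === false) {
    fwrite(STDERR, "ini file lost its contents\n");
    exit(1);
}
echo $after;
unlink($path);
```

The wrapper is meant to sit in front of any code path where the key comes from user input (form field, query string, imported data); keys built from string literals in your own code do not need it, but the cost is small enough to apply it uniformly.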
