ID:               45555
 Updated by:       [EMAIL PROTECTED]
 Reported By:      chris_se at gmx dot net
-Status:           Open
+Status:           Closed
 Bug Type:         XMLRPC-EPI related
 Operating System: Irrelevant
 PHP Version:      5.2.6
 New Comment:

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

Thanks for the patch.


Previous Comments:
------------------------------------------------------------------------

[2008-07-18 11:41:08] chris_se at gmx dot net

Description:
------------
If an invalid callback is passed to the
xmlrpc_server_register_introspection_callback method, the method builds
an error message in which it uses Z_STRVAL(php_function) where
php_function may be an arbitrary zval (for example, an integer). But
accepting arbitrary zvals is necessary because callbacks may be arrays
or objects.

This may lead to two problems:

1) Segfaults if something which, when interpreted as a pointer in the
zval struct, is an invalid memory address.
2) Reading arbitrary process memory if an integer is passed that
corresponds to a valid memory address.

This does represent a very minor security problem (denial of service in
case (1) and reading sensitive data from other process parts in case of
(2) and e.g. a threaded webserver).

I've written patches for PHP 5.3 and PHP 6 that solve this problem. The
patch for PHP 5.3 doesn't apply to the PHP 5.2 branch but backporting
should be trivial:

http://www.christian-seiler.de/temp/xmlrpc-bug-5.3.patch
http://www.christian-seiler.de/temp/xmlrpc-bug-6.patch

Reproduce code:
---------------
<?php
$options = array ();
$request = xmlrpc_encode_request ("system.describeMethods", $options);
$server = xmlrpc_server_create ();
xmlrpc_server_register_introspection_callback ($server, 1); // an integer, not a callable
$options = array ('output_type' => 'xml', 'version' => 'xmlrpc');
xmlrpc_server_call_method ($server, $request, NULL, $options);
?>

------------ other variant ----------

<?php
define ('VALID_MEM_ADDR', 0xXXXXXX); // an address that maps a readable string in the process
$options = array ();
$request = xmlrpc_encode_request ("system.describeMethods", $options);
$server = xmlrpc_server_create ();
xmlrpc_server_register_introspection_callback ($server, VALID_MEM_ADDR);
$options = array ('output_type' => 'xml', 'version' => 'xmlrpc');
xmlrpc_server_call_method ($server, $request, NULL, $options);
?>

Expected result:
----------------
Warning: xmlrpc_server_call_method(): Error calling user introspection
callback: 1() in %s on line 7

------------ other variant ----------

Warning: xmlrpc_server_call_method(): Error calling user introspection
callback: 0xXXXXXX() in %s on line 7

Actual result:
--------------
Segmentation fault

------------ other variant ----------

Warning: xmlrpc_server_call_method(): Error calling user introspection
callback: [Contents of string found at the specified memory
address]() in %s on line 7

------------------------------------------------------------------------
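The type confusion the report describes, as an added example that is neither PHP's own code nor the reporter's patch: a small stand-in for the PHP 5 zval tagged union, the flawed message builder that reads Z_STRVAL of whatever zval it is handed, and a type-checked replacement that prints the integer the way the reporter's expected output shows. The struct layout, the IS_* values, the PREFIX text and the functions describe_unsafe, describe_safe, unsafe_leaks_buffer, safe_prints_integer and safe_message_for_long are assumptions for this illustration (the macro names mirror PHP's, the layout is only a model that assumes LP64); the "db_password=hunter2" buffer is a constructed string whose address stands in for the report's VALID_MEM_ADDR.

```c
/* Added example, not code from PHP or from the reporter's patch.
 * Models the PHP 5 zval as a tagged union of a long and a string
 * payload, plus two versions of the error-message builder that runs
 * when the introspection callback cannot be called. Layout, IS_*
 * values and function names are assumptions; assumes LP64 so that
 * long and char* share the same bytes inside the union. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IS_LONG   1
#define IS_STRING 6

typedef struct {
    union {
        long lval;                            /* IS_LONG payload   */
        struct { char *val; int len; } str;   /* IS_STRING payload */
    } value;
    unsigned char type;
} zval;

#define Z_TYPE(z)   ((z).type)
#define Z_LVAL(z)   ((z).value.lval)
#define Z_STRVAL(z) ((z).value.str.val)
#define Z_STRLEN(z) ((z).value.str.len)

#define PREFIX "Error calling user introspection callback: "

/* The flawed pattern: assumes the callback zval is a string and reads
 * whatever the union holds as a char pointer. With an IS_LONG zval the
 * integer itself is dereferenced: an unmapped value segfaults (case 1),
 * a mapped one copies foreign process memory into the warning (case 2). */
int describe_unsafe(const zval *fn, char *out, size_t outlen)
{
    return snprintf(out, outlen, PREFIX "%s()", Z_STRVAL(*fn));
}

/* Hardened version: dispatch on the type tag before touching the payload. */
int describe_safe(const zval *fn, char *out, size_t outlen)
{
    switch (Z_TYPE(*fn)) {
    case IS_STRING:
        return snprintf(out, outlen, PREFIX "%.*s()",
                        Z_STRLEN(*fn), Z_STRVAL(*fn));
    case IS_LONG:
        return snprintf(out, outlen, PREFIX "%ld()", Z_LVAL(*fn));
    default:
        /* arrays and objects are valid callables too; never assume a string */
        return snprintf(out, outlen, PREFIX "<callback of type %u>()",
                        (unsigned)Z_TYPE(*fn));
    }
}

/* Models case (2): the integer equals the address of a readable buffer.
 * Returns 1 if describe_unsafe() copied that buffer into the message. */
int unsafe_leaks_buffer(const char *buffer)
{
    zval fn;
    char msg[256];
    Z_TYPE(fn) = IS_LONG;
    Z_LVAL(fn) = (long)(intptr_t)buffer;   /* the "valid memory address" */
    describe_unsafe(&fn, msg, sizeof msg);
    return strstr(msg, buffer) != NULL;
}

/* Same integer through the hardened builder: the number is printed and
 * nothing is dereferenced. Returns 1 if the message names the integer
 * and does not contain the buffer's contents. */
int safe_prints_integer(const char *buffer)
{
    zval fn;
    char msg[256], expect[64];
    Z_TYPE(fn) = IS_LONG;
    Z_LVAL(fn) = (long)(intptr_t)buffer;
    describe_safe(&fn, msg, sizeof msg);
    snprintf(expect, sizeof expect, "%ld()", (long)(intptr_t)buffer);
    return strstr(msg, buffer) == NULL && strstr(msg, expect) != NULL;
}

/* Format an IS_LONG callback through the hardened builder (static buffer). */
const char *safe_message_for_long(long v)
{
    static char msg[256];
    zval fn;
    Z_TYPE(fn) = IS_LONG;
    Z_LVAL(fn) = v;
    describe_safe(&fn, msg, sizeof msg);
    return msg;
}

int main(void)
{
    const char *secret = "db_password=hunter2";   /* constructed sample */
    puts(safe_message_for_long(1));
    printf("unsafe builder leaks buffer: %d\n", unsafe_leaks_buffer(secret));
    printf("safe builder prints integer: %d\n", safe_prints_integer(secret));
    return 0;
}
```

Case (1) is deliberately not exercised: feeding an unmapped integer to describe_unsafe() would crash the process just as the report's first variant does. The point of the hardened builder is that the decision of how to render the callback is made on the type tag, so an integer, an array or an object never reaches a code path that treats the payload as a pointer.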