ID: 8323
Updated by: jmoore
Reported By: [EMAIL PROTECTED]
Status: Open
Bug Type: Reproduceable crash
PHP Version: 4.0.3pl1
Assigned To:
Comments:

You should use PATH_INFO rather than PHP_SELF in this situation. Also, having php/php.exe callable is a security risk without FORCE_CGI_REDIRECT enabled when compiling.

- James

Previous Comments:
---------------------------------------------------------------------------

[2000-12-19 12:10:32] [EMAIL PROTECTED]

How I found this: under Win32, when I use the $PHP_SELF env variable, it includes the path to the PHP executable, so that if I use the $PHP_SELF var in myscript.phtml (I have .phtml mapped to PHP), e.g. http://myhost/myscript.phtml includes a form which has action="$PHP_SELF", the next URL I am thrown to is http://myhost/php/php.exe/myscript.phtml.

Now, just remove the /myscript.phtml part and try to call http://myhost/php/php.exe. It takes about 10 seconds for PHP to crash, and a DrWatson log is generated. Apache terminates with 500 Internal Server Error, and "premature end of script headers" is found in error_log.

The same also happens when trying to pass command-line vars, e.g. http://myhost/php/php.exe?-h. (php.exe -h works fine on the command line.)

I am not sure if it can be tweaked in any way to actually execute commands or do anything else malicious, but perhaps you guys should look into this.

Following is the DrWatson log for a call to http://myhost/php/php.exe.

==========
Application exception occurred:
        App:  (pid=1560)
        When: 12/19/2000 @ 19:09:40.239
        Exception number: c0000005 (access violation)

*----> System Information <----*
        Computer Name: KRABI
        User Name: SYSTEM
        Number of Processors: 1
        Processor Type: x86 Family 6 Model 6 Stepping 0
        Windows 2000 Version: 5.0
        Current Build: 2195
        Service Pack: 1
        Current Type: Uniprocessor Free
        Registered Organization: Privador AS
        Registered Owner: Jaanus Kase

*----> Task List <----*
   0 Idle.exe
   8 System.exe
 136 SMSS.exe
 164 csrss.exe
 160 WINLOGON.exe
 212 services.exe
 224 LSASS.exe
 388 svchost.exe
 416 SPOOLSV.exe
 444 Apache.exe
 472 DNETC.exe
 504 svchost.exe
 528 mgabg.exe
 564 regsvc.exe
 592 Apache.exe
 600 mstask.exe
 884 WinMgmt.exe
 916 mspmspsv.exe
 252 explorer.exe
1100 pdesk.exe
1176 EM_EXEC.exe
1196 winampa.exe
1204 internat.exe
1036 AcroTray.exe
1120 Term.exe
1104 hc.exe
1420 Term.exe
1124 iexplore.exe
1180 ntvdm.exe
1216 OUTLOOK.exe
1108 msimn.exe
 968 Far.exe
1040 hh.exe
1160 Far.exe
 972 DRWTSN32.exe
1560 php.exe
1572 DRWTSN32.exe
   0 _Total.exe

(00400000 - 00405000)
(77F80000 - 77FFA000)
(10000000 - 10104000)
(77E80000 - 77F35000)
(77E10000 - 77E74000)
(77F40000 - 77F7C000)
(75050000 - 75058000)
(75030000 - 75044000)
(78000000 - 78046000)
(77DB0000 - 77E0A000)
(77D40000 - 77DB0000)
(75020000 - 75028000)
(77A50000 - 77B45000)
(779B0000 - 77A45000)
(1F7D0000 - 1F804000)
(76B30000 - 76B6E000)
(70BD0000 - 70C1C000)
(71700000 - 7178A000)
(69800000 - 69A42000)
(780A0000 - 780B2000)
(1F8C0000 - 1F8D6000)

State Dump for Thread Id 0x1dc

eax=005e74b8 ebx=100136a0 ecx=0012fdfc edx=005e3ac0 esi=fffffffe edi=00000000
eip=1008da97 esp=0012fd90 ebp=005e74b8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000216

function: call_user_function_ex
        1008da7a 56               push    esi
        1008da7b 57               push    edi
        1008da7c 6a00             push    0x0
        1008da7e 50               push    eax
        1008da7f e84cabffff       call    ts_resource_ex (100885d0)
        1008da84 8b4c2440         mov     ecx,[esp+0x40]         ss:00bfd367=????????
        1008da88 8b7c243c         mov     edi,[esp+0x3c]         ss:00bfd367=????????
        1008da8c 8be8             mov     ebp,eax
        1008da8e 83c408           add     esp,0x8
        1008da91 c70100000000     mov     dword ptr [ecx],0x0    ds:0012fdfc=00000000
FAULT ->1008da97 8a4708           mov     al,[edi+0x8]           ds:00acd5d6=??
        1008da9a 3c04             cmp     al,0x4
        1008da9c 0f8503010000     jne     call_user_function_ex+0x135 (1008dba5)
        1008daa2 8b07             mov     eax,[edi]              ds:00000000=????????
        1008daa4 8d542434         lea     edx,[esp+0x34]         ss:00bfd367=????????
        1008daa8 52               push    edx
        1008daa9 6a00             push    0x0
        1008daab 50               push    eax
        1008daac e89f56ffff       call    zend_hash_index_find (10083150)
        1008dab1 83c40c           add     esp,0xc
        1008dab4 83f8ff           cmp     eax,0xff
        1008dab7 750a             jnz     zend_llist_get_prev_ex+0xa3 (100939c3)

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
005E74B8 005E0178 00000000 00000000 00010000 00000000 !call_user_function_ex
005E7500 00000000 00000000 00000000 00000000 00000000 <nosymbols>

*----> Raw Stack Dump <----*
0012fd90  50 1d b5 00 fe ff ff ff - 94 fe 12 00 a0 36 01 10  P............6..
0012fda0  38 32 03 78 ff ff ff ff - 94 fe 12 00 26 10 00 78  82.x........&..x
0012fdb0  08 00 00 00 0f 10 00 78 - 8f d9 08 10 40 6a 5e 00  .......x....@j^.
0012fdc0  00 00 00 00 00 00 00 00 - fc fd 12 00 fe ff ff ff  ................
0012fdd0  50 1d b5 00 01 00 00 00 - 00 00 00 00 78 01 5e 00  P...........x.^.
0012fde0  08 06 5e 00 a0 36 01 10 - d6 36 01 10 40 6a 5e 00  ..^..6...6..@j^.
0012fdf0  00 00 00 00 00 00 00 00 - 10 fe 12 00 00 00 00 00  ................
0012fe00  24 ed fc 77 04 00 00 00 - 00 00 00 00 70 05 5e 00  $..w........p.^.
0012fe10  00 00 00 00 00 00 00 00 - 00 00 01 00 00 00 00 00  ................
0012fe20  ac 2b 08 10 08 06 5e 00 - c8 36 b3 00 2c 76 5e 00  .+....^..6..,v^.
0012fe30  8c fe 12 00 6f 36 01 10 - 78 01 5e 00 a0 36 01 10  ....o6..x.^..6..
0012fe40  01 00 00 00 ec 75 5e 00 - 00 00 00 00 b0 fe 12 00  .....u^.........
0012fe50  00 00 00 00 01 00 00 00 - ec 75 5e 00 90 fe 12 00  .........u^.....
0012fe60  34 4e 00 10 b0 ff 12 00 - 00 00 00 00 30 32 43 56  4N..........02CV
0012fe70  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
0012fe80  00 00 00 00 00 00 00 00 - 00 00 00 00 c8 36 b3 00  .............6..
0012fe90  b8 74 5e 00 b0 fe 12 00 - 40 4e 00 10 80 3c 5e 00  .t^.....@N...<^.
0012fea0  e8 90 5e 00 f0 6f 5e 00 - 80 3c 5e 00 b8 74 5e 00  ..^..o^..<^..t^.
0012feb0  4c ff 12 00 de 19 40 00 - 00 00 00 00 cc 40 40 00  L.....@......@@.
0012fec0  19 00 00 00 00 00 00 00 - 00 00 00 00 00 f0 fd 7f  ................

State Dump for Thread Id 0x638

eax=00540650 ebx=00000000 ecx=00413288 edx=00000000 esi=00d2ff68 edi=77e1844a
eip=77e148fc esp=00d2ff24 ebp=00d2ff44 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246

function: PtInRect
        77e148d6 ff750c           push    dword ptr [ebp+0xc]    ss:017fd51a=????????
        77e148d9 ff5508           call    dword ptr [ebp+0x8]    ss:017fd51a=????????
        77e148dc 817c2404cdabbadc cmp     dword ptr [esp+0x4],0xdcbaabcd ss:017fd4fb=????????
        77e148e4 0f85c8690300     jne     SetClassLongW+0x556 (77e4b2b2)
        77e148ea 83c408           add     esp,0x8
        77e148ed 5d               pop     ebp
        77e148ee c21400           ret     0x14
        77e148f1 b89a110000       mov     eax,0x119a
        77e148f6 8d542404         lea     edx,[esp+0x4]          ss:017fd4fb=????????
        77e148fa cd2e             int     2e
        77e148fc c21000           ret     0x10
        77e148ff b8cb110000       mov     eax,0x11cb
        77e14904 8d542404         lea     edx,[esp+0x4]          ss:017fd4fb=????????
        77e14908 cd2e             int     2e
        77e1490a c21000           ret     0x10

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
00D2FF44 1008E555 00D2FF68 00000000 00000000 00000000 user32!PtInRect
00D2FFB4 77E837CD 00B50C18 005E0178 005E0178 00B50C18 !zend_timeout
00D2FFEC 00000000 00000000 00000000 00000000 00000000 kernel32!TlsSetValue

---------------------------------------------------------------------------

ATTENTION! Do NOT reply to this email!
To reply, use the web interface found at http://bugs.php.net/?id=8323&edit=2

--
PHP Development Mailing List <http://www.php.net/>
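As an added illustration of the PATH_INFO advice in the bug thread above (example code written for this page, not code from the bug report or from PHP itself): under the Apache Action/ScriptAlias CGI setup the reporter describes, PHP_SELF carries the path of the CGI binary (/php/php.exe/myscript.phtml) while PATH_INFO carries only the script path, so a form action built from PHP_SELF hands visitors a URL that invokes the binary directly. The helper `form_action()` and the `$cgi_bin` parameter are hypothetical names; the two `$server` arrays are constructed samples, and the `/php/php.exe` path is the one from the report. In PHP 4 code the array passed in would be `$HTTP_SERVER_VARS` (assumption: track_vars is on, as it is by default).

```php
<?php
// Added example, not part of the bug report: build a form action that names
// the script rather than the CGI binary.
//
// $server  - associative array of CGI variables (pass $HTTP_SERVER_VARS in
//            PHP 4; constructed samples are used below)
// $cgi_bin - URL path under which the PHP CGI binary is mapped, as configured
//            in Apache (assumption: '/php/php.exe', the path in the report)
function form_action($server, $cgi_bin)
{
    $script_name = isset($server['SCRIPT_NAME']) ? $server['SCRIPT_NAME'] : '';
    $path_info   = isset($server['PATH_INFO'])   ? $server['PATH_INFO']   : '';

    if ($script_name == $cgi_bin && $path_info != '') {
        // Request was redirected to the CGI binary via Apache's Action
        // directive: SCRIPT_NAME is the binary, PATH_INFO is the script.
        $path = $path_info;
    } elseif ($script_name != '') {
        // Script served directly (e.g. by the Apache module): SCRIPT_NAME
        // already names the script and PATH_INFO, if any, is extra path data.
        $path = $script_name;
    } else {
        $path = '/';
    }

    // Never fall back to PHP_SELF here; escape for use in an HTML attribute.
    return htmlspecialchars($path, ENT_QUOTES);
}

// Constructed sample of the CGI variables for the Win32 setup in the report
// (illustrative values, not captured from a server).
$cgi_setup = array(
    'PHP_SELF'    => '/php/php.exe/myscript.phtml',
    'SCRIPT_NAME' => '/php/php.exe',
    'PATH_INFO'   => '/myscript.phtml',
);

// Constructed sample of the same script run under the Apache module with
// trailing path data, where SCRIPT_NAME is the script and PATH_INFO is not.
$module_setup = array(
    'PHP_SELF'    => '/myscript.phtml/extra',
    'SCRIPT_NAME' => '/myscript.phtml',
    'PATH_INFO'   => '/extra',
);

// Both forms post back to /myscript.phtml instead of /php/php.exe/...
echo '<form action="' . form_action($cgi_setup, '/php/php.exe') . '">' . "\n";
echo '<form action="' . form_action($module_setup, '/php/php.exe') . '">' . "\n";
?>
```

Choosing by whether SCRIPT_NAME equals the configured CGI path, rather than always preferring PATH_INFO, keeps the helper correct under both deployments: PATH_INFO is the script path only when Apache has redirected the request to the binary. The second half of the comment above is handled at the binary rather than in script code: a PHP 4 CGI built with `--enable-force-cgi-redirect` refuses requests that did not arrive through such an Apache redirect, which is what stops a visitor from calling /php/php.exe on its own.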