To clarify: AFAIK the exploit takes advantage of a buggy memchr() call in versions 4.0.6 and below. This vulnerability is exploitable remotely, no "upload" or local access is needed. I heard that the patch put into CVS a few days ago was just for RFC compliance...

On Tuesday 26 February 2002 08:07 am, Olaf Kirch wrote:
> > There is a bug in the php_split_mime function in PHP 3.x and 4.x. There
> > is a working exploit floating around which provides a remote bindshell
> > for PHP versions 4.0.1 to 4.0.6 with a handful of default offsets for
> > different platforms.
>
> Blechch. This code is really icky. There's really an sprintf down there
> in the code that looks bad (apart from a few other things that look bad).
> But if I don't misread the patch, the sprintf is still there in 4.1.1.
>
> > Since the PHP developers committed another change to the affected
> > source file (rfc1687.c) about two days ago, speculation is that there is
> > yet another remote exploit.
>
> Not in the public CVS (has been removed?)
>
> Olaf
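As an added illustration of the bug class the thread is talking about (length bookkeeping around memchr() while scanning a multipart body, and formatting into a fixed-size buffer with sprintf()), here is constructed C showing the defensive pattern. It is not PHP's rfc1867 code and not written by anyone in this thread; the function names, the sample body and the boundary string are all invented for the example.

```c
/* Constructed illustration of the bug class discussed in the thread:
 * length handling around memchr() when scanning a multipart body, and
 * formatting into a fixed-size buffer. This is NOT PHP's source; every
 * name and layout here is invented for the example. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Search buf[0..len) for the marker "\r\n--<boundary>".
 * Returns the offset of the "\r\n" that starts the match, or -1 if absent.
 * The length handed to memchr() is recomputed from the current cursor on
 * every iteration, so the scan never reads past buf + len even when a '\r'
 * sits near the end of the buffer (a common way such scanners over-read). */
long find_boundary(const char *buf, size_t len, const char *boundary)
{
    size_t blen = strlen(boundary);
    size_t need = 2 + 2 + blen;          /* "\r\n" + "--" + boundary */
    const char *p = buf;
    const char *end = buf + len;

    while (p < end) {
        size_t remaining = (size_t)(end - p);
        const char *cr = memchr(p, '\r', remaining);
        if (cr == NULL)
            return -1;
        /* Confirm there is room for the whole marker before comparing it. */
        if ((size_t)(end - cr) >= need &&
            cr[1] == '\n' && cr[2] == '-' && cr[3] == '-' &&
            memcmp(cr + 4, boundary, blen) == 0)
            return (long)(cr - buf);
        p = cr + 1;                      /* advance past this '\r' only */
    }
    return -1;
}

/* Build a status line about an uploaded part into a caller-supplied
 * buffer. Uses snprintf() with the real buffer size and reports truncation
 * instead of writing past the end the way an unchecked sprintf() would.
 * Returns 1 on success, 0 if the output did not fit. */
int format_part_info(char *out, size_t outlen, const char *field, size_t size)
{
    int n = snprintf(out, outlen, "part %s: %zu bytes", field, size);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';               /* leave a valid empty string */
        return 0;
    }
    return 1;
}

/* Constructed sample body: one part terminated by the boundary line. */
static const char sample_body[] =
    "\r\n--XYZ\r\nContent-Disposition: form-data; name=\"f\"\r\n\r\n"
    "hello\r\n--XYZ--\r\n";

int main(void)
{
    long off = find_boundary(sample_body, sizeof sample_body - 1, "XYZ");
    char line[64];

    printf("first boundary at offset %ld\n", off);
    if (format_part_info(line, sizeof line, "f", 5))
        printf("%s\n", line);
    return 0;
}
```

The two points worth taking away: pass memchr() the bytes that are actually left, not a stale total, and verify the remaining length before touching any byte after the one memchr() returned; and size every formatted write by the destination buffer and treat truncation as an error rather than trusting that the input is short.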
This archive was generated by hypermail 2b30 : Wed Feb 27 2002 - 18:36:48 PST