> There is a bug in the php_split_mime function in PHP 3.x and 4.x. There is a
> working exploit floating around which provides a remote bindshell for PHP
> versions 4.0.1 to 4.0.6 with a handful of default offsets for different
> platforms.

Blechch. This code is really icky. There's really an sprintf down there in
the code that looks bad (apart from a few other things that look bad).
But if I don't misread the patch, the sprintf is still there in 4.1.1.

> Since the PHP developers committed another change to the affected
> source file (rfc1687.c) about two days ago, speculation is that there is yet
> another remote exploit.

Not in the public CVS (has been removed?)

Olaf
--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okirat_private     |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okirat_private     +-------------------- Why Not?! -----------------------
UNIX, n.: Spanish manufacturer of fire extinguishers.
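The unbounded sprintf in a MIME-splitting routine that the message above objects to is a general defect class: the multipart boundary is copied out of the client's Content-Type header, so its length is chosen by the sender, and formatting it into a fixed buffer without a bound writes past the end. The C below is an added illustration, not PHP's code and not the patch under discussion; the function names, the buffer size, and the sample boundaries are all constructed for this example. It shows the size check a parser needs and why the return value of snprintf must be compared against the buffer size rather than ignored.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed example: building the "--<boundary>" marker used when
 * splitting a multipart/form-data body. The boundary string comes from
 * the client's Content-Type header, so its length is attacker-chosen.
 * An unbounded sprintf(buf, "--%s", boundary) into a fixed-size buffer
 * is the defect class discussed above; build_marker bounds the write. */

#define MARKER_BUF 72   /* fixed-size buffer, as a parser might use (assumed size) */

/* Number of bytes the marker needs, excluding the terminating NUL. */
size_t marker_len_needed(const char *boundary) {
    return 2 + strlen(boundary);
}

/* Bounded replacement: writes "--<boundary>" into out (capacity outlen).
 * Returns 0 on success, -1 if the marker plus NUL does not fit.
 * snprintf returns the length that *would* have been written, so the
 * result must be checked against outlen; truncation is treated as an
 * error rather than silently producing a different marker. */
int build_marker(const char *boundary, char *out, size_t outlen) {
    if (out == NULL || outlen == 0) return -1;
    int n = snprintf(out, outlen, "--%s", boundary);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';   /* do not leave a partial marker behind */
        return -1;
    }
    return 0;
}

/* Would an unbounded sprintf of this boundary have written past a
 * MARKER_BUF-byte buffer? Used to show where the naive form fails. */
int naive_would_overflow(const char *boundary) {
    return marker_len_needed(boundary) + 1 > MARKER_BUF;
}

int main(void) {
    char buf[MARKER_BUF];
    /* constructed sample boundaries: one ordinary, one oversized */
    const char *ok = "----WebKitFormBoundary7MA4YWxkTrZu0gW";
    char huge[300];
    memset(huge, 'A', sizeof huge - 1);
    huge[sizeof huge - 1] = '\0';

    printf("short boundary: build_marker=%d naive_overflow=%d\n",
           build_marker(ok, buf, sizeof buf), naive_would_overflow(ok));
    printf("long boundary:  build_marker=%d naive_overflow=%d\n",
           build_marker(huge, buf, sizeof buf), naive_would_overflow(huge));
    return 0;
}
```

The hardened form fails closed: an oversized boundary makes build_marker return -1 with an empty buffer, where the naive sprintf would have written 2 + strlen(boundary) bytes regardless of capacity.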
This archive was generated by hypermail 2b30 : Wed Feb 27 2002 - 19:26:35 PST