Full Disclosure mailing list archives

PHP LiteSpeed SAPI out of boundaries read due to missing input validation

From: Imre RAD <imre.rad () search-lab hu>

Date: Mon, 25 Jan 2016 17:03:35 +0100

The LiteSpeed SAPI module in PHP did not sanitize several fields of the LSAPI request correctly. In the source file sapi/litespeed/lsapilib.c, the parseRequest function calculated the addresses of these variables in the following way:

    pReq->m_pScriptFile = pReq->m_pReqBuf + pReq->m_pHeader->m_scriptFileOff;
    pReq->m_pScriptName = pReq->m_pReqBuf + pReq->m_pHeader->m_scriptNameOff;
    pReq->m_pQueryString = pReq->m_pReqBuf + pReq->m_pHeader->m_queryStringOff;
    pReq->m_pRequestMethod = pReq->m_pReqBuf + pReq->m_pHeader->m_requestMethodOff;

These variables were then exported, so they became available to PHP code through the $_SERVER array. The offset fields of the header (e.g. m_scriptFileOff) were not validated at all, so a segmentation fault occurred in the SAPI process after it received an invalid value. Access to the SAPI socket is a prerequisite of the attack.

The fix is available in the commit:
https://github.com/php/php-src/commit/08080c18f5f3700af6242a338a2698502207ed45

The fixed versions of PHP are: 5.5.31, 5.6.17 and 7.0.2.

Imre Rad
Search-Lab Ltd.
http://www.search-lab.hu/
http://www.scademy.com/
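The bounds check the advisory describes as missing, shown as an added example that is neither the PHP project's code nor the referenced commit: the struct layout is simplified, and the m_reqBufLen field and the demo() helper are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Simplified model of the LSAPI request structures; the real definitions in
 * sapi/litespeed/lsapilib.c carry more fields, and m_reqBufLen is an assumed
 * name for the number of bytes actually received over the socket. */
struct lsapi_req_header {
    int32_t m_scriptFileOff, m_scriptNameOff, m_queryStringOff, m_requestMethodOff;
};
struct lsapi_req {
    char *m_pReqBuf;                    /* received request buffer */
    size_t m_reqBufLen;                 /* assumed: bytes received */
    struct lsapi_req_header *m_pHeader;
    const char *m_pScriptFile, *m_pScriptName, *m_pQueryString, *m_pRequestMethod;
};

/* The advisory's "pReq->m_pReqBuf + off" accepts any offset. Here the offset
 * must land inside the received bytes and the field must be NUL-terminated
 * before the buffer ends (memchr is bounded by the remaining length), so
 * exporting it to $_SERVER never reads past m_reqBufLen. NULL on violation. */
static const char *checked_field(const struct lsapi_req *req, int32_t off)
{
    if (off < 0 || (size_t)off >= req->m_reqBufLen)
        return NULL;
    if (memchr(req->m_pReqBuf + off, '\0', req->m_reqBufLen - (size_t)off) == NULL)
        return NULL;
    return req->m_pReqBuf + off;
}

/* Validated equivalent of the four assignments in parseRequest: 0 on success,
 * -1 if any header offset is out of range or its field is unterminated. */
int parse_request_checked(struct lsapi_req *req)
{
    const struct lsapi_req_header *h = req->m_pHeader;
    req->m_pScriptFile    = checked_field(req, h->m_scriptFileOff);
    req->m_pScriptName    = checked_field(req, h->m_scriptNameOff);
    req->m_pQueryString   = checked_field(req, h->m_queryStringOff);
    req->m_pRequestMethod = checked_field(req, h->m_requestMethodOff);
    return (req->m_pScriptFile && req->m_pScriptName &&
            req->m_pQueryString && req->m_pRequestMethod) ? 0 : -1;
}

/* Constructed sample request (four NUL-terminated fields) whose header sets
 * m_scriptFileOff to `script_file_off`; returns the parser's verdict. */
int demo(int32_t script_file_off)
{
    static char body[] = "/var/www/index.php\0/index.php\0a=1\0GET";
    struct lsapi_req_header h = { script_file_off, 19, 30, 34 };
    struct lsapi_req req = { body, sizeof body, &h, NULL, NULL, NULL, NULL };
    return parse_request_checked(&req);
}
```

demo(0) accepts the well-formed request, while a negative offset, an offset past the received bytes, or a huge value such as 2147483647 is rejected instead of producing a pointer outside the buffer.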