|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
(#)Mordred Labs advisory - Integer overflow in PHP array_pad() function
sir.mordredhushmail.com
Date: Wed Apr 02 2003 - 05:46:02 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
//(#) Mordred Security Labs advisory
Release date: April 1, 2003
Name: Integer overflow in PHP array_pad() function
Versions affected: all versions
Risk: average
Author: Sir Mordred (mordreds-mail.com)
I. Description:
PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.
Please visit http://www.php.net for more information about PHP.
II. Details:
The function array_pad(array input, int pad_size, mixed pad_value) returns
a copy
of the input padded to size specified by pad_size with pad_value.
Unfortunately the implementation of this function suffers from an integer
overflow caused by
a very long second argument and could allow a local/remote attacker in
the worst case
to gain control over the web server.
The following short script will cause a httpd child to die:
$ cat t.php
<?php
array_pad(array(1,2,3), 0x40000003, "pad");
?>
III. Platforms tested
Linux 2.4 with Apache 1.3.27 / PHP 4.3.1
IV. Vendor response
Vendor has been contacted.
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify
wmAEARECACAFAj6Kzo4ZHHNpci5tb3JkcmVkQGh1c2htYWlsLmNvbQAKCRAOkXvN4BZr
fK+sAKCEyIP0M6n390Siz9CFIwsUTVBX6QCeOT5GLt3Y1p3Xu+1ldtJZvu1vXYg=
=639h
-----END PGP SIGNATURE-----
Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2
Big $$$ to be made with the HushMail Affiliate Program:
https://www.hushmail.com/about.php?subloc=affiliate&l=427
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]