[Bug 191638] New: lang/php5 Patch for phpinfo() Type Confusion Infoleak Vulnerability and SSL Private Keys
bugzilla-noreply at freebsd.org
Sat Jul 5 20:07:25 UTC 2014
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=191638
Bug ID: 191638
Summary: lang/php5 Patch for phpinfo() Type Confusion Infoleak
Vulnerability and SSL Private Keys
Product: Ports Tree
Version: Latest
Hardware: Any
OS: Any
Status: Needs Triage
Severity: Affects Many People
Priority: ---
Component: Individual Port(s)
Assignee: freebsd-ports-bugs at FreeBSD.org
Reporter: logan at elandsys.com
Created attachment 144433
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=144433&action=edit
Fix adapted from upstream patch
Stefan Esser reports that:
[2014-06-23 07:13 UTC] stas at php.net
Description:
------------
Hey,
I recently discovered an easy-to-exploit arbitrary information leak
vulnerability in PHP. The information leak can be exploited by setting
PHP_SELF, PHP_AUTH_TYPE, PHP_AUTH_USER or PHP_AUTH_PW to non-string
variables before calling phpinfo().
When you look at the code from /ext/standard/info.c you will see that
the code simply trusts that the returned ZVALs are of type STRING. If,
however, they are integers, the code will interpret the integer as an
in-memory pointer and print out the binary string at that position.
php_info_print_table_start();
php_info_print_table_header(2, "Variable", "Value");
/* Each lookup assumes the zval is a string: Z_STRVAL_PP() reads the
   value union as a char pointer without checking Z_TYPE_PP() first. */
if (zend_hash_find(&EG(symbol_table), "PHP_SELF",
                   sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
    php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
}
if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE",
                   sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
    php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
}
if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER",
                   sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
    php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
}
if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW",
                   sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
    php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
}
He also has a short PoC here:
https://www.sektioneins.de/en/blog/14-07-04-phpinfo-infoleak.html
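The defensive pattern the quoted snippet lacks is a type check before the string accessor. The following is an added example written for this bug entry, not code from PHP, from the attached patch, or from the report above; it uses a deliberately simplified stand-in for PHP 5's zval (a type tag plus a value union, assumed here rather than taken from the Zend headers) and shows a table-row printer that only dereferences the value when the tag says it is a string, returning a placeholder for anything else.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for PHP 5's zval (a type tag plus a value union).
 * This is a simplified model for the example, not the real Zend definition. */
enum { IS_NULL = 0, IS_LONG = 1, IS_STRING = 6 };

typedef struct {
    int type;
    union {
        long lval;                          /* used when type == IS_LONG   */
        struct { char *val; int len; } str; /* used when type == IS_STRING */
    } value;
} zval;

/* Hardened accessor: hand back the C string only when the tag is IS_STRING.
 * The info.c code in the report called Z_STRVAL_PP(data) unconditionally,
 * so an IS_LONG zval had its integer payload dereferenced as a char pointer. */
static const char *zval_string_or_null(const zval *z)
{
    if (z == NULL || z->type != IS_STRING || z->value.str.val == NULL) {
        return NULL;
    }
    return z->value.str.val;
}

/* Model of php_info_print_table_row(): render "name => value" into out.
 * Non-string values get a fixed placeholder instead of a memory read. */
static int print_row_safe(char *out, size_t outlen, const char *name, const zval *z)
{
    const char *val = zval_string_or_null(z);
    return snprintf(out, outlen, "%s => %s", name, val ? val : "<non-string value>");
}

/* Constructed sample zvals standing in for symbol-table lookups. */
static zval make_string(const char *s)
{
    zval z;
    z.type = IS_STRING;
    z.value.str.val = (char *)s;
    z.value.str.len = (int)strlen(s);
    return z;
}

static zval make_long(long l)
{
    zval z;
    z.type = IS_LONG;
    z.value.lval = l;
    return z;
}

/* PHP_SELF holding an ordinary string: the row renders as before. */
const char *demo_string_row(void)
{
    static char buf[128];
    zval self = make_string("/index.php");
    print_row_safe(buf, sizeof buf, "PHP_SELF", &self);
    return buf;
}

/* PHP_AUTH_USER holding an integer: the hardened path never treats the
 * integer as a pointer, so the row shows a placeholder and leaks nothing. */
const char *demo_long_row(void)
{
    static char buf[128];
    zval user = make_long(0x41414141L);
    print_row_safe(buf, sizeof buf, "PHP_AUTH_USER", &user);
    return buf;
}

int main(void)
{
    puts(demo_string_row());
    puts(demo_long_row());
    return 0;
}
```

The same guard belongs on every Z_STRVAL_PP() call in that block of info.c: a lookup that succeeds says only that a symbol exists, not what type it holds, and in PHP 5 user code can assign any type to those globals before calling phpinfo().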