Date: 09/17/00
- Next message: Jani Taskinen: "[PHP-DEV] A fix to configure-system..(acinclude.m4).."
- Previous message: Bug Database: "[PHP-DEV] PHP 4.0 Bug #6361 Updated: unpack fails with 'H'"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
ID: 6351
Updated by: stas
Reported By: jjaakkol <email protected>
Status: Closed
Bug Type: *General Issues
Assigned To:
Comments:
fixed in CVS.
Previous Comments:
---------------------------------------------------------------------------
[2000-08-27 07:29:20] jjaakkol <email protected>
This kind of "format bug" has been exploited before.
At least wu-ftpd and proftpd have been vulnerable to format bugs. See the BugTraq mailing list last July for details
(especially the thread "paper: format bugs").
I don't know for sure if this could be exploited in PHP, but my best guess is that it probably could be.
IMHO, the best fix would be to just use syslog("%s", string). You only need five more characters but no change in the
PHP syslog function API.
---------------------------------------------------------------------------
[2000-08-27 06:03:48] stas <email protected>
Seems to be a real bug. We should either require parameters for %-s, or inhibit them altogether, and use %s for it.
Contrary to what the user says, I do not see a way to exploit it actively (like, for modifying any data on the server), but this can easily lead to a crash, since a garbage pointer is referenced.
---------------------------------------------------------------------------
[2000-08-25 08:22:27] jjaakkol <email protected>
The syslog() function has a client-given format string vulnerability (this is actually known, since there is a comment on this in the sources).
# cat test.php
<?php
syslog(5,"%s");
?>
# php4 test.php
Content-type: text/html
# tail -1 /var/log/messages
Aug 25 15:05:12 demonstration php4: U?åfì^HVS<u^Lf}^H^Bu^W?EüP?EøPj^BèÄ^^A
However, I guess that this could be exploited to gain access to the PHP server in scripts that syslog() some client-given data. So this is a security problem too.
The simple fix is to change the line
php_syslog((*priority)->value.lval, (*message)->value.str.val);
in ext/standard/syslog.c to
php_syslog((*priority)->value.lval,"%s", (*message)->value.str.val);
---------------------------------------------------------------------------
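Added example, not code from the PHP tree or from the reporters: the vulnerable and the fixed shape of the ext/standard/syslog.c call side by side, with a mock of syslog(3) that formats into a buffer (so the fixed path runs offline), plus a small check that counts conversion directives in data that is about to reach a format parameter. The function names and the sample message are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog(3): formats into a caller buffer instead of the
 * system log so the result can be inspected. */
static int mock_syslog(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Before (vulnerable shape, mirrors php_syslog(prio, msg)): the
 * user-controlled message IS the format string, so any %s/%x/%n in it is
 * interpreted against whatever happens to be in the argument area.
 * Kept here for recognition in review only; it is never called. */
int log_message_unsafe(char *out, size_t n, const char *message)
{
    return mock_syslog(out, n, message);
}

/* After (the fix from the report, mirrors php_syslog(prio, "%s", msg)):
 * the format is the constant "%s" and the message is plain data, so it
 * is copied verbatim whatever characters it contains. */
int log_message_safe(char *out, size_t n, const char *message)
{
    return mock_syslog(out, n, "%s", message);
}

/* Count conversion directives in a string; "%%" is a literal percent.
 * A non-zero count in client data headed for a format parameter is the
 * red flag a reviewer (or a log monitor) would look for. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* escaped percent */
        count++;
    }
    return count;
}

/* Run the fixed path on a constructed hostile message and confirm the
 * directives survive as literal text. Returns 1 on success, 0 otherwise. */
int demo(void)
{
    static const char hostile[] = "user=%s%s%n%x";   /* constructed sample */
    char buf[128];
    log_message_safe(buf, sizeof buf, hostile);
    return strcmp(buf, hostile) == 0 && count_format_directives(hostile) == 4;
}
```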
Full Bug description available at: http://bugs.php.net/?id=6351
-- PHP Development Mailing List <http://www.php.net/> To unsubscribe, e-mail: php-dev-unsubscribe <email protected> For additional commands, e-mail: php-dev-help <email protected> To contact the list administrators, e-mail: php-list-admin <email protected>