[UNIX] Integer overflow in PHP array_pad() function

• Previous message: support@securiteam.com: "[EXPL] Remote Multiple Buffer Overflow Vulnerabilities in Passlogd Sniffer"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: support@securiteam.com
To: list@securiteam.com
Date: 6 Apr 2003 13:10:52 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

In the US?

Contact Beyond Security at our new California office
housewarming rates on automated network vulnerability
scanning. We also welcome ISPs and other resellers!

Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
- - - - - - - - -

  Integer overflow in PHP array_pad() function
------------------------------------------------------------------------

SUMMARY

 <http://www.php.net > PHP is a widely-used general-purpose scripting
language that is especially suited for Web development and can be embedded
into HTML.
A buffer overflow in the array_pad function may enable users that can
execute PHP commands to gain administrative privileges.

DETAILS

The function array_pad(array input, int pad_size, mixed pad_value) returns
a copy of the input padded to size specified by pad_size with pad_value.

Unfortunately the implementation of this function suffers from an integer
overflow caused by a very long second argument and could allow a local or
remote attacker to gain control over the web server.

The following short script will cause an httpd child to die:

$ cat t.php
<?php
    array_pad(array(1,2,3), 0x40000003, "pad");
?>

Platforms tested:
Linux 2.4 with Apache 1.3.27 / PHP 4.3.1

Vendor status:
Vendor was contacted.

ADDITIONAL INFORMATION

This information has been provided by Sir Mordred
<mailto:mordred@s-mail.com)> mordred@s-mail.com.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: support@securiteam.com: "[EXPL] Remote Multiple Buffer Overflow Vulnerabilities in Passlogd Sniffer"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]