@(#)Mordred Labs advisory - PHP for Win32: buffer overflow in openlog() function

From: sir.mordred@hushmail.com
Date: 03/27/03

    Date: Thu, 27 Mar 2003 07:53:54 -0800
    To: bugtraq@securityfocus.com
    From: <sir.mordred@hushmail.com>
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    //@(#) Mordred Security Labs advisory

    Release date: March 27, 2003
    Name: PHP for Windows - buffer overflow in openlog() function
    Versions affected: all versions for Windows platforms
    Risk: average
    Author: Sir Mordred (mordred@s-mail.com)

    I. Description:

    PHP is a widely-used general-purpose scripting language that is
    especially suited for Web development and can be embedded into HTML.
    Please visit http://www.php.net for more information about PHP.

    II. Details:

    There exists a classic stack overflow in the openlog() function and the
    following short script will illustrate this vulnerability:

    $ cat t1.php
    <?php
        openlog(str_repeat("X", 1500), LOG_PID, LOG_DAEMON);
    ?>

    III. Platforms tested

    Windows 2000 with IIS 5.0 / PHP 4.3.1

    IV. Workaround

    Not available at the time of writing.

    V. Vendor

    PHP developers notified.

    -----BEGIN PGP SIGNATURE-----
    Version: Hush 2.2 (Java)
    Note: This signature can be verified at https://www.hushtools.com/verify

    wmAEARECACAFAj6DH5sZHHNpci5tb3JkcmVkQGh1c2htYWlsLmNvbQAKCRAOkXvN4BZr
    fN4fAJ9EhQBM1k8JukU4JjZ6VTVVi5k/IwCeO8GoK/V4zuG7HbAgXkb2CNlXelg=
    =t5SO
    -----END PGP SIGNATURE-----
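
Since the advisory lists no workaround, a defender's first step is to find every openlog() call whose first (ident) argument is not a short constant string. The Python triage script below is an added example, not part of the original advisory. The 64-byte cap `MAX_IDENT`, the function names and the sample input are assumptions, and the regex scan is a heuristic that does not skip PHP comments.

```python
import re

MAX_IDENT = 64  # assumption: the advisory states no safe length; site-chosen cap
# openlog( as a plain function call (not ->openlog, ::openlog or my_openlog).
CALL = re.compile(r"(?<![\w$>:])openlog\s*\(", re.IGNORECASE)
# A whole quoted literal with no escapes and no "$var" interpolation.
LITERAL = re.compile(r"""^(['"])([^'"\\$]*)\1$""")

# Constructed sample input; line 3 is the call from the advisory's t1.php.
SAMPLE = '''<?php
openlog("myapp", LOG_PID, LOG_DAEMON);
openlog(str_repeat("X", 1500), LOG_PID, LOG_DAEMON);
openlog($_GET["tag"], LOG_PID, LOG_USER);
$logger->openlog("x");'''

def first_argument(src, start):
    """Return the first argument of a call, scanning from just after its '('."""
    depth, quote, i = 0, None, start
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 1                      # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch in "([":
            depth += 1
        elif ch in ")]":
            if depth == 0:
                break                       # end of the openlog() call
            depth -= 1
        elif ch == "," and depth == 0:
            break                           # end of the first argument
        i += 1
    return src[start:i].strip()

def audit(src):
    """Return (line, ident_expr, verdict) for each openlog() call in src."""
    findings = []
    for m in CALL.finditer(src):
        arg = first_argument(src, m.end())
        lit = LITERAL.match(arg)
        verdict = "dynamic" if not lit else (
            "ok" if len(lit.group(2)) <= MAX_IDENT else "literal-too-long")
        findings.append((src.count("\n", 0, m.start()) + 1, arg, verdict))
    return findings
```

Calls reported as `dynamic` or `literal-too-long` are the ones to review by hand, with priority on any ident built from request data.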
