Re: SecurityReason: PHP 5.2.6 SAPI php_getuid() overload
- From: Eygene Ryabinkin <rea-sec@xxxxxxxxxxx>
- Date: Mon, 8 Dec 2008 13:49:03 +0300
Maksymilian, good day.
Sat, Dec 06, 2008 at 12:40:48PM -0700, cxib@xxxxxxxxxxxxxxxxxx wrote:
[ SecurityReason.com : PHP 5.2.6 SAPI php_getuid() overload ][...]
Using PHP 5.2.6, as a Apache module can bypass many security points.
Am I right that this vulnerability exists only in the Apache 1.x flavour
of the PHP module? The code in question that sets SG(server_context)
too late and initializes BG variable after the .htaccess processing
exists only in sapi/apache/mod_php5.c. For Apache 2.x module the
handler is 'php_handler', it lives in apache2{filter,handler}/sapi_apache2.c
and BG/SG(server_context) are initialized before .htaccess processing.
And to clarify a bit the overall picture: am I right that the purpose of
your sleep.php manipulations is to make Apache to invoke another "fresh"
child that will process error_log contents with errorneous value of
uid/gid = 0? It seems to me that the effect of the found vulnerability
can be shortly characterized as "the first request for the given Apache
child will have uid/gid = 0 as the values returned from 'php_getuid()'
in the code that handles .htaccess contents (to be precise, in the code
inside the function send_php() before the call to
apache_php_module_main(), the point where BG is really initialized by
PHP_RINIT_FUNCTION(basic))". Am I missing something?
Thank you!
--
Eygene
- Follow-Ups:
- Re: SecurityReason: PHP 5.2.6 SAPI php_getuid() overload
- From: Maksymilian Arciemowicz
- Re: SecurityReason: PHP 5.2.6 SAPI php_getuid() overload
- References:
- Prev by Date: RadAsm <=2.2.1.5 Local Command Execution
- Next by Date: [DSECRG-08-040] Multiple Local File Include Vulnerabilities in Xoops 2.3.x
- Previous by thread: SecurityReason: PHP 5.2.6 SAPI php_getuid() overload
- Next by thread: Re: SecurityReason: PHP 5.2.6 SAPI php_getuid() overload
- Index(es):
Relevant Pages
|
