[php-maint] Re: another batch of php security issues for review

Martin Schulze joey at infodrom.org
Mon Aug 28 14:21:12 UTC 2006


sean finney wrote:
> hey joey et al,
> 
> going through the testing-security CVE list, i've found a few more
> unaddressed issues.  this time around i won't spend any time patching
> them until we agree which ones are issues and which ones are
> non-issues :)
> 
> CVE-2006-4023 (The ip2long function in PHP 5.1.4 and earlier may
> incorrectly validate ...)
> 
> 	with this one you could craft an arbitrary string that would
> 	"pass" the validation part of this function.  something like
> 	1.2.3.4.[sql code], which if not properly sanitized later
> 	on could lead to various other problems.
> 
> 	the entry states that this is more likely a bug in any
> 	applications not performing further validation/sanitizing,
> 	and i tend to agree based on the php.net documentation, which
> 	states: "ip2long() should not be used as the sole form of IP
> 	validation. Combine it with long2ip()".
> 
> 	so i say non-issue

Agreed.

> CVE-2006-4020 (scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier,
> allows ...)
> 
> 	"buffer underflow" could lead to code execution, though it 
> 	isn't clear exactly how exploitable it is.  according to the
> 	patch:
> 
> 	http://bugs.php.net/bug.php?id=38322
> 
> 	looks like an off-by-one type error, with a simple enough fix, 
> 	anyway.

No, this is a non-issue.  It requires a malicious PHP script to work.
The attacker could just use popen(), system() or any other means PHP
offers.

> CVE-2006-3016 (Unspecified vulnerability in session.c in PHP before
> 5.1.3 has unknown ...)
> 
> 	gotta love the "unspecified".  looks like php doesn't perform
> 	checks on the session name, which can contain any number of
> 	malicious things and be used for sql injection, xss, etc.
> 
> 	not sure if this is another shoot-yourself-in-the-foot issue or
> 	whether we should include the fix (which apparently is to only
> 	allow session names with alphanumeric characters)

Without more details I can't say more.  Hmm, it's said to be fixed in
http://www.ubuntu.com/usn/usn-320-1 but not mentioned inside.

> CVE-2006-3018 (Unspecified vulnerability in the session extension
> functionality in ...)
> 
> 	this seems similar to the above, only it can result in heap
> 	corruption, which makes me think that perhaps it's appropriate
> 	to fix it (though finding the fix will be less than fun)

If we had the fix, we could maybe think about attack vectors.  Right
now, nearly everything is unspecified and hence difficult to judge.

> CVE-2006-2660 (Buffer consumption vulnerability in the tempnam function
> in PHP 5.1.4 ...)
> 
> 	using a long enough path (>MAXPATHLEN) allows you to have 
> 	tempnam create a file without the temp extension.  sounds like
> 	another shoot yourself in the foot issue, since the local user
> 	could just as easily create the file manually, and if the
> 	tempnam function is taking unsanitized input, it's an 
> 	application error

"allows *local* users to bypass restrictions", for which tons of
methods exist.  Doesn't sound like it would warrant an update.

> and i *think* that's it...

Fair enough.  Thanks a lot!

Regards,

	Joey

-- 
Beware of bugs in the above code; I have only proved it correct,
not tried it.  -- Donald E. Knuth
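[Editor's note: the block below is an added example, not code from this thread, from Debian's php package or from PHP itself. It shows the ip2long()/long2ip() round-trip check that the php.net documentation quoted above recommends, and why it defuses the CVE-2006-4023 shape sean describes (an address followed by SQL text) even on a PHP where ip2long() itself is lenient. The PDO connection and the `hosts` table are assumed for illustration only.]

```php
<?php
// Added example (not from the thread or from PHP's own sources).
// On PHP 5.1.4 and earlier, ip2long() could return an integer for a
// string carrying trailing junk; current PHP returns false for those.
// The round trip through long2ip() rejects them in both cases, because
// long2ip() always emits a canonical "a.b.c.d" that must equal the input.

/**
 * Strict dotted-quad validation via the ip2long()/long2ip() round trip.
 * Returns the canonical address string, or null if the input is rejected.
 */
function validate_ipv4(string $candidate): ?string
{
    $long = ip2long($candidate);
    if ($long === false) {
        return null;                    // not parseable at all
    }
    // Anything that differs from the canonical rendering (trailing
    // garbage, extra octets, leading zeros) is rejected here.
    $canonical = long2ip($long);
    return $canonical === $candidate ? $canonical : null;
}

/**
 * Use only a validated address in a query, and bind it rather than
 * interpolating it. $pdo is an open PDO connection and the `hosts`
 * table is hypothetical (assumed for this example).
 */
function lookup_by_ip(PDO $pdo, string $candidate): array
{
    $ip = validate_ipv4($candidate);
    if ($ip === null) {
        throw new InvalidArgumentException("rejected address: $candidate");
    }
    $stmt = $pdo->prepare('SELECT id, hostname FROM hosts WHERE ip = :ip');
    $stmt->execute([':ip' => $ip]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs. Only the first is a valid, canonical address; the
// second is the "1.2.3.4 <sql>" shape from the discussion above.
$cases = [
    '192.0.2.10',
    '1.2.3.4 OR 1=1',   // trailing junk after whitespace
    '1.2.3.4.5',        // too many octets
    '010.2.3.4',        // non-canonical leading zero
];
foreach ($cases as $c) {
    $r = validate_ipv4($c);
    printf("%-20s -> %s\n", var_export($c, true),
           $r === null ? 'rejected' : "ok ($r)");
}
```

The round trip is the check the 2006 documentation had in mind; PHP 5.2 and later also provide filter_var($s, FILTER_VALIDATE_IP), which does the same job in one call. Either way, the application must still bind the value in the query instead of concatenating it, which is the part of the problem the CVE entry leaves to the application.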