[php-maint] Re: another batch of php security issues for review
sean finney
seanius at debian.org
Mon Aug 28 17:00:20 UTC 2006
On Mon, 2006-08-28 at 16:21 +0200, Martin Schulze wrote:
> > CVE-2006-4020 (scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier,
> > allows ...)
> No, this is a non-issue. It requires a malicious PHP script to work.
> The attacker could just use popen(), system() or any other means PHP
> offers.
although there seems to be a difference of opinion on the matter, i'm
going to side with your judgement. it would require if not a malicious
script, at least a criminally neglectful one. plus, less work for me :)
> > CVE-2006-3016 (Unspecified vulnerability in session.c in PHP before
> > 5.1.3 has unknown ...)
> >
> > gotta love the "unspecified". looks like php doesn't perform
> > checks on the session name, which can contain any number of
> > malicious things and be used for sql injection, xss, etc.
> >
> > not sure if this is another shoot-yourself-in-the-foot issue or
> > whether we should include the fix (which apparently is to only
> > allow session names with alphanumeric characters)
>
> Without more details I can't say more. Hmm, it's said to be fixed in
> http://www.ubuntu.com/usn/usn-320-1 but not mentioned inside.
hmm... adam? my gut feeling is that this is a non-issue.
> > CVE-2006-3018 (Unspecified vulnerability in the session extension
> > functionality in ...)
> >
> > this seems similar to the above, only it can result in heap
> > corruption, which makes me think that perhaps it's appropriate
> > to fix it (though finding the fix will be less than fun)
>
> If we had the fix, we could maybe think about attack vectors. Right
> now, nearly everything is unspecified and hence difficult to judge.
it looks like it's caused by a possible double-close on an fd:
http://cvs.php.net/viewvc.cgi/php-src/ext/session/mod_files.c?r1=1.100.2.2&r2=1.100.2.3&pathrev=PHP_5_2
which would be easy enough to slide into 4.x. though it's not clear
that this is a security problem and not just a potential nasty bug.
sean
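To make the double-close risk discussed above concrete, here is an added example (not code from this thread or from PHP's mod_files.c): a simplified, hypothetical model of a save handler holding one descriptor, with the unsafe close pattern next to a close-once variant, and a harness showing that a repeated close with the unsafe pattern takes out an unrelated descriptor that reused the same number.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical per-request state of a file-backed session handler.
 * Assumed shape for illustration; not the real mod_files.c struct. */
typedef struct {
    int fd;   /* open session file, or -1 when none */
} session_files;

typedef int (*closer_fn)(session_files *);

/* Unsafe pattern: the descriptor number is never invalidated, so a
 * second call issues close() on the same number again. */
static int close_unsafe(session_files *s) {
    if (s->fd != -1)
        return close(s->fd);   /* s->fd keeps its old value */
    return 0;
}

/* Safe pattern: close exactly once, then mark the slot empty so any
 * later call is a harmless no-op instead of a second close(). */
static int close_once(session_files *s) {
    if (s->fd == -1)
        return 0;
    int rc = close(s->fd);
    s->fd = -1;
    return rc;
}

/* Harness: open a file, close it with the given closer, then open an
 * unrelated file (POSIX hands back the lowest free number, i.e. the
 * one just released) and close the session state a second time.
 * Returns 1 if the unrelated descriptor is still valid afterwards,
 * 0 if the double close took it down, -1 on setup failure. */
int other_fd_survives(closer_fn closer) {
    session_files s = { .fd = open("/dev/null", O_RDONLY) };
    if (s.fd == -1) return -1;
    closer(&s);                                 /* legitimate close */
    int other = open("/dev/null", O_RDONLY);    /* reuses the freed number */
    if (other == -1) return -1;
    closer(&s);                                 /* the double close */
    int survives = fcntl(other, F_GETFD) != -1; /* EBADF if closed by mistake */
    if (survives) close(other);
    return survives;
}

int main(void) {
    printf("unsafe: other fd survives = %d\n", other_fd_survives(close_unsafe));
    printf("once:   other fd survives = %d\n", other_fd_survives(close_once));
    return 0;
}
```

Whether that descriptor belongs to another session file, a socket, or a log makes no difference to the handler; that is why the maintainers' question of "bug or security problem" hinges on what else the process has open at the time.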