[php-maint] Re: another batch of php security issues for review

sean finney seanius at debian.org
Mon Aug 28 17:00:20 UTC 2006


On Mon, 2006-08-28 at 16:21 +0200, Martin Schulze wrote:
> > CVE-2006-4020 (scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier,
> > allows ...)

> No, this is a non-issue.  It requires a malicious PHP script to work.
> The attacker could just use popen(), system() or any other means PHP
> offers.

although there seems to be a difference of opinion on the matter, i'm
going to side with your judgement.  it would require if not a malicious
script, at least a criminally neglectful one.  plus, less work for me :)

> > CVE-2006-3016 (Unspecified vulnerability in session.c in PHP before
> > 5.1.3 has unknown ...)
> > 
> > 	gotta love the "unspecified".  looks like php doesn't perform
> > 	checks on the session name, which can contain any number of
> > 	malicious things and be used for sql injection, xss, etc.
> > 
> > 	not sure if this is another shoot-yourself-in-the-foot issue or
> > 	whether we should include the fix (which apparently is to only
> > 	allow session names with alphanumeric characters)
> 
> Without more details I can't say more.  Hmm, it's said to be fixed in
> http://www.ubuntu.com/usn/usn-320-1 but not mentioned inside.

hmm... adam?  my gut feeling is that this is a non-issue.

> > CVE-2006-3018 (Unspecified vulnerability in the session extension
> > functionality in ...)
> > 
> > 	this seems similar to the above, only it can result in heap
> > 	corruption, which makes me think that perhaps it's appropriate
> > 	to fix it (though finding the fix will be less than fun)
> 
> If we had the fix, we could maybe think about attack vectors.  Right
> now, nearly everything is unspecified and hence difficult to judge.

it looks like it's caused by a possible double-close on an fd:

http://cvs.php.net/viewvc.cgi/php-src/ext/session/mod_files.c?r1=1.100.2.2&r2=1.100.2.3&pathrev=PHP_5_2

which would be easy enough to slide into 4.x.  though it's not clear
that this is a security problem and not just a potential nasty bug.


	sean
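The "possible double-close on an fd" that Sean points at in mod_files.c is worth seeing concretely, since it is the reason a double close is more than "a potential nasty bug" in a long-lived process. The following is an added illustration, not code from this thread or from PHP's mod_files.c, and every name in it (sess_file, sess_close_buggy, sess_close_guarded, the demo functions) is hypothetical. It opens a descriptor, closes it, lets unrelated code open another (POSIX hands out the lowest free number, so it gets the same one), and then closes the stale descriptor again; the buggy path silently destroys the unrelated file, while the guarded path, which marks the descriptor as -1 after closing, does nothing.

```c
/* Added example (not code from the mailing-list thread or from PHP's
 * mod_files.c): illustrates the double-close hazard and the defensive idiom
 * that prevents it. All names here are hypothetical. */
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

struct sess_file {
    int fd;   /* -1 when no file is open */
};

/* Buggy close: does not invalidate the descriptor, so calling it twice
 * closes whatever descriptor number has been reused in the meantime. */
static void sess_close_buggy(struct sess_file *s)
{
    close(s->fd);
}

/* Guarded close: only closes a live descriptor and then marks it invalid,
 * so a second call is a harmless no-op. */
static int sess_close_guarded(struct sess_file *s)
{
    if (s->fd < 0)
        return 0;            /* already closed: nothing to do */
    int rc = close(s->fd);
    s->fd = -1;
    return rc;
}

/* Is fd still a valid open descriptor? fcntl(F_GETFD) fails (EBADF)
 * on a closed one. */
static int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Returns 1 if the second buggy close clobbered an unrelated descriptor. */
int demo_buggy_double_close(void)
{
    struct sess_file s = { open("/dev/null", O_RDONLY) };
    sess_close_buggy(&s);
    /* Unrelated code opens a file; the kernel hands out the lowest free
     * number, which is exactly the one just released. */
    int victim = open("/dev/null", O_RDONLY);
    sess_close_buggy(&s);    /* second close: hits victim's descriptor */
    int clobbered = !fd_is_open(victim);
    if (!clobbered)
        close(victim);
    return clobbered;
}

/* Returns 1 if the unrelated descriptor survived the second guarded close. */
int demo_guarded_double_close(void)
{
    struct sess_file s = { open("/dev/null", O_RDONLY) };
    sess_close_guarded(&s);
    int victim = open("/dev/null", O_RDONLY);
    sess_close_guarded(&s);  /* no-op: s.fd is already -1 */
    int survived = fd_is_open(victim);
    if (survived)
        close(victim);
    return survived;
}

int main(void)
{
    printf("buggy close clobbered an unrelated fd:   %d\n",
           demo_buggy_double_close());
    printf("guarded close left unrelated fd intact:  %d\n",
           demo_guarded_double_close());
    return 0;
}
```

In a web server the "unrelated" descriptor can be another request's session file or a client socket, which is why the fix (reset the descriptor to -1 after close and test for it before closing) is cheap to carry into 4.x even when the security impact is unclear.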