PHP tutorial: substr_replace() for replacing characters at a specified position, and its memory corruption vulnerability
Tips and comments
Note: If start is a negative number and the length is less than or equal to start, the length is 0.
$username = "zongzi";
// Replace 2 characters starting at offset 1; outputs: z**gzi
echo substr_replace($username, '**', 1, 2);
Definition and usage
The substr_replace() function replaces one part of a string with another string.
Syntax
substr_replace(string, replacement, start, length)
Parameter description
string: Required. Specifies the string to be checked.
replacement: Required. Specifies the string to be inserted.
start: Required. Specifies where in the string the replacement starts.
  Positive number: start replacing at the specified offset in the string
  Negative number: start replacing at the specified offset from the end of the string
  0: start replacing at the first character in the string
length: Optional. Specifies the number of characters to replace.
  Positive number: the length of the string to be replaced
  Negative number: the number of characters from the end of the string at which replacing stops
  0: insert instead of replace
A VBScript function that works the same way as PHP's substr_replace():
' Parameters: source content, replacement content, start position, length to replace
' Note: startx is 1-based here, as in Mid()
Function substr_replace(sourcecon, repcon, startx, lenx)
    Dim reped
    reped = Mid(sourcecon, startx, lenx) ' fetch the original content of the same length
    Dim scleftx, scleft
    scleftx = startx - 1
    If scleftx < 1 Then
        scleft = ""
    Else
        scleft = Left(sourcecon, scleftx)
    End If
    ' Replace() returns the string from startx onward, so the left part is prepended afterwards
    substr_replace = Replace(sourcecon, reped, repcon, startx, 1)
    substr_replace = scleft & substr_replace
End Function
substr_replace() memory interruption vulnerability
Bugtraq ID:
CVE ID: CVE-2010-2190
CNCVE ID: CNCVE-20102190
Vulnerability Release date:
Vulnerability Update Time:
Vulnerability cause
Design error
Hazard level
Low
Affected systems
PHP 5.2 <= 5.2.13
PHP 5.3 <= 5.3.2
Unaffected systems
Hazards
Remote attackers can exploit this vulnerability to leak sensitive information.
Attack conditions
An attacker must have access to an application that uses the substr_replace() function.
Vulnerability Information
PHP is a popular web programming language.
PHP's substr_replace() function has an information leak problem:
PHP_FUNCTION(substr_replace)
{
    ...
    if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ZZZ|Z", &str, &repl, &from, &len) == FAILURE) {
        return;
    }
    if (Z_TYPE_PP(str) != IS_ARRAY) {
        convert_to_string_ex(str);
    }
    if (Z_TYPE_PP(repl) != IS_ARRAY) {
        convert_to_string_ex(repl);
    }
    if (Z_TYPE_PP(from) != IS_ARRAY) {
        convert_to_long_ex(from);
    }
    if (argc > 3) {
        SEPARATE_ZVAL(len);
        if (Z_TYPE_PP(len) != IS_ARRAY) {
            convert_to_long_ex(len);
            l = Z_LVAL_PP(len);
        }
    } else {
        if (Z_TYPE_PP(str) != IS_ARRAY) {
            l = Z_STRLEN_PP(str);
        }
    }
    if (Z_TYPE_PP(str) == IS_STRING) {
        if (
            (argc == 3 && Z_TYPE_PP(from) == IS_ARRAY) ||
            (argc == 4 && Z_TYPE_PP(from) != Z_TYPE_PP(len))
        ) {
            /* The E_WARNING raised here can run a user-space error handler before str is read on the next line */
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "'from' and 'len' should be of same type - numerical or array ");
            RETURN_STRINGL(Z_STRVAL_PP(str), Z_STRLEN_PP(str), 1);
        }
Calling substr_replace() with 'from' and 'len' parameters of different types triggers an E_WARNING. Because the affected PHP versions have not removed call-time pass-by-reference, a user-space error handler can use this interruption to change the type of the 'str' parameter. If 'str' is changed to an integer, arbitrary memory may be leaked. If 'str' is changed to an array, a hash table containing important memory offsets may be leaked.
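The check, warning, then use ordering described above, reduced to a stand-alone C model. This is an added example, not PHP's source or the advisory's code; `value`, `warn_handler` and every function name are hypothetical. It contrasts the stale use with copying the validated string before the handler can run, which is a generic mitigation pattern and not a description of the fix PHP shipped.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a zval: a type tag plus a union of payloads. */
typedef enum { T_LONG, T_STRING } vtype;
typedef struct {
    vtype type;
    union { long lval; struct { const char *ptr; size_t len; } str; } u;
} value;

/* Models a user-space error handler that is handed the caller's variable. */
typedef void (*warn_handler)(value *v);
static void retyping_handler(value *v) { v->type = T_LONG; v->u.lval = 1234; }

/* Constructed sample input: the tutorial's "zongzi" string. */
static value sample(void) { value v; v.type = T_STRING; v.u.str.ptr = "zongzi"; v.u.str.len = 6; return v; }

/* Vulnerable ordering: check the type, raise the warning, then use the value.
   Returns 1 when the use site would read string fields of a non-string; the
   model stops there instead of dereferencing the stale pointer. */
static int check_warn_use(value *v, warn_handler h)
{
    if (v->type != T_STRING) return 0;   /* check */
    h(v);                                /* interruption: v can be retyped */
    return v->type != T_STRING;          /* use no longer matches the check */
}

/* Hardened ordering: copy the validated string before any callback runs.
   Returns bytes copied, or -1 for a non-string or a too-small buffer. */
static long copy_then_warn(value *v, warn_handler h, char *out, size_t cap)
{
    if (v->type != T_STRING || v->u.str.len >= cap) return -1;
    size_t n = v->u.str.len;
    memcpy(out, v->u.str.ptr, n);        /* private copy while the tag is valid */
    out[n] = '\0';
    h(v);                                /* handler may retype v; out is unaffected */
    return (long)n;
}

int demo_vulnerable(void) { value v = sample(); return check_warn_use(&v, retyping_handler); }

const char *demo_hardened(void)
{
    static char buf[16];
    value v = sample();
    return copy_then_warn(&v, retyping_handler, buf, sizeof buf) == 6 ? buf : NULL;
}

int main(void) { printf("%d %s\n", demo_vulnerable(), demo_hardened()); return 0; }
```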