[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

PHP LiteSpeed SAPI out of boundaries read due to missing input validation

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: PHP LiteSpeed SAPI out of boundaries read due to missing input validation
From: Imre RAD <imre.rad@xxxxxxxxxxxxx>
Date: Mon, 25 Jan 2016 17:04:01 +0100

The LiteSpeed SAPI module in PHP did not sanitize several fields of the
LSAPI request correctly. In the source file sapi/litespeed/lsapilib.c,
the parseRequest function calculated addresses of thesevariables in the
following way:

    pReq->m_pScriptFile     = pReq->m_pReqBuf +
pReq->m_pHeader->m_scriptFileOff;
    pReq->m_pScriptName     = pReq->m_pReqBuf +
pReq->m_pHeader->m_scriptNameOff;
    pReq->m_pQueryString    = pReq->m_pReqBuf +
pReq->m_pHeader->m_queryStringOff;
    pReq->m_pRequestMethod  = pReq->m_pReqBuf +
pReq->m_pHeader->m_requestMethodOff;

These variables were then exported, so they become available in PHP code
through the $_SERVER array.
These offset fields (eg. m_scriptFileOff) of the header were not
validated at all, so a segmentation fault occured in the SAPI process
after it received an invalid value.

Access to the SAPI socket is a prerequisite of the attack.


The fix is available with the commit:
https://github.com/php/php-src/commit/08080c18f5f3700af6242a338a2698502207ed45
The fixed versions of PHP are: 5.5.31, 5.6.17 and 7.0.2.

Imre Rad
Search-Lab Ltd.
http://www.search-lab.hu/
http://www.scademy.com/

Prev by Date: [CORE-2016-0002] - Lenovo ShareIT Multiple Vulnerabilities
Next by Date: [security bulletin] HPSBGN03536 rev.1 - HP IceWall Products running OpenSSL, Remote and Local Denial of Service (DoS)
Previous by thread: [CORE-2016-0002] - Lenovo ShareIT Multiple Vulnerabilities
Next by thread: [security bulletin] HPSBGN03536 rev.1 - HP IceWall Products running OpenSSL, Remote and Local Denial of Service (DoS)
Index(es):
- Date
- Thread