MOPS-2010-028: PHP phar_wrapper_open_url Format String Vulnerabilities
Friday, 14 May 2010 03:06

The new phar extension in PHP 5.3 contains several format string vulnerabilities in the internal phar_wrapper_open_url() function.

Affected versions

PHP 5.3 is affected.

Credits

The vulnerability was discovered by Stefan Esser.

Detailed information

Within the phar_wrapper_open_url() function in ext/phar/stream.c there are three format string vulnerabilities in the error handling.

if (NULL == (idata = phar_get_or_create_entry_data(resource->host, host_len, internal_file, strlen(internal_file), mode, 0, &error, 1 TSRMLS_CC))) {
    if (error) {
        /* error, a message returned by the callee, is passed as the printf-style format argument */
        php_stream_wrapper_log_error(wrapper, options TSRMLS_CC, error);
        efree(error);
    } else {
        php_stream_wrapper_log_error(wrapper, options TSRMLS_CC, "phar error: file \"%s\" could not be created in phar \"%s\"", internal_file, resource->host);
    }
    efree(internal_file);
    php_url_free(resource);
    return NULL;
}
....
        if ((FAILURE == phar_get_entry_data(&idata, resource->host, host_len, internal_file, strlen(internal_file), "r", 0,

Truncated by Planet PHP, read more at the original (another 8495 bytes)
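Added illustration, not code from the advisory or from PHP's source: a buffer-based stand-in for the printf-style php_stream_wrapper_log_error() shows the vulnerable call shape beside the fixed one, together with a check that counts conversion specifiers in an error message built from phar URL components. The log_error(), build_message() and count_conversions() helpers and the sample host and file names are assumptions made for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for PHP's printf-style php_stream_wrapper_log_error(): it formats
 * into a caller buffer instead of the PHP error log (assumption for the example). */
static void log_error(char *out, size_t outsz, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
}

/* Build an error message the way the advisory's code does: a fixed format
 * with the phar host and internal file name as arguments. Both come from the
 * phar:// URL, so the resulting text may contain '%' sequences. */
int build_message(char *out, size_t n, const char *internal_file, const char *host) {
    return snprintf(out, n, "phar error: file \"%s\" could not be created in phar \"%s\"",
                    internal_file, host);
}

/* Check: count printf conversions in text that is about to be used as a format.
 * "%%" is a literal percent; anything else after '%' would be interpreted. */
int count_conversions(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Vulnerable shape from the advisory: the already-built message is the format.
 * Only correct while the message contains no conversions, which URL-derived text breaks. */
void report_vulnerable(char *out, size_t n, const char *error) {
    log_error(out, n, error);
}

/* Fixed shape: constant format, message passed as a plain argument. With
 * __attribute__((format(printf, 3, 4))) on log_error, GCC's -Wformat-security
 * flags the vulnerable variant at compile time. */
void report_fixed(char *out, size_t n, const char *error) {
    log_error(out, n, "%s", error);
}
```

Even a harmless file name such as "10%off.txt" yields one conversion in the built message, so the vulnerable shape misbehaves on ordinary input, not only on crafted input.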
