Newsgroups: php.internals
Subject: Re: [PHP-DEV] Want to know about security vulnerability that was fixed in PHP4.3.8
From: sesser@php.net (Stefan Esser)
To: Kamesh Jayachandran, internals@lists.php.net
Date: Tue, 20 Jul 2004 11:21:30 +0200
Message-ID: <40FCE41A.5080101@php.net>
In-Reply-To: <1090312970.20797.200698630@webmail.messagingengine.com>

Hello,

> 1) Only code that tries to create/initialize a Non-Persistent hash table
> is vulnerable under certain cases.
> True or False.

False, anything that is not correctly initialised at the time the
memory_limit request termination kicks in can potentially be exploited.
This includes string pointers...

> 2) How come some remote attacker can set the Destructor to point to the
> function of his choice?

When memory is allocated it usually contains the content from the time
before it was last freed. In PHP this is especially true because of the
memory cache. So the attacker creates some memory block of the correct
size and by freeing it, it ends up on top of the memory cache.

> 3) Where can I get the patch for this vulnerability for PHP-4.2.3?

By downloading it from the distributor of your choice or by doing a diff
between 4.3.7 and 4.3.8 and incorporating the fixes into the older
version. The PHP developers are not going to create a patch for a 2 year
old version.

> 4) Can someone point to the executable test case for this problem so
> that I can test before and after incorporating the fix?

Nice try. Until now no one has released an exploit for this bug to the
public and therefore it is not a good idea to give one out at this time.
For anyone into exploit development there is already enough information
in the advisory to create one.

Stefan Esser

PS: I am not going to answer any further mails about this.
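The engineering point behind answers 1 and 2 is that a structure which is only partly initialised when a non-returning abort (here, memory_limit termination) fires is left holding whatever bytes the memory held before, and a later teardown that trusts its function-pointer field will act on that stale data. The C program below is an added illustration for this thread; it is not PHP's code and not from Stefan Esser or Kamesh Jayachandran. `table_t`, `limited_alloc`, `MEM_LIMIT`, the `initialised` flag and the 0xAA fill pattern are constructed stand-ins: the 0xAA bytes represent stale heap contents, `limited_alloc` bails out with `longjmp` the way a memory-limit check would, and `table_destroy` stands in for the engine's teardown that walks a table and calls its destructor. It contrasts an init routine that sets the destructor only after a call that can bail out with one that puts every field in a defined state first, and a teardown that refuses to touch a table whose init never completed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <setjmp.h>

/* Constructed stand-in for a hash-table-like structure whose teardown
 * calls a destructor function pointer. */
typedef void (*dtor_fn)(void *);

typedef struct {
    void   **buckets;
    size_t   nbuckets;
    dtor_fn  dtor;
    int      initialised;   /* set only once every field is valid */
} table_t;

/* Constructed memory budget and bail-out: the allocator never returns
 * when the request exceeds the budget, mirroring memory_limit termination. */
static jmp_buf      bailout;
static const size_t MEM_LIMIT = 1024;   /* bytes */

static void *limited_alloc(size_t n) {
    if (n > MEM_LIMIT) longjmp(bailout, 1);
    return calloc(1, n);
}

static int  dtor_calls = 0;
static void counting_dtor(void *p) { (void)p; dtor_calls++; }

/* Unsafe order: the allocation that can bail out happens before the
 * destructor field is written, so a bail-out leaves dtor as stale bytes. */
static void table_init_unsafe(table_t *t, size_t n, dtor_fn d) {
    t->buckets = limited_alloc(n * sizeof(void *));   /* may never return */
    t->nbuckets = n;
    t->dtor = d;
    t->initialised = 1;
}

/* Safe order: defined state first, the fallible call after, and the
 * "usable" flag flipped last. */
static void table_init_safe(table_t *t, size_t n, dtor_fn d) {
    memset(t, 0, sizeof *t);      /* dtor = NULL, initialised = 0 */
    t->dtor = d;
    t->buckets = limited_alloc(n * sizeof(void *));
    t->nbuckets = n;
    t->initialised = 1;
}

/* Teardown that only acts on a table whose init completed. One dtor call
 * stands in for the per-bucket loop a real engine would run.
 * Returns the number of destructor calls made. */
static int table_destroy(table_t *t) {
    if (!t->initialised) return 0;
    int calls = 0;
    if (t->dtor) { t->dtor(t->buckets); calls = 1; }
    free(t->buckets);
    t->buckets = NULL;
    t->initialised = 0;
    return calls;
}

/* Runs one init routine on memory pre-filled with 0xAA (constructed stale
 * contents) with a request large enough to trigger the bail-out. Returns 1
 * if the dtor field still holds the stale bytes afterwards. */
static int stale_dtor_after(void (*init)(table_t *, size_t, dtor_fn), table_t *out) {
    table_t *t = malloc(sizeof *t);
    memset(t, 0xAA, sizeof *t);
    if (setjmp(bailout) == 0)
        init(t, MEM_LIMIT, counting_dtor);   /* MEM_LIMIT pointers > budget */
    unsigned char stale[sizeof(dtor_fn)];
    memset(stale, 0xAA, sizeof stale);
    int is_stale = memcmp(&t->dtor, stale, sizeof stale) == 0;
    *out = *t;
    free(t);
    return is_stale;
}

int unsafe_leaves_stale_dtor(void) { table_t t; return stale_dtor_after(table_init_unsafe, &t); }
int safe_leaves_stale_dtor(void)   { table_t t; return stale_dtor_after(table_init_safe, &t); }

/* After an interrupted safe init, teardown makes no destructor call. */
int safe_destroy_skips_dtor(void) {
    table_t t;
    stale_dtor_after(table_init_safe, &t);
    dtor_calls = 0;
    return table_destroy(&t) == 0 && dtor_calls == 0;
}

/* A fully initialised table is torn down normally. */
int completed_init_runs_dtor(void) {
    table_t t;
    if (setjmp(bailout) == 0) table_init_safe(&t, 4, counting_dtor);
    dtor_calls = 0;
    int r = table_destroy(&t);
    return r == 1 && dtor_calls == 1;
}

int main(void) {
    printf("unsafe init, stale dtor after bail-out: %d\n", unsafe_leaves_stale_dtor());
    printf("safe init, stale dtor after bail-out:   %d\n", safe_leaves_stale_dtor());
    printf("safe teardown skips unfinished table:   %d\n", safe_destroy_skips_dtor());
    printf("completed table torn down normally:     %d\n", completed_init_runs_dtor());
    return 0;
}
```

The unsafe path is never torn down in the program, because calling through stale bytes is exactly the crash (or worse) the thread is about; the program only inspects the field. The two defences shown are independent: ordering the init so that no fallible call precedes the fields the teardown reads, and having the teardown check a completion flag rather than assume every table it visits was finished. The first covers the "string pointers" case from answer 1 as well, since it is a rule about any field read after a possible abort, not about hash tables specifically.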