Newsgroups: php.internals
Xref: news.php.net php.internals:11787
Message-ID: <410CE300.4040505@php.net>
Date: Sun, 01 Aug 2004 14:33:04 +0200
To: internals@lists.php.net
Subject: Request: Support for a memory_limit exploit paper needed
From: sesser@php.net (Stefan Esser)

Hi,

I know that this is maybe a little bit off-topic, but I assume that most people on this list are used to compiling PHP just for testing purposes.

I am currently planning to write a paper about the memory_limit security bug that was announced last month. Actually, the paper will explain in detail what the bug is and how it can be exploited to execute arbitrary code. The paper itself will be written because a few people requested it, a lot of media reported it as a buffer overflow (which is completely wrong), and just because I need some training in writing papers for university.
So if anyone here would like to support me in writing this paper, just grab a copy of

http://security.e-matters.de/mlxdebug.tgz

This package has some special patches in it (for PHP 4.3.2-4.3.7) that write debug output for every emalloc/efree/erealloc and php_register_variable_ex call into a file within /tmp. The package includes a description of how the test works. It basically consists of compiling PHP on your normal platform, e.g. OpenBSD Apache2 CGI. You should just add --enable-memory-limit to your standard configure line and turn register_globals on. The rest is all explained in the package.

Stefan Esser

PS: Those debug files would help me a lot to prove that a few things are easier than one thinks.