Newsgroups: php.internals
Date: Sun, 1 Aug 2004 23:49:49 +0200
From: helly@php.net (Marcus Boerger)
To: Stefan Esser
CC: internals@lists.php.net
Subject: Re: [PHP-DEV] Request: Support for a memory_limit exploit paper needed
Message-ID: <1054076505.20040801234949@marcus-boerger.de>
In-Reply-To: <410CE300.4040505@php.net>

Hello Stefan,

basically you want to explain to everybody how to use those millions of
unpatched servers.

marcus

Sunday, August 1, 2004, 2:33:04 PM, you wrote:

> Hi,
>
> I know that this is maybe a little bit off-topic, but I assume that most
> people on this list are used to compiling PHP just for testing purposes.
>
> I am currently planning to write a paper about the memory_limit security
> bug that was announced last month. Actually the paper will explain in
> detail what the bug is and how it can be exploited to execute arbitrary
> code.
>
> The paper itself will be written because a few people requested it, a
> lot of media reported it as a buffer overflow (which is completely
> wrong) and just because I need some training in writing papers for
> university.
>
> So if anyone here would like to support me writing this paper just grab
> a copy of http://security.e-matters.de/mlxdebug.tgz
>
> This package has some special patches in it (for PHP 4.3.2-4.3.7) that
> write debug output for every emalloc/efree/erealloc and
> php_register_variable_ex call into a file within /tmp.
>
> The package includes a description of how the test works. It basically
> consists of compiling PHP on your normal platform: f.e. OpenBSD Apache2
> CGI. You should just add --enable-memory-limit to your standard
> configure line and turn register_globals on. The rest is all explained
> in the package.
>
> Stefan Esser
>
> PS: those debug files would help me a lot to prove that a few things are
> easier than one thinks.

--
Best regards,
 Marcus                            mailto:helly@php.net