Untitled

a guest
May 4th, 2012
apache_request_headers is vulnerable to a remote exploit

ochsff: Ok, so since it's all over Twitter now, apache_request_headers is vulnerable to a remote exploitable heap buffer overflow…
ochsff: … but only applies if it's php-cgi and the script calls apache_request_headers(..) or one of its aliases.
ochsff: You can also abuse this as '99 stack buffer overflow, but then you'll run into the canary.
ochsff: HTTP_X_TEST=A*256 php5-cgi <<< '<?= apache_request_headers() ?>' triggers the stack buffer overflow.
ochsff: Deploying PHP as (Fast)CGI is the only way to run it with lighttpd and some other web-servers. It's not that uncommon after all.
ochsff: Set up PHP per https://t.co/dwQR4bn4 and make a request with header "X-Test: A..A" to a script containing the fn.
ochsff: If you want it to be a heap buffer overflow, easy: just make sure the header name is longer than 128 characters.
ochsff: And the most embarrassing thing: I found that bug within 5 minutes of looking at PHP source the first time…
ochsff: … guided by their world-readable / public titles for "hidden" security bug tracker entries. :D
ochsff: Did I mention that this is an unpatched "half-day" and PHP 5.4.1 is affected?
ochsff: RT @notnyt: @brainsmoke I've been trying to get them to look at 61807 for a couple weeks. 4 line patch and it's ignored. Cheers.
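A defender-side check to go with the thread above, added here and not part of the paste or of PHP itself: it parses the header block of a raw HTTP/1.x request and flags header names longer than 128 characters (the heap path mentioned in the tweets) or values of 256 bytes or more (the length used in the quoted php5-cgi trigger). The thresholds and the sample requests are assumptions constructed for the example.

```python
from typing import List, Tuple

# Limits taken from the tweets above: a header *name* longer than 128
# characters reaches the heap path, a 256-byte *value* reaches the stack path.
MAX_HEADER_NAME = 128
MAX_HEADER_VALUE = 255


def parse_headers(raw_request: str) -> List[Tuple[str, str]]:
    """Split the head of a raw HTTP/1.x request into (name, value) pairs.

    Only the header block is examined; the request line and body are ignored.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the request line
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # blank or malformed line, not a header
        headers.append((name.strip(), value.strip()))
    return headers


def oversized_headers(raw_request: str) -> List[Tuple[str, int, int]]:
    """Return (name, name_length, value_length) for every header over a limit."""
    findings = []
    for name, value in parse_headers(raw_request):
        if len(name) > MAX_HEADER_NAME or len(value) > MAX_HEADER_VALUE:
            findings.append((name, len(name), len(value)))
    return findings


# Constructed sample requests (not from the page): a normal request, one with
# a 256-byte X-Test value and one with a 129-character header name.
BENIGN = "GET /index.php HTTP/1.1\r\nHost: example.test\r\nX-Test: hello\r\n\r\n"
LONG_VALUE = ("GET /index.php HTTP/1.1\r\nHost: example.test\r\n"
              "X-Test: " + "A" * 256 + "\r\n\r\n")
LONG_NAME = ("GET /index.php HTTP/1.1\r\nHost: example.test\r\n"
             "X-" + "A" * 127 + ": 1\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("long value", LONG_VALUE),
                       ("long name", LONG_NAME)):
        print(label, oversized_headers(req))
```

Long header names and values do occur legitimately, so treat a hit as a triage signal for php-cgi hosts rather than a blocking rule; the real fix is the PHP patch referenced in the thread.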