- apache_request_headers is vulnerable to a remote exploit
- ochsff: Ok, so since it's all over Twitter now, apache_request_headers is vulnerable to a remote exploitable heap buffer overflow…
- ochsff: … but only applies if it's php-cgi and the script calls apache_request_headers(..) or one of its aliases.
- ochsff: You can also abuse this as '99 stack buffer overflow, but then you'll run into the canary.
- ochsff: HTTP_X_TEST=A*256 php5-cgi <<< '<?= apache_request_headers() ?>' triggers the stack buffer overflow.
- ochsff: Deploying PHP as (Fast)CGI is the only way to run it with lighttpd and some other web-servers. It's not that uncommon after all.
- ochsff: Set up PHP per https://t.co/dwQR4bn4 and make a request with header "X-Test: A..A" to a script containing the fn.
- ochsff: If you want it to be a heap buffer overflow, easy: just make sure the header name is longer than 128 characters.
- ochsff: And the most embarrassing thing: I found that bug within 5 minutes of looking at PHP source the first time…
- ochsff: … guided by their world-readable / public titles for "hidden" security bug tracker entries. :D
- ochsff: Did I mention that this is an unpatched "half-day" and PHP 5.4.1 is affected?
- ochsff: RT @notnyt: @brainsmoke I've been trying to get them to look at 61807 for a couple weeks. 4 line patch and it's ignored. Cheers.