The PHP max_input_vars 32bit / 64bit Information Leak Challenge
===============================================================

With the introduction of PHP 5.3.9 there is now a max_input_vars INI directive in PHP that allows you to limit the number of variables that are accepted within one array level. The naming of this setting is a bit troubling, because it is wrong. This setting also does not affect the registration of numerical auto-indices. Suhosin-Extension has had similar features for many years, and they affect all variables.

So by now we all know that the introduction of the max_input_vars feature introduced a critical remote code execution vulnerability that was backported into older PHP versions by RedHat, Debian, CentOS and maybe others. Therefore it is a good time to upgrade.

---

Within the XSS community it is common to have challenges all the time to bypass filters or other kinds of things. So now let's have a challenge in the world of PHP:

Due to the new max_input_vars feature there is now the possibility to abuse an older problem in the code to detect with a single HTTP request whether the remote system is running a 32 bit or a 64 bit PHP. Knowing this is not a critical security problem, but it allows attackers exploiting remote memory corruption vulnerabilities to better prepare for the target. (This problem affects nearly all PHP applications.)

Putting out this challenge does not cause much danger to the PHP community. In the case of the 5.3.9 vulnerability the difference it makes is maybe one less SIGSEGV in the Apache log file, which is not a lot if the brute force exploit would leave 4000 crashes anyway.

So the challenge is:
--------------------

You have a web app with a PHP 5.3.10 powered HTML form. Tell me how you can find out with a single HTTP request whether the target is a 32 bit or a 64 bit server.

A last tip: Disable Suhosin-Extension for tests, because it already protects you from this.

Please do not discuss the results of this challenge online. I would like to see how many people see the problem and how many fail to see it, after I gave this info. Instead send your solution to stefan.esser@sektioneins.de

BTW: You can win nothing except for the 14.99999999999999999999 seconds of fame.