Bug 191638 - lang/php5 Patch for phpinfo() Type Confusion Infoleak Vulnerability and SSL Private Keys
Summary: lang/php5 Patch for phpinfo() Type Confusion Infoleak Vulnerability and SSL Private Keys
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Alex Dupre
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-07-05 20:07 UTC by logan
Modified: 2014-07-06 15:11 UTC
CC List: 4 users

See Also:


Attachments
Fix adapted from upstream patch (2.26 KB, patch)
2014-07-05 20:07 UTC, logan
no flags
PHP 5.3 infoleak vulnerability patch (2.57 KB, patch)
2014-07-05 22:08 UTC, logan
no flags

Description logan 2014-07-05 20:07:24 UTC
Created attachment 144433 [details]
Fix adapted from upstream patch

Stefan Esser reports that:

[2014-06-23 07:13 UTC] stas@php.net
Description:
------------
Hey,

I recently discovered an easy-to-exploit arbitrary information leak
vulnerability in PHP. The information leak can be exploited by setting
PHP_SELF, PHP_AUTH_TYPE, PHP_AUTH_USER or PHP_AUTH_PW to non-string
variables before calling phpinfo().

When you look at the code from /ext/standard/info.c, you will see that
the code simply trusts that the returned ZVALs are of type STRING. If,
however, there are integers, the code will interpret the integer as an
in-memory pointer and print out the binary string at that position.

        php_info_print_table_start();
        php_info_print_table_header(2, "Variable", "Value");
        /* Z_STRVAL_PP(data) reads the value as a char* without first checking Z_TYPE_PP(data) */
        if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
            php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
        }
        if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
            php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
        }
        if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
            php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
        }
        if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
            php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
        }

He also has a short PoC here:

https://www.sektioneins.de/en/blog/14-07-04-phpinfo-infoleak.html
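Added example (not part of the bug report, the quoted upstream code, or the port's patch): a small stand-alone C model of the lookup-and-print loop above, with the hardened form that refuses to print a row unless the value really is a string. The zval, symbol table and the values in it are constructed stand-ins, not PHP's engine types; the `Z_TYPE_PP(data) == IS_STRING` check is the assumed shape of the upstream fix, so treat that as an assumption about the patch rather than a quote from it. The model never dereferences the integer payload; it only counts how many rows the unchecked code would have read through a fabricated pointer.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-ins for PHP 5's zval/HashTable (not the real engine types). */
enum ztype { IS_NULL = 0, IS_LONG = 1, IS_STRING = 6 };

typedef struct {
    union {
        long lval;                                 /* IS_LONG payload */
        struct { const char *val; int len; } str;  /* IS_STRING payload */
    } value;
    enum ztype type;
} zval;

typedef struct { const char *key; zval val; } sym_entry;

/* Stand-in for zend_hash_find(&EG(symbol_table), ...): NULL when the key is absent. */
static zval *sym_find(sym_entry *tab, size_t n, const char *key) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(tab[i].key, key) == 0)
            return &tab[i].val;
    return NULL;
}

/* Hardened row: print only when the value is a string. This models the
   assumed fix (`&& Z_TYPE_PP(data) == IS_STRING` on each lookup); any other
   type is skipped instead of having its payload reinterpreted as a char*. */
static int print_row_checked(const char *name, const zval *z) {
    if (z == NULL || z->type != IS_STRING)
        return 0;
    printf("%-14s %s\n", name, z->value.str.val);
    return 1;
}

/* Would the original, unchecked Z_STRVAL_PP(data) have read a non-string
   payload as a pointer? Diagnostic only; never dereferences anything. */
static int would_misread_as_pointer(const zval *z) {
    return z != NULL && z->type != IS_STRING;
}

static const char *const VARS[] = { "PHP_SELF", "PHP_AUTH_TYPE", "PHP_AUTH_USER", "PHP_AUTH_PW" };

/* Walk the four phpinfo() variables; returns rows printed, reports rows skipped. */
static int print_vars(sym_entry *tab, size_t n, int *skipped) {
    int printed = 0;
    *skipped = 0;
    for (size_t i = 0; i < sizeof(VARS) / sizeof(VARS[0]); i++) {
        zval *z = sym_find(tab, n, VARS[i]);
        if (would_misread_as_pointer(z))
            (*skipped)++;
        printed += print_row_checked(VARS[i], z);
    }
    return printed;
}

/* Constructed symbol table: PHP_AUTH_USER has been set to an integer, the
   situation the report describes; PHP_AUTH_TYPE is absent. */
static size_t demo_table(sym_entry *tab, size_t cap) {
    size_t n = 0;
    if (cap < 3) return 0;
    tab[n].key = "PHP_SELF";      tab[n].val.type = IS_STRING;
    tab[n].val.value.str.val = "/index.php";     tab[n].val.value.str.len = 10; n++;
    tab[n].key = "PHP_AUTH_USER"; tab[n].val.type = IS_LONG;
    tab[n].val.value.lval = 0x41414141L;        n++;   /* constructed integer value */
    tab[n].key = "PHP_AUTH_PW";   tab[n].val.type = IS_STRING;
    tab[n].val.value.str.val = "constructed-pw"; tab[n].val.value.str.len = 14; n++;
    return n;
}

/* Named results for the constructed table: 2 string rows printed, 1 integer row skipped. */
int demo_printed_rows(void) { sym_entry t[3]; int s; return print_vars(t, demo_table(t, 3), &s); }
int demo_skipped_rows(void) { sym_entry t[3]; int s; print_vars(t, demo_table(t, 3), &s); return s; }

int main(void) {
    sym_entry tab[3];
    int skipped;
    int printed = print_vars(tab, demo_table(tab, 3), &skipped);
    printf("printed %d row(s), skipped %d non-string value(s)\n", printed, skipped);
    return 0;
}
```

The point of the type check is that a hash lookup succeeding says nothing about the value's type: user-controlled superglobals can hold integers, arrays or nulls, so every consumer that expects a string has to verify `Z_TYPE` (or convert with the engine's string conversion) before touching `Z_STRVAL`.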
Comment 1 logan 2014-07-05 22:08:13 UTC
Created attachment 144436 [details]
PHP 5.3 infoleak vulnerability patch
Comment 2 commit-hook freebsd_committer freebsd_triage 2014-07-06 14:42:34 UTC
A commit references this bug:

Author: flo
Date: Sun Jul  6 14:42:16 UTC 2014
New revision: 360913
URL: http://svnweb.freebsd.org/changeset/ports/360913

Log:
  Merge a patch from php 5.4/5.5 to fix a security vulnerability. No CVE has
  been assigned (yet?).

  More info on https://www.sektioneins.de/en/blog/14-07-04-phpinfo-infoleak.html

  PR:		191638
  Submitted by:	logan@elandsys.com

Changes:
  head/lang/php53/Makefile
  head/lang/php53/files/patch-ext_standard_info.c
Comment 3 Florian Smeets freebsd_committer freebsd_triage 2014-07-06 15:11:10 UTC
Committed. Thanks!