It was discovered that function dba_replace() from dba extension of PHP 4.x/5.x will truncate INI file when it was asked to replace a non-existent key. Fix: The following patch adds the fixes both for 4.x and 5.x. This is the vulnerability checking bundle. Just extract and run 'make'. # This is a shell archive. Save it in a file, remove anything before # this line, and then unpack it by entering "sh file". Note, it may # create directories; files and directories will be owned by you and # have default permissions. # # This archive contains: # # test/Makefile # test/ham.php # test/test.ini # test/test.ini.orig # echo x - test/Makefile sed 's/^X//' >test/Makefile << '0d8f5a336dfc7f93d0f8ebb4026e4d46' Xall: test X Xtest: test.ini.orig ham.php X @cp -f test.ini.orig test.ini X @rm -f test.ini.lck X @php ham.php X @[ -s test.ini ] && \ X (echo "Not vulnerable: test.ini is not empty:"; cat test.ini) || \ X echo "Vulnerable: test.ini is empty." X @rm -f test.ini.lck 0d8f5a336dfc7f93d0f8ebb4026e4d46 echo x - test/ham.php sed 's/^X//' >test/ham.php << 'a7cabf122ec818d2261bc37c2f29880f' X<?php X$source=dba_open("test.ini", "wlt", "inifile"); Xdba_replace("\0","/www/",$source); X?> a7cabf122ec818d2261bc37c2f29880f echo x - test/test.ini sed 's/^X//' >test/test.ini << '0368deadfd01a6af1d47cb55f407fd28' XPATH=/ XCURR=. XHOME=/home/ 0368deadfd01a6af1d47cb55f407fd28 echo x - test/test.ini.orig sed 's/^X//' >test/test.ini.orig << 'd411974d83a21a1687635b704e038703' XPATH=/ XCURR=. XHOME=/home/ d411974d83a21a1687635b704e038703 exit --- test.shar ends here --- The following VuXML entry should be evaluated and added: How-To-Repeat: http://securityreason.com/achievement_securityalert/58
Responsible Changed From-To: freebsd-ports-bugs->ale Over to maintainer (via the GNATS Auto Assign Tool)
State Changed From-To: open->feedback ale, please patch both ports and forward this pr to me. Thanks.
State Changed From-To: feedback->open Patched in 4.x (5.x seen several vendor releases in the meantime), over to vuxml handler
Responsible Changed From-To: ale->miwi Patched in 4.x (5.x seen several vendor releases in the meantime), over to vuxml handler
pav 2009-03-24 17:02:45 UTC FreeBSD ports repository Modified files: databases/php4-dba Makefile Added files: databases/php4-dba/files patch-fix-dba_replace-truncation Log: - Fix bug when dba_replace() will truncate INI file when it was asked to replace a 52 non-existent key. PR: ports/129459 Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> Reviewed by: maintainer timeout (ale; 3 months) Security: http://www.securityfocus.com/archive/1/498746/30/0/threaded Revision Changes Path 1.2 +1 -0 ports/databases/php4-dba/Makefile 1.1 +17 -0 ports/databases/php4-dba/files/patch-fix-dba_replace-truncation (new) _______________________________________________ cvs-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/cvs-all To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
State Changed From-To: open->closed Committed. Thanks!
miwi 2009-05-16 20:36:19 UTC FreeBSD ports repository Modified files: security/vuxml vuln.xml Log: - Document php -- ini database truncation inside dba_replace() function PR: 129459 (based on) Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> Revision Changes Path 1.1942 +35 -1 ports/security/vuxml/vuln.xml _______________________________________________ cvs-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/cvs-all To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"