Bug 191638

Summary: lang/php5 Patch for phpinfo() Type Confusion Infoleak Vulnerability and SSL Private Keys
Product: Ports & Packages
Reporter: logan
Component: Individual Port(s)
Assignee: Alex Dupre <ale>
Status: Closed FIXED
Severity: Affects Many People
CC: ale, flo, logan, thierry
Priority: Normal
Version: Latest
Hardware: Any
OS: Any
Attachments:
  Fix adapted from upstream patch (flags: none)
  PHP 5.3 infoleak vulnerability patch (flags: none)

Description logan 2014-07-05 20:07:24 UTC
Created attachment 144433
Fix adapted from upstream patch

Stefan Esser reports that:

[2014-06-23 07:13 UTC] stas@php.net
Description:
------------
Hey,

I recently discovered an easy to exploit arbitrary information leak
vulnerability in PHP. The information leak can be exploited by setting
PHP_SELF, PHP_AUTH_TYPE, PHP_AUTH_USER or PHP_AUTH_PW to non-string
variables before calling phpinfo().

When you look at the code from /ext/standard/info.c you will see that
the code simply trusts that the returned ZVALs are of type STRING. If,
however, there are integers, the code will interpret the integer as an
in-memory pointer and print out the binary string at that position.

        php_info_print_table_start();
        php_info_print_table_header(2, "Variable", "Value");
        /* each lookup yields a zval**, but Z_TYPE_PP(data) is never checked before Z_STRVAL_PP(data) */
        if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
            php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
        }
        if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
            php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
        }
        if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
            php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
        }
        if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
            php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
        }

He also has a short PoC here:

https://www.sektioneins.de/en/blog/14-07-04-phpinfo-infoleak.html
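The type confusion described above, modelled as an added stand-alone C example (not code from PHP, from this bug's attachments, or from the linked blog post): a tagged zval with one accessor that reads the string pointer slot blindly, as Z_STRVAL_PP does in the quoted snippet, beside one that checks the type tag first. The zval layout, the accessor names and the sample value 0x41414141 are simplified assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-in for the PHP 5 zval (an assumption for this example,
 * not the real Zend layout): a payload union plus a type tag. */
enum { IS_LONG = 1, IS_STRING = 6 };
typedef struct {
    union {
        long lval;                           /* IS_LONG payload */
        struct { char *val; int len; } str;  /* IS_STRING payload */
    } value;
    unsigned char type;
} zval;

/* What Z_STRVAL_PP(data) does in the snippet above: read the string pointer
 * slot without consulting zval.type. For an IS_LONG zval the integer payload
 * comes back as a char pointer, and the caller prints memory at that address. */
static const char *strval_unchecked(const zval *z) { return z->value.str.val; }

/* Hardened accessor: only an IS_STRING zval yields a pointer. A type check of
 * this kind closes the hole (the attached patch itself is not reproduced). */
static const char *strval_checked(const zval *z) {
    return (z != NULL && z->type == IS_STRING) ? z->value.str.val : NULL;
}

/* Constructed samples: the zval left behind by $PHP_SELF = 0x41414141, and a
 * genuine string value as the control case. */
static zval long_zv = { .value.lval = 0x41414141L, .type = IS_LONG };
static char text[] = "/index.php";
static zval string_zv = { .value.str = { text, sizeof text - 1 }, .type = IS_STRING };

/* 1 if the hardened accessor refuses the integer zval. */
static int checked_rejects_long(void) { return strval_checked(&long_zv) == NULL; }

/* The address the unchecked accessor would hand to the table printer. */
static uintptr_t unchecked_address_from_long(void) {
    return (uintptr_t)strval_unchecked(&long_zv);
}

/* The control case: a real IS_STRING zval passes the hardened check. */
static const char *checked_string_value(void) { return strval_checked(&string_zv); }

int main(void) {
    /* Stand-alone run: exit 0 when the hardened accessor behaves as expected. */
    return (checked_rejects_long() && checked_string_value() != NULL) ? 0 : 1;
}
```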
Comment 1 logan 2014-07-05 22:08:13 UTC
Created attachment 144436
PHP 5.3 infoleak vulnerability patch
Comment 2 commit-hook freebsd_committer freebsd_triage 2014-07-06 14:42:34 UTC
A commit references this bug:

Author: flo
Date: Sun Jul  6 14:42:16 UTC 2014
New revision: 360913
URL: http://svnweb.freebsd.org/changeset/ports/360913

Log:
  Merge a patch from php 5.4/5.5 to fix a security vulnerability. No CVE has
  been assigned (yet?).

  More info on https://www.sektioneins.de/en/blog/14-07-04-phpinfo-infoleak.html

  PR:		191638
  Submitted by:	logan@elandsys.com

Changes:
  head/lang/php53/Makefile
  head/lang/php53/files/patch-ext_standard_info.c
Comment 3 Florian Smeets freebsd_committer freebsd_triage 2014-07-06 15:11:10 UTC
Committed. Thanks!