Bugtraq mailing list archives
Re: @(#)Mordred Labs advisory - Integer overflow in PHP str_repeat() function
From: Jedi/Sector One <j () pureftpd org>
Date: Fri, 4 Apr 2003 00:10:32 +0200
On Thu, Apr 03, 2003 at 08:39:03AM +0200, Goran Krajnovic wrote:
> This is a bit pointless, IMHO. 99% of PHP installations run the PHP code with the user-id of the web server process (usually a low privilege user like 'nobody' or 'apache').

[snip snip]

> If an attacker has the opportunity to execute PHP code of his choice on a target server [1], he does not need to exploit a buffer overflow in PHP just to get the privileges of the web server user
You missed an important point.

Hosting services offering a PHP interpreter to untrusted people rely on PHP features to restrict their field of action. Specifically, the open_basedir and safe_mode features are a must to avoid people going outside their home directory with PHP scripts. If arbitrary code can be run through a PHP vulnerability, these restrictions disappear. People can walk through files that are supposed to be inaccessible. Given that many people just chmod -R 777 their directories when their script doesn't work and leave plaintext SQL passwords everywhere, this is definitely an issue.

Also don't forget that all PHP extensions aren't always enabled. For instance, the socket extension is typically disabled by most hosting service providers for obvious reasons. Once and again, a vulnerability in the PHP interpreter can bypass this restriction and gain access to other machines of the LAN, run DOS agents, etc.

Of course, one shouldn't rely 100% on PHP userland security barriers, this is where tools like NetBSD/OpenBSD's systrace can really add another efficient layer of security.

--
Frank DENIS (Jedi/Sector One) <j () 42-Networks Com>
Secure FTP Server: http://www.PureFTPd.Org/
Misc. free software: http://www.Jedi.Claranet.Fr/
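An added example, not part of the original post: a small audit a hosting administrator could run over customer home directories to list what only open_basedir and safe_mode, rather than OS permissions, keep away from another tenant's script. The function name, the credential pattern and the finding labels are assumptions made for this illustration.

```python
import os
import re
import stat
import sys

# Constructed heuristic for credentials left in scripts; tune it for your stack.
SECRET_RE = re.compile(
    rb"(mysql_connect\s*\(|(password|passwd|pwd)\s*=\s*['\"])", re.I)


def audit_tree(root, max_bytes=65536):
    """Return sorted (relative_path, finding) pairs for paths under root that
    file-system permissions alone would not protect from a co-hosted script
    running as the shared web server user."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # mode bits of a symlink say nothing about its target
            rel = os.path.relpath(path, root)
            # chmod -R 777 leftovers: anyone on the box can modify these.
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            # World-readable regular files that appear to hold credentials.
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(max_bytes)
                except OSError:
                    continue  # unreadable to the auditor; skip it
                if SECRET_RE.search(head):
                    findings.append((rel, "world-readable-credentials"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit.py /path/to/customer/homes
    for rel, kind in audit_tree(sys.argv[1]):
        print(f"{kind}\t{rel}")
```

Every path it reports stays reachable once the interpreter-level restrictions are bypassed, so those are the permissions to tighten first.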