Vulnerability Development mailing list archives

Re: Rumours about Apache 1.3.22 exploits


From: Olaf Kirch <okir () caldera de>
Date: Tue, 26 Feb 2002 15:07:43 +0100

There is a bug in the php_split_mime function in PHP 3.x and 4.x. There is a 
working exploit floating around which provides a remote bindshell for PHP 
versions 4.0.1 to 4.0.6 with a handful of default offsets for different 
platforms.

Blechch. This code is really icky. There's really an sprintf down there
in the code that looks bad (apart from a few other things that look bad).
But if I don't misread the patch, the sprintf is still there in 4.1.1.

Since the PHP developers committed another change to the affected 
source file (rfc1867.c) about two days ago, speculation is that there is yet 
another remote exploit.

Not in the public CVS (has been removed?)

Olaf
-- 
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.            
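The message objects to an unbounded sprintf in the multipart/form-data handling code. As an added illustration, not code from PHP's rfc1867.c or from the poster, here is a constructed C parser for the `filename="..."` parameter of a Content-Disposition header, with the unbounded pattern shown next to a bounded version that checks the length before copying and reports truncation instead of writing past the buffer. The header strings, buffer sizes and function names are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical buffer size for a parsed upload filename (an assumption, not PHP's). */
#define FILENAME_BUF 16

/* "Before": the pattern the message complains about. The attacker controls
 * the length of `fname`, but sprintf writes as much as it is given into a
 * fixed-size buffer with no bounds check. Shown for contrast only; it is
 * never called with untrusted input in this example. */
static void store_filename_unbounded(char out[FILENAME_BUF], const char *fname)
{
    sprintf(out, "%s", fname);          /* no length check: overflow if strlen(fname) >= FILENAME_BUF */
}

/* "After": locate filename="..." in a Content-Disposition line and copy the
 * value into `out` (capacity `outlen`) only when it fits.
 * Returns 0 on success, -1 if no filename parameter is present (or the
 * closing quote is missing), -2 if the value would not fit. */
static int extract_filename(const char *hdr, char *out, size_t outlen)
{
    const char *key = "filename=\"";
    const char *p = strstr(hdr, key);
    if (p == NULL || outlen == 0)
        return -1;
    p += strlen(key);

    const char *end = strchr(p, '"');   /* value ends at the next double quote */
    if (end == NULL)
        return -1;

    size_t len = (size_t)(end - p);
    if (len >= outlen) {                /* the check an unbounded sprintf/strcpy lacks */
        out[0] = '\0';
        return -2;
    }
    memcpy(out, p, len);
    out[len] = '\0';
    return 0;
}

/* Convenience wrapper returning the parsed name length, or a negative status. */
static int parse_into_fixed_buffer(const char *hdr, char out[FILENAME_BUF])
{
    int rc = extract_filename(hdr, out, FILENAME_BUF);
    return rc == 0 ? (int)strlen(out) : rc;
}

int main(void)
{
    /* Constructed sample headers, not captured traffic. */
    const char *ok   = "Content-Disposition: form-data; name=\"upload\"; filename=\"report.txt\"";
    const char *big  = "Content-Disposition: form-data; name=\"upload\"; "
                       "filename=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.txt\"";
    const char *none = "Content-Disposition: form-data; name=\"comment\"";
    char buf[FILENAME_BUF];

    printf("ok   -> %d (%s)\n", parse_into_fixed_buffer(ok, buf), buf);
    printf("big  -> %d\n", parse_into_fixed_buffer(big, buf));
    printf("none -> %d\n", parse_into_fixed_buffer(none, buf));
    return 0;
}
```

The bounded version refuses oversized input rather than truncating silently; a caller can then reject the upload and log the rejected header length, which is also a useful detection signal for fuzzed or malformed multipart requests.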

