oss-sec mailing list archives
Re: CVE Request: PHP SoapClient's __call() type confusion through unserialize()
From: Moritz Muehlenhoff <jmm () debian org>
Date: Fri, 20 Mar 2015 23:46:29 +0100
On Fri, Mar 20, 2015 at 08:35:59PM +0100, Andrea Palazzo wrote:
> Hi everyone,
>
> I'd like to request a CVE for the PHP Sec Bug #69085.
>
> Description: SoapClient's __call() method is prone to a type confusion vulnerability which can be used to gain remote code execution through unsafe unserialize() calls.
>
> Info: https://bugs.php.net/bug.php?id=69085
I'm adding security () php net to CC and I think it should become good practice on oss-security to keep them in CC for future PHP CVE requests. There has been a recent blog posting by a member of the PHP team (also CCed) on that topic: https://liorkaplan.wordpress.com/2015/03/19/cve-assignment-without-upstream-knowledge/

Cheers,
Moritz