oss-sec mailing list archives
Re: CVE Request: PHP SoapClient's __call() type confusion through unserialize()
From: cve-assign () mitre org
Date: Mon, 1 Jun 2015 06:07:13 -0400 (EDT)
SoapClient's __call() method
https://bugs.php.net/bug.php?id=69085
Use CVE-2015-4147 for:

In soap.c:2906

    if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__default_headers", sizeof("__default_headers"), (void **) &tmp)==SUCCESS) {
        HashTable *default_headers = Z_ARRVAL_P(*tmp);

the Z_ARRVAL_P macro is called on __default_headers assuming that it is an array without any actual check about it.

Use CVE-2015-4148 for:

very similar issue located in do_soap_call() (called by __call(), indeed). soap.c:2754, in do_soap_call()

    if (call_uri == NULL) {
        call_uri = Z_STRVAL_PP(uri);
    }

where uri comes from zend_hash_find(Z_OBJPROP_P(this_ptr), "uri", sizeof("uri"), (void *)&uri), line 2748. If the "uri" field has been previously unserialized as an int, this could still result in an info leak whereas the attacker would be able to control a str.val field of a zval.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
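
Added example, not part of the original message and not PHP's own code: a simplified C model of the two missing type checks the message describes, with the unchecked accessor beside checked ones. The toy_zval type, the TOY_* tags and the accessor names are hypothetical stand-ins for the Zend structures and macros, and the sample value is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a PHP 5 zval: a union plus a type tag.
 * These are hypothetical stand-ins, not the real Zend definitions. */
enum toy_type { TOY_LONG, TOY_STRING, TOY_ARRAY };

typedef struct toy_hashtable { int n_elements; } toy_hashtable;

typedef struct {
    union {
        long lval;                           /* valid when type == TOY_LONG   */
        struct { char *val; int len; } str;  /* valid when type == TOY_STRING */
        toy_hashtable *ht;                   /* valid when type == TOY_ARRAY  */
    } value;
    enum toy_type type;
} toy_zval;

/* Unchecked accessor, modelling Z_STRVAL_PP(uri) as used in the reported
 * code: it reads the union member without consulting the type tag. */
static char *uri_unchecked(toy_zval *z) { return z->value.str.val; }

/* Checked accessors: verify the tag before touching the union member, and
 * return NULL so the caller can reject a property of the wrong type. */
static char *uri_checked(toy_zval *z) {
    return z->type == TOY_STRING ? z->value.str.val : NULL;
}

static toy_hashtable *headers_checked(toy_zval *z) {
    return z->type == TOY_ARRAY ? z->value.ht : NULL;
}

int main(void) {
    /* Constructed value: a "uri" property that was unserialized as an int. */
    toy_zval uri = {0};
    uri.value.lval = 0x1234;
    uri.type = TOY_LONG;

    /* The pointers are only printed, never dereferenced. */
    printf("unchecked uri pointer: %p\n", (void *)uri_unchecked(&uri));
    printf("checked uri pointer:   %p\n", (void *)uri_checked(&uri));
    printf("checked headers:       %p\n", (void *)headers_checked(&uri));
    return 0;
}
```

The unchecked accessor hands back the integer reinterpreted as a string pointer, which is the str.val control the message mentions; the checked accessors return NULL for the same input.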