The LiteSpeed SAPI module in PHP did not sanitize several fields of the LSAPI request correctly. In the source file sapi/litespeed/lsapilib.c, the parseRequest function calculated addresses of thesevariables in the following way: pReq->m_pScriptFile = pReq->m_pReqBuf + pReq->m_pHeader->m_scriptFileOff; pReq->m_pScriptName = pReq->m_pReqBuf + pReq->m_pHeader->m_scriptNameOff; pReq->m_pQueryString = pReq->m_pReqBuf + pReq->m_pHeader->m_queryStringOff; pReq->m_pRequestMethod = pReq->m_pReqBuf + pReq->m_pHeader->m_requestMethodOff; These variables were then exported, so they become available in PHP code through the $_SERVER array. These offset fields (eg. m_scriptFileOff) of the header were not validated at all, so a segmentation fault occured in the SAPI process after it received an invalid value. Access to the SAPI socket is a prerequisite of the attack. The fix is available with the commit: http://ift.tt/1QtdOMZ The fixed versions of PHP are: 5.5.31, 5.6.17 and 7.0.2. Imre Rad Search-Lab Ltd. http://ift.tt/23u5fZr http://www.scademy.com/
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment