
Wednesday, January 27, 2016

[FD] PHP LiteSpeed SAPI out of boundaries read due to missing input validation

The LiteSpeed SAPI module in PHP did not validate several fields of the LSAPI request header. In the source file sapi/litespeed/lsapilib.c, the parseRequest function calculated the addresses of these variables in the following way:

    pReq->m_pScriptFile = pReq->m_pReqBuf + pReq->m_pHeader->m_scriptFileOff;
    pReq->m_pScriptName = pReq->m_pReqBuf + pReq->m_pHeader->m_scriptNameOff;
    pReq->m_pQueryString = pReq->m_pReqBuf + pReq->m_pHeader->m_queryStringOff;
    pReq->m_pRequestMethod = pReq->m_pReqBuf + pReq->m_pHeader->m_requestMethodOff;

These variables were then exported, so they became available to PHP code through the $_SERVER array. The offset fields of the header (e.g. m_scriptFileOff) were not validated at all: they were added to the request buffer pointer without being compared against the size of the data actually received, so an attacker-controlled offset produced a pointer outside the buffer and a segmentation fault occurred in the SAPI process once the resulting string was read. Access to the SAPI socket is a prerequisite of the attack.

The fix is available with the commit: http://ift.tt/1QtdOMZ

The fixed versions of PHP are: 5.5.31, 5.6.17 and 7.0.2.

Imre Rad
Search-Lab Ltd.
http://ift.tt/23u5fZr
http://www.scademy.com/
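The following is an added illustration of the bug class described above, not code from the advisory or from PHP's lsapilib.c. It models a cut-down LSAPI header with just the four offset fields the advisory names (the real struct layout, the buffer-length field m_reqBufLen, the helper checked_str and the sample request body are all assumptions made for this example) and places the unchecked pointer arithmetic next to a hardened parser that rejects any offset lying outside the received bytes, or pointing at a string that is not NUL-terminated inside them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the LSAPI request header. Only the four offset
 * fields the advisory names are modelled; the real header has more fields
 * and this layout is an assumption, not PHP's definition. */
struct lsapi_hdr {
    uint32_t m_scriptFileOff;
    uint32_t m_scriptNameOff;
    uint32_t m_queryStringOff;
    uint32_t m_requestMethodOff;
};

/* Parsed request: the four pointers the advisory says were exported to
 * $_SERVER, plus the buffer and the number of bytes actually received
 * (m_reqBufLen is an assumed field added for the bounds check). */
struct lsapi_req {
    const char *m_pReqBuf;
    size_t      m_reqBufLen;
    const char *m_pScriptFile;
    const char *m_pScriptName;
    const char *m_pQueryString;
    const char *m_pRequestMethod;
};

/* Resolve off to a pointer inside buf only if the offset lies within the
 * received bytes AND the string starting there is NUL-terminated before
 * buf + len. Otherwise a later strlen()/strcpy() on the result would read
 * past the buffer, which is the crash the advisory describes. */
static const char *checked_str(const char *buf, size_t len, uint32_t off)
{
    if (off >= len)
        return NULL;                              /* offset past the data */
    if (memchr(buf + off, '\0', len - off) == NULL)
        return NULL;                              /* no terminator in range */
    return buf + off;
}

/* Unchecked form of the pointer arithmetic quoted in the advisory:
 * m_pReqBuf + <offset> with no comparison against the buffer size.
 * Kept only for contrast; never call it on untrusted input. */
void parse_request_unchecked(const struct lsapi_hdr *hdr, struct lsapi_req *r)
{
    r->m_pScriptFile    = r->m_pReqBuf + hdr->m_scriptFileOff;
    r->m_pScriptName    = r->m_pReqBuf + hdr->m_scriptNameOff;
    r->m_pQueryString   = r->m_pReqBuf + hdr->m_queryStringOff;
    r->m_pRequestMethod = r->m_pReqBuf + hdr->m_requestMethodOff;
}

/* Hardened form: every offset is validated against len before any pointer
 * is stored. Returns 0 on success, -1 if any field is out of range; on
 * failure the output struct is left zeroed rather than half-filled. */
int parse_request_checked(const struct lsapi_hdr *hdr, const char *buf,
                          size_t len, struct lsapi_req *r)
{
    const char *f = checked_str(buf, len, hdr->m_scriptFileOff);
    const char *n = checked_str(buf, len, hdr->m_scriptNameOff);
    const char *q = checked_str(buf, len, hdr->m_queryStringOff);
    const char *m = checked_str(buf, len, hdr->m_requestMethodOff);

    memset(r, 0, sizeof *r);
    if (!f || !n || !q || !m)
        return -1;
    r->m_pReqBuf        = buf;
    r->m_reqBufLen      = len;
    r->m_pScriptFile    = f;
    r->m_pScriptName    = n;
    r->m_pQueryString   = q;
    r->m_pRequestMethod = m;
    return 0;
}

/* Constructed sample body (not a captured LSAPI message): four
 * NUL-terminated strings at offsets 0, 19, 30 and 34, 38 bytes in total. */
static const char sample_body[] =
    "/var/www/index.php\0" "/index.php\0" "a=1\0" "GET\0";
#define SAMPLE_LEN (sizeof(sample_body) - 1)

/* Parse the sample body with caller-supplied offsets, so out-of-range
 * values can be tried without ever dereferencing a wild pointer. */
int parse_sample(uint32_t file_off, uint32_t name_off, uint32_t qs_off,
                 uint32_t method_off, struct lsapi_req *out)
{
    struct lsapi_hdr hdr = { file_off, name_off, qs_off, method_off };
    return parse_request_checked(&hdr, sample_body, SAMPLE_LEN, out);
}

int main(void)
{
    struct lsapi_req r;
    struct lsapi_hdr good = { 0, 19, 30, 34 };
    struct lsapi_req u = { sample_body, SAMPLE_LEN, 0, 0, 0, 0 };

    /* On well-formed input both parsers agree. */
    parse_request_unchecked(&good, &u);
    if (parse_sample(0, 19, 30, 34, &r) == 0)
        printf("ok: %s %s?%s (%s)\n", r.m_pRequestMethod, r.m_pScriptName,
               r.m_pQueryString, r.m_pScriptFile);

    /* A header offset far past the 38 received bytes is rejected by the
     * checked parser; the unchecked one would hand PHP a wild pointer. */
    printf("bad offset -> %d\n", parse_sample(0, 19, 30, 0x7fffffffu, &r));
    return 0;
}
```

The check is deliberately two-part: `off < len` alone is not enough, because an offset that lands inside the buffer on a string with no terminator before the end still makes the later strlen() walk off the received data, which is why checked_str also requires a NUL within `len - off` bytes.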

