Details of new PHP hole
Following up on last week's reports of a hole in PHP, Stefan Esser has published an advisory containing further details. He reports that the integer overflow in the ecalloc() function of ZendEngine1 can be triggered via specially crafted user data processed by the unserialize() PHP function. This function is used by PHP applications such as phpBB2, Invision Board, vBulletin and Serendipity, among others, to convert cookies into a proprietary format. Attackers can therefore use specially prepared cookies to plant code and execute it with the user's rights. Esser claims to have developed a proof-of-concept exploit that launches planted shell code. A similar hole in unserialize() was discovered in late 2004.
The flaw affects PHP 5 versions through 5.1.6 and PHP 4 through 4.3.0. Starting with 4.3.0, at least in PHP 4, protection was implemented in ZendEngine1 to guard against the consequences of integer overflows in ecalloc(), Esser writes in his report. He also notes that the flaw has been fixed in PHP CVS, but that no security update will be released. Users should instead apply the patch released by the Hardened PHP Project or wait for PHP 5.2.0. Esser plans to release his exploit once that version is available.
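The two paragraphs above describe a classic allocation-size overflow: an element count taken from attacker-controlled serialized data is multiplied by an element size, the product wraps, and the engine ends up with a buffer far smaller than it believes it has. The C below is an added illustration of the defensive side only; it is not PHP or Zend Engine code and makes no claim about how ZendEngine1's own ecalloc() guard is written. It shows an allocation wrapper that refuses a multiplication that would wrap, plus a bounds check on a constructed "a:N:{" serialized-array header that rejects element counts the input could not possibly contain. The names safe_calloc, alloc_overflows and parse_array_count are hypothetical.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added example, not PHP/Zend code. checked_mul() reports whether a * b fits
 * in size_t; the unchecked product would silently wrap and yield a tiny
 * allocation for a huge logical element count. */
static int checked_mul(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return 0; /* would overflow */
    *out = a * b;
    return 1;
}

/* calloc-style allocator that returns NULL instead of a too-short buffer
 * when nmemb * size overflows. (Hypothetical name.) */
void *safe_calloc(size_t nmemb, size_t size) {
    size_t total;
    if (!checked_mul(nmemb, size, &total)) return NULL;
    void *p = malloc(total ? total : 1);
    if (p) memset(p, 0, total);
    return p;
}

/* Returns 1 when an allocation of nmemb * size bytes would be refused as an
 * overflow, 0 when it is a sane size. Exposed so the check can be tested
 * without actually allocating. */
int alloc_overflows(size_t nmemb, size_t size) {
    size_t total;
    return !checked_mul(nmemb, size, &total);
}

/* Parse the header "a:N:{" of a PHP-serialized array (constructed sample
 * input, not a real cookie) and return N, or -1 when the count is missing,
 * negative, overflows itself, or is larger than the remaining bytes could
 * hold. Every serialized element needs at least 4 bytes (e.g. "i:0;"), so a
 * count above remaining/4 is rejected before any allocation is sized by it. */
long parse_array_count(const char *s, size_t len) {
    if (len < 5 || s[0] != 'a' || s[1] != ':') return -1;
    size_t i = 2;
    unsigned long long n = 0;
    int digits = 0;
    while (i < len && s[i] >= '0' && s[i] <= '9') {
        if (n > (ULLONG_MAX - 9) / 10) return -1; /* the count itself overflows */
        n = n * 10 + (unsigned)(s[i] - '0');
        i++;
        digits++;
    }
    if (digits == 0 || i + 1 >= len || s[i] != ':' || s[i + 1] != '{') return -1;
    size_t remaining = len - (i + 2);          /* bytes after "a:N:{" */
    if (n > remaining / 4) return -1;          /* claims more elements than input holds */
    if (n > (unsigned long long)LONG_MAX) return -1;
    return (long)n;
}

int main(void) {
    /* Constructed inputs: a well-formed two-element array and a header whose
     * count is absurd for the bytes that follow. */
    const char *ok = "a:2:{i:0;i:1;}";
    const char *bad = "a:2147483647:{}";
    printf("ok  -> %ld\n", parse_array_count(ok, strlen(ok)));
    printf("bad -> %ld\n", parse_array_count(bad, strlen(bad)));
    printf("1000*8 overflows? %d\n", alloc_overflows(1000, 8));
    printf("(SIZE_MAX/2+1)*2 overflows? %d\n", alloc_overflows(SIZE_MAX / 2 + 1, 2));
    return 0;
}
```

The point of the second check is that an element count arriving in serialized data is untrusted input: validating it against the length of the data it claims to describe, before it is fed into an allocation, stops the wrapped multiplication from ever being reached, independently of whether the allocator itself is hardened.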
- PHP unserialize() Array Creation Integer Overflow, Advisory from Stefan Esser