Security update for Zend Platform
Security specialist Stefan Esser, best known for the Hardened PHP project, has reported six critical security holes in the session manager of Zend Platform. Zend Platform is a scalable production environment for PHP applications in corporate settings. The software enables session clustering, which is the forwarding of PHP session data within a cluster of computers.
It appears that the tool used for this, ZendSessionManager, and the "mod_cluster" module have problems in processing specially prepared session IDs. Null-length IDs crash the manager and module in the same way that overlong ones do, Esser claims. The first problem is a buffer overflow when the PHPSESSID is copied with strncpy. Another buffer overflow emerges during later processing of the ID and could potentially be exploited to inject code into the system and execute it. The flaw lies in the way in which Zend Platform uses the ID to store both the IP address of the relevant node and the file names for the session data: manipulating the part of the ID from which the file name is derived can cause an overflow while the file name is being constructed.
The manipulation of the part of the ID used to create file names could also potentially allow both access to arbitrary files on the server and "Remote File Inclusion." All Zend Platform versions through 2.2.1 are affected on all operating systems. The flaw has been corrected in the new version 2.2.1a.
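The two weaknesses described above, an unbounded copy of the session ID and a file name derived from an unvalidated ID, can both be closed by validating the ID before it is used. The following C snippet is an added example, not code from Zend Platform or from Esser's analysis; the length limit, the accepted character set and the "sess_" file-name layout are assumptions, and because the article does not describe how the node IP part of the ID is encoded, the whole ID is treated as one opaque token.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed limits for this example; Zend Platform's real values are not given in the article. */
#define SESSID_MAX 32   /* longest PHPSESSID we accept */

/* Returns 1 if the ID is safe to use as a file-name component: non-empty, not overlong,
   and made only of [A-Za-z0-9,-]. Rejects both the null-length and the overlong case,
   and any character ('/', '.', ':' ...) that could steer the derived path elsewhere. */
int sessid_is_valid(const char *id)
{
    size_t n = 0;
    if (id == NULL) return 0;
    /* Bounded scan: never read more than SESSID_MAX+1 bytes, even for an unterminated ID. */
    while (n <= SESSID_MAX && id[n] != '\0') n++;
    if (n == 0 || n > SESSID_MAX) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)id[i];
        if (!(isalnum(c) || c == ',' || c == '-')) return 0;
    }
    return 1;
}

/* Builds "<dir>/sess_<id>" into out. Returns 0 on success, -1 if the ID is invalid or the
   result would not fit. snprintf reports the length it needed instead of overrunning the
   buffer, and always NUL-terminates, unlike strncpy on an overlong input. */
int build_session_path(const char *dir, const char *id, char *out, size_t outsz)
{
    if (!sessid_is_valid(id)) return -1;
    int len = snprintf(out, outsz, "%s/sess_%s", dir, id);
    if (len < 0 || (size_t)len >= outsz) return -1;   /* truncated: refuse rather than use a partial path */
    return 0;
}

int main(void)
{
    char path[128];
    /* Constructed inputs: a normal ID, an empty one, a traversal attempt and an overlong one. */
    const char *samples[] = { "abc123def456", "", "../../other",
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" };
    for (size_t i = 0; i < 4; i++) {
        int rc = build_session_path("/tmp/sessions", samples[i], path, sizeof path);
        printf("%-44s -> %s\n", samples[i][0] ? samples[i] : "(empty)", rc == 0 ? path : "rejected");
    }
    return 0;
}
```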
- Zend Platform Multiple Remote Vulnerabilities, Flaw analysis from Stefan Esser