PHP ext/mysqli Format String Vulnerability

Credit: Stefan Esser
Risk: Low
Local: Yes
Remote: Yes
CWE: CWE-134

CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hardened-PHP Project -= Security Advisory =- Advisory: PHP ext/mysqli Format String Vulnerability Release Date: 2006/01/12 Last Modified: 2006/01/12 Author: Stefan Esser [sesser (at) hardened-php (dot) net [email concealed]] Application: PHP5.1 <= 5.1.1 Not Affected: PHP4, PHP 5.0.x PHP 5.1.x with Hardening-Patch Severity: A format string vulnerability in the exception handling of the new mysqli extension may result in remote code execution Risk: Low Vendor Status: Vendor has released a bugfixed version References: Overview: PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. During the development of the Hardening-Patch which adds security hardening features to the PHP codebase, several vulnerabilities within PHP were discovered. This advisory describes one of these flaws concerning a weakness in the mysqli extension. PHP5 comes with the new mysqli extension, which recently got a new error reporting feature using exceptions. When an exception for such an error is thrown the error message is used as format string. Depending on the situation and configuration, f.e. a malicious MySQL server or an erroneous SQL query (f.e. through SQL injection) can result in PHP reporting a (partly) user supplied error message, which can result in triggering the format string vulnerability, which can lead to remote code execution. Details: PHP's new mysqli extension recently got a new error reporting mode that is using PHP exceptions to report errors generated by the SQL server or errors that occured when a connection cannot be established. Because of a flaw in the way the format string functions where called when such an exception is thrown the error message is used as format string and might contain format string specifiers. Because this error message is generated by the mysql client library or the remote mysql server there are a number of ways a local or remote attacker can influence the content of the message to cause arbitrary format strings to be parsed. By default the reporting mode will not report failed SQL queries through this mechanism, but when it is enabled SQL injection vulnerabilities can be used by remote attackers to feed arbitrary format strings to PHP's internal implementation of the format string functions. These functions also support the %n specifier and therefore can be exploited in ways similar to the standard fmt string exploits. (With the little problem that the %n implementation in PHP is buggy and therefore does not behave in the normal way). In the default reporting mode an attacker has to be either local and try to connect to invalid hostnames or remote with control over the error messages returned by the mysql server. (malicious server or man in the middle attack). In all cases there is the potential for attacker controlled memory corruption that could even lead to remote code execution. The vulnerability is rated low risk, because it is believed to be hard for an external attacker to abuse this remotely. PHP servers using our Hardening-Patch are not exploitable because since the very beginning of the patch we have the %n format string specifier disabled, to protect against unknown format string vulnerabilites. Proof of Concept: The Hardened-PHP project is not going to release exploits for this vulnerability to the public. Recommendation: It is strongly recommended to upgrade to the latest appropriate PHP release as soon as possible, because it does not only fix this vulnerability, but finally comes with a HTTP Response Splitting protection. Additionally we always recommend to run PHP with the Hardening-Patch applied, because this vulnerability once again proved that our users are protected against unknown vulnerabilities before they become public knowledge. GPG-Key: pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1 Copyright 2006 Stefan Esser. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see iD8DBQFDxpDMRDkUzAqGSqERAvRPAJ9rl/UP6jYWv4gvhA5WBgETAG4UKQCfVmnQ pynps3w+tBa+wi0y1WQ7rUo= =rdnA -----END PGP SIGNATURE-----

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2023,


Back to Top