PHP 5.6.7 apache2handler remote code execution vulnerability

2015-04-17 / 2015-04-18
Credit: Marc
Risk: High
Local: No
Remote: Yes

CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Hello,

PHP 5.4.40, 5.5.24 and 5.6.8 fixed a potential remote code execution vulnerability when used with the Apache 2.4 apache2handler. The issue is with Apache 2.4, the PHP apache2handler SAPI, and pipelined HTTP requests.

Given a simple (just a single echo) PHP script, the following results in segfaults, but not always:

    echo -e "GET /foo HTTP/1.1\nHost:\n\nGET /foo HTTP/1.1\nHost:\n\n" | netcat localhost 80

This is because after the first request, the interpreter is deinitialized (sapi_apache2.c line 679 calls php_apache_request_dtor), BUT contrary to the situation under Apache 2.2, Apache 2.4 does NOT call the pool cleanup function (php_server_context_cleanup) before the second request is processed - resulting in SG(server_context) still being non-NULL, which then makes the second request be handled as a subrequest (parent_req != NULL), skipping the call to php_apache_request_ctor - thus running the request in a deconfigured interpreter.

(still private) Fixed by:;a=commit;h=809610f5ea38a83b284e1125d1fff129bdd615e7

+++ b/sapi/apache2handler/sapi_apache2.c @@ -688,6 +688,7 @@ zend_first_try { } zend_end_try(); } apr_brigade_cleanup(brigade); + apr_pool_cleanup_run(r->pool, (void *)&SG(server_context), php_server_context_cleanup); } else { ctx->r = parent_req; }

Marc.
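Review bot: the added apr_pool_cleanup_run() line has no comment explaining why an explicit cleanup is needed right after apr_brigade_cleanup(brigade); the reason (Apache 2.4 does not run the pool cleanup between pipelined requests, so SG(server_context) stays non-NULL and the next request falls into the `ctx->r = parent_req` subrequest branch without php_apache_request_ctor) lives only in the report and should sit above the call. Two things to confirm in review that the hunk does not show: that php_server_context_cleanup really resets SG(server_context) to NULL, since the fix depends on it, and that the data pointer `(void *)&SG(server_context)` is the same one used when the cleanup was registered, so apr_pool_cleanup_run() unregisters that entry instead of leaving it to run a second time when the pool is destroyed.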
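A toy C model of the request lifecycle described above, added here as an example and not PHP's or Apache's own code: the names mirror the advisory's, but pools, brigades and the real php_handler() logic are replaced by a few globals, and the Apache 2.2 / 2.4 difference is simulated by whether the pool cleanup runs between the two pipelined requests.

```c
#include <stddef.h>

/* Toy model, added for this page (not PHP's or Apache's code), of the
 * lifecycle the advisory describes: SG(server_context) as a global, the
 * pool cleanup that clears it, and the handler's "new request or
 * subrequest?" decision. Pools, brigades and bailouts are left out. */

struct php_ctx { int configured; };   /* models php_struct */
static struct php_ctx ctx_storage;    /* models the pool-allocated ctx */
static void *server_context;          /* models SG(server_context) */

/* Models php_server_context_cleanup(): registered on the request pool,
 * it clears SG(server_context) so the next request starts fresh. */
static void php_server_context_cleanup(void *data) {
    *(void **)data = NULL;
}

/* One request. Returns 1 if the script ran in a deconfigured
 * interpreter (php_apache_request_ctor did not run for it), else 0. */
static int handle_request(int patched) {
    struct php_ctx *ctx = server_context;
    int parent_req = 0;               /* models parent_req != NULL */
    if (ctx == NULL) {                /* normal path: fresh request */
        ctx = server_context = &ctx_storage;
        ctx->configured = 1;          /* php_apache_request_ctor */
    } else {
        parent_req = 1;               /* taken as a subrequest: no ctor */
    }
    int ran_deconfigured = !ctx->configured;   /* php_execute_script */
    if (!parent_req) {
        ctx->configured = 0;          /* php_apache_request_dtor */
        if (patched)                  /* the commit's apr_pool_cleanup_run() */
            php_server_context_cleanup(&server_context);
    }
    return ran_deconfigured;
}

/* Two pipelined requests on one connection. apache24 = 1 means no pool
 * cleanup runs between them (the behaviour the advisory blames).
 * Returns 1 if the second request ran in a deconfigured interpreter. */
int pipelined_pair(int apache24, int patched) {
    server_context = NULL;
    ctx_storage.configured = 0;
    handle_request(patched);
    if (!apache24)                    /* Apache 2.2: cleanup after each request */
        php_server_context_cleanup(&server_context);
    return handle_request(patched);
}
```

Only the unpatched Apache 2.4 combination reports the second request running deconfigured; the 2.2 model and the patched 2.4 model both clear the context before it.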

