Re: SecurityReason: PHP 5.2.6 SAPI php_getuid() overload

To: Maksymilian Arciemowicz <cxib@xxxxxxxxxxxxxxxxxx>
Subject: Re: SecurityReason: PHP 5.2.6 SAPI php_getuid() overload
From: Eygene Ryabinkin <rea-sec@xxxxxxxxxxx>
Date: Mon, 8 Dec 2008 16:47:36 +0300
Cc: bugtraq@xxxxxxxxxxxxxxxxx
Domainkey-signature: a=rsa-sha1; q=dns; c=simple; s=one; d=codelabs.ru; h=Received:Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:Content-Type:Content-Disposition:In-Reply-To:Sender; b=Vk6gDbmapi1JrJ5sykfUISj6ghB+heDdJ1NhPyIkuP/oudZ9ruiihfekXmdX1pSYDqMBLTNQFUDFOEc7TA+F25NcOSWdqrjNdPZ7su+thcK09g0S6t9qoLhfBNy79cri9ZV/cXGZRYQlquA5QTfGpJfzE2CWznEL47ioM9bnJHI=;
In-reply-to: <493D1DBC.4060400@xxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <200812061940.mB6JemE5002856@xxxxxxxxxxxxxxxxxxxxxx> <sqp89FAGtFIVr1Bhz/kFH6+7Yu4@DnrfhFPe1KmBT9SMnrHVxzpiU9A> <493D1DBC.4060400@xxxxxxxxxxxxxxxxxx>
Sender: rea-sec@xxxxxxxxxxx

Maksymilian,

Mon, Dec 08, 2008 at 02:14:36PM +0100, Maksymilian Arciemowicz wrote:
> > Sat, Dec 06, 2008 at 12:40:48PM -0700, cxib@xxxxxxxxxxxxxxxxxx wrote:
> >> [ SecurityReason.com : PHP 5.2.6 SAPI php_getuid() overload ]
> > [...]
> >> Using PHP 5.2.6, as a Apache module can bypass many security points.
> > 
> > Am I right that this vulnerability exists only in the Apache 1.x flavour
> > of the PHP module?  The code in question that sets SG(server_context)
> > too late and initializes BG variable after the .htaccess processing
> > exists only in sapi/apache/mod_php5.c.  For Apache 2.x module the
> > handler is 'php_handler', it lives in apache2{filter,handler}/sapi_apache2.c
> > and BG/SG(server_context) are initialized before .htaccess processing.
> 
> yes
> 
> BG(page_uid)=BG(page_gid)=0
> 
> should be -1
> 
> so
> 
> php_getuid() will return 0.
> 
> tested on apache 13 20 22

Yes, sorry: I missed the 'AllowOverride All' for my 2.2 testbed.

Once again, sorry for the confusion: the issue is here for 2.x too.
-- 
Eygene

References:
- SecurityReason: PHP 5.2.6 SAPI php_getuid() overload
  - From: cxib
- Re: SecurityReason: PHP 5.2.6 SAPI php_getuid() overload
  - From: Eygene Ryabinkin
- Re: SecurityReason: PHP 5.2.6 SAPI php_getuid() overload
  - From: Maksymilian Arciemowicz

Prev by Date: Re: SecurityReason: PHP 5.2.6 SAPI php_getuid() overload
Next by Date: [SVRT-07-08] Vulnerability in Face Recognition Authentication Mechanism of Lenovo-Asus-Toshiba Laptops
Previous by thread: Re: SecurityReason: PHP 5.2.6 SAPI php_getuid() overload
Next by thread: [SECURITY] [DSA 1682-1] New squirrelmail packages fix cross site scripting
Index(es):
- Date
- Thread