Bug 172209

Summary: CVE-2005-3389 PHP parse_str can enable register_globals
Product: Red Hat Enterprise Linux 4
Reporter: Josh Bressers <bressers>
Component: php
Assignee: Joe Orton <jorton>
Status: CLOSED ERRATA
QA Contact: David Lawrence <dkl>
Severity: low
Docs Contact:
Priority: medium
Version: 4.0
CC: rspaulding
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=low,public=20051031,source=fulldisclosure
Fixed In Version: RHSA-2005-838
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-11-10 19:17:00 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Josh Bressers 2005-11-01 16:08:05 UTC
The parse_str function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when called
with only one parameter, allows remote attackers to disable the
register_globals directive via inputs that cause a request to be terminated
due to the memory_limit setting, which causes PHP to set an internal flag that
enables register_globals and allows attackers to exploit vulnerabilities in
PHP applications that would otherwise be protected.

http://www.hardened-php.net/advisory_192005.78.html

This issue also affects RHEL2.1 and RHEL3.

Comment 1 Red Hat Bugzilla 2005-11-10 19:07:02 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-831.html


Comment 2 Red Hat Bugzilla 2005-11-10 19:17:00 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-838.html


Comment 3 Taichi Yanagiya 2005-11-28 09:05:23 UTC
With php-4.1.2-2.3 (RHEL2.1), the following sample script ends with a segfault
when register_globals = On.

  http://jp.php.net/manual/en/print/function.parse-str.php
  Example 1. Using parse_str()
  --------
  <?php
  $str = "first=value&arr[]=foo+bar&arr[]=baz";
  parse_str($str);
  echo $first;  // value
  echo $arr[0]; // foo bar
  echo $arr[1]; // baz

  parse_str($str, $output);
  echo $output['first'];  // value
  echo $output['arr'][0]; // foo bar
  echo $output['arr'][1]; // baz

  ?>
  --------

I think that php-4.1.2-CVE-2005-3389.patch should be corrected as follows.

--- php-4.1.2/ext/standard/string.c.orig	2005-11-28 17:04:54.000000000 +0900
+++ php-4.1.2/ext/standard/string.c	2005-11-28 17:08:52.000000000 +0900
@@ -3108,8 +3108,10 @@
 
 	old_rg = PG(register_globals);
 	if(argCount == 1) {
-		PG(register_globals) = 1;
-		php_treat_data(PARSE_STRING, res, NULL TSRMLS_CC);
+		zval tmp;
+		PG(register_globals) = 0;
+		Z_ARRVAL(tmp) = EG(active_symbol_table);
+		php_treat_data(PARSE_STRING, res, &tmp TSRMLS_CC);
 	} else 	{
 		PG(register_globals) = 0;
 		/* Clear out the array that was passed in. */
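Review bot: `tmp` is a stack zval of which only the array member is set (`Z_ARRVAL(tmp) = EG(active_symbol_table);`), so its type and refcount fields are left uninitialised when it is handed to `php_treat_data(PARSE_STRING, res, &tmp TSRMLS_CC);`; any downstream code that inspects the zval's type or tries to destroy it would read garbage. Either initialise it fully before use (for example `INIT_PZVAL(&tmp); Z_TYPE(tmp) = IS_ARRAY;`) or add a comment stating that the callee only ever dereferences the array pointer. A short comment on the intent would also help: `PG(register_globals)` is now forced to 0 in both branches and the active symbol table is passed as the target array, so the one-argument form registers into the symbol table through the same path as the two-argument form instead of by flipping the global flag.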

Thank you.


Comment 4 Taichi Yanagiya 2005-11-29 02:40:24 UTC
Since the part that changes the "register_globals" variable is deleted
by the original php-4.1.2-CVE-2005-3389.patch,
both "if(PG(register_globals))" and "if(track_vars_array)" become effective
in main/php_variables.c::php_register_variable_ex().

I think it is necessary to set up "register_globals" appropriately or
to change php_register_variable_ex().