Bug 548532 (CVE-2009-4143)
Summary: | CVE-2009-4143 php: $_SESSION usort() interruption corruption | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED DUPLICATE | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | jorton, qe-baseos-apps |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4143 | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2009-12-23 15:15:00 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Vincent Danen
2009-12-17 17:59:51 UTC
This issue is documented here, beginning at page 50:
http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.pdf

Relevant upstream commit should be this:
http://svn.php.net/viewvc?view=revision&revision=291681
+ NEWS file updates in 291703 and 291804.

More on using interruption flaws to compromise the PHP interpreter from the script:
http://www.suspekt.org/2009/08/12/state-of-the-art-post-exploitation-in-hardened-php-environments/

This flaw can be used by a PHP script author to bypass restrictions such as safe_mode or open_basedir. Red Hat does not treat such issues as security flaws:
https://bugzilla.redhat.com/show_bug.cgi?id=169857#c1

Additionally, the fix in 5.2.12 adds protection for $_SESSION. In older PHP versions, usort() interruptions can be used to corrupt any array.

*** This bug has been marked as a duplicate of bug 169857 ***