Bug 172209 - CVE-2005-3389 PHP parse_str can enable register_globals
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: php
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: low
Assigned To: Joe Orton
David Lawrence
impact=low,public=20051031,source=ful...
: Security
Depends On:
Blocks:
Reported: 2005-11-01 11:08 EST by Josh Bressers
Modified: 2007-11-30 17:07 EST (History)

See Also:
Fixed In Version: RHSA-2005-838
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-11-10 14:17:00 EST
Attachments: None
Description Josh Bressers 2005-11-01 11:08:05 EST
The parse_str function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when called
with only one parameter, allows remote attackers to disable the
register_globals directive via inputs that cause a request to be terminated
due to the memory_limit setting, which causes PHP to set an internal flag that
enables register_globals and allows attackers to exploit vulnerabilities in
PHP applications that would otherwise be protected.

http://www.hardened-php.net/advisory_192005.78.html

This issue also affects RHEL2.1 and RHEL3.
Comment 1 Red Hat Bugzilla 2005-11-10 14:07:02 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-831.html
Comment 2 Red Hat Bugzilla 2005-11-10 14:17:00 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-838.html
Comment 3 Taichi Yanagiya 2005-11-28 04:05:23 EST
For php-4.1.2-2.3 (RHEL2.1), the following sample script ends with a segfault
when register_globals = On.

  http://jp.php.net/manual/en/print/function.parse-str.php
  Example 1. Using parse_str()
  --------
  <?php
  $str = "first=value&arr[]=foo+bar&arr[]=baz";
  parse_str($str);
  echo $first;  // value
  echo $arr[0]; // foo bar
  echo $arr[1]; // baz

  parse_str($str, $output);
  echo $output['first'];  // value
  echo $output['arr'][0]; // foo bar
  echo $output['arr'][1]; // baz

  ?>
  --------

I think that php-4.1.2-CVE-2005-3389.patch should be corrected as follows.

--- php-4.1.2/ext/standard/string.c.orig	2005-11-28 17:04:54.000000000 +0900
+++ php-4.1.2/ext/standard/string.c	2005-11-28 17:08:52.000000000 +0900
@@ -3108,8 +3108,10 @@
 
 	old_rg = PG(register_globals);
 	if(argCount == 1) {
-		PG(register_globals) = 1;
-		php_treat_data(PARSE_STRING, res, NULL TSRMLS_CC);
+		zval tmp;
+		PG(register_globals) = 0;
+		Z_ARRVAL(tmp) = EG(active_symbol_table);
+		php_treat_data(PARSE_STRING, res, &tmp TSRMLS_CC);
 	} else 	{
 		PG(register_globals) = 0;
 		/* Clear out the array that was passed in. */
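Review bot: the `+` lines declare `zval tmp` on the stack and set only Z_ARRVAL(tmp); the zval's type and refcount fields stay uninitialized, so any check of Z_TYPE(&tmp) or any destructor run on it inside php_treat_data() or php_register_variable_ex() reads garbage. Initialize it first (for example with INIT_ZVAL(tmp) and Z_TYPE(tmp) = IS_ARRAY) before assigning Z_ARRVAL(tmp) = EG(active_symbol_table), and confirm the callee never frees the array it is handed, since that array is the live symbol table. Note also that this branch now forces PG(register_globals) = 0 before the call, so registration into the symbol table depends entirely on the callee honouring the passed array rather than the global flag (Comment 4 below raises exactly this for php_register_variable_ex()); the old_rg saved at the top is restored outside this hunk, which is fine only because the new branch no longer sets the flag that a memory_limit bailout would leave behind.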

Thank you.
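An added example, written for this page and not taken from PHP's sources, from the advisory, or from the patch above: a small C model of the flag save-and-restore pattern that the pre-fix lines of the hunk show (old_rg saved, PG(register_globals) forced to 1, restored after the call), and of why a request aborted inside that call leaves the flag set for the next request served by the same process. Every identifier in it (rg_flag, memory_limit_hit, treat_data, parse_str_old, parse_str_fixed, run_request, global_table) is a hypothetical stand-in, and the memory_limit abort is modelled with setjmp/longjmp; it shows the shape of the bug and of the fix, not the engine's real code.

```c
/* Added example, not code from PHP or from this bug report: a minimal model of
 * the flag save/restore pattern described in the report.  All names here
 * (rg_flag, memory_limit_hit, treat_data, parse_str_old, parse_str_fixed,
 * run_request, global_table) are hypothetical stand-ins for
 * PG(register_globals), the memory_limit bailout, php_treat_data(),
 * parse_str() and the active symbol table.                                   */
#include <setjmp.h>
#include <stdio.h>
#include <string.h>

static int rg_flag = 0;            /* models PG(register_globals), per process */
static jmp_buf bailout;            /* models the engine's memory_limit bailout */
static int memory_limit_hit = 0;   /* set by run_request() to simulate an abort */

/* Where parsed variables land; stands in for the active symbol table. */
static char global_table[64];

/* Models php_treat_data(): writes into dest if one is given, otherwise into
 * the global table only when rg_flag is on.  If the (simulated) memory limit
 * is hit, the request is terminated and this function never returns.        */
static void treat_data(const char *data, char *dest)
{
    if (memory_limit_hit)
        longjmp(bailout, 1);       /* request terminated here               */
    if (dest)
        strncpy(dest, data, 63);
    else if (rg_flag)
        strncpy(global_table, data, 63);
}

/* Pre-fix pattern, as in the '-' lines of the hunk: flip the process-wide
 * flag, do the work, restore it.  A bailout inside treat_data() skips the
 * restore, so rg_flag stays 1 for every later request in this process.     */
static void parse_str_old(const char *data)
{
    int old_rg = rg_flag;
    rg_flag = 1;
    treat_data(data, NULL);
    rg_flag = old_rg;              /* never reached on bailout               */
}

/* Fixed pattern, the approach of the '+' lines: leave the global flag alone
 * and hand treat_data() the destination table explicitly.                  */
static void parse_str_fixed(const char *data)
{
    treat_data(data, global_table);
}

/* Runs one simulated request with rg_flag starting at 0 and returns the
 * value of rg_flag left behind, i.e. what the next request would inherit.
 * abort_request != 0 makes treat_data() hit the simulated memory limit.    */
static int run_request(void (*impl)(const char *), int abort_request)
{
    rg_flag = 0;
    memory_limit_hit = abort_request;
    if (setjmp(bailout) == 0)
        impl("first=value&arr[]=foo");   /* constructed sample input          */
    memory_limit_hit = 0;
    return rg_flag;
}

int main(void)
{
    printf("old, normal run:   rg_flag=%d\n", run_request(parse_str_old, 0));
    printf("old, aborted run:  rg_flag=%d\n", run_request(parse_str_old, 1));
    printf("fixed, aborted run: rg_flag=%d\n", run_request(parse_str_fixed, 1));
    printf("fixed, normal run: table=\"%s\"\n",
           (run_request(parse_str_fixed, 0), global_table));
    return 0;
}
```

Compile with any C compiler and run: the aborted request under the old pattern leaves rg_flag set, while the fixed pattern never touches the flag and still delivers the parsed data to the table it was told to use, which is the shape of the repair proposed in Comment 3.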
Comment 4 Taichi Yanagiya 2005-11-28 21:40:24 EST
Since the change to the "register_globals" variable is deleted
by the original php-4.1.2-CVE-2005-3389.patch,
both "if(PG(register_globals))" and "if(track_vars_array)" become effective
in main/php_variables.c::php_register_variable_ex().

I think it is necessary to set up "register_globals" appropriately or
to change php_register_variable_ex().
