Bug 172209 - CVE-2005-3389 PHP parse_str can enable register_globals
Summary: CVE-2005-3389 PHP parse_str can enable register_globals
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: php
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: low
Target Milestone: ---
Assignee: Joe Orton
QA Contact: David Lawrence
URL:
Whiteboard: impact=low,public=20051031,source=ful...
Depends On:
Blocks:
 
Reported: 2005-11-01 16:08 UTC by Josh Bressers
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHSA-2005-838
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-11-10 19:17:00 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2005:831 0 normal SHIPPED_LIVE Moderate: php security update 2005-11-10 05:00:00 UTC
Red Hat Product Errata RHSA-2005:838 0 normal SHIPPED_LIVE Moderate: php security update 2005-11-10 05:00:00 UTC

Description Josh Bressers 2005-11-01 16:08:05 UTC
The parse_str function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when called
with only one parameter, allows remote attackers to disable the
register_globals directive via inputs that cause a request to be terminated
due to the memory_limit setting, which causes PHP to set an internal flag that
enables register_globals and allows attackers to exploit vulnerabilities in
PHP applications that would otherwise be protected.

http://www.hardened-php.net/advisory_192005.78.html

This issue also affects RHEL2.1 and RHEL3
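The mechanism in the description, modelled in C as an added example (this is not PHP source and not Red Hat's patch). It assumes, as the advisory text states, that one-argument parse_str() raises PG(register_globals) and restores it afterwards, that a memory_limit abort is a longjmp-style bailout that skips the restore, and that the ini flag survives across requests in a persistent SAPI. The names (pg_register_globals, treat_data, register_variable, run_request), the byte-counting memory limit and the query strings are constructed for the model.

```c
/* Added example: C model of the CVE-2005-3389 register_globals state leak.
 * Not PHP source; names and the byte-counting memory_limit are assumptions. */
#include <setjmp.h>
#include <stddef.h>
#include <string.h>

enum { MAX_SYMS = 8, NAME_LEN = 32 };

static int pg_register_globals;          /* PG(register_globals): persists across requests */
static jmp_buf bailout_jmp;              /* models EG(bailout) */
static const size_t memory_limit = 32;   /* constructed small so a short query overflows it */
static size_t memory_used;               /* per-request allocation counter */

typedef struct { char name[MAX_SYMS][NAME_LEN]; int count; } symtable;
static symtable active_symbol_table;     /* EG(active_symbol_table): the request's globals */
static symtable get_array;               /* the HTTP_GET_VARS / $_GET array */

static void bailout(void) { longjmp(bailout_jmp, 1); }   /* zend_bailout() */

static void sym_add(symtable *t, const char *name) {
    if (t->count < MAX_SYMS) {
        strncpy(t->name[t->count], name, NAME_LEN - 1);
        t->name[t->count][NAME_LEN - 1] = '\0';
        t->count++;
    }
}

int sym_has(const symtable *t, const char *name) {
    for (int i = 0; i < t->count; i++)
        if (strcmp(t->name[i], name) == 0) return 1;
    return 0;
}

/* php_register_variable_ex(): the `if (track_vars_array)` and
 * `if (PG(register_globals))` branches mentioned in Comment 4. */
static void register_variable(const char *name, symtable *track_vars_array) {
    if (track_vars_array) sym_add(track_vars_array, name);
    if (pg_register_globals) sym_add(&active_symbol_table, name);
}

/* php_treat_data(PARSE_STRING, ...): each pair "allocates"; over the limit, bail out. */
static void treat_data(const char *query, symtable *track_vars_array) {
    char buf[256];
    strncpy(buf, query, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *pair = strtok(buf, "&"); pair; pair = strtok(NULL, "&")) {
        memory_used += strlen(pair) + 1;
        if (memory_used > memory_limit) bailout();   /* "Allowed memory size exhausted" */
        char *eq = strchr(pair, '=');
        if (eq) *eq = '\0';
        register_variable(pair, track_vars_array);
    }
}

/* Vulnerable one-argument parse_str(): the restore of old_rg is skipped on bailout. */
void parse_str_vulnerable(const char *str) {
    int old_rg = pg_register_globals;
    pg_register_globals = 1;
    treat_data(str, NULL);
    pg_register_globals = old_rg;        /* never reached if treat_data() bailed out */
}

/* The approach proposed in Comment 3: never raise the flag; pass the active
 * symbol table as the target array instead, so a bailout cannot leak "on". */
void parse_str_fixed(const char *str) {
    int old_rg = pg_register_globals;
    pg_register_globals = 0;
    treat_data(str, &active_symbol_table);
    pg_register_globals = old_rg;
}

/* Request startup: the query string goes into $_GET and, only if
 * register_globals is on, into the globals as well. */
void request_startup(const char *query) { treat_data(query, &get_array); }

/* One request in a persistent SAPI: per-request state is reset, the ini flag is not. */
int run_request(void (*handler)(const char *), const char *query) {
    memory_used = 0;
    active_symbol_table.count = 0;
    get_array.count = 0;
    if (setjmp(bailout_jmp) != 0) return 1;   /* request aborted by memory_limit */
    handler(query);
    return 0;
}

int register_globals_flag(void) { return pg_register_globals; }

/* Request 1 calls parse_str() on input sized to trip memory_limit and aborts;
 * request 2 is a script that never calls parse_str() and relies on
 * register_globals being Off. Returns 1 if "admin" from request 2's query
 * became a global, -1 if the constructed input failed to trip the limit. */
int admin_leaks_into_globals(void (*parse_str_impl)(const char *)) {
    pg_register_globals = 0;                  /* php.ini: register_globals = Off */
    int aborted = run_request(parse_str_impl,
                              "first=value&filler=xxxxxxxxxxxxxxxxxxxxxxxx");
    if (!aborted) return -1;
    run_request(request_startup, "admin=1");
    return sym_has(&active_symbol_table, "admin");
}
```

With the vulnerable parse_str the second, unrelated request sees `admin` as a global even though php.ini says Off; with the Comment 3 shape of the fix the flag is never raised, so there is nothing to leak. The practical check on a real deployment is the same: after an "Allowed memory size exhausted" error in a script that calls parse_str() with one argument, inspect ini_get('register_globals') from a later request on the same worker process.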

Comment 1 Red Hat Bugzilla 2005-11-10 19:07:02 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-831.html


Comment 2 Red Hat Bugzilla 2005-11-10 19:17:00 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-838.html


Comment 3 Taichi Yanagiya 2005-11-28 09:05:23 UTC
With php-4.1.2-2.3 (RHEL2.1), the following sample script ends in a segfault
when register_globals = On.

  http://jp.php.net/manual/en/print/function.parse-str.php
  Example 1. Using parse_str()
  --------
  <?php
  $str = "first=value&arr[]=foo+bar&arr[]=baz";
  parse_str($str);
  echo $first;  // value
  echo $arr[0]; // foo bar
  echo $arr[1]; // baz

  parse_str($str, $output);
  echo $output['first'];  // value
  echo $output['arr'][0]; // foo bar
  echo $output['arr'][1]; // baz

  ?>
  --------

I think that php-4.1.2-CVE-2005-3389.patch should be corrected as follows.

--- php-4.1.2/ext/standard/string.c.orig	2005-11-28 17:04:54.000000000 +0900
+++ php-4.1.2/ext/standard/string.c	2005-11-28 17:08:52.000000000 +0900
@@ -3108,8 +3108,10 @@
 
 	old_rg = PG(register_globals);
 	if(argCount == 1) {
-		PG(register_globals) = 1;
-		php_treat_data(PARSE_STRING, res, NULL TSRMLS_CC);
+		zval tmp;
+		PG(register_globals) = 0;
+		Z_ARRVAL(tmp) = EG(active_symbol_table);
+		php_treat_data(PARSE_STRING, res, &tmp TSRMLS_CC);
 	} else 	{
 		PG(register_globals) = 0;
 		/* Clear out the array that was passed in. */
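Review bot: `tmp` is only partially initialised in the new `argCount == 1` branch; only `Z_ARRVAL(tmp)` is assigned, so its type and refcount fields hold whatever was on the stack. That is safe only as long as php_treat_data() and php_register_variable_ex() touch nothing but Z_ARRVAL_P() of the track-vars array; if any 4.1.2 code path on that route checks Z_TYPE, set the type explicitly first (e.g. `Z_TYPE(tmp) = IS_ARRAY;` before `Z_ARRVAL(tmp) = EG(active_symbol_table);`). A one-line comment above the branch saying why PG(register_globals) is forced to 0 rather than 1 would also help the next reader: with the active symbol table passed as the target array the one-argument path no longer depends on the flag, so a memory_limit bailout inside php_treat_data() can no longer leave it stuck at 1, and the restore to old_rg after the if/else (outside this hunk) is still needed so a normal call on a register_globals = On site does not leave the flag off.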

Thank you.


Comment 4 Taichi Yanagiya 2005-11-29 02:40:24 UTC
Because the part that changes the "register_globals" variable is deleted
by the original php-4.1.2-CVE-2005-3389.patch,
both "if(PG(register_globals))" and "if(track_vars_array)" become effective
in main/php_variables.c::php_register_variable_ex().

I think it is necessary to set "register_globals" appropriately or
to change php_register_variable_ex().


