An information disclosure flaw was found in the PHP mb_strcut() function. mb_strcut() returns garbage when the following conditions are met:

1. The value specified to the length parameter exceeds the length of the subject string.
2. mbstring.internal_encoding is set to some single-byte encoding.

The garbage may consist of an uncleared part of the heap that has previously been used for some purpose, which could lead to unexpected information exposure. This only affects PHP 5.3 and above.

This bug was originally reported to PHP upstream by Mateusz Kocielski.

Common Vulnerabilities and Exposures assigned the identifier CVE-2010-4156 to the above vulnerability.

Upstream bugs:
http://bugs.php.net/bug.php?id=53273
http://bugs.php.net/bug.php?id=49354

Upstream patch:
http://svn.php.net/viewvc/?view=revision&revision=305214

References:
http://www.mandriva.com/en/security/advisories?name=MDVSA-2010:225
http://www.securityfocus.com/bid/44727
http://secunia.com/advisories/42135
Public PoC:

Test script:
---------------
<?php
$b = "bbbbbbbbbbb";
// Return value discarded on purpose: the string is left behind in freed heap memory.
str_repeat("THIS IS A SECRET MESSAGE, ISN'T IT?", 1);
// Length (1000) far exceeds strlen($b) (11), the triggering condition.
$var3 = mb_strcut($b, 0, 1000);
echo $var3;
?>

Expected result:
----------------
bbbbbbbbbbb

Actual result:
--------------
bbbbbbbbbbb??????D$Ј=m???=m?(?=m?`?=m??5<m??=m?THIS IS A SECRET MESSAGE, ISN'T IT??g?1@?=m?(?=m???=m?p?=m?var3
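As an added example (not part of this bug report, of the upstream test script, or of PHP itself), a wrapper that bounds the length argument before it reaches mb_strcut(), so the triggering condition above can never occur, plus a self-check an administrator can run to confirm that the installed PHP no longer over-reads; the names bounded_mb_strcut and mb_strcut_overread_fixed are my own.

```php
<?php
// Added example: mitigation wrapper and self-check for CVE-2010-4156.
// Not code from the bug report or from PHP; function names are hypothetical.

/**
 * mb_strcut() with the length argument clamped to the subject's byte length.
 * mb_strcut() cuts on bytes, so strlen() is the correct bound regardless of
 * the encoding in use. The over-read requires length > strlen($str); after
 * clamping that condition is impossible.
 */
function bounded_mb_strcut($str, $start, $length = null, $encoding = null)
{
    $size = strlen($str);
    if ($length === null || $length > $size) {
        $length = $size;          // never request more bytes than the subject holds
    }
    if ($encoding === null) {
        // mb_strcut() falls back to the internal encoding when none is given;
        // pass it explicitly rather than handing null to the C function.
        $encoding = mb_internal_encoding();
    }
    return mb_strcut($str, $start, $length, $encoding);
}

/**
 * Self-check: under a single-byte encoding, cutting far more bytes than the
 * subject contains must return exactly the subject and nothing else.
 * Returns true when the running PHP behaves correctly, false on an affected
 * build (extra bytes from the heap were appended).
 */
function mb_strcut_overread_fixed()
{
    $subject = str_repeat('b', 11);   // constructed input, same shape as the upstream PoC
    $result  = mb_strcut($subject, 0, 1000, 'ISO-8859-1');
    return is_string($result) && $result === $subject;
}

// Usage: the wrapper is safe on every build; the self-check reports the build's state.
$cut = bounded_mb_strcut(str_repeat('b', 11), 0, 1000, 'ISO-8859-1');
var_dump(strlen($cut) === 11);
var_dump(mb_strcut_overread_fixed());
```

The wrapper only removes the oversized-length trigger; upgrading to a PHP build carrying upstream revision 305214 is still the actual fix.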
Created php tracking bugs for this issue

Affects: fedora-all [bug 649186]
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4156 to the following vulnerability:

Name: CVE-2010-4156
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4156
Assigned: 20101104
Reference: MLIST:[oss-security] 20101107 CVE Request: PHP 5.3.3, libmbfl, mb_strcut
Reference: URL: http://www.openwall.com/lists/oss-security/2010/11/07/2
Reference: MLIST:[oss-security] 20101108 Re: CVE Request: PHP 5.3.3, libmbfl, mb_strcut
Reference: URL: http://www.openwall.com/lists/oss-security/2010/11/08/13
Reference: MISC: http://pastie.org/1279428
Reference: MISC: http://pastie.org/1279682
Reference: BID:44727
Reference: URL: http://www.securityfocus.com/bid/44727
Reference: SECUNIA:42135
Reference: URL: http://secunia.com/advisories/42135

The mb_strcut function in Libmbfl 1.1.0, as used in PHP 5.3.x through 5.3.3, allows context-dependent attackers to obtain potentially sensitive information via a large value of the third parameter (aka the length parameter).
It seems this issue got introduced in the update of the bundled libmbfl that happened between 5.3.2 and 5.3.3:
http://svn.php.net/viewvc?view=revision&revision=296101
This issue has been addressed in the following products:

Red Hat Enterprise Linux 5

Via RHSA-2011:0196 https://rhn.redhat.com/errata/RHSA-2011-0196.html
Statement: This issue did not affect the version of php packages as shipped with Red Hat Enterprise Linux 4, 5 or 6. It did affect the PHP 5.3 (php53) package on Red Hat Enterprise Linux 5.