Bug 548532 (CVE-2009-4143) - CVE-2009-4143 php: $_SESSION usort() interruption corruption
Summary: CVE-2009-4143 php: $_SESSION usort() interruption corruption
Keywords:
Status: CLOSED DUPLICATE of bug 169857
Alias: CVE-2009-4143
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://web.nvd.nist.gov/view/vuln/det...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-12-17 17:59 UTC by Vincent Danen
Modified: 2021-11-12 20:02 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-12-23 15:15:00 UTC


Attachments (Terms of Use)

Description Vincent Danen 2009-12-17 17:59:51 UTC
PHP 5.2.12 was released with the following reference:

Added protection for $_SESSION from interrupt corruption and improved "session.save_path" check, identified by Stefan Esser. (CVE-2009-4143, Stas)

There is no referring bug report and I cannot currently find any further information on this issue.

Comment 1 Vincent Danen 2009-12-17 21:19:10 UTC
This issue is documented here, beginning at page 50:

http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.pdf

Comment 2 Tomas Hoger 2009-12-22 14:25:39 UTC
Relevant upstream commit should be this:
  http://svn.php.net/viewvc?view=revision&revision=291681

+ NEWS file updates in 291703 and 291804.

Comment 3 Tomas Hoger 2009-12-23 15:03:00 UTC
More on using interruption flaws to compromise PHP interpreter from the script:

http://www.suspekt.org/2009/08/12/state-of-the-art-post-exploitation-in-hardened-php-environments/

Comment 4 Tomas Hoger 2009-12-23 15:15:00 UTC
This flaw can be used by PHP script author to bypass restrictions such as safe_mode or open_basedir.  Red Hat does not treat such issue as security flaws:

  https://bugzilla.redhat.com/show_bug.cgi?id=169857#c1

Additionally, fix in 5.2.12 adds protection for $_SESSION.  In older PHP versions, usort() interruptions can be used to corrupt any array.

*** This bug has been marked as a duplicate of bug 169857 ***


Note You need to log in before you can comment on or make changes to this bug.