PHP multipart/form-data remote DOS vulnerability-vulnerability warning-the black bar safety net

2015-05-16T00:00:00
ID MYHACK58:62201562479
Type myhack58
Reporter LiuShusheng_0_
Modified 2015-05-16T00:00:00

Description

PHP parse multipart/form-datahttp request the body part of the request header, the duplicate copy of the string resulting in DOS. A remote attacker by sending a maliciously constructed multipart/form-data requests, causing the server CPU resource is exhausted, so a remote DOS Server. Affect range: PHP all versions 0x01 vulnerability inlet PHP source code, in main/ rfc1867. c is responsible for parsing multipart/form-data Protocol DOS vulnerability appears in the main/rfc46675pxultipart_buffer_headers function. In a detailed analysis of the vulnerability function, the first analysis into the vulnerability function of the path. PHP parse multipart/form-data http request body of the entry function in SAPI_POST_HANDLER_FUNC(rfc1867. c in the function), The code is as follows. / Get the boundary / boundary= strstr(content_type_dup, "boundary"); if(! boundary) { intcontent_type_len = strlen(content_type_dup); char*content_type_lcase = estrndup(content_type_dup, content_type_len);

php_strtolower(content_type_lcase,content_type_len); boundary= strstr(content_type_lcase, "boundary"); if(boundary) { boundary= content_type_dup + (boundary - content_type_lcase); } efree(content_type_lcase); } if(! boundary || ! (boundary = strchr(boundary, '='))) { sapi_module. sapi_error(E_WARNING,"Missing boundary in multipart/form-data POST data"); return; } boundary++; boundary_len= strlen(boundary); ... ... while(! multipart_buffer_eof(mbuff TSRMLS_CC)) { charbuff[FILLUNIT]; charcd = NULL, param = NULL, filename = NULL, tmp = NULL; size_tblen = 0, wlen = 0; off_toffset;

zend_llist_clean(&header);

if(! multipart_buffer_headers(mbuff, &header TSRMLS_CC)) { gotofileupload_done; } SAPI_POST_HANDLER_FUNC function first parses the request boundary, the 0x02 vulnerability function multipart_buffer_headers execution logic Into the vulnerability Function, This paragraph first the analysis of vulnerability is a function of the execution logic, the next period according to the function execution logic a detailed analysis of the vulnerability principle. multipart_buffer_headers function source code is as follows: / parse headers / static intmultipart_buffer_headers(multipart_buffer self, zend_llist header TSRMLS_DC) { char*line; mime_header_entryprev_entry = {0}, entry; intprev_len, cur_len;

/didn't find boundary, abort / if(! find_boundary(self, self->boundary TSRMLS_CC)) { return0; }

/get lines of text, or CRLF_CRLF /

while((line = get_line(self TSRMLS_CC)) && line[0] != '\0' ) { /add header to table / charkey = line; charvalue = NULL;

if(php_rfc1867_encoding_translation(TSRMLS_C)) { self->input_encoding= zend_multibyte_encoding_detector(line, strlen(line), self->detect_order,self->detect_order_size TSRMLS_CC);

[1] [2] [3] [4] next