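PHP is a widely used scripting language for web development.
PHP's sqlite_udf_decode_binary() contains a buffer overflow. A remote attacker can exploit this vulnerability to execute arbitrary code with the privileges of the application process.
The sqlite_udf_decode_binary() function does not handle malformed strings correctly. When the string passed to it contains only a single \x01 character, it calls sqlite_decode_binary() with an empty string as the argument. That API function does not support this: it requires the input string to have a length of at least 1: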
int sqlite_decode_binary(const unsigned char *in, unsigned char *out){
    int i, e;
    unsigned char c;
    e = *(in++);
    i = 0;
    while( (c = *(in++))!=0 ){
        if( c==1 ){
            c = *(in++) - 1;
        }
        out[i++] = c + e;
    }
    return i;
}
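When sqlite_decode_binary() is called with an empty string, it skips past the ASCIIZ terminator and keeps copying bytes into the destination buffer until it reaches the next ASCIIZ character. This is similar to a standard strcpy() overflow.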
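A bounds-checked form of the decoder, added here as an example and not taken from PHP or SQLite: it takes explicit lengths, rejects the empty string, and refuses to write past the destination. The names decode_binary_checked and udf_decode_checked are hypothetical, and the caller's handling of the \x01 marker is an assumption based on the description above.

```c
#include <stddef.h>
#include <stdio.h>

/* Bounded variant of the decoder quoted above. in_len is the number of
 * input bytes, out_cap the size of out. Returns the decoded length, or
 * -1 when the input is rejected. */
int decode_binary_checked(const unsigned char *in, size_t in_len,
                          unsigned char *out, size_t out_cap)
{
    size_t pos = 0, n = 0;
    unsigned char c, e;

    if (in == NULL || out == NULL || in_len < 1)
        return -1;                 /* empty input: no offset byte to read */
    e = in[pos++];
    while (pos < in_len && (c = in[pos++]) != 0) {
        if (c == 1) {
            if (pos >= in_len || in[pos] == 0)
                return -1;         /* escape byte with nothing after it */
            c = (unsigned char)(in[pos++] - 1);
        }
        if (n >= out_cap)
            return -1;             /* would write past the destination */
        out[n++] = (unsigned char)(c + e);
    }
    return (int)n;
}

/* Hypothetical caller (assumption): a leading \x01 marks an encoded value
 * and is stripped before decoding; anything else is rejected here. */
int udf_decode_checked(const unsigned char *s, size_t len,
                       unsigned char *out, size_t out_cap)
{
    if (s == NULL || len == 0 || s[0] != 0x01)
        return -1;
    return decode_binary_checked(s + 1, len - 1, out, out_cap);
}

int main(void)
{
    /* Constructed inputs: the lone marker byte, then a well-formed value. */
    const unsigned char lone[] = { 0x01 };
    const unsigned char good[] = { 0x01, 0x02, 'a', 'b' };
    unsigned char out[16];

    printf("lone marker -> %d\n", udf_decode_checked(lone, sizeof lone, out, sizeof out));
    printf("valid input -> %d\n", udf_decode_checked(good, sizeof good, out, sizeof out));
    return 0;
}
```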
PHP PHP 5.1.6
PHP PHP 5.1.5
PHP PHP 5.1.4
PHP PHP 5.1.3
PHP PHP 5.1.2
PHP PHP 5.1.1
PHP PHP 5.1
PHP PHP 5.0.5
PHP PHP 5.0.4
PHP PHP 5.0.3
Upgrade to the latest version:
PHP PHP 5.2
* PHP PHP 5.2.1
http://www.php.net/downloads.php#v5
PHP PHP 4.4.4
* PHP PHP 4.4.5
http://www.php.net/downloads.php#v4
<?php
$z = "UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU";
$y = "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD