Ubuntu
php5 package

php safe mod bypass

Bug #356646 reported by nubuser
256
Affects Status Importance Assigned to Milestone
php5 (Ubuntu)
Invalid
Undecided
Unassigned

Bug Description

Binary package hint: php5

PHP 5.2.6 (error_log) safe_mode bypass

http://www.milw0rm.com/exploits/7171

There is some kind of issue in PHP
we can run out memory even on SAFE_MODE
script simply allocate maximum of memory
and go to sleep for, let's say 9999999 seconds.
sleep() pass 'max_execution_time' setting.

http://www.milw0rm.com/exploits/5679

CVE References

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

The first issue is CVE-2008-5625. Updates are already out for that.

Changed in php5 (Ubuntu):
status: New → Confirmed
visibility: private → public
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

The second issue send this to the server:

$mLimit='512M';ini_set('memory_limit',$mLimit);if(!$mLimit = ini_get('memory_limit'))$mLimit = '2M';$mLimitInKb = substr($mLimit, 1)*1024*0.8;for($i=0;$i<$mLimitInKb;$i++)$m.=str_repeat('m',1024);sleep(99999999);

I don't see how this is a security issue. It is not a bug that max_execution_time doesn't count sleep.

Changed in php5 (Ubuntu):
status: Confirmed → Invalid
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.