PHP 5.6.7 apache2handler remote code execution vulnerability

没穿底裤  2020-01-01 04:59:59

Hello,

PHP 5.4.40, 5.5.24 and 5.6.8 fixed a potential remote code execution vulnerability when used with the Apache 2.4 apache2handler.

https://bugs.php.net/bug.php?id=69218

The issue is with Apache 2.4, the PHP apache2handler SAPI, and pipelined HTTP requests. Given a simple (just a single echo) PHP script http://example.com/foo the following results in segfaults, but not always:

echo -e "GET /foo HTTP/1.1\nHost: example.com\n\nGET /foo HTTP/1.1\nHost: example.com\n\n" | netcat localhost 80

This is because after the first request, the interpreter is deinitialized (sapi_apache2.c line 679 calls php_apache_request_dtor), BUT contrary to the situation under Apache 2.2, Apache 2.4 does NOT call the pool cleanup function (php_server_context_cleanup) before the second request is processed - resulting in SG(server_context) still being non-NULL, which then makes the second request be handled as a subrequest (parent_req != NULL), skipping the call to php_apache_request_ctor - thus running the request in a deconfigured interpreter.

https://bugs.php.net/bug.php?id=68486 (still private)

Fixed by:

http://git.php.net/?p=php-src.git;a=commit;h=809610f5ea38a83b284e1125d1fff129bdd615e7

+++ b/sapi/apache2handler/sapi_apache2.c

@@ -688,6 +688,7 @@ zend_first_try { } zend_end_try(); } apr_brigade_cleanup(brigade); + apr_pool_cleanup_run(r->pool, (void *)&SG(server_context), php_server_context_cleanup); } else { ctx->r = parent_req; } 
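Review bot: the added apr_pool_cleanup_run() is only reached on the normal completion path of the `!parent_req` branch, after `apr_brigade_cleanup(brigade);`; if anything inside the `zend_first_try { } zend_end_try();` just above bails out before this point, the handler can still return with SG(server_context) set and the next pipelined request on the connection will again take the `else { ctx->r = parent_req; }` subrequest path. Please confirm the bailout path also ends up here (or run the same cleanup there). Also note that apr_pool_cleanup_run() matches on both the data pointer and the function, so the `(void *)&SG(server_context)` argument must be exactly what was passed to apr_pool_cleanup_register() when the context was created, otherwise this call is a silent no-op and the bug remains.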

Marc.
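The dispatch decision the message describes ("is SG(server_context) still set when the next request on the connection arrives?"), as an added C model that is not PHP's sapi_apache2.c and not the reporter's code. Every model_* name is an assumption, the "pool" keeps a single cleanup slot, and the real handler's additional dispatch conditions are left out; the model keeps only the ctor/dtor/cleanup ordering the message relies on, and lets you flip the Apache 2.2 versus 2.4 pool-cleanup behaviour and the patch on and off:

```c
/* Added model of the lifecycle bug described above. NOT PHP's sapi_apache2.c:
 * all model_* names are assumptions, the pool has one cleanup slot, and the
 * real handler's extra dispatch conditions are omitted. */
#include <stddef.h>
#include <string.h>

typedef struct model_pool model_pool;

typedef struct model_request {
    const char *uri;
    model_pool *pool;            /* stand-in for r->pool */
} model_request;

typedef struct model_ctx {       /* stand-in for php_struct */
    model_request *r;
    int request_processed;
} model_ctx;

struct model_pool {              /* stand-in for an APR pool */
    void (*cleanup_fn)(void *);
    void *cleanup_data;
    model_ctx ctx_storage;       /* the ctx apr_pcalloc()ed from the pool */
};

static model_ctx *model_server_context = NULL;  /* stand-in for SG(server_context) */
static int model_interpreter_configured = 0;    /* 1 between request ctor and dtor */

/* stand-in for php_server_context_cleanup(): clears the pointer it was registered with */
static void model_server_context_cleanup(void *data)
{
    *(model_ctx **)data = NULL;
}

static void model_pool_cleanup_register(model_pool *p, void *data, void (*fn)(void *))
{
    p->cleanup_fn = fn;
    p->cleanup_data = data;
}

/* like apr_pool_cleanup_run(): run the cleanup matching (data, fn) and deregister it */
static void model_pool_cleanup_run(model_pool *p, void *data, void (*fn)(void *))
{
    if (p->cleanup_fn == fn && p->cleanup_data == data) {
        p->cleanup_fn = NULL;
        p->cleanup_data = NULL;
        fn(data);
    }
}

/* destroying a request pool runs whatever cleanup is still registered on it */
static void model_pool_destroy(model_pool *p)
{
    if (p->cleanup_fn)
        model_pool_cleanup_run(p, p->cleanup_data, p->cleanup_fn);
}

static void model_request_ctor(void) { model_interpreter_configured = 1; }
static void model_request_dtor(void) { model_interpreter_configured = 0; }

typedef enum {
    MODEL_RAN_CONFIGURED = 0,    /* script ran after a request ctor */
    MODEL_RAN_DECONFIGURED = 1   /* script ran in a torn-down interpreter */
} model_outcome;

/* One php_handler() call. apply_fix adds the apr_pool_cleanup_run() from the patch. */
static model_outcome model_php_handler(model_request *r, int apply_fix)
{
    model_ctx *ctx = model_server_context;
    model_request *parent_req = NULL;
    model_outcome out;

    if (ctx == NULL) {
        /* fresh request: allocate ctx from r->pool, register the cleanup, run the ctor */
        ctx = model_server_context = &r->pool->ctx_storage;
        memset(ctx, 0, sizeof *ctx);
        model_pool_cleanup_register(r->pool, &model_server_context, model_server_context_cleanup);
        ctx->r = r;
        model_request_ctor();
    } else {
        /* server_context still set: treated as a subrequest, ctor skipped */
        parent_req = ctx->r;
        ctx->r = r;
    }

    /* "run the script": record which kind of interpreter it ran in */
    out = model_interpreter_configured ? MODEL_RAN_CONFIGURED : MODEL_RAN_DECONFIGURED;

    if (!parent_req) {
        model_request_dtor();
        ctx->request_processed = 1;
        if (apply_fix)
            model_pool_cleanup_run(r->pool, &model_server_context, model_server_context_cleanup);
    } else {
        ctx->r = parent_req;
    }
    return out;
}

/* Two pipelined GET /foo requests on one connection; returns the second request's outcome.
 * pool_cleanup_between_requests == 1 models Apache 2.2 destroying the first request's pool
 * before the second is handled; 0 models the Apache 2.4 behaviour the message describes. */
static model_outcome model_pipeline_second_request(int pool_cleanup_between_requests, int apply_fix)
{
    model_pool pool1 = {0}, pool2 = {0};
    model_request r1 = {"/foo", &pool1}, r2 = {"/foo", &pool2};
    model_outcome second;

    model_server_context = NULL;
    model_interpreter_configured = 0;

    model_php_handler(&r1, apply_fix);
    if (pool_cleanup_between_requests)
        model_pool_destroy(&pool1);
    second = model_php_handler(&r2, apply_fix);

    model_pool_destroy(&pool2);
    model_pool_destroy(&pool1);
    return second;
}
```

With the Apache 2.2 ordering (pool cleanup between requests) the second request takes the normal path regardless of the patch; with the Apache 2.4 ordering and no patch it returns MODEL_RAN_DECONFIGURED, because the stale server_context sends it down the subrequest branch and the ctor never runs; with the patch applied the explicit apr_pool_cleanup_run() at the end of the first request clears the pointer and the second request is constructed normally again.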

References:

https://bugs.php.net/bug.php?id=69218
https://bugs.php.net/bug.php?id=68486
http://git.php.net/?p=php-src.git;a=commit;h=809610f5ea38a83b284e1125d1fff129bdd615e7

Posted by 没穿底裤 on 2020-01-01 04:59:59.
Please keep this link when reposting (CN-SEC 中文网, with thanks to the original author):
PHP 5.6.7 apache2handler remote code execution vulnerability http://cn-sec.com/archives/76333.html
