96816 2003-03-25 17:47 /55 lines/ Sir Mordred <mordred@s-mail.com>
Imported: 2003-03-25 17:47 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4142>
Subject: @(#)Mordred Labs advisory - Integer overflow in PHP socket_iovec_alloc() function
------------------------------------------------------------
//@(#) Mordred Security Labs advisory

Release date: March 25, 2003
Name: Integer overflow in PHP socket_iovec_alloc() function
Versions affected: < 4.3.2
Conditions: PHP must be compiled with --enable-sockets option, which
            is turned off by default
Risk: average
Author: Sir Mordred (mordred@s-mail.com)

I. Description:

PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.
Please visit http://www.php.net for more information about PHP.

The PHP socket extension implements a low-level interface to the socket
communication functions based on the popular BSD sockets, providing the
possibility to act as a socket server as well as a client...
To enable this extension, PHP should be compiled with the
--enable-sockets option.

II. Details:

There exists an integer overflow in the socket_iovec_alloc() function.
When requesting the following PHP script, an httpd child will die with
the error message:

child pid <pidnum> exit signal Segmentation fault (11)

$ cat t.php
<?php
socket_iovec_alloc(0x20000000);
?>

III. Platforms tested

Linux 2.4 with Apache 1.3.27 / PHP 4.3.1

IV. Workaround

Don't use the sockets extension.

V. Vendor response

Vendor notified, issue will be fixed in PHP 4.3.2.
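
Why 0x20000000 triggers the problem, shown as an added example (not code from the advisory or from PHP): assuming a 32-bit build in which the allocation size is the element count times an 8-byte struct iovec, the product wraps to 0 and the buffer ends up far smaller than the count implies. The helper names and the 8-byte element size are assumptions for illustration; the checked multiply is the kind of guard that stops the wrap.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: size of struct iovec on a 32-bit build (pointer + length). */
#define IOVEC32_SIZE 8u

/* Byte count produced by an unchecked count * size in 32-bit arithmetic. */
uint32_t unchecked_bytes32(uint32_t count, uint32_t elem_size)
{
    return count * elem_size; /* silently wraps modulo 2^32 */
}

/* Checked multiply: 0 and *out set on success; -1 if either operand is
 * zero or the product does not fit in 32 bits. */
int checked_bytes32(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (count == 0 || elem_size == 0 || count > UINT32_MAX / elem_size)
        return -1;
    *out = count * elem_size;
    return 0;
}

/* Hypothetical hardened allocator: rejects the request instead of
 * returning a buffer smaller than count elements. */
void *alloc_vectors32(uint32_t count)
{
    uint32_t bytes;
    if (checked_bytes32(count, IOVEC32_SIZE, &bytes) != 0)
        return NULL;
    return calloc(1, bytes);
}

int main(void)
{
    uint32_t count = 0x20000000u; /* value from the advisory's t.php */
    uint32_t bytes;

    printf("unchecked: %u elements -> %u bytes\n",
           (unsigned)count, (unsigned)unchecked_bytes32(count, IOVEC32_SIZE));
    if (checked_bytes32(count, IOVEC32_SIZE, &bytes) != 0)
        printf("checked: request rejected (size overflow)\n");
    void *p = alloc_vectors32(4);
    printf("checked: 4 elements -> %s\n", p ? "allocated" : "failed");
    free(p);
    return 0;
}
```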