[16561] in bugtraq
Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure through
daemon@ATHENA.MIT.EDU (Zeev Suraski)
Mon Sep 4 22:48:52 2000
Message-Id: <4.3.2.7.2.20000904231640.03c11f40@mail.zend.com>
Date: Tue, 5 Sep 2000 01:35:03 +0300
Reply-To: zeev@zend.com
From: Zeev Suraski <zeev@ZEND.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.21.0009032345020.2340-100000@thinkpad.php.net>

The initial fix published earlier did NOT fix the vulnerability that was
discovered, and could also cause crashes under certain circumstances. It
could also cause some applications to fail, due to a side effect that
prevents certain valid form variables from being processed correctly.

The correct, tested fixed file (without any side effects) is available at
http://cvsweb.php.net/viewcvs.cgi/~checkout~/php4/main/rfc1867.c?rev=1.45&content-type=text/plain

The diff against version 4.0.2 is available at:
http://cvsweb.php.net/viewcvs.cgi/php4/main/rfc1867.c.diff?r1=1.38%3Aphp_4_0_2&tr1=1.1&r2=text&tr2=1.45&diff_format=u

It is also attached to this message.

Thanks to James Moore for helping me test this fix.

Zeev

[Attachment: rfc1867.c.diff]

--
Zeev Suraski <zeev@zend.com>
http://www.zend.com/