Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:16481
HistoryMar 25, 2007 - 12:00 a.m.

MOPB-31-2007:PHP _SESSION Deserialization Overwrite Vulnerability

2007-03-2500:00:00
vulners.com
12
JSON

Summary

When register_globals is activated the deserialization of the session data can overwrite any global variable, including the _SESSION array. Because of its special implementation this can result in arbitrary code execution.
Affected versions

Affected are PHP 4 < 4.4.5 and PHP 5 < 5.2.1
Detailed information

The summary says it all. For further clarification test the exploit.
Proof of concept, exploit or instructions to reproduce

The attached proof of concept code uses the substr_compare() information leak vulnerability to determine the offset to the shellcode and to a writeable address containing a NULL pointer. It then uses the described vulnerability to overwrite the _SESSION array with a fake Hashtable and trigger code execution.
Notes

Under normal situations this vulnerability can only be exploited locally. However it might be possible for a remote attacker to use an application vulnerability to inject a session data file onto the server. Many applications already contained holes like this.

Through this vulnerability it is possible to execute arbitrary code on servers running such applications. The Suhosin Extension will protect you from this kind of attack in the default config, because session data is encrypted on the server and cannot be easily modified.

JSON