PHP LiteSpeed SAPI out of boundaries read due to missing input validation
The LiteSpeed SAPI module in PHP did not sanitize several fields of the
LSAPI request correctly. In the source file sapi/litespeed/lsapilib.c,
the parseRequest function calculated addresses of these variables in the
pReq->m_pScriptFile = pReq->m_pReqBuf +
pReq->m_pScriptName = pReq->m_pReqBuf +
pReq->m_pQueryString = pReq->m_pReqBuf +
pReq->m_pRequestMethod = pReq->m_pReqBuf +
These variables were then exported, so they become available in PHP code
through the $_SERVER array.
These offset fields (e.g. m_scriptFileOff) of the header were not
validated at all, so a segmentation fault occurred in the SAPI process
after it received an invalid value.
Access to the SAPI socket is a prerequisite of the attack.
The fix is available with the commit:
The fixed versions of PHP are: 5.5.31, 5.6.17 and 7.0.2.
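
Added example, not part of the original advisory and not the code from the PHP fix commit: one way to validate header offsets of this kind before turning them into pointers, rejecting negative, out-of-range and unterminated fields. The structs are simplified stand-ins; apart from m_scriptFileOff, the field names, the helper functions and the sample buffer are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-in for the LSAPI request header. Only m_scriptFileOff
 * is named in the advisory; the other field names and both struct
 * layouts are assumptions made for this example. */
struct req_header {
    int32_t m_scriptFileOff, m_scriptNameOff;
    int32_t m_queryStringOff, m_requestMethodOff;
};
struct request {
    char *script_file, *script_name, *query_string, *request_method;
};

/* Return buf + off, or NULL when the offset is negative, lies past the
 * end of the buffer, or the string is not NUL-terminated inside it. */
static char *checked_field(char *buf, size_t buf_len, int32_t off)
{
    if (off < 0 || (size_t)off >= buf_len)
        return NULL;
    if (memchr(buf + off, '\0', buf_len - (size_t)off) == NULL)
        return NULL;
    return buf + off;
}

/* Resolve all four offsets; 0 on success, -1 if any field is invalid. */
int resolve_fields(struct request *r, const struct req_header *h,
                   char *buf, size_t buf_len)
{
    r->script_file    = checked_field(buf, buf_len, h->m_scriptFileOff);
    r->script_name    = checked_field(buf, buf_len, h->m_scriptNameOff);
    r->query_string   = checked_field(buf, buf_len, h->m_queryStringOff);
    r->request_method = checked_field(buf, buf_len, h->m_requestMethodOff);
    return (r->script_file && r->script_name &&
            r->query_string && r->request_method) ? 0 : -1;
}

/* Constructed request body: four NUL-terminated strings at 0, 11, 18, 22. */
static char sample[] = "/srv/a.php\0/a.php\0q=1\0GET";
/* Parse the sample with a caller-chosen script-file offset and length. */
int check_sample(int32_t script_file_off, size_t buf_len)
{
    struct req_header h = { script_file_off, 11, 18, 22 };
    struct request r;
    return resolve_fields(&r, &h, sample, buf_len);
}

int main(void) { return check_sample(0, sizeof(sample)); }
```

A request that fails the check should be dropped before any field is exported to $_SERVER.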