[nylug-talk] month of PHP bugs

Michael B Allen mba2000 at ioplex.com
Sat Mar 3 23:00:47 EST 2007


Hey,

That PHP security guy is posting a "month of PHP bugs". The
writeups are actually pretty well done. At least they explain the
problems well. But I want to post my understanding of some of these
"vulnerabilities" because using terms like 'Overflow' and 'Stack' and
'Vulnerability' makes these sound like they're really serious. None of
these are remote exploits or serious (at least not the first four I
looked at). So for those of you using PHP don't run out and switch to
Python just yet.

Here's my understanding of the first four (I gave up after that):

1. MOPB-01-2007:PHP 4 Userland ZVAL Reference Counter Overflow Vulnerability

This requires that the attacker be able to supply their own PHP script. If
that's the case, then wouldn't it be easier for the "attacker" to simply
call system("echo I'm in, bwahhahahaha!")?

2. MOPB-02-2007:PHP Executor Deep Recursion Stack Overflow

If a script gets caught in a deep recursion it overflows the stack. What
exactly does this guy expect to happen? Should the program stop and
print a message "Stack Overflow: Hey stupid, don't write programs that
get caught in an infinite recursion."?

3. MOPB-03-2007:PHP Variable Destructor Deep Recursion Stack Overflow

I fail to see how this is different from 2.

4. MOPB-04-2007:PHP 4 unserialize() ZVAL Reference Counter Overflow

This requires someone feed unchecked user supplied data to the
unserialize() function. The unserialize() function takes a string and
converts it into a bona fide, arbitrarily complex PHP variable. Anyone
stupid enough not to realize the implications of exposing that
function to userland should not have access to computers. This is one
level up from sticking an HTML form in front of the system() function.

Mike

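The point about unserialize() in item 4 above, as an added example that is not part of Mike's post: the serialized string, not the application, decides which class gets instantiated and what its fields contain, and that class's magic methods (here __destruct) then run on attacker-chosen values. The LogWriter class, the loadSession* helpers and the serialized payload are all hypothetical and constructed for this example; it assumes PHP 8 (constructor promotion, the `mixed` type) and the `allowed_classes` option of unserialize(), which exists since PHP 7.0.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Names are hypothetical.
// An ordinary application class whose destructor has a side effect.
class LogWriter
{
    /** Records what the destructor "wrote"; stands in for a real file write. */
    public static array $writes = [];

    public function __construct(public string $path = '/var/log/app.log', public string $data = '')
    {
    }

    public function __destruct()
    {
        // A real application would do file_put_contents($this->path, $this->data).
        // Whoever controls $path and $data therefore controls that write.
        self::$writes[] = "{$this->path}: {$this->data}";
    }
}

// Vulnerable: user-supplied data goes straight to unserialize().
function loadSessionUnsafe(string $blob): mixed
{
    return unserialize($blob);
}

// Safer: refuse to instantiate any class. Objects in the blob become
// __PHP_Incomplete_Class, whose magic methods never run.
function loadSessionSafe(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Safest for plain data: a format that cannot express objects at all.
function loadSessionJson(string $blob): mixed
{
    return json_decode($blob, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed attacker input: a serialized LogWriter written by hand.
// No constructor ever ran; the fields are whatever the attacker typed.
$attack = 'O:9:"LogWriter":2:{s:4:"path";s:20:"/tmp/attacker-chosen";s:4:"data";s:5:"owned";}';

// 1. The unsafe path: the attacker picked the class and its fields.
$obj = loadSessionUnsafe($attack);
var_dump($obj instanceof LogWriter);          // the attacker chose the class
unset($obj);                                   // __destruct runs now, on the attacker's fields
var_dump(LogWriter::$writes);                  // the "write" to /tmp/attacker-chosen

// 2. With allowed_classes => false the same blob yields an inert placeholder.
$inert = loadSessionSafe($attack);
var_dump($inert instanceof __PHP_Incomplete_Class); // not a LogWriter, so no destructor
unset($inert);
var_dump(count(LogWriter::$writes));          // no new write recorded

// 3. JSON cannot carry objects at all; a serialized-object blob is simply rejected.
try {
    loadSessionJson($attack);
} catch (JsonException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Run it with `php example.php`. The same mechanism applies to __wakeup, __toString and any other magic method on any class the autoloader can reach, which is why the safe variants either forbid classes outright or avoid PHP's native serialization format for anything that crosses a trust boundary.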
