Is IMP vulnerable to the PHP syslog() bug?

Chuck Hagenbuch chuck@horde.org
Thu, 26 Oct 2000 11:20:38 -0400 (EDT)


Quoting Samuli Karkkainen <skarkkai@woods.iki.fi>:

> http://lwn.net/2000/1019/a/phpformatstring.php3 says:
> 
> "A web server having PHP installed and one or more PHP scripts is
> vulnerable to the problem if error logging is enabled in php.ini. Also
> any PHP script using the "syslog" command of PHP may be vulnerable,
> regardless of error logging."
> 
> If I understood correctly, the problem is the following statements in PHP's
> C source:
> 
>   syslog(LOG_NOTICE, log_message);
> 
> Syslog(3) uses log_message as a printf() style "format" string and
> thus, obviously, if log_message can be controlled by an attacker, a
> vulnerability exists. To my understanding, the question would then be,
> does IMP ever pass an unsafe error string to PHP's syslog() function.

Given the above, if you have logging enabled, then someone may be able to
exploit the bug by providing a format string as a username.

-chuck

--
Charles Hagenbuch, <chuck@horde.org>
Many states consider gambling so immoral that they not only prohibit private
gambling organizations, they thoughtfully provide their own.
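
The usual fix for the syslog() call quoted above is to pass a constant format string and supply the message as an argument. The following is an added example, not code from PHP, IMP or this thread; the function names, log text and sample usernames are constructed for illustration. It shows the fixed call plus a check that flags printf-style directives in untrusted input:

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Count printf-style conversion directives in s; "%%" is a literal percent. */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent, not a directive */
            s++;
            continue;
        }
        n++;                    /* '%' followed by anything else */
    }
    return n;
}

/* Render the log line with a constant format; the username is only data. */
static int render_safe(char *out, size_t outlen, const char *username)
{
    return snprintf(out, outlen, "FAILED LOGIN for %s", username);
}

/* Hypothetical logging wrapper using the fixed call form. */
static void log_failed_login(const char *username)
{
    /* Pattern from the quoted source: syslog(LOG_NOTICE, log_message);  */
    /* Fixed form: the format string is a literal the caller cannot set. */
    syslog(LOG_NOTICE, "FAILED LOGIN for %s", username);
}

int main(void)
{
    /* Constructed sample usernames. */
    const char *samples[] = { "alice", "100%%", "bob%x%x%s" };
    char line[128];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        render_safe(line, sizeof line, samples[i]);
        printf("%-12s directives=%d logged as: %s\n",
               samples[i], count_directives(samples[i]), line);
        log_failed_login(samples[i]);
    }
    return 0;
}
```

With the constant format, a username containing directives is logged verbatim; the directive count is useful as an audit or alerting signal, not as a substitute for the fixed call.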