PHP Header Function Space Trimming Buffer Overflow Vulnerability

Bugtraq ID:	23012
Class:	Boundary Condition Error
CVE:
Remote:	No
Local:	Yes
Published:	Mar 17 2007 12:00AM
Updated:	Mar 19 2007 05:44PM
Credit:	Stefan Esser is credited with the discovery of this vulnerability.
Vulnerable:	PHP PHP 5.2 + Debian Linux 4.0 sparc + Debian Linux 4.0 s/390 + Debian Linux 4.0 powerpc + Debian Linux 4.0 mipsel + Debian Linux 4.0 mips + Debian Linux 4.0 m68k + Debian Linux 4.0 ia-64 + Debian Linux 4.0 ia-32 + Debian Linux 4.0 hppa + Debian Linux 4.0 arm + Debian Linux 4.0 amd64 + Debian Linux 4.0 alpha + Debian Linux 4.0
Not Vulnerable:

PHP Header Function Space Trimming Buffer Overflow Vulnerability

PHP is prone to a buffer-overflow vulnerability because the application fails to perform boundary checks before copying user-supplied data to insufficiently sized memory buffers.

An attacker can exploit this issue to execute arbitrary machine code in the context of the affected webserver. Failed exploit attempts will likely crash the webserver, denying service to legitimate users.

PHP 5.2.0 is reported vulnerable; other versions may also be affected.

PHP Header Function Space Trimming Buffer Overflow Vulnerability

The following proof-of-concept exploit is available:

• /data/vulnerabilities/exploits/MOPB-25-2007.php

PHP Header Function Space Trimming Buffer Overflow Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].

PHP Header Function Space Trimming Buffer Overflow Vulnerability

References:

• MOPB-25-2007:PHP header() Space Trimming Buffer Underflow Vulnerability (Stefan Esser)
  
• PHP Homepage (PHP Group)