PHP S Data Type Serialization Format Heap Information Leak Vulnerability

Bugtraq ID:	23105
Class:	Boundary Condition Error
CVE:
Remote:	No
Local:	Yes
Published:	Mar 23 2007 12:00AM
Updated:	Jul 04 2008 03:40PM
Credit:	Stefan Esser is credited with the discovery of this vulnerability.
Vulnerable:	PHP PHP 5.2.1 + Ubuntu Ubuntu Linux 7.04 sparc + Ubuntu Ubuntu Linux 7.04 powerpc + Ubuntu Ubuntu Linux 7.04 i386 + Ubuntu Ubuntu Linux 7.04 amd64 Mandriva Linux Mandrake 2007.1 x86_64 Mandriva Linux Mandrake 2007.1
Not Vulnerable:	PHP PHP 5.2.2

PHP S Data Type Serialization Format Heap Information Leak Vulnerability

PHP 'S:' datatype serialization handler is prone to a heap-information leak.

The vulnerability arises because of a missing boundary check in the unserialization of escaped strings. A local attacker can exploit this issue to obtain sensitive information (such as heap offsets and canaries) that may aid in other attacks.

PHP 5.2.1 is affected.

PHP S Data Type Serialization Format Heap Information Leak Vulnerability

An exploit is available.

• /data/vulnerabilities/exploits/MOPB-29-2007.php

PHP S Data Type Serialization Format Heap Information Leak Vulnerability

Solution:
The vendor released an update to address this issue. Please see the references for more information.


PHP PHP 5.2.1

• PHP php-5.2.2-win32-installer.msi
  http://www.php.net/get/php-5.2.2-win32-installer.msi/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP S Data Type Serialization Format Heap Information Leak Vulnerability

References:

• PHP 5.2.2 Release Announcement (PHP)
  
• PHP Homepage (PHP)
  
• MOPB-29-2007:PHP 5.2.1 unserialize() Information Leak Vulnerability (PHP-Security)