Monday, March 24, 2008

PHP 5.2.5 and prior : *printf() Integer Overflow !

Hi folks, today I focused my attention on this topic: PHP 5.2.5 and prior sprintf() integer overflow. SecurityReasons discovered this important vulnerability and published the advisory on its own site, here.
*printf() is used to format strings.
Any C programmer knows that those functions assume long strings, and where it is necessary to limit or truncate the strings before passing it to memory. Usually those functions can trigger security holes in the form of overflows. The reason for this is really obvious: If the data that is being passed to memory comes as user supplied data, it needs to be treated before you pass it.

Following the complete advisor:

Again, it seems impossible that someone might find this kind of bugs; what I mean is that this vulnerability's typology  is pretty old (I'm referring to old C functions) and, so far, it should be a well known security background which everybody should have. I'm wondering what happen if the security engineers don't remember old and commons mistakes ? We will remake the same errors ?  Anyway, thank you to SecurityReason's guys who discovered this important vulnerability.

No comments: