Freely subscribe to our NEWSLETTER

This bulletin was written by Vigil@nce : http://vigilance.fr/offer

SYNTHESIS OF THE VULNERABILITY

In a special configuration of Suhosin Extension, an attacker can
define a cookie, in order to generate a buffer overflow, leading
to a denial of service and possibly to code execution.

Severity: 2/4

Creation date: 19/01/2012

IMPACTED PRODUCTS

– PHP

DESCRIPTION OF THE VULNERABILITY

The Suhosin extension for PHP is for example used to check
parameters, and to encrypt cookies.

When the cookies encryption (suhosin.cookie.encrypt) is enabled,
the suhosin_encrypt_single_cookie() function encrypts the cookie
sent by the PHP code. However, if the cookie contains a null
(’\0’) character, the length of an array is incorrectly computed,
and a buffer overflow occurs.

In order to setup an attack:
– suhosin.cookie.encrypt has to be set (this is not the default
case), and
– suhosin.multiheader has to be set (this is not the default
case), and
– suhosin.*.disallow_nul has to be unset (this is not the default
case), and
– the attacker has to be able to inject a cookie in the PHP code,
for example via: header("Set-Cookie:" +
cookie_controlled_by_the_attacker);

In a special configuration of Suhosin Extension and with a special
PHP code, an attacker can therefore define a cookie, in order to
generate a buffer overflow, leading to a denial of service and
possibly to code execution.

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

http://vigilance.fr/vulnerability/Suhosin-PHP-Extension-buffer-overflow-via-cookie-11309