Vigil@nce - PHP: format string attack via class name
January 2016 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can generate a memory corruption, if he can transmit
malicious PHP code containing an invalid class name, in order to
trigger a denial of service, and possibly to run code.
– Impacted products: PHP.
– Severity: 1/4.
– Creation date: 28/12/2015.
DESCRIPTION OF THE VULNERABILITY
The PHP language supports dynamic class names:
$n = "MyClass";
$n::myFunction();
If the class name is invalid, the PHP interpreter calls
zend_throw_or_error() to display an error message. However, the
format string is missing.
An attacker can therefore generate a memory corruption, if he can
transmit malicious PHP code containing an invalid class name, in
order to trigger a denial of service, and possibly to run code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/PHP-format-string-attack-via-class-name-18600