PHP 代码执行和远程拒绝服务漏洞

漏洞ID	1112337	漏洞类型	资源管理错误
发布时间	2007-03-01	更新时间	2007-03-01
CVE编号	CVE-2006-1549	CNNVD-ID	CNNVD-200604-118
漏洞平台	PHP	CVSS评分	2.1

|漏洞来源

https://www.exploit-db.com/exploits/29693
https://www.securityfocus.com/bid/22766
https://cxsecurity.com/issue/WLB-2007030010
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200604-118

|漏洞详情

PHP4.4.2和5.1.2允许本地用户通过定义和执行递归函数造成崩溃(分段故障)。

|漏洞EXP

source: http://www.securityfocus.com/bid/22766/info

PHP is prone to a denial-of-service vulnerability because it fails to properly sanitize user-supplied input.

An attacker with permissions to execute PHP code on an affected computer may exploit this issue to crash PHP and kill all remaining webserver threads. This will result in denial-of-service conditions.

Although this issue is local in nature, a remote attacker may exploit it by using other latent vulnerabilities such as a remote file-include issues; other remote attack vectors are also possible.

This issue affects all versions of PHP. 

$ curl http://www.example.com/phpmyadmin/ -d a`php -r 'echo str_repeat("[a]",20000);'`=1

|受影响的产品

PHP PHP 5.2.1 + Ubuntu Ubuntu Linux 7.04 sparc + Ubuntu Ubuntu Linux 7.04 powerpc + Ubuntu Ubuntu Linux 7.04 i386

|参考资料

来源:VUPEN
名称:ADV-2006-1290
链接:http://www.frsirt.com/english/advisories/2006/1290
来源:XF
名称:php-function-dos(25704)
链接:http://xforce.iss.net/xforce/xfdb/25704
来源:BID
名称:22766
链接:http://www.securityfocus.com/bid/22766
来源:BUGTRAQ
名称:20060414Re:Re:function*()php/apacheCrashPHP4.4.2and5.1.2
链接:http://www.securityfocus.com/archive/1/archive/1/431018/100/0/threaded
来源:BUGTRAQ
名称:20060412Re:function*()php/apacheCrashPHP4.4.2and5.1.2
链接:http://www.securityfocus.com/archive/1/archive/1/430742/100/0/threaded
来源:BUGTRAQ
名称:20060410Re:function*()php/apacheCrashPHP4.4.2and5.1.2
链接:http://www.securityfocus.com/archive/1/archive/1/430598/100/0/threaded
来源:BUGTRAQ
名称:20060409function*()php/apacheCrashPHP4.4.2and5.1.2
链接:http://www.securityfocus.com/archive/1/archive/1/430453/100/0/threaded
来源:MISC
链接:http://www.php-security.org/MOPB/MOPB-02-2007.html
来源:OSVDB
名称:24485
链接:http://www.osvdb.org/24485
来源:SECTRACK
名称:1015880
链接:http://securitytracker.com/id?1015880
来源:SREASON
名称:676
链接:http://securityreason.