Is this serious? PHP <= 4.4.3 / 5.1.4 (objIndex) Local Buffer Overflow Exploit PoC

BianchiDude

Well-Known Member
PartnerNOC
Jul 2, 2005
619
0
166
Is this serious?
PHP <= 4.4.3 / 5.1.4 (objIndex) Local Buffer Overflow Exploit PoC

I have php 4.4.2, am I at risk?
# php -v
PHP 4.4.2
 

jamesbond

Well-Known Member
Oct 9, 2002
738
1
168
Just add sscanf to your php.ini disable_functions line, and you should be fine. It's not a very commonly used function.

This vulnerability also exists in PHP 4.4.3. Nevertheless you should upgrade to PHP 4.4.3, since several other security issues were fixed in that version.
 

BianchiDude

Well-Known Member
PartnerNOC
Jul 2, 2005
619
0
166
Have you been able to get that exploit to work?

I keep getting a segmentation fault

[/tmp]# php sscanf.php
Segmentation fault
 

darkkouta

Well-Known Member
May 12, 2006
55
0
156

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,465
30
473
Go on, have a guess
Vulnearability is fixed in CVS.
Shame PHP hasn't mentioned when they're going to bother actually releasing a fixed version instead of leaving it to twiddle its thumbs in CVS, especially since it was reported to them so long ago.