Is this serious? PHP <= 4.4.3 / 5.1.4 (objIndex) Local Buffer Overflow Exploit PoC

[BianchiDude]

Is this serious?
PHP <= 4.4.3 / 5.1.4 (objIndex) Local Buffer Overflow Exploit PoC

I have php 4.4.2, am I at risk?
# php -v
PHP 4.4.2

 

[jamesbond]

Just add sscanf to your php.ini disable_functions line, and you should be fine. It's not a very commonly used function.

This vulnerability also exists in PHP 4.4.3. Nevertheless you should upgrade to PHP 4.4.3, since several other security issues were fixed in that version.

 

[BianchiDude]

Have you been able to get that exploit to work?

I keep getting a segmentation fault

[/tmp]# php sscanf.php
Segmentation fault

 

[darkkouta]

see

http://www.securityfocus.com/archive/1/442438

and

http://bugs.php.net/bug.php?id=38322

 

[chirpy]

Vulnearability is fixed in CVS.

Shame PHP hasn't mentioned when they're going to bother actually releasing a fixed version instead of leaving it to twiddle its thumbs in CVS, especially since it was reported to them so long ago.

 

[BianchiDude]

see

http://www.securityfocus.com/archive/1/442438

and

http://bugs.php.net/bug.php?id=38322

So it always gives a segmentation fault? Its not a security risk then, no?