From: geissert
Operating system: *
PHP version: Irrelevant
Package: XMLRPC-EPI related
Bug Type: Bug
Bug description: null pointer deref when <methodName> is not set

Description:
------------
This is CVE-2010-0397, originally reported by Auke van Slooten at http://bugs.debian.org/573573

When processing an invalid XML-RPC request (one without a <methodName>, which is required by the specs), the extension doesn't check for the NULL value returned by the xmlrpc library. This NULL is then passed to estrdup, which dereferences the pointer, leading to a segmentation fault. This can easily be used to perform DoS attacks by crashing the server.

I've already notified secur...@php.net, but since the issue is public there's no point in hiding it or the patch.

The attached patch fixes the problem, which can also be found at:
http://git.debian.org/?p=pkg-php/php.git;a=blob;f=debian/patches/CVE-2010-0397.patch;h=186b2166644c066f28f1ffb9195ffa9f5744a604;hb=HEAD

Test script:
---------------
<?php
$method = '';
// A methodCall with no <methodName> element: valid XML, invalid XML-RPC.
$req = '<?xml version="1.0"?><methodCall></methodCall>';
var_dump(xmlrpc_decode_request($req, $method));
var_dump($method);
echo "Done\n";
?>

Expected result:
----------------
NULL
NULL
Done

Actual result:
--------------
Segmentation fault

-- 
Edit bug report at http://bugs.php.net/bug.php?id=51288&edit=1
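The defect the report describes, reduced to a stand-alone C model. This is an added example, not code from the PHP extension or from xmlrpc-epi: a toy request parser whose accessor returns NULL when <methodName> is absent, the unchecked copy that dereferences that NULL, and the checked version that rejects the request. All names here (xmlrpc_request, parse_request, request_get_method_name, dup_string, decode_method_name_*) are assumptions for the illustration; dup_string stands in for estrdup.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_METHOD_NAME 128

/* Toy parsed request standing in for the library's request object.
 * Assumption for this example only; not xmlrpc-epi's XMLRPC_REQUEST. */
typedef struct {
    int has_method_name;
    char method_name[MAX_METHOD_NAME];
} xmlrpc_request;

/* Minimal extraction of <methodName>...</methodName>. Not a real XML parser:
 * just enough to model "parsed fine, but the element is missing" (returns 0
 * with has_method_name == 0) versus a malformed request (returns -1). */
int parse_request(const char *xml, xmlrpc_request *req)
{
    memset(req, 0, sizeof *req);
    if (strstr(xml, "<methodCall>") == NULL)
        return -1;
    const char *open = strstr(xml, "<methodName>");
    if (open == NULL)
        return 0;                       /* valid parse, no method name */
    open += strlen("<methodName>");
    const char *close = strstr(open, "</methodName>");
    if (close == NULL)
        return -1;
    size_t len = (size_t)(close - open);
    if (len == 0 || len >= sizeof req->method_name)
        return -1;
    memcpy(req->method_name, open, len);
    req->method_name[len] = '\0';
    req->has_method_name = 1;
    return 0;
}

/* Library-side accessor, modelled on the behaviour the report describes:
 * NULL when the request carries no <methodName>. */
const char *request_get_method_name(const xmlrpc_request *req)
{
    return req->has_method_name ? req->method_name : NULL;
}

/* Plain malloc-based duplicator standing in for PHP's estrdup. Like
 * estrdup it assumes a valid string: strlen(NULL) is the crash. */
char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy != NULL)
        memcpy(copy, s, n);
    return copy;
}

/* The buggy pattern: the accessor's result is copied without a check, so a
 * request lacking <methodName> dereferences NULL and kills the process. */
char *decode_method_name_vulnerable(const xmlrpc_request *req)
{
    return dup_string(request_get_method_name(req));
}

/* Hardened form: treat the missing name as an invalid request and hand NULL
 * back to the caller, which maps it to an error instead of a segfault. */
char *decode_method_name_fixed(const xmlrpc_request *req)
{
    const char *name = request_get_method_name(req);
    if (name == NULL)
        return NULL;
    return dup_string(name);
}

int main(void)
{
    /* Constructed inputs: the reporter's crasher and a well-formed call. */
    const char *crasher = "<?xml version=\"1.0\"?><methodCall></methodCall>";
    const char *valid   = "<?xml version=\"1.0\"?><methodCall>"
                          "<methodName>test.echo</methodName>"
                          "<params></params></methodCall>";
    xmlrpc_request req;
    char *name;

    parse_request(crasher, &req);
    name = decode_method_name_fixed(&req);
    printf("no <methodName>: %s\n", name ? name : "rejected as invalid request");
    free(name);

    parse_request(valid, &req);
    name = decode_method_name_fixed(&req);
    printf("with <methodName>: %s\n", name ? name : "(null)");
    free(name);

    /* To reproduce the crash from the report, call
     * decode_method_name_vulnerable(&req) after parsing `crasher`. */
    return 0;
}
```

Returning NULL from the fixed decoder is the same outcome the report lists under "Expected result": xmlrpc_decode_request yields NULL for the malformed request and the caller carries on, rather than the worker process dying on a request anyone can send.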