Sometime back we had come across this interesting vulnerability posted by a Chinese researcher in his blog, claiming to have found a zero day vulnerability in php 5.2.3.

We got a chance to dig a bit deeper into this and were able to reproduce the vulnerability based on the information provided in the blog. After investigation, we found that this vulnerablility affects not only verion 5.2.3 but also version 5.2.5. It is a heap overflow which can be triggered when a web server with PHP receives a malformed URI request, it can be a simple request like “GET /index.php/aa HTTP/1.1″ . Successful exploitation of this can result in arbitrary code execution with the privileges of the WEB Server.

This happens because the author misplaced the bracket resulting in miscalculation of the buffer which can result in a heap overflow. So fixing this issue is also simple viz: In \sapi\cgi\cgi-man.c do a grep for: “ptlen + env_path_info ? strlen(env_path_info) : 0;” , and replace this with “ptlen + (env_path_info ? strlen(env_path_info) : 0); ”

This is one of the classic examples of small human errors (which can sometime be even typos) that can result in vulnerabilities.

We had reported this issue to PHP dev team almost immediately after we had come to know about this issue in the wild and they’ve just come out with a patch for this. We highly recommend users to update with the latest version of PHP 5.2.6 released . This patch besides this issue, fixes a host of other security related fixes, some of which we deem as critical. This specific issue affects FastCGI packages of PHP.

This issue has been given the identifier CVE-2008-0599.

We shall continue to monitor this threat and update if we come across anything malicious.