Hello,

1) Only code that tries to create/initialize a Non-Persistent hash table
is vulnerable under certain cases.
True or False.
False, anything that is not correctly initialised at the time the memory_limit request termination kicks in can potentially be exploited. This includes string pointers...

2) How come some remote attacker can set the Destructor to point to the
function of his choice?
When memory is allocated, it usually contains the content from before it was last freed. In PHP this is especially true because of the memory cache. So the attacker creates some memory block of the correct size and, by freeing it, it ends up on top of the memory cache.

3) Where can I get the patch for this vulnerability for PHP-4.2.3?
By downloading it from the distributor of your choice or by doing a diff between 4.3.7 and 4.3.8 and incorporating the fixes into the older version. The PHP developers are not going to create a patch for a 2 year old version.

4) Can someone point to the executable test case for this problem so
that I can test before and after incorporating the fix?
Nice try. Until now no one has released an exploit for this bug to the public and therefore it is not a good idea to give one out at this time. For anyone into exploit development there is already enough information in the advisory to create one.

Stefan Esser

PS: I am not going to answer any further mails about this.

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php


