Edit report at http://bugs.php.net/bug.php?id=51288&edit=1
ID: 51288 Updated by: fel...@php.net Reported by: geiss...@php.net Summary: null pointer deref when <methodName> is not set -Status: Open +Status: Assigned Type: Bug Package: XMLRPC-EPI related Operating System: * PHP Version: Irrelevant -Assigned To: +Assigned To: geissert New Comment: Go ahead and commit it. :) Previous Comments: ------------------------------------------------------------------------ [2010-03-13 03:20:54] geiss...@php.net The following patch has been added/updated: Patch Name: CVE-2009-3765 Revision: 1268446854 URL: http://bugs.php.net/patch-display.php?bug=51288&patch=CVE-2009-3765&revision=1268446854 ------------------------------------------------------------------------ [2010-03-13 03:20:02] geiss...@php.net Description: ------------ This is CVE-2010-0397, originally reported by Auke van Slooten at http://bugs.debian.org/573573 When processing an invalid (one without a <methodName>, required by the specs) XML-RPC request, the extension doesn't check for the NULL value returned by the xmlrpc library. This NULL is then passed to estrdup which dereferences the pointer, leading to a segmentation fault. This can easily be used to perform DoS attacks by crashing the server. I've already notified secur...@php.net, but since the issue is public there's no point in hiding it or the patch. The attached patch fixes the problem, which can also be found at: http://git.debian.org/?p=pkg-php/php.git;a=blob;f=debian/patches/CVE-2010-0397.patch;h=186b2166644c066f28f1ffb9195ffa9f5744a604;hb=HEAD Test script: --------------- <?php $method = ''; $req = '<?xml version="1.0"?><methodCall></methodCall>'; var_dump(xmlrpc_decode_request($req, $method)); var_dump($method); echo "Done\n"; ?> Expected result: ---------------- NULL NULL Done Actual result: -------------- Segmentation fault ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/bug.php?id=51288&edit=1
