Orange Business Services
Vigil@nce Vigil@nce Vigil@nce
we track for your security since 1999
 home presentation vulnerabilities documentation contact  
subscriber area subscriber area
free access free access
The Vigil@nce team watches vulnerabilities impacting your computers, and then offers solutions, a database and tools to correct them.
recent vulnerabilities recent vulnerabilities
tracked products tracked products
RSS feed RSS feed
vulnerability

vulnerability note CVE-2012-0807

Suhosin PHP Extension: buffer overflow via cookie

Synthesis of the vulnerability

In a special configuration of Suhosin Extension, an attacker can define a cookie, in order to generate a buffer overflow, leading to a denial of service and possibly to code execution.
Severity: 2/4.
Creation date: 19/01/2012.

Impacted products

Description of the vulnerability

The Suhosin extension for PHP is for example used to check parameters, and to encrypt cookies.

When the cookies encryption (suhosin.cookie.encrypt) is enabled, the suhosin_encrypt_single_cookie() function encrypts the cookie sent by the PHP code. However, if the cookie contains a null ('\0') character, the length of an array is incorrectly computed, and a buffer overflow occurs.

In order to setup an attack:
 - suhosin.cookie.encrypt has to be set (this is not the default case), and
 - suhosin.multiheader has to be set (this is not the default case), and
 - suhosin.*.disallow_nul has to be unset (this is not the default case), and
 - the attacker has to be able to inject a cookie in the PHP code, for example via: header("Set-Cookie:" + cookie_controlled_by_the_attacker);

In a special configuration of Suhosin Extension and with a special PHP code, an attacker can therefore define a cookie, in order to generate a buffer overflow, leading to a denial of service and possibly to code execution.

Share this bulletin

Delicious Digg Facebook Google bookmarks LinkedIn Mail Reddit StumbleUpon Technorati Twitter Yahoo 

Complete Vigil@nce bulletin

Suhosin PHP Extension: buffer overflow via cookie

Characteristics

Title: Suhosin PHP Extension: buffer overflow via cookie.
Keywords: Extension PHP Set-Cookie Suhosin buffer cookie cookie_controlled_by_the_attacker disallow_nul overflow suhosin_encrypt_single_cookie.
Identifiers: BID-51574, CVE-2012-0807, MDVSA-2012:065, MDVSA-2012:071, openSUSE-SU-2012:0426-1, SUSE-SU-2012:0411-1, SUSE-SU-2012:0472-1, SUSE-SU-2012:0496-1, VIGILANCE-VUL-11309.

Information sources

Publications and announces

Solutions for this vulnerability

Patch or workaround

Supplements

Proof of concept

Exploit 0day or proof of concept

Computer vulnerabilities tracking service

Vigil@nce provides software vulnerabilities bulletins. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system. The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system. Each administrator can customize the list of products for which he wants to receive vulnerability alerts.



















Copyright 1999-2012 Vigil@nce. Vigil@nce is a service from Orange Business Services. Site map. Legal notice. Version française