CVE-2006-4625 Vulnerability not fixed on libapache2-mod-php4.3.10-20

To: debian-security@lists.debian.org
Subject: CVE-2006-4625 Vulnerability not fixed on libapache2-mod-php4.3.10-20
From: Etienne Carriere <etienne.carriere@rez-gif.supelec.fr>
Date: Fri, 18 May 2007 19:34:33 +0200
Message-id: <464DE3A9.90301@rez-gif.supelec.fr>

I discovered yesterday that on a server it is possible to override the
php_admin_value statements .After some researches,this correspond to the
CVE-2006-4625 vulnerability.I search in the DSA between Sept 2006 and
nowadays and I found no quotation about the fixation of the hole for php4 .

You will find attached a patch to this hole .

Best Regards,

Etienne Carriere

P.S : As I did not know the right manner to report a security bug, I
also open an BTS entry : #424937 .

--- Zend/zend_ini.c.old	2007-05-18 18:52:20.000000000 +0200
+++ Zend/zend_ini.c	2007-05-18 18:52:59.000000000 +0200
@@ -241,8 +241,8 @@
 {
 	zend_ini_entry *ini_entry;
 	TSRMLS_FETCH();
-
-	if (zend_hash_find(EG(ini_directives), name, name_length, (void **) &ini_entry)==FAILURE) {
+	if (zend_hash_find(EG(ini_directives), name, name_length, (void**) &ini_entry)==FAILURE ||
+		(stage == ZEND_INI_STAGE_RUNTIME && (ini_entry->modifyable & ZEND_INI_USER) == 0)){ 
 		return FAILURE;
 	}

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

Follow-Ups:
- Re: CVE-2006-4625 Vulnerability not fixed on libapache2-mod-php4.3.10-20
  - From: Florian Weimer <fw@deneb.enyo.de>

Prev by Date: Re: [SECURITY] [DSA 1293-1] New quagga packages fix denial of service
Next by Date: Re: CVE-2006-4625 Vulnerability not fixed on libapache2-mod-php4.3.10-20
Previous by thread: Re: [SECURITY] [DSA 1293-1] New quagga packages fix denial of service
Next by thread: Re: CVE-2006-4625 Vulnerability not fixed on libapache2-mod-php4.3.10-20
Index(es):
- Date
- Thread