Vigil@nce - PHP: denial of service via ZipArchive addGlob
July 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can use the ZipArchive::addGlob() function in order to
stop the PHP interpreter.
Severity: 1/4
Creation date: 04/07/2011
IMPACTED PRODUCTS
– PHP
DESCRIPTION OF THE VULNERABILITY
The PHP ZipArchive module is used to create and read ZIP archives.
The ZipArchive::addGlob() function (exported, but undocumented)
adds files matching a pattern to a ZIP archive. For example:
  $zip->addGlob("*.txt", OPTIONS);
This function calls the C glob() function of the C library
(glibc/libc) in order to obtain the list of files.
The C glob() function uses a "glob_t" structure to store state
information for the GLOB_ALTDIRFUNC and GLOB_APPEND options.
However, the PHP interface cannot initialize this structure. So,
when the GLOB_ALTDIRFUNC and GLOB_APPEND options are used in
ZipArchive::addGlob(), a memory corruption occurs in glob().
An attacker can therefore use the ZipArchive::addGlob() function
in order to stop the PHP interpreter.
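As an added illustration (not part of the Vigil@nce bulletin or of PHP's source), the following C example shows how a language binding can zero-initialize glob_t and keep script-supplied flags away from the options that make glob() read caller-prepared state. The function names are hypothetical, and the allowlist also drops GLOB_DOOFFS, which reads gl_offs as input in the same way.

```c
#include <glob.h>
#include <stdio.h>
#include <string.h>

/* Flags that need no caller-prepared glob_t state (hypothetical allowlist). */
int allowed_glob_flags(void)
{
    int mask = GLOB_ERR | GLOB_MARK | GLOB_NOSORT | GLOB_NOCHECK | GLOB_NOESCAPE;
#ifdef GLOB_BRACE               /* extension, stateless */
    mask |= GLOB_BRACE;
#endif
    return mask;
}

/* Hypothetical binding-side wrapper: counts matches for `pattern`.
 * Returns 0 on success or "no match", -1 on a glob() error.
 * *rejected receives the flag bits that were stripped
 * (GLOB_APPEND, GLOB_ALTDIRFUNC, GLOB_DOOFFS, anything unknown). */
int safe_glob_count(const char *pattern, int untrusted_flags,
                    size_t *count, int *rejected)
{
    glob_t g;
    int rc;

    memset(&g, 0, sizeof g);    /* every field starts in a defined state */
    *rejected = untrusted_flags & ~allowed_glob_flags();
    *count = 0;

    rc = glob(pattern, untrusted_flags & allowed_glob_flags(), NULL, &g);
    if (rc == 0)
        *count = g.gl_pathc;
    globfree(&g);
    return (rc == 0 || rc == GLOB_NOMATCH) ? 0 : -1;
}

int main(void)
{
    size_t n;
    int rejected;

    /* Constructed input: a caller asking for GLOB_APPEND on a fresh glob_t. */
    if (safe_glob_count("/*", GLOB_APPEND | GLOB_MARK, &n, &rejected) == 0)
        printf("matches=%zu rejected_flags=0x%x\n", n, (unsigned)rejected);
    return 0;
}
```

A binding that reports the rejected bits back to the script as an error, rather than silently dropping them, makes the misuse visible in logs.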
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/PHP-denial-of-service-via-ZipArchive-addGlob-10806