Summary

Since PHP 5.2.0 there is a new memory manager that allows exploiting of even one byte underflow vulnerabilities like the one described by this advisory.

When an all whitespace string is passed to the header() function this can result in a buffer underflow that allows code execution on atleast big endian systems like MacOS X on PPC.

Affected versions

Affected is PHP 5.2.0

Detailed information

PHP 5.2.0 comes with a brand new memory manager that is no longer a simple wrapper around malloc()/free() but implements a own heap implementation for the request memory pool. The new heap manager stores control information inbound and is therefore vulnerable to overflow attacks. Additionally it is unlike the previous memory manager vulnerable against one byte underflows...

Summary

The internal function array_user_key_compare() is used for example by the PHP function uksort(). Its purpose is to call the userspace array key comparison function with the keys to compare as parameters. When the called function returns both parameters are destructed even if the userspace handler created references. Because of this pointers to already destructed ZVALs are left in the symboltable which will result in an exploitable double DTOR situation that allows the execution of arbitrary code.

Affected versions

Affected are PHP 4 <= 4.4.6 and PHP 5 <= 5.2.1...

Summary

Internal session storage modules can reject session identifiers since PHP 5.2.0 when they contain for example characters consideres malicious. When the session extension gets notified that the session id is invalid, it fails to clear an already freed pointer to the invalid session identifier before calling the session identifier generator. When this generator triggers an error this can result in a double free that is easily exploitable locally and might be remotely exploitable.

Affected versions

Affected are PHP 5.2.0 and PHP 5.2.1...