Date: Mon, 5 Mar 2001 13:15:53 +0000 From: pre <pre@GEEKGANG.CO.UK> Subject: [GSA2001-01] PHP IMAP overflow fix problems To: BUGTRAQ@SECURITYFOCUS.COM This is a multi-part message in MIME format. --------------68F37704A906E5C477BFCC4B Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit geekgang Security Advisory [gsa2001-01] [www.geekgang.co.uk] © Copyright 2001 geekgang ID: geekgang GSA2001-01 01 v1.0 Topic: PHP IMAP overflow fix problems Status: Released 5th March, 2001 Author: pre [Abstract] PHP 4.0.4 contains a fix for a buffer overflow in the imap module. Unfortunately this fix breaks the imap module under some circumstances due to its interaction with the WU c-client library which PHP uses to implement the imap protocol. [Description] The imap module in PHP contained a buffer overflow in versions prior to 4.0.4, due to improper use of strcpy(). The fix in 4.0.4 resolves the strcpy() problem, but causes the imap module to fail under some circumstances. For example, the IMP WebMail system fails to work correctly under 4.0.4, so PHP 4.0.3 is extensively deployed for use with IMP. A number of WebMail systems are likely to be vulnerable to this issue. The PHP imap module relies on the WU c-client library to actually perform imap (and POP3, NNTP and local mailbox) requests. Additionally, the c-client library uses callbacks into PHP in order to ascertain the username and password for the requested connection. The patch in PHP 4.0.4 changed the behavior of the imap module such that the username and password is no longer stored beyond the initial imap_open() call. However, the c-client library may still call the callback function to retrieve the username and password outside of this call, which then returns garbage data. For example, the imap_reopen() function triggers this call sequence. This issue appears to be fixed in the current CVS version of PHP (I haven't tested it, just looked at the code). The gsa2001-01.diff patch against php-4.0.4pl1 reverts the imap module to 4.0.3 behavior, without reintroducing the buffer overflow. [Time-line] 20010226 Draft v0.1 20010226 Sent to Andi Gutmans (PHP) and <security@horde.org> (IMP) for comment 20010305 Release v1.0 [Disclaimer] THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED ON THIS INFORMATION FOR ANY PURPOSE. THIS ADVISORY MAY BE REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY. --------------68F37704A906E5C477BFCC4B Content-Type: text/plain; charset=us-ascii; name="gsa2001-01.diff" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="gsa2001-01.diff" diff -ru php-4.0.4pl1/ext/imap/php_imap.c php-4.0.4pl1-patched/ext/imap/php_imap.c --- php-4.0.4pl1/ext/imap/php_imap.c Wed Oct 25 18:43:52 2000 +++ php-4.0.4pl1-patched/ext/imap/php_imap.c Mon Feb 26 13:17:08 2001 @@ -371,8 +371,8 @@ static void php_imap_init_globals(zend_imap_globals *imap_globals) { - imap_globals->imap_user=NIL; - imap_globals->imap_password=NIL; + imap_globals->imap_user[0] = 0; + imap_globals->imap_password[0] = 0; imap_globals->imap_folders=NIL; imap_globals->imap_sfolders=NIL; imap_globals->imap_alertstack=NIL; @@ -633,8 +633,11 @@ } } - IMAPG(imap_user) = estrndup(Z_STRVAL_PP(user), Z_STRLEN_PP(user)); - IMAPG(imap_password) = estrndup(Z_STRVAL_PP(passwd), Z_STRLEN_PP(passwd)); + strncpy(IMAPG(imap_user), Z_STRVAL_PP(user), IMAPSTRLEN); + strncpy(IMAPG(imap_password), Z_STRVAL_PP(passwd), IMAPSTRLEN); + + IMAPG(imap_user)[IMAPSTRLEN-1] = 0; + IMAPG(imap_password)[IMAPSTRLEN-1] = 0; #ifdef OP_RELOGIN /* AJS: persistent connection handling */ @@ -766,8 +769,6 @@ } else { #endif imap_stream = mail_open(NIL, Z_STRVAL_PP(mailbox), flags); - efree(IMAPG(imap_user)); - efree(IMAPG(imap_password)); if (imap_stream == NIL) { php_error(E_WARNING, "Couldn't open stream %s\n", (*mailbox)->value.str.val); diff -ru php-4.0.4pl1/ext/imap/php_imap.h php-4.0.4pl1-patched/ext/imap/php_imap.h --- php-4.0.4pl1/ext/imap/php_imap.h Tue Oct 17 16:42:05 2000 +++ php-4.0.4pl1-patched/ext/imap/php_imap.h Mon Feb 26 13:16:11 2001 @@ -13,6 +13,7 @@ extern zend_module_entry imap_module_entry; #define imap_module_ptr &imap_module_entry +#define IMAPSTRLEN 80 /* Data types */ @@ -140,8 +141,8 @@ PHP_FUNCTION(imap_mime_header_decode); ZEND_BEGIN_MODULE_GLOBALS(imap) - char *imap_user; - char *imap_password; + char imap_user[IMAPSTRLEN]; + char imap_password[IMAPSTRLEN]; STRINGLIST *imap_folders; STRINGLIST *imap_sfolders; STRINGLIST *imap_alertstack; --------------68F37704A906E5C477BFCC4B--