Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

php_echo is vulnerable to format string attacks! #5

Open
wizzwizz4 opened this issue Feb 21, 2020 · 1 comment
Open

php_echo is vulnerable to format string attacks! #5

wizzwizz4 opened this issue Feb 21, 2020 · 1 comment

Comments

@wizzwizz4
Copy link

solder::zend::php_echo is implemented as:

php_printf(c_message.as_bytes_with_nul().as_ptr() as *const i8);

but it should be something like:

php_printf(c_str!("%s"), c_message.as_bytes_with_nul().as_ptr() as *const i8);

(Please check that this works before using it; it's untested unsafe code interacting with C variadic arguments!)
@wizzwizz4
Copy link
Author

wizzwizz4 commented Feb 26, 2020
edited
Loading

I tested this code in my fork (SnAgCu, not the one on GitHub). I can't promise it is safe, but it prints the output and isn't vulnerable against format string attacks, so I'm tentatively calling it a success.

wizzwizz4 added a commit to wizzwizz4/solder that referenced this issue Feb 26, 2020
@wizzwizz4
Fix format string vulnerability (fixes killertux#5)
46c13b3
@wizzwizz4 wizzwizz4 mentioned this issue Feb 26, 2020
Open
roosterchicken pushed a commit to roosterchicken/solder that referenced this issue Feb 9, 2021
@wizzwizz4 @roosterchicken
Fix format string vulnerability (fixes killertux#5)
830c676
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@wizzwizz4