Härnhammar wrote:
>Quoting "Herbold, John W." <JWHERBOLD_at_arkbluecross.com>:
>
>
>>>but PHP is NOT vulnerable to buffer overflows from PHP scripts
>>>
>>>
>>A quick search on Google for "PHP buffer overflow" shows otherwise.
>>
>>
>
>A program written in a scripting language might at some point send data to a program written in a compiled language. Common examples include MySQL and sendmail. Thus, if we only check what characters are used and not the length of data fields, people could conceivably crack a sendmail server through our script, even if they can't connect to it directly.
>
>Moral of the story: always check lengths as well, and avoid regular expression
>characters such as * or +, as they allow an unlimited amount of something.
>
>
>
Those are all bugs in the program being called. I see your point, but
the solution in this case is to patch the flawed program. Wrapping the
'real' program in fool-proof script-blankets is not only impossible, it
also requires in-depth knowledge about the software being called. If you
have that knowledge you could easily patch the 'real' program instead.
On a side-note:
It's of course never a good idea to pass user-supplied data to a program,
but that doesn't necessarily involve bugs for it to be exploitable. I
thought this was self-explanatory, but apparently I was wrong.
/Andreas
Received on Nov 25 2003
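
The length check recommended in the quoted message, sketched in PHP as an added example that is not part of either post: each field gets an explicit byte cap and a regex with bounded quantifiers before anything is handed to a backend such as sendmail or MySQL. The field names, limits and sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example: field names, limits and inputs below are constructed.

// Per-field rules: an explicit byte cap plus a regex whose quantifier is
// bounded ({1,64}) instead of * or +, which accept input of any length.
const FIELD_RULES = [
    'local'   => ['max' => 64,  're' => '/\A[A-Za-z0-9._-]{1,64}\z/'],
    'domain'  => ['max' => 253, 're' => '/\A[A-Za-z0-9.-]{1,253}\z/'],
    'subject' => ['max' => 120, 're' => '/\A[\x20-\x7E]{1,120}\z/'],
];

// Returns an array of field => reason; an empty array means every field passed.
function validate_fields(array $input): array
{
    $errors = [];
    foreach (FIELD_RULES as $name => $rule) {
        $value = $input[$name] ?? null;
        if (!is_string($value)) {
            $errors[$name] = 'missing';
        } elseif (strlen($value) > $rule['max']) {
            // Length is checked first, in bytes, before any regex runs.
            $errors[$name] = 'too long';
        } elseif (preg_match($rule['re'], $value) !== 1) {
            $errors[$name] = 'bad characters';
        }
    }
    return $errors;
}

// Constructed inputs: same character set, very different lengths.
$ok  = ['local' => 'alice', 'domain' => 'example.org', 'subject' => 'Hello'];
$big = ['local' => str_repeat('A', 5000), 'domain' => 'example.org',
        'subject' => 'Hello'];

// A character-only check with an unbounded quantifier accepts the
// 5000-byte value, which is the gap the quoted message warns about.
$unbounded = '/\A[A-Za-z0-9._-]+\z/';
var_dump(preg_match($unbounded, $big['local']) === 1);

// The bounded rules accept the short input and reject the long one.
var_dump(validate_fields($ok));
var_dump(validate_fields($big));
```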