PHP :: Bug #6351 :: '%'-characters in syslog()-function

Bug #6351	'%'-characters in syslog()-function
Submitted:	2000-08-25 08:22 UTC	Modified:	2000-09-17 17:10 UTC
From:	jjaakkol at cs dot helsinki dot fi	Assigned:
Status:	Closed	Package:	*General Issues
PHP Version:	4.0.1pl2	OS:	Any OS with syslog()
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	jjaakkol at cs dot helsinki dot fi
New email:
PHP Version:		OS:

New/Additional Comment:

[2000-08-25 08:22 UTC] jjaakkol at cs dot helsinki dot fi

syslog() function has a client given format string vulneralibity (this is actually
known, since there is a comment on this in the sources).

# cat test.php
<?php
syslog(5,"%s");
?>
 
# php4 test.php
Content-type: text/html
 
 
# tail -1 /var/log/messages
Aug 25 15:05:12 demonstration php4: U??f?^HVS<u^Lf}^H^Bu^W?E?P?E?Pj^B??^^A         

However, I guess that  this could be exploited to gain access to PHP-server in scripts who syslog() some client given data. So this is a security problem too.

The simple fix is to change the line 
php_syslog((*priority)->value.lval, (*message)->value.str.val);
in ext/standard/syslog.c to
php_syslog((*priority)->value.lval,"%s", (*message)->value.str.val);

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2000-08-27 06:03 UTC] stas@php.net

Seems to be a real bug. We should or require parameters for %-s, or inhibit them at all, and use %s for it. 

Contrary to what user says, I do not see a way to exploit it actively (like, for modifying any data on the server), but this can easily lead for crash, since garbage pointer is referenced.

[2000-08-27 07:29 UTC] jjaakkol at cs dot helsinki dot fi

This kind of "format bugs" have been exploited before.
At least wu-ftpd and proftpd have been vulnerable to format bugs. See BugTraq mailing list last july for details
(especially the thread "paper: format bugs").
I don't know for sure if this could be exploided in PHP, but my best guess is that it probably could be.

IMHO, the best fix would be to just use syslog("%s",string). You only need five more characters but no change in the
PHP-syslog function API.

[2000-09-17 17:10 UTC] stas@php.net

fixed in CVS.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Oct 29 16:00:01 2025 UTC