Bug #6351 '%'-characters in syslog()-function
Submitted: 2000-08-25 08:22 UTC Modified: 2000-09-17 17:10 UTC
From: jjaakkol at cs dot helsinki dot fi Assigned:
Status: Closed Package: *General Issues
PHP Version: 4.0.1pl2 OS: Any OS with syslog()
Private report: No CVE-ID: None
 [2000-08-25 08:22 UTC] jjaakkol at cs dot helsinki dot fi
syslog() function has a client given format string vulnerability (this is actually
known, since there is a comment on this in the sources).

# cat test.php
<?php
syslog(5,"%s");
?>
 
# php4 test.php
Content-type: text/html
 
 
# tail -1 /var/log/messages
Aug 25 15:05:12 demonstration php4: U??f?^HVS<u^Lf}^H^Bu^W?E?P?E?Pj^B??^^A         

However, I guess that this could be exploited to gain access to the PHP server in scripts which syslog() some client given data. So this is a security problem too.

The simple fix is to change the line 
php_syslog((*priority)->value.lval, (*message)->value.str.val);
in ext/standard/syslog.c to
php_syslog((*priority)->value.lval,"%s", (*message)->value.str.val);
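The two call patterns the report contrasts, as an added illustration (this is not PHP's ext/standard/syslog.c and not the reporter's code): a stand-in logger that formats with vsnprintf() into a buffer instead of sending to syslogd, so the effect of treating the message as a format string versus as data can be observed offline, plus a small audit helper that counts '%' conversion directives in a string. The names sink_log, log_message_as_format, log_message_as_data, count_format_directives and logs_verbatim, and the sample messages, are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for php_syslog()/syslog(3): formats into a
 * caller-supplied buffer with vsnprintf() instead of talking to syslogd,
 * so the two call patterns from the report can be compared offline. */
static int sink_log(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* The pattern the report describes: the client-supplied message IS the
 * format string. Any '%' directive in it makes vsnprintf() consume
 * arguments that were never passed: undefined behaviour, which shows up
 * as the garbage in the report's /var/log/messages line or as a crash.
 * Only called below with a directive-free message. */
int log_message_as_format(char *out, size_t outlen, const char *message)
{
    return sink_log(out, outlen, message);
}

/* The fix the report proposes: a fixed "%s" format, the message is data. */
int log_message_as_data(char *out, size_t outlen, const char *message)
{
    return sink_log(out, outlen, "%s", message);
}

/* Audit helper: count conversion directives, i.e. '%' characters that are
 * not the literal escape "%%". A non-zero result for data that is about to
 * be passed as a format argument marks a bug of exactly this kind. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Returns 1 if the fixed-format path logs `message` byte-for-byte. */
int logs_verbatim(const char *message)
{
    char out[256];
    log_message_as_data(out, sizeof out, message);
    return strcmp(out, message) == 0;
}

int main(void)
{
    const char *benign = "user login from 10.0.0.1";  /* constructed sample */
    const char *hostile = "%s %s %s";                 /* the report's "%s" idea */
    char out[256];

    /* Both paths agree when the message contains no directives. */
    log_message_as_format(out, sizeof out, benign);
    printf("as format, benign message: %s\n", out);
    log_message_as_data(out, sizeof out, benign);
    printf("as data,   benign message: %s\n", out);

    /* With directives present only the fixed-format path is safe to call. */
    printf("directives in hostile message: %d\n",
           count_format_directives(hostile));
    log_message_as_data(out, sizeof out, hostile);
    printf("as data, hostile message logged verbatim: %s\n", out);
    return 0;
}
```

Beyond auditing by hand, GCC and Clang flag the vulnerable shape at compile time: `-Wformat-security` warns on a printf-family or syslog() call whose format is a non-literal and that passes no further arguments, which is precisely `php_syslog(prio, message)` before the fix and silent for `php_syslog(prio, "%s", message)` after it.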

 [2000-08-27 06:03 UTC] stas@php.net
Seems to be a real bug. We should either require parameters for %-s, or inhibit them altogether, and use %s for it.

Contrary to what the user says, I do not see a way to exploit it actively (like, for modifying any data on the server), but this can easily lead to a crash, since a garbage pointer is referenced.
 [2000-08-27 07:29 UTC] jjaakkol at cs dot helsinki dot fi
This kind of "format bug" has been exploited before.
At least wu-ftpd and proftpd have been vulnerable to format bugs. See the BugTraq mailing list last July for details
(especially the thread "paper: format bugs").
I don't know for sure if this could be exploited in PHP, but my best guess is that it probably could be.

IMHO, the best fix would be to just use syslog("%s",string). You only need five more characters but no change in the
PHP-syslog function API.


 [2000-09-17 17:10 UTC] stas@php.net
Fixed in CVS.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Wed Jul 02 04:01:38 2025 UTC