Bug #8323 php.exe crash when trying to pass command-line vars via URL
Submitted: 2000-12-19 12:10 UTC Modified: 2001-05-27 19:15 UTC
From: j dot kase at privador dot com Assigned:
Status: Closed Package: *General Issues
PHP Version: 4.0.3pl1 OS: Win2000 SP1
Private report: No CVE-ID: None
 [2000-12-19 12:10 UTC] j dot kase at privador dot com
How I found this: under Win32, when I use the $PHP_SELF env variable, it includes the path to the PHP executable, so that if I use the $PHP_SELF var in myscript.phtml (I have .phtml mapped to PHP), e.g. http://myhost/myscript.phtml includes a form which has action="$PHP_SELF", the next URL I am thrown to is http://myhost/php/php.exe/myscript.phtml.

Now, just remove the /myscript.phtml part and try to call http://myhost/php/php.exe. It takes about 10 seconds for PHP to crash, and a DrWatson log is generated. Apache terminates with 500 Internal Server Error, and "premature end of script headers" is found in error_log.

The same also happens when trying to pass command-line vars, e.g. http://myhost/php/php.exe?-h. (php.exe -h works fine on the command line.) I am not sure if it can be tweaked in any way to actually execute commands or do anything else malicious, but perhaps you guys should look into this.

Following is the DrWatson log for a call to http://myhost/php/php.exe.

==========


Application exception occurred:
        App:  (pid=1560)
        When: 12/19/2000 @ 19:09:40.239
        Exception number: c0000005 (access violation)

*----> System Information <----*
        Computer Name: KRABI
        User Name: SYSTEM
        Number of Processors: 1
        Processor Type: x86 Family 6 Model 6 Stepping 0
        Windows 2000 Version: 5.0
        Current Build: 2195
        Service Pack: 1
        Current Type: Uniprocessor Free
        Registered Organization: Privador AS
        Registered Owner: Jaanus Kase



State Dump for Thread Id 0x1dc

eax=005e74b8 ebx=100136a0 ecx=0012fdfc edx=005e3ac0 esi=fffffffe edi=00000000
eip=1008da97 esp=0012fd90 ebp=005e74b8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000216


function: call_user_function_ex
        1008da7a 56               push    esi
        1008da7b 57               push    edi
        1008da7c 6a00             push    0x0
        1008da7e 50               push    eax
        1008da7f e84cabffff       call    ts_resource_ex (100885d0)
        1008da84 8b4c2440         mov     ecx,[esp+0x40]         ss:00bfd367=????????
        1008da88 8b7c243c         mov     edi,[esp+0x3c]         ss:00bfd367=????????
        1008da8c 8be8             mov     ebp,eax
        1008da8e 83c408           add     esp,0x8
        1008da91 c70100000000     mov     dword ptr [ecx],0x0    ds:0012fdfc=00000000
FAULT ->1008da97 8a4708           mov     al,[edi+0x8]                 ds:00acd5d6=??
        1008da9a 3c04             cmp     al,0x4
        1008da9c 0f8503010000     jne     call_user_function_ex+0x135 (1008dba5)
        1008daa2 8b07             mov     eax,[edi]              ds:00000000=????????
        1008daa4 8d542434         lea     edx,[esp+0x34]         ss:00bfd367=????????
        1008daa8 52               push    edx
        1008daa9 6a00             push    0x0
        1008daab 50               push    eax
        1008daac e89f56ffff       call    zend_hash_index_find (10083150)
        1008dab1 83c40c           add     esp,0xc
        1008dab4 83f8ff           cmp     eax,0xff
        1008dab7 750a             jnz     zend_llist_get_prev_ex+0xa3 (100939c3)

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
005E74B8 005E0178 00000000 00000000 00010000 00000000 !call_user_function_ex 
005E7500 00000000 00000000 00000000 00000000 00000000 <nosymbols> 


State Dump for Thread Id 0x638

eax=00540650 ebx=00000000 ecx=00413288 edx=00000000 esi=00d2ff68 edi=77e1844a
eip=77e148fc esp=00d2ff24 ebp=00d2ff44 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246


function: PtInRect
        77e148d6 ff750c           push    dword ptr [ebp+0xc]    ss:017fd51a=????????
        77e148d9 ff5508           call    dword ptr [ebp+0x8]    ss:017fd51a=????????
        77e148dc 817c2404cdabbadc                                ss:017fd4fb=????????
                                  cmp     dword ptr [esp+0x4],0xdcbaabcd
        77e148e4 0f85c8690300     jne     SetClassLongW+0x556 (77e4b2b2)
        77e148ea 83c408           add     esp,0x8
        77e148ed 5d               pop     ebp
        77e148ee c21400           ret     0x14
        77e148f1 b89a110000       mov     eax,0x119a
        77e148f6 8d542404         lea     edx,[esp+0x4]          ss:017fd4fb=????????
        77e148fa cd2e             int     2e
        77e148fc c21000           ret     0x10
        77e148ff b8cb110000       mov     eax,0x11cb
        77e14904 8d542404         lea     edx,[esp+0x4]          ss:017fd4fb=????????
        77e14908 cd2e             int     2e
        77e1490a c21000           ret     0x10

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
00D2FF44 1008E555 00D2FF68 00000000 00000000 00000000 user32!PtInRect 
00D2FFB4 77E837CD 00B50C18 005E0178 005E0178 00B50C18 !zend_timeout 
00D2FFEC 00000000 00000000 00000000 00000000 00000000 kernel32!TlsSetValue 


 [2001-04-28 14:10 UTC] jmoore@php.net
You should use PATH_INFO rather than PHP_SELF in this situation. Also, having php/php.exe callable is a security risk without FORCE_CGI_REDIRECT enabled when compiling.

- James
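
Added example (not part of this bug report or of PHP's own code) showing the PATH_INFO approach from the comment above: under a Win32 CGI install, PHP_SELF carries the interpreter's own path (/php/php.exe/myscript.phtml), so the form action is derived from PATH_INFO, with SCRIPT_NAME as a fallback, and a link to the interpreter itself is never emitted. The $server arrays are constructed stand-ins for $_SERVER so the function can be exercised offline.

```php
<?php
// self_url(): pick the script's own URL path for a form action without
// relying on PHP_SELF. Under CGI, PATH_INFO is the part of the request
// path after the CGI binary (e.g. /myscript.phtml).
function self_url(array $server): string
{
    $path = $server['PATH_INFO'] ?? '';
    if ($path === '') {
        // Not invoked through a CGI redirect (e.g. module install):
        // SCRIPT_NAME is then the script's own path.
        $path = $server['SCRIPT_NAME'] ?? '';
    }
    // Refuse to hand out the interpreter's own location as a link target;
    // a request to it is exactly what the crash report above describes.
    if ($path === '' || preg_match('#/php\.exe(/|$)#i', $path)) {
        throw new RuntimeException('cannot determine a safe script path');
    }
    // Escape for use inside an HTML attribute value.
    return htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
}

// Constructed sample environments, not captured from a real server.
$cgiWin32 = [
    'PHP_SELF'    => '/php/php.exe/myscript.phtml',
    'PATH_INFO'   => '/myscript.phtml',
    'SCRIPT_NAME' => '/php/php.exe',
];
$moduleInstall = [
    'PHP_SELF'    => '/myscript.phtml',
    'SCRIPT_NAME' => '/myscript.phtml',
];
$directCgiCall = [
    'PHP_SELF'    => '/php/php.exe',
    'SCRIPT_NAME' => '/php/php.exe',
];

foreach ([$cgiWin32, $moduleInstall, $directCgiCall] as $env) {
    try {
        printf("<form action=\"%s\" method=\"post\">\n", self_url($env));
    } catch (RuntimeException $e) {
        // Direct call to php.exe with no script: no action is generated.
        printf("refused: %s\n", $e->getMessage());
    }
}
```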
 [2001-05-27 19:15 UTC] sniper@php.net
This should be fixed in CVS. Reopen this bug report
if the problem still exists with the soon-to-be-released PHP 4.0.6.

--Jani
