2010-07-20:

Just some old PHP research

security:php:rant
Last night we published (on j00ru's blog) some old, low-severity PHP advisories (well, they are more research write-ups than actual advisories). Basically, we did the research to test a new (i.e. new for us) method of application review, which I find quite cool.

The method (already described in j00ru's post, so you can skip this part if you've read it) is very simple. I read about it in some book (I think it was "The Art of Software Testing") and decided we could give it a try. Here is how it works.

1. You gather a group of people (2-3 will do) and print some code (an on-screen display will do too, but opinions were mixed about which is more convenient).
2. You select one person, who starts reading the code from some entry point (a function, main(), or similar), line by line.
3. After each line, you discuss it, focusing on whether it poses a security threat or perhaps contains a bug. If nothing is found (e.g. the line is too trivial to hide anything), you continue. Otherwise, you note the line down and either continue or jump to the keyboard and write a PoC :)
4. You switch the reading person once he gets tired.

I think it has a cool educational function too, since a beginner in the group can learn lots of things from such discussions :)

Anyway, we checked the EXIF module in PHP with the above technique and found some minor stuff like:
- three memory disclosures (a byte here, two bytes there, etc.; not useful for anything as far as we could tell)
- three DoSes (which could not be turned into code execution, but were interesting from a researcher's PoV)
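The kind of check a line-by-line reading of a format parser is hunting for, as an added example: this is not PHP's ext/exif code and not the bugs from the advisories (which the post does not detail), but a minimal TIFF/EXIF IFD walker in which every offset and length taken from the file is validated before it is dereferenced. The two things it refuses are the two bug classes named above: a value offset that points past the end of the buffer (reading there discloses whatever memory follows) and a next-IFD chain that never terminates (a parser that follows it spins forever). The sample bytes are constructed for the example, and MAX_IFDS is an arbitrary cap chosen here, not a value from any specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A cursor over an in-memory TIFF/EXIF blob. Every read goes through
 * rd16/rd32, so "does this offset lie inside the buffer?" is answered in
 * exactly one place instead of at every use site. */
typedef struct {
    const uint8_t *buf;
    size_t len;
    int le;            /* 1 = "II" little-endian, 0 = "MM" big-endian */
} tiff_t;

static int rd16(const tiff_t *t, size_t off, uint16_t *out)
{
    /* Written as len - off < 2, never off + 2 > len: the addition can wrap. */
    if (off > t->len || t->len - off < 2) return -1;
    *out = t->le ? (uint16_t)(t->buf[off] | (t->buf[off + 1] << 8))
                 : (uint16_t)((t->buf[off] << 8) | t->buf[off + 1]);
    return 0;
}

static int rd32(const tiff_t *t, size_t off, uint32_t *out)
{
    uint16_t a, b;
    if (rd16(t, off, &a) || rd16(t, off + 2, &b)) return -1;
    *out = t->le ? ((uint32_t)b << 16) | a : ((uint32_t)a << 16) | b;
    return 0;
}

/* Byte width of each TIFF field type, indexed by type number 1..12. */
static const uint8_t type_size[13] = { 0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8 };

#define MAX_IFDS 16   /* arbitrary cap for this example: a next-IFD link that loops back is a DoS, not an image */

/* Walk every IFD and validate every entry. Returns the number of entries
 * seen, or -1 as soon as anything would require reading outside buf. */
int tiff_count_entries(const uint8_t *buf, size_t len)
{
    tiff_t t = { buf, len, 0 };
    uint16_t magic;
    uint32_t ifd;
    int total = 0, ifds = 0;

    if (len < 8) return -1;
    if (memcmp(buf, "II", 2) == 0) t.le = 1;
    else if (memcmp(buf, "MM", 2) != 0) return -1;
    if (rd16(&t, 2, &magic) || magic != 42) return -1;
    if (rd32(&t, 4, &ifd)) return -1;

    while (ifd != 0) {
        uint16_t n;
        if (++ifds > MAX_IFDS) return -1;
        if (rd16(&t, ifd, &n)) return -1;
        /* n entries of 12 bytes plus the 4-byte next-IFD link must all fit. */
        if (t.len - ((size_t)ifd + 2) < (size_t)n * 12 + 4) return -1;
        for (uint16_t i = 0; i < n; i++) {
            size_t e = (size_t)ifd + 2 + (size_t)i * 12;
            uint16_t tag, type;
            uint32_t count, val;
            uint64_t size;
            rd16(&t, e, &tag); rd16(&t, e + 2, &type);          /* in range: table checked above */
            rd32(&t, e + 4, &count); rd32(&t, e + 8, &val);
            if (type == 0 || type > 12) return -1;              /* unknown type: no width to multiply by */
            size = (uint64_t)count * type_size[type];           /* 64-bit product: count * 8 cannot wrap */
            /* Values wider than 4 bytes live out-of-line at offset val, which must lie inside buf. */
            if (size > 4 && (val > t.len || t.len - val < size)) return -1;
            (void)tag;
            total++;
        }
        if (rd32(&t, (size_t)ifd + 2 + (size_t)n * 12, &ifd)) return -1;
    }
    return total;
}

/* Constructed sample (not from any real file): "II" header, one IFD with
 * ImageWidth (SHORT, stored inline) and ImageDescription (ASCII, 5 bytes
 * stored out-of-line at offset 0x26), next-IFD link = 0, then the string. */
static const uint8_t sample_ok[] = {
    'I','I', 0x2a,0x00, 0x08,0x00,0x00,0x00,                          /* LE, magic 42, IFD0 at 8 */
    0x02,0x00,                                                         /* 2 entries */
    0x00,0x01, 0x03,0x00, 0x01,0x00,0x00,0x00, 0x10,0x00,0x00,0x00,   /* 0x0100 SHORT x1 = 16 */
    0x0e,0x01, 0x02,0x00, 0x05,0x00,0x00,0x00, 0x26,0x00,0x00,0x00,   /* 0x010e ASCII x5 @ 0x26 */
    0x00,0x00,0x00,0x00,                                               /* no next IFD */
    'a','b','c','d',0x00                                               /* the 5 ASCII bytes at 0x26 */
};

int demo_valid(void)     { return tiff_count_entries(sample_ok, sizeof sample_ok); }
/* Same bytes cut off before the string: the ASCII value now points past the end. */
int demo_truncated(void) { return tiff_count_entries(sample_ok, 40); }
/* Same bytes with the next-IFD link pointing back at IFD0: an endless chain. */
int demo_looping(void)
{
    uint8_t buf[sizeof sample_ok];
    memcpy(buf, sample_ok, sizeof buf);
    buf[34] = 0x08;
    return tiff_count_entries(buf, sizeof buf);
}

int main(void)
{
    printf("valid: %d entries, truncated: %d, looping: %d\n",
           demo_valid(), demo_truncated(), demo_looping());
    return 0;
}
```

Reading this the way the method above prescribes, the lines worth stopping at are the three comparisons: the subtraction form in rd16 (an `off + 2 > len` would pass for an `off` near the top of the address range), the 64-bit product for `size` (a 32-bit `count * 8` wraps to a small number and passes a naive check), and the IFD counter (without it, every other check passes forever).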

Well, we wrote PoCs and advisories and pushed them to the PHP team, got an initial response that they would take a look, and then... (here is where the rant starts ;p)
Ehm... that's the problem. I have no idea whether anything has actually happened with the bugs, since the PHP team never let us know if they had patched them (it was minor stuff, but we wanted to go with vendor-coordinated disclosure anyway) and didn't reply to our later e-mails.
Some time ago we checked and found that current PHP has the bugs fixed, but I guess we were not credited in the changelog (understandable, minor severity), and we never did get a reply from the PHP team about whether the stuff got fixed.

I know it was minor stuff, but it's nice to get an "OK Fixed" (8 characters) e-mail anyway.
I guess the PHP team will join Mozilla on my personal list of 'vendors that stop replying to e-mails' ;p

OK, enough of the ranting :)

The advisories:
PHP 5.2.10 / 5.3.0 EXIF Denial of Service 1
PHP 5.2.10 / 5.3.0 EXIF Denial of Service 2
PHP 5.2.10 / 5.3.0 EXIF Denial of Service 3
PHP 5.2.10 / 5.3.0 Multiple Memory Disclosure

Take care :)

Comments:

2010-09-08 17:52:34 = Phpresponse
{
Adding to your rant, I got a response from them once!

But it was a well-known type of response -> you shit, me cool

Aka: offense is the best defense
}
