LFI to RCE via access_log injection

PHP Fixes OpenSSL Flaws in New Releases


The PHP Group has released new versions of the popular scripting language that fix a number of bugs, including two in OpenSSL. The flaws fixed in OpenSSL don’t rise to the level of the major bugs such as Heartbleed that have popped up in the last few months. But PHP 5.5.14 and 5.4.30 both contain fixes for the two vulnerabilities, one of which is related to the way that OpenSSL handles timestamps on some certificates, and the other of which also involves timestamps, but in a different way.
“This piece of code is the part of a backwards UTCTime parser. It moves 2 positions to the left, and converts those two characters to an int,” the bug report for one of the OpenSSL flaws says.
“However, certs with a validity past 2050 contain GeneralizedTime formatted timestamps allowing 4 characters in the year field instead of the UTCTime this function parses (badly).”
The second OpenSSL vulnerability lies in the way that PHP handles certain data types for timestamps. A specially crafted certificate can cause errors.
“The cert was generated by a Windows 2003 server. Note the ‘valid to’ time is ‘Jun 21 15:59:11 2109 GMT’. In openssl.c PHP checks for V_ASN1_UTCTIME, but triggers the warning when the time is V_ASN1_GENERALIZEDTIME. According to a brief search of the openssl source both are valid expressions of a valid from/to time,” the report says.
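The two reports describe the same gap: a parser that assumes the two-digit-year UTCTime layout when a certificate carries a four-digit-year GeneralizedTime. The sketch below is an added example, not PHP's or OpenSSL's code. It shows a tag-aware parser that accepts both types and rejects anything whose length or content does not match its declared type; `parse_cert_time` and `struct cert_time` are hypothetical names, and the input is assumed to follow the RFC 5280 profile (seconds present, trailing `Z`).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Tag numbers match OpenSSL's V_ASN1_UTCTIME / V_ASN1_GENERALIZEDTIME. */
enum { TAG_UTCTIME = 23, TAG_GENERALIZEDTIME = 24 };
struct cert_time { int year, mon, day, hour, min, sec; };

/* Two ASCII digits to int; the caller has already validated the digits. */
static int two(const char *p) { return (p[0] - '0') * 10 + (p[1] - '0'); }

/* Hypothetical helper: parse an X.509 validity timestamp by its ASN.1 type.
 * Returns 0 on success, -1 on malformed input or an unsupported tag. */
int parse_cert_time(int tag, const char *s, size_t len, struct cert_time *out)
{
    size_t year_digits, i;
    if (tag == TAG_UTCTIME)              year_digits = 2;  /* YYMMDDHHMMSSZ   */
    else if (tag == TAG_GENERALIZEDTIME) year_digits = 4;  /* YYYYMMDDHHMMSSZ */
    else return -1;
    /* Length must match the declared type exactly: no guessing from content. */
    if (!s || !out || len != year_digits + 11 || s[len - 1] != 'Z') return -1;
    for (i = 0; i < len - 1; i++)
        if (!isdigit((unsigned char)s[i])) return -1;

    if (year_digits == 2) {
        int yy = two(s);
        out->year = yy < 50 ? 2000 + yy : 1900 + yy;   /* RFC 5280 pivot */
    } else {
        out->year = two(s) * 100 + two(s + 2);
    }
    s += year_digits;
    out->mon = two(s);      out->day = two(s + 2); out->hour = two(s + 4);
    out->min = two(s + 6);  out->sec = two(s + 8);
    if (out->mon < 1 || out->mon > 12 || out->day < 1 || out->day > 31 ||
        out->hour > 23 || out->min > 59 || out->sec > 59) return -1;
    return 0;
}

int main(void)
{
    struct cert_time t;
    /* Constructed sample: the report's "Jun 21 15:59:11 2109 GMT". */
    const char *g = "21090621155911Z";
    if (parse_cert_time(TAG_GENERALIZEDTIME, g, strlen(g), &t) == 0)
        printf("%04d-%02d-%02d %02d:%02d:%02d\n",
               t.year, t.mon, t.day, t.hour, t.min, t.sec);
    /* The same bytes labelled as UTCTime are rejected, not misparsed. */
    printf("as UTCTime: %d\n", parse_cert_time(TAG_UTCTIME, g, strlen(g), &t));
    return 0;
}
```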
Along with the two OpenSSL vulnerabilities fixed in PHP 5.5.14 and 5.4.30, there are a number of other bugs fixed in the releases, many of which are not security related.

