Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1229336221.3431.24.camel@dhcp-lab-164.englab.brq.redhat.com>
Date: Mon, 15 Dec 2008 11:17:01 +0100
From: Jan Lieskovsky <jlieskov@...hat.com>
To: oss-security@...ts.openwall.com
Cc: Florian Weimer <fw@...eb.enyo.de>,
        Raphael Geissert <atomo64+debian@...il.com>
Subject: Re:  Re: CVE Request - roundcubemail

Hello guys,

On Sat, 2008-12-13 at 13:54 +0100, Florian Weimer wrote:
> * Raphael Geissert:
> 
> > I became aware of some sort of code execution vulnerability one day
> > before that ticket was reported. After reviewing the file I
> > determined that it isn't a vulnerability in roundcube, but in PHP
> > itself; but I'm open to be proved wrong.
> 
> I think this is a documented feature of preg_replace with the "e"
> flag, comparable to what happens when you use string concatenation to
> create SQL statements.

Yes, according to:
http://bugs.php.net/bug.php?id=35960

the behavior of 'e' modifier in the preg_replace function is
expected and well documented feature:

http://php.net/manual/en/reference.pcre.pattern.modifiers.php

So the problem isn't in PHP itself, the problem is
roundcubemail (and possibly other applications) use it
in wrong/improper/vulnerable way.

--
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.