From pre@GEEKGANG.CO.UK Mon Mar 5 18:35:22 2001
From: pre
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Mon, 5 Mar 2001 13:15:53 +0000
Subject: [BUGTRAQ] [GSA2001-01] PHP IMAP overflow fix problems

geekgang Security Advisory [gsa2001-01]
[www.geekgang.co.uk]
© Copyright 2001 geekgang

ID:     geekgang GSA2001-01 01 v1.0
Topic:  PHP IMAP overflow fix problems
Status: Released 5th March, 2001
Author: pre

[Abstract]

PHP 4.0.4 contains a fix for a buffer overflow in the imap module. Unfortunately this fix breaks the imap module under some circumstances, due to its interaction with the WU c-client library which PHP uses to implement the imap protocol.

[Description]

The imap module in PHP contained a buffer overflow in versions prior to 4.0.4, due to improper use of strcpy(). The fix in 4.0.4 resolves the strcpy() problem, but causes the imap module to fail under some circumstances. For example, the IMP WebMail system does not work correctly under 4.0.4, so PHP 4.0.3 is extensively deployed for use with IMP. A number of WebMail systems are likely to be vulnerable to this issue.

The PHP imap module relies on the WU c-client library to actually perform imap (and POP3, NNTP and local mailbox) requests. Additionally, the c-client library uses callbacks into PHP to ascertain the username and password for the requested connection. The patch in PHP 4.0.4 changed the behavior of the imap module such that the username and password are no longer stored beyond the initial imap_open() call. However, the c-client library may still call the callback function to retrieve the username and password outside of this call, and the callback then returns garbage data. For example, the imap_reopen() function triggers this call sequence.

This issue appears to be fixed in the current CVS version of PHP (I haven't tested it, just looked at the code).
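The callback hand-off described above, as an added C model that is not PHP's or c-client's own code; every identifier in it (session_t, copy_cred, imap_login_cb, imap_open_model, open_then_reopen, CRED_MAX) is hypothetical. The 4.0.4 behaviour is modelled as the credentials being dropped after imap_open(), with the callback reporting that explicitly instead of handing back stale memory, and a bounded copy stands in for the strcpy() fix:

```c
/* Model of the credential hand-off between the PHP imap module and the
 * c-client login callback. All names here are hypothetical, not the real
 * PHP or c-client identifiers. */
#include <string.h>
#define CRED_MAX 64                 /* fixed-size buffers, as in the originals */
typedef struct {
    char user[CRED_MAX];
    char pass[CRED_MAX];
    int  valid;                     /* 1 while credentials are retained */
} session_t;
/* Bounded copy that refuses over-long input instead of overflowing, in place
 * of the unchecked strcpy() that caused the pre-4.0.4 overflow. */
static int copy_cred(char *dst, const char *src) {
    size_t n = strlen(src);
    if (n >= CRED_MAX) return -1;
    memcpy(dst, src, n + 1);        /* includes the terminating NUL */
    return 0;
}
/* The login callback: the library asks the application for the username and
 * password, possibly long after the initial open (e.g. on a reopen). */
static int imap_login_cb(const session_t *s, char *user, char *pass) {
    if (!s->valid) return -1;       /* nothing valid to hand back */
    copy_cred(user, s->user);
    copy_cred(pass, s->pass);
    return 0;
}
/* imap_open(): keep_creds == 0 models the 4.0.4 fix, which dropped the
 * credentials after this call; 1 keeps them for the session's lifetime. */
static int imap_open_model(session_t *s, const char *u, const char *p, int keep_creds) {
    char user[CRED_MAX], pass[CRED_MAX];
    memset(s, 0, sizeof *s);
    if (copy_cred(s->user, u) || copy_cred(s->pass, p)) return -1;
    s->valid = 1;
    if (imap_login_cb(s, user, pass)) return -1;   /* initial login */
    s->valid = keep_creds;
    return 0;
}
/* imap_reopen() triggers the callback again. Returns the callback's result:
 * 0 = credentials delivered, -1 = none available (the 4.0.4 failure),
 * -2 = open itself refused the credentials as over-long. */
static int open_then_reopen(const char *u, const char *p, int keep_creds) {
    session_t s;
    char user[CRED_MAX], pass[CRED_MAX];
    if (imap_open_model(&s, u, p, keep_creds)) return -2;
    return imap_login_cb(&s, user, pass);
}
```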
The gsa2001-01.diff patch against php-4.0.4pl1 reverts the imap module to 4.0.3 behavior, without reintroducing the buffer overflow.

[Time-line]

20010226 Draft v0.1
20010226 Sent to Andi Gutmans (PHP) and (IMP) for comment
20010305 Release v1.0

[Disclaimer]

THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED ON THIS INFORMATION FOR ANY PURPOSE. THIS ADVISORY MAY BE REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY.

[Part 2, Text/PLAIN 59 lines]