Mailinglist Archive


PHP memory_limit remote vulnerability
From: Joe Klemmer
Date: Thu, 15 Jul 2004 12:46:24 -0400

Advisory 11/2004
PHP memory_limit remote vulnerability

Release Date:   2004/07/14 
Author:         Stefan Esser [s.esser@ematters.de] 
Application:    PHP <= 4.3.7
                PHP5 <= 5.0.0RC3 
Severity:       A vulnerability within PHP allows remote code execution
                on PHP servers with activated memory_limit 
Risk:           Critical 
Reference:      http://security.e-matters.de/advisories/112004.html 
Last Modified:  2004/07/14

Overview
During a reaudit of the memory_limit problematic it was discovered that
it is possible for a remote attacker to trigger the memory_limit request
termination in places where an interruption is unsafe. This can be
abused to execute arbitrary code on remote PHP servers.

http://security.e-matters.de/advisories/112004.html

-- 
Joe Klemmer 
Unix System/Network Administrator & Ad Hoc Programmer