
Security for All

Sûnnet Beskerming is a company with a focus and a drive to provide Information Security services for all those who want to stay safe and secure in an online world.


PHP - Local hacker automatic denial of service

Version: At least version 5.2.3
Technical Details:

PHP's glob function overwrites the EIP register with the first four bytes of the current filename encountered by glob when a negative integer is passed as the optional flags argument. This causes a Denial of Service condition for PHP. If the attacker is able to fill other sections of memory with code of their choice, then this vulnerability can very simply be extended to an arbitrary code execution exploit.

Description:

An interesting Denial of Service vulnerability has been released for PHP that allows an attacker who can write arbitrary PHP code to crash PHP and potentially take over the vulnerable server (yet to be tested).

This vulnerability is only of moderate risk at the moment, but if reliable control and exploitation leading to system control can be achieved, it will be a Critical risk, especially for administrators and owners of systems where virtual hosting is used to allow multiple users access to PHP.

Mitigation:

Consider restricting access to setting flags in glob to authorised users only, or consider replacing calls to glob with equivalent code.
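
One way to apply both suggestions in application code, as an added example that is not part of the original advisory or of PHP itself: a hypothetical `safe_glob()` wrapper (the function name and the `SAFE_GLOB_ALLOWED` constant are assumptions) that rejects negative or unknown flag values and matches filenames with `scandir()` and `fnmatch()` instead of calling `glob()`. It assumes wildcards appear only in the last path component.

```php
<?php
// Added example: hypothetical stand-in for glob() that never hands a
// caller-supplied flags value to the native function.

// Flags this wrapper understands; every other bit is refused.
define('SAFE_GLOB_ALLOWED', GLOB_MARK | GLOB_ONLYDIR | GLOB_NOSORT);

function safe_glob($pattern, $flags = 0)
{
    // A negative integer always sets bits outside the mask, but the sign is
    // tested explicitly so the reason for rejection is obvious to a reader.
    if (!is_int($flags) || $flags < 0 || ($flags & ~SAFE_GLOB_ALLOWED) !== 0) {
        throw new InvalidArgumentException('safe_glob: unsupported flags value');
    }

    // Assumption: wildcards are only allowed in the last path component.
    $dir  = dirname($pattern);
    $mask = basename($pattern);
    if (strpbrk($dir, '*?[') !== false) {
        throw new InvalidArgumentException('safe_glob: wildcard in directory part');
    }

    $entries = @scandir($dir);
    if ($entries === false) {
        return array();               // unreadable or missing directory
    }

    $matches = array();
    foreach ($entries as $name) {
        if ($name === '.' || $name === '..') continue;
        // FNM_PERIOD: a leading dot must be matched explicitly, as with glob().
        if (!fnmatch($mask, $name, FNM_PERIOD)) continue;
        // Return bare names for a bare pattern, full paths otherwise.
        $bare  = ($dir === '.' && strpos($pattern, './') !== 0);
        $path  = $bare ? $name : rtrim($dir, '/') . '/' . $name;
        $isDir = is_dir($path);
        if (($flags & GLOB_ONLYDIR) && !$isDir) continue;
        if (($flags & GLOB_MARK) && $isDir) $path .= '/';
        $matches[] = $path;
    }
    if (!($flags & GLOB_NOSORT)) sort($matches);
    return $matches;
}

// Constructed usage: a normal listing, then a negative flag being refused.
print_r(safe_glob('*.php'));
try { safe_glob('*.php', -1); }
catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
```

A wrapper like this only covers code that calls it. On shared hosts where users run their own PHP, the native function can additionally be listed in the `disable_functions` directive in php.ini.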

Updates:

Not Yet Available

Source:

shinnai

Exploits:

http://milw0rm.com/exploits/4181

External Tracking Data:

Not Yet Identified

