
Title: PHP remote format string vulnerabilities
Released by: Jouko Pynnönen
Date: 12th October 2000

PHP is a commonly used HTML-embedded scripting language. Format string
vulnerabilities exist in the error logging routines of PHP versions 3
and 4, allowing remote users to execute arbitrary code under the web
server's user id. A web server with PHP installed and one or more PHP
scripts is vulnerable to the problem if error logging is enabled in
php.ini. Any PHP script using the "syslog" command of PHP may also be
vulnerable, regardless of error logging.

The problem was tested on a Red Hat Linux system with Apache and
mod_php3 installed. Error logging was enabled in php.ini. With a test
exploit program, a shellcode could be run remotely under the web server
user id, which is typically not the root user.

In main.c, function php3_log_error():

        if (!strcmp(php3_ini.error_log, "syslog")) {
                syslog(LOG_NOTICE, log_message);
        } else {
                log_file = fopen(php3_ini.error_log, "a");
                if (log_file != NULL) {
                        fprintf(log_file, log_message);

This is a classic "format bug": log_message, which contains
attacker-influenced text, is passed as the format argument. There are a
couple of other similar fprintf() calls in the same function, as well as
calls to the Apache API functions aplog_error() and log_error(), all of
which use log_message as a format string.

The message can be trivially generated with any php3 script on a web
server, for example by sending a POST request with content-type
"multipart/form-data" but without a boundary string. A shellcode and
other data may be placed in the error message. The error message can be
generated even if the script does not itself process any POST data.

Another format bug in functions/syslog.c, function php3_syslog():

        syslog(priority->value.lval, message->value.str.val);

The "syslog" command of PHP takes two parameters, the priority/facility
number and the message itself. The message is always passed to libc
syslog() as a format string. Thus any PHP program doing syslogging may be
vulnerable to a format string attack; details depend on the script in

The code fragments above are taken from PHP 3 sources, but the
vulnerabilities exist in PHP version 4 too.
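Both bugs above share one fix: the untrusted message must be an argument
to a constant "%s" format, never the format itself. The following is an
added example written for this page (not code from the advisory or from
the PHP sources); the function names are invented, and it includes a
small detector that counts conversion directives in untrusted log text,
which is what a defender would look for in logs or in WAF/IDS rules.

```c
/* Added example: hardened forms of the two PHP 3 logging calls quoted
   in the advisory, plus a directive counter for untrusted text.
   Function names are hypothetical, not PHP's own. */
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hardened equivalent of fprintf(log_file, log_message) in
   php3_log_error(): the message is passed as an argument to a fixed
   format string, so "%n", "%x" etc. inside it are written literally. */
int log_message_safe(FILE *log_file, const char *log_message)
{
    return fprintf(log_file, "%s\n", log_message);
}

/* Hardened equivalent of syslog(priority, message) in php3_syslog(). */
void syslog_safe(int priority, const char *message)
{
    syslog(priority, "%s", message);
}

/* Count printf-style conversion directives in untrusted text. "%%" is a
   literal percent sign and is not counted. A non-zero count in text that
   ends up in a *format* position is an indicator of exploitation attempts
   worth alerting on. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }   /* escaped percent */
        n++;
    }
    return n;
}

/* Round-trip check: log a message through log_message_safe() into a
   temporary file and return 1 if it reads back byte-for-byte, 0 otherwise.
   Used to show that directives in the message are not interpreted. */
int logs_verbatim(const char *message)
{
    char buf[512];
    FILE *f = tmpfile();
    if (f == NULL)
        return 0;
    log_message_safe(f, message);
    rewind(f);
    if (fgets(buf, sizeof buf, f) == NULL) { fclose(f); return 0; }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return strcmp(buf, message) == 0;
}
```

The constructed message in the test mimics the kind of error text the
advisory describes (a malformed multipart POST) with directives embedded
in it; with the "%s" form it is logged literally.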


The PHP authors were contacted two weeks ago and have released new
versions of the software. OS vendors have been contacted as well and
have released, or will shortly release, fix packages. A temporary
workaround is to disable error logging in php.ini and to disable any PHP
scripts that use the syslog command.

A new fixed version of PHP 4 is downloadable at


Vulnerability discovered by: Jouko Pynnönen

Jouko Pynnönen          Online Solutions Ltd       Secure your Linux -
jouko@solutions.fi                                 http://www.secmod.com

(C) 1999-2000 All rights reserved.