


PHP-5.3.9 Remote Arbitrary Code Execution Vulnerability (CVE-2012-0830) Detailed Explanation_PHP Tutorial
Remember the PHP Hash Collisions Ddos vulnerability I mentioned before? At first, the repair plan given by the development team was to report an error (E_ERROR) if it exceeds max_input_vars, which in turn caused PHP to end with an error. Later, In order to solve this problem more lightweight, we improved it and changed it to issue a warning (E_WARNING) if max_input_vars is exceeded, and no longer add to the destination array, but the process continues. Then we released 5.3.9.
This new fix has good intentions, but it brings about a serious problem (fixed in 5.3.10), which was originally discovered by Stefan Esser. Please see the previous (5.3.9) final Fix (php_register_variable_ex):
The code is as follows | Copy code | ||||
|
Note that if you register an array variable at this time (similar to: a[]=2 in GET), and this variable happens to be the max_input_vars-th variable, a warning (1) will be triggered, and everything is normal at this time. .
However, if you still register an array variable at this time, but this variable is already the max_input_vars + 1th variable, then gpc_element_p will become an uninitialized pointer at this time, and because the logic will continue now, that is will go to position (2), causing an uninitialized pointer to be dereferenced. So, Boomb~
So, at this point, we can use this feature to do Ddos on 5.3.9. If the Server has Core Dump enabled, the effect will be very obvious.
However, this problem can also lead to a more serious problem:
Still the above code, there is a loop in the outermost layer. When this loop takes effect, when registering a pair similar to a[b]=2, the loop will be executed twice. The first time a will be inserted. [], insert b into a[] for the second time. Then let us pay attention to (3). If the desired element cannot be found in the destination array, **or the element is not an array**, then It will also directly cause the process to be left to (2), so problems arise.
For a POST string like this (default max_input_vars is 1000):
1=1&1=2&..........&999=1&x="I am a malicious string"&x[0]=
What will happen?
Let me describe it step by step:
1. There is no problem from 1 to 999, they are all inserted normally
2. x is 1000 elements, so a warning is triggered and there is no problem, x is inserted
3. When x[0] is inserted, statement (3) determines that it is not Arrary and enters the if body. However, statement (4) fails at this time, so the process finally flows to (2)
4. At this time, gpc_element_p points to x, which is the string we forged...
Now let’s look at the key data structure, zval:
The code is as follows | Copy code | ||||||||
|
The code is as follows | Copy code |
typedef union _zvalue_value { long lval; /* long value */ double dval; /* double value */ struct { char *val; int len; } str; HashTable *ht; /* hash table value */ zend_object_value obj; } zvalue_value; |
zvalue_value is a union, so the memory of the string area we construct will be treated as a Hashtable structure:
The code is as follows
|
Copy code
|
||||
typedef struct _hashtable { uint nTableSize; |
unsigned char nApplyCount;

To protect the application from session-related XSS attacks, the following measures are required: 1. Set the HttpOnly and Secure flags to protect the session cookies. 2. Export codes for all user inputs. 3. Implement content security policy (CSP) to limit script sources. Through these policies, session-related XSS attacks can be effectively protected and user data can be ensured.

Methods to optimize PHP session performance include: 1. Delay session start, 2. Use database to store sessions, 3. Compress session data, 4. Manage session life cycle, and 5. Implement session sharing. These strategies can significantly improve the efficiency of applications in high concurrency environments.

Thesession.gc_maxlifetimesettinginPHPdeterminesthelifespanofsessiondata,setinseconds.1)It'sconfiguredinphp.iniorviaini_set().2)Abalanceisneededtoavoidperformanceissuesandunexpectedlogouts.3)PHP'sgarbagecollectionisprobabilistic,influencedbygc_probabi

In PHP, you can use the session_name() function to configure the session name. The specific steps are as follows: 1. Use the session_name() function to set the session name, such as session_name("my_session"). 2. After setting the session name, call session_start() to start the session. Configuring session names can avoid session data conflicts between multiple applications and enhance security, but pay attention to the uniqueness, security, length and setting timing of session names.

The session ID should be regenerated regularly at login, before sensitive operations, and every 30 minutes. 1. Regenerate the session ID when logging in to prevent session fixed attacks. 2. Regenerate before sensitive operations to improve safety. 3. Regular regeneration reduces long-term utilization risks, but the user experience needs to be weighed.

Setting session cookie parameters in PHP can be achieved through the session_set_cookie_params() function. 1) Use this function to set parameters, such as expiration time, path, domain name, security flag, etc.; 2) Call session_start() to make the parameters take effect; 3) Dynamically adjust parameters according to needs, such as user login status; 4) Pay attention to setting secure and httponly flags to improve security.

The main purpose of using sessions in PHP is to maintain the status of the user between different pages. 1) The session is started through the session_start() function, creating a unique session ID and storing it in the user cookie. 2) Session data is saved on the server, allowing data to be passed between different requests, such as login status and shopping cart content.

How to share a session between subdomains? Implemented by setting session cookies for common domain names. 1. Set the domain of the session cookie to .example.com on the server side. 2. Choose the appropriate session storage method, such as memory, database or distributed cache. 3. Pass the session ID through cookies, and the server retrieves and updates the session data based on the ID.


Hot AI Tools

Undresser.AI Undress
AI-powered app for creating realistic nude photos

AI Clothes Remover
Online AI tool for removing clothes from photos.

Undress AI Tool
Undress images for free

Clothoff.io
AI clothes remover

Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

Hot Tools

mPDF
mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),

SublimeText3 English version
Recommended: Win version, supports code prompts!

WebStorm Mac version
Useful JavaScript development tools

SublimeText3 Mac version
God-level code editing software (SublimeText3)

SublimeText3 Linux new version
SublimeText3 Linux latest version