
PHP 5.3.3 - ibase_gen_id() off-by-one Overflow Vulnerability

=== Vulnerability ===

PHP 5.3.3 (possibly all versions) ibase_gen_id() off-by-one overflow

=== Author ===

cb

=== Description ===

The user-supplied variable "generator" is copied into the 128-byte buffer "query" using the size of the query variable as the length, so it causes an off-by-one overflow. See the snprintf copy statement into the "query" variable at [1].

/* {{{ proto int ibase_gen_id(string generator [, int increment [, resource link_identifier ]])
   Increments the named generator and returns its new value */
PHP_FUNCTION(ibase_gen_id)
{
    zval *link = NULL;
    char query[128], *generator;
    int gen_len;
    long inc = 1;
    ibase_db_link *ib_link;
    ibase_trans *trans = NULL;
    XSQLDA out_sqlda;
    ISC_INT64 result;

    RESET_ERRMSG;

    if (FAILURE == zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|lr", &generator, &gen_len, &inc, &link)) {
        RETURN_FALSE;
    }

    PHP_IBASE_LINK_TRANS(link, ib_link, trans);

[1] snprintf(query, sizeof(query), "SELECT GEN_ID(%s,%ld) FROM rdb$database", generator, inc);
    ...
}

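An added check, not code from the advisory or from the PHP source: it rebuilds statement [1] against a 128-byte buffer, feeds it a constructed over-long generator name, and inspects what snprintf() leaves in memory, both with sizeof(query) as the size argument and with a size one byte smaller. The struct, the canary bytes and the helper names are assumptions made for the test; under C99 snprintf() writes at most `size` bytes including the terminating NUL, and the assertions measure that bound instead of assuming it.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added check (not advisory or PHP code): reproduce the snprintf() call
 * marked [1] against a 128-byte buffer and measure what it writes when
 * "generator" is longer than the buffer. */

#define QUERY_SIZE 128      /* same as char query[128] in ibase_gen_id() */
#define CANARY_LEN 8

struct probe {
    char query[QUERY_SIZE];
    char canary[CANARY_LEN];    /* directly follows query[]; must stay intact */
};

/* Same call as statement [1]. The return value is the length the full
 * output would have had, which is how a caller detects truncation. */
int build_query(char *query, size_t size, const char *generator, long inc)
{
    return snprintf(query, size, "SELECT GEN_ID(%s,%ld) FROM rdb$database",
                    generator, inc);
}

/* Constructed input: a generator name made of gen_len 'A' characters. */
static void make_generator(char *buf, size_t buf_size, size_t gen_len)
{
    if (gen_len >= buf_size)
        gen_len = buf_size - 1;
    memset(buf, 'A', gen_len);
    buf[gen_len] = '\0';
}

/* Length snprintf() reports it needed for a gen_len-character name. */
int requested_length(size_t gen_len)
{
    char generator[1024];
    char scratch[QUERY_SIZE];

    make_generator(generator, sizeof generator, gen_len);
    return build_query(scratch, sizeof scratch, generator, 1L);
}

/* Runs [1] with the given size argument and inspects memory afterwards.
 * Returns -1 if the canary after query[] was overwritten, -2 if query[]
 * was left without a terminating NUL, -3 if size_arg itself exceeds the
 * buffer (the probe would then be the overflow), otherwise strlen(query). */
int probe_query(size_t gen_len, size_t size_arg)
{
    char generator[1024];
    struct probe p;
    size_t i;

    if (size_arg > sizeof p.query)
        return -3;

    make_generator(generator, sizeof generator, gen_len);
    memset(p.query, 'X', sizeof p.query);      /* poison: no NUL present */
    memset(p.canary, 'C', sizeof p.canary);

    build_query(p.query, size_arg, generator, 1L);

    for (i = 0; i < sizeof p.canary; i++)
        if (p.canary[i] != 'C')
            return -1;
    if (memchr(p.query, '\0', sizeof p.query) == NULL)
        return -2;
    return (int)strlen(p.query);
}

int main(void)
{
    printf("requested length for a 300-char name:  %d\n", requested_length(300));
    printf("stored length, size = sizeof(query):     %d\n", probe_query(300, QUERY_SIZE));
    printf("stored length, size = sizeof(query) - 1: %d\n", probe_query(300, QUERY_SIZE - 1));
    return 0;
}
```

A negative return from probe_query() is the signal a reviewer would look for: -1 means bytes landed past the end of query[], -2 means the string was left unterminated. A non-negative value is the number of characters that snprintf() actually stored for that size argument.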
=== Patch ===

Replace [1] with [2].

--- [1] snprintf(query, sizeof(query), "SELECT GEN_ID(%s,%ld) FROM
rdb$database", generator, inc);
+++ [2] snprintf(query, sizeof(query) - 1 "SELECT GEN_ID(%s,%ld)
FROM rdb$database", generator, inc);

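Review bot: the replacement statement [2] is missing the comma between `sizeof(query) - 1` and the format string, so as written it does not compile; it should read `snprintf(query, sizeof(query) - 1, "SELECT GEN_ID(%s,%ld) FROM rdb$database", generator, inc);`. Note also that [1] and [2] call the same function with the same format and arguments; the only difference between them is the size argument, so [2] limits the stored query to one character fewer than [1] does.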
===========================================================================

Download:

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/14678.zip (ibase_gen_id_poc.zip)