Serious Remote Security Hole in PHP 5.1 (beta) fixed




15. July 2005

One of the goals of the Hardened-PHP Project has always been protecting the users of PHP against current and future security holes. Therefore, besides creating the Hardening-Patch, we audit, whenever possible, the codebase not only of already released PHP versions but also of future (beta) ones.

During such an audit we discovered a remotely exploitable security hole in recently added code that handles HTTP Digest Authorization. This code was introduced in the early days of PHP 5.1, so only the previous beta releases of PHP 5.1 are affected by this double efree() vulnerability. It would have made every PHP installation that handles HTTP Keep-Alive requests within the same process (e.g. when running as an Apache module) vulnerable to remote code execution.

Although this bug is now fixed, it once again proves the usefulness of the Hardening-Patch: had this vulnerability made its way into a final version of PHP 5.1, all attempts to exploit it would have been caught and stopped by the Zend Memory Manager Canary and Safe_Unlink protections introduced with our patch.
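
The two kinds of check named above, a guard word (canary) in front of the block header and a link-consistency test before unlinking, are shown here as an added C example on a toy free list. This is not code from the Hardening-Patch or the Zend Memory Manager; the `block` layout, the `toy_*` functions and the `GUARD` value are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define GUARD 0x5AFEC0DEu   /* constructed constant; a real allocator would pick it at random */

enum { TOY_OK = 0, TOY_BAD_CANARY = -1, TOY_BAD_LINKS = -2 };

typedef struct block {
    uint32_t canary;            /* guard word in front of the header */
    struct block *prev, *next;  /* free-list links, meaningful only while the block is free */
    unsigned char payload[32];
} block;

static block free_list;         /* sentinel node of a circular doubly linked free list */

void toy_init(void) { free_list.prev = free_list.next = &free_list; }

/* Put a block at the front of the free list and stamp its guard word. */
void toy_release(block *b) {
    b->canary = GUARD;
    b->next = free_list.next;
    b->prev = &free_list;
    free_list.next->prev = b;
    free_list.next = b;
}

/* Take a block off the free list; its header is trusted only after both checks pass. */
int toy_unlink(block *b) {
    if (b->canary != GUARD)
        return TOY_BAD_CANARY;                     /* header was overwritten */
    if (b->next->prev != b || b->prev->next != b)
        return TOY_BAD_LINKS;                      /* neighbours do not point back at b */
    b->prev->next = b->next;                       /* only now write through the links */
    b->next->prev = b->prev;
    b->prev = b->next = NULL;
    return TOY_OK;
}

int main(void) {
    block a, b;
    toy_init();
    toy_release(&a);
    toy_release(&b);
    return (toy_unlink(&a) == TOY_OK && toy_unlink(&b) == TOY_OK) ? 0 : 1;
}
```

When either check fails, `toy_unlink` returns before writing through `prev` or `next`, so memory named by an altered link is left untouched.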
© Hardened PHP Project