[unisog] php memory_limit vulnerability.

Matt Johnson mwj at doc.ic.ac.uk
Mon Dec 6 16:53:50 GMT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 6 Dec 2004, Vijay S Sarvepalli VSSARVEP wrote:

> I have tested the vulnerability
> wget http://www.felinemenace.org/~gyan/phpnolimit.c
>
> It doesn't seem to work on any of my linux / openbsd systems.  It might
> still be tweakable to make the xploit work.

Despite "memory_limit" being set in php.ini, the Zend engine code needed
for the exploit to work is only compiled in if "--enable-memory-limit"
was passed during configure. This is not a default (or even anywhere
near a normal) configuration option.

- --Matt
- -- 
Matt Johnson <mwj at doc.ic.ac.uk>
Junior Systems Programmer
Computing Support Group

"I was told that a ZIP drive and a floppy drive were both compatible
with my computer. I put a floppy disk in my ZIP drive and it doesn't work!"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBtI6gNHkw5OSqNcERAnGBAJwPHtLmrM2FtxEj96+KAsXlcD7SGQCg0W8G
vLGKTcStqaJ+ZEztk7RAgAU=
=hCYo
-----END PGP SIGNATURE-----
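
An added example, not part of the message above or of PHP itself: a shell check of whether a PHP build was configured with --enable-memory-limit, read from the "Configure Command" line of `php -i` output. The function name and the sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a PHP build from its phpinfo text (stdin).
# Prints one of: enabled | not-enabled | unknown
memory_limit_build_state() {
    awk -v q="'" '
        tolower($0) ~ /^configure command/ && !seen {
            seen = 1
            state = "not-enabled"
            gsub(q, "")     # configure arguments are printed single-quoted
            # Walk the arguments in order: with autoconf-style configure
            # scripts a later --disable-* overrides an earlier --enable-*.
            for (i = 1; i <= NF; i++) {
                if ($i == "--enable-memory-limit" || $i == "--enable-memory-limit=yes")
                    state = "enabled"
                else if ($i == "--disable-memory-limit" || $i == "--enable-memory-limit=no")
                    state = "not-enabled"
            }
        }
        # No Configure Command line at all (for example, output that was
        # filtered or truncated) is reported as unknown, not as safe.
        END { print (seen ? state : "unknown") }
    '
}

# Constructed sample of the relevant line, so the check runs offline.
SAMPLE="Configure Command =>  './configure'  '--with-mysql' '--enable-memory-limit'"
printf '%s\n' "$SAMPLE" | memory_limit_build_state

# On a real host: php -i | memory_limit_build_state
```

A result of "enabled" means the build contains the Zend engine code the message refers to; "not-enabled" matches the default build described there.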


