According to Secunia:

1) A boundary error exists within the tidy extension when processing arguments passed to the "tidy_parse_string()" function. This can be exploited to cause a stack-based buffer overflow via an overly long string passed as the second argument to the affected function. (CVE-2007-3294)

2) A boundary error exists within the snmp extension when processing arguments passed to the "snmpget()" function. This can be exploited to cause a stack-based buffer overflow via an overly long string passed as the third parameter to the affected function.

We ship both extensions as USE-flags to PHP and they still seem unfixed upstream.
php, please advise
Um, sorry, totally forgot about this bug as we discussed it already on IRC... Current status:

1) I think it's Windows-only; there does not seem to be a patch for it anyway...

2) Same here... original "advisory" is at [1] btw

[1] http://retrogod.altervista.org/php_446_snmpget_local_bof.html
I cannot reproduce any of the bugs. The provided exploits contain Windows(-only) shellcode but I think there should be at least some strangeness (segfault or something) on *nix. Closing as invalid, reopen if you can prove me wrong. ;)