Advisory 02/2006: PHP ext/mysqli Format String Vulnerability

Hash: SHA1

Hardened-PHP Project

-= Security Advisory =-

Advisory: PHP ext/mysqli Format String Vulnerability
Release Date: 2006/01/12
Last Modified: 2006/01/12
Author: Stefan Esser []

Application: PHP5.1 <= 5.1.1
Not Affected: PHP4, PHP 5.0.x
PHP 5.1.x with Hardening-Patch
Severity: A format string vulnerability in the exception handling
of the new mysqli extension may result in remote code
Risk: Low
Vendor Status: Vendor has released a bugfixed version


PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.

During the development of the Hardening-Patch which adds security
hardening features to the PHP codebase, several vulnerabilities
within PHP were discovered. This advisory describes one of these
flaws concerning a weakness in the mysqli extension.

PHP5 comes with the new mysqli extension, which recently got a new
error reporting feature using exceptions. When an exception for such
an error is thrown the error message is used as format string.
Depending on the situation and configuration, f.e. a malicious MySQL
server or an erroneous SQL query (f.e. through SQL injection) can
result in PHP reporting a (partly) user supplied error message, which
can result in triggering the format string vulnerability, which can
lead to remote code execution.


PHP's new mysqli extension recently got a new error reporting mode
that is using PHP exceptions to report errors generated by the SQL
server or errors that occured when a connection cannot be established.

Because of a flaw in the way the format string functions where called
when such an exception is thrown the error message is used as format
string and might contain format string specifiers. Because this error
message is generated by the mysql client library or the remote mysql
server there are a number of ways a local or remote attacker can
influence the content of the message to cause arbitrary format strings
to be parsed.

By default the reporting mode will not report failed SQL queries
through this mechanism, but when it is enabled SQL injection
vulnerabilities can be used by remote attackers to feed arbitrary
format strings to PHP's internal implementation of the format string
functions. These functions also support the %n specifier and therefore
can be exploited in ways similar to the standard fmt string exploits.
(With the little problem that the %n implementation in PHP is buggy
and therefore does not behave in the normal way).

In the default reporting mode an attacker has to be either local and
try to connect to invalid hostnames or remote with control over the
error messages returned by the mysql server. (malicious server or
man in the middle attack). In all cases there is the potential for
attacker controlled memory corruption that could even lead to remote
code execution. The vulnerability is rated low risk, because it is
believed to be hard for an external attacker to abuse this remotely.

PHP servers using our Hardening-Patch are not exploitable because
since the very beginning of the patch we have the %n format string
specifier disabled, to protect against unknown format string

Proof of Concept:

The Hardened-PHP project is not going to release exploits for this
vulnerability to the public.


It is strongly recommended to upgrade to the latest appropriate PHP
release as soon as possible, because it does not only fix this
vulnerability, but finally comes with a HTTP Response Splitting

Additionally we always recommend to run PHP with the Hardening-Patch
applied, because this vulnerability once again proved that our users
are protected against unknown vulnerabilities before they become
public knowledge.


pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1

Copyright 2006 Stefan Esser. All rights reserved.

Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see

© Hardened PHP Project