Timeline :
Vulnerability discovered by Eric Romang
Public release of the vulnerability on 2005-10-24
Exploit provided on 2005-10-24
PoC provided by :
Eric Romang
Reference(s) :
CVE-2005-3319
GLSA 200511-08
OSVDB-20491
Affected version(s) :
PHP versions 4.0.x to 4.4.0 and versions 5.0.0 to 5.0.5
Tested on Gentoo 2005.0 with :
PHP 4.3.11
Description :
The apache2handler SAPI (sapi_apache2.c) in the Apache module (mod_php) contains a flaw that may allow a local denial of service. The issue is triggered when a malicious user places a specially crafted .htaccess file in a root directory while safe mode is active. This will cause a segmentation fault, resulting in loss of availability for the service.
Commands :
Simply put a .htaccess file in the root directory of your website with this content :
php_value session.save_path /var/www/somewherehowexist
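A defender-side check for the trigger described above, as an added example that is not part of the original advisory: it walks a document root and reports every .htaccess file that overrides session.save_path through php_value. The function names and the sample directory tree are constructed for illustration.

```python
import os
import re
import tempfile

# Apache directive names are case-insensitive, the PHP ini key is not.
# The value may be bare or double-quoted. Commented-out lines ("#...")
# never match because the pattern is anchored at the start of the line.
DIRECTIVE = re.compile(
    r'^\s*(?i:php_value)\s+session\.save_path\s+(?:"([^"]*)"|(\S+))'
)

def find_save_path_overrides(docroot):
    """Return sorted (htaccess_path, line_number, value) tuples for every
    .htaccess under docroot that sets session.save_path via php_value."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        try:
            with open(path, "r", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    m = DIRECTIVE.match(line)
                    if m:
                        value = m.group(1) if m.group(1) is not None else m.group(2)
                        hits.append((path, lineno, value))
        except OSError:
            continue  # unreadable file: skip it, keep scanning
    return sorted(hits)

def demo():
    """Scan a constructed document root (sample data, not from the advisory
    apart from the directive line quoted on this page)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app"))
        with open(os.path.join(root, ".htaccess"), "w") as fh:
            fh.write("# constructed sample\n")
            fh.write("php_value session.save_path /var/www/somewherehowexist\n")
        with open(os.path.join(root, "app", ".htaccess"), "w") as fh:
            fh.write("#php_value session.save_path /tmp\n")
            fh.write('PHP_Value session.save_path "/srv/sess"\n')
            fh.write("php_value memory_limit 32M\n")
        found = find_save_path_overrides(root)
        return [(os.path.relpath(p, root), n, v) for p, n, v in found]

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Run it against the real document root by calling find_save_path_overrides() with that path; any hit on a host running an affected PHP version with safe mode active deserves review.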