PHP 5.6.7 apache2handler remote code execution vulnerability


PHP 5.4.40, 5.5.24 and 5.6.8 fixed a potential remote code execution vulnerability when used with the Apache 2.4 apache2handler.

The issue is in the interaction of Apache 2.4, the PHP apache2handler SAPI, and pipelined HTTP requests. Given a simple PHP script (just a single echo), the following results in segfaults, though not reliably:

The cause is a mismatch between two lifetimes. After the first request, the per-request interpreter state is torn down (sapi_apache2.c line 679 calls php_apache_request_dtor). Under Apache 2.2 the request pool is destroyed before the next request on the connection is handled, which runs the registered pool cleanup (php_server_context_cleanup) and resets SG(server_context) to NULL. Under Apache 2.4 that cleanup does NOT run between pipelined requests, so SG(server_context) is still non-NULL when the second request arrives. php_handler takes a non-NULL server context to mean that it is handling a subrequest (parent_req != NULL) and therefore skips php_apache_request_ctor; the second request is executed in an interpreter whose request state has already been destroyed, which is what produces the crashes.
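To make that sequence concrete, here is an added example (not PHP's or Apache's code) that models the dispatch decision in php_handler in a few lines of C. The function names mirror the ones in the text; the request and context structs, the request_configured flag, the apache24 switch and the hardened option are assumptions of the model. The hardened path runs the cleanup at the end of the top-level request instead of waiting for the pool, which is one obvious mitigation for the behaviour described, not a claim about what the project's patch does.

```c
#include <stdio.h>
#include <string.h>

/* Model of Apache's request_rec: only what the dispatch logic needs (assumed). */
typedef struct request_rec {
    const char *uri;
} request_rec;

/* Model of apache2handler's php_struct, the context kept in SG(server_context). */
typedef struct php_struct {
    request_rec *r;          /* request this context was created for */
    int request_processed;   /* set once the top-level request has been torn down */
} php_struct;

/* Stand-in for SG(server_context); in PHP this is per-thread SAPI global state. */
static php_struct *server_context = NULL;
static php_struct context_storage;   /* model: the real one lives in the request pool */

/* Stand-in for the per-request interpreter state that php_apache_request_ctor
 * sets up and php_apache_request_dtor destroys. */
static int request_configured = 0;

static void php_apache_request_ctor(php_struct *ctx, request_rec *r)
{
    ctx->r = r;
    request_configured = 1;
}

static void php_apache_request_dtor(void)
{
    request_configured = 0;
}

/* Cleanup registered on the request pool. Apache 2.2 runs it when it destroys
 * the pool before the next request on the connection; 2.4 does not in this case. */
static void php_server_context_cleanup(void)
{
    server_context = NULL;
}

enum dispatch {
    NEW_REQUEST,     /* ctx == NULL: constructor runs, normal execution */
    SUBREQUEST,      /* ctx != NULL and the interpreter is still configured */
    STALE_CONTEXT    /* ctx != NULL but its request was already torn down */
};

/* One pass through the handler for request r. `hardened` makes the top-level
 * request run php_server_context_cleanup itself (assumed mitigation). */
static enum dispatch php_handler(request_rec *r, int hardened)
{
    php_struct *ctx = server_context;
    request_rec *parent_req = NULL;
    enum dispatch how;

    if (ctx == NULL) {
        /* Fresh top-level request: create the context, configure the interpreter. */
        ctx = server_context = &context_storage;
        memset(ctx, 0, sizeof *ctx);
        php_apache_request_ctor(ctx, r);
        how = NEW_REQUEST;
    } else {
        /* Non-NULL context is read as "subrequest of ctx->r": ctor is skipped. */
        parent_req = ctx->r;
        ctx->r = r;
        how = request_configured ? SUBREQUEST : STALE_CONTEXT;
    }

    /* ... the script would execute here, against whatever state is configured ... */

    if (!parent_req) {
        php_apache_request_dtor();           /* the teardown the text places at line 679 */
        ctx->request_processed = 1;
        if (hardened)
            php_server_context_cleanup();    /* do not rely on pool destruction */
    }
    return how;
}

/* Drive n pipelined requests for the same script on one connection and count how
 * many ran against torn-down interpreter state. apache24=1 models 2.4, where the
 * request pool is not destroyed between pipelined requests; 0 models 2.2. */
static int count_stale_runs(int n, int apache24, int hardened)
{
    request_rec req = { "/echo.php" };   /* constructed sample request */
    int stale = 0;

    server_context = NULL;
    request_configured = 0;
    for (int i = 0; i < n; i++) {
        if (php_handler(&req, hardened) == STALE_CONTEXT)
            stale++;
        if (!apache24)
            php_server_context_cleanup();    /* pool destroyed, registered cleanup runs */
    }
    return stale;
}

int main(void)
{
    printf("Apache 2.2, 3 pipelined requests: %d stale runs\n", count_stale_runs(3, 0, 0));
    printf("Apache 2.4, 3 pipelined requests: %d stale runs\n", count_stale_runs(3, 1, 0));
    printf("Apache 2.4, hardened handler:     %d stale runs\n", count_stale_runs(3, 1, 1));
    return 0;
}
```

With the 2.4 behaviour every request after the first on the connection is misclassified as a subrequest and runs with request_configured == 0, which is the deconfigured-interpreter condition the text describes; clearing SG(server_context) at the end of each top-level request makes the second request take the ctx == NULL path again.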

Fixed by:;a=commit;h=809610f5ea38a83b284e1125d1fff129bdd615e7

+++ b/sapi/apache2handler/sapi_apache2.c