Security module for php7 and php8 - Killing bugclasses and virtual-patching the rest! http://git.dustri.org/snuffleupagus/atom?h=optim85 2026-04-24T09:09:54Z 2026-04-24T09:09:54Z jvoisin 2026-04-24T09:09:54Z urn:sha1:c0ea33d05dfb503f60a842372c336d12b23259ba Cookies can be arrays (session_id[]=x), and we called `Z_STRLEN_P(pDest)` without checking if `Z_TYPE_P(pDest) == IS_STRING`, leading to a type confusion, leaking at least `HashTable->arData`, and the rest of the code is going to corrupt some stuff, leading to a crash. While exploitation can't be ruled out, it looks stupidly harder. The array will be decoded as base64 into another variable, decrypted, and have this value written back to the array. To obtain a controlled read, an attacker would have to bruteforce decryption to find an encrypted value that could be properly decrypted, as we're using authenticated encryption. The next steps are depending on the heap's layout, which should be pretty deterministic/simple as cookie decryption happens at RINIT. But since the heap overflow is happening in the cookies, odds are that they're stored somewhere with other data like POST/GET/… and thus nothing super-duper juicy. While remote heap exploitation in PHP have been done in the past, this primitive looks a tad too limited to yield something powerful enough to pop a shell. Reported-by: Vozec 2025-12-05T14:59:24Z Angus Johnston 2025-12-05T13:57:32Z urn:sha1:e586b7df4e575d7d5e017b4134bdac9b297b667b setcookie() is always URL encoded, urlencode is only turned off for setrawcookie(). Turning it off breaks cookies that have a value containing certain characters (namely spaces) https://github.com/php/php-src/blob/685e99655ae97c667950f7f7d176985958718f56/ext/standard/head.c#L97 2025-10-01T11:59:45Z jvoisin 2025-10-01T11:44:06Z urn:sha1:9509733befcb4010bc77b06fcf41e77078976e80 ``` ========DIFF======== 001- OK 001+ Fatal error: Uncaught ValueError: setcookie(): "partitioned" option cannot be used without "secure" option in /builddir/build/BUILD/snuffleupagus-1c7598c432551d0c49c2c57f249ccd5ccabce638/src/tests/samesite_cookies.php:2 002+ Stack trace: 003+ #0 /builddir/build/BUILD/snuffleupagus-1c7598c432551d0c49c2c57f249ccd5ccabce638/src/tests/samesite_cookies.php(2): setcookie('super_cookie', 'super_value') 004+ #1 {main} 005+ thrown in /builddir/build/BUILD/snuffleupagus-1c7598c432551d0c49c2c57f249ccd5ccabce638/src/tests/samesite_cookies.php on line 2 ========DONE======== FAIL Cookie samesite [tests/samesite_cookies.phpt] ``` Even though the warning might be spurious, let's fix this properly, by initialising `partitioned` to false, and by setting it only if `secure` is set as well. 2025-09-01T11:49:08Z jvoisin 2025-08-31T14:05:44Z urn:sha1:ee5e383c6bbca94d5f93134510468b3fe87a470c 2025-06-25T17:38:30Z Christian Göttsche 2025-06-25T09:43:58Z urn:sha1:d4e010846d9d8db8bf6e1fec9a2c39ed762e257d Do not dereference the hash key for cookie encryption if it's NULL: Program terminated with signal SIGSEGV, Segmentation fault. #0 zend_string_equal_content (s1=0x79bdb92170f0, s2=0x0) at /usr/include/php/20240924/Zend/zend_string.h:386 No locals. #1 zend_string_equals (s1=0x79bdb92170f0, s2=0x0) at /usr/include/php/20240924/Zend/zend_string.h:391 No locals. #2 sp_match_value (value=0x0, to_match=0x79bdb92170f0, rx=0x0) at ./src/sp_utils.c:273 No locals. #3 0x00007989377b0709 in sp_lookup_cookie_config (key=0x0) at ./src/sp_cookie_encryption.c:8 config = 0x79bdb92158d0 it = 0x79ae80dabd00 it = <optimized out> config = <optimized out> #4 decrypt_cookie (pDest=0x79893b6787c0, num_args=<optimized out>, args=<optimized out>, hash_key=0x7ffe657c3880) at ./src/sp_cookie_encryption.c:19 cookie = <optimized out> #5 0x000061875aac52df in zend_hash_apply_with_arguments () No symbol table info available. #6 0x00007989377ae74b in zm_activate_snuffleupagus (type=<optimized out>, module_number=<optimized out>) at ./src/snuffleupagus.c:228 config_wrapper = 0x7989377c3490 <snuffleupagus_globals+144> #7 0x000061875aa21710 in zend_activate_modules () No symbol table info available. #8 0x000061875a9a7f18 in php_request_startup () No symbol table info available. 2024-06-06T14:27:35Z Christian Göttsche 2024-05-29T18:38:23Z urn:sha1:f40955e03cd361966f927acfaa477cfceb8930e5 Adjusts casts to void dropping const qualifiers. This helps to avoid mistakes, e.g. modifying string literals. Also use size_t for length, similar to the upstream php interfaces. 2021-09-23T10:23:40Z Ben Fuhrmannek 2021-09-23T10:23:40Z urn:sha1:54c352c1b5aa08b187dd1e52e544709cad2b0fee * for easier memory manegement, the entire sp_config struct was merged into snuffleupagus_globals and allocated on stack where possible * SNUFFLEUPAGUS_G() can be written as SPG(), which is faster to type and easier to read * execution_depth is re-initialized to 0 for each request * function calls with inline string and length parameters consistently use ZEND_STRL instead of sizeof()-1 * execution is actually hooked if recursion protection is enabled * some line breaks were removed to make the code more readable 2021-08-06T14:40:57Z Ben Fuhrmannek 2021-08-06T14:40:57Z urn:sha1:2b6086486be69533d0077585c7726b3efa175fe6 2019-06-19T09:04:17Z Ben Fuhrmannek 2019-06-19T09:04:17Z urn:sha1:3ab467100883adedab71a28e1699799e45ab0b2d 2019-05-14T20:48:55Z jvoisin 2019-05-14T19:57:13Z urn:sha1:1cdb880fac5044194f0bc62dd82fcd4480192ebe PHP 7.3+ added a new prototype for the cookie setting mechanism, breaking our ghetto samesite-injection, this commit takes care of it.