PHP
cpe:2.3:a:php:php:*:*:*:*:*:*:*
- < 8.1.31
- < 8.2.26
- < 8.3.14
A vulnerability exists in PHP versions 8.1.* prior to 8.1.31, 8.2.* prior to 8.2.26, and 8.3.* prior to 8.3.14. When a PHP client connects to a malicious MySQL server, it can be tricked into leaking heap memory contents. This memory may contain sensitive data from previous SQL queries or information belonging to other users on the same server. The issue arises in the MySQLnd extension while processing field packets, where improper handling leads to a heap buffer over-read.
Exploitation of this vulnerability allows for a partial leak of the heap memory, disclosing data from previous MySQL query responses. This could be exploited to access sensitive information from other users' data on the same server, depending on the context in which the vulnerability is exploited.
The vulnerability can be reproduced by setting up a PHP environment with a version that falls within the vulnerable ranges. After establishing a connection to a MySQL database, a crafted SQL query can be sent through the MySQLnd extension. This query should be designed to exploit the buffer over-read by manipulating the field packet response from the MySQL server. Once the heap data is leaked, it can be accessed through the PHP-FPM worker that processed the request.
Users can upgrade to PHP versions 8.1.31, 8.2.26, or 8.3.14, where this vulnerability has been patched.
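To check an installed or inventoried PHP version against the affected ranges listed above, the following Python script is an added example (it is not part of this advisory and not PHP project code). The function names `parse_php_version`, `php_is_affected` and `triage` are assumptions, and the sample version strings are constructed. Branches the advisory does not mention (for example 8.0.x or 7.x) are reported as "not covered" rather than "fixed", because the advisory makes no statement about them.

```python
"""Classify PHP version strings against the mysqlnd heap over-read advisory.

Added example, not part of the advisory. The fixed patch levels below are the
ones the advisory lists; anything outside the 8.1/8.2/8.3 branches is
reported as not covered, not as safe.
"""
import re
from typing import Dict, List, Optional, Tuple

# (major, minor) -> first patch level that contains the fix, per the advisory
FIXED_PATCH_LEVEL: Dict[Tuple[int, int], int] = {
    (8, 1): 31,
    (8, 2): 26,
    (8, 3): 14,
}

# First major.minor.patch triple in the string; distro suffixes such as
# "-1+ubuntu22.04" or a leading "PHP " (from `php -v`) are ignored.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_php_version(version: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) from strings like '8.2.25',
    '8.3.14-1+ubuntu22.04' or 'PHP 8.1.30 (cli)'."""
    m = _VERSION_RE.search(version)
    if m is None:
        raise ValueError(f"unrecognised PHP version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def php_is_affected(version: str) -> Optional[bool]:
    """True if the version is inside an affected range, False if it is at or
    above the fixed patch level, None if the advisory does not cover that
    branch at all (callers must not treat None as 'safe')."""
    major, minor, patch = parse_php_version(version)
    fixed = FIXED_PATCH_LEVEL.get((major, minor))
    if fixed is None:
        return None
    return patch < fixed


def triage(versions: List[str]) -> Dict[str, List[str]]:
    """Bucket a list of observed version strings (e.g. collected from
    `php -v` across a fleet) into affected / fixed / not_covered."""
    buckets: Dict[str, List[str]] = {"affected": [], "fixed": [], "not_covered": []}
    for v in versions:
        state = php_is_affected(v)
        if state is True:
            buckets["affected"].append(v)
        elif state is False:
            buckets["fixed"].append(v)
        else:
            buckets["not_covered"].append(v)
    return buckets


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_VERSIONS = [
    "8.1.30",
    "8.2.26",
    "PHP 8.3.13 (cli)",
    "8.3.14-1+ubuntu22.04",
    "8.0.30",
    "7.4.33",
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_VERSIONS).items():
        print(f"{bucket}: {items}")
```

On the constructed sample, 8.1.30 and 8.3.13 land in `affected`, 8.2.26 and 8.3.14 in `fixed`, and 8.0.30 and 7.4.33 in `not_covered`; the last bucket is the one to follow up manually, since the advisory says nothing about those branches.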