Posted by Imre RAD on Jan 27
The LiteSpeed SAPI module in PHP did not sanitize several fields of the
LSAPI request correctly. In the source file sapi/litespeed/lsapilib.c,
the parseRequest function calculated addresses of these variables in the
following way:
pReq->m_pScriptFile = pReq->m_pReqBuf + pReq->m_pHeader->m_scriptFileOff;
pReq->m_pScriptName = pReq->m_pReqBuf + pReq->m_pHeader->m_scriptNameOff;
pReq->m_pQueryString…
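
For contrast with the unchecked pointer arithmetic quoted above, here is one way to resolve a peer-supplied offset only after validating it. This is an added example, not code from PHP or lsapilib.c; the struct req_header, its field names, and the helpers field_at and parse_fields are hypothetical simplifications.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified header: offsets are relative to the start of the
 * request buffer and arrive from the peer, so they are untrusted. */
struct req_header {
    int32_t script_file_off;
    int32_t script_name_off;
};

/* Resolve an untrusted offset to a string inside buf[0..buf_len).
 * Returns NULL unless the offset is in range and a NUL terminator
 * exists before the end of the buffer. */
static const char *field_at(const char *buf, size_t buf_len, int32_t off)
{
    if (buf == NULL || off < 0 || (size_t)off >= buf_len)
        return NULL;
    if (memchr(buf + off, '\0', buf_len - (size_t)off) == NULL)
        return NULL;
    return buf + off;
}

/* Returns 0 and fills the out-pointers only if every field validates;
 * on failure the out-pointers are left untouched. */
static int parse_fields(const char *buf, size_t buf_len,
                        const struct req_header *h,
                        const char **script_file, const char **script_name)
{
    const char *f = field_at(buf, buf_len, h->script_file_off);
    const char *n = field_at(buf, buf_len, h->script_name_off);
    if (f == NULL || n == NULL)
        return -1;
    *script_file = f;
    *script_name = n;
    return 0;
}
```

Rejecting the whole request when any single field fails keeps later code from ever seeing a pointer that lies outside the received buffer or a string that runs past its end.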