what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

OpenPKG Security Advisory 2007.19

OpenPKG Security Advisory 2007.19
Posted May 31, 2007
Authored by OpenPKG Foundation | Site openpkg.com

OpenPKG Security Advisory - Multiple vulnerabilities in PHP versions 5.2.2 and below have been addressed.

tags | advisory, php, vulnerability
advisories | CVE-2007-1380, CVE-2007-1375, CVE-2007-1376, CVE-2007-1521, CVE-2007-1484, CVE-2007-1583, CVE-2007-1700, CVE-2007-1718, CVE-2007-1461, CVE-2007-1887, CVE-2007-1888, CVE-2007-1717, CVE-2007-1835, CVE-2007-1890, CVE-2007-1824
SHA-256 | de25ea5eaff6e286c1e16000b5dfce7c3dedab43e0b8b25a85fcd5852260b7f1

OpenPKG Security Advisory 2007.19

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

____________________________________________________________________________

Publisher Name: OpenPKG GmbH
Publisher Home: http://openpkg.com/

Advisory Id (public): OpenPKG-SA-2007.019
Advisory Type: OpenPKG Security Advisory (SA)
Advisory Directory: http://openpkg.com/go/OpenPKG-SA
Advisory Document: http://openpkg.com/go/OpenPKG-SA-2007.019
Advisory Published: 2007-05-25 19:56 UTC

Issue Id (internal): OpenPKG-SI-20070518.04
Issue First Created: 2007-05-18
Issue Last Modified: 2007-05-25
Issue Revision: 04
____________________________________________________________________________

Subject Name: php
Subject Summary: Programming Language
Subject Home: http://www.php.net/
Subject Versions: * <= 5.2.2

Vulnerability Id: CVE-2007-1380, CVE-2007-1375, CVE-2007-1376,
CVE-2007-1521, CVE-2007-1484, CVE-2007-1583,
CVE-2007-1700, CVE-2007-1718, CVE-2007-1461,
CVE-2007-1887, CVE-2007-1888, CVE-2007-1717,
CVE-2007-1835, CVE-2007-1890, CVE-2007-1824
Vulnerability Scope: global (not OpenPKG specific)

Attack Feasibility: run-time
Attack Vector: local system, remote network
Attack Impact: denial of service, exposure of sensitive
information, manipulation of data, arbitrary code
execution

Description:
Steffan Esser published "the Month of PHP Bugs" [0] and revealed
multiple vulnerabilities regarding the programming language PHP [1].
According to a vendor release announcement [0], many of the issues
were fixed [2] in version 5.2.2. Fixes that apply to the OpenPKG
Enterprise 1 packages were extraced and backported.

The php_binary serialization handler in the session extension in
PHP before 4.4.5, and 5.x before 5.2.1, allows context-dependent
attackers to obtain sensitive information (memory contents) via a
serialized variable entry with a large length value, which triggers
a buffer over-read.
(CVE-2007-1380, MOPB-10-2007)

Integer overflow in the substr_compare function in PHP 5.2.1 and
earlier allows context-dependent attackers to read sensitive memory
via a large value in the length argument, a different vulnerability
than CVE-2006-1991.
(CVE-2007-1375, MOPB-14-2007)

The shmop functions in PHP before 4.4.5, and before 5.2.1 in the 5.x
series, do not verify that their arguments correspond to a shmop
resource, which allows context-dependent attackers to read and
write arbitrary memory locations via arguments associated with an
inappropriate resource, as demonstrated by a GD Image resource.
(CVE-2007-1376, MOPB-15-2007)

Double free vulnerability in PHP before 4.4.7, and 5.x before 5.2.2,
allows context-dependent attackers to execute arbitrary code by
interrupting the session_regenerate_id function, as demonstrated
by calling a userspace error handler or triggering a memory limit
violation.
(CVE-2007-1521, MOPB-22-2007)

The array_user_key_compare function in PHP 4.4.6 and earlier, and
5.x up to 5.2.1, makes erroneous calls to zval_dtor, which triggers
memory corruption and allows local users to bypass safe_mode
and execute arbitrary code via a certain unset operation after
array_user_key_compare has been called.
(CVE-2007-1484, MOPB-24-2007)

The mb_parse_str function in PHP 4.0.0 through 4.4.6 and 5.0.0
through 5.2.1 sets the internal register_globals flag and does
not disable it in certain cases when a script terminates, which
allows remote attackers to invoke available PHP scripts with
register_globals functionality that is not detectable by these
scripts, as demonstrated by forcing a memory_limit violation.
(CVE-2007-1583, MOPB-26-2007)

The session extension in PHP 4 before 4.4.5, and PHP 5 before
5.2.1, calculates the reference count for the session variables
without considering the internal pointer from the session globals,
which allows context-dependent attackers to execute arbitrary
code via a crafted string in the session_register after unsetting
HTTP_SESSION_VARS and _SESSION, which destroys the session data
Hashtable.
(CVE-2007-1700, MOPB-30-2007)

CRLF injection vulnerability in the mail function in PHP 4.0.0
through 4.4.6 and 5.0.0 through 5.2.1 allows remote attackers to
inject arbitrary e-mail headers and possibly conduct spam attacks
via a control character immediately following folding of the
(1) Subject or (2) To parameter, as demonstrated by a parameter
containing a "\r\n\t\n" sequence, related to an increment bug in the
SKIP_LONG_HEADER_SEP macro.
(CVE-2007-1718, MOPB-34-2007)

The compress.bzip2:// URL wrapper provided by the bz2 extension in
PHP before 4.4.7, and 5.x before 5.2.2, does not implement safemode
or open_basedir checks, which allows remote attackers to read bzip2
archives located outside of the intended directories.
(CVE-2007-1461, MOPB-21-2007)

Buffer overflow in the sqlite_decode_binary function in the bundled
sqlite library in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 allows
context-dependent attackers to execute arbitrary code via an
empty value of the in parameter, as demonstrated by calling the
sqlite_udf_decode_binary function with a 0x01 character. OpenPKG
integrated a patch from Debian which modifies PHP not SQLite, fixing
use of internal or external SQLite.
(CVE-2007-1887, MOPB-41-2007)

The mail function in PHP 4.0.0 through 4.4.6 and 5.0.0 through
5.2.1 truncates e-mail messages at the first ASCIIZ ('\0') byte,
which might allow context-dependent attackers to prevent intended
information from being delivered in e-mail messages. This issue
might be security-relevant in cases when the trailing contents of
e-mail messages are important, such as logging information or if the
message is expected to be well-formed.
(CVE-2007-1717, MOPB-33-2007)

PHP 4 before 4.4.5 and PHP 5 before 5.2.1, when using an empty
session save path (session.save_path), uses the TMPDIR default
after checking the restrictions, which allows local users to bypass
open_basedir restrictions.
(CVE-2007-1835, MOPB-36-2007)

Integer overflow in the msg_receive function in PHP 4 before 4.4.5
and PHP 5 before 5.2.1, on FreeBSD and possibly other platforms,
allows context-dependent attackers to execute arbitrary code via
certain maxsize values, as demonstrated by 0xffffffff.
(CVE-2007-1890, MOPB-43-2007)

Buffer overflow in the php_stream_filter_create function in PHP 5
before 5.2.1 allows remote attackers to cause a denial of service
(application crash) via a php://filter/ URL that has a name ending
in the '.' character.
(CVE-2007-1824, MOPB-42-2007)

References:
[0] http://www.php-security.org/
[1] http://www.php.net/
[2] http://www.php.net/releases/5_2_2.php
____________________________________________________________________________

Primary Package Name: php
Primary Package Home: http://openpkg.org/go/package/php

Corrected Distribution: Corrected Branch: Corrected Package:
OpenPKG Enterprise E1.0-SOLID apache-1.3.37-E1.0.5
OpenPKG Enterprise E1.0-SOLID php-5.1.6-E1.0.3
OpenPKG Community CURRENT apache-1.3.37-20070504
OpenPKG Community CURRENT php-5.2.2-20070504
____________________________________________________________________________

For security reasons, this document was digitally signed with the
OpenPGP public key of the OpenPKG GmbH (public key id 61B7AE34)
which you can download from http://openpkg.com/openpkg.com.pgp
or retrieve from the OpenPGP keyserver at hkp://pgp.openpkg.org/.
Follow the instructions at http://openpkg.com/security/signatures/
for more details on how to verify the integrity of this document.
____________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG GmbH <http://openpkg.com/>

iD8DBQFGVyNWZwQuyWG3rjQRAtYGAKCYJajoloZ5Yr7QV1wxDlu0ABMF4ACfUoMN
l/Yg+z9xMYhIXYEf5Tjv0Lg=
=IY9c
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    15 Files
  • 28
    Jun 28th
    14 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close