============================================================================================================================================
S-MAIL HTML Entity Encoder Heap Overflow / PHP Zend_Hash_Del_Key_Or_Index / Unfiltered Header Injection in Apache / PHP Unspecified Remote Arbitrary File Upload
============================================================================================================================================

Multiple advisories were sent, but the vendor did not respond; hence full disclosure.

I. VULNERABILITY
-------------------------
#Title: S-MAIL Cross-site request forgery / HTML entity encoder heap overflow / PHP socket_iovec_alloc() integer overflow / PHP Zend_Hash_Del_Key_Or_Index / Unfiltered Header Injection in Apache / PHP Unspecified Remote Arbitrary File Upload
#Vendor: http://WWW.s-mail.com/
#Author: Juan Carlos García (@secnight)
#Follow me on Twitter: @secnight

II. DESCRIPTION
-------------------------
S-Mail® is an innovative email system that provides high-level protection for emails on the Internet. S-Mail users have safe and secure email correspondence. Only the sender and recipient of S-Mail can access emails sent through this service. S-Mail provides the ultimate protection with strong encryption for personal and business communications.

S-Mail combines simplicity and security to create a tailored solution for protecting email. Messages and attached files are encrypted and decrypted through PGP, SSL and DSA algorithms on the user's PC. As a result, communications sent using S-Mail are delivered fully protected. S-Mail is compatible with all other email systems and programs.

III. PROOF OF CONCEPT
-------------------------

PHP version older than 4.4.1
*****************************
Multiple vulnerabilities have been reported in PHP, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, and potentially compromise a vulnerable system.
Affected PHP versions (up to 4.4.0).

The impact of this vulnerability
___________________________________
Security bypass, cross-site scripting, denial of service, system access.

Apache version older than 1.3.28 (current version is: Apache/1.3.27)
**********************************************************************

The impact of this vulnerability
_________________________________
Multiple. Check the references for details about every vulnerability.

Apache version older than 1.3.41
*********************************

Security fixes in Apache version 1.3.41:
_________________________________________
CVE-2007-6388 (cve.mitre.org) mod_status: Ensure refresh parameter is numeric to prevent a possible XSS attack caused by redirecting to other URLs. Reported by SecurityReason. [Mark Cox]

Security fixes in Apache version 1.3.40:
___________________________________________
CVE-2007-5000 (cve.mitre.org) mod_imap: Fix cross-site scripting issue. Reported by JPCERT. [Joe Orton]
CVE-2007-3847 (cve.mitre.org) mod_proxy: Prevent reading past the end of a buffer when parsing date-related headers. PR 41144. With Apache 1.3, the denial of service vulnerability applies only to the Windows and NetWare platforms. [Jeff Trawick]

PHP HTML entity encoder heap overflow
**************************************
Stefan Esser reported some vulnerabilities in PHP, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system. The vulnerabilities are caused by boundary errors within the "htmlentities()" and "htmlspecialchars()" functions. If a PHP application uses these functions to process user-supplied input, this can be exploited to cause a heap-based buffer overflow by passing specially crafted data to the affected application. Successful exploitation may allow execution of arbitrary code, but requires that the UTF-8 character set is selected. For a detailed explanation of the vulnerability, read the referenced article.
Vendor has released PHP 5.2.0, which fixes this issue.
Affected PHP versions (up to 4.4.4/5.1.6).

The impact of this vulnerability
_________________________________
Denial of service, remote code execution.

PHP unspecified remote arbitrary file upload vulnerability
**********************************************************
An unspecified remote arbitrary file upload vulnerability has been reported for this version of PHP.
Affected PHP versions (up to 4.3.8/5.0.1).

PHP Zend_Hash_Del_Key_Or_Index vulnerability
**********************************************
Stefan Esser discovered a weakness deep within the implementation of hashtables in the Zend Engine. This vulnerability affects a large number of PHP applications. It creates large new holes in many popular PHP applications. Additionally, many old holes that were disclosed in the past were only fixed by using the unset() statement. Many of these holes are still open if the already existing exploits are changed by adding the correct numerical keys to survive the unset(). For a detailed explanation of the vulnerability, read the referenced article:
http://www.hardened-php.net/hphp/zend_hash_del_key_or_index_vulnerability.html
Affected PHP versions (up to 4.4.2/5.1.3).

The impact of this vulnerability
___________________________________
Code execution, SQL injection, ...

Unfiltered header injection in Apache 1.3.34/2.0.57/2.2.1
***********************************************************

Vulnerability description
*************************
This version of Apache is vulnerable to HTML injection (including malicious JavaScript code) through the "Expect" header. Until now it was not classified as a security vulnerability, since an attacker had no way to influence the Expect header in order to send the victim to a target website. However, according to Amit Klein's paper "Forging HTTP request headers with Flash", there is a working cross-site scripting (XSS) attack against Apache 1.3.34, 2.0.57 and 2.2.1 (as long as the client browser is IE or Firefox and it supports Flash 6/7+).

The impact of this vulnerability
________________________________
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

How to fix this vulnerability
_______________________________
Upgrade to the latest Apache versions. This flaw has been corrected in Apache versions 1.3.35/2.0.58/2.2.2.

Apache error log escape sequence injection vulnerability
********************************************************
This version of Apache is vulnerable to injection of escape character sequences into the error log. This problem may be exploited when a vulnerable terminal emulator is used to view the log.
Affected Apache versions (up to 2.0.48 for Apache 2.x and up to 1.3.29 for Apache 1.x).

PHP mail function ASCII control character header spoofing vulnerability
***********************************************************************
The PHP mail function does not properly sanitize user input. Because of this, a user may pass ASCII control characters to the mail() function that could alter the headers of the email. This could result in spoofed mail headers.
Affected PHP versions (up to 4.2.2).

PHP socket_iovec_alloc() integer overflow
******************************************
Buffer overflow in the openlog function for PHP 4.3.1 on the Windows operating system, and possibly other OSes.
Affected PHP versions (up to 4.3.1).

The impact of this vulnerability
___________________________________
Allows remote attackers to cause a crash and possibly execute arbitrary code via a long filename argument.

How to fix this vulnerability
________________________________
Upgrade PHP to the latest version.

Web references
________________
CVE 2003-0172

PHP4 multiple vulnerabilities
*****************************
PHP has released an upgrade to address multiple vulnerabilities, including integer overflow issues that have been reported to affect PHP4 and bundled software.

IV. BUSINESS IMPACT
-------------------------
CRITICAL

V. SOLUTION
------------------------
UPDATE PHP AND APACHE SOFTWARE P L E A S E !!!

VI. CREDITS
-------------------------
This vulnerability has been discovered by Juan Carlos García (@secnight)

VII. LEGAL NOTICES
-------------------------
The Author accepts no responsibility for any damage caused by the use or misuse of this information.
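Of the findings above, the PHP mail() header spoofing issue is the one an application developer can mitigate directly rather than only by upgrading: the root cause is user input reaching the additional_headers argument with CR/LF (or other ASCII control characters) that end one header line and start another. The following is an added example, written for this advisory and not code from S-Mail or from PHP itself, showing the unsafe concatenation pattern beside a hardened header builder that rejects control characters before anything reaches mail(). The 998-octet limit and the field names are assumptions for the illustration; the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

/*
 * Unsafe pattern (the one the advisory describes): a user-supplied address is
 * concatenated straight into the additional_headers string. A value containing
 * "\r\n" therefore becomes a second, attacker-chosen header line.
 */
function buildHeadersUnsafe(string $fromAddress): string
{
    return "From: $fromAddress\r\n";
}

/*
 * Hardened check: a single header value must contain no CR, LF, NUL or any
 * other ASCII control character (0x00-0x1F, 0x7F). The 998-octet cap is an
 * assumed limit taken from the RFC 5322 line-length rule; tune it to taste.
 */
function isSafeHeaderValue(string $value): bool
{
    if (strlen($value) > 998) {
        return false;
    }
    return preg_match('/[\x00-\x1F\x7F]/', $value) !== 1;
}

/*
 * Hardened builder: validates each user-influenced field and throws instead of
 * silently emitting a modified header block. Only the resulting string should
 * ever be passed as the additional_headers argument of mail().
 */
function buildHeaders(string $fromAddress, string $replyTo = ''): string
{
    if (!isSafeHeaderValue($fromAddress)
        || filter_var($fromAddress, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Rejected From address');
    }
    $headers = "From: $fromAddress\r\n";

    if ($replyTo !== '') {
        if (!isSafeHeaderValue($replyTo)
            || filter_var($replyTo, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException('Rejected Reply-To address');
        }
        $headers .= "Reply-To: $replyTo\r\n";
    }
    return $headers;
}

/*
 * The subject goes through mail()'s own parameter, not additional_headers,
 * but a CR/LF inside it splits the Subject line just the same, so apply the
 * same control-character check to it.
 */
function safeSubject(string $subject): string
{
    if (!isSafeHeaderValue($subject)) {
        throw new InvalidArgumentException('Rejected Subject');
    }
    return $subject;
}

// Constructed sample inputs for the demonstration.
$legit    = 'alice@example.com';
$injected = "alice@example.com\r\nBcc: everyone@example.com";

// Unsafe: the injected Bcc line is now a real header.
echo str_replace("\r\n", "\\r\\n ", buildHeadersUnsafe($injected)), PHP_EOL;

// Hardened: the legitimate value passes, the injected one is refused.
echo buildHeaders($legit, 'support@example.com');
try {
    buildHeaders($injected);
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```

Run it with the PHP CLI and compare the two outputs: the unsafe builder prints the attacker's "Bcc:" as a separate header, while the hardened builder prints only the validated From and Reply-To lines and reports "blocked" for the injected input. The same validation should be applied to every field that ends up in a header, including the recipient list passed as the first argument of mail().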