VuXML ID | Description |
ea09c5df-4362-11db-81e1-000e0c2e438a | php -- multiple vulnerabilities
The PHP development team reports:
- Added missing safe_mode/open_basedir checks inside the error_log(), file_exists(), imap_open() and imap_reopen() functions.
- Fixed overflows inside str_repeat() and wordwrap() functions on 64-bit systems.
- Fixed possible open_basedir/safe_mode bypass in cURL extension and with realpath cache.
- Fixed overflow in GD extension on invalid GIF images.
- Fixed a buffer overflow inside sscanf() function.
- Fixed an out of bounds read inside stripos() function.
- Fixed memory_limit restriction on 64-bit system.
Discovery: 2006-08-18 | Entry: 2006-09-13 | Modified: 2014-03-28
Affects: php4, php5 (< 4.4.4; >= 5 and < 5.1.5)
Affects: php4-cli, php5-cli, php4-cgi, php5-cgi, php4-dtc, php5-dtc, php4-horde, php5-horde, php4-nms, php5-nms, mod_php4, mod_php5 (< 4.4.4; >= 5 and < 5.1.5)
References: CVE-2006-4481, CVE-2006-4482, CVE-2006-4483, CVE-2006-4484, CVE-2006-4485, CVE-2006-4486, http://www.php.net/release_4_4_4.php, http://www.php.net/release_5_1_5.php
|
edabe438-542f-11db-a5ae-00508d6a62df | php -- open_basedir Race Condition Vulnerability
Stefan Esser reports:
PHP's open_basedir feature is meant to disallow scripts from accessing files outside a set of configured base directories. The checks for this are placed within PHP functions dealing with files before the actual open call is performed. Obviously there is a little span of time between the check and the actual open call. During this time span the checked path could have been altered and point to a file that is forbidden to be accessed due to open_basedir restrictions. Because the open_basedir restrictions often do not call PHP functions but 3rd party library functions to actually open the file, it is impossible to close this time span in a general way. It would only be possible to close it when PHP handles the actual opening on its own.
While it seems hard to change the path during this little time span, it is very simple with the use of the symlink() function combined with a little trick. PHP's symlink() function ensures that source and target of the symlink operation are allowed by open_basedir restrictions (and safe_mode). However, it is possible to point a symlink to any file by the use of mkdir(), unlink() and at least two symlinks.
Discovery: 2006-10-02 | Entry: 2006-10-05 | Modified: 2013-04-01
Affects: php4, php5 (< 4.4.4_1; >= 5 and < 5.1.6_2)
Affects: php-suhosin (< 0.9.6)
Affects: php4-cli, php5-cli, php4-cgi, php5-cgi, php4-dtc, php5-dtc, php4-horde, php5-horde, php4-nms, php5-nms, mod_php4, mod_php5 (>= 4 and < 4.4.4_1; >= 5 and < 5.1.6_2)
References: BID 20326, CVE-2006-5178, http://www.hardened-php.net/advisory_082006.132.html, http://secunia.com/advisories/22235/
|
e329550b-54f7-11db-a5ae-00508d6a62df | php -- _ecalloc Integer Overflow Vulnerability
Stefan Esser reports:
The PHP 5 branch of the PHP source code lacks the protection against possible integer overflows inside ecalloc() that is present in the PHP 4 branch and has also for several years been part of our Hardening-Patch and our new Suhosin-Patch.
It was discovered that such an integer overflow can be triggered when user input is passed to the unserialize() function. Earlier vulnerabilities in PHP's unserialize() that were also discovered by one of our audits in December 2004 are unrelated to the newly discovered flaw, but they have shown that the unserialize() function is exposed to user input in many popular PHP applications. Examples of applications that use the content of COOKIE variables with unserialize() are phpBB and Serendipity.
The successful exploitation of this integer overflow will result in arbitrary code execution.
Discovery: 2006-09-30 | Entry: 2006-10-06 | Modified: 2013-04-01
Affects: php5 (< 5.1.6_1)
Affects: php5-cli, php5-cgi, php5-dtc, php5-horde, php5-nms, mod_php5 (>= 5 and < 5.1.6_1)
References: CVE-2006-4812, http://www.hardened-php.net/advisory_092006.133.html, http://secunia.com/advisories/22280/
|
7fcf1727-be71-11db-b2ec-000c6ec775d9 | php -- multiple vulnerabilities
Multiple vulnerabilities have been found in PHP, including: buffer overflows, stack overflows, format string, and information disclosure vulnerabilities.
The session extension contained safe_mode and open_basedir bypasses, but the FreeBSD Security Officer does not consider these real security vulnerabilities, since safe_mode and open_basedir are insecure by design and should not be relied upon.
Discovery: 2007-02-09 | Entry: 2007-02-17 | Modified: 2013-04-01
Affects: php5-imap, php5-odbc, php5-session, php5-shmop, php5-sqlite, php5-wddx, php5 (< 5.2.1_2)
Affects: php4-odbc, php4-session, php4-shmop, php4-wddx, php4 (< 4.4.5)
Affects: mod_php4-twig, mod_php4, mod_php5, mod_php, php4-cgi, php4-cli, php4-dtc, php4-horde, php4-nms, php5-cgi, php5-cli, php5-dtc, php5-horde, php5-nms (>= 4 and < 4.4.5; >= 5 and < 5.2.1_2)
References: CVE-2007-0905, CVE-2007-0906, CVE-2007-0907, CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-0988, http://secunia.com/advisories/24089/, http://www.php.net/releases/4_4_5.php, http://www.php.net/releases/5_2_1.php
|
f5e52bf5-fc77-11db-8163-000e0c2e438a | php -- multiple vulnerabilities
The PHP development team reports:
Security Enhancements and Fixes in PHP 5.2.2 and PHP 4.4.7:
- Fixed CVE-2007-1001, GD wbmp used with invalid image size
- Fixed asciiz byte truncation inside mail()
- Fixed a bug in mb_parse_str() that can be used to activate register_globals
- Fixed unallocated memory access/double free in array_user_key_compare()
- Fixed a double free inside session_regenerate_id()
- Added missing open_basedir & safe_mode checks to zip:// and bzip:// wrappers.
- Limit nesting level of input variables with max_input_nesting_level as fix for.
- Fixed CRLF injection inside ftp_putcmd().
- Fixed a possible super-global overwrite inside import_request_variables().
- Fixed a remotely triggerable buffer overflow inside bundled libxmlrpc library.
Security Enhancements and Fixes in PHP 5.2.2 only:
- Fixed a header injection via Subject and To parameters to the mail() function
- Fixed wrong length calculation in unserialize S type.
- Fixed substr_compare and substr_count information leak.
- Fixed a remotely triggerable buffer overflow inside make_http_soap_request().
- Fixed a buffer overflow inside user_filter_factory_create().
Security Enhancements and Fixes in PHP 4.4.7 only:
Discovery: 2007-05-03 | Entry: 2007-05-07 | Modified: 2014-04-01
Affects: php5-imap, php5-odbc, php5-session, php5-shmop, php5-sqlite, php5-wddx, php5 (< 5.2.2)
Affects: php4-odbc, php4-session, php4-shmop, php4-wddx, php4 (< 4.4.7)
Affects: mod_php4-twig, mod_php4, mod_php5, mod_php, php4-cgi, php4-cli, php4-dtc, php4-horde, php4-nms, php5-cgi, php5-cli, php5-dtc, php5-horde, php5-nms (>= 4 and < 4.4.7; >= 5 and < 5.2.2)
References: CVE-2007-1001, http://www.php.net/releases/4_4_7.php, http://www.php.net/releases/5_2_2.php
|