Secunia CSI7
Advisories
Research
Forums
Create Profile
Our Commitment
Database
Search
Advisories by Product
Advisories by Vendor
Terminology
Report Vulnerability
Insecure Library Loading
Highly critical

PHP Multiple Vulnerabilities

-

Release Date:  2004-12-16    Last Update:  2005-03-21    Views:  57,521

Secunia Advisory SA13481

Where:

From remote

Impact:

Security Bypass, Exposure of sensitive information, Privilege escalation, System access

Solution Status:

Vendor Patch

CVE Reference(s):

Description


Multiple vulnerabilities have been reported in PHP, which can be exploited to gain escalated privileges, bypass certain security restrictions, gain knowledge of sensitive information, or compromise a vulnerable system.

1) An integer overflow in the "pack()" function can be exploited to cause a heap-based buffer overflow by passing some specially crafted parameters to the function.

Successful exploitation bypasses the safe_mode feature and allows execution of arbitrary code with the privileges of the web server.

2) An integer overflow in the "unpack()" function can be exploited to leak information stored on the heap by passing specially crafted parameters to the function.

In combination with the first vulnerability, this may also allow bypassing of heap canary protection mechanisms.

3) An error within safe_mode when executing commands can be exploited to bypass the safe_mode_exec_dir restriction by injecting shell commands into the current directory name.

Successful exploitation requires that PHP runs on a multi-threaded Unix web server.

4) An error in safe_mode combined with certain implementations of "realpath()" can be exploited to bypass safe_mode via a specially crafted file path.

5) An error within the handling of file paths may potentially lead to file inclusion vulnerabilities. The problem is that "realpath()", which in some implementations truncate filenames, is used in various places to obtain the real path of a file.

6) Various errors within the deserialization code can be exploited to disclose information or execute arbitrary code via specially crafted strings passed to the "unserialize()" function.

7) A signedness error in the "shmop_write()" function can be exploited to write data to arbitrary memory locations by passing an overly large value to the "offset" parameter.

Successful exploitation may allow execution of arbitrary code with the privileges of the web server and bypass the safe_mode restrictions.

8) An unspecified boundary error exists in the "exif_read_data()" function when handling long section names.

9) An error in the "addslashes()" function causes it to not escape NULL bytes correctly. This can e.g. be exploited to read arbitrary files on a system, if the "include()" or "require()" statements partly use user-supplied input.

10) An error within "magic_quotes_gpc" may allow a one-level directory traversal when uploading files with a single quote in the filename (e.g. "..'file.ext").

NOTE: Other potential security issues have also been reported.


Solution:
Update to version 4.3.10 or 5.0.3.

Further details available to Secunia VIM customers

Provided and/or discovered by:
1-6) Stefan Esser
6) Marcus Boerger
7) Stefano Di Paola
8) Reported by vendor.
9-10) Daniel Fabian

Original Advisory:
PHP:
http://www.php.net/release_4_3_10.php

Stefan Esser:
http://www.hardened-php.net/advisories/012004.txt

Deep Links:
Links available to Secunia VIM customers

Do you have additional information related to this advisory?

Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this information to vuln@secunia.com

Subject: PHP Multiple Vulnerabilities

No posts yet

-

You must be logged in to post a comment.



 Products Solutions Customers Partner Resources Company
 
 Corporate
Vulnerability Intelligence Manager (VIM)
Corporate Software Inspector (CSI)
Consumer
Personal Software Inspector (PSI)
Online Software Inspector (OSI)
 Industry
Compliance
Technology
Integration
 Customers
Testimonials
 VARS
MSSP
Technology Partners
References
 Factsheets
Reports
Webinars
Events
 About us
Careers
Memberships
Newsroom


 
© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144
Terms & Conditions and Copyright - Privacy - Report Vulnerability