|
PHP Multiple Extensions Buffer Overflow Vulnerabilities
|
|
Secunia Advisory:
|
SA25735
|
|
|
Release Date:
|
2007-06-21
|
|
Last Update:
|
2007-09-03
|
|
Popularity:
|
10,166 views
|
|
|
Critical:
|
Less critical
|
|
Impact:
|
Security Bypass
|
|
Where:
|
Local system
|
|
Solution Status:
|
Unpatched
|
|
| Software: | PHP 5.2.x
|
|
|
Secunia CVSS-2 Score:
|
Available in Secunia business solutions 
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities
|
|
| Advisory Content (Page 1 of 3) | [ 1 ] [ 2 ] [ 3 ] | |
|
Description:
Some vulnerabilities have been discovered in the PHP tidy, snmp, mSQL, win32std, ntuser, and iisfunc extensions, which can be exploited by malicious users to bypass certain security restrictions.
1) A boundary error exists within the tidy extension when processing arguments passed to the "tidy_parse_string()" function. This can be exploited to cause a stack-based buffer overflow via an overly long string passed as the second argument to the affected function.
2) A boundary error exists within the snmp extension when processing arguments passed to the "snmpget()" function. This can be exploited to cause a stack-based buffer overflow via an overly long string passed as the third parameter to the affected function.
3) A boundary error exists within the "php_msql_do_connect()" function in the mSQL extension. This can be exploited to cause a stack-based buffer overflow via an overly long string passed as the first argument to the "msql_connect()" or "msql_pconnect()" functions.
4) A boundary error exists within the win32std extension when processing arguments passed to the "win_browse_file()" function. This can be exploited to cause a stack-based buffer overflow via an overly long string passed as the third parameter to the affected function.
5) A boundary error exists within the ntuser extension when processing arguments passed to the "ntuser_getuserlist()", "ntuser_getusergroups()", "ntuser_getdomaincontroller()" and "ntuser_getuserinfo()" functions. This can be exploited to cause a stack-based buffer overflow via an overly long string passed as the first argument to an affected function.
6) A boundary error exists within the iisfunc extension when processing arguments passed to the "iis_getservicestate()" function. This can be exploited to cause a stack-based buffer overflow via an overly long string passed as the first argument to the affected function.
Successful exploitation of these vulnerabilities allows execution of arbitrary code, which may lead to security restrictions (e.g. the "disable_functions" directive) being bypassed, but requires that the extensions are installed.
The vulnerabilities are confirmed in the 5.2.3 win32 installer. Other versions may also be affected.
Change Page:
[ 1 ] [ 2 ] [ 3 ]
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
9th Jul, 2009
|
New advisories:
|
18 |
|
New vulnerabilities:
|
21 |
|
Updated advisories:
|
25 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
 Solutions | More...
|
|
