Some vulnerabilities have been discovered in the PHP tidy, snmp, mSQL, win32std, ntuser, and iisfunc extensions, which can be exploited by malicious users to bypass certain security restrictions.

1) A boundary error exists within the tidy extension when processing arguments passed to the "tidy_parse_string()" function. This can be exploited to cause a stack-based buffer overflow via an overly long string passed as the second argument to the affected function.

2) A boundary error exists within the snmp extension when processing arguments passed to the "snmpget()" function. This can be exploited to cause a stack-based buffer overflow via an overly long string passed as the third parameter to the affected function.

3) A boundary error exists within the "php_msql_do_connect()" function in the mSQL extension. This can be exploited to cause a stack-based buffer overflow via an overly long string passed as the first argument to the "msql_connect()" or "msql_pconnect()" functions.

4) A boundary error exists within the win32std extension when processing arguments passed to the "win_browse_file()" function. This can be exploited to cause a stack-based buffer overflow via an overly long string passed as the third parameter to the affected function.

5) A boundary error exists within the ntuser extension when processing arguments passed to the "ntuser_getuserlist()", "ntuser_getusergroups()", "ntuser_getdomaincontroller()" and "ntuser_getuserinfo()" functions. This can be exploited to cause a stack-based buffer overflow via an overly long string passed as the first argument to an affected function.

6) A boundary error exists within the iisfunc extension when processing arguments passed to the "iis_getservicestate()" function. This can be exploited to cause a stack-based buffer overflow via an overly long string passed as the first argument to the affected function.

Successful exploitation of these vulnerabilities allows execution of arbitrary code, which may lead to security restrictions (e.g. the "disable_functions" directive) being bypassed, but requires that the extensions are installed.

The vulnerabilities are confirmed in the 5.2.3 win32 installer. Other versions may also be affected.

Solution
Grant only trusted users permissions to execute PHP code.

Provided and/or discovered by
1,2) Discovered by rgod.
3) Discovered by nima_501.
4) Discovered by boecke.
5) Discovered by shinnai.
6) Discovered by boecke.

Changelog
Further details available in Customer Area

Original Advisory
1) http://milw0rm.com/exploits/4080
2) http://milw0rm.com/exploits/4204
4) http://milw0rm.com/exploits/4293
5) http://milw0rm.com/exploits/4304
6) http://milw0rm.com/exploits/4318

Deep Links
Links available in Customer Area