|
 |
|
PHP Multiple Extensions Buffer Overflow Vulnerabilities
|
|
|
|
|
Secunia Advisory:
|
SA25735
|
|
|
Release Date:
|
2007-06-21
|
|
Last Update:
|
2007-09-03
|
|
|
Critical:
|
Less critical
|
|
Impact:
|
Security Bypass
|
|
Where:
|
Local system
|
|
Solution Status:
|
Unpatched
|
|
| Software: | PHP 5.2.x
|
| | CVE reference: | CVE-2007-3294 (Secunia mirror)
CVE-2007-4255 (Secunia mirror)
CVE-2007-4441 (Secunia mirror)
CVE-2007-4507 (Secunia mirror)
CVE-2007-4586 (Secunia mirror)
|
|
|
This advisory is currently marked as unpatched!
- Companies can be alerted when a patch is released! |
|
|
Description:
Some vulnerabilities have been discovered in the PHP tidy, snmp, mSQL, win32std, ntuser, and iisfunc extensions, which can be exploited by malicious users to bypass certain security restrictions.
1) A boundary error exists within the tidy extension when processing arguments passed to the "tidy_parse_string()" function. This can be exploited to cause a stack-based buffer overflow via an overly long string passed as the second argument to the affected function.
2) A boundary error exists within the snmp extension when processing arguments passed to the "snmpget()" function. This can be exploited to cause a stack-based buffer overflow via an overly long string passed as the third parameter to the affected function.
3) A boundary error exists within the "php_msql_do_connect()" function in the mSQL extension. This can be exploited to cause a stack-based buffer overflow via an overly long string passed as the first argument to the "msql_connect()" or "msql_pconnect()" functions.
4) A boundary error exists within the win32std extension when processing arguments passed to the "win_browse_file()" function. This can be exploited to cause a stack-based buffer overflow via an overly long string passed as the third parameter to the affected function.
5) A boundary error exists within the ntuser extension when processing arguments passed to the "ntuser_getuserlist()", "ntuser_getusergroups()", "ntuser_getdomaincontroller()" and "ntuser_getuserinfo()" functions. This can be exploited to cause a stack-based buffer overflow via an overly long string passed as the first argument to an affected function.
6) A boundary error exists within the iisfunc extension when processing arguments passed to the "iis_getservicestate()" function. This can be exploited to cause a stack-based buffer overflow via an overly long string passed as the first argument to the affected function.
Successful exploitation of these vulnerabilities allows execution of arbitrary code, which may lead to security restrictions (e.g. the "disable_functions" directive) being bypassed, but requires that the extensions are installed.
The vulnerabilities are confirmed in the 5.2.3 win32 installer. Other versions may also be affected.
Solution:
Grant only trusted users permissions to execute PHP code.
Provided and/or discovered by:
1,2) Discovered by rgod.
3) Discovered by nima_501.
4) Discovered by boecke.
5) Discovered by shinnai.
6) Discovered by boecke.
Changelog:
2007-06-22: Added CVE reference.
2007-07-23: Added vulnerability #2.
2007-08-07: Added vulnerability #3 and updated "Title".
2007-08-09: Added CVE reference.
2007-08-20: Added vulnerability #4.
2007-08-22: Added CVE reference.
2007-08-24: Added vulnerability #5.
2007-08-28: Added vulnerability #6.
2007-09-03: Added CVE reference.
Original Advisory:
1) http://milw0rm.com/exploits/4080
2) http://milw0rm.com/exploits/4204
4) http://milw0rm.com/exploits/4293
5) http://milw0rm.com/exploits/4304
6) http://milw0rm.com/exploits/4318
|
|
|
|
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
|
18 Related Secunia Security Advisories, displaying 10
|
|
|
1. PHP Multiple Vulnerabilities
|
|
2. PHP Multiple Vulnerabilities
|
|
3. PHP COM Objects Security Bypass
|
|
4. PHP Multiple Vulnerabilities
|
|
5. PHP "glob()" Code Execution Vulnerability
|
|
6. PHP Integer Overflow Vulnerability and Security Bypass
|
|
7. PHP crypt() Race Condition Vulnerability
|
|
8. PHP "gdPngReadData()" Truncated PNG Data Denial of Service
|
|
9. PHP SOAP Extension HTTP Authentication Weak Nonce
|
|
10. PHP Multiple Vulnerabilities
|
Show all related advisories
|
|
|
Send Feedback to Secunia
|
|
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.
Ideas, suggestions, and other feedback are most welcome.
|
|
|
|
|
|
Secunia PSI
Scan | Patch | Track
Free Download
|
|
|
Secunia Poll
|
|
|
|
|
 |
|
|
Most Popular Advisories
|
|
|
|
|
|
