Executive Summary

Summary
Title: New php4 packages fix several vulnerabilities

Information
Name: DSA-1264
First vendor Publication: 2007-03-07
Vendor: Debian
Last vendor Modification: 2007-03-07
Severity (Vendor): N/A
Revision: 1

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Base Score: 10      Attack Range: Network
CVSS Impact Score: 10    Attack Complexity: Low
CVSS Exploit Score: 10   Authentication: None Required

Detail

Several remote vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-0906

It was discovered that an integer overflow in the str_replace() function could lead to the execution of arbitrary code.

CVE-2007-0907

It was discovered that a buffer underflow in the sapi_header_op() function could crash the PHP interpreter.

CVE-2007-0908

Stefan Esser discovered that a programming error in the wddx extension allows information disclosure.

CVE-2007-0909

It was discovered that a format string vulnerability in the odbc_result_all() function allows the execution of arbitrary code.

CVE-2007-0910

It was discovered that super-global variables could be overwritten with session data.

CVE-2007-0988

Stefan Esser discovered that the zend_hash_init() function could be tricked into an endless loop, allowing denial of service through resource consumption until a timeout is triggered.

For the stable distribution (sarge) these problems have been fixed in version 4:4.3.10-19.

For the unstable distribution (sid) these problems have been fixed in version 6:4.4.4-9 of php4 and version 5.2.0-9 of php5.

We recommend that you upgrade your php4 packages.
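The remediation above is stated as package versions, and whether an installed php4 is at or past the fixed version is decided by dpkg's version ordering, not by a plain string or float comparison. The following is an added example, not Debian's code and not part of the advisory: it implements the dpkg comparison rules in Python (epoch, then upstream_version, then debian_revision, with '~' sorting before everything) and checks an installed version string, such as the output of `dpkg-query -W -f='${Version}' php4`, against the fixed versions named in this advisory. The package/suite table and the function names are this example's own.

```python
import re
from itertools import zip_longest

# Fixed versions named in DSA-1264 (values taken from the advisory text).
FIXED_VERSIONS = {
    ("php4", "sarge"): "4:4.3.10-19",
    ("php4", "sid"): "6:4.4.4-9",
    ("php5", "sid"): "5.2.0-9",
}

def _order(c: str) -> int:
    # dpkg character weight: '~' sorts before everything (even end of string),
    # end-of-string and digits weigh 0, letters sort before other symbols.
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a: str, b: str) -> int:
    # Compare an upstream_version or debian_revision as dpkg does: alternate
    # non-digit runs (weighted lexical) and digit runs (numeric).
    while a or b:
        (na, da), (nb, db) = re.match(r"(\D*)(\d*)", a).groups(), re.match(r"(\D*)(\d*)", b).groups()
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
        a, b = a[len(na) + len(da):], b[len(nb) + len(db):]
    return 0

def parse_version(v: str):
    # [epoch:]upstream_version[-debian_revision]; a missing epoch is 0 and a
    # missing revision counts as "0" (Debian Policy version rules).
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return int(epoch), upstream, revision

def compare_versions(a: str, b: str) -> int:
    # <0 if a is older than b, 0 if equal, >0 if newer (dpkg --compare-versions order).
    (ea, ua, ra), (eb, ub, rb) = parse_version(a), parse_version(b)
    return (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_fixed(package: str, suite: str, installed: str) -> bool:
    # Epoch matters: a bare "4.4.4-9" (epoch 0) is OLDER than "4:4.3.10-19" to dpkg.
    return compare_versions(installed, FIXED_VERSIONS[(package, suite)]) >= 0
```

A rebuilt package such as 4:4.3.10-19sarge1 counts as fixed, while a backport tagged 4:4.3.10-19~bpo1 does not, which is exactly the ordering dpkg applies during the upgrade.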

Original Source

Url : http://www.debian.org/security/2007/dsa-1264

CWE : Common Weakness Enumeration

CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
CWE-20: Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:8992
Title: Multiple buffer overflows in PHP before 5.2.1 allow attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors in the (1) session, (2) zip, (3) imap, and (4) sqlite extensions; (5) stream filters; and the (6) str_replace, (7) mail, (8) ibase_delete_user, (9) ibase_add_user, and (10) ibase_modify_user functions. NOTE: vector 6 might actually be an integer overflow (CVE-2007-1885). NOTE: as of 20070411, vector (3) might involve the imap_mail_compose function (CVE-2007-1825).
Family: unix
Class: vulnerability
Reference(s): CVE-2007-0906
Version: 5
Platform(s): Red Hat Enterprise Linux 3, CentOS Linux 3, Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4, Red Hat Enterprise Linux 5, CentOS Linux 5, Oracle Linux 5

Definition Id: oval:org.mitre.oval:def:11321
Title: Buffer underflow in PHP before 5.2.1 allows attackers to cause a denial of service via unspecified vectors involving the sapi_header_op function.
Family: unix
Class: vulnerability
Reference(s): CVE-2007-0907
Version: 5
Platform(s): Red Hat Enterprise Linux 3, CentOS Linux 3, Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4, Red Hat Enterprise Linux 5, CentOS Linux 5, Oracle Linux 5

Definition Id: oval:org.mitre.oval:def:11185
Title: The WDDX deserializer in the wddx extension in PHP 5 before 5.2.1 and PHP 4 before 4.4.5 does not properly initialize the key_length variable for a numerical key, which allows context-dependent attackers to read stack memory via a wddxPacket element that contains a variable with a string name before a numerical variable.
Family: unix
Class: vulnerability
Reference(s): CVE-2007-0908
Version: 5
Platform(s): Red Hat Enterprise Linux 3, CentOS Linux 3, Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4, Red Hat Enterprise Linux 5, CentOS Linux 5, Oracle Linux 5

Definition Id: oval:org.mitre.oval:def:9722
Title: Multiple format string vulnerabilities in PHP before 5.2.1 might allow attackers to execute arbitrary code via format string specifiers to (1) all of the *print functions on 64-bit systems, and (2) the odbc_result_all function.
Family: unix
Class: vulnerability
Reference(s): CVE-2007-0909
Version: 5
Platform(s): Red Hat Enterprise Linux 3, CentOS Linux 3, Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4, Red Hat Enterprise Linux 5, CentOS Linux 5, Oracle Linux 5

Definition Id: oval:org.mitre.oval:def:9514
Title: Unspecified vulnerability in PHP before 5.2.1 allows attackers to "clobber" certain super-global variables via unspecified vectors.
Family: unix
Class: vulnerability
Reference(s): CVE-2007-0910
Version: 5
Platform(s): Red Hat Enterprise Linux 3, CentOS Linux 3, Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4, Red Hat Enterprise Linux 5, CentOS Linux 5, Oracle Linux 5

Definition Id: oval:org.mitre.oval:def:11092
Title: The zend_hash_init function in PHP 5 before 5.2.1 and PHP 4 before 4.4.5, when running on a 64-bit platform, allows context-dependent attackers to cause a denial of service (infinite loop) by unserializing certain integer expressions, which only cause 32-bit arguments to be used after the check for a negative value, as demonstrated by an "a:2147483649:{" argument.
Family: unix
Class: vulnerability
Reference(s): CVE-2007-0988
Version: 5
Platform(s): Red Hat Enterprise Linux 3, CentOS Linux 3, Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4, Red Hat Enterprise Linux 5, CentOS Linux 5, Oracle Linux 5

CPE : Common Platform Enumeration

Type          Count
Application   1
Application   89
Application   1
Os            2

OpenVAS Exploits

Date        Description
2012-06-21  Name: PHP version smaller than 5.2.1
            File: nvt/nopsec_php_5_2_1.nasl
2012-06-21  Name: PHP version smaller than 4.4.5
            File: nvt/nopsec_php_4_4_5.nasl
2010-04-23  Name: PHP 5.2.0 and Prior Versions Multiple Vulnerabilities
            File: nvt/gb_php_22496.nasl
2009-10-10  Name: SLES9: Security update for PHP4
            File: nvt/sles9p5009300.nasl
2009-10-10  Name: SLES9: Security update for PHP4
            File: nvt/sles9p5017282.nasl
2009-04-09  Name: Mandriva Update for php MDKSA-2007:048 (php)
            File: nvt/gb_mandriva_MDKSA_2007_048.nasl
2009-03-23  Name: Ubuntu Update for php5 vulnerabilities USN-424-1
            File: nvt/gb_ubuntu_USN_424_1.nasl
2009-03-23  Name: Ubuntu Update for php5 regression USN-424-2
            File: nvt/gb_ubuntu_USN_424_2.nasl
2009-02-27  Name: Fedora Update for php FEDORA-2007-261
            File: nvt/gb_fedora_2007_261_php_fc6.nasl
2009-02-27  Name: Fedora Update for php FEDORA-2007-455
            File: nvt/gb_fedora_2007_455_php_fc5.nasl
2009-02-27  Name: Fedora Update for php FEDORA-2007-287
            File: nvt/gb_fedora_2007_287_php_fc5.nasl
2009-02-27  Name: Fedora Update for php FEDORA-2007-526
            File: nvt/gb_fedora_2007_526_php_fc5.nasl
2009-01-28  Name: SuSE Update for php4,php5 SUSE-SA:2007:020
            File: nvt/gb_suse_2007_020.nasl
2009-01-28  Name: SuSE Update for php4,php5 SUSE-SA:2007:032
            File: nvt/gb_suse_2007_032.nasl
2008-09-24  Name: Gentoo Security Advisory GLSA 200703-21 (php)
            File: nvt/glsa_200703_21.nasl
2008-09-04  Name: php -- multiple vulnerabilities
            File: nvt/freebsd_php5-imap.nasl
2008-01-17  Name: Debian Security Advisory DSA 1264-1 (php4)
            File: nvt/deb_1264_1.nasl
0000-00-00  Name: Slackware Advisory SSA:2007-053-01 php
            File: nvt/esoft_slk_ssa_2007_053_01.nasl

Open Source Vulnerability Database (OSVDB)

Id     Description
34715  PHP ibase_modify_user() Function Unspecified Overflow
34714  PHP ibase_add_user() Function Unspecified Overflow
34713  PHP ibase_delete_user() Function Unspecified Overflow
34712  PHP mail() Function Unspecified Overflow
34711  PHP str_replace() Function Unspecified Overflow
34710  PHP stream Filters Unspecified Overflow
34709  PHP sqlite Extension Unspecified Overflow
34708  PHP imap Extension Unspecified Overflow
34707  PHP zip Extension Unspecified Overflow
34706  PHP Session Extension Unspecified Overflow
32767  PHP sapi_header_op Function Underflow DoS
32766  PHP wddx Extension Unspecified Information Disclosure
32765  PHP odbc_result_all Function Format String
32764  PHP on 64-bit Multiple print Function Format String
32763  PHP Super-global Variable Unspecified Clobber
32762  PHP on 64-bit zend_hash_init Function Remote DoS
23767  PHP-Nuke mainfile.php Multiple Method SQL Injection Protection Bypass

Nessus® Vulnerability Scanner

Date        Description
2013-07-12  Name: The remote Oracle Linux host is missing one or more security updates.
            File: oraclelinux_ELSA-2007-0076.nasl - Type: ACT_GATHER_INFO
2007-12-13  Name: The remote SuSE 10 host is missing a security-related patch.
            File: suse_apache2-mod_php5-2684.nasl - Type: ACT_GATHER_INFO
2007-12-13  Name: The remote SuSE 10 host is missing a security-related patch.
            File: suse_apache2-mod_php5-3290.nasl - Type: ACT_GATHER_INFO
2007-12-13  Name: The remote SuSE 10 host is missing a security-related patch.
            File: suse_php5-3754.nasl - Type: ACT_GATHER_INFO
2007-11-10  Name: The remote Ubuntu host is missing one or more security-related patches.
            File: ubuntu_USN-424-1.nasl - Type: ACT_GATHER_INFO
2007-11-10  Name: The remote Ubuntu host is missing one or more security-related patches.
            File: ubuntu_USN-424-2.nasl - Type: ACT_GATHER_INFO
2007-10-17  Name: The remote SuSE system is missing the security patch apache2-mod_php5-3289
            File: suse_apache2-mod_php5-3289.nasl - Type: ACT_GATHER_INFO
2007-10-17  Name: The remote SuSE system is missing the security patch php5-2687
            File: suse_php5-2687.nasl - Type: ACT_GATHER_INFO
2007-10-17  Name: The remote SuSE system is missing the security patch php5-3745
            File: suse_php5-3745.nasl - Type: ACT_GATHER_INFO
2007-10-17  Name: The remote SuSE system is missing the security patch php5-3753
            File: suse_php5-3753.nasl - Type: ACT_GATHER_INFO
2007-05-25  Name: The remote Red Hat host is missing one or more security updates.
            File: redhat-RHSA-2007-0082.nasl - Type: ACT_GATHER_INFO
2007-04-02  Name: The remote web server uses a version of PHP that is affected by multiple flaws.
            File: php_4_4_5.nasl - Type: ACT_GATHER_INFO
2007-04-02  Name: The remote web server uses a version of PHP that is affected by multiple flaws.
            File: php_5_2_1.nasl - Type: ACT_GATHER_INFO
2007-03-26  Name: The remote Gentoo host is missing one or more security-related patches.
            File: gentoo_GLSA-200703-21.nasl - Type: ACT_GATHER_INFO
2007-03-12  Name: The remote Debian host is missing a security-related update.
            File: debian_DSA-1264.nasl - Type: ACT_GATHER_INFO
2007-02-27  Name: The remote Fedora Core host is missing a security update.
            File: fedora_2007-287.nasl - Type: ACT_GATHER_INFO
2007-02-23  Name: The remote Red Hat host is missing one or more security updates.
            File: redhat-RHSA-2007-0081.nasl - Type: ACT_GATHER_INFO
2007-02-23  Name: The remote Mandrake Linux host is missing one or more security updates.
            File: mandrake_MDKSA-2007-048.nasl - Type: ACT_GATHER_INFO
2007-02-23  Name: The remote Slackware host is missing a security update.
            File: Slackware_SSA_2007-053-01.nasl - Type: ACT_GATHER_INFO
2007-02-23  Name: The remote Fedora Core host is missing a security update.
            File: fedora_2007-261.nasl - Type: ACT_GATHER_INFO
2007-02-21  Name: The remote CentOS host is missing one or more security updates.
            File: centos_RHSA-2007-0076.nasl - Type: ACT_GATHER_INFO
2007-02-21  Name: The remote Red Hat host is missing one or more security updates.
            File: redhat-RHSA-2007-0076.nasl - Type: ACT_GATHER_INFO
2007-02-18  Name: The remote FreeBSD host is missing one or more security-related updates.
            File: freebsd_pkg_7fcf1727be7111dbb2ec000c6ec775d9.nasl - Type: ACT_GATHER_INFO

Alert History

Date                 Information
2014-02-17 11:26:31  Multiple Updates