Executive Summary

Summary
Title PHP vulnerabilities
Informations
NameUSN-424-1First vendor Publication2007-02-21
VendorUbuntuLast vendor Modification2007-02-21
Severity (Vendor) N/ARevisionN/A

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score10Attack RangeNetwork
Cvss Impact Score10Attack ComplexityLow
Cvss Expoit Score10AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

A security issue affects the following Ubuntu releases:

Ubuntu 5.10 Ubuntu 6.06 LTS Ubuntu 6.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 5.10:
libapache2-mod-php5 5.0.5-2ubuntu1.7
php5-cgi 5.0.5-2ubuntu1.7
php5-cli 5.0.5-2ubuntu1.7
php5-common 5.0.5-2ubuntu1.7
php5-odbc 5.0.5-2ubuntu1.7

Ubuntu 6.06 LTS:
libapache2-mod-php5 5.1.2-1ubuntu3.5
php5-cgi 5.1.2-1ubuntu3.5
php5-cli 5.1.2-1ubuntu3.5
php5-common 5.1.2-1ubuntu3.5
php5-odbc 5.1.2-1ubuntu3.5

Ubuntu 6.10:
libapache2-mod-php5 5.1.6-1ubuntu2.2
php5-cgi 5.1.6-1ubuntu2.2
php5-cli 5.1.6-1ubuntu2.2
php5-common 5.1.6-1ubuntu2.2
php5-odbc 5.1.6-1ubuntu2.2

After a standard system upgrade you need to restart Apache or reboot your computer to effect the necessary changes.

Details follow:

Multiple buffer overflows have been discovered in various PHP modules. If a PHP application processes untrusted data with functions of the session or zip module, or various string functions, a remote attacker could exploit this to execute arbitrary code with the privileges of the web server. (CVE-2007-0906)

The sapi_header_op() function had a buffer underflow that could be exploited to crash the PHP interpreter. (CVE-2007-0907)

The wddx unserialization handler did not correctly check for some buffer boundaries and had an uninitialized variable. By unserializing untrusted data, this could be exploited to expose memory regions that were not meant to be accessible. Depending on the PHP application this could lead to disclosure of potentially sensitive information. (CVE-2007-0908)

On 64 bit systems (the amd64 and sparc platforms), various print functions and the odbc_result_all() were susceptible to a format string vulnerability. A remote attacker could exploit this to execute arbitrary code with the privileges of the web server. (CVE-2007-0909)

Under certain circumstances it was possible to overwrite superglobal variables (like the HTTP GET/POST arrays) with crafted session data. (CVE-2007-0910)

When unserializing untrusted data on 64-bit platforms the zend_hash_init() function could be forced to enter an infinite loop, consuming CPU resources, for a limited length of time, until the script timeout alarm aborts the script. (CVE-2007-0988)

Original Source

Url : http://www.ubuntu.com/usn/USN-424-1

CWE : Common Weakness Enumeration

idName
CWE-119Failure to Constrain Operations within the Bounds of a Memory Buffer
CWE-20Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:8992
 
Oval ID: oval:org.mitre.oval:def:8992
Title: Multiple buffer overflows in PHP before 5.2.1 allow attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors in the (1) session, (2) zip, (3) imap, and (4) sqlite extensions; (5) stream filters; and the (6) str_replace, (7) mail, (8) ibase_delete_user, (9) ibase_add_user, and (10) ibase_modify_user functions. NOTE: vector 6 might actually be an integer overflow (CVE-2007-1885). NOTE: as of 20070411, vector (3) might involve the imap_mail_compose function (CVE-2007-1825).
Description: Multiple buffer overflows in PHP before 5.2.1 allow attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors in the (1) session, (2) zip, (3) imap, and (4) sqlite extensions; (5) stream filters; and the (6) str_replace, (7) mail, (8) ibase_delete_user, (9) ibase_add_user, and (10) ibase_modify_user functions. NOTE: vector 6 might actually be an integer overflow (CVE-2007-1885). NOTE: as of 20070411, vector (3) might involve the imap_mail_compose function (CVE-2007-1825).
Family: unix Class: vulnerability
Reference(s): CVE-2007-0906
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11321
 
Oval ID: oval:org.mitre.oval:def:11321
Title: Buffer underflow in PHP before 5.2.1 allows attackers to cause a denial of service via unspecified vectors involving the sapi_header_op function.
Description: Buffer underflow in PHP before 5.2.1 allows attackers to cause a denial of service via unspecified vectors involving the sapi_header_op function.
Family: unix Class: vulnerability
Reference(s): CVE-2007-0907
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11185
 
Oval ID: oval:org.mitre.oval:def:11185
Title: The WDDX deserializer in the wddx extension in PHP 5 before 5.2.1 and PHP 4 before 4.4.5 does not properly initialize the key_length variable for a numerical key, which allows context-dependent attackers to read stack memory via a wddxPacket element that contains a variable with a string name before a numerical variable.
Description: The WDDX deserializer in the wddx extension in PHP 5 before 5.2.1 and PHP 4 before 4.4.5 does not properly initialize the key_length variable for a numerical key, which allows context-dependent attackers to read stack memory via a wddxPacket element that contains a variable with a string name before a numerical variable.
Family: unix Class: vulnerability
Reference(s): CVE-2007-0908
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:9722
 
Oval ID: oval:org.mitre.oval:def:9722
Title: Multiple format string vulnerabilities in PHP before 5.2.1 might allow attackers to execute arbitrary code via format string specifiers to (1) all of the *print functions on 64-bit systems, and (2) the odbc_result_all function.
Description: Multiple format string vulnerabilities in PHP before 5.2.1 might allow attackers to execute arbitrary code via format string specifiers to (1) all of the *print functions on 64-bit systems, and (2) the odbc_result_all function.
Family: unix Class: vulnerability
Reference(s): CVE-2007-0909
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:9514
 
Oval ID: oval:org.mitre.oval:def:9514
Title: Unspecified vulnerability in PHP before 5.2.1 allows attackers to "clobber" certain super-global variables via unspecified vectors.
Description: Unspecified vulnerability in PHP before 5.2.1 allows attackers to "clobber" certain super-global variables via unspecified vectors.
Family: unix Class: vulnerability
Reference(s): CVE-2007-0910
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11092
 
Oval ID: oval:org.mitre.oval:def:11092
Title: The zend_hash_init function in PHP 5 before 5.2.1 and PHP 4 before 4.4.5, when running on a 64-bit platform, allows context-dependent attackers to cause a denial of service (infinite loop) by unserializing certain integer expressions, which only cause 32-bit arguments to be used after the check for a negative value, as demonstrated by an "a:2147483649:{" argument.
Description: The zend_hash_init function in PHP 5 before 5.2.1 and PHP 4 before 4.4.5, when running on a 64-bit platform, allows context-dependent attackers to cause a denial of service (infinite loop) by unserializing certain integer expressions, which only cause 32-bit arguments to be used after the check for a negative value, as demonstrated by an "a:2147483649:{" argument.
Family: unix Class: vulnerability
Reference(s): CVE-2007-0988
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application89
Application1
Os2

OpenVAS Exploits

DateDescription
2012-06-21Name : PHP version smaller than 5.2.1
File : nvt/nopsec_php_5_2_1.nasl
2012-06-21Name : PHP version smaller than 4.4.5
File : nvt/nopsec_php_4_4_5.nasl
2010-04-23Name : PHP 5.2.0 and Prior Versions Multiple Vulnerabilities
File : nvt/gb_php_22496.nasl
2009-10-10Name : SLES9: Security update for PHP4
File : nvt/sles9p5009300.nasl
2009-10-10Name : SLES9: Security update for PHP4
File : nvt/sles9p5017282.nasl
2009-04-09Name : Mandriva Update for php MDKSA-2007:048 (php)
File : nvt/gb_mandriva_MDKSA_2007_048.nasl
2009-03-23Name : Ubuntu Update for php5 vulnerabilities USN-424-1
File : nvt/gb_ubuntu_USN_424_1.nasl
2009-03-23Name : Ubuntu Update for php5 regression USN-424-2
File : nvt/gb_ubuntu_USN_424_2.nasl
2009-02-27Name : Fedora Update for php FEDORA-2007-261
File : nvt/gb_fedora_2007_261_php_fc6.nasl
2009-02-27Name : Fedora Update for php FEDORA-2007-455
File : nvt/gb_fedora_2007_455_php_fc5.nasl
2009-02-27Name : Fedora Update for php FEDORA-2007-287
File : nvt/gb_fedora_2007_287_php_fc5.nasl
2009-02-27Name : Fedora Update for php FEDORA-2007-526
File : nvt/gb_fedora_2007_526_php_fc5.nasl
2009-01-28Name : SuSE Update for php4,php5 SUSE-SA:2007:020
File : nvt/gb_suse_2007_020.nasl
2009-01-28Name : SuSE Update for php4,php5 SUSE-SA:2007:032
File : nvt/gb_suse_2007_032.nasl
2008-09-24Name : Gentoo Security Advisory GLSA 200703-21 (php)
File : nvt/glsa_200703_21.nasl
2008-09-04Name : php -- multiple vulnerabilities
File : nvt/freebsd_php5-imap.nasl
2008-01-17Name : Debian Security Advisory DSA 1264-1 (php4)
File : nvt/deb_1264_1.nasl
0000-00-00Name : Slackware Advisory SSA:2007-053-01 php
File : nvt/esoft_slk_ssa_2007_053_01.nasl

Open Source Vulnerability Database (OSVDB)

idDescription
34715PHP ibase_modify_user() Function Unspecified Overflow
34714PHP ibase_add_user() Function Unspecified Overflow
34713PHP ibase_delete_user() Function Unspecified Overflow
34712PHP mail() Function Unspecified Overflow
34711PHP str_replace() Function Unspecified Overflow
34710PHP stream Filters Unspecified Overflow
34709PHP sqlite Extension Unspecified Overflow
34708PHP imap Extension Unspecified Overflow
34707PHP zip Extension Unspecified Overflow
34706PHP Session Extension Unspecified Overflow
32767PHP sapi_header_op Function Underflow DoS
32766PHP wddx Extension Unspecified Information Disclosure
32765PHP odbc_result_all Function Format String
32764PHP on 64-bit Multiple print Function Format String
32763PHP Super-global Variable Unspecified Clobber
32762PHP on 64-bit zend_hash_init Function Remote DoS

Nessus® Vulnerability Scanner

DateDescription
2013-07-12Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2007-0076.nasl - Type : ACT_GATHER_INFO
2007-12-13Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_apache2-mod_php5-2684.nasl - Type : ACT_GATHER_INFO
2007-12-13Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_apache2-mod_php5-3290.nasl - Type : ACT_GATHER_INFO
2007-12-13Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_php5-3754.nasl - Type : ACT_GATHER_INFO
2007-11-10Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-424-1.nasl - Type : ACT_GATHER_INFO
2007-11-10Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-424-2.nasl - Type : ACT_GATHER_INFO
2007-10-17Name : The remote openSUSE host is missing a security update.
File : suse_apache2-mod_php5-3289.nasl - Type : ACT_GATHER_INFO
2007-10-17Name : The remote openSUSE host is missing a security update.
File : suse_php5-2687.nasl - Type : ACT_GATHER_INFO
2007-10-17Name : The remote openSUSE host is missing a security update.
File : suse_php5-3745.nasl - Type : ACT_GATHER_INFO
2007-10-17Name : The remote openSUSE host is missing a security update.
File : suse_php5-3753.nasl - Type : ACT_GATHER_INFO
2007-05-25Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2007-0082.nasl - Type : ACT_GATHER_INFO
2007-04-02Name : The remote web server uses a version of PHP that is affected by multiple flaws.
File : php_4_4_5.nasl - Type : ACT_GATHER_INFO
2007-04-02Name : The remote web server uses a version of PHP that is affected by multiple flaws.
File : php_5_2_1.nasl - Type : ACT_GATHER_INFO
2007-03-26Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-200703-21.nasl - Type : ACT_GATHER_INFO
2007-03-12Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1264.nasl - Type : ACT_GATHER_INFO
2007-02-27Name : The remote Fedora Core host is missing a security update.
File : fedora_2007-287.nasl - Type : ACT_GATHER_INFO
2007-02-23Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2007-0081.nasl - Type : ACT_GATHER_INFO
2007-02-23Name : The remote Mandrake Linux host is missing one or more security updates.
File : mandrake_MDKSA-2007-048.nasl - Type : ACT_GATHER_INFO
2007-02-23Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2007-053-01.nasl - Type : ACT_GATHER_INFO
2007-02-23Name : The remote Fedora Core host is missing a security update.
File : fedora_2007-261.nasl - Type : ACT_GATHER_INFO
2007-02-21Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2007-0076.nasl - Type : ACT_GATHER_INFO
2007-02-21Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2007-0076.nasl - Type : ACT_GATHER_INFO
2007-02-18Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_7fcf1727be7111dbb2ec000c6ec775d9.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
DateInformations
2014-02-17 12:04:10
  • Multiple Updates