Executive Summary
Summary | |
---|---|
Title | PHP vulnerabilities |
Informations | |||
---|---|---|---|
Name | USN-455-1 | First vendor Publication | 2007-04-27 |
Vendor | Ubuntu | Last vendor Modification | 2007-04-27 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:N/I:C/A:N) | |||
---|---|---|---|
Cvss Base Score | 7.8 | Attack Range | Network |
Cvss Impact Score | 6.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 6.10 Ubuntu 7.04 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: Ubuntu 6.10: Ubuntu 7.04: In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Stefan Esser discovered multiple vulnerabilities in the "Month of PHP bugs". The substr_compare() function did not sufficiently verify its length argument. This might be exploited to read otherwise unaccessible memory, which might lead to information disclosure. (CVE-2007-1375) The shared memory (shmop) functions did not verify resource types, thus they could be called with a wrong resource type that might contain user supplied data. This could be exploited to read and write arbitrary memory addresses of the PHP interpreter. This issue does not affect Ubuntu 7.04. (CVE-2007-1376) The php_binary handler of the session extension was missing a boundary check. When unserializing overly long variable names this could be exploited to read up to 126 bytes of memory, which might lead to information disclosure. (CVE-2007-1380) The internal array_user_key_compare() function, as used for example by the PHP function uksort(), incorrectly handled memory unreferencing of its arguments. This could have been exploited to execute arbitrary code with the privileges of the PHP interpreter, and thus circumventing any disable_functions, open_basedir, or safe_mode restrictions. (CVE-2007-1484) The session_regenerate_id() function did not properly clean up the former session identifier variable. This could be exploited to crash the PHP interpreter, possibly also remotely. (CVE-2007-1521) Under certain conditions the mb_parse_str() could cause the register_globals configuration option to become permanently enabled. This opened an attack vector for a large and common class of vulnerabilities. (CVE-2007-1583) The session extension did not set the correct reference count value for the session variables. By unsetting _SESSION and HTTP_SESSION_VARS (or tricking a PHP script into doing that) this could be exploited to execute arbitrary code with the privileges of the PHP interpreter. This issue does not affect Ubuntu 7.04. (CVE-2007-1700) The mail() function did not correctly escape control characters in multiline email headers. This could be remotely exploited to inject arbitrary email headers. (CVE-2007-1718) The php_stream_filter_create() function had an off-by-one buffer overflow in the handling of wildcards. This could be exploited to remotely crash the PHP interpreter. This issue does not affect Ubuntu 7.04. (CVE-2007-1824) When calling the sqlite_udf_decode_binary() with special arguments, a buffer overflow happened. Depending on the application this could be locally or remotely exploited to execute arbitrary code with the privileges of the PHP interpreter. (CVE-2007-1887 CVE-2007-1888) The FILTER_VALIDATE_EMAIL filter extension used a wrong regular expression that allowed injecting a newline character at the end of the email string. This could be exploited to inject arbitrary email headers. This issue only affects Ubuntu 7.04. (CVE-2007-1900) |
Original Source
Url : http://www.ubuntu.com/usn/USN-455-1 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE/SANS Top 25) |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:19944 | |||
Oval ID: | oval:org.mitre.oval:def:19944 | ||
Title: | DSA-1283-1 php5 | ||
Description: | Several remote vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language, which may lead to the execution of arbitrary code. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1283-1 CVE-2007-1286 CVE-2007-1375 CVE-2007-1376 CVE-2007-1380 CVE-2007-1453 CVE-2007-1454 CVE-2007-1521 CVE-2007-1583 CVE-2007-1700 CVE-2007-1711 CVE-2007-1718 CVE-2007-1777 CVE-2007-1824 CVE-2007-1887 CVE-2007-1889 CVE-2007-1900 | Version: | 5 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | php5 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:5348 | |||
Oval ID: | oval:org.mitre.oval:def:5348 | ||
Title: | HP-UX running Apache, Remote Arbitrary Code Execution, Cross Site Scripting (XSS) | ||
Description: | Buffer overflow in the sqlite_decode_binary function in the bundled sqlite library in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 allows context-dependent attackers to execute arbitrary code via an empty value of the in parameter, as demonstrated by calling the sqlite_udf_decode_binary function with a 0x01 character. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2007-1887 | Version: | 9 |
Platform(s): | HP-UX 11 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:6067 | |||
Oval ID: | oval:org.mitre.oval:def:6067 | ||
Title: | HP-UX running Apache, Remote Arbitrary Code Execution, Cross Site Scripting (XSS) | ||
Description: | CRLF injection vulnerability in the FILTER_VALIDATE_EMAIL filter in ext/filter in PHP 5.2.0 and 5.2.1 allows context-dependent attackers to inject arbitrary e-mail headers via an e-mail address with a '\n' character, which causes a regular expression to ignore the subsequent part of the address string. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2007-1900 | Version: | 9 |
Platform(s): | HP-UX 11 | Product(s): | |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-06-21 | Name : PHP version smaller than 5.2.3 File : nvt/nopsec_php_5_2_3.nasl |
2012-06-21 | Name : PHP version smaller than 5.2.1 File : nvt/nopsec_php_5_2_1.nasl |
2012-06-21 | Name : PHP version smaller than 5.2.0 File : nvt/nopsec_php_5_2_0.nasl |
2012-06-21 | Name : PHP version smaller than 4.4.5 File : nvt/nopsec_php_4_4_5.nasl |
2010-04-23 | Name : PHP Session Data Deserialization Arbitrary Code Execution Vulnerability File : nvt/gb_php_23120.nasl |
2010-04-23 | Name : PHP Shared Memory Functions Resource Verification Arbitrary Code Execution Vu... File : nvt/gb_php_22862.nasl |
2010-04-23 | Name : PHP PHP_Binary Heap Information Leak Vulnerability File : nvt/gb_php_22805.nasl |
2010-04-21 | Name : PHP sqlite_udf_decode_binary() Function Buffer Overflow Vulnerability File : nvt/gb_php_23235.nasl |
2009-11-17 | Name : Mac OS X Version File : nvt/macosx_version.nasl |
2009-10-10 | Name : SLES9: Security update for PHP4 File : nvt/sles9p5017282.nasl |
2009-05-05 | Name : HP-UX Update for Apache HPSBUX02262 File : nvt/gb_hp_ux_HPSBUX02262.nasl |
2009-04-09 | Name : Mandriva Update for php MDKSA-2007:187 (php) File : nvt/gb_mandriva_MDKSA_2007_187.nasl |
2009-04-09 | Name : Mandriva Update for php MDKSA-2007:090 (php) File : nvt/gb_mandriva_MDKSA_2007_090.nasl |
2009-04-09 | Name : Mandriva Update for php MDKSA-2007:089 (php) File : nvt/gb_mandriva_MDKSA_2007_089.nasl |
2009-04-09 | Name : Mandriva Update for sqlite MDKSA-2007:091 (sqlite) File : nvt/gb_mandriva_MDKSA_2007_091.nasl |
2009-03-23 | Name : Ubuntu Update for php5 vulnerabilities USN-455-1 File : nvt/gb_ubuntu_USN_455_1.nasl |
2009-02-27 | Name : Fedora Update for php FEDORA-2007-526 File : nvt/gb_fedora_2007_526_php_fc5.nasl |
2009-02-27 | Name : Fedora Update for php FEDORA-2007-2215 File : nvt/gb_fedora_2007_2215_php_fc7.nasl |
2009-02-27 | Name : Fedora Update for php FEDORA-2007-415 File : nvt/gb_fedora_2007_415_php_fc6.nasl |
2009-02-27 | Name : Fedora Update for php FEDORA-2007-455 File : nvt/gb_fedora_2007_455_php_fc5.nasl |
2009-01-28 | Name : SuSE Update for php4,php5 SUSE-SA:2007:020 File : nvt/gb_suse_2007_020.nasl |
2009-01-28 | Name : SuSE Update for php4,php5 SUSE-SA:2007:032 File : nvt/gb_suse_2007_032.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200703-21 (php) File : nvt/glsa_200703_21.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200710-02 (php) File : nvt/glsa_200710_02.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200705-19 (php) File : nvt/glsa_200705_19.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1283-1 (php5) File : nvt/deb_1283_1.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1282-1 (php4) File : nvt/deb_1282_1.nasl |
0000-00-00 | Name : Slackware Advisory SSA:2007-152-01 php5 File : nvt/esoft_slk_ssa_2007_152_01.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
39177 | SQlite src/encode.c sqlite_decode_binary Function Overflow |
33962 | PHP ext/filter FILTER_VALIDATE_EMAIL Newline Injection PHP's ext/filter extension contains a flaw that may allow a malicious user to inject specially crafted mail headers. The issue is triggered due to the FILTER_VALIDATE_EMAIL function using an incorrect regular expression which can be trivially bypassed. By using a newline character, an attacker could potentially use this to send unsolicited e-mail from the host. |
33959 | PHP php_stream_filter_create() Function php://filter Off-by-one Overflow |
33958 | PHP sqlite Library sqlite_udf_decode_binary() Function Overflow PHP contains a flaw that may allow a context-dependent attacker to gain elevated privileges. The issue is due to the in parameter of the sqlite_decode_binary function in the bundled sqlite library not properly sanitizing user-supplied input. By supplying crafted input, an attacker can trigger a buffer overflow and potentially execute arbitrary code. |
33948 | PHP mail() Function Arbitrary Mail Sending PHP contains a flaw that may allow a remote attacker to manipulate mail functionality. The issue is due to mail function not properly sanitizing user-supplied input. By supplying CRLF (newline) characters, an attacker can inject arbitrary e-mail headers which may allow them to send mail to arbitrary hosts by supplying a control character after a Subject: or TO: parameter. |
33944 | PHP _SESSION unset() Hashtable Manipulation Arbitrary Code Execution PHP contains a flaw that may allow context-dependent attackers to gain elevated privileges. The issue is due to the session extension not properly calculating the reference count for session variables. This may allow an attacker to use a crafted string in the session_register function after unsetting global session variables, thus manipulating the session data Hashtable. |
33940 | PHP mb_parse_str() register_globals Functionality Invocation PHP contains a flaw that may allow a remote attacker to bypass security restrictions. The issue is due to the mb_parse_str function setting the internal register_globals flag but not properly disabling it in some cases when a script terminates. This may allow an attacker to execute a PHP script with register_globals functionality. |
33938 | PHP array_user_key_compare() Double DTOR Arbitrary Code Execution PHP contains a flaw that may allow local users to bypass security restrictions and elevate privileges. The issue is due to the array_user_key_compare function making a double call to zval_dtor. This may allow an attacker to bypass the safe_mode security restriction, corrupt system memory and ultimately execute arbitrary code. |
33936 | PHP session_regenerate_id() Function Double-free Arbitrary Code Execution PHP contains a flaw that may allow a context-dependent attacker to gain elevated privileges. The issue occurs when an attacker interrupts the session_regenerate_id function (i.e. by calling a userspace error handler) which triggers a double free. This may allow an attacker to execute arbitrary code. |
32781 | PHP shmop Function Arbitrary Memory Manipulation PHP contains a flaw that may allow a malicious user to access arbitrary memory addresses. The issue is due to the shared memory (shmop) function failing to verify if the type of resource supplied is a shmop resource. By using other types of resources it is possible to read and write to shared memory addresses resulting in a loss of integrity and/or availability. |
32780 | PHP substr_compare() Function Arbitrary Memory Disclosure An information leak vulnerability exists in PHP. An integer overflow which occurs while performing sanity checks on the input parameters to the substr_compare() function makes it possible to compare offsets outside of the allocated buffer. This allows memory access outside the buffer and the retrieval of sensitive information, leading to a loss of confidentiality. |
32776 | PHP Session Extension php_binary Heap Information Disclosure The php_binary serialization handler in the PHP session extension is missing a boundary check and may lead to an unauthorized information disclosure. The condition is triggered during the extraction of an overly long php_binary session data format variable name, which will disclose up to 126 bytes of heap data into PHP variables, resulting in a loss of confidentiality. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2014-10-10 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL7859.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2007-0155.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2007-0076.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2007-090.nasl - Type : ACT_GATHER_INFO |
2008-03-25 | Name : The remote web server uses a version of PHP that is affected by multiple buff... File : php_5_2_0.nasl - Type : ACT_GATHER_INFO |
2007-12-13 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_apache2-mod_php5-3290.nasl - Type : ACT_GATHER_INFO |
2007-11-10 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-455-1.nasl - Type : ACT_GATHER_INFO |
2007-11-06 | Name : The remote Fedora host is missing a security update. File : fedora_2007-2215.nasl - Type : ACT_GATHER_INFO |
2007-10-17 | Name : The remote openSUSE host is missing a security update. File : suse_apache2-mod_php5-3289.nasl - Type : ACT_GATHER_INFO |
2007-10-09 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200710-02.nasl - Type : ACT_GATHER_INFO |
2007-09-24 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2007-187.nasl - Type : ACT_GATHER_INFO |
2007-08-02 | Name : The remote host is missing a Mac OS X update that fixes various security issues. File : macosx_SecUpd2007-007.nasl - Type : ACT_GATHER_INFO |
2007-06-04 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2007-152-01.nasl - Type : ACT_GATHER_INFO |
2007-06-02 | Name : The remote web server uses a version of PHP that is affected by multiple flaws. File : php_5_2_3.nasl - Type : ACT_GATHER_INFO |
2007-05-29 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200705-19.nasl - Type : ACT_GATHER_INFO |
2007-05-25 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-0153.nasl - Type : ACT_GATHER_INFO |
2007-05-25 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-0082.nasl - Type : ACT_GATHER_INFO |
2007-05-04 | Name : The remote web server uses a version of PHP that is affected by multiple flaws. File : php_4_4_7_or_5_2_2.nasl - Type : ACT_GATHER_INFO |
2007-04-30 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1283.nasl - Type : ACT_GATHER_INFO |
2007-04-30 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2007-0153.nasl - Type : ACT_GATHER_INFO |
2007-04-30 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1282.nasl - Type : ACT_GATHER_INFO |
2007-04-30 | Name : The remote Fedora Core host is missing a security update. File : fedora_2007-455.nasl - Type : ACT_GATHER_INFO |
2007-04-30 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2007-091.nasl - Type : ACT_GATHER_INFO |
2007-04-30 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2007-089.nasl - Type : ACT_GATHER_INFO |
2007-04-19 | Name : The remote Fedora Core host is missing a security update. File : fedora_2007-415.nasl - Type : ACT_GATHER_INFO |
2007-04-19 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-0155.nasl - Type : ACT_GATHER_INFO |
2007-04-19 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2007-0155.nasl - Type : ACT_GATHER_INFO |
2007-04-02 | Name : The remote web server uses a version of PHP that is affected by multiple flaws. File : php_4_4_5.nasl - Type : ACT_GATHER_INFO |
2007-04-02 | Name : The remote web server uses a version of PHP that is affected by multiple flaws. File : php_5_2_1.nasl - Type : ACT_GATHER_INFO |
2007-03-26 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200703-21.nasl - Type : ACT_GATHER_INFO |
2007-02-23 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-0081.nasl - Type : ACT_GATHER_INFO |
2007-02-23 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2007-048.nasl - Type : ACT_GATHER_INFO |
2007-02-21 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-0076.nasl - Type : ACT_GATHER_INFO |
2007-02-21 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2007-0076.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 12:04:20 |
|