DragonPrime - LoGD Resource Community
Welcome Guest
  • Good morning, Guest.
    Please log in, or register.
  • December 15, 2018, 09:57:49 AM
Home Forums News Downloads Login Register Advanced Search
* * *
DragonPrime Menu
Login
 
 
Resource Pages
Search

Pages: [1]   Go Down
  Print  
Author Topic: PHP Multiple Vulnerabilities  (Read 5518 times)
0 Members and 1 Guest are viewing this topic.
Jim
Guest
« on: December 16, 2004, 07:36:00 AM »

TITLE:
PHP Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA13481

VERIFY ADVISORY:
http://secunia.com/advisories/13481/

CRITICAL:
Highly critical

IMPACT:
Security Bypass, Exposure of sensitive information, Privilege
escalation, System access

WHERE:
From remote

SOFTWARE:
PHP 5.0.x
http://secunia.com/product/3919/
PHP 4.3.x
http://secunia.com/product/922/

DESCRIPTION:
Multiple vulnerabilities have been reported in PHP, which can be
exploited to gain escalated privileges, bypass certain security
restrictions, gain knowledge of sensitive information, or compromise
a vulnerable system.

1) An integer overflow in the "pack()" function can be exploited to
cause a heap-based buffer overflow by passing some specially crafted
parameters to the function.

Successful exploitation bypasses the safe_mode feature and allows
execution of arbitrary code with the privileges of the web server.

2) An integer overflow in the "unpack()" function can be exploited to
leak information stored on the heap by passing specially crafted
parameters to the function.

In combination with the first vulnerability, this may also allow
bypassing of heap canary protection mechanisms.

3) An error within safe_mode when executing commands can be exploited
to bypass the safe_mode_exec_dir restriction by injecting shell
commands into the current directory name.

Successful exploitation requires that PHP runs on a multi-threaded
Unix web server.

4) An error in safe_mode combined with certain implementations of
"realpath()" can be exploited to bypass safe_mode via a specially
crafted file path.

5) An error within the handling of file paths may potentially lead to
file inclusion vulnerabilities. The problem is that "realpath()",
which in some implementations truncate filenames,  is used in various
places to obtain the real path of a file.

6) Various errors within the deserialization code can be exploited to
disclose information or execute arbitrary code via specially crafted
strings passed to the "unserialize()" function.

7) An unspecified error in the "shmop_write()" function may result in
an attempt to write to an out-of-bounds memory location.

Cool An unspecified error in the "addslashes()" function causes it to
not escape "\0" correctly.

9) An unspecified boundary error exists in the "exif_read_data()"
function when handling long section names.

10) An unspecified error within "magic_quotes_gpc" may allow a
one-level directory traversal when uploading files.

NOTE: Other potential security issues have also been reported.

SOLUTION:
Update to version 4.3.10 or 5.0.3.
http://www.php.net/downloads.php

PROVIDED AND/OR DISCOVERED BY:
1-6) Stefan Esser
6) Martin Eiszner
7-10) Reported by vendor.

ORIGINAL ADVISORY:
PHP:
http://www.php.net/release_4_3_10.php

Stefan Esser:
http://www.hardened-php.net/advisories/012004.txt

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
Logged
Pages: [1]   Go Up
  Print  
 
Jump to:  


*
DragonPrime Notices
Welcome to DragonPrime - The LoGD Resource Community!

Support Us
No funds raised yet this year
Your help is greatly appreciated!
Recent Topics
DragonPrime LoGD
Who's Online
85 Guests, 1 User
Talisman
Home Forums News Downloads Login Register Advanced Search