CERT-In Advisory CIAD-2007-09
Multiple vulnerabilities in PHP and SpamAssassin

Original issue date: February 21, 2007

Severity Rating: High

Systems Affected

  • PHP versions 5.x
  • PHP versions 4.x
  • SpamAssassin 3.x

Overview

Multiple vulnerabilities have been reported in PHP which could be exploited by remote attackers to compromise a vulnerable system, bypass security restrictions or possibly execute arbitrary code on the affected system.

Description

1. Buffer overflow vulnerability in the PHP session extension ( CVE-2007-0906 )

A buffer overflow vulnerability has been reported in the PHP session extension and in the str_replace() and imap_mail_compose() functions.

If very long strings under the control of an attacker are passed to the str_replace() function, an integer overflow could occur in memory allocation. If a script uses the imap_mail_compose() function to create a new MIME message based on an input body from an untrusted source, it could result in a heap overflow.

This could be exploited by a remote attacker to execute arbitrary code as the 'apache' user.
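
The class of defect described for str_replace() above, shown as an added example that is not part of the advisory and is not PHP's source code: a replacement routine computes its result size from attacker-influenced lengths, and the unchecked arithmetic wraps while the checked form refuses. The function names, the use of size_t and the sample lengths are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count non-overlapping occurrences of needle in hay (0 if needle is empty). */
static size_t count_occ(const char *hay, size_t hlen, const char *needle, size_t nlen) {
    size_t n = 0, i = 0;
    while (nlen && i + nlen <= hlen) {
        if (memcmp(hay + i, needle, nlen) == 0) { n++; i += nlen; } else i++;
    }
    return n;
}

/* Unchecked size arithmetic: count * rlen wraps silently past SIZE_MAX. */
size_t result_len_unchecked(size_t hlen, size_t count, size_t nlen, size_t rlen) {
    return hlen - count * nlen + count * rlen;
}

/* Checked form: 0 and *out set on success, -1 if the size cannot be represented. */
int result_len_checked(size_t hlen, size_t count, size_t nlen, size_t rlen, size_t *out) {
    if (nlen != 0 && count > hlen / nlen) return -1;   /* inconsistent inputs */
    size_t kept = hlen - count * nlen;                 /* bytes copied unchanged */
    if (rlen != 0 && count > (SIZE_MAX - kept) / rlen) return -1;
    *out = kept + count * rlen;
    return 0;
}

/* Replace using the checked size; NULL on overflow or allocation failure. */
char *replace_checked(const char *hay, const char *needle, const char *repl) {
    size_t hlen = strlen(hay), nlen = strlen(needle), rlen = strlen(repl), total;
    size_t count = count_occ(hay, hlen, needle, nlen);
    if (result_len_checked(hlen, count, nlen, rlen, &total) != 0 || total == SIZE_MAX) return NULL;
    char *out = malloc(total + 1), *p = out;
    if (!out) return NULL;
    for (size_t i = 0; i < hlen; ) {
        if (nlen && i + nlen <= hlen && memcmp(hay + i, needle, nlen) == 0) {
            memcpy(p, repl, rlen); p += rlen; i += nlen;
        } else *p++ = hay[i++];
    }
    *p = '\0';
    return out;
}

int main(void) {
    size_t half = (size_t)1 << (sizeof(size_t) * 4), len = 0; /* constructed lengths */
    printf("unchecked=%zu checked=%d\n", result_len_unchecked(half, half, 1, half),
           result_len_checked(half, half, 1, half, &len));
    return 0;
}
```

With the constructed lengths the unchecked computation yields 0, so a buffer sized from it would be far smaller than the data later copied into it, which is how an integer overflow in allocation becomes a heap overflow.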

2. Buffer underflow vulnerability in PHP ( CVE-2007-0907 )

A buffer underflow vulnerability has been reported in PHP before 5.2.1 which could allow a remote attacker to cause a denial of service via unspecified vectors involving the sapi_header_op function.

3. Vulnerability in WDDX extension in PHP ( CVE-2007-0908 )

If the WDDX extension is used to import WDDX data from an untrusted source, certain WDDX input packets may allow a remote attacker to expose a random portion of heap memory and obtain sensitive information via unspecified vectors.

4. Format String vulnerabilities in PHP ( CVE-2007-0909 )

Multiple format string vulnerabilities have been reported in PHP due to an input validation error, which allow remote attackers to execute arbitrary code via format string specifiers in the *print() functions on 64-bit systems and in the odbc_result_all() function.

5. Unspecified vulnerability in PHP ( CVE-2007-0910 )

An unspecified vulnerability has been reported in PHP which could allow a remote attacker to clobber certain superglobal variables via unspecified vectors.

6. SpamAssassin denial of service vulnerability via overly long URIs ( CVE-2007-0451 )

A vulnerability has been reported in SpamAssassin due to an unspecified error. A remote attacker could exploit this vulnerability via long URIs in the email message content to cause a denial of service (DoS) on the affected system.

Solution

Upgrade to the latest version.
http://www.php.net/downloads.php

Vendor Information

PHP
http://www.php.net/releases/5_2_1.php
http://www.php.net/releases/4_4_5.php

Original Advisory
http://svn.apache.org/repos/asf/spamassassin/branches/3.1/build/announcements/3.1.8.txt



References

RedHat
http://rhn.redhat.com/errata/RHSA-2007-0076.html

FrSIRT
http://www.frsirt.com/english/advisories/2007/0546

Secunia
http://secunia.com/advisories/24089/
http://secunia.com/advisories/24197/

Security Focus
http://www.securityfocus.com/bid/21968

CVE Name
CVE-2007-0906
CVE-2007-0907
CVE-2007-0908
CVE-2007-0909
CVE-2007-0910
CVE-2007-0451

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003