CERT-In Advisory CIAD-2007-15
PHP Import_Request_Variables, MSSQL_Connect, SNMPGet(), shmop(), Reference Counter and PHP-Nuke SQL Injection vulnerabilities
Original issue date: March 26, 2007
Severity Rating: High
Systems Affected
- PHP versions 5.x
- PHP versions 4.x
- PHP Nuke 8.0 and prior
Overview
Multiple vulnerabilities have been reported in PHP which could be exploited by remote attackers to bypass security restrictions or possibly execute arbitrary code on the affected system, thereby compromising it.
Description
1. Import_Request_Variables Arbitrary Variable Overwrite Vulnerability (CVE-2007-1396)
An arbitrary variable overwrite vulnerability has been reported in PHP. When the import_request_variables function is called without a prefix, it does not prevent the GET, POST, COOKIE, FILES, SERVER, SESSION and other superglobals from being overwritten. Remote attackers could exploit this to spoof the source IP address, cause a denial of service, and compromise vulnerable applications.
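As an added example, not part of the advisory, the vulnerable calling pattern behind CVE-2007-1396 beside a hardened form and a pre-import guard; the function names and the allow-list are assumptions, and import_request_variables() itself only exists in PHP 4 and 5.x up to 5.3.

```php
<?php
// Added example (not from the advisory). Assumed context: a script that
// keys an access decision on $_SERVER['REMOTE_ADDR'] after importing
// request variables into the global scope.

// --- Vulnerable pattern: no prefix -------------------------------------
// Called without a prefix, import_request_variables() registers every
// GET/POST/COOKIE name as a global verbatim. Names such as "_SERVER" are
// not filtered, so a request can replace the superglobal and with it the
// peer address this function returns.
function lookup_client_vulnerable(): string
{
    import_request_variables('GPC');          // no prefix: unsafe
    return $_SERVER['REMOTE_ADDR'];           // may no longer be the real peer
}

// --- Hardened form: capture first, import with a prefix ----------------
// Every imported name becomes "req_<name>", which cannot collide with a
// superglobal; the peer address is copied before any import runs.
function lookup_client_hardened(): string
{
    $peer = $_SERVER['REMOTE_ADDR'];          // taken before any import
    import_request_variables('GPC', 'req_');  // prefixed: cannot shadow $_SERVER
    return $peer;
}

// --- Guard: refuse requests that carry a superglobal's name -------------
// Useful as a detection hook or pre-import check on code that cannot
// yet drop the unprefixed call. Returns the offending names, if any.
function superglobal_keys(array $params): array
{
    static $reserved = ['GLOBALS', '_GET', '_POST', '_COOKIE', '_FILES',
                        '_SERVER', '_SESSION', '_REQUEST', '_ENV'];
    return array_values(array_intersect(array_keys($params), $reserved));
}

function is_trusted_peer(string $addr, array $allow): bool
{
    return in_array($addr, $allow, true);
}

// Usage (assumed allow-list):
$bad = superglobal_keys($_GET + $_POST + $_COOKIE);
if ($bad !== []) {
    error_log('rejected request: reserved parameter names ' . implode(',', $bad));
    http_response_code(400);
    exit;
}
$trusted = is_trusted_peer(lookup_client_hardened(), ['192.0.2.10']);
```

The guard runs before any import so a request attempting to shadow $_SERVER is logged and rejected rather than silently accepted.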
2. MSSQL_Connect Buffer Overflow Vulnerability in PHP (CVE-2007-1411)
A buffer overflow vulnerability has been reported in PHP which could allow a local and possibly remote attacker to execute arbitrary code via long server name arguments passed to the mssql_connect and mssql_pconnect functions.
3. SNMPGet Function Local Buffer Overflow Vulnerability in PHP (CVE-2007-1413)
A buffer overflow vulnerability has been reported in the snmpget function of the snmp extension in PHP which could allow a context-dependent remote attacker to execute arbitrary code via a long value in the third argument (object id).
4. PHP shmop Function Arbitrary Code Execution Vulnerability (CVE-2007-1376)
The shared memory function (shmop) in PHP fails to verify that the resource supplied is a shmop resource. This vulnerability could allow a context-dependent attacker to execute arbitrary code at shared memory addresses via a wrong resource argument.
5. PHP Reference Counter Integer Overflow Vulnerability (CVE-2007-1383)
An integer overflow vulnerability has been reported in PHP 4 due to an error in the boundary check of the 16-bit variable reference counter, which allows the counter to be overflowed and results in a double destruction of the same variable. A local attacker can exploit this vulnerability to execute arbitrary code.
6. SQL Injection Vulnerability in PHP-Nuke (CVE-2007-1450)
A SQL injection vulnerability has been reported in PHP-Nuke in mainfile.php due to its failure to sufficiently sanitize user-supplied input. An attacker can exploit this vulnerability to execute arbitrary SQL commands in the Top or News module via the lang parameter. Successful exploitation can compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.
Solution
Upgrade to the latest version provided by the vendor.
http://www.php.net/downloads.php
References
PHP
http://www.php-security.org/MOPB/MOPB-15-2007.html
FrSIRT
http://www.frsirt.com/english/advisories/2007/0546
Security Focus
http://www.securityfocus.com/bid/22886
http://www.securityfocus.com/bid/22832
http://www.securityfocus.com/bid/22893
http://www.securityfocus.com/bid/22862
http://www.securityfocus.com/bid/22909
US-CERT
http://www.us-cert.gov/cas/bulletins/SB07-078.html
CVE Name
CVE-2007-1396
CVE-2007-1411
CVE-2007-1413
CVE-2007-1376
CVE-2007-1383
CVE-2007-1450
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003