CERT-In Advisory CIAD-2007-48
Multiple Vulnerabilities in PHP
Original issue date: September 11, 2007
Severity Rating: High
Systems Affected
- PHP versions prior to 5.2.4
Overview
Multiple vulnerabilities have been reported in PHP which could be exploited by remote or local attackers to compromise a vulnerable system, bypass security restrictions or possibly execute arbitrary code on the affected system.
Description
1. gdImageCopyResized(), gdImageCreate(), gdImageCreateTrueColor() Integer Overflow Vulnerabilities
( CVE-2007-3996 )
Multiple integer overflow vulnerabilities have been reported in libgd in PHP due to the passing of overly large parameters to the gdImageCopyResized(), gdImageCreate() and gdImageCreateTrueColor() functions in ext/gd/libgd/gd.c. A remote attacker could exploit the vulnerabilities to cause a denial of service (application crash) or execute arbitrary code on the affected system.
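An added illustration, not code from PHP or libgd, of the arithmetic behind item 1: an image buffer size computed as width * height * bytes-per-pixel wraps for overly large dimensions, so a far too small buffer is requested; the checked variant rejects such inputs before multiplying. Function names and the constructed inputs are assumptions of this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked size arithmetic in the shape the advisory describes:
   computed in 32-bit unsigned arithmetic, the product wraps modulo 2^32
   for large dimensions (e.g. 65536 * 65536 * 1 == 0). */
uint32_t unchecked_image_bytes32(uint32_t sx, uint32_t sy, uint32_t bpp) {
    return sx * sy * bpp; /* silent wrap: undersized allocation follows */
}

/* Hardened form (hypothetical name, not libgd's own code): validates the
   dimensions and refuses any product that would not fit in size_t,
   testing with division before the multiplication ever happens. */
bool checked_image_bytes(long sx, long sy, size_t bpp, size_t *out) {
    if (sx <= 0 || sy <= 0 || bpp == 0 || out == NULL)
        return false; /* non-positive dimensions are never a valid image */
    size_t w = (size_t)sx, h = (size_t)sy;
    if (w > SIZE_MAX / h)
        return false; /* w * h would overflow */
    size_t pixels = w * h;
    if (pixels > SIZE_MAX / bpp)
        return false; /* pixels * bpp would overflow */
    *out = pixels * bpp;
    return true;
}

/* Stand-alone demonstration on constructed inputs. */
int main(void) {
    size_t n = 0;
    printf("unchecked 65536x65536x1 -> %u bytes\n",
           (unsigned)unchecked_image_bytes32(65536u, 65536u, 1u));
    printf("checked 1000x1000x4 -> %s (%zu bytes)\n",
           checked_image_bytes(1000, 1000, 4, &n) ? "ok" : "rejected", n);
    printf("checked LONG_MAX x 2 x 4 -> %s\n",
           checked_image_bytes(LONG_MAX, 2, 4, &n) ? "ok" : "rejected");
    return 0;
}
```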
2. PHP MySQL/MySQLi extensions safe_mode and open_basedir Bypass Vulnerability
( CVE-2007-3997 )
A vulnerability has been reported in PHP's MySQL and MySQLi extensions [before 4.4.8, and PHP 5] due to an error within the handling of SQL queries containing "LOCAL INFILE". A remote attacker could exploit the vulnerability to bypass PHP's "open_basedir" and "safe_mode" directives.
3. PHP session extension open_basedir Bypass Vulnerability ( CVE-2007-4652 )
A vulnerability has been reported in the session extension in PHP when the session file is a symlink. A local attacker could exploit the vulnerability to bypass open_basedir restrictions.
4. Unspecified error in chunk_split function ( CVE-2007-4660 )
An unspecified vulnerability has been reported in PHP due to an unspecified error in the chunk_split() function. This vulnerability could possibly be exploited to bypass security restrictions on the affected system.
5. chunk_split() Heap Based Buffer Overflow Vulnerability
( CVE-2007-4661 )
A vulnerability has been reported in the chunk_split() function in string.c due to an error in calculating the needed buffer size when performing integer arithmetic with floating point numbers. This vulnerability possibly leads to a heap based buffer overflow.
6. php_openssl_make_REQ() Buffer Overflow Vulnerability
( CVE-2007-4662 )
A buffer overflow vulnerability has been reported in PHP due to improper bounds checking by the php_openssl_make_REQ() function. This vulnerability could be exploited by a remote attacker to execute arbitrary code or cause a denial of service on the affected system.
7. glob() open_basedir Security Bypass Vulnerability
( CVE-2007-4663 )
An unspecified vulnerability has been reported in the glob() function in PHP. This vulnerability could be exploited by a remote attacker to bypass open_basedir restrictions and gain unauthorized access to the affected system.
8. strspn() and strcspn() Integer Overflow Vulnerabilities
( CVE-2007-4657 )
Multiple integer overflow vulnerabilities have been reported in PHP due to a large length value being specified to the strspn() and strcspn() functions, which could be exploited by a remote attacker to cause a denial of service or possibly obtain sensitive information from the affected system.
9. Format string vulnerability in PHP ( CVE-2007-4658 )
A format string vulnerability has been reported in PHP due to an error in parsing multiple "%i" and "%n" tokens passed to the money_format() function. This vulnerability could be exploited by a remote attacker for unknown impact.
10. zend_alter_ini_entry() memory limit violation vulnerability in PHP ( CVE-2007-4659 )
A vulnerability has been reported in the zend_alter_ini_entry() function in PHP due to improper handling of an interruption to the flow of execution triggered by a memory_limit violation. This vulnerability could be exploited by a remote attacker for unknown impact.
Solution
Update to PHP version 5.2.4.
http://www.php.net/downloads.php
Vendor Information
http://www.php.net/releases/5_2_4.php
References
Secunia
http://secunia.com/advisories/26642
CVE-Name
CVE-2007-3996
CVE-2007-3997
CVE-2007-4652
CVE-2007-4660
CVE-2007-4661
CVE-2007-4662
CVE-2007-4663
CVE-2007-4657
CVE-2007-4658
CVE-2007-4659
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003