SB2012050906 - SUSE Linux update for PHP5

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2012050906

SB2012050906 - SUSE Linux update for PHP5

Published: May 9, 2012

Security Bulletin ID SB2012050906
Severity
Critical
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Critical 67% Medium 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2012-1172)

The vulnerability allows a remote non-authenticated attacker to manipulate or delete data.

The file-upload implementation in rfc1867.c in PHP before 5.4.0 does not properly handle invalid [ (open square bracket) characters in name values, which makes it easier for remote attackers to cause a denial of service (malformed $_FILES indexes) or conduct directory traversal attacks during multi-file uploads by leveraging a script that lacks its own filename restrictions.


2) OS command injection (CVE-ID: CVE-2012-1823)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to error when parsing QUERY_STRING parameters within PHP-CGI-based application (sapi/cgi/cgi_main.c). A remote attacker can send specially crafted HTTP request with query string without the "=" (equals sign) character, inject and execute arbitrary OS commands on vulnerable system with privileges of the web server.

Successful exploitation of the vulnerability results in denial of service or arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

3) OS command injection (CVE-ID: CVE-2012-2311)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to error when parsing QUERY_STRING parameters within PHP-CGI-based application (sapi/cgi/cgi_main.c). A remote attacker can send specially crafted HTTP request with query string, contain a %3D sequence but no = (equals sign) character, inject and execute arbitrary OS commands on vulnerable system with privileges of the web server.

Successful exploitation of the vulnerability results in denial of service or arbitrary code execution on the vulnerable system.

This vulnerability is a result of an incomplete fix for SB2012050301.

Note: the vulnerability was being actively exploited.

Remediation

Install update from vendor's website.

References