SB2017092922 - Multiple vulnerabilities in PHP

Description

This security bulletin contains information about 8 secuirty vulnerabilities.

1) Buffer overflow (CVE-ID: CVE-2007-4586)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Multiple buffer overflows in php_iisfunc.dll in the iisfunc extension for PHP 5.2.0 and earlier allow context-dependent attackers to execute arbitrary code, probably during Unicode conversion, as demonstrated by a long string in the first argument to the iis_getservicestate function, related to the ServiceId argument to the (1) fnStartService, (2) fnGetServiceState, (3) fnStopService, and possibly other functions.

2) Input validation error (CVE-ID: CVE-2007-4441)

The vulnerability allows a local user to read and manipulate data.

Buffer overflow in php_win32std.dll in the win32std extension for PHP 5.2.0 and earlier allows context-dependent attackers to execute arbitrary code via a long string in the filename argument to the win_browse_file function.

3) Input validation error (CVE-ID: CVE-2007-0448)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The fopen function in PHP 5.2.0 does not properly handle invalid URI handlers, which allows context-dependent attackers to bypass safe_mode restrictions and read arbitrary files via a file path specified with an invalid URI, as demonstrated via the srpath URI.

4) Input validation error (CVE-ID: CVE-2007-1889)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Integer signedness error in the _zend_mm_alloc_int function in the Zend Memory Manager in PHP 5.2.0 allows remote attackers to execute arbitrary code via a large emalloc request, related to an incorrect signed long cast, as demonstrated via the HTTP SOAP client in PHP, and via a call to msg_receive with the largest positive integer value of maxsize.

5) Deserialization of Untrusted Data (CVE-ID: CVE-2007-1701)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

PHP 4 before 4.4.5, and PHP 5 before 5.2.1, when register_globals is enabled, allows context-dependent attackers to execute arbitrary code via deserialization of session data, which overwrites arbitrary global variables, as demonstrated by calling session_decode on a string beginning with "_SESSION|s:39:". Successful exploitation requires that variable "register_globals" is enabled.

6) Input validation error (CVE-ID: CVE-2007-1584)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Buffer underflow in the header function in PHP 5.2.0 allows context-dependent attackers to execute arbitrary code by passing an all-whitespace string to this function, which causes it to write '' characters in whitespace that precedes the string.

7) Input validation error (CVE-ID: CVE-2007-1453)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Buffer underflow in the PHP_FILTER_TRIM_DEFAULT macro in the filtering extension (ext/filter) in PHP 5.2.0 allows context-dependent attackers to execute arbitrary code by calling filter_var with certain modes such as FILTER_VALIDATE_INT, which causes filter to write a null byte in whitespace that precedes the buffer.

8) Cross-site scripting (CVE-ID: CVE-2007-1454)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via "ext/filter" when certain whitespace characters, which passes one filter but is collapsed into a valid tag, as demonstrated using %0b. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website .

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Remediation

Install update from vendor's website.

References

• http://www.securityfocus.com/bid/25452
• https://exchange.xforce.ibmcloud.com/vulnerabilities/36262
• https://www.exploit-db.com/exploits/4318
• http://www.securityfocus.com/bid/25414
• https://exchange.xforce.ibmcloud.com/vulnerabilities/36118
• https://www.exploit-db.com/exploits/4293
• http://securityreason.com/achievement_securityalert/44
• http://securityreason.com/securityalert/2175
• http://www.securityfocus.com/bid/22261
• http://secunia.com/advisories/25056
• http://secunia.com/advisories/25062
• http://www.debian.org/security/2007/dsa-1283
• http://www.novell.com/linux/security/advisories/2007_32_php.html
• http://www.php-security.org/MOPB/MOPB-43-2007.html
• http://www.php-security.org/MOPB/MOPB-44-2007.html
• http://www.securityfocus.com/bid/23238
• https://exchange.xforce.ibmcloud.com/vulnerabilities/33770
• http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01056506
• http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01086137
• http://secunia.com/advisories/25423
• http://secunia.com/advisories/25445
• http://secunia.com/advisories/25850
• http://security.gentoo.org/glsa/glsa-200705-19.xml
• http://www.php-security.org/MOPB/MOPB-31-2007.html
• http://www.securityfocus.com/bid/23120
• http://www.vupen.com/english/advisories/2007/1991
• http://www.vupen.com/english/advisories/2007/2374
• https://exchange.xforce.ibmcloud.com/vulnerabilities/33658
• https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11034
• http://www.php-security.org/MOPB/MOPB-25-2007.html
• https://www.exploit-db.com/exploits/3517
• http://www.php.net/releases/5_2_1.php
• http://www.php-security.org/MOPB/MOPB-19-2007.html
• http://www.securityfocus.com/bid/22922
• http://www.mandriva.com/security/advisories?name=MDKSA-2007:090
• http://www.php-security.org/MOPB/MOPB-18-2007.html
• http://www.securityfocus.com/bid/22914