SB2018110514 - Multiple vulnerabilities in PHP
Published: November 5, 2018 Updated: June 14, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Buffer overflow (CVE-ID: CVE-2018-18820)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing URL in url_add_client() function in auth_url.c. A remote unauthenticated attacker can send an overly long URL to the affected server, trigger buffer overflow and crash the server or execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) OS Command Injection (CVE-ID: CVE-2007-5653)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The Component Object Model (COM) functions in PHP 5.x on Windows do not follow safe_mode and disable_functions restrictions, which allows context-dependent attackers to bypass intended limitations, as demonstrated by executing objects with the kill bit set in the corresponding ActiveX control Compatibility Flags, executing programs via a function in compatUI.dll, invoking wscript.shell via wscript.exe, invoking Scripting.FileSystemObject via wshom.ocx, and adding users via a function in shgina.dll, related to the com_load_typelib function.
3) Buffer overflow (CVE-ID: CVE-2007-1381)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The wddx_deserialize function in wddx.c 1.119.2.10.2.12 and 1.119.2.10.2.13 in PHP 5, as modified in CVS on 20070224 and fixed on 20070304, calls strlcpy where strlcat was intended and uses improper arguments, which allows context-dependent attackers to execute arbitrary code via a WDDX packet with a malformed overlap of a STRING element, which triggers a buffer overflow. This vulnerability impacts PHP CVS as of 2007-02-24
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=28ff3d95cc514b5ef1329f39e03b913b870a3a8c
- https://git.alpinelinux.org/aports/commit/?id=10ee65fedc7f67caf449e90c48e7ac765b9a1ce3
- https://git.alpinelinux.org/aports/commit/?id=7b190731bf721f83ec988a4bc933cdd61f6709db
- https://git.alpinelinux.org/aports/commit/?id=9da3d4b343a3541827659dc4bbfa0d84ddd1e26c
- https://git.alpinelinux.org/aports/commit/?id=9eb94927b1ae5702ad3a37ecbda35eb0b9a1dbd6
- https://git.alpinelinux.org/aports/commit/?id=a732467bed034e4c8b90ad4d6bb2b745ba0b1d4f
- https://git.alpinelinux.org/aports/commit/?id=be1e550c4cd03288798c5ea30807b1e95d8cbee8
- https://git.alpinelinux.org/aports/commit/?id=c09e2b8ea59b96c9fed8aa99c69d67d448dee75b
- https://git.alpinelinux.org/aports/commit/?id=f737986301923d6739940bbb3bf00accfffbec2b
- http://secunia.com/advisories/27280
- http://www.vupen.com/english/advisories/2007/3590
- https://exchange.xforce.ibmcloud.com/vulnerabilities/37368
- https://www.exploit-db.com/exploits/4553
- http://cvs.php.net/viewvc.cgi/php-src/ext/wddx/wddx.c?r1=1.119.2.10.2.13&r2=1.119.2.10.2.14
- http://cvs.php.net/viewvc.cgi/php-src/ext/wddx/wddx.c?revision=1.119.2.10.2.14&view=markup
- http://www.osvdb.org/32775
- http://www.php-security.org/MOPB/MOPB-09-2007.html