Multiple vulnerabilities in PHP



Updated: 2025-06-14
Risk: High
Patch available: YES
Number of vulnerabilities: 3
CVE-ID: CVE-2018-18820, CVE-2007-5653, CVE-2007-1381
CWE-ID: CWE-119, CWE-78
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #3 is available.
Vulnerable software:
icecast (Alpine package) - Operating systems & Components / Operating system package or component
PHP - Universal components / Libraries / Scripting languages
Vendor: Alpine Linux Development Team, PHP Group

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Buffer overflow

EUVDB-ID: #VU15691

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-18820

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing a URL in the url_add_client() function in auth_url.c. A remote unauthenticated attacker can send an overly long URL to the affected server, trigger a buffer overflow, and crash the server or execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

icecast (Alpine package): 2.4.1-r0 - 2.4.3-r6

External links

https://git.alpinelinux.org/aports/commit/?id=28ff3d95cc514b5ef1329f39e03b913b870a3a8c
https://git.alpinelinux.org/aports/commit/?id=10ee65fedc7f67caf449e90c48e7ac765b9a1ce3
https://git.alpinelinux.org/aports/commit/?id=7b190731bf721f83ec988a4bc933cdd61f6709db
https://git.alpinelinux.org/aports/commit/?id=9da3d4b343a3541827659dc4bbfa0d84ddd1e26c
https://git.alpinelinux.org/aports/commit/?id=9eb94927b1ae5702ad3a37ecbda35eb0b9a1dbd6
https://git.alpinelinux.org/aports/commit/?id=a732467bed034e4c8b90ad4d6bb2b745ba0b1d4f
https://git.alpinelinux.org/aports/commit/?id=be1e550c4cd03288798c5ea30807b1e95d8cbee8
https://git.alpinelinux.org/aports/commit/?id=c09e2b8ea59b96c9fed8aa99c69d67d448dee75b
https://git.alpinelinux.org/aports/commit/?id=f737986301923d6739940bbb3bf00accfffbec2b


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) OS Command Injection

EUVDB-ID: #VU110356

Risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2007-5653

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: Yes

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The Component Object Model (COM) functions in PHP 5.x on Windows do not follow safe_mode and disable_functions restrictions, which allows context-dependent attackers to bypass intended limitations, as demonstrated by executing objects with the kill bit set in the corresponding ActiveX control Compatibility Flags, executing programs via a function in compatUI.dll, invoking wscript.shell via wscript.exe, invoking Scripting.FileSystemObject via wshom.ocx, and adding users via a function in shgina.dll, related to the com_load_typelib function.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

PHP: 5

External links

https://secunia.com/advisories/27280
https://www.vupen.com/english/advisories/2007/3590
https://exchange.xforce.ibmcloud.com/vulnerabilities/37368
https://www.exploit-db.com/exploits/4553


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

3) Buffer overflow

EUVDB-ID: #VU110452

Risk: High

CVSSv4.0: 8.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2007-1381

CWE-ID: CWE-119 - Memory corruption

Exploit availability: Yes

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The wddx_deserialize function in wddx.c 1.119.2.10.2.12 and 1.119.2.10.2.13 in PHP 5, as modified in CVS on 20070224 and fixed on 20070304, calls strlcpy where strlcat was intended and uses improper arguments, which allows context-dependent attackers to execute arbitrary code via a WDDX packet with a malformed overlap of a STRING element, which triggers a buffer overflow. This vulnerability impacts PHP CVS as of 2007-02-24.
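
The bug class described above (a copy routine used where an append was intended, with a size argument that ignores the bytes already in the buffer), as an added illustration in C. It is not PHP's wddx.c code; the helper names, buffer sizes and the exact misuse shown are assumptions, and the sample strings are constructed.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   16    /* logical destination buffer (assumed size) */
#define GUARD_SIZE 16    /* adjacent bytes, watched for corruption */
#define GUARD_BYTE 0xAA

/* Stand-in with strlcpy semantics: writes at most `size` bytes incl. NUL. */
static size_t demo_strlcpy(char *dst, const char *src, size_t size) {
    size_t n = strlen(src);
    if (size) {
        size_t c = n < size - 1 ? n : size - 1;
        memcpy(dst, src, c);
        dst[c] = '\0';
    }
    return n;
}

/* Stand-in with strlcat semantics: `size` is the WHOLE buffer; the
 * function itself subtracts what dst already holds. */
static size_t demo_strlcat(char *dst, const char *src, size_t size) {
    const char *end = memchr(dst, '\0', size);
    size_t used = end ? (size_t)(end - dst) : size;
    if (used == size) return size + strlen(src);
    return used + demo_strlcpy(dst + used, src, size - used);
}

/* Appends tail to head and returns how many guard bytes were overwritten. */
static int guard_bytes_hit(int use_fix, const char *head, const char *tail) {
    unsigned char arena[BUF_SIZE + GUARD_SIZE];  /* one object: buf + guard */
    char *buf = (char *)arena;
    int hit = 0;
    memset(arena, GUARD_BYTE, sizeof arena);
    demo_strlcpy(buf, head, BUF_SIZE);
    if (use_fix)
        demo_strlcat(buf, tail, BUF_SIZE);
    else  /* bug pattern: copy at an offset, size not reduced by the offset */
        demo_strlcpy(buf + strlen(buf), tail, BUF_SIZE);
    for (int i = BUF_SIZE; i < BUF_SIZE + GUARD_SIZE; i++)
        if (arena[i] != GUARD_BYTE) hit++;
    return hit;
}

int main(void) {
    const char *head = "0123456789", *tail = "ABCDEFGHIJKL";  /* constructed */
    printf("copy-at-offset: %d guard bytes hit\n", guard_bytes_hit(0, head, tail));
    printf("bounded append: %d guard bytes hit\n", guard_bytes_hit(1, head, tail));
    return 0;
}
```

With a short tail the copy-at-offset variant stays inside the buffer, which is why this kind of defect can pass ordinary functional tests.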

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

PHP: 5

External links

https://cvs.php.net/viewvc.cgi/php-src/ext/wddx/wddx.c?r1=1.119.2.10.2.13&r2=1.119.2.10.2.14
https://cvs.php.net/viewvc.cgi/php-src/ext/wddx/wddx.c?revision=1.119.2.10.2.14&view=markup
https://www.osvdb.org/32775
https://www.php-security.org/MOPB/MOPB-09-2007.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.


