SB2023011945 - Multiple vulnerabilities in PHP
Published: January 19, 2023 Updated: June 8, 2025
Description
This security bulletin contains information about 5 security vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2010-2531)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The var_export function in PHP 5.2 before 5.2.14 and 5.3 before 5.3.3 flushes the output buffer to the user when certain fatal errors occur, even if display_errors is off, which allows remote attackers to obtain sensitive information by causing the application to exceed limits for memory, execution time, or recursion.
2) Heap-based buffer overflow (CVE-ID: CVE-2010-3062)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in mysqlnd_wireprotocol.c in the Mysqlnd extension in PHP 5.3 through 5.3.2. A remote attacker can use a modified length value to trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
3) Heap-based buffer overflow (CVE-ID: CVE-2010-3063)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the php_mysqlnd_read_error_from_line function in the Mysqlnd extension in PHP 5.3 through 5.3.2, which does not properly calculate a buffer length. A remote attacker can use crafted inputs that cause a negative length value to be used, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
4) Stack-based buffer overflow (CVE-ID: CVE-2010-3064)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the php_mysqlnd_auth_write function in the Mysqlnd extension when processing a long (1) username or (2) database name argument to the (a) mysql_connect or (b) mysqli_connect function. A remote unauthenticated attacker can trigger a stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
5) Integer overflow (CVE-ID: CVE-2010-1866)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The dechunk filter in PHP 5.3 through 5.3.2, when decoding an HTTP chunked encoding stream, allows context-dependent attackers to cause a denial of service (crash) and possibly trigger memory corruption via a negative chunk size, which bypasses a signed comparison, related to an integer overflow in the chunk size decoder.
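The signed-comparison bypass described for the dechunk filter, as an added C example that is not PHP's source code and not part of the original bulletin. It is a simplified model of a chunk-size decoder, with the flawed pattern beside a hardened form; `flawed_copy_len`, `safe_copy_len` and the sample input are hypothetical names and constructed values.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Simplified model of a chunk-size decoder; hypothetical names, not PHP source. */

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Flawed pattern: unchecked accumulation, then a signed bounds check.
 * Returns the length a copy routine would receive. */
size_t flawed_copy_len(const char *hex, int64_t avail) {
    uint64_t acc = 0;
    for (; hexval(*hex) >= 0; hex++)
        acc = acc * 16 + (uint64_t)hexval(*hex);  /* wraps silently */
    int64_t size = (int64_t)acc;                  /* high bit set: negative on common compilers */
    int64_t n = (avail >= size) ? size : avail;   /* negative size passes the check */
    return (size_t)n;                             /* and becomes a huge length */
}

/* Hardened pattern: unsigned arithmetic, overflow rejected before each shift,
 * result clamped to the bytes actually buffered. Returns 0 on success. */
int safe_copy_len(const char *hex, size_t avail, size_t *n) {
    size_t size = 0;
    if (hexval(*hex) < 0) return -1;              /* need at least one digit */
    for (; hexval(*hex) >= 0; hex++) {
        if (size > (SIZE_MAX >> 4)) return -1;    /* next digit would overflow */
        size = (size << 4) | (size_t)hexval(*hex);
    }
    *n = size < avail ? size : avail;
    return 0;
}

int main(void) {
    const char *bad = "ffffffffffffffffff";  /* constructed oversized chunk size */
    size_t n = 0;
    printf("flawed: copy length %zu for 64 buffered bytes\n",
           flawed_copy_len(bad, 64));
    printf("hardened: %s\n", safe_copy_len(bad, 64, &n) ? "rejected" : "accepted");
    return 0;
}
```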
Remediation
Install the update from the vendor's website.
References
- http://www.php.net/archive/2010.php#id2010-07-22-1
- https://bugzilla.redhat.com/show_bug.cgi?id=617673
- http://www.php.net/archive/2010.php#id2010-07-22-2
- http://www.openwall.com/lists/oss-security/2010/07/16/3
- http://www.openwall.com/lists/oss-security/2010/07/13/1
- http://svn.php.net/viewvc/php/php-src/trunk/ext/standard/tests/general_functions/var_export_error2.phpt?view=log&pathrev=301143
- http://support.apple.com/kb/HT4312
- http://lists.apple.com/archives/security-announce/2010//Aug/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html
- http://support.apple.com/kb/HT4435
- http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00000.html
- http://www.redhat.com/support/errata/RHSA-2010-0919.html
- http://www.vupen.com/english/advisories/2010/3081
- http://secunia.com/advisories/42410
- http://marc.info/?l=bugtraq&m=130331363227777&w=2
- http://www.debian.org/security/2011/dsa-2266
- http://marc.info/?l=bugtraq&m=133469208622507&w=2
- http://php-security.org/2010/05/31/mops-2010-056-php-php_mysqlnd_ok_read-information-leak-vulnerability/index.html
- http://php-security.org/2010/05/31/mops-2010-057-php-php_mysqlnd_rset_header_read-buffer-overflow-vulnerability/index.html
- http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/NEWS?r1=298701&r2=298703&pathrev=298703
- http://svn.php.net/viewvc?view=revision&revision=298703
- http://php-security.org/2010/05/31/mops-2010-058-php-php_mysqlnd_read_error_from_line-buffer-overflow-vulnerability/index.html
- http://php-security.org/2010/05/31/mops-2010-059-php-php_mysqlnd_auth_write-stack-buffer-overflow-vulnerability/index.html
- http://php-security.org/2010/05/02/mops-2010-003-php-dechunk-filter-signed-comparison-vulnerability/index.html