> ----------------------------------------------------------------------
>
> TITLE:
> PHP Multiple Vulnerabilities
>
> SECUNIA ADVISORY ID:
> SA25123
>
> VERIFY ADVISORY:
> http://secunia.com/advisories/25123/
>
> CRITICAL:
> Moderately critical
>
> IMPACT:
> Unknown, Security Bypass, Manipulation of data, Exposure of system
> information, Exposure of sensitive information, DoS
>
> WHERE:
> From remote
>
> SOFTWARE:
> PHP 5.2.x
> http://secunia.com/product/13446/
> PHP 4.4.x
> http://secunia.com/product/5768/
>
> DESCRIPTION:
> Several vulnerabilities and weaknesses have been reported in PHP,
> where some have unknown impacts and others can be exploited by
> malicious users to manipulate certain data, disclose potentially
> sensitive information, bypass certain security restrictions, or to
> cause a DoS (Denial of Service).
>
> 1) An unspecified error in the "ftp_putcmd()" function can be
> exploited to inject newline characters.
>
> 2) An unspecified error in the "import_request_variables()" function
> can be exploited to overwrite global variables.
>
> 3) An unspecified error can remotely be exploited to cause a buffer
> overflow within the "make_http_soap_request()" function (PHP 5).
>
> 4) An unspecified error can be exploited to cause a buffer overflow
> within the "user_filter_factory_create()" function (PHP 5).
>
> 5) An unspecified error in the bundled libxmlrpc library can remotely
> be exploited to cause a buffer overflow.
>
> 6) An input validation error in the "mail()" function allows
> injection of headers via the "To" and "Subject" parameters.
>
> 7) An error in the "mail()" function allows messages to be truncated
> via ASCIIZ bytes.
>
> 8) The "safe_mode" and "open_basedir" protection mechanisms can be
> bypassed via the "zip://" and "bzip://" wrappers.
>
> 9) An integer overflow exists in "substr_compare()", which can be
> exploited to read memory from memory behind PHP variables. The
> "substr_count" function is reportedly also affected.
>
> 10) An error in the "mb_parse_str()" function can be exploited to
> activate "register_globals".
>
> 11) An error in the Zend engine related to nested array variables
> can be exploited to crash a PHP application.
>
> SOLUTION:
> Update to version 5.2.2 or 4.4.7. Grant only trusted users permission
> to execute PHP code.
>
> PROVIDED AND/OR DISCOVERED BY:
> The vendor credits:
> 1) loveshell
> 2) Stefano Di Paola and Stefan Esser
> 3, 4) Ilia Alshanetsky
> 5) Stanislav Malyshev
> 6-11) Stefan Esser
>
> ORIGINAL ADVISORY:
> PHP:
> http://www.php.net/releases/5_2_2.php
> http://www.php.net/releases/4_4_7.php
>
> MOPB:
> http://www.php-security.org/MOPB/MOPB-03-2007.html
> http://www.php-security.org/MOPB/MOPB-14-2007.html
> http://www.php-security.org/MOPB/MOPB-20-2007.html
> http://www.php-security.org/MOPB/MOPB-21-2007.html
> http://www.php-security.org/MOPB/MOPB-26-2007.html
> http://www.php-security.org/MOPB/MOPB-33-2007.html
> http://www.php-security.org/MOPB/MOPB-34-2007.html
>