[Typo3-dev] Security Alert! Multiple Vulnerabilities Within PHP 4/5

Reuven Cohen ruv at ruv.net
Thu Dec 23 19:57:19 CET 2004


Multiple Vulnerabilities Within PHP 4/5

This security alert is to address a number of vulnerabilities associated
with the PHP scripting language. Several vulnerabilities within PHP4
(<=4.3.9) and PHP5 (<=5.0.2) could be exploited to gain escalated
privileges, bypass certain security restrictions, gain knowledge of
sensitive information, or compromise a vulnerable system.

1.        Pack() - integer overflow leading to heap buffer overflow

An integer overflow in the "pack()" function can be exploited to cause a
heap-based buffer overflow by passing some specially crafted parameters
to the function. Successful exploitation bypasses the safe_mode feature
and allows execution of arbitrary code with the privileges of the web
server.

2.        Unpack() - integer overflow leading to heap info leak

An integer overflow in the "unpack()" function can be exploited to leak
information stored on the heap by passing specially crafted parameters
to the function. In combination with the first vulnerability, this may
also allow bypassing of heap canary protection mechanisms.

3.        Safe_mode_exec_dir bypass in multithreaded PHP

An error within safe_mode when executing commands can be exploited to
bypass the safe_mode_exec_dir restriction by injecting shell commands
into the current directory name. Successful exploitation requires that
PHP runs on a multi-threaded Unix web server.

4.        Safe_mode bypass through path truncation

An error in safe_mode combined with certain implementations of
"realpath()" can be exploited to bypass safe_mode via a specially
crafted file path.

5.        Path truncation in realpath()

An error within the handling of file paths may potentially lead to file
inclusion vulnerabilities. The problem is that "realpath()", which in
some implementations truncates filenames, is used in various places to
obtain the real path of a file.

6.        Various errors within deserialization code

Various errors within the deserialization code can be exploited to
disclose information or execute arbitrary code via specially crafted
strings passed to the "unserialize()" function. A skilled attacker can
exploit this to create a universal string that will pass execution to
an arbitrary memory address when it is passed to unserialize().
Note that such strings can be used to exploit many popular PHP
applications remotely, because these applications pass untrusted data
such as cookie contents to unserialize().

Examples of vulnerable scripts:
      - phpBB2
      - Invision Board
      - vBulletin
      - Woltlab Burning Board 2.x
      - Serendipity Weblog
      - phpAds(New)
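The pattern item 6 describes (client-controlled cookie bytes handed straight to unserialize()) next to a hardened replacement that verifies an HMAC and parses JSON instead. This is an added example written for this post, not code from the advisory or from any of the applications listed above; the cookie name "prefs", the secret value and the preference keys are placeholders, and it assumes PHP 7.3 or later.

```php
<?php
// Added example, not from the advisory. Cookie name and secret are placeholders.

// Vulnerable pattern: attacker-controlled cookie bytes reach unserialize() directly.
function load_prefs_vulnerable(array $cookies): array {
    $raw  = $cookies['prefs'] ?? '';
    $data = @unserialize($raw);          // untrusted bytes parsed by unserialize()
    return is_array($data) ? $data : [];
}

// Hardened pattern: the cookie carries base64(JSON) plus an HMAC tag. The server
// verifies the tag before parsing and never calls unserialize() on client data.
const PREFS_SECRET = 'placeholder-server-side-secret';  // placeholder; keep real secrets out of source

function encode_prefs(array $prefs): string {
    $json = json_encode($prefs, JSON_THROW_ON_ERROR);
    $tag  = hash_hmac('sha256', $json, PREFS_SECRET);
    return base64_encode($json) . '.' . $tag;
}

function load_prefs_hardened(array $cookies): array {
    $raw   = $cookies['prefs'] ?? '';
    $parts = explode('.', $raw, 2);
    if (count($parts) !== 2) {
        return [];                        // malformed: ignore the cookie
    }
    [$b64, $tag] = $parts;
    $json = base64_decode($b64, true);    // strict decoding rejects stray characters
    if ($json === false) {
        return [];
    }
    $expected = hash_hmac('sha256', $json, PREFS_SECRET);
    if (!hash_equals($expected, $tag)) {  // constant-time comparison of the tag
        return [];                        // tampered or forged: ignore the cookie
    }
    $data = json_decode($json, true, 8);  // JSON parser, depth-limited, no object instantiation
    return is_array($data) ? $data : [];
}

// Constructed demonstration values.
$good    = ['theme' => 'dark', 'per_page' => 25];
$cookies = ['prefs' => encode_prefs($good)];
assert(load_prefs_hardened($cookies) === $good);

// A cookie with one payload byte altered fails the HMAC check and is discarded.
$tampered = $cookies;
$tampered['prefs'][0] = 'X';
assert(load_prefs_hardened($tampered) === []);
```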

7.        Shmop_write() out-of-bounds memory location

An unspecified error in the "shmop_write()" function may result in an
attempt to write to an out-of-bounds memory location.

8.        exif_read_data() function

An unspecified boundary error exists in the "exif_read_data()" function
when handling long section names.

9.        addslashes() function not escaping NULL bytes correctly

An error in the "addslashes()" function causes it to not escape NULL
bytes correctly. This can e.g. be exploited to read arbitrary files on
a system if the paths given to "include()" or "require()" statements are
built partly from user-supplied input.

10.        magic_quotes_gpc directory traversal

An error within "magic_quotes_gpc" may allow a one-level directory
traversal when uploading files with a single quote in the filename
(e.g. "..'file.ext").

Application Versions Affected:
PHP4 v4.3.9 and earlier
PHP5 v5.0.2 and earlier

Reuven Cohen
http://www.enomaly.com