[Typo3-dev] Security Alert! Multiple Vulnerabilities Within PHP 4/5

Michiel van Leening leening at saurus.nl
Sun Dec 26 22:43:57 CET 2004


Hi,

Thanks for re-posting this info on the list, but php 4.3.10 and 5.0.3 
were released about 12 days ago!

Reuven Cohen said the following on 12/23/2004 07:57 PM:
> Multiple Vulnerabilities Within PHP 4/5
> 
> This security alert is to address a number of vulnerabilities associated
> with the PHP scripting language. Several vulnerabilities within PHP4
> (<=4.3.9) and PHP5 (<=5.0.2) could be exploited to gain escalated
> privileges, bypass certain security restrictions, gain knowledge of
> sensitive information, or compromise a vulnerable system.
> 
> 1. Pack() - integer overflow leading to heap buffer overflow
> 
> An integer overflow in the "pack()" function can be exploited to cause a
> heap-based buffer overflow by passing some specially crafted parameters
> to the function. Successful exploitation bypasses the safe_mode feature
> and allows execution of arbitrary code with the privileges of the web
> server.
> 
> 2. Unpack() - integer overflow leading to heap info leak
> 
> An integer overflow in the "unpack()" function can be exploited to leak
> information stored on the heap by passing specially crafted parameters
> to the function. In combination with the first vulnerability, this may
> also allow bypassing of heap canary protection mechanisms.
> 
> 3. Safe_mode_exec_dir bypass in multithreaded PHP
> 
> An error within safe_mode when executing commands can be exploited to
> bypass the safe_mode_exec_dir restriction by injecting shell commands
> into the current directory name. Successful exploitation requires that
> PHP runs on a multi-threaded Unix web server.
> 
> 4. Safe_mode bypass through path truncation
> 
> An error in safe_mode combined with certain implementations of
> "realpath()" can be exploited to bypass safe_mode via a specially
> crafted file path.
> 
> 5. Path truncation in realpath()
> 
> An error within the handling of file paths may potentially lead to file
> inclusion vulnerabilities. The problem is that "realpath()", which in
> some implementations truncates filenames, is used in various places to
> obtain the real path of a file.
> 
> 6. Various errors within deserialization code
> 
> Various errors within the deserialization code can be exploited to
> disclose information or execute arbitrary code via specially crafted
> strings passed to the "unserialize()" function. A skilled attacker can
> exploit this to create a universal string that will pass execution to
> an arbitrary memory address when it is passed to unserialize().
> It is necessary to understand that these strings can exploit a bunch of
> popular PHP applications remotely because they pass e.g. cookie content
> to unserialize().
> 
> Examples of vulnerable scripts:
>       - phpBB2
>       - Invision Board
>       - vBulletin
>       - Woltlab Burning Board 2.x
>       - Serendipity Weblog
>       - phpAds(New)
> 
> 7. Shmop_write() out-of-bounds memory location
> 
> An unspecified error in the "shmop_write()" function may result in an
> attempt to write to an out-of-bounds memory location.
> 
> 8. exif_read_data() function
> 
> An unspecified boundary error exists in the "exif_read_data()" function
> when handling long section names.
> 
> 9. addslashes() function not escaping NULL bytes correctly
> 
> An error in the "addslashes()" function causes it to not escape NULL
> bytes correctly. This can e.g. be exploited to read arbitrary files on
> a system, if the "include()" or "require()" statements partly use
> user-supplied input.
> 
> 10. magic_quotes_gpc directory traversal
> 
> An error within "magic_quotes_gpc" may allow a one-level directory
> traversal when uploading files with a single quote in the filename
> (e.g. "..'file.ext").
> 
> Application Versions Affected:
> PHP4 v4.3.9 and earlier
> PHP5 v5.0.2 and earlier
> 
> Reuven Cohen
> http://www.enomaly.com
> 

-- 

Kind regards,
Michiel van Leening
---------------------------------------------------------------
  Saurus Internet - http://www.saurus.nl/ - info at saurus.nl
      Vestesingel 8, 9408 CA - Assen, The Netherlands
     tel: +31 (0)592.461.467 - fax: +31 (0)84.86.88.007
	
      Michiel van Leening - Internet Application Developer
  leening at saurus.nl - gsm: +31 (0)65.57.12.693 - ICQ#51566230
       Registered with the Linux Counter. ID #39463
---------------------------------------------------------------
Don't shout for help at night.  You might wake your neighbors.
		-- Stanislaw J. Lem, "Unkempt Thoughts"
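The cookie-to-unserialize() pattern described in item 6 of the quoted advisory, shown as an added PHP example that is not part of this thread or of any of the applications it lists: the unsafe read beside a hardened version that authenticates the cookie with an HMAC before deserializing and refuses to instantiate objects from it. The secret, the cookie layout and the sample data are assumptions; hash_equals() needs PHP 5.6 and the allowed_classes option needs PHP 7, so this is a mitigation for current PHP rather than for the 4.x/5.0 releases the advisory covers.

```php
<?php
// Added example, not from the advisory: a cookie handed straight to
// unserialize() versus a cookie that is integrity-checked first.

// Constructed sample data standing in for a real application cookie.
$secret   = 'server-side-secret-rotate-me';   // assumed: stored outside the web root
$userdata = array('uid' => 42, 'theme' => 'dark');

// Unsafe: attacker-controlled bytes are parsed as serialized PHP values,
// including objects, before any check has happened.
function unsafe_read_cookie($raw)
{
    return unserialize($raw);
}

// Hardened: the server issues the cookie as "<base64 payload>.<hmac>" and
// only a cookie whose MAC verifies ever reaches unserialize().
function make_cookie($data, $secret)
{
    $payload = base64_encode(serialize($data));
    $mac     = hash_hmac('sha256', $payload, $secret);
    return $payload . '.' . $mac;
}

function safe_read_cookie($raw, $secret)
{
    $parts = explode('.', $raw, 2);       // base64 never contains '.'
    if (count($parts) !== 2) {
        return null;                      // malformed: treat as no cookie
    }
    list($payload, $mac) = $parts;
    $expected = hash_hmac('sha256', $payload, $secret);
    if (!hash_equals($expected, $mac)) {  // constant-time comparison
        return null;                      // forged or tampered: reject
    }
    $blob = base64_decode($payload, true);
    if ($blob === false) {
        return null;
    }
    // Even after authentication, never let the cookie instantiate objects.
    return unserialize($blob, array('allowed_classes' => false));
}

$cookie = make_cookie($userdata, $secret);
var_dump(safe_read_cookie($cookie, $secret) === $userdata);
var_dump(safe_read_cookie($cookie . 'x', $secret));
var_dump(safe_read_cookie('O:8:"stdClass":0:{}', $secret));
```

Keeping session state server-side and storing only an opaque identifier in the cookie removes the deserialization of client data entirely and is the simpler fix where it is available.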