Stefan Esser
an integer overflow in the chunk_split() function that can lead to a
heap-based buffer overflow (CVE-2007-2872). Its incomplete fix caused
incorrect buffer size calculation due to precision loss, also resulting
in a possible heap-based buffer overflow (CVE-2007-4661 and
CVE-2007-4660). A buffer overflow in the sqlite_decode_binary() function of
the SQLite extension, found by Stefan Esser and addressed in PHP 5.2.1, was
not fixed correctly (CVE-2007-1887).
Stefan Esser discovered an error in the zend_alter_ini_entry() function
handling a memory_limit violation (CVE-2007-4659). Stefan Esser also
discovered a flaw when handling interruptions with userspace error
Grzegorz Stachowiak discovered that the PHP session extension did not
properly handle semicolon characters. An attacker could exploit this issue
to bypass safe_mode restrictions. This issue only affected Ubuntu 8.04 LTS,
9.04 and 9.10. (CVE-2010-1130)
Stefan Esser discovered that PHP incorrectly decoded remote HTTP chunked
encoding streams. An attacker could exploit this issue to cause the PHP
server to crash and possibly execute arbitrary code with application
privileges. This issue only affected Ubuntu 10.04 LTS. (CVE-2010-1866)
Mateusz Kocielski discovered that certain PHP SQLite functions incorrectly
CFP Committee
-------------
The CFP committee for the Month of PHP Security consists of
1) Johann-Peter Hartmann
2) Stefan Esser
3) Fukami
4) Ben Fuhrmannek
The CFP committee will review all submissions and select the list of
articles that will be published on http://php-security.org
Advisory: PHP GENERATE_SEED() Weak Random Number Seed Vulnerability
Release Date: 2008/05/06
Last Modified: 2008/05/06
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: PHP 5 <= 5.2.5
PHP 4 <= 4.4.8
Severity: Weak random number seed might lead to security
problems in PHP applications using random numbers
-= Security Advisory =-
Advisory: MyBB Password Reset Email BCC: Injection Vulnerability
Release Date: 2010/04/13
Last Modified: 2010/04/13
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: MyBB <= 1.4.11
Severity: An email injection vulnerability in MyBB allows injecting
e.g. BCC mail headers into password reset emails. This
allows an attacker to take over accounts via the password
functions (CVE-2008-1384).
* Andrei Nigmatulin reported a stack-based buffer overflow in the
FastCGI SAPI, which has unknown attack vectors (CVE-2008-2050).
* Stefan Esser reported that PHP does not correctly handle multibyte
characters inside the escapeshellcmd() function, which is used to
sanitize user input before its usage in shell commands
(CVE-2008-2051).
* Stefan Esser reported that a shortcoming in PHP's algorithm of
Advisory: Wordpress user_login Column SQL Truncation Vulnerability
Release Date: 2008/09/12
Last Modified: 2008/09/12
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: Wordpress <= 2.6.1
Severity: MySQL column truncation allows resetting the passwords of
Wordpress users to random strings. Combined with weaknesses
in PHP's PRNG this allows determining the admin password.
Advisory: PHP ZipArchive::extractTo() Directory Traversal Vulnerability
Release Date: 2008/12/04
Last Modified: 2008/12/04
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: PHP 5 <= 5.2.6
Severity: PHP applications using ZipArchive::extractTo() to unpack zip
archive files can be tricked into overwriting arbitrary files
writable by the webserver, which might result in PHP remote
-= Security Advisory =-
Advisory: Piwik Cookie Unserialize() Vulnerability
Release Date: 2009/12/09
Last Modified: 2009/12/09
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: Piwik <= 0.4.5
Severity: Piwik unserializes() user input which allows an attacker
to send a carefully crafted cookie that when unserialized
utilizes Piwik's classes to upload arbitrary files or
Advisory: Horde Application Framework Horde_Form_Type_image
Arbitrary File Overwrite Vulnerability
Release Date: 2009/09/18
Last Modified: 2009/09/18
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: Horde Application Framework <= 3.2.4
Severity: PHP applications using the Horde_Form_Type_image form
element can be tricked into overwriting arbitrary files
writable by the webserver, which might result in PHP
[1] Zend_Hash_Del_Key_Or_Index Vulnerability
CVE-2006-3017
Stefan Esser
http://www.hardened-php.net/hphp/zend_hash_del_key_or_index_vulnerability.html
[2] Dynamic Evaluation Vulnerabilities in PHP applications
http://www.securityfocus.com/archive/1/432828
Advisory: Joomla Weak Random Password Reset Token Vulnerability
Release Date: 2008/09/11
Last Modified: 2008/09/11
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: Joomla <= 1.5.7
Severity: Usage of mt_rand() and mt_srand() for generation
of cryptographic secrets like random password
reset tokens
Advisory: Suhosin PHP Extension Transparent Cookie Encryption Stack
Buffer Overflow
Release Date: 2012/01/19
Last Modified: 2012/01/19
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: Suhosin Extension <= 0.9.32.1
Severity: A possible stack buffer overflow in Suhosin extension's
transparent cookie encryption that can only be triggered
in an uncommon and weakened Suhosin configuration can lead
-= Security Advisory =-
Advisory: PHPIDS Unserialize() Vulnerability
Release Date: 2009/12/09
Last Modified: 2009/12/09
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: PHPIDS <= 0.6.2
Severity: PHPIDS unserializes() user input which allows an attacker
to send a carefully crafted cookie that when unserialized
can utilize existing classes which e.g. can lead to
-= Security Advisory =-
Advisory: MyBB Password Reset Weak Random Numbers Vulnerability
Release Date: 2010/04/13
Last Modified: 2010/04/13
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: MyBB <= 1.4.11
Severity: Usage of weak random number generation in password reset
functionality allows predicting the password reset token
and the randomly generated password, which results in
Advisory: PHP Multibyte Shell Command Escaping Bypass Vulnerability
Release Date: 2008/05/06
Last Modified: 2008/05/06
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: PHP 5 <= 5.2.5
PHP 4 <= 4.4.8
Severity: Several shell locales with support for East Asian
variable-width encodings allow bypassing PHP's
execution of arbitrary code. The Common Vulnerabilities and Exposures
project identifies the following problems:
CVE-2007-6114
Stefan Esser discovered a buffer overflow in the SSL dissector.
"Fabiodds" discovered a buffer overflow in the iSeries trace
dissector.
CVE-2007-6117
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Stefan Esser discovered that mod_status did not force a character set,
which could result in browsers becoming vulnerable to XSS attacks when
processing the output. If a user were tricked into viewing server
status output during a crafted server request, a remote attacker could
exploit this to modify the contents, or steal confidential data (such as
passwords), within the same domain. By default, mod_status is disabled
# Package              Vulnerable   Unaffected
1 www-servers/lighttpd < 1.4.16     >= 1.4.16
Description
===========
Stefan Esser discovered errors with evidence of memory corruption in
the code parsing the headers. Several independent researchers also
reported errors involving the handling of HTTP headers, the mod_auth
and mod_scgi modules, and the limitation of active connections.
Impact
# Package              Vulnerable   Unaffected
1 www-apps/tikiwiki    < 1.9.8.3    >= 1.9.8.3
Description
===========
Stefan Esser reported that a previous vulnerability (CVE-2007-5423,
GLSA 200710-21) was not properly fixed in TikiWiki 1.9.8.1
(CVE-2007-5682). The TikiWiki development team also added several
checks to avoid file inclusion.
Impact
Problem type : remote
Debian-specific: no
Debian bug : 582691
CVE ID : CVE-2010-2092
Stefan Esser discovered that cacti, a front-end to rrdtool for monitoring
systems and services, does not properly validate input passed to the rra_id
parameter of the graph.php script. Because the input of $_REQUEST is checked
but the $_GET input is used in a query, an unauthenticated attacker is able to
perform SQL injections via a crafted rra_id $_GET value and an additional
valid rra_id $_POST or $_COOKIE value.
Gerhard Wagner discovered that the chunk_split function did not
correctly handle long strings. A remote attacker could exploit this
to execute arbitrary code with application privileges. (CVE-2007-2872,
CVE-2007-4660, CVE-2007-4661)
Stefan Esser discovered that deeply nested arrays could be made to
fill stack space. A remote attacker could exploit this to cause a
crash or monopolize CPU resources, resulting in a denial of service.
(CVE-2007-1285, CVE-2007-4670)
Rasmus Lerdorf discovered that the htmlentities and htmlspecialchars
(CVE-2007-6115), Firebird/Interbase (CVE-2007-6116), HTTP
(CVE-2007-6117), MEGACO (CVE-2007-6118), DCP ETSI (CVE-2007-6119),
Bluetooth SDP (CVE-2007-6120), RPC Portmap (CVE-2007-6121), SMB
(CVE-2007-6438), IPv6 and USB (CVE-2007-6439), WiMAX (CVE-2007-6441),
RPL (CVE-2007-6450), CIP (CVE-2007-6451). The vulnerabilities were
discovered by Stefan Esser, Beyond Security, Fabiodds, Peter Leeming,
Steve and ainsley.
Impact
======
in the money_format() function could allow the execution of
arbitrary code.
CVE-2007-4659
Stefan Esser discovered that execution control flow inside the
zend_alter_ini_entry() function is handled incorrectly in case
of a memory limit violation.
CVE-2007-4660
Additionally the research should be repeated with PHP 5.3-beta, because
it now does something very similar to Suhosin.
Stefan Esser
cross-site scripting vulnerabilities, if a user were tricked into viewing
server output during a crafted server request, a remote attacker could
exploit this to modify the contents, or steal confidential data (such as
passwords), within the same domain. (CVE-2009-4142)
Stefan Esser discovered that PHP did not properly handle session data. An
attacker could exploit this issue to bypass safe_mode or open_basedir
restrictions. (CVE-2009-4143)
Updated packages for Ubuntu 6.06 LTS:
Vulnerability : code injection
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-0830
Stefan Esser discovered that the implementation of the max_input_vars
configuration variable in a recent PHP security update was flawed such
that it allows remote attackers to crash PHP or potentially execute
code.
For the oldstable distribution (lenny), no fix is available at this time.
MOPS Article: PHP Web Security (INCOMPLETE) - http://bit.ly/baE4ya
Thank you
Stefan Esser
Organiser
Month of PHP Security / php-security.org
SektionEins GmbH / www.sektioneins.com