php5
PHP filesystem attack vectors
Name PHP filesystem attack vectors
Systems Affected PHP and PHP+Suhosin
Vendor http://www.php.net/
Advisory http://www.ush.it/team/ush/hack-phpfs/phpfs_mad.txt
Authors Francesco "ascii" Ongaro (ascii AT ush DOT it)
Giovanni "evilaliv3" Pellerano (giovanni.pellerano AT
evilaliv3 DOT org)
Date 20090207
PHP filesystem attack vectors - Take Two
Name PHP filesystem attack vectors - Take Two
Systems Affected PHP and PHP+Suhosin
Vendor http://www.php.net/
Advisory http://www.ush.it/team/ush/hack-phpfs/phpfs_mad_2.txt
Authors Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it)
Antonio "s4tan" Parata (s4tan AT ush DOT it)
Francesco "ascii" Ongaro (ascii AT ush DOT it)
Alessandro "jekil" Tanasi (alessandro AT tanasi DOT it)
Affected version: 0.4.2.5
###############################################################################
1. Arbitrary File Upload Vulnerability in "documenthandler.php"
###############################################################################
Reasons: Missing security checks in file upload functionality
Attack vectors: Uploaded file
Preconditions: Logged in as admin with FoxyPress product editing privileges
Secure Network - Security Research Advisory
Vuln name: Simple PHP Blog Multiple Vulnerabilities
Systems affected: simplePHPBlog 0.5.0.1, simplePHPBlog 0.4.8 and all previous versions
Systems not affected: -
Severity: Medium
Local/Remote: Remote
Vendor URL: http://www.simplephpblog.com/
Author(s): Luca "ikki" Carettoni - luca.carettoni@securenetwork.it, Luca "Daath" De Fulgentis - daath@webapptest.org
Vendor disclosure: 14th September 2007
Description
------------
PHP version 5.3.1 was just released. This release contains a patch for a
denial of service condition we've reported on 27 October 2009. The
problem is related with PHP's handling of RFC 1867 (Form-based File
Upload in HTML).
When you send a POST request to a PHP script with the content-type of
"multipart/form-data" and include a list of files in that request, PHP
will create a temporary file for each file from the request. PHP will
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Month of PHP Security 2010 - CALL FOR PAPERS
- --------------------------------------------
Three years ago, in March 2007, the Hardened-PHP project had organized
the Month of PHP Bugs. During one month more than 40 vulnerabilities in
the PHP interpreter were disclosed in order to improve the overall
security of PHP. Now, three years later, SektionEins GmbH will
Hello Everyone,
it is 21st of May. The Month of PHP Security
(http://www.php-security.org) is still running and we have reached a
vulnerability count of 40 vulnerabilities, which is nearly as much as we
disclosed during the whole Month of PHP Bugs in 2007. However there are
11 more days until the end of May and therefore there are still plenty
of more vulnerabilities to come. Especially the amount of SQL injection
vulnerabilities in PHP applications will increase, because it is called
SQL injection marathon for a reason. And we also have several articles
DISCLAIMER: THIS SECURITY ADVISORY IS PROVIDED AS-IS, AND WITHOUT ANY GUARANTEE OF ANY KIND THAT THE INFORMATION IS ACCURATE, OR THAT THE WORKAROUND, SOLUTIONS, OR PATCHES PROVIDED WILL PROTECT SYSTEMS, OR THAT THEY WILL NOT CREATE NEW PROBLEMS. THE AUTHOR ACCEPTS NO LIABILITY OF ANY FORM FOR THE INFORMATION CONTAINED WITHIN OR THE CONSEQUENCES OF ITS USE OR MISUSE.
Synopsis:
Most current installations of PHP set up to run via FastCGI with suexec are vulnerable to a local exploit, where anyone with the ability to run code as the user the webserver runs as can gain access as any user with an account set up to run PHP. It is anticipated that this issue will especially affect shared web hosts who use FastCGI + suexec thinking it will give them additional security.
Conditions for exploitation:
=> PHP needs to be used via CGI or FastCGI.
=> The system must be set up to use suexec (rather than, say, having PHP run as an external FastCGI server).
=> The attacker must be able to run code as the same user that the webserver runs as. This is unlikely to be a problem for many local attackers, because there are a multitude of possible attack vectors, such as SSI, non-suexec CGI scripts, non-suexec PHP (if mod_php is also installed), and likely numerous other options.
=> Depending on the configuration, setting an open_basedir might protect an installation. However, this only applies if open_basedir is set, php-cgi is not installed directly into the web space, but is instead called from a script which doesn't pass any parameters from the script command line.
==========================================================================
Ubuntu Security Notice USN-1126-2
May 05, 2011
php5 regressions
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.04
==========================================================================
Ubuntu Security Notice USN-1126-1
April 29, 2011
php5 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.04
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Affected is OpenCart version 1.5.2.1, older versions may be vulnerable as well.
###############################################################################
1. Local File Inclusion in "action.php"
###############################################################################
Reason: using unsanitized user submitted data for file operations
Attack vector: user submitted GET parameter "route"
Preconditions:
Application: Piwik <= 0.4.5
Severity: Piwik unserializes() user input which allows an attacker
to send a carefully crafted cookie that when unserialized
utilizes Piwik's classes to upload arbitrary files or
execute arbitrary PHP code
Risk: Critical
Vendor Status: Piwik 0.5.0 was released which fixes this vulnerability
Reference:
http://www.sektioneins.com/en/advisories/advisory-032009-piwik-cookie-unserialize-vulnerability/
Hi everyone,
10 days ago the Month of PHP Security 2010 has started at
http://www.php-security.org/ and meanwhile 20 vulnerabilities were
posted and also 4 user submitted articles were published. Here is a
short summary of what was released so far. You can follow the Month of
PHP Security on Twitter, too. Just follow @mops_2010
Vulnerabilities in PHP Applications
-----------------------------------
Affected versions: 1.9.0, 2.0.0
###############################################################################
1. Arbitrary File Overwrite Vulnerability in "admin/skin_options.php"
###############################################################################
Reasons:
1. Insecure use of "parse_str()"
2. Uninitialized variable "$mainXML"
Mandriva Linux Security Advisory MDVSA-2009:324
http://www.mandriva.com/security/
_______________________________________________________________________
Package : php
Date : December 7, 2009
Affected: 2008.0
_______________________________________________________________________
Problem Description:
> Martijn Vernooij (tinus win tue nl) wrote
> On Wed, 11 Feb 2009 security.432 (at) amxl (dot) com wrote:
> > => The attacker must be able to run code as the same user that the
> > webserver runs as. This is unlikely to be a problem for many local
> > attackers, because there are a multitude of possible attack vectors,
> > such as SSI, non-suexec CGI scripts, non-suexec PHP (if mod_php is also
> > installed), and likely numerous other options.
>
> Once the attacker can run code as the same user the webserver runs as, he
> can make the webserver do whatever he wants. He can just 'debug' the
> webserver process and change any setting, inject code, whatever. You can
www.sektioneins.de
-= Security Advisory =-
Advisory: PHP Multibyte Shell Command Escaping Bypass Vulnerability
Release Date: 2008/05/06
Last Modified: 2008/05/06
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: PHP 5 <= 5.2.5
On Mon, May 10, 2010 at 09:05:16PM +0200, Stefan Esser wrote:
> Hi everyone,
>
> 10 days ago the Month of PHP Security 2010 has started at
> http://www.php-security.org/ and meanwhile 20 vulnerabilities were
> posted and also 4 user submitted articles were published. Here is a
> short summary of what was released so far. You can follow the Month of
> PHP Security on Twitter, too. Just follow @mops_2010
Thank you and all the volunteers for your efforts. It is good to see
===========================================================
Ubuntu Security Notice USN-720-1 February 12, 2009
php5 vulnerabilities
CVE-2007-3996, CVE-2007-5900, CVE-2008-3658, CVE-2008-3659,
CVE-2008-3660, CVE-2008-5557, CVE-2008-5624, CVE-2008-5625,
CVE-2008-5658
===========================================================
A security issue affects the following Ubuntu releases:
[ PHP 5.3.6 ZipArchive invalid use glob(3) ]
Author: Maksymilian Arciemowicz
http://securityreason.com/
http://securityreason.net/
http://cxib.net/
Date:
- Dis.: 01.04.2011
- Pub.: 19.08.2011
www.sektioneins.de
-= Security Advisory =-
Advisory: PHP GENERATE_SEED() Weak Random Number Seed Vulnerability
Release Date: 2008/05/06
Last Modified: 2008/05/06
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: PHP 5 <= 5.2.5
Title: Simple PHP Blog (sphpblog) <= 0.5.1 Multiple Vulnerabilities
Vendor: http://sourceforge.net/projects/sphpblog/
Advisory: http://acid-root.new.fr/?0:15
Author: DarkFig < gmdarkfig (at) gmail (dot) com >
Released on: 2007/10/21
Changelog: ----------
L M H T
Summary: Ip Spoofing [X] [_] [_] [X]
"Two years ago, I wrote a semi similar post to this one, but, well,
I'm old and tired of seeing this now. Time for folks to upgrade.
On Sep 10, 2007, at 9:38 PM, laurent.gaffie@gmail.com wrote:
> Application: PHP <=5.2.4
> Web Site: http://php.net
> Platform: unix
> Bug: safemode & open_basedir bypass
> ======
> 2) Bug
===========================================================
Ubuntu Security Notice USN-989-1 September 20, 2010
php5 vulnerabilities
CVE-2010-0397, CVE-2010-1128, CVE-2010-1129, CVE-2010-1130,
CVE-2010-1866, CVE-2010-1868, CVE-2010-1917, CVE-2010-2094,
CVE-2010-2225, CVE-2010-2531, CVE-2010-2950, CVE-2010-3065
===========================================================
A security issue affects the following Ubuntu releases:
Affected Software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CruxCMS is a lightweight, easy to use website content management system (CMS).
It is written in PHP and uses the powerful MySQL database.
http://www.cruxsoftware.co.uk/cruxcms.php
Affected versions
Mandriva Linux Security Advisory MDVSA-2011:053
http://www.mandriva.com/security/
_______________________________________________________________________
Package : php
Date : March 23, 2011
Affected: 2010.0, 2010.1
_______________________________________________________________________
Problem Description:
2. attacker must have blog editing privileges
Registered users with blog keeping privileges can access personal gallery
functionality, example URL:
http://localhost/mkportal.1.2.1/index.php?ind=blog&op=p_gal
They can also upload image files to the server. File uploading can be
dangerous without proper security checks. So let's have a closer look
at the source code of "modules/blog/index.php" line ~2452:
www.sektioneins.de
-= Security Advisory =-
Advisory: PHP ZipArchive::extractTo() Directory Traversal Vulnerability
Release Date: 2008/12/04
Last Modified: 2008/12/04
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: PHP 5 <= 5.2.6
------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
FreeWebshop.org [2] (FWS) is a free, full featured software package that
allows you to set up your own online webshop within minutes. FWS is
written in the popular language PHP and uses a MySQL database. It is
designed to provide you with all the features you need from a webshop.
------------------------------------------------------------------------
Insecure installation instructions
------------------------------------------------------------------------