Month of PHP Bugs – Days 11 – 22

There have been some busy days lately and I couldn’t keep up with Stefan Esser’s PHP Month of the Bugs project . During the past 10 days or so there’s been quite some activity in the bug exposure project :

  1. PHP ext/filter Space Trimming Buffer Underflow Vulnerability When ext/filter is used in an application to filter user input a buffer underflow can be triggered that allows remote code execution on big endian systems (e.g. MacOS X on PPC, Solaris on SPARC
  2. PHP zip:// URL Wrapper safemode and open_basedir Bypass Vulnerability The zip:// URL Wrapper does not perform safemode or open_basedir checks and therefore allows access to archives outside the allowed area
  3. PHP compress.bzip2:// URL Wrapper safemode and open_basedir Bypass Vulnerability The compress.bzip2:// URL Wrapper does not perform safemode or open_basedir checks and therefore allows access to archives outside the allowed area
  4. PHP session_regenerate_id() Double Free Vulnerability session_regenerate_id() fails to clear an already freed pointer before calling an interruptible function. This can lead to an exploitable double free
  5. PHP 5 Rejected Session Identifier Double Free Vulnerability When a session storage module rejects a session id the session code fails to clear an already freed pointer before calling an interruptible function. This can lead to an exploitable double free.
  6. PHP array_user_key_compare() Double DTOR Vulnerability When the userspace key comparison function returns its parameters are destructed even if there are references left. Therefore an exploitable double DTOR can be triggered.
  7. PHP header() Space Trimming Buffer Underflow Vulnerability When the header() function is called with an all whitespace string a buffer underflow can be triggered that allows code execution on big endian systems (e.g. MacOS X on PPC, Solaris on SPARC)
  8. PHP mb_parse_str() register_globals Activation Vulnerability When the mb_parse_str() function is interrupted by for example a memory_limit violation this can result in register_globals being (and staying) activated for the Apache child
  9. PHP ext/gd Already Freed Resource Access Vulnerability A malicious error handler can trick the GD extension into accessing an already freed image resource which allows read and write access to arbitrary memory addresses from PHP code. This can lead to arbitrary code execution.
  10. PHP hash_update_file() Already Freed Resource Access Vulnerability A malicious user stream can trick the hash_update_file() function into accessing an already freed hash resource. This can lead to arbitrary code execution.




Thank you for reading this post. You can now Leave A Comment (0) or Leave A Trackback. Print This Post Print This Post


Subscribe without commenting


Leave a Reply

Note: Any comments are permitted only because the site owner is letting you post, and any comments will be removed for any reason at the absolute discretion of the site owner.

CommentLuv badge