Month of PHP Bugs - Days 11 - 22
There have been some busy days lately and I couldn't keep up with Stefan Esser's Month of PHP Bugs project. During the past 10 days or so there's been quite some activity in the bug exposure project:
- PHP ext/filter Space Trimming Buffer Underflow Vulnerability: when ext/filter is used in an application to filter user input, a buffer underflow can be triggered that allows remote code execution on big-endian systems (e.g. Mac OS X on PPC, Solaris on SPARC).
- PHP zip:// URL Wrapper safemode and open_basedir Bypass Vulnerability: the zip:// URL wrapper does not perform safe_mode or open_basedir checks and therefore allows access to archives outside the allowed area.
- PHP compress.bzip2:// URL Wrapper safemode and open_basedir Bypass Vulnerability: the compress.bzip2:// URL wrapper has the same missing safe_mode and open_basedir checks as zip:// and therefore allows access to files outside the allowed area.
- PHP session_regenerate_id() Double Free Vulnerability: session_regenerate_id() fails to clear an already freed pointer before calling an interruptible function. This can lead to an exploitable double free.
- PHP 5 Rejected Session Identifier Double Free Vulnerability: when a session storage module rejects a session id, the session code fails to clear an already freed pointer before calling an interruptible function. This can lead to an exploitable double free.
- PHP array_user_key_compare() Double DTOR Vulnerability: when the userspace key comparison function (the callback behind uksort()) returns, its parameters are destructed even if there are references left. Therefore an exploitable double destructor call can be triggered.
- PHP header() Space Trimming Buffer Underflow Vulnerability: when the header() function is called with an all-whitespace string, a buffer underflow can be triggered that allows code execution on big-endian systems (e.g. Mac OS X on PPC, Solaris on SPARC). This is the same class of trimming bug as the ext/filter one above.
- PHP mb_parse_str() register_globals Activation Vulnerability: when the mb_parse_str() function is interrupted, for example by a memory_limit violation, this can result in register_globals being (and staying) activated for the whole Apache child, i.e. for every request it serves afterwards. (Independently of this bug, calling mb_parse_str() or parse_str() without the second result-array argument already imports the parsed names as variables into the current scope, so always pass the result array.)
- PHP ext/gd Already Freed Resource Access Vulnerability: a malicious error handler (a user function registered with set_error_handler()) can trick the GD extension into accessing an already freed image resource, which allows read and write access to arbitrary memory addresses from PHP code. This can lead to arbitrary code execution.
- PHP hash_update_file() Already Freed Resource Access Vulnerability: a malicious user stream (a stream wrapper registered with stream_wrapper_register()) can trick the hash_update_file() function into accessing an already freed hash resource. This can lead to arbitrary code execution.

The common thread in most of these is user-controlled PHP code (error handlers, stream wrappers, comparison callbacks, or an interrupt such as memory_limit) running in the middle of an engine operation that still holds a stale pointer. Note that all the safe_mode and open_basedir items are bypasses of a feature the PHP manual itself does not recommend as a security boundary; they matter most on shared hosts that rely on it anyway.
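The two wrapper bypasses above illustrate why application code should not lean on open_basedir alone when it opens a user-supplied path. The following is an added example, not code from the original post or from Stefan Esser's advisories: a helper that refuses any path carrying a stream-wrapper scheme (zip://, compress.bzip2://, php://, ...) and pins the resolved path inside an allow-listed directory, so it holds regardless of whether the interpreter's own open_basedir check is applied by a given wrapper. The directory name, function name and sample paths are assumptions made for the example.

```php
<?php
// Added example (not from the original post). Assumed: the application may
// only read files below $baseDir, and $userPath comes straight from a request.

function safe_open_in_dir($baseDir, $userPath)
{
    // 1. Refuse anything that looks like a stream-wrapper URL ("scheme://").
    //    This is what keeps zip://, compress.bzip2://, php:// etc. out even
    //    when the wrapper itself skips the open_basedir check.
    if (preg_match('#^[A-Za-z][A-Za-z0-9+.\-]*://#', $userPath)) {
        throw new InvalidArgumentException("stream wrappers are not allowed: $userPath");
    }

    // 2. Reject embedded NUL bytes; the C-level file functions stop at the NUL,
    //    so "safe.txt\0../../etc/passwd" would not be the path PHP validates.
    if (strpos($userPath, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in path');
    }

    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException("base directory does not exist: $baseDir");
    }

    // 3. Resolve symlinks and ".." segments, then require the result to live
    //    below $base (prefix check includes the separator so "/var/www2" does
    //    not pass as being inside "/var/www").
    $real = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("path escapes $base: $userPath");
    }

    return fopen($real, 'rb');
}

// Usage with constructed sample paths. Only a file that really exists under
// $baseDir (here assumed: uploads/report.txt) is opened; the rest are rejected.
$baseDir = __DIR__ . '/uploads';
$samples = array(
    'report.txt',
    '../../etc/passwd',
    'zip:///tmp/evil.zip#x',
    'compress.bzip2:///etc/passwd',
    "report.txt\0.jpg",
);
foreach ($samples as $p) {
    try {
        $fh = safe_open_in_dir($baseDir, $p);
        echo "opened " . addcslashes($p, "\0") . "\n";
        fclose($fh);
    } catch (Exception $e) {
        echo "rejected " . addcslashes($p, "\0") . ": " . $e->getMessage() . "\n";
    }
}
```

The scheme check runs before realpath() on purpose: realpath() does not understand wrapper URLs and simply returns false for them, so a helper that only checked the resolved path would reject them by accident rather than by design, and a later refactor that opens the raw $userPath would silently reopen the hole. On a host where no code legitimately needs archive wrappers, stream_wrapper_unregister('zip') at startup removes the wrapper altogether and is a cheap second layer.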
Post Info
This entry was posted on Thursday, March 22nd, 2007 and is filed under Month Of PHP Bugs.