Month of PHP Bugs – Days 23 – 31

March 2007 is over, and so is the Month of PHP Bugs project initiated by Stefan Esser. The number of PHP flaws revealed during one month is astonishing: 44. Many of these bugs pose a real threat to PHP installs older than 4.4.5 or 5.2.1, so it's no wonder that the whole project stirred a lot of controversy and debate. Here are bugs 29 to 44:

  1. PHP 5.2.1 unserialize() Information Leak Vulnerability: The new S: datatype in unserialize() does not work at all, which leads to disclosure of heap memory content.
  2. PHP _SESSION unset() Vulnerability: Unsetting HTTP_SESSION_VARS and _SESSION can lead to arbitrary code execution.
  3. PHP _SESSION Deserialization Overwrite Vulnerability: Deserialization of session data can overwrite _SESSION, which can be exploited to execute arbitrary code.
  4. PHP 4.4.5/4.4.6 session_decode() Double Free Vulnerability: The security fix for MOPB-31-2007 introduced a double free vulnerability into PHP 4 that can lead to the execution of arbitrary code.
  5. PHP mail() Message ASCIIZ Byte Truncation: ASCIIZ character injection into an email message will truncate it.
  6. PHP mail() Header Injection Through Subject and To Parameters: A flaw in handling folded Subject and To headers allows mail header injection through both fields.
  7. PHP 4 zip_entry_read() Integer Overflow Vulnerability: The zip_entry_read() function of PHP 4 is vulnerable to an integer overflow in memory allocation that leads to an exploitable buffer overflow.
  8. PHP session.save_path open_basedir Bypass Vulnerability: Due to some magic directory guessing, a script can bypass the open_basedir restriction on the session save path.
  9. PHP iptcembed() Interruption Information Leak Vulnerability: A malicious user space error handler that interrupts iptcembed() can manipulate its parameters, which leads to disclosure of arbitrary heap memory.
  10. PHP printf() Family 64 Bit Casting Vulnerabilities: A 64 bit long to int cast results in multiple flaws in PHP's printf() function family that lead to a new class of exploitable vulnerabilities: PHP Application Format String Vulnerabilities.
  11. PHP str_replace() Memory Allocation Integer Overflow Vulnerability: When a single char is replaced by a long string many times in str_replace(), this can result in an integer overflow in memory allocation that leads to a buffer overflow vulnerability.
  12. PHP imap_mail_compose() Boundary Stack Buffer Overflow Vulnerability: An overlong boundary string passed to imap_mail_compose() will overflow a stack buffer and lead to arbitrary code execution.
  13. PHP 5 sqlite_udf_decode_binary() Buffer Overflow Vulnerability: Calling sqlite_udf_decode_binary() with a malformed input string can lead to an exploitable buffer overflow.
  14. PHP 5 php_stream_filter_create() Off By One Vulnerability: The internal wildcard handling for stream filters contains an exploitable off by one overflow vulnerability that can be triggered by accessing a php://filter URL.
  15. PHP msg_receive() Memory Allocation Integer Overflow Vulnerability: An unchecked maxsize parameter to the msg_receive() function can result in an integer overflow during memory allocation that results in an exploitable buffer overflow.
  16. PHP 5.2.0 Memory Manager Signed Comparison Vulnerability: Due to a signed integer comparison, a request for more than 2 GB of memory will be answered with a minimum size memory block. This results in a myriad of (sometimes remotely) exploitable buffer overflows.
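Several entries in the list (7, 11, 15 and 16) share one root cause: an allocation size is computed from attacker-influenced numbers, the arithmetic wraps or is compared as a signed value, and the resulting buffer is far smaller than the code assumes. The following C snippet is an added illustration of that pattern and its defensive fix; it is constructed for this post and is not PHP source or code from any of the advisories. All function names are hypothetical.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

/* Naive size computation behind the integer-overflow items: the product
 * silently wraps whenever count * size exceeds SIZE_MAX, so the caller
 * allocates a tiny block and later writes far past its end.
 * This helper only reports the wrapped size; it allocates nothing. */
size_t naive_alloc_size(size_t count, size_t size) {
    return count * size;
}

/* Defensive replacement: detect the wrap before it happens.
 * Returns 1 and stores count * size in *out on success, 0 on overflow. */
int checked_mul_size(size_t count, size_t size, size_t *out) {
    if (count != 0 && size > SIZE_MAX / count) {
        return 0; /* product would wrap around */
    }
    *out = count * size;
    return 1;
}

/* Signed-comparison pitfall (item 16): a request above INT_MAX turns
 * negative once cast to int, so "is it within the limit?" is answered
 * yes for a multi-gigabyte request. Returns 1 if the request passes.
 * The exact value of the out-of-range cast is implementation-defined,
 * but on common compilers it wraps to a negative number. */
int limit_check_signed(size_t requested, int limit) {
    int r = (int)requested; /* truncation / sign change happens here */
    return r <= limit;
}

/* Corrected: validate the limit, then compare in the unsigned domain. */
int limit_check_unsigned(size_t requested, int limit) {
    if (limit < 0) {
        return 0;
    }
    return requested <= (size_t)limit;
}

/* Allocation wrapper a defender wants: every multiply goes through the
 * checked helper, and a NULL return means "refuse", never "tiny block". */
void *alloc_array(size_t count, size_t size) {
    size_t bytes;
    if (!checked_mul_size(count, size, &bytes)) {
        return NULL;
    }
    return malloc(bytes);
}
```

Any code that derives a buffer size from input (element counts, string lengths multiplied by a replacement length, a user-supplied maxsize) should route the arithmetic through a helper like checked_mul_size and treat a failed check as a hard error rather than falling back to a default size.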
