Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: [SA26642] PHP Multiple Vulnerabilities



>
> TITLE:
> PHP Multiple Vulnerabilities
>
> SECUNIA ADVISORY ID:
> SA26642
>
> VERIFY ADVISORY:
> http://secunia.com/advisories/26642/
>
> CRITICAL:
> Moderately critical
>
> IMPACT:
> Unknown, Security Bypass
>
> WHERE:
> From remote
>
> SOFTWARE:
> PHP 5.2.x
> http://secunia.com/product/13446/
>
> DESCRIPTION:
> Some vulnerabilities have been reported in PHP, where some have
> unknown impacts and others can be exploited by malicious users to
> bypass certain security restrictions.
>
> 1) An error with unknown impact exists within the "money_format()"
> function when processing "%i" and "%n" tokens.
>
> 2) An unspecified error exists within the "zend_alter_ini_entry()"
> function. This can be exploited to trigger a memory_limit
> interruption.
>
> 3) Two integer overflow errors exist within the "gdImageCreate()" and
> "gdImageCreateTrueColor()" functions in ext/gd/libgd/gd.c. These can
> be exploited to cause a heap-based buffer overflow via overly large
> integer values passed as parameters to e.g. the
> "imagecreatetruecolor()" PHP function.
>
> 4) Two integer overflow errors exist within the
> "gdImageCopyResized()" function in ext/gd/libgd/gd.c. These can be
> exploited to cause a heap-based buffer overflow via overly large
> integer values passed as parameters to the "imagecopyresized()" or
> "imagecopyresampled()" PHP functions.
>
> Successful exploitation of vulnerabilities #3 and #4 may allow
> execution of arbitrary code, which may lead to security restrictions
> (e.g. the "disable_functions" directive) being bypassed, but requires
> that PHP is configured to use gd.
>
> 5) An error exists within the handling of SQL queries containing
> "LOCAL INFILE" inside the MySQL and MySQLi extensions. This can be
> exploited to bypass the "open_basedir" and "safe_mode" directives.
>
> 6) An error exists when processing "session_save_path()" and
> "ini_set()" functions called from a ".htaccess" file. This can be
> exploited to bypass the "open_basedir" and "safe_mode" directives.
>
> 7) An unspecified error exists within the "glob()" function. This can
> be exploited to bypass the "open_basedir" directive.
>
> 8) An unspecified error exists within the session extension. This can
> potentially be exploited to bypass the "open_basedir" directive when
> the session file is a symlink.
>
> The vulnerabilities are reported in PHP versions prior to 5.2.4.
>
> SOLUTION:
> Update to PHP version 5.2.4.
> http://www.php.net/downloads.php
>
> PROVIDED AND/OR DISCOVERED BY:
> 1) The vendor credits Stanislav Malyshev.
> 2) The vendor credits Stefan Esser.
> 3, 4) Mattias Bengtsson and Philip Olausson.
> 5) The vendor credits Stanislav Malyshev. Also reported by Mattias
> Bengtsson and Philip Olausson.
> 6) The vendor credits Maksymilian Arciemowicz.
> 7) The vendor credits dr.
> 8) The vendor credits c.i.morris.
>
> ORIGINAL ADVISORY:
> http://www.php.net/releases/5_2_4.php
>
> 3)
> http://secweb.se/en/advisories/php-imagecreatetruecolor-integer-overflow/
> 4)
> http://secweb.se/en/advisories/php-imagecopyresized-integer-overflow/
> 5)
> http://secweb.se/en/advisories/php-mysql-safe-mode-bypass-vulnerability/
>
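Items 3 and 4 of the advisory describe integer overflows in gd's image-creation and resize paths, where an overly large dimension wraps the byte count of an allocation and later pixel writes overrun the heap. The C sketch below is an added illustration, not code from the advisory or from libgd: it contrasts the unchecked size computation the advisory describes (simulated for a 32-bit build) with an allocation routine that rejects wrapping products and oversized buffers before anything is allocated. The `image_t` struct, the `MAX_IMAGE_BYTES` budget and all function names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>

/* Byte budget for one pixel buffer: an assumed, configurable policy value. */
#define MAX_IMAGE_BYTES ((size_t)256 * 1024 * 1024)

/* Hypothetical truecolor image: one int per pixel, one pointer per row (not libgd's gdImage). */
typedef struct {
    int sx, sy;
    int **tpixels;
} image_t;

/* Vulnerable pattern as the advisory describes it, simulated for a 32-bit build:
   sizeof(int) * sx wraps, so an overly large sx yields a tiny row allocation that
   later per-pixel writes overrun. Only the wrapped byte count is returned here. */
uint32_t unchecked_row_bytes_32(uint32_t sx) {
    return (uint32_t)(sizeof(int) * (size_t)sx);   /* truncation models the 32-bit wrap */
}

/* 1 if a * b does not fit in size_t, else 0. */
int mul_overflows(size_t a, size_t b) {
    return a != 0 && b > SIZE_MAX / a;
}

void image_free(image_t *im) {
    if (!im) return;
    if (im->tpixels) {
        for (int y = 0; y < im->sy; y++) free(im->tpixels[y]);   /* free(NULL) is a no-op */
        free(im->tpixels);
    }
    free(im);
}

/* Hardened creation: reject non-positive sizes, any product that could wrap,
   and any buffer beyond the byte budget before a single allocation happens. */
image_t *image_create_checked(int sx, int sy) {
    if (sx <= 0 || sy <= 0) return NULL;
    if (mul_overflows((size_t)sx, (size_t)sy)) return NULL;
    size_t pixels = (size_t)sx * (size_t)sy;
    if (mul_overflows(pixels, sizeof(int)) || pixels * sizeof(int) > MAX_IMAGE_BYTES) return NULL;
    if (mul_overflows((size_t)sy, sizeof(int *))) return NULL;   /* row-pointer table */
    image_t *im = calloc(1, sizeof *im);
    if (!im) return NULL;
    im->tpixels = calloc((size_t)sy, sizeof(int *));
    if (!im->tpixels) { free(im); return NULL; }
    im->sy = sy;   /* set before the loop so image_free can unwind a partial image */
    for (int y = 0; y < sy; y++) {
        im->tpixels[y] = calloc((size_t)sx, sizeof(int));
        if (!im->tpixels[y]) { image_free(im); return NULL; }
    }
    im->sx = sx;
    return im;
}
```

With sx = 0x40000000 the simulated 32-bit byte count wraps to 0, which is exactly the condition the checked version refuses up front.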



 




Copyright © Lexa Software, 1996-2009.