Directory traversal vulnerability in the ZipArchive::extractTo function in PHP 5.2.6 and earlier allows context-dependent attackers to write arbitrary files via a ZIP file with a file whose name contains .. (dot dot) sequences.

According to its banner, the version of PHP 5.x installed on the remote host is older than 5.2.7.  Such versions may be affected by several security issues : 

  - Missing initialization of 'BG(page_uid)' and  'BG(page_gid)' when PHP is used as an Apache module may allow for bypassing security restrictions due to SAPI 'php_getuid()' overloading.

  - Incorrect 'php_value' order for Apache configuration may allow bypassing PHP's 'safe_mode' setting.

  - File truncation can occur when calling 'dba_replace()' with an invalid argument.

  - The ZipArchive: extractTo() method in the ZipArchive extension fails to filter directory traversal sequences from file names.

  - There is a buffer overflow in the bundled PCRE library fixed by 7.8. (CVE-2008-2371)

  - A buffer overflow in the 'imageloadfont()' function in 'ext/gd/gd.c' can be triggered when a specially crafted font is given. (CVE-2008-3658)

  - There is a buffer overflow in PHP's internal function 'memnstr()', which is exposed to userspace as 'explode()'. (CVE-2008-3659)

  - When used as a FastCGI module, PHP segfaults when opening a file whose name contains two dots (eg, 'file..php'). (CVE-2008-3660)

  - Multiple directory traversal vulnerabilities in functions such as 'posix_access()', 'chdir()', 'ftok()' may allow a remote attacker to bypass 'safe_mode' restrictions. (CVE-2008-2665 and CVE-2008-2666).

  - A buffer overflow may be triggered when processing long message headers in 'php_imap.c' due to use of an obsolete API call. (CVE-2008-2829)  - A buffer overflow error exists in the function 'date_from_ISO8601' function within file 'xmlrpc.c' because user-supplied input is improperly validated. This can be exploited by a remote attacker to cause a denial of service or to execute arbitrary code. (CVE-2014-8626)

The remote host is affected by the vulnerability described in GLSA-201001-03 (PHP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in PHP. Please review the     CVE identifiers referenced below and the associated PHP release notes     for details.
  Impact :

    A context-dependent attacker could execute arbitrary code via a     specially crafted string containing an HTML entity when the mbstring     extension is enabled. Furthermore a remote attacker could execute     arbitrary code via a specially crafted GD graphics file.
    A remote attacker could also cause a Denial of Service via a malformed     string passed to the json_decode() function, via a specially crafted     ZIP file passed to the php_zip_make_relative_path() function, via a     malformed JPEG image passed to the exif_read_data() function, or via     temporary file exhaustion. It is also possible for an attacker to spoof     certificates, bypass various safe_mode and open_basedir restrictions     when certain criteria are met, perform Cross-site scripting attacks,     more easily perform SQL injection attacks, manipulate settings of other     virtual hosts on the same server via a malicious .htaccess entry when     running on Apache, disclose memory portions, and write arbitrary files     via a specially crafted ZIP archive. Some vulnerabilities with unknown     impact and attack vectors have been reported as well.
  Workaround :

    There is no known workaround at this time.

Several remote vulnerabilities have been discovered in the PHP 5 hypertext preprocessor. The Common Vulnerabilities and Exposures project identifies the following problems :

The following issues have been fixed in both the stable (lenny) and the oldstable (etch) distributions :

  - CVE-2009-2687 CVE-2009-3292     The exif module did not properly handle malformed jpeg     files, allowing an attacker to cause a segfault,     resulting in a denial of service.

  - CVE-2009-3291     The php_openssl_apply_verification_policy() function did     not properly perform certificate validation.

  - No CVE id yet

    Bogdan Calin discovered that a remote attacker could     cause a denial of service by uploading a large number of     files in using multipart/ form-data requests, causing     the creation of a large number of temporary files.

  To address this issue, the max_file_uploads option introduced in PHP   5.3.1 has been backported. This option limits the maximum number of   files uploaded per request. The default value for this new option is   50. See NEWS.Debian for more information.

The following issue has been fixed in the stable (lenny) distribution :

  - CVE-2009-2626     A flaw in the ini_restore() function could lead to a     memory disclosure, possibly leading to the disclosure of     sensitive data.

In the oldstable (etch) distribution, this update also fixes a regression introduced by the fix for CVE-2008-5658 in DSA-1789-1 (bug #527560).

This update of php5 fixes a directory traversal bug in ZipArchive (CVE-2008-5658) and a buffer overflow in the mstring extension.
(CVE-2008-5557)

This update of php5 fixes a directory traversal bug in ZipArchive (CVE-2008-5658) and a buffer overflow in the mstring extension (CVE-2008-5557).

Update to PHP 5.2.9 A heap-based buffer overflow flaw was found in PHP's mbstring extension. A remote attacker able to pass arbitrary input to a PHP script using mbstring conversion functions could cause the PHP interpreter to crash or, possibly, execute arbitrary code.
(CVE-2008-5557) A directory traversal flaw was found in PHP's ZipArchive::extractTo function. If PHP is used to extract a malicious ZIP archive, it could allow an attacker to write arbitrary files anywhere the PHP process has write permissions. (CVE-2008-5658) A buffer overflow flaw was found in PHP's imageloadfont function. If a PHP script allowed a remote attacker to load a carefully crafted font file, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-3658) A memory disclosure flaw was found in the PHP gd extension's imagerotate function. A remote attacker able to pass arbitrary values as the 'background color' argument of the function could, possibly, view portions of the PHP interpreter's memory. (CVE-2008-5498) A cross-site scripting flaw was found in a way PHP reported errors for invalid cookies. If the PHP interpreter had 'display_errors' enabled, a remote attacker able to set a specially crafted cookie on a victim's system could possibly inject arbitrary HTML into an error message generated by PHP.
(CVE-2008-5814) A flaw was found in the handling of the 'mbstring.func_overload' configuration setting. A value set for one virtual host, or in a user's .htaccess file, was incorrectly applied to other virtual hosts on the same server, causing the handling of multibyte character strings to not work correctly. (CVE-2009-0754) A flaw was found in PHP's json_decode function. A remote attacker could use this flaw to create a specially crafted string which could cause the PHP interpreter to crash while being decoded in a PHP script.
(CVE-2009-1271) A flaw was found in the use of the uw-imap library by the PHP 'imap' extension. This could cause the PHP interpreter to crash if the 'imap' extension was used to read specially crafted mail messages with long headers. (CVE-2008-2829) http://www.php.net/releases/5_2_7.php http://www.php.net/releases/5_2_8.php http://www.php.net/releases/5_2_9.php http://www.php.net/ChangeLog-5.php#5.2.9

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several remote vulnerabilities have been discovered in the PHP 5 hypertext preprocessor. The Common Vulnerabilities and Exposures project identifies the following problems.

The following four vulnerabilities have already been fixed in the stable (lenny) version of php5 prior to the release of lenny. This update now addresses them for etch (oldstable) as well :

  - CVE-2008-2107 / CVE-2008-2108     The GENERATE_SEED macro has several problems that make     predicting generated random numbers easier, facilitating     attacks against measures that use rand() or mt_rand() as     part of a protection.

  - CVE-2008-5557     A buffer overflow in the mbstring extension allows     attackers to execute arbitrary code via a crafted string     containing an HTML entity.

  - CVE-2008-5624     The page_uid and page_gid variables are not correctly     set, allowing use of some functionality intended to be     restricted to root.

  - CVE-2008-5658     Directory traversal vulnerability in the     ZipArchive::extractTo function allows attackers to write     arbitrary files via a ZIP file with a file whose name     contains .. (dot dot) sequences.

This update also addresses the following three vulnerabilities for both oldstable (etch) and stable (lenny) :

  - CVE-2008-5814     Cross-site scripting (XSS) vulnerability, when     display_errors is enabled, allows remote attackers to     inject arbitrary web script or HTML.

  - CVE-2009-0754     When running on Apache, PHP allows local users to modify     behavior of other sites hosted on the same web server by     modifying the mbstring.func_overload setting within     .htaccess, which causes this setting to be applied to     other virtual hosts on the same server. 

  - CVE-2009-1271     The JSON_parser function allows a denial of service     (segmentation fault) via a malformed string to the     json_decode API function.

Furthermore, two updates originally scheduled for the next point update for oldstable are included in the etch package :

  - Let PHP use the system timezone database instead of the     embedded timezone database which is out of date.
  - From the source tarball, the unused 'dbase' module has     been removed which contained licensing problems.

A number of vulnerabilities have been found and corrected in PHP :

improve mbfl_filt_conv_html_dec_flush() error handling in ext/mbstring/libmbfl/filters/mbfilter_htmlent.c (CVE-2008-5557).
Additionally on Mandriva Linux 2009.0 and up the php-mbstring module is linked against a separate shared libmbfl library that also have been patched to address CVE-2008-5557.

Directory traversal vulnerability in the ZipArchive::extractTo function in PHP 5.2.6 and earlier allows context-dependent attackers to write arbitrary files via a ZIP file with a file whose name contains .. (dot dot) sequences. (CVE-2008-5658)

make sure the page_uid and page_gid get initialized properly in ext/standard/basic_functions.c. Also, init server_context before processing config variables in sapi/apache/mod_php5.c (CVE-2008-5624).

enforce restrictions when merging in dir entry in sapi/apache/mod_php5.c and sapi/apache2handler/apache_config.c (CVE-2008-5625).

On 2008.1, 2009.0 and cooker (2009.1) seen on x86_64 and with the latest phpmyadmin 3.1.2 software made apache+php segfault (#26274, #45864). This problem has been addressed by using -O0 for compiler optimization and by using -fno-strict-aliasing. Either the bug is in php and/or in gcc 4.3.2. Preferable just make it work as expected for now.

In addition, the updated packages provide a number of bug fixes.

The updated packages have been patched to correct these issues.

It was discovered that PHP did not properly enforce php_admin_value and php_admin_flag restrictions in the Apache configuration file. A local attacker could create a specially crafted PHP script that would bypass intended security restrictions. This issue only applied to Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2007-5900)

It was discovered that PHP did not correctly handle certain malformed font files. If a PHP application were tricked into processing a specially crafted font file, an attacker may be able to cause a denial of service and possibly execute arbitrary code with application privileges. (CVE-2008-3658)

It was discovered that PHP did not properly check the delimiter argument to the explode function. If a script passed untrusted input to the explode function, an attacker could cause a denial of service and possibly execute arbitrary code with application privileges.
(CVE-2008-3659) 

It was discovered that PHP, when used as FastCGI module, did not properly sanitize requests. By performing a request with multiple dots preceding the extension, an attacker could cause a denial of service.
(CVE-2008-3660)

It was discovered that PHP did not properly handle Unicode conversion in the mbstring extension. If a PHP application were tricked into processing a specially crafted string containing an HTML entity, an attacker could execute arbitrary code with application privileges.
(CVE-2008-5557)

It was discovered that PHP did not properly initialize the page_uid and page_gid global variables for use by the SAPI php_getuid function.
An attacker could exploit this issue to bypass safe_mode restrictions.
(CVE-2008-5624)

It was dicovered that PHP did not properly enforce error_log safe_mode restrictions when set by php_admin_flag in the Apache configuration file. A local attacker could create a specially crafted PHP script that would overwrite arbitrary files. (CVE-2008-5625)

It was discovered that PHP contained a flaw in the ZipArchive::extractTo function. If a PHP application were tricked into processing a specially crafted zip file that had filenames containing '..', an attacker could write arbitrary files within the filesystem.
This issue only applied to Ubuntu 7.10, 8.04 LTS, and 8.10.
(CVE-2008-5658)

USN-557-1 fixed a vulnerability in the GD library. When using the GD library, PHP did not properly handle the return codes that were added in the security update. An attacker could exploit this issue with a specially crafted image file and cause PHP to crash, leading to a denial of service. This issue only applied to Ubuntu 6.06 LTS, and 7.10. (CVE-2007-3996).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of PHP installed on the remote host is prior to 5.2.7. It is, therefore, affected by multiple vulnerabilities :

  - There is a buffer overflow flaw in the bundled PCRE     library that allows a denial of service attack.
    (CVE-2008-2371)

  - Multiple directory traversal vulnerabilities exist in     functions such as 'posix_access', 'chdir', and 'ftok'     that allow a remote attacker to bypass 'safe_mode'     restrictions. (CVE-2008-2665 and CVE-2008-2666).

  - A buffer overflow flaw in 'php_imap.c' may be triggered     when processing long message headers due to the use of     obsolete API calls. This can be exploited to cause a     denial of service or to execute arbitrary code.
    (CVE-2008-2829)

  - A buffer overflow in the 'imageloadfont' function in     'ext/gd/gd.c' can be triggered when a specially crafted     font is given. This can be exploited to cause a denial     of service or to execute arbitrary code. (CVE-2008-3658)

  - A buffer overflow flaw exists in PHP's internal function     'memnstr' which can be exploited by an attacker using     the delimiter argument to the 'explode' function. This     can be used to cause a denial of service or to execute     arbitrary code. (CVE-2008-3659)

  - When PHP is used as a FastCGI module, an attacker by     requesting a file whose file name extension is preceded     by multiple dots can cause a denial of service.
    (CVE-2008-3660)

  - A heap-based buffer overflow flaw in the mbstring     extension can be triggered via a specially crafted     string containing an HTML entity that is not handled     during Unicode conversion. This can be exploited to     execute arbitrary code.(CVE-2008-5557)

  - Improper initialization of global variables 'page_uid'     and 'page_gid' when PHP is used as an Apache module     allows the bypassing of security restriction due to     SAPI 'php_getuid' function overloading. (CVE-2008-5624)

  - PHP does not enforce the correct restrictions when     'safe_mode' is enabled through a 'php_admin_flag'     setting in 'httpd.conf'. This allows an attacker, by     placing a specially crafted 'php_value' entry in     '.htaccess', to able to write to arbitrary files.
    (CVE-2008-5625)

  - The 'ZipArchive::extractTo' function in the ZipArchive     extension fails to filter directory traversal sequences     from file names. An attacker can exploit this to write     to arbitrary files. (CVE-2008-5658)

  - Under limited circumstances, an attacker can cause a     file truncation to occur when calling the 'dba_replace'     function with an invalid argument. (CVE-2008-7068)

  - A buffer overflow error exists in the function     'date_from_ISO8601' function within file 'xmlrpc.c'     because user-supplied input is improperly validated.
    This can be exploited by a remote attacker to cause a     denial of service or to execute arbitrary code.
    (CVE-2014-8626)

According to its banner, the version of PHP installed on the remote host is older than 5.2.7.  Such versions may be affected by several security issues : 

  - Missing initialization of 'BG(page_uid)' and  'BG(page_gid)' when PHP is used as an Apache module may allow for bypassing security restrictions due to SAPI 'php_getuid()' overloading.

  - Incorrect 'php_value' order for Apache configuration may allow bypassing PHP's 'safe_mode' setting.

  - File truncation can occur when calling 'dba_replace()' with an invalid argument.

  - The ZipArchive: extractTo() method in the ZipArchive extension fails to filter directory traversal sequences from file names.

  - There is a buffer overflow in the bundled PCRE library fixed by 7.8. (CVE-2008-2371)

  - A buffer overflow in the 'imageloadfont()' function in 'ext/gd/gd.c' can be triggered when a specially crafted font is given. (CVE-2008-3658)

  - There is a buffer overflow in PHP's internal function 'memnstr()', which is exposed to userspace as 'explode()'. (CVE-2008-3659)

  - When used as a FastCGI module, PHP segfaults when opening a file whose name contains two dots (eg, 'file..php'). (CVE-2008-3660)

  - Multiple directory traversal vulnerabilities in functions such as 'posix_access()', 'chdir()', 'ftok()' may allow a remote attacker to bypass 'safe_mode' restrictions. (CVE-2008-2665 and CVE-2008-2666).

  - A buffer overflow may be triggered when processing long message headers in 'php_imap.c' due to use of an obsolete API call. (CVE-2008-2829)

ID	Name	Product	Family	Severity
4779	PHP 5.x < 5.2.7 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
44892	GLSA-201001-03 : PHP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
44805	Debian DSA-1940-1 : php5 - multiple issues	Nessus	Debian Local Security Checks	high
41475	SuSE 10 Security Update : PHP5 (ZYPP Patch Number 5909)	Nessus	SuSE Local Security Checks	critical
40186	openSUSE Security Update : apache2-mod_php5 (apache2-mod_php5-441)	Nessus	SuSE Local Security Checks	critical
39915	openSUSE Security Update : apache2-mod_php5 (apache2-mod_php5-441)	Nessus	SuSE Local Security Checks	critical
38957	Fedora 9 : maniadrive-1.2-13.fc9 / php-5.2.9-2.fc9 (2009-3848)	Nessus	Fedora Local Security Checks	critical
38956	Fedora 10 : maniadrive-1.2-13.fc10 / php-5.2.9-2.fc10 (2009-3768)	Nessus	Fedora Local Security Checks	critical
38691	Debian DSA-1789-1 : php5 - several vulnerabilities	Nessus	Debian Local Security Checks	critical
36677	Mandriva Linux Security Advisory : php (MDVSA-2009:045)	Nessus	Mandriva Local Security Checks	critical
36665	Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : php5 vulnerabilities (USN-720-1)	Nessus	Ubuntu Local Security Checks	critical
35606	openSUSE 10 Security Update : apache2-mod_php5 (apache2-mod_php5-5934)	Nessus	SuSE Local Security Checks	critical
35043	PHP 5 < 5.2.7 Multiple Vulnerabilities	Nessus	CGI abuses	high
801088	PHP 5 < 5.2.7 Multiple Vulnerabilities	Log Correlation Engine	Web Servers	high

Detections

Analytics

CVE-2008-5658

high

Tenable Plugins

high

critical

high

critical

critical

critical

critical

critical

critical

critical

critical

critical

high

high