The xmlrpc extension in PHP 5.3.1 does not properly handle a missing methodName element in the first argument to the xmlrpc_decode_request function, which allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) and possibly have unspecified other impact via a crafted argument.

PHP was updated to version 5.3.3 to fix serveral security issues.

(CVE-2010-0397, CVE-2010-1860, CVE-2010-1862, CVE-2010-1864, CVE-2010-1866, CVE-2010-1914, CVE-2010-1915, CVE-2010-1917, CVE-2010-2093, CVE-2010-2094, CVE-2010-2097, CVE-2010-2100, CVE-2010-2101, CVE-2010-2190, CVE-2010-2191, CVE-2010-2225, CVE-2010-2531, CVE-2010-2950, CVE-2010-3062, CVE-2010-3063, CVE-2010-3064, CVE-2010-3065)

From Red Hat Security Advisory 2010:0919 :

Updated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

An input validation flaw was discovered in the PHP session serializer.
If a PHP script generated session variable names from untrusted user input, a remote attacker could use this flaw to inject an arbitrary variable into the PHP session. (CVE-2010-3065)

An information leak flaw was discovered in the PHP var_export() function implementation. If some fatal error occurred during the execution of this function (such as the exhaustion of memory or script execution time limit), part of the function's output was sent to the user as script output, possibly leading to the disclosure of sensitive information. (CVE-2010-2531)

A numeric truncation error and an input validation flaw were found in the way the PHP utf8_decode() function decoded partial multi-byte sequences for some multi-byte encodings, sending them to output without them being escaped. An attacker could use these flaws to perform a cross-site scripting attack. (CVE-2009-5016, CVE-2010-3870)

It was discovered that the PHP lcg_value() function used insufficient entropy to seed the pseudo-random number generator. A remote attacker could possibly use this flaw to predict values returned by the function, which are used to generate session identifiers by default.
This update changes the function's implementation to use more entropy during seeding. (CVE-2010-1128)

It was discovered that the PHP fnmatch() function did not restrict the length of the pattern argument. A remote attacker could use this flaw to crash the PHP interpreter where a script used fnmatch() on untrusted matching patterns. (CVE-2010-1917)

A NULL pointer dereference flaw was discovered in the PHP XML-RPC extension. A malicious XML-RPC client or server could use this flaw to crash the PHP interpreter via a specially crafted XML-RPC request.
(CVE-2010-0397)

All php users should upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

An input validation flaw was discovered in the PHP session serializer.
If a PHP script generated session variable names from untrusted user input, a remote attacker could use this flaw to inject an arbitrary variable into the PHP session. (CVE-2010-3065)

An information leak flaw was discovered in the PHP var_export() function implementation. If some fatal error occurred during the execution of this function (such as the exhaustion of memory or script execution time limit), part of the function's output was sent to the user as script output, possibly leading to the disclosure of sensitive information. (CVE-2010-2531)

A numeric truncation error and an input validation flaw were found in the way the PHP utf8_decode() function decoded partial multi-byte sequences for some multi-byte encodings, sending them to output without them being escaped. An attacker could use these flaws to perform a cross-site scripting attack. (CVE-2009-5016, CVE-2010-3870)

It was discovered that the PHP lcg_value() function used insufficient entropy to seed the pseudo-random number generator. A remote attacker could possibly use this flaw to predict values returned by the function, which are used to generate session identifiers by default.
This update changes the function's implementation to use more entropy during seeding. (CVE-2010-1128)

It was discovered that the PHP fnmatch() function did not restrict the length of the pattern argument. A remote attacker could use this flaw to crash the PHP interpreter where a script used fnmatch() on untrusted matching patterns. (CVE-2010-1917)

A NULL pointer dereference flaw was discovered in the PHP XML-RPC extension. A malicious XML-RPC client or server could use this flaw to crash the PHP interpreter via a specially crafted XML-RPC request.
(CVE-2010-0397)

After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

PHP was updated to version 5.2.14 to fix serveral security issues :

  - CVE-2010-1860

  - CVE-2010-1862

  - CVE-2010-1864

  - CVE-2010-1914

  - CVE-2010-1915

  - CVE-2010-1917

  - CVE-2010-2093

  - CVE-2010-2094

  - CVE-2010-2097

  - CVE-2010-2100

  - CVE-2010-2101

  - CVE-2010-2190

  - CVE-2010-2191

  - CVE-2010-2225

  - CVE-2010-2484

  - CVE-2010-2531

  - CVE-2010-3062

  - CVE-2010-3063

  - CVE-2010-3064

  - CVE-2010-3065

Updated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

An input validation flaw was discovered in the PHP session serializer.
If a PHP script generated session variable names from untrusted user input, a remote attacker could use this flaw to inject an arbitrary variable into the PHP session. (CVE-2010-3065)

An information leak flaw was discovered in the PHP var_export() function implementation. If some fatal error occurred during the execution of this function (such as the exhaustion of memory or script execution time limit), part of the function's output was sent to the user as script output, possibly leading to the disclosure of sensitive information. (CVE-2010-2531)

A numeric truncation error and an input validation flaw were found in the way the PHP utf8_decode() function decoded partial multi-byte sequences for some multi-byte encodings, sending them to output without them being escaped. An attacker could use these flaws to perform a cross-site scripting attack. (CVE-2009-5016, CVE-2010-3870)

It was discovered that the PHP lcg_value() function used insufficient entropy to seed the pseudo-random number generator. A remote attacker could possibly use this flaw to predict values returned by the function, which are used to generate session identifiers by default.
This update changes the function's implementation to use more entropy during seeding. (CVE-2010-1128)

It was discovered that the PHP fnmatch() function did not restrict the length of the pattern argument. A remote attacker could use this flaw to crash the PHP interpreter where a script used fnmatch() on untrusted matching patterns. (CVE-2010-1917)

A NULL pointer dereference flaw was discovered in the PHP XML-RPC extension. A malicious XML-RPC client or server could use this flaw to crash the PHP interpreter via a specially crafted XML-RPC request.
(CVE-2010-0397)

All php users should upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

Versions of Mac OS X 10.6 earlier than 10.6.5 are potentially affected by multiple vulnerabilities.  Mac OS X 10.6.5 contains security fixes for the following products :

  - AFP Server

  - Apache mod_perl

  - Apache

  - AppKit

  - ATS

  - CFNetwork

  - CoreGraphics

  - CoreText

  - CUPS

  - Directory Services

  - diskdev_cmds

Disk Images

  - Flash Player plug-in

  - gzip

  - Image Capture

  - ImageIO

  - Image RAW

  - Kernel

  - MySQL

  - neon

  - Networking

  - OpenLDAP

  - OpenSSL

  - Password Server

  - PHP

  - Printing

  - python

  - QuickLook

  - QuickTime

  - Safari RSS

  - Time Machine

  - Wiki Server

  - X11

  - xar

The remote host is running a version of Mac OS X 10.5 that does not have Security Update 2010-007 applied. 

This security update contains fixes for the following products :

  - AFP Server
  - Apache mod_perl
  - ATS
  - CFNetwork
  - CoreGraphics
  - CoreText
  - CUPS
  - Directory Services
  - diskdev_cmds
  - Disk Images
  - Flash Player plug-in
  - gzip
  - ImageIO
  - Image RAW
  - MySQL
  - Password Server
  - PHP
  - Printing
  - python
  - QuickLook
  - Safari RSS
  - Wiki Server
  - X11

The remote host is running a version of Mac OS X 10.6.x that is prior to 10.6.5.

Mac OS X 10.6.5 contains security fixes for the following products :

  - AFP Server
  - Apache mod_perl
  - Apache
  - AppKit
  - ATS
  - CFNetwork
  - CoreGraphics
  - CoreText
  - CUPS
  - Directory Services
  - diskdev_cmds
  - Disk Images
  - Flash Player plug-in
  - gzip
  - Image Capture
  - ImageIO
  - Image RAW
  - Kernel
  - MySQL
  - neon
  - Networking
  - OpenLDAP
  - OpenSSL
  - Password Server
  - PHP
  - Printing
  - python
  - QuickLook
  - QuickTime
  - Safari RSS
  - Time Machine
  - Wiki Server
  - X11
  - xar

Auke van Slooten discovered that PHP incorrectly handled certain xmlrpc requests. An attacker could exploit this issue to cause the PHP server to crash, resulting in a denial of service. This issue only affected Ubuntu 6.06 LTS, 8.04 LTS, 9.04 and 9.10. (CVE-2010-0397)

It was discovered that the pseudorandom number generator in PHP did not provide the expected entropy. An attacker could exploit this issue to predict values that were intended to be random, such as session cookies. This issue only affected Ubuntu 6.06 LTS, 8.04 LTS, 9.04 and 9.10. (CVE-2010-1128)

It was discovered that PHP did not properly handle directory pathnames that lacked a trailing slash character. An attacker could exploit this issue to bypass safe_mode restrictions. This issue only affected Ubuntu 6.06 LTS, 8.04 LTS, 9.04 and 9.10. (CVE-2010-1129)

Grzegorz Stachowiak discovered that the PHP session extension did not properly handle semicolon characters. An attacker could exploit this issue to bypass safe_mode restrictions. This issue only affected Ubuntu 8.04 LTS, 9.04 and 9.10. (CVE-2010-1130)

Stefan Esser discovered that PHP incorrectly decoded remote HTTP chunked encoding streams. An attacker could exploit this issue to cause the PHP server to crash and possibly execute arbitrary code with application privileges. This issue only affected Ubuntu 10.04 LTS.
(CVE-2010-1866)

Mateusz Kocielski discovered that certain PHP SQLite functions incorrectly handled empty SQL queries. An attacker could exploit this issue to possibly execute arbitrary code with application privileges.
(CVE-2010-1868)

Mateusz Kocielski discovered that PHP incorrectly handled certain arguments to the fnmatch function. An attacker could exploit this flaw and cause the PHP server to consume all available stack memory, resulting in a denial of service. (CVE-2010-1917)

Stefan Esser discovered that PHP incorrectly handled certain strings in the phar extension. An attacker could exploit this flaw to possibly view sensitive information. This issue only affected Ubuntu 10.04 LTS.
(CVE-2010-2094, CVE-2010-2950)

Stefan Esser discovered that PHP incorrectly handled deserialization of SPLObjectStorage objects. A remote attacker could exploit this issue to view sensitive information and possibly execute arbitrary code with application privileges. This issue only affected Ubuntu 8.04 LTS, 9.04, 9.10 and 10.04 LTS. (CVE-2010-2225)

It was discovered that PHP incorrectly filtered error messages when limits for memory, execution time, or recursion were exceeded. A remote attacker could exploit this issue to possibly view sensitive information. (CVE-2010-2531)

Stefan Esser discovered that the PHP session serializer incorrectly handled the PS_UNDEF_MARKER marker. An attacker could exploit this issue to alter arbitrary session variables. (CVE-2010-3065).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is running a version of Mac OS X 10.6 or 10.5 that does not have Security Update 2010-005 applied. 

This security update contains fixes for the following products :

  - ATS
  - CFNetwork
  - ClamAV
  - CoreGraphics
  - libsecurity
  - PHP
  - Samba

According to its banner, the version of PHP 5.3 installed on the remote host is older than 5.3.3.  Such versions may be affected by several security issues :

  - An error exists when processing invalid XML-RPC     requests that can lead to a NULL pointer     dereference. (bug #51288) (CVE-2010-0397)

  - An error exists in the function 'shm_put_var' that     is related to resource destruction.

  - An error exists in the function 'fnmatch' that can lead     to stack exhaustion. (CVE-2010-1917)

  - A memory corruption error exists related to call-time     pass by reference and callbacks.

  - The dechunking filter is vulnerable to buffer overflow.

  - An error exists in the sqlite extension that could     allow arbitrary memory access.

  - An error exists in the 'phar' extension related to     string format validation.

  - The functions 'mysqlnd_list_fields' and     'mysqlnd_change_user' are vulnerable to buffer overflow.

  - The Mysqlnd extension is vulnerable to buffer overflow     attack when handling error packets.

  - The following functions are not properly protected     against function interruptions :

    addcslashes, chunk_split, html_entity_decode,     iconv_mime_decode, iconv_substr, iconv_mime_encode,     htmlentities, htmlspecialchars, str_getcsv,     http_build_query, strpbrk, strtr, str_pad,     str_word_count, wordwrap, strtok, setcookie,     strip_tags, trim, ltrim, rtrim, substr_replace,     parse_str, pack, unpack, uasort, preg_match, strrchr     (CVE-2010-1860, CVE-2010-1862, CVE-2010-1864,     CVE-2010-2097, CVE-2010-2100, CVE-2010-2101,     CVE-2010-2190, CVE-2010-2191, CVE-2010-2484)

  - The following opcodes are not properly protected     against function interruptions :

    ZEND_CONCAT, ZEND_ASSIGN_CONCAT, ZEND_FETCH_RW, XOR     (CVE-2010-2191)

  - The default session serializer contains an error     that can be exploited when assigning session     variables having user defined names. Arbitrary     serialized values can be injected into sessions by     including the PS_UNDEF_MARKER, '!', character in     variable names.

  - A use-after-free error exists in the function     'spl_object_storage_attach'. (CVE-2010-2225)

  - An information disclosure vulnerability exists in the     function 'var_export' when handling certain error     conditions. (CVE-2010-2531)

According to its banner, the version of PHP 5.2 installed on the remote host is older than 5.2.14.  Such versions may be affected by several security issues :

  - An error exists when processing invalid XML-RPC     requests that can lead to a NULL pointer     dereference. (bug #51288) (CVE-2010-0397)

  - An error exists in the function 'fnmatch' that can lead     to stack exhaustion.

  - An error exists in the sqlite extension that could     allow arbitrary memory access.

  - A memory corruption error exists in the function     'substr_replace'.

  - The following functions are not properly protected     against function interruptions :

    addcslashes, chunk_split, html_entity_decode,     iconv_mime_decode, iconv_substr, iconv_mime_encode,     htmlentities, htmlspecialchars, str_getcsv,     http_build_query, strpbrk, strstr, str_pad,     str_word_count, wordwrap, strtok, setcookie,     strip_tags, trim, ltrim, rtrim, parse_str, pack, unpack,     uasort, preg_match, strrchr, strchr, substr, str_repeat     (CVE-2010-1860, CVE-2010-1862, CVE-2010-1864,     CVE-2010-2097, CVE-2010-2100, CVE-2010-2101,     CVE-2010-2190, CVE-2010-2191, CVE-2010-2484)

  - The following opcodes are not properly protected     against function interruptions :

    ZEND_CONCAT, ZEND_ASSIGN_CONCAT, ZEND_FETCH_RW     (CVE-2010-2191)

  - The default session serializer contains an error     that can be exploited when assigning session     variables having user defined names. Arbitrary     serialized values can be injected into sessions by     including the PS_UNDEF_MARKER, '!', character in     variable names.

  - A use-after-free error exists in the function     'spl_object_storage_attach'. (CVE-2010-2225)

  - An information disclosure vulnerability exists in the     function 'var_export' when handling certain error     conditions. (CVE-2010-2531)

This is a maintenance and security update that upgrades php to 5.3.3 for 2010.0/2010.1.

Security Enhancements and Fixes in PHP 5.3.3 :

  - Rewrote var_export() to use smart_str rather than output     buffering, prevents data disclosure if a fatal error     occurs (CVE-2010-2531).

  - Fixed a possible resource destruction issues in     shm_put_var().

    - Fixed a possible information leak because of       interruption of XOR operator.

  - Fixed a possible memory corruption because of unexpected     call-time pass by refernce and following memory     clobbering through callbacks.

  - Fixed a possible memory corruption in     ArrayObject::uasort().

    - Fixed a possible memory corruption in parse_str().

    - Fixed a possible memory corruption in pack().

    - Fixed a possible memory corruption in       substr_replace().

    - Fixed a possible memory corruption in addcslashes().

    - Fixed a possible stack exhaustion inside fnmatch().

    - Fixed a possible dechunking filter buffer overflow.

    - Fixed a possible arbitrary memory access inside sqlite       extension.

    - Fixed string format validation inside phar extension.

    - Fixed handling of session variable serialization on       certain prefix characters.

  - Fixed a NULL pointer dereference when processing invalid     XML-RPC requests (Fixes CVE-2010-0397, bug #51288).

  - Fixed SplObjectStorage unserialization problems     (CVE-2010-2225).

    - Fixed possible buffer overflows in       mysqlnd_list_fields, mysqlnd_change_user.

  - Fixed possible buffer overflows when handling error     packets in mysqlnd.

Additionally some of the third-party extensions and required dependencies has been upgraded and/or rebuilt for the new php version.

This is a maintenance and security update that upgrades php to 5.2.14 for CS4/MES5/2008.0/2009.0/2009.1.

Security Enhancements and Fixes in PHP 5.2.14 :

  - Rewrote var_export() to use smart_str rather than output     buffering, prevents data disclosure if a fatal error     occurs (CVE-2010-2531).

  - Fixed a possible interruption array leak in     strrchr().(CVE-2010-2484)

  - Fixed a possible interruption array leak in strchr(),     strstr(), substr(), chunk_split(), strtok(),     addcslashes(), str_repeat(), trim().

  - Fixed a possible memory corruption in substr_replace().

    - Fixed SplObjectStorage unserialization problems       (CVE-2010-2225).

    - Fixed a possible stack exaustion inside fnmatch().

    - Fixed a NULL pointer dereference when processing       invalid XML-RPC requests (Fixes CVE-2010-0397, bug       #51288).

  - Fixed handling of session variable serialization on     certain prefix characters.

  - Fixed a possible arbitrary memory access inside sqlite     extension. Reported by Mateusz Kocielski.

Additionally some of the third-party extensions has been upgraded and/or rebuilt for the new php version.

Packages for 2008.0 and 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&amp;products_id=4 90

Versions of PHP prior to 5.2.14, or 5.3.x prior to 5.3.3 are affected by the following vulnerabilities :

 - An information disclosure vulnerability in 'var_export()' when a fatal error occurs.
 - A resource destruction issue in 'shm_put_var()'.
 - A possible information leak because of an interruption of XOR operator.
 - A memory corruption issue caused by an unexpected call-time pass by reference and the following memory clobbering through callbacks.
 - A memory corruption issue in 'ArrayObject::uasort()'.
 - A memory corruption issue in 'parse_str()'.
 - A memory corruption issue in 'pack()'.
 - A memory corruption issue in 'substr_replace()'.
 - A memory corruption issue in 'addcslashes()'.
 - A stack exhaustion issue in 'fnmatch()'.
 - A buffer overflow vulnerability in the dechunking filter.
 - An arbitrary memory access issue in the sqlite extension.
 - A string format validation issue in the phar extension.
 - An unspecified issue relating to the handling of session variable serialization on certain prefix characters.
 - A NULL pointer dereference issue when processing invalid XML-RPC requests.
 - An unserialization issue in 'SplObjectStorage'.
 - Buffer overflow vulnerabilities in 'mysqlnd_list_fields' and 'mysqlnd_change_user'.
 - Buffer overflows when handling error packets in mysqlnd.
 - A flaw affects 'sqlite_single_query()' and 'sqlite_array_query()' methods included in the 'ext/sqlite/sqlite.c' source file. Specifically, the 'rres' resource is not properly initialized before use which may trigger a double-free condition when an empty query is passed to the 'real_result_dtor()' function.

Incomplete XML RPC requests could crash the php interpreter (CVE-2010-0397).

PHP was updated to version 5.3.2 to fix the problem.

Incomplete XML RPC requests could crash the php interpreter (CVE-2010-0397).

PHP was updated to version 5.2.12 to fix the problem.

A vulnerability has been found and corrected in php :

The xmlrpc extension in PHP 5.3.1 does not properly handle a missing methodName element in the first argument to the xmlrpc_decode_request function, which allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) and possibly have unspecified other impact via a crafted argument (CVE-2010-0397).

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.

The updated packages have been patched to correct this issue.

Auke van Slooten discovered that PHP 5, an hypertext preprocessor, crashes (because of a NULL pointer dereference) when processing invalid XML-RPC requests.

ID	Name	Product	Family	Severity
75429	openSUSE Security Update : apache2-mod_php5 (openSUSE-SU-2010:0599-1)	Nessus	SuSE Local Security Checks	high
68150	Oracle Linux 4 / 5 : php (ELSA-2010-0919)	Nessus	Oracle Linux Local Security Checks	medium
60908	Scientific Linux Security Update : php on SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
50890	SuSE 11 / 11.1 Security Update : Apache 2 (SAT Patch Numbers 2880 / 2881)	Nessus	SuSE Local Security Checks	high
50862	CentOS 4 / 5 : php (CESA-2010:0919)	Nessus	CentOS Local Security Checks	medium
50841	RHEL 4 / 5 : php (RHSA-2010:0919)	Nessus	Red Hat Local Security Checks	medium
5705	Mac OS X 10.6 < 10.6.5 Multiple Vulnerabilities	Nessus Network Monitor	Generic	critical
50549	Mac OS X Multiple Vulnerabilities (Security Update 2010-007)	Nessus	MacOS X Local Security Checks	critical
50548	Mac OS X 10.6.x < 10.6.5 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	critical
49306	Ubuntu 6.06 LTS / 8.04 LTS / 9.04 / 9.10 / 10.04 LTS : php5 vulnerabilities (USN-989-1)	Nessus	Ubuntu Local Security Checks	high
49210	openSUSE Security Update : apache2-mod_php5 (openSUSE-SU-2010:0599-1)	Nessus	SuSE Local Security Checks	high
48424	Mac OS X Multiple Vulnerabilities (Security Update 2010-005)	Nessus	MacOS X Local Security Checks	high
48245	PHP 5.3 < 5.3.3 Multiple Vulnerabilities	Nessus	CGI abuses	high
48244	PHP 5.2 < 5.2.14 Multiple Vulnerabilities	Nessus	CGI abuses	high
48198	Mandriva Linux Security Advisory : php (MDVSA-2010:140)	Nessus	Mandriva Local Security Checks	high
48197	Mandriva Linux Security Advisory : php (MDVSA-2010:139)	Nessus	Mandriva Local Security Checks	high
5616	PHP < 5.2.14 / 5.3.x < 5.3.3 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
46356	openSUSE Security Update : apache2-mod_php5 (openSUSE-SU-2010:0255-1)	Nessus	SuSE Local Security Checks	medium
46354	openSUSE Security Update : apache2-mod_php5 (openSUSE-SU-2010:0255-2)	Nessus	SuSE Local Security Checks	medium
45370	Mandriva Linux Security Advisory : php (MDVSA-2010:068)	Nessus	Mandriva Local Security Checks	medium
45094	Debian DSA-2018-1 : php5 - DoS (crash)	Nessus	Debian Local Security Checks	medium

Detections

Analytics

CVE-2010-0397

medium

Tenable Plugins

high

medium

medium

high

medium

medium

critical

critical

critical

high

high

high

high

high

high

high

high

medium

medium

medium

medium