The tidy_diagnose function in PHP 5.3.8 might allow remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted input to an application that attempts to perform Tidy::diagnose operations on invalid objects, a different vulnerability than CVE-2011-4153.

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2012-1046 advisory.

    - add security fix for CVE-2010-2950
    - fix tests for CVE-2012-2143, CVE-2012-0789
    - add fix for CVE-2012-2336
    - add security fixes for CVE-2012-0781, CVE-2011-4153, CVE-2012-0057,       CVE-2012-0789, CVE-2012-1172, CVE-2012-2143, CVE-2012-2386
    - correct detection of = in CVE-2012-1823 fix (#818607)
    - add security fix for CVE-2012-1823 (#818607)
    - add security fix for CVE-2012-0830 (#786744)
    - improve CVE-2011-1466 fix to cover CAL_GREGORIAN, CAL_JEWISH
    - add security fixes for CVE-2011-2483, CVE-2011-0708, CVE-2011-1148,       CVE-2011-1466, CVE-2011-1468, CVE-2011-1469, CVE-2011-1470,       CVE-2011-1471, CVE-2011-1938, and CVE-2011-2202 (#740732)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

It was discovered that the PHP XSL extension did not restrict the file writing capability of libxslt. A remote attacker could use this flaw to create or overwrite an arbitrary file that is writable by the user running PHP, if a PHP script processed untrusted eXtensible Style Sheet Language Transformations (XSLT) content. (CVE-2012-0057)

Note: This update disables file writing by default. A new PHP configuration directive, 'xsl.security_prefs', can be used to enable file writing in XSLT.

A flaw was found in the way PHP validated file names in file upload requests. A remote attacker could possibly use this flaw to bypass the sanitization of the uploaded file names, and cause a PHP script to store the uploaded file in an unexpected directory, by using a directory traversal attack. (CVE-2012-1172)

Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way the PHP phar extension processed certain fields of tar archive files. A remote attacker could provide a specially crafted tar archive file that, when processed by a PHP application using the phar extension, could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running PHP. (CVE-2012-2386)

A format string flaw was found in the way the PHP phar extension processed certain PHAR files. A remote attacker could provide a specially crafted PHAR file, which once processed in a PHP application using the phar extension, could lead to information disclosure and possibly arbitrary code execution via a crafted phar:// URI.
(CVE-2010-2950)

A flaw was found in the DES algorithm implementation in the crypt() password hashing function in PHP. If the password string to be hashed contained certain characters, the remainder of the string was ignored when calculating the hash, significantly reducing the password strength. (CVE-2012-2143)

Note: With this update, passwords are no longer truncated when performing DES hashing. Therefore, new hashes of the affected passwords will not match stored hashes generated using vulnerable PHP versions, and will need to be updated.

It was discovered that the fix for CVE-2012-1823, released via a previous update, did not properly filter all php-cgi command line arguments. A specially crafted request to a PHP script could cause the PHP interpreter to execute the script in a loop, or output usage information that triggers an Internal Server Error. (CVE-2012-2336)

A memory leak flaw was found in the PHP strtotime() function call. A remote attacker could possibly use this flaw to cause excessive memory consumption by triggering many strtotime() function calls.
(CVE-2012-0789)

A NULL pointer dereference flaw was found in the PHP tidy_diagnose() function. A remote attacker could use specially crafted input to crash an application that uses tidy::diagnose. (CVE-2012-0781)

It was found that PHP did not check the zend_strndup() function's return value in certain cases. A remote attacker could possibly use this flaw to crash a PHP application. (CVE-2011-4153)

All php users should upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

Updated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

It was discovered that the PHP XSL extension did not restrict the file writing capability of libxslt. A remote attacker could use this flaw to create or overwrite an arbitrary file that is writable by the user running PHP, if a PHP script processed untrusted eXtensible Style Sheet Language Transformations (XSLT) content. (CVE-2012-0057)

Note: This update disables file writing by default. A new PHP configuration directive, 'xsl.security_prefs', can be used to enable file writing in XSLT.

A flaw was found in the way PHP validated file names in file upload requests. A remote attacker could possibly use this flaw to bypass the sanitization of the uploaded file names, and cause a PHP script to store the uploaded file in an unexpected directory, by using a directory traversal attack. (CVE-2012-1172)

Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way the PHP phar extension processed certain fields of tar archive files. A remote attacker could provide a specially crafted tar archive file that, when processed by a PHP application using the phar extension, could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running PHP. (CVE-2012-2386)

A format string flaw was found in the way the PHP phar extension processed certain PHAR files. A remote attacker could provide a specially crafted PHAR file, which once processed in a PHP application using the phar extension, could lead to information disclosure and possibly arbitrary code execution via a crafted phar:// URI.
(CVE-2010-2950)

A flaw was found in the DES algorithm implementation in the crypt() password hashing function in PHP. If the password string to be hashed contained certain characters, the remainder of the string was ignored when calculating the hash, significantly reducing the password strength. (CVE-2012-2143)

Note: With this update, passwords are no longer truncated when performing DES hashing. Therefore, new hashes of the affected passwords will not match stored hashes generated using vulnerable PHP versions, and will need to be updated.

It was discovered that the fix for CVE-2012-1823, released via RHSA-2012:0546, did not properly filter all php-cgi command line arguments. A specially crafted request to a PHP script could cause the PHP interpreter to execute the script in a loop, or output usage information that triggers an Internal Server Error. (CVE-2012-2336)

A memory leak flaw was found in the PHP strtotime() function call. A remote attacker could possibly use this flaw to cause excessive memory consumption by triggering many strtotime() function calls.
(CVE-2012-0789)

A NULL pointer dereference flaw was found in the PHP tidy_diagnose() function. A remote attacker could use specially crafted input to crash an application that uses tidy::diagnose. (CVE-2012-0781)

It was found that PHP did not check the zend_strndup() function's return value in certain cases. A remote attacker could possibly use this flaw to crash a PHP application. (CVE-2011-4153)

Upstream acknowledges Rubin Xu and Joseph Bonneau as the original reporters of CVE-2012-2143.

All php users should upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2012:1046 advisory.

  - php: Format string flaw in phar extension via phar_stream_flush() (MOPS-2010-024) (CVE-2010-2950)

  - php: zend_strndup() NULL pointer dereference may cause DoS (CVE-2011-4153)

  - php: XSLT file writing vulnerability (CVE-2012-0057)

  - php: tidy_diagnose() NULL pointer dereference may cause DoS (CVE-2012-0781)

  - php: strtotime timezone memory leak (CVE-2012-0789)

  - php: $_FILES array indexes corruption (CVE-2012-1172)

  - BSD crypt(): DES encrypted password weakness (CVE-2012-2143)

  - php: incomplete CVE-2012-1823 fix - missing filtering of -T and -h (CVE-2012-2336)

  - php: Integer overflow leading to heap-buffer overflow in the Phar extension (CVE-2012-2386)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It was discovered that PHP incorrectly handled certain Tidy::diagnose operations on invalid objects. A remote attacker could use this flaw to cause PHP to crash, leading to a denial of service. (CVE-2012-0781)

It was discovered that PHP incorrectly handled certain multi-file upload filenames. A remote attacker could use this flaw to cause a denial of service, or to perform a directory traversal attack.
(CVE-2012-1172)

Rubin Xu and Joseph Bonneau discovered that PHP incorrectly handled certain Unicode characters in passwords passed to the crypt() function. A remote attacker could possibly use this flaw to bypass authentication. (CVE-2012-2143)

It was discovered that a Debian/Ubuntu specific patch caused PHP to incorrectly handle empty salt strings. A remote attacker could possibly use this flaw to bypass authentication. This issue only affected Ubuntu 10.04 LTS and Ubuntu 11.04. (CVE-2012-2317)

It was discovered that PHP, when used as a stand alone CGI processor for the Apache Web Server, did not properly parse and filter query strings. This could allow a remote attacker to execute arbitrary code running with the privilege of the web server, or to perform a denial of service. Configurations using mod_php5 and FastCGI were not vulnerable. (CVE-2012-2335, CVE-2012-2336)

Alexander Gavrun discovered that the PHP Phar extension incorrectly handled certain malformed TAR files. A remote attacker could use this flaw to perform a denial of service, or possibly execute arbitrary code. (CVE-2012-2386).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update of php5 fixes multiple security flaws :

  - A php5 upload filename injection was fixed.
    (CVE-2011-2202)

  - A integer overflow in the EXIF extension was fixed that     could be used by attackers to crash the interpreter or     potentially read memory. (CVE-2011-4566)

  - Multiple NULL pointer dereferences were fixed that could     lead to crashes. (CVE-2011-3182)

  - An integer overflow in the PHP calendar extension was     fixed that could have led to crashes. (CVE-2011-1466)

  - A symlink vulnerability in the PEAR installer could be     exploited by local attackers to inject code.
    (CVE-2011-1072)

  - missing checks of return values could allow remote     attackers to cause a denial of service (NULL pointer     dereference). (CVE-2011-4153)

  - denial of service via hash collisions. (CVE-2011-4885)

  - specially crafted XSLT stylesheets could allow remote     attackers to create arbitrary files with arbitrary     content. (CVE-2012-0057)

  - remote attackers can cause a denial of service via     specially crafted input to an application that attempts     to perform Tidy::diagnose operations. (CVE-2012-0781)

  - applications that use a PDO driver were prone to denial     of service flaws which could be exploited remotely.
    (CVE-2012-0788)

  - memory leak in the timezone functionality could allow     remote attackers to cause a denial of service (memory     consumption). (CVE-2012-0789)

  - a stack-based buffer overflow in the php5 Suhosin     extension could allow remote attackers to execute     arbitrary code via a long string that is used in a     Set-Cookie HTTP header. (CVE-2012-0807)

  - this fixes an incorrect fix for CVE-2011-4885 which     could allow remote attackers to execute arbitrary code     via a request containing a large number of variables.
    (CVE-2012-0830)

  - temporary changes to the magic_quotes_gpc directive     during the importing of environment variables is not     properly performed which makes it easier for remote     attackers to conduct SQL injections. (CVE-2012-0831)

Also the following bugs have been fixed :

  - allow uploading files bigger than 2GB for 64bit systems     [bnc#709549]

  - amend README.SUSE to discourage using apache module with     apache2-worker [bnc#728671]

This update of php5 fixes multiple security flaws :

  - missing checks of return values could allow remote     attackers to cause a denial of service (NULL pointer     dereference). (CVE-2011-4153)

  - denial of service via hash collisions. (CVE-2011-4885)

  - specially crafted XSLT stylesheets could allow remote     attackers to create arbitrary files with arbitrary     content. (CVE-2012-0057)

  - remote attackers can cause a denial of service via     specially crafted input to an application that attempts     to perform Tidy::diagnose operations. (CVE-2012-0781)

  - applications that use a PDO driver were prone to denial     of service flaws which could be exploited remotely.
    (CVE-2012-0788)

  - memory leak in the timezone functionality could allow     remote attackers to cause a denial of service (memory     consumption). (CVE-2012-0789)

  - a stack-based buffer overflow in php5's Suhosin     extension could allow remote attackers to execute     arbitrary code via a long string that is used in a     Set-Cookie HTTP header. (CVE-2012-0807)

  - this fixes an incorrect fix for CVE-2011-4885 which     could allow remote attackers to execute arbitrary code     via a request containing a large number of variables.
    (CVE-2012-0830)

  - temporary changes to the magic_quotes_gpc directive     during the importing of environment variables is not     properly performed which makes it easier for remote     attackers to conduct SQL injections. (CVE-2012-0831)

Several vulnerabilities have been discovered in PHP, the web scripting language. The Common Vulnerabilities and Exposures project identifies the following issues :

  - CVE-2011-1072     It was discovered that insecure handling of temporary     files in the PEAR installer could lead to denial of     service.

  - CVE-2011-4153     Maksymilian Arciemowicz discovered that a NULL pointer     dereference in the zend_strndup() function could lead to     denial of service.

  - CVE-2012-0781     Maksymilian Arciemowicz discovered that a NULL pointer     dereference in the tidy_diagnose() function could lead     to denial of service.

  - CVE-2012-0788     It was discovered that missing checks in the handling of     PDORow objects could lead to denial of service.

  - CVE-2012-0831     It was discovered that the magic_quotes_gpc setting     could be disabled remotely.

This update also addresses PHP bugs, which are not treated as security issues in Debian (see README.Debian.security), but which were fixed nonetheless: CVE-2010-4697, CVE-2011-1092, CVE-2011-1148, CVE-2011-1464, CVE-2011-1467 CVE-2011-1468, CVE-2011-1469, CVE-2011-1470, CVE-2011-1657, CVE-2011-3182 CVE-2011-3267

Versions of PHP earlier than 5.3.9 are potentially affected by multiple vulnerabilities :

  - It is possible to create a denial of service condition by sending multiple, specially crafted requests containing parameter values that cause hash collisions when computing the hash values for storage in a hash table. (CVE-2011-4885)

  - An integer overflow exists in the exif_process_IFD_TAG function in exif.c that can allow a remote attacker to read arbitrary memory locations or cause a denial of service condition.  This vulnerability only affects PHP 5.4.0beta2 on 32-bit platforms. (CVE-2011-4566)

  - Calls to libxslt are not restricted via xsltSetSecurityPrefs(), which could allow an attacker to create or overwrite file, resulting in arbitrary code execution. (CVE-2012-0057)

  - An error exists in the function 'tidy_diagnose' that can allow an attacker to cause the application to dereference a null pointer.  This causes the application to crash. (CVE-2012-0781)

  - The 'PDORow' implementation contains an error that can cause application crashes when interacting with the session feature. C(VE-2012-0788)

  - An error exists in the timezone handling such that repeated calls to the function 'strtotime' can allow a denial of service attack via memory consuption. (CVE-2012-0789)

Versions of PHP earlier than 5.3.9 are potentially affected by multiple vulnerabilities :

 - It is possible to create a denial of service condition by sending multiple, specially crafted requests containing parameter values that cause hash collisions when computing the hash values for storage in a hash table. (CVE-2011-4885)
 - An integer overflow exists in the exif_process_IFD_TAG function in exif.c that can allow a remote attacker to read arbitrary memory locations or cause a denial of service condition.  This vulnerability only affects PHP 5.4.0beta2 on 32-bit platforms. (CVE-2011-4566)
 - Calls to libxslt are not restricted via xsltSetSecurityPrefs(), which could allow an attacker to create or overwrite file, resulting in arbitrary code execution. (CVE-2012-0057)
 - An error exists in the function 'tidy_diagnose' that can allow an attacker to cause the application to dereference a null pointer.  This causes the application to crash. (CVE-2012-0781)
 - The 'PDORow' implementation contains an error that can cause application crashes when interacting with the session feature. C(VE-2012-0788)
 - An error exists in the timezone handling such that repeated calls to the function 'strtotime' can allow a denial of service attack via memory consuption. (CVE-2012-0789)

According to its banner, the version of PHP installed on the remote host is older than 5.3.9.  As such, it may be affected by the following security issues :

  - The 'is_a()' function in PHP 5.3.7 and 5.3.8 triggers a     call to '__autoload()'. (CVE-2011-3379)

  - It is possible to create a denial of service condition     by sending multiple, specially crafted requests     containing parameter values that cause hash collisions     when computing the hash values for storage in a hash     table.  (CVE-2011-4885)    
  - An integer overflow exists in the exif_process_IFD_TAG     function in exif.c that can allow a remote attacker to     read arbitrary memory locations or cause a denial of     service condition.  This vulnerability only affects PHP     5.4.0beta2 on 32-bit platforms. (CVE-2011-4566)

  - Calls to libxslt are not restricted via     xsltSetSecurityPrefs(), which could allow an attacker     to create or overwrite files, resulting in arbitrary     code execution. (CVE-2012-0057)

  - An error exists in the function 'tidy_diagnose' that     can allow an attacker to cause the application to     dereference a NULL pointer. This causes the application     to crash. (CVE-2012-0781)

  - The 'PDORow' implementation contains an error that can     cause application crashes when interacting with the     session feature. (CVE-2012-0788)

  - An error exists in the timezone handling such that     repeated calls to the function 'strtotime' can allow     a denial of service attack via memory consumption.
    (CVE-2012-0789)

ID	Name	Product	Family	Severity
74580	openSUSE Security Update : php5 (openSUSE-SU-2012:0426-1)	Nessus	SuSE Local Security Checks	high
68570	Oracle Linux 6 : php (ELSA-2012-1046)	Nessus	Oracle Linux Local Security Checks	critical
61358	Scientific Linux Security Update : php on SL6.x i386/x86_64 (20120627)	Nessus	Scientific Linux Local Security Checks	high
59938	CentOS 6 : php (CESA-2012:1046)	Nessus	CentOS Local Security Checks	high
59752	RHEL 6 : php (RHSA-2012:1046)	Nessus	Red Hat Local Security Checks	critical
59603	Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : php5 vulnerabilities (USN-1481-1)	Nessus	Ubuntu Local Security Checks	high
58740	SuSE 11.1 Security Update : PHP5 (SAT Patch Number 5964)	Nessus	SuSE Local Security Checks	high
58480	SuSE 10 Security Update : PHP5 (ZYPP Patch Number 8009)	Nessus	SuSE Local Security Checks	high
57925	Debian DSA-2408-1 : php5 - several vulnerabilities	Nessus	Debian Local Security Checks	high
801116	PHP < 5.3.9 Multiple Vulnerabilities	Log Correlation Engine	Web Servers	high
6263	PHP < 5.3.9 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
57537	PHP < 5.3.9 Multiple Vulnerabilities	Nessus	CGI abuses	high

Detections

Analytics

CVE-2012-0781

high

Tenable Plugins

high

critical

high

high

critical

high

high

high

high

high

high

high