The PDORow implementation in PHP before 5.3.9 does not properly interact with the session feature, which allows remote attackers to cause a denial of service (application crash) via a crafted application that uses a PDO driver for a fetch and then calls the session_start function, as demonstrated by a crash of the Apache HTTP Server.

The remote host is affected by the vulnerability described in GLSA-201209-03 (PHP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in PHP. Please review the       CVE identifiers referenced below for details.
  Impact :

    A remote attacker could execute arbitrary code with the privileges of       the process, cause a Denial of Service condition, obtain sensitive       information, create arbitrary files, conduct directory traversal attacks,       bypass protection mechanisms, or perform further attacks with unspecified       impact.
  Workaround :

    There is no known workaround at this time.

Multiple vulnerabilities has been identified and fixed in php :

The PDORow implementation in PHP before 5.3.9 does not properly interact with the session feature, which allows remote attackers to cause a denial of service (application crash) via a crafted application that uses a PDO driver for a fetch and then calls the session_start function, as demonstrated by a crash of the Apache HTTP Server (CVE-2012-0788). Note: this was fixed with php-5.3.10

The php_register_variable_ex function in php_variables.c in PHP 5.3.9 allows remote attackers to execute arbitrary code via a request containing a large number of variables, related to improper handling of array variables. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4885 (CVE-2012-0830). Note: this was fixed with php-5.3.10

PHP before 5.3.10 does not properly perform a temporary change to the magic_quotes_gpc directive during the importing of environment variables, which makes it easier for remote attackers to conduct SQL injection attacks via a crafted request, related to main/php_variables.c, sapi/cgi/cgi_main.c, and sapi/fpm/fpm/fpm_main.c (CVE-2012-0831).

Insufficient validating of upload name leading to corrupted $_FILES indices (CVE-2012-1172).

The updated php packages have been upgraded to 5.3.11 which is not vulnerable to these issues.

Stack-based buffer overflow in the suhosin_encrypt_single_cookie function in the transparent cookie-encryption feature in the Suhosin extension before 0.9.33 for PHP, when suhosin.cookie.encrypt and suhosin.multiheader are enabled, might allow remote attackers to execute arbitrary code via a long string that is used in a Set-Cookie HTTP header (CVE-2012-0807). The php-suhosin packages has been upgraded to the 0.9.33 version which is not affected by this issue.

Additionally some of the PECL extensions has been upgraded to their latest respective versions which resolves various upstream bugs.

This update of php5 fixes multiple security flaws :

  - A php5 upload filename injection was fixed.
    (CVE-2011-2202)

  - A integer overflow in the EXIF extension was fixed that     could be used by attackers to crash the interpreter or     potentially read memory. (CVE-2011-4566)

  - Multiple NULL pointer dereferences were fixed that could     lead to crashes. (CVE-2011-3182)

  - An integer overflow in the PHP calendar extension was     fixed that could have led to crashes. (CVE-2011-1466)

  - A symlink vulnerability in the PEAR installer could be     exploited by local attackers to inject code.
    (CVE-2011-1072)

  - missing checks of return values could allow remote     attackers to cause a denial of service (NULL pointer     dereference). (CVE-2011-4153)

  - denial of service via hash collisions. (CVE-2011-4885)

  - specially crafted XSLT stylesheets could allow remote     attackers to create arbitrary files with arbitrary     content. (CVE-2012-0057)

  - remote attackers can cause a denial of service via     specially crafted input to an application that attempts     to perform Tidy::diagnose operations. (CVE-2012-0781)

  - applications that use a PDO driver were prone to denial     of service flaws which could be exploited remotely.
    (CVE-2012-0788)

  - memory leak in the timezone functionality could allow     remote attackers to cause a denial of service (memory     consumption). (CVE-2012-0789)

  - a stack-based buffer overflow in the php5 Suhosin     extension could allow remote attackers to execute     arbitrary code via a long string that is used in a     Set-Cookie HTTP header. (CVE-2012-0807)

  - this fixes an incorrect fix for CVE-2011-4885 which     could allow remote attackers to execute arbitrary code     via a request containing a large number of variables.
    (CVE-2012-0830)

  - temporary changes to the magic_quotes_gpc directive     during the importing of environment variables is not     properly performed which makes it easier for remote     attackers to conduct SQL injections. (CVE-2012-0831)

Also the following bugs have been fixed :

  - allow uploading files bigger than 2GB for 64bit systems     [bnc#709549]

  - amend README.SUSE to discourage using apache module with     apache2-worker [bnc#728671]

This update of php5 fixes multiple security flaws :

  - missing checks of return values could allow remote     attackers to cause a denial of service (NULL pointer     dereference). (CVE-2011-4153)

  - denial of service via hash collisions. (CVE-2011-4885)

  - specially crafted XSLT stylesheets could allow remote     attackers to create arbitrary files with arbitrary     content. (CVE-2012-0057)

  - remote attackers can cause a denial of service via     specially crafted input to an application that attempts     to perform Tidy::diagnose operations. (CVE-2012-0781)

  - applications that use a PDO driver were prone to denial     of service flaws which could be exploited remotely.
    (CVE-2012-0788)

  - memory leak in the timezone functionality could allow     remote attackers to cause a denial of service (memory     consumption). (CVE-2012-0789)

  - a stack-based buffer overflow in php5's Suhosin     extension could allow remote attackers to execute     arbitrary code via a long string that is used in a     Set-Cookie HTTP header. (CVE-2012-0807)

  - this fixes an incorrect fix for CVE-2011-4885 which     could allow remote attackers to execute arbitrary code     via a request containing a large number of variables.
    (CVE-2012-0830)

  - temporary changes to the magic_quotes_gpc directive     during the importing of environment variables is not     properly performed which makes it easier for remote     attackers to conduct SQL injections. (CVE-2012-0831)

USN 1358-1 fixed multiple vulnerabilities in PHP. The fix for CVE-2012-0831 introduced a regression where the state of the magic_quotes_gpc setting was not correctly reflected when calling the ini_get() function.

We apologize for the inconvenience.

It was discovered that PHP computed hash values for form parameters without restricting the ability to trigger hash collisions predictably. This could allow a remote attacker to cause a denial of service by sending many crafted parameters. (CVE-2011-4885)

ATTENTION: this update changes previous PHP behavior by limiting the number of external input variables to 1000.
This may be increased by adding a 'max_input_vars' directive to the php.ini configuration file. See http://www.php.net/manual/en/info.configuration.php#ini.max- input-vars for more information.

Stefan Esser discovered that the fix to address the predictable hash collision issue, CVE-2011-4885, did not properly handle the situation where the limit was reached.
This could allow a remote attacker to cause a denial of service or execute arbitrary code via a request containing a large number of variables. (CVE-2012-0830)

It was discovered that PHP did not always check the return value of the zend_strndup function. This could allow a remote attacker to cause a denial of service.
(CVE-2011-4153)

It was discovered that PHP did not properly enforce libxslt security settings. This could allow a remote attacker to create arbitrary files via a crafted XSLT stylesheet that uses the libxslt output extension. (CVE-2012-0057)

It was discovered that PHP did not properly enforce that PDORow objects could not be serialized and not be saved in a session. A remote attacker could use this to cause a denial of service via an application crash. (CVE-2012-0788)

It was discovered that PHP allowed the magic_quotes_gpc setting to be disabled remotely. This could allow a remote attacker to bypass restrictions that could prevent a SQL injection. (CVE-2012-0831)

USN 1126-1 addressed an issue where the /etc/cron.d/php5 cron job for PHP allowed local users to delete arbitrary files via a symlink attack on a directory under /var/lib/php5/. Emese Revfy discovered that the fix had not been applied to PHP for Ubuntu 10.04 LTS. This update corrects the issue. We apologize for the error.
(CVE-2011-0441).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in PHP, the web scripting language. The Common Vulnerabilities and Exposures project identifies the following issues :

  - CVE-2011-1072     It was discovered that insecure handling of temporary     files in the PEAR installer could lead to denial of     service.

  - CVE-2011-4153     Maksymilian Arciemowicz discovered that a NULL pointer     dereference in the zend_strndup() function could lead to     denial of service.

  - CVE-2012-0781     Maksymilian Arciemowicz discovered that a NULL pointer     dereference in the tidy_diagnose() function could lead     to denial of service.

  - CVE-2012-0788     It was discovered that missing checks in the handling of     PDORow objects could lead to denial of service.

  - CVE-2012-0831     It was discovered that the magic_quotes_gpc setting     could be disabled remotely.

This update also addresses PHP bugs, which are not treated as security issues in Debian (see README.Debian.security), but which were fixed nonetheless: CVE-2010-4697, CVE-2011-1092, CVE-2011-1148, CVE-2011-1464, CVE-2011-1467 CVE-2011-1468, CVE-2011-1469, CVE-2011-1470, CVE-2011-1657, CVE-2011-3182 CVE-2011-3267

It was discovered that PHP computed hash values for form parameters without restricting the ability to trigger hash collisions predictably. This could allow a remote attacker to cause a denial of service by sending many crafted parameters. (CVE-2011-4885)

ATTENTION: this update changes previous PHP behavior by limiting the number of external input variables to 1000. This may be increased by adding a 'max_input_vars' directive to the php.ini configuration file.
See http://www.php.net/manual/en/info.configuration.php#ini.max-input-vars for more information.

Stefan Esser discovered that the fix to address the predictable hash collision issue, CVE-2011-4885, did not properly handle the situation where the limit was reached. This could allow a remote attacker to cause a denial of service or execute arbitrary code via a request containing a large number of variables. (CVE-2012-0830)

It was discovered that PHP did not always check the return value of the zend_strndup function. This could allow a remote attacker to cause a denial of service. (CVE-2011-4153)

It was discovered that PHP did not properly enforce libxslt security settings. This could allow a remote attacker to create arbitrary files via a crafted XSLT stylesheet that uses the libxslt output extension.
(CVE-2012-0057)

It was discovered that PHP did not properly enforce that PDORow objects could not be serialized and not be saved in a session. A remote attacker could use this to cause a denial of service via an application crash. (CVE-2012-0788)

It was discovered that PHP allowed the magic_quotes_gpc setting to be disabled remotely. This could allow a remote attacker to bypass restrictions that could prevent a SQL injection. (CVE-2012-0831)

USN 1126-1 addressed an issue where the /etc/cron.d/php5 cron job for PHP allowed local users to delete arbitrary files via a symlink attack on a directory under /var/lib/php5/. Emese Revfy discovered that the fix had not been applied to PHP for Ubuntu 10.04 LTS. This update corrects the issue. We apologize for the error. (CVE-2011-0441).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Versions of PHP earlier than 5.3.9 are potentially affected by multiple vulnerabilities :

  - It is possible to create a denial of service condition by sending multiple, specially crafted requests containing parameter values that cause hash collisions when computing the hash values for storage in a hash table. (CVE-2011-4885)

  - An integer overflow exists in the exif_process_IFD_TAG function in exif.c that can allow a remote attacker to read arbitrary memory locations or cause a denial of service condition.  This vulnerability only affects PHP 5.4.0beta2 on 32-bit platforms. (CVE-2011-4566)

  - Calls to libxslt are not restricted via xsltSetSecurityPrefs(), which could allow an attacker to create or overwrite file, resulting in arbitrary code execution. (CVE-2012-0057)

  - An error exists in the function 'tidy_diagnose' that can allow an attacker to cause the application to dereference a null pointer.  This causes the application to crash. (CVE-2012-0781)

  - The 'PDORow' implementation contains an error that can cause application crashes when interacting with the session feature. C(VE-2012-0788)

  - An error exists in the timezone handling such that repeated calls to the function 'strtotime' can allow a denial of service attack via memory consuption. (CVE-2012-0789)

Versions of PHP earlier than 5.3.9 are potentially affected by multiple vulnerabilities :

 - It is possible to create a denial of service condition by sending multiple, specially crafted requests containing parameter values that cause hash collisions when computing the hash values for storage in a hash table. (CVE-2011-4885)
 - An integer overflow exists in the exif_process_IFD_TAG function in exif.c that can allow a remote attacker to read arbitrary memory locations or cause a denial of service condition.  This vulnerability only affects PHP 5.4.0beta2 on 32-bit platforms. (CVE-2011-4566)
 - Calls to libxslt are not restricted via xsltSetSecurityPrefs(), which could allow an attacker to create or overwrite file, resulting in arbitrary code execution. (CVE-2012-0057)
 - An error exists in the function 'tidy_diagnose' that can allow an attacker to cause the application to dereference a null pointer.  This causes the application to crash. (CVE-2012-0781)
 - The 'PDORow' implementation contains an error that can cause application crashes when interacting with the session feature. C(VE-2012-0788)
 - An error exists in the timezone handling such that repeated calls to the function 'strtotime' can allow a denial of service attack via memory consuption. (CVE-2012-0789)

According to its banner, the version of PHP installed on the remote host is older than 5.3.9.  As such, it may be affected by the following security issues :

  - The 'is_a()' function in PHP 5.3.7 and 5.3.8 triggers a     call to '__autoload()'. (CVE-2011-3379)

  - It is possible to create a denial of service condition     by sending multiple, specially crafted requests     containing parameter values that cause hash collisions     when computing the hash values for storage in a hash     table.  (CVE-2011-4885)    
  - An integer overflow exists in the exif_process_IFD_TAG     function in exif.c that can allow a remote attacker to     read arbitrary memory locations or cause a denial of     service condition.  This vulnerability only affects PHP     5.4.0beta2 on 32-bit platforms. (CVE-2011-4566)

  - Calls to libxslt are not restricted via     xsltSetSecurityPrefs(), which could allow an attacker     to create or overwrite files, resulting in arbitrary     code execution. (CVE-2012-0057)

  - An error exists in the function 'tidy_diagnose' that     can allow an attacker to cause the application to     dereference a NULL pointer. This causes the application     to crash. (CVE-2012-0781)

  - The 'PDORow' implementation contains an error that can     cause application crashes when interacting with the     session feature. (CVE-2012-0788)

  - An error exists in the timezone handling such that     repeated calls to the function 'strtotime' can allow     a denial of service attack via memory consumption.
    (CVE-2012-0789)

ID	Name	Product	Family	Severity
74580	openSUSE Security Update : php5 (openSUSE-SU-2012:0426-1)	Nessus	SuSE Local Security Checks	high
62236	GLSA-201209-03 : PHP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
58890	Mandriva Linux Security Advisory : php (MDVSA-2012:065)	Nessus	Mandriva Local Security Checks	high
58740	SuSE 11.1 Security Update : PHP5 (SAT Patch Number 5964)	Nessus	SuSE Local Security Checks	high
58480	SuSE 10 Security Update : PHP5 (ZYPP Patch Number 8009)	Nessus	SuSE Local Security Checks	high
57932	Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : php5 regression (USN-1358-2)	Nessus	Ubuntu Local Security Checks	high
57925	Debian DSA-2408-1 : php5 - several vulnerabilities	Nessus	Debian Local Security Checks	high
57888	Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : php5 vulnerabilities (USN-1358-1)	Nessus	Ubuntu Local Security Checks	high
801116	PHP < 5.3.9 Multiple Vulnerabilities	Log Correlation Engine	Web Servers	high
6263	PHP < 5.3.9 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
57537	PHP < 5.3.9 Multiple Vulnerabilities	Nessus	CGI abuses	high

Detections

Analytics

CVE-2012-0788

high

Tenable Plugins

high

critical

high

high

high

high

high

high

high

high

high