PHP 5 < 5.2.7 Multiple Vulnerabilities

high Log Correlation Engine Plugin ID 801088

Synopsis

The remote web server uses a version of PHP that is affected by multiple flaws.

Description

According to its banner, the version of PHP installed on the remote host is older than 5.2.7. Such versions may be affected by several security issues :

- Missing initialization of 'BG(page_uid)' and 'BG(page_gid)' when PHP is used as an Apache module may allow for bypassing security restrictions due to SAPI 'php_getuid()' overloading.

- Incorrect 'php_value' order for Apache configuration may allow bypassing PHP's 'safe_mode' setting.

- File truncation can occur when calling 'dba_replace()' with an invalid argument.

- The ZipArchive: extractTo() method in the ZipArchive extension fails to filter directory traversal sequences from file names.

- There is a buffer overflow in the bundled PCRE library fixed by 7.8. (CVE-2008-2371)

- A buffer overflow in the 'imageloadfont()' function in 'ext/gd/gd.c' can be triggered when a specially crafted font is given. (CVE-2008-3658)

- There is a buffer overflow in PHP's internal function 'memnstr()', which is exposed to userspace as 'explode()'. (CVE-2008-3659)

- When used as a FastCGI module, PHP segfaults when opening a file whose name contains two dots (eg, 'file..php'). (CVE-2008-3660)

- Multiple directory traversal vulnerabilities in functions such as 'posix_access()', 'chdir()', 'ftok()' may allow a remote attacker to bypass 'safe_mode' restrictions. (CVE-2008-2665 and CVE-2008-2666).

- A buffer overflow may be triggered when processing long message headers in 'php_imap.c' due to use of an obsolete API call. (CVE-2008-2829)

Solution

Upgrade to version 5.2.7 or higher.

See Also

securityreason.com/achievement_securityalert/57

securityreason.com/achievement_securityalert/58

securityreason.com/achievement_securityalert/59

http://.sektioneins.de/advisories/SE-2008-06.txt

archives.neohapsis.com/archives/fulldisclosure/2008-06/0238.html

archives.neohapsis.com/archives/fulldisclosure/2008-06/0239.html

http://.openwall.com/lists/oss-security/2008/08/08/2

http://.openwall.com/lists/oss-security/2008/08/13/8

archives.neohapsis.com/archives/fulldisclosure/2008-11/0433.html

archives.neohapsis.com/archives/fulldisclosure/2008-12/0089.html

bugs.php.net/bug.php?id=42862

bugs.php.net/bug.php?id=45151

bugs.php.net/bug.php?id=45722

http://.php.net/ChageLog-5.php#5.2.7

http://.php.net/releases/5_2_7.php

Plugin Details

Severity: High

ID: 801088

Family: Web Servers

Nessus ID: 35043

Reference Information

CVE: CVE-2008-2371, CVE-2008-2665, CVE-2008-2666, CVE-2008-2829, CVE-2008-3658, CVE-2008-3659, CVE-2008-3660, CVE-2008-5557, CVE-2008-5658

BID: 32948, 29796, 29797, 30087, 30649, 32625, 33498