PHP 5 < 5.2.7 Multiple Vulnerabilities

high Nessus Plugin ID 35043

Synopsis

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP installed on the remote host is prior to 5.2.7. It is, therefore, affected by multiple vulnerabilities :

- There is a buffer overflow flaw in the bundled PCRE library that allows a denial of service attack.
(CVE-2008-2371)

- Multiple directory traversal vulnerabilities exist in functions such as 'posix_access', 'chdir', and 'ftok' that allow a remote attacker to bypass 'safe_mode' restrictions. (CVE-2008-2665 and CVE-2008-2666).

- A buffer overflow flaw in 'php_imap.c' may be triggered when processing long message headers due to the use of obsolete API calls. This can be exploited to cause a denial of service or to execute arbitrary code.
(CVE-2008-2829)

- A buffer overflow in the 'imageloadfont' function in 'ext/gd/gd.c' can be triggered when a specially crafted font is given. This can be exploited to cause a denial of service or to execute arbitrary code. (CVE-2008-3658)

- A buffer overflow flaw exists in PHP's internal function 'memnstr' which can be exploited by an attacker using the delimiter argument to the 'explode' function. This can be used to cause a denial of service or to execute arbitrary code. (CVE-2008-3659)

- When PHP is used as a FastCGI module, an attacker by requesting a file whose file name extension is preceded by multiple dots can cause a denial of service.
(CVE-2008-3660)

- A heap-based buffer overflow flaw in the mbstring extension can be triggered via a specially crafted string containing an HTML entity that is not handled during Unicode conversion. This can be exploited to execute arbitrary code.(CVE-2008-5557)

- Improper initialization of global variables 'page_uid' and 'page_gid' when PHP is used as an Apache module allows the bypassing of security restriction due to SAPI 'php_getuid' function overloading. (CVE-2008-5624)

- PHP does not enforce the correct restrictions when 'safe_mode' is enabled through a 'php_admin_flag' setting in 'httpd.conf'. This allows an attacker, by placing a specially crafted 'php_value' entry in '.htaccess', to able to write to arbitrary files.
(CVE-2008-5625)

- The 'ZipArchive::extractTo' function in the ZipArchive extension fails to filter directory traversal sequences from file names. An attacker can exploit this to write to arbitrary files. (CVE-2008-5658)

- Under limited circumstances, an attacker can cause a file truncation to occur when calling the 'dba_replace' function with an invalid argument. (CVE-2008-7068)

- A buffer overflow error exists in the function 'date_from_ISO8601' function within file 'xmlrpc.c' because user-supplied input is improperly validated.
This can be exploited by a remote attacker to cause a denial of service or to execute arbitrary code.
(CVE-2014-8626)

Solution

Upgrade to PHP version 5.2.8 or later.

Note that version 5.2.7 has been removed from distribution because of a regression in that version that results in the 'magic_quotes_gpc' setting remaining off even if it was set to on.

See Also

http://cxsecurity.com/issue/WLB-2008110041

http://cxsecurity.com/issue/WLB-2008110058

http://cxsecurity.com/issue/WLB-2008120011

https://seclists.org/fulldisclosure/2008/Jun/237

https://seclists.org/fulldisclosure/2008/Jun/238

https://www.openwall.com/lists/oss-security/2008/08/08/2

https://www.openwall.com/lists/oss-security/2008/08/13/8

https://seclists.org/fulldisclosure/2008/Nov/674

https://seclists.org/fulldisclosure/2008/Dec/90

https://bugs.php.net/bug.php?id=42862

https://bugs.php.net/bug.php?id=45151

https://bugs.php.net/bug.php?id=45722

http://www.php.net/releases/5_2_7.php

http://www.php.net/ChangeLog-5.php#5.2.7

Plugin Details

Severity: High

ID: 35043

File Name: php_5_2_7.nasl

Version: 1.33

Type: remote

Family: CGI abuses

Published: 12/5/2008

Updated: 5/28/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:php:php

Required KB Items: www/PHP

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Patch Publication Date: 12/4/2008

Vulnerability Publication Date: 6/19/2008

Reference Information

CVE: CVE-2008-2371, CVE-2008-2665, CVE-2008-2666, CVE-2008-2829, CVE-2008-3658, CVE-2008-3659, CVE-2008-3660, CVE-2008-5557, CVE-2008-5624, CVE-2008-5625, CVE-2008-5658, CVE-2008-7068, CVE-2014-8626

BID: 29796, 29797, 29829, 30087, 30649, 31612, 32383, 32625, 32688, 32948, 70928

CWE: 119, 20, 22, 264