PHP Heap Overflows and Other Bugs Let Users Execute Arbitrary Code or Cause Denial of Service Conditions
SecurityTracker Alert ID: 1016984
SecurityTracker URL: http://securitytracker.com/id?1016984
CVE Reference: CVE-2006-4020, CVE-2006-4482, CVE-2006-4483, CVE-2006-4484, CVE-2006-4485, CVE-2006-4486, CVE-2006-4812
Date: Oct 5 2006
Impact: Denial of service via local system, Denial of service via network, Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 5.x prior to 5.1.5
Description: Several vulnerabilities were reported in PHP. A user may be able to execute arbitrary code on the target system. A user may be able to cause denial of service conditions.
In August 2006, the vendor reported several flaws in PHP that may allow a local or remote user to execute arbitrary code on the target system.
A buffer overflow exists in the PHP sscanf() function [CVE-2006-4020]. A script can supply specially crafted arguments to the sscanf() function to execute arbitrary code.
An integer overflow exists in the PHP wordwrap() and str_repeat() functions [CVE-2006-4482]. A script running on a 64-bit server can supply specially crafted data to either function to trigger a heap overflow and execute arbitrary code.
The 'ext/curl/interface.c' and 'ext/curl/streams.c' cURL extension files allow scripts to bypass certain safe_mode or open_basedir access restrictions [CVE-2006-4483]. This can be exploited via the CURLOPT_FOLLOWLOCATION option.
A buffer overflow exists in the PHP gd extension [CVE-2006-4484]. A user can supply a specially crafted GIF image to trigger a heap overflow and execute arbitrary code.
A buffer overread exists in the PHP stripos() function [CVE-2006-4485]. A script can supply specially crafted data to the stripos() function to cause PHP to read past the end of a buffer, which may cause denial of service conditions.
An integer overflow exists in the PHP memory allocation handling on 64-bit systems [CVE-2006-4486]. A script may be able to exceed the 'memory_limit' and cause denial of service conditions.
An integer overflow exists in the PHP memory handling routines [CVE-2006-4812]. A script may be able to execute arbitrary code.
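
The integer overflows above ([CVE-2006-4482], [CVE-2006-4486], [CVE-2006-4812]) belong to a bug class in which a length computation wraps before memory is allocated. The following C sketch is an example added here, not PHP source code: it assumes one common form of the flaw (a 64-bit product narrowed to 32 bits) and shows the overflow-checked alternative; all function names and sample values are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flawed pattern (constructed): operands are 64-bit but the length is kept
 * in 32 bits, so the product silently wraps modulo 2^32. */
static uint32_t repeat_len_narrow(uint64_t input_len, uint64_t mult)
{
    return (uint32_t)(input_len * mult);
}

/* Hardened pattern: refuse any length (product plus NUL) that would overflow
 * size_t or exceed the caller's cap. Returns 0 on success, -1 on rejection. */
static int repeat_len_checked(size_t input_len, size_t mult, size_t cap,
                              size_t *out)
{
    if (input_len != 0 && mult > (SIZE_MAX - 1) / input_len)
        return -1;                      /* multiplication would overflow */
    size_t need = input_len * mult + 1; /* cannot wrap after the check */
    if (need > cap)
        return -1;
    *out = need;
    return 0;
}

/* Repeat s mult times into a fresh heap buffer, or return NULL. */
static char *repeat_checked(const char *s, size_t mult, size_t cap)
{
    size_t len = strlen(s), need;
    if (repeat_len_checked(len, mult, cap, &need) != 0)
        return NULL;
    char *buf = malloc(need);
    if (buf == NULL)
        return NULL;
    for (size_t i = 0; i < mult; i++)
        memcpy(buf + i * len, s, len);
    buf[need - 1] = '\0';
    return buf;
}

int main(void)
{
    /* Constructed values: 16 * 0x10000001 needs 33 bits. */
    printf("narrow length: %u\n", (unsigned)repeat_len_narrow(16, 0x10000001u));
    char *r = repeat_checked("ab", 3, 64);
    printf("checked: %s\n", r ? r : "(rejected)");
    free(r);
    return 0;
}
```

With the narrowed computation a request for more than 4 GiB of output yields a length of 16, which is how an undersized heap buffer arises; the checked version rejects the same request before allocating.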
Impact: A user can execute arbitrary code on the target system.
A user can cause denial of service conditions on the target system.
Solution: The vendor issued a fixed version (5.1.5) in August 2006, available at:
http://us2.php.net/downloads.php
Vendor URL: php.net/releases/5_1_5.php
Cause: Access control error, Boundary error, State error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)