Multiple vulnerabilities were identified in PHP, which could be exploited by remote attackers to bypass security restrictions or conduct cross-site scripting attacks.
The first issue is due to an error in the handling of the "GLOBALS" array during file uploads and in the "extract()" and "import_request_variables()" functions, which allows the "$GLOBALS" array to be overwritten with request data. This could be exploited to conduct and facilitate attacks against third-party scripts that were assumed to be secure because they trusted the contents of "$GLOBALS".
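The following is an added example (not code from the advisory or from PHP itself) showing the general hazard behind the first issue: importing request variables into the current scope with "extract()" (or the old "import_request_variables()") lets an attacker overwrite variables the script believed it alone controlled. PHP's own fix dealt with the "$GLOBALS" array specifically; overwriting of any other existing variable is how "extract()" works by design, so the safer patterns shown here still apply. The "$request" array is a constructed stand-in for "$_GET"/"$_POST" and the field names are hypothetical.

```php
<?php
// Added example, not code from the FrSIRT advisory or from PHP itself.
// Shows why importing request variables into the current scope with
// extract() (or the old import_request_variables()) lets an attacker
// overwrite variables the script believed it alone controlled, and three
// safer patterns. $request is a constructed stand-in for $_GET/$_POST;
// the field names are hypothetical.

declare(strict_types=1);

// Constructed hostile request: alongside the expected "page" field the
// attacker adds a parameter that collides with an internal variable.
$request = [
    'page'     => 'home',
    'is_admin' => '1',
];

// Vulnerable pattern: a trusted flag is set, then the whole request is
// extracted with the default EXTR_OVERWRITE, so $is_admin becomes '1'.
function vulnerable(array $request): string
{
    $is_admin = false;
    extract($request);
    return $is_admin ? "admin view of '$page'" : "user view of '$page'";
}

// EXTR_SKIP never overwrites a variable that already exists, so the
// trusted flag survives; only genuinely new names such as $page are created.
function hardened_skip(array $request): string
{
    $is_admin = false;
    extract($request, EXTR_SKIP);
    return $is_admin ? "admin view of '$page'" : "user view of '$page'";
}

// EXTR_PREFIX_ALL keeps imported names in their own namespace ($req_page,
// $req_is_admin), so a collision with internal variables is impossible.
function hardened_prefixed(array $request): string
{
    $is_admin = false;
    extract($request, EXTR_PREFIX_ALL, 'req');
    $page = $req_page ?? 'home';
    return $is_admin ? "admin view of '$page'" : "user view of '$page'";
}

// Preferred: do not import at all; read exactly the fields you expect.
function hardened_explicit(array $request): string
{
    $is_admin = false;
    $page = (string) ($request['page'] ?? 'home');
    return $is_admin ? "admin view of '$page'" : "user view of '$page'";
}

foreach (['vulnerable', 'hardened_skip', 'hardened_prefixed', 'hardened_explicit'] as $fn) {
    printf("%-18s %s\n", $fn . ':', $fn($request));
}
```

Run from the command line with "php"; only the "vulnerable()" variant reports an admin view. The explicit form is preferred because it also gives the script a single place to validate and type-convert each field, which neither flag of "extract()" provides.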
The second flaw is due to unspecified errors in "ext/curl" and "ext/gd", which could lead to exposure of files normally not accessible due to "safe_mode" or "open_basedir" restrictions.
The third vulnerability is due to an input validation error in the "phpinfo()" function when handling specially crafted parameters, which may be exploited by attackers to cause arbitrary script code to be executed in the user's browser.
The fourth problem occurs when a request is terminated due to "memory_limit" constraints during certain "parse_str()" calls, which can result in "register_globals" being turned on even though it is disabled in the configuration.
The fifth flaw is due to an error when the "open_basedir" directive includes a trailing slash, which could allow scripts in a directory (e.g. "/user/test2/") to access files in other directories whose names are substrings of the original directory (e.g. "/user/test22/"). For additional information, see : FrSIRT/ADV-2005-1862
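The following is an added example, not PHP's own "open_basedir" implementation: a userland emulation of a base-directory check that reproduces the substring flaw described above (a trailing slash lost during path normalisation leaves a bare prefix comparison) next to a boundary-aware comparison. The function names and all paths are constructed for illustration, and nothing touches the filesystem.

```php
<?php
// Added example, not PHP's own open_basedir implementation. A userland
// emulation of a base-directory check that reproduces the substring flaw
// (a trailing slash lost during path normalisation leaves a bare prefix
// comparison) next to a boundary-aware comparison. All paths are
// constructed and nothing touches the filesystem.

declare(strict_types=1);

// Lexically resolve ".", ".." and empty segments so that a traversal such as
// "/user/test2/../test22/x" is judged on its final form. Unlike realpath()
// this does not follow symlinks, which is a separate concern.
function lexical_normalize(string $path): string
{
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out);
            continue;
        }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

// Flawed check: normalising the base directory strips the trailing slash the
// administrator relied on, and the remaining comparison is a plain prefix
// match, so "/user/test2" also admits "/user/test22/...".
function allowed_flawed(string $basedir, string $path): bool
{
    $base = rtrim($basedir, '/');
    return strncmp($path, $base, strlen($base)) === 0;
}

// Boundary-aware check: the path must be the base directory itself or must
// continue with a separator immediately after it.
function allowed_fixed(string $basedir, string $path): bool
{
    $base = rtrim($basedir, '/');
    if ($path === $base) {
        return true;
    }
    return strncmp($path, $base . '/', strlen($base) + 1) === 0;
}

$basedir = '/user/test2/';
$requests = [
    '/user/test2/index.php',             // inside the base directory
    '/user/test22/secret.txt',           // sibling whose name shares a prefix
    '/user/test2/../test22/secret.txt',  // same target reached by traversal
    '/user/test2',                       // the base directory itself
];

foreach ($requests as $p) {
    $n = lexical_normalize($p);
    printf("%-36s flawed=%-5s fixed=%s\n", $p,
        allowed_flawed($basedir, $n) ? 'true' : 'false',
        allowed_fixed($basedir, $n) ? 'true' : 'false');
}
```

The flawed check accepts all four requests, while the boundary-aware check rejects the two that end up under "/user/test22/". The same boundary rule applies to any allow-list of directory prefixes, not only to "open_basedir": compare against the prefix plus a separator, never against the bare prefix.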
The sixth issue is due to an error when calling "virtual()" on Apache 2, which could be exploited to bypass certain configuration directives (e.g. "safe_mode" and "open_basedir").
The seventh vulnerability is due to an integer overflow error in the bundled PCRE library (PCRELib) when handling specially crafted regular expressions, which could be exploited by remote attackers (able to supply regular expressions) to execute arbitrary code. For additional information, see : FrSIRT/ADV-2005-1511
The eighth issue is due to an input validation error in the "mb_send_mail()" function, which could be exploited by attackers to inject malicious headers via the "To" field.
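The following is an added example, not code from the advisory or from PHP's mbstring extension. It shows how a CR/LF inside a mail header field such as "To" turns one header into several (the injection class behind the eighth issue) and a validation step that can be applied to every header value before calling "mail()" or "mb_send_mail()", regardless of PHP version. The addresses, the hostile recipient string and the helper function names are constructed for illustration.

```php
<?php
// Added example, not code from the advisory or from PHP's mbstring
// extension. Shows how a CR/LF inside a mail header field such as "To" turns
// one header into several, and a validation step to run on every header value
// before calling mail() or mb_send_mail(). Addresses and headers are
// constructed; the helper names are hypothetical.

declare(strict_types=1);

// What a mail routine that does no validation would send: the injected CRLF
// ends the To header and whatever follows becomes additional headers.
function build_headers_unchecked(string $to, string $subject): string
{
    return "To: $to\r\nSubject: $subject\r\n";
}

// A header value must never contain a line terminator or NUL; reject rather
// than strip, so the caller learns the input was hostile.
function assert_header_value(string $value): string
{
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        throw new InvalidArgumentException('header value contains CR, LF or NUL');
    }
    return $value;
}

function build_headers_checked(string $to, string $subject): string
{
    return 'To: ' . assert_header_value($to) . "\r\n"
         . 'Subject: ' . assert_header_value($subject) . "\r\n";
}

// Split a header block into header names, the way an MTA would read it, so
// the effect of the injection is visible.
function header_names(string $raw): array
{
    $names = [];
    foreach (explode("\r\n", rtrim($raw, "\r\n")) as $line) {
        $names[] = explode(':', $line, 2)[0];
    }
    return $names;
}

// Constructed hostile recipient: a real address followed by an injected Bcc
// header carrying the attacker's distribution list.
$hostile = "victim@example.com\r\nBcc: list1@example.org, list2@example.org";

$raw = build_headers_unchecked($hostile, 'hello');
echo "unchecked headers: ", implode(', ', header_names($raw)), "\n";

try {
    build_headers_checked($hostile, 'hello');
    echo "checked: accepted\n";
} catch (InvalidArgumentException $e) {
    echo "checked: rejected (", $e->getMessage(), ")\n";
}

$clean = build_headers_checked('victim@example.com', 'hello');
echo "checked headers (clean input): ", implode(', ', header_names($clean)), "\n";
```

With the hostile recipient the unchecked builder yields three headers (To, Bcc, Subject) where the script intended two, which is exactly what a spammer relaying through a contact form relies on; the checked builder throws instead. Validating the value at the boundary is preferable to escaping it, because there is no legitimate reason for a single address or subject to span lines.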
Credits
Vulnerabilities reported by the vendor and Stefan Esser
ChangeLog
2005-10-31 : Initial release
2005-11-25 : PHP 5.1.0 released
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form or by email to updates@frsirt.com.