Multiple vulnerabilities have been identified in PHP, which could be exploited by malicious users to bypass security restrictions and potentially compromise a vulnerable server.
The first issue is due to a design error within the "_zval_struct" structure where the reference counter is a 16-bit length value, which could be exploited by attackers to overflow the counter via a PHP script that creates a large number of references for a specific variable, and execute arbitrary commands on the underlying operating system bypassing "disable_functions", "open_basedir", and "safe_mode" restrictions. This issue could also potentially be exploited remotely via the "unserialize()" function.
The second vulnerability is due to an error when processing deep array structures passed to recursive functions, which could be exploited by remote attackers to crash a vulnerable server via an affected application.
The third issue is due to an input validation error within the "phpinfo()" function, which could be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site.
The fourth vulnerability is due to errors the "substr_compare()" and "unserialize()" functions, which could be exploited by attackers to disclose arbitrary memory (heap) data.
The fifth vulnerability is due to an error in the PECL zip and bz2 extensions that fails to properly validate input passed to the "zip://" or "compress.bzip2://" URL wrappers, which could be exploited to bypass "safe_mode" and "open_basedir" restrictions.
The sixth issue is due to an error in the "mb_parse_str()" function when called with one parameter and is interrupted e.g. by a "memory_limit" violation, which will cause the "register_globals" directive to be activated.
The seventh flaw is due to errors in the "hash_update_file()" and GD functions that can be tricked into accessing already freed resources, which could be exploited by attackers to execute arbitrary code.
The eighth issue is due to a double free error in the "session_decode()" function, which could be exploited by attackers to execute arbitrary code via a malicious PHP script.
The ninth issue is caused by input validation errors in the "mail()" function that fails to properly filter certain strings, which could be exploited by attackers to inject arbitrary email headers (e.g. by manipulating the subject field).
The tenth vulnerability is caused by an error in the "iptcembed()" function, which could be exploited by attackers to disclose arbitrary memory contents.
The eleventh is caused by an input validation error in the ext/filter extension that does not properly validate email address via the "FILTER_VALIDATE_EMAIL" filter, which could be exploited by attackers to inject arbitrary email headers and send spam messages via an affected server.
The twelfth issue is caused by a buffer overflow error in the "sqlite_udf_decode_binary()" [encode.c] function when processing invalid strings, which could be exploited by attackers to execute arbitrary code.
Credits
Vulnerabilities reported by Stefan Esser
ChangeLog
2007-03-01 : Initial release
2007-03-23 : Updated Description
2007-03-30 : Updated Description
2007-04-07 : Updated Description
2007-05-04 : Updated Solution
Vulnerability Management
Subscribe to FrSIRT VNS and receive real-time e-mail and SMS alerts when new vulnerabilities, exploits, or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form or by email to updates@frsirt.com.
French
