FrSIRT - PHP "array_user_key_compare()" and "isc_attach_database()" Local Vulnerabilities / Exploit (Security Advisories)

French Security Incident Response Team

French

English

PHP "array_user_key_compare()" and "isc_attach_database()" Local Vulnerabilities

Title : PHP "array_user_key_compare()" and "isc_attach_database()" Local Vulnerabilities
Advisory ID : FrSIRT/ADV-2007-0974
CVE ID : CVE-2007-1484
Rated as : Moderate Risk

Remotely Exploitable : No
Locally Exploitable : Yes
Release Date : 2007-03-16

Advisory Details

Description

Affected Products

Solution

References

Technical Description

Two vulnerabilities have been identified in PHP, which could be exploited by malicious users to bypass security restrictions and execute arbitrary commands.

The first issue is due to a memory corruption error in the "array_user_key_compare()" function when destroying ZVALs, which could be exploited by attackers to bypass PHP restrictions and execute arbitrary commands on the underlying operating system via a malicious PHP script.

The second vulnerability is due to a buffer overflow error in the "isc_attach_database()" [gds32.dll] routine when processing malformed arguments passed to an "ibase_connect()" or "ibase_pconnect()" function, which could be exploited by attackers to bypass security restrictions and execute arbitrary commands on a system where the PHP Interbase extension is enabled (disabled by default).

Credits

Vulnerabilities reported by Stefan Esser and rgod

ChangeLog

2007-03-16 : Initial release

Vulnerability Management

Subscribe to FrSIRT VNS and receive real-time e-mail and SMS alerts when new vulnerabilities, exploits, or patches relevant to your systems and network configurations are available.

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form or by email to updates@frsirt.com.

Mailinglist

	Microsoft Windows "afd.sys" Privilege Escalation Vulnerability (MS08-066)
	Microsoft Windows MSMQ Code Execution Vulnerability (MS08-065)
	Microsoft Windows VADs Privilege Escalation Vulnerability (MS08-064)
	Microsoft Windows SMB Code Execution Vulnerability (MS08-063)
	Microsoft Windows IPP Service Code Execution Vulnerability (MS08-062)
	Microsoft Windows Kernel Privilege Escalation Vulnerabilities (MS08-061)
	Microsoft Windows 2000 Active Directory Vulnerability (MS08-060)

	Apple Mac OS X Code Execution and Security Bypass Vulnerabilities
	Apple TV Multiple File Processing Code Execution Vulnerabilities
	Apple Mac OS X Code Execution and Security Bypass Vulnerabilities
	Apple iPhone Code Execution and Security Bypass Vulnerabilities
	Apple QuickTime Multiple Remote Code Execution Vulnerabilities
	Apple iTunes Driver Integer Overflow Privilege Escalation Vulnerability
	Apple iPod touch Code Execution and Security Bypass Vulnerabilities

	Sun Solaris "sadmind" Remote Buffer Overflow Vulnerability
	Sun Java System Web Proxy Server FTP Heap Overflow
	Sun Solaris ACL UFS File Systems Denial of Service Vulnerability
	Sun Solaris Text Editors Tag Files Local Code Execution Vulnerability
	Sun Management Center Remote Denial of Service Vulnerability
	Sun Solaris Bzip2 Archive Handling Denial of Service Vulnerability
	Sun Solaris GNU Tar Headers Handling Buffer Overflow Vulnerability