php-sicherheit

the Month of PHP Security 2010, RDF-News-Reader by Alexander Palm, v1.93 (01.07.2006)

vom 05.02.2012 / 13:42:42, seit 0 Minute(n) / Refresh alle 15 Minuten

• Month of PHP Security 2010 - CALL FOR PAPERS
  Three years after the Month of PHP Bugs the SektionEins GmbH organises the Month of PHP Security 2010.
• PMOPB-46-2007: PHP ext/session Session Cookie Parameter Injection Vulnerability
  The session id does not get urlencoded before it is sent within the cookie. Therefore it is possible to inject arbitrary cookie parameters like a very long lifetime depending on PHP version and selected session module.
• PMOPB-45-2007: PHP ext/filter Email Validation Vulnerability
  A wrong regular expression in the email validation filter allows injection of a single newline at the end.
• MOPB-44-2007: PHP 5.2.0 Memory Manager Signed Comparision Vulnerability
  Due to a signed integer comparison the request for more than 2 GB of memory will be answered with a minimum size memory block. This results in a myriad of (sometimes remotely) exploitable buffer overflows.
• MOPB-43-2007: PHP msg_receive() Memory Allocation Integer Overflow Vulnerabilty
  An unchecked maxsize parameter to the msg_receive() function can result in an integer overflow during memory allocation that results in an exploitable buffer overflow.
• MOPB-42-2007: PHP 5 php_stream_filter_create() Off By One Vulnerablity
  The internal wildcard handling for stream filters contains an exploitable off by one overflow vulnerability that can be triggered by accessing a php://filter URL.
• MOPB-41-2007: PHP 5 sqlite_udf_decode_binary() Buffer Overflow Vulnerability
  Calling sqlite_udf_decode_binary() with a malformed input string can lead to an exploitable buffer overflow.
• MOPB-40-2007: PHP imap_mail_compose() Boundary Stack Buffer Overflow Vulnerability
  An overlong boundary string passed to imap_mail_compose() will overflow a stack buffer and lead to arbitrary code execution.
• MOPB-39-2007: PHP str_replace() Memory Allocation Integer Overflow Vulnerability
  When a single char is replaced by a long string many times in str_replace() this can result in an integer overflow in memory allocation that leads to a buffer overflow vulnerability.
• MOPB-38-2007: PHP printf() Family 64 Bit Casting Vulnerabilities
  A 64 bit long to int cast results in multiple flaws in PHP's printf() function family that lead to a new class of exploitable vulnerabilities. PHP Application Format String Vulnerabilites.
• MOPB-37-2007: PHP iptcembed() Interruption Information Leak Vulnerability
  A malicious user space error handler that interrupts iptcembed() can manipulate its parameters which leads to disclosure of arbitrary heap memory.
• MOPB-36-2007: PHP session.save_path open_basedir Bypass Vulnerability
  Due to some magic directory guessing a script can bypass the open_basedir restriction on the session save path.
• MOPB-35-2007: PHP 4 zip_entry_read() Integer Overflow Vulnerability
  The zip_entry_read() function of PHP 4 is vulnerable to an integer overflow in memory allocation that leads to an exploitable bufferoverflow.
• MOPB-34-2007: PHP mail() Header Injection Through Subject and To Parameters
  A flaw in handling folded Subject and To headers allows mail header injection through both fields.
• MOPB-33-2007: PHP mail() Message ASCIIZ Byte Truncation
  ASCIIZ character injection into an email message will truncate it.
• MOPB-32-2007: PHP 4.4.5/4.4.6 session_decode() Double Free Vulnerability
  The security fix for MOPB-31-2007 introduced a double free vulnerability into PHP 4 that can lead to the execution of arbitrary code.
• MOPB-31-2007: PHP _SESSION Deserialization Overwrite Vulnerability
  Deserialization of session data can overwrite _SESSION which can be exploited to execute arbitrary code.
• MOPB-30-2007: PHP _SESSION unset() Vulnerability
  Unsetting HTTP_SESSION_VARS and _SESSION can lead to arbitrary code execution.
• MOPB-29-2007: PHP 5.2.1 unserialize() Information Leak Vulnerability
  The new S: datatype in unserialize() does not work at all which leads to disclosure of heap memory content.
• MOPB-28-2007: PHP hash_update_file() Already Freed Resource Access Vulnerability
  A malicious user stream can trick the hash_update_file() function into accessing an already freed hash resource. This can lead to arbitrary code execution.
• MOPB-27-2007: PHP ext/gd Already Freed Resource Access Vulnerability
  A malicious error handler can trick the GD extension into accessing an already freed image resource which allows read and write access to arbitrary memory addresses from PHP code. This can lead to arbitrary code execution.
• MOPB-26-2007: PHP mb_parse_str() register_globals Activation Vulnerability
  When the mb_parse_str() function is interrupted by for example a memory_limit violation this can result in register_globals being (and staying) activated for the Apache child.
• MOPB-25-2007: PHP header() Space Trimming Buffer Underflow Vulnerability
  When the header() function is called with an all whitespace string a buffer underflow can be triggered that allows code execution on big endian systems (e.g. MacOS X on PPC, Solaris on SPARC)
• MOPB-24-2007: PHP array_user_key_compare() Double DTOR Vulnerability
  When the userspace key comparison function returns its parameters are destructed even if there are references left. Therefore an exploitable double DTOR can be triggered.
• MOPB-23-2007: PHP 5 Rejected Session Identifier Double Free Vulnerability
  When a session storage module rejects a session id the session code fails to clear an already freed pointer before calling an interruptible function. This can lead to an exploitable double free.
• MOPB-22-2007: PHP session_regenerate_id() Double Free Vulnerability
  session_regenerate_id() fails to clear an already freed pointer before calling an interruptible function. This can lead to an exploitable double free.
• MOPB-21-2007: PHP compress.bzip2:// URL Wrapper safemode and open_basedir Bypass Vulnerability
  The compress.bzip2:// URL Wrapper does not perform safemode or open_basedir checks and therefore allows access to archives outside the allowed area
• MOPB-20-2007: PHP zip:// URL Wrapper safemode and open_basedir Bypass Vulnerability
  The zip:// URL Wrapper does not perform safemode or open_basedir checks and therefore allows access to archives outside the allowed area
• MOPB-19-2007: PHP ext/filter Space Trimming Buffer Underflow Vulnerability
  When ext/filter is used in an application to filter user input a buffer underflow can be triggered that allows remote code execution on big endian systems (e.g. MacOS X on PPC, Solaris on SPARC)
• MOPB-18-2007: PHP ext/filter HTML Tag Stripping Bypass Vulnerability
  When ext/filter is configured to strip characters with low ASCII values it is possible to bypass the HTML tag filter in an easy way.
• MOPB-17-2007: PHP ext/filter FDF Post Bypass Vulnerability
  POST data in the FDF format is not processed at all by ext/filter. When PHP is compiled with FDF support, sitewide enforced filtering will not be performed on it.
• MOPB-16-2007: PHP zip:// URL Wrapper Buffer Overflow Vulnerability
  The zip:// URL wrapper suffers from a standard stack based buffer overflow that occurs when an overlong URL is parsed and can therefore lead to arbitrary code execution.
• MOPB-15-2007: PHP shmop Functions Resource Verification Vulnerability
  The shmop functions do not verify that the supplied resource is of the correct type. This allows read and write access to arbitrary memory addresses and allows the execution of arbitrary code.
• MOPB-14-2007: PHP substr_compare() Information Leak Vulnerability
  An integer overflow in the substr_compare() function allows reading arbitrary heap memory.
• MOPB-13-2007: PHP 4 Ovrimos Extension Multiple Vulnerabilities
  The Ovrimos extension shipped with PHP 4 considers arguments as direct memory pointers. This allows direct memory access which leads to arbitrary code execution.
• BONUS-12-2007: mod_security POST Rules Bypass Vulnerability
  An ASCIIZ character embedded in application/x-www-form-urlencoded POST data terminates the data in the eyes of mod_security, which results in a trivial way to bypass its rules.
• MOPB-11-2007: PHP WDDX Session Deserialization Information Leak Vulnerability
  Numerical keys in session data in WDDX format might leak an arbitrary portion of stack data into PHP variables.
• MOPB-10-2007: PHP php_binary Session Deserialization Information Leak Vulnerability
  Malformed session data in php_binary format might leak a portion of heap data into PHP variables.
• MOPB-09-2007: PHP wddx_deserialize() String Append Buffer Overflow Vulnerability
  Malformed WDDX data might trigger an exploitable buffer overflow that was introduced by a pseudo security fix.
• MOPB-08-2007: PHP 4 phpinfo() XSS Vulnerability (Deja-vu)
  phpinfo() does not escape the content of user supplied arrays in GET, POST or COOKIE variables when it displays them which leads to an XSS vulnerability.
• BONUS-07-2007: Zend Platform ini_modifier Local Root Vulnerability
  The ini_modifier of the Zend Platform can be tricked by a local user to edit the system php.ini file, which can be used to obtain root privileges.
• BONUS-06-2007: Zend Platform Insecure File Permission Local Root Vulnerability
  Several binaries and shellscripts installed by the Zend Platform are installed with unsafe permissions that might allow an attacker to gain root privileges.
• MOPB-05-2007: PHP unserialize() 64 bit Array Creation Denial of Service Vulnerability
  Deserialisation of malformed PHP arrays from within unserialize() might result in a tight endless loop exhausting CPU ressources on 64bit systems.
• MOPB-04-2007: PHP 4 unserialize() ZVAL Reference Counter Overflow
  During unserialisation of user supplied data that contains a lot of references to a variable the internal 16bit zval reference counter can overflow. This leads to an exploitable double dtor condition.
• MOPB-03-2007: PHP Variable Destructor Deep Recursion Stack Overflow
  The destruction of deeply nested PHP arrays will exhaust all available stack which leads to remotely triggerable crashes.
• MOPB-02-2007: PHP Executor Deep Recursion Stack Overflow
  A deep recursion of PHP userland code will exhaust all available stack which leads to a sometimes remotely triggerable crash.
• MOPB-01-2007: PHP 4 Userland ZVAL Reference Counter Overflow Vulnerability
  In PHP 4 userland code is able to overflow the internal 16bit zval reference counter by creating many references to a variable. This leads to an exploitable double dtor condition.

PHP-Sicherheit, RDF-News-Reader by Alexander Palm, v1.93 (01.07.2006)
Errata, Advisories, Tips und Howtos zu PHP-Sicherheit
vom 05.02.2012 / 13:42:42, seit 0 Minute(n) / Refresh alle 15 Minuten

• Exploit-Kit mit Fake-Adminkonsole
• Neuer "Month of PHP Security"
• Rezension im Linux-Magazin 09/08
• Buchvorstellung in der Online-Ausgabe der "PC Welt"
• Schulung "PHP-Sicherheit" mit Peter Prochaska
• Neue Rezension zur dritten Auflage
• Neuer Artikel online: PKI Login with PHP
• Zweite Auflage ausverkauft, dritte Auflage unterwegs
• PHP-Sicherheit
• Dritte Auflage in Arbeit
• Neue Lesermeinung auf amazon.de
• Neues Leserfeedback
• Erste Rezension zur zweiten Auflage
• Zweite Auflage im Druck
• Secure Linux Administration Conference: Sessionslides