copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Training
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login

  Home » Security Bul... » By Operating... » UNIX (all) » Linux (all) » AA-2007.0039 -- [Win][UNIX/Linux] -- PHP 5.2.3 relea...
 

AA-2007.0039 -- [Win][UNIX/Linux] -- PHP 5.2.3 release fixes several vulnerabilities
Date: 06 June 2007
References: ESB-2007.0280  AU-2007.0017  ESB-2007.0717  ESB-2007.0831  ESB-2008.0466  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AA-2007.0039                  AUSCERT Advisory

                             [Win][UNIX/Linux]
              PHP 5.2.3 release fixes several vulnerabilities
                                6 June 2007
- ---------------------------------------------------------------------------

        AusCERT Advisory Summary
        ------------------------

Product:              PHP 5.2.3 and prior
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact:               Execute Arbitrary Code/Commands
                      Denial of Service
                      Reduced Security
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-2872 CVE-2007-2756 CVE-2007-1900
Member content until: Tuesday, July 03 2007

Ref:                  ESB-2007.0280

Revision History:  
  June 6 2007: PHP 5.2.3 confirmed still vulnerable to overflow
  June 5 2007: Initial Release


OVERVIEW:

	PHP 5.2.3 has been released addressing several security issues. 
	The most significant are as follows:

	1. A heap overflow in the chunk_split() function potentially allows
	   execution of arbitrary code. In most PHP applications this will 
	   not be remotely exploitable. 

	   Update: this vulnerability was not correctly fixed in 5.2.3, which
	   continues to be vulnerable. A corrected patch is currently in CVS
	   but not released, as discussed in AusCERT Update AU-2007.0017. [5]

	2. A malformed PNG image can cause a denial of service via an infinite
	   loop in imagecreatefrompng().

	3. The ext/filter FILTER_VALIDATE_EMAIL filter does not correctly
	   validate email addresses, allowing a newline character at the end.


IMPACT:

	1. An attacker who is able to run arbitrary PHP code (e.g. on a shared
	   hosting server) may execute arbitrary code on the server with the 
	   privileges of the web server process. 

	   Exploitation requires control of the third parameter of chunk_split()
	   which will not be user supplied data in most PHP applications. 

	2. If the imagecreatefrompng() function is used, an attacker who is able
	   to supply a malformed PNG file can cause a denial of service. 

	3. Depending on the application, an attacker may in some cases be able
	   to inject arbitrary email headers.


MITIGATION:

	PHP 5.2.3 has been released fixing vulnerabilities 2 and 3. [1]

	Corrected patches are available in CVS to address vulnerability 1. [5]


REFERENCES:

	[1] PHP 5.2.3 Release Announcement
	    http://www.php.net/releases/5_2_3.php

	[2] PHP 5.2.3 ChangeLog
	    http://www.php.net/ChangeLog-5.php#5.2.3

	[3] PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability
	    http://www.php-security.org/MOPB/PMOPB-45-2007.html

	[4] PHP Bug #41492
	    http://bugs.php.net/bug.php?id=41492

	[5] AusCERT Update AU-2007.0017 - PHP 5.2.3 still vulnerable to overflow
	    https://www.auscert.org.au/7677


AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRmZczih9+71yA2DNAQIX0wQAk8mhEnd0/xNuzGplgAYgTBxB4MNz6zMc
5U7Zw7v+XXJkaCwVKQ5j+AR3/87EqiwVgiGWgvPz5qmQA4cqJeQ1df9JkTxLbJqs
DN9rGX3u34LOlQqd5O0DKIYcEvb1otFRAjEAWt8cIAV1IuGx2sBNnL8udWjShLAC
Hj7iNbg4Gkc=
=LLI1
-----END PGP SIGNATURE-----




Comments? Click here http://www.auscert.org.au/7669