[php-maint] php4 security issues, the complete works (vol 2)

sean finney seanius at debian.org
Sun Sep 10 15:02:24 UTC 2006 

on the heels of the previous email, i've discovered a number of other
missed issues.  fortunately, most of them are safe_mode/open_basedir
vulnerabilities which i believe means we will ignore them.  also, one
entry appeared twice in my original email.

for the sake of clarity, the new entries are marked with '*'.

also, for the issues needing further discussion, i've added the CVE text
for easier reference.

i'd really like to get *something* out, and have prepared something that
covers all of the current "yes" entries so far:

http://people.debian.org/~seanius/security/php/php4_4.3.10-16sarge0.8.diff.gz
md5sum: 280c6ec67d9a0182745fc40514029949

so, executive summary:
 - i still need an answer about CVE-2006-4020 (joey/moritz: ?)
 - we need a position on CVE-2005-3390 (joey/moritz: see below)
 - CVE-2006-0207 previously marked unaffected appears to be an issue 
   after all, so more research is needed

and here's the new list:


CVE-2002-1954: no (no support for XSS fixes in phpinfo)
CVE-2005-1759: already fixed (shtool)
*CVE-2005-3054: no (no support for safe_mode/open_basedir)
CVE-2005-3319: can't reproduce (htsession.save_path DoS)
CVE-2005-3353: yes (Possible DoS in exif_read_data())
CVE-2005-3388: no (no support for XSS fixes in phpinfo)
CVE-2005-3389: no (app's responsibility to sanitize parse_str input)
*CVE-2005-3390: not previously discussed.
	text: 

	The RFC1867 file upload feature in PHP 4.x up to 4.4.0 and 5.x
	up to 5.0.5, when register_globals is enabled, allows remote
	attackers to modify the GLOBALS array and bypass security
	protections of PHP applications via a multipart/form-data POST
	request with a "GLOBALS" fileupload field.
*CVE-2005-3391: no (no support for safe_mode/open_basedir)
*CVE-2005-3392: no (no support for safe_mode/open_basedir)
CVE-2005-3883: no (app's responsibility to sanitize sendmail input)
*CVE-2006-0207: needs further research:
	text:
	Multiple HTTP response splitting vulnerabilities in PHP 5.1.1
	allow remote attackers to inject arbitrary HTTP headers via a
	crafted Set-Cookie header, related to the (1) session extension
	(aka ext/session) and the (2) header function.

	background:
	this bug was marked closed in the security tracker, but later it
	was revealed that sarge might still be affected.  see 
	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=354683
	for more information.
CVE-2006-0208: no (no support for XSS fixes in phpinfo)
CVE-2006-0931: no (app's responsibility to sanitize tar input)
CVE-2006-0996: no (no support for XSS fixes in phpinfo)
CVE-2006-1014: no (app's responsibility to sanitize sendmail input)
CVE-2006-1015: no (app's responsibility to sanitize sendmail input)
CVE-2006-1490: no (app's responsibility to sanitize html_decode input)
*CVE-2006-1494: no (no support for safe_mode/open_basedir)
CVE-2006-1549: no (users can crash their own programs if they want)
*CVE-2006-1608: no (no support for safe_mode/open_basedir)
CVE-2006-1990: no (would require malicious local user to exploit)
*CVE-2006-2563: no (no support for safe_mode/open_basedir)
CVE-2006-2660: no (users can create the files if they want)
*CVE-2006-3011: no (no support for safe_mode/open_basedir)
CVE-2006-3016: no (we don't do "unspecified vulnerabilities")
CVE-2006-3017: yes (zend_hash_del and deleting wrong element)
CVE-2006-3018: no (we don't do "unspecified vulnerabilities")
CVE-2006-4020: contested (moritz/joey: can we get an agreement?)
	text:
	scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows
	context-dependent attackers to execute arbitrary code via a 
	sscanf PHP function call that performs argument swapping, which 
	increments an index past the end of an array and triggers a 
	buffer over-read.
CVE-2006-4023: no (app's responsibility to sanitize ip2long input)
*CVE-2006-4433: no (not a bug in php, possibly other session handlers)
*CVE-2006-4481: no (no support for safe_mode/open_basedir)
CVE-2006-4482: yes (wordwrap vuln on 64-bit systems)
*CVE-2006-4483: no (no support for safe_mode/open_basedir)
CVE-2006-4484: no (not from php4-gd, but *is* found in libgd2)
*CVE-2006-4486: no (would require a malicious local user)


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: This is a digitally signed message part
Url : http://lists.alioth.debian.org/pipermail/pkg-php-maint/attachments/20060910/ad961fb1/attachment.pgp

More information about the pkg-php-maint mailing list