SUSE-SR:2010:017

SUSE-SR:2010:018

SSRT100826

http://www.php-security.org/2010/05/30/mops-2010-047-php-trimltrimrtrim-interruption-information-leak-vulnerability/index.html

http://www.php-security.org/2010/05/30/mops-2010-048-php-substr_replace-interruption-information-leak-vulnerability/index.html

php-substrreplace-info-disclosure(59220)

PHP was updated to version 5.3.3 to fix serveral security issues.

(CVE-2010-0397, CVE-2010-1860, CVE-2010-1862, CVE-2010-1864, CVE-2010-1866, CVE-2010-1914, CVE-2010-1915, CVE-2010-1917, CVE-2010-2093, CVE-2010-2094, CVE-2010-2097, CVE-2010-2100, CVE-2010-2101, CVE-2010-2190, CVE-2010-2191, CVE-2010-2225, CVE-2010-2531, CVE-2010-2950, CVE-2010-3062, CVE-2010-3063, CVE-2010-3064, CVE-2010-3065)

The remote host is affected by the vulnerability described in GLSA-201110-06 (PHP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in PHP. Please review the       CVE identifiers referenced below for details.
  Impact :

    A context-dependent attacker could execute arbitrary code, obtain       sensitive information from process memory, bypass intended access       restrictions, or cause a Denial of Service in various ways.
    A remote attacker could cause a Denial of Service in various ways,       bypass spam detections, or bypass open_basedir restrictions.
  Workaround :

    There is no known workaround at this time.

PHP was updated to version 5.2.14 to fix serveral security issues :

  - CVE-2010-1860

  - CVE-2010-1862

  - CVE-2010-1864

  - CVE-2010-1914

  - CVE-2010-1915

  - CVE-2010-1917

  - CVE-2010-2093

  - CVE-2010-2094

  - CVE-2010-2097

  - CVE-2010-2100

  - CVE-2010-2101

  - CVE-2010-2190

  - CVE-2010-2191

  - CVE-2010-2225

  - CVE-2010-2484

  - CVE-2010-2531

  - CVE-2010-3062

  - CVE-2010-3063

  - CVE-2010-3064

  - CVE-2010-3065

PHP was updated to version 5.2.14 to fix several security issues :

- [CVE-2010-1860](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-1860)

- [CVE-2010-1862](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-1862)

- [CVE-2010-1864](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-1864)

- [CVE-2010-1914](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-1914)

- [CVE-2010-1915](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-1915)

- [CVE-2010-1917](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-1917)

- [CVE-2010-2093](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-2093)

- [CVE-2010-2094](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-2094)

- [CVE-2010-2097](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-2097)

- [CVE-2010-2100](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-2100)

- [CVE-2010-2101](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-2101)

- [CVE-2010-2190](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-2190)

- [CVE-2010-2191](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-2191)

- [CVE-2010-2225](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-2225)

- [CVE-2010-2484](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-2484)

- [CVE-2010-2531](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-2531)

- [CVE-2010-3062](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-3062)

- [CVE-2010-3063](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-3063)

- [CVE-2010-3064](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-3064)

- [CVE-2010-3065](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-3065)

Update to PHP 5.3.3 Security Enhancements and Fixes in PHP 5.3.3: * Rewrote var_export() to use smart_str rather than output buffering, prevents data disclosure if a fatal error occurs (CVE-2010-2531). * Fixed a possible resource destruction issues in shm_put_var(). * Fixed a possible information leak because of interruption of XOR operator. * Fixed a possible memory corruption because of unexpected call-time pass by refernce and following memory clobbering through callbacks. * Fixed a possible memory corruption in ArrayObject::uasort(). * Fixed a possible memory corruption in parse_str(). * Fixed a possible memory corruption in pack(). * Fixed a possible memory corruption in substr_replace(). * Fixed a possible memory corruption in addcslashes(). * Fixed a possible stack exhaustion inside fnmatch(). * Fixed a possible dechunking filter buffer overflow. * Fixed a possible arbitrary memory access inside sqlite extension. * Fixed string format validation inside phar extension. * Fixed handling of session variable serialization on certain prefix characters. * Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288). * Fixed SplObjectStorage unserialization problems (CVE-2010-2225). * Fixed possible buffer overflows in mysqlnd_list_fields, mysqlnd_change_user. * Fixed possible buffer overflows when handling error packets in mysqlnd. Full upstream Changelog: http://www.php.net/ChangeLog-5.php#5.3.3

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of PHP 5.3 installed on the remote host is older than 5.3.3.  Such versions may be affected by several security issues :

  - An error exists when processing invalid XML-RPC     requests that can lead to a NULL pointer     dereference. (bug #51288) (CVE-2010-0397)

  - An error exists in the function 'shm_put_var' that     is related to resource destruction.

  - An error exists in the function 'fnmatch' that can lead     to stack exhaustion. (CVE-2010-1917)

  - A memory corruption error exists related to call-time     pass by reference and callbacks.

  - The dechunking filter is vulnerable to buffer overflow.

  - An error exists in the sqlite extension that could     allow arbitrary memory access.

  - An error exists in the 'phar' extension related to     string format validation.

  - The functions 'mysqlnd_list_fields' and     'mysqlnd_change_user' are vulnerable to buffer overflow.

  - The Mysqlnd extension is vulnerable to buffer overflow     attack when handling error packets.

  - The following functions are not properly protected     against function interruptions :

    addcslashes, chunk_split, html_entity_decode,     iconv_mime_decode, iconv_substr, iconv_mime_encode,     htmlentities, htmlspecialchars, str_getcsv,     http_build_query, strpbrk, strtr, str_pad,     str_word_count, wordwrap, strtok, setcookie,     strip_tags, trim, ltrim, rtrim, substr_replace,     parse_str, pack, unpack, uasort, preg_match, strrchr     (CVE-2010-1860, CVE-2010-1862, CVE-2010-1864,     CVE-2010-2097, CVE-2010-2100, CVE-2010-2101,     CVE-2010-2190, CVE-2010-2191, CVE-2010-2484)

  - The following opcodes are not properly protected     against function interruptions :

    ZEND_CONCAT, ZEND_ASSIGN_CONCAT, ZEND_FETCH_RW, XOR     (CVE-2010-2191)

  - The default session serializer contains an error     that can be exploited when assigning session     variables having user defined names. Arbitrary     serialized values can be injected into sessions by     including the PS_UNDEF_MARKER, '!', character in     variable names.

  - A use-after-free error exists in the function     'spl_object_storage_attach'. (CVE-2010-2225)

  - An information disclosure vulnerability exists in the     function 'var_export' when handling certain error     conditions. (CVE-2010-2531)

According to its banner, the version of PHP 5.2 installed on the remote host is older than 5.2.14.  Such versions may be affected by several security issues :

  - An error exists when processing invalid XML-RPC     requests that can lead to a NULL pointer     dereference. (bug #51288) (CVE-2010-0397)

  - An error exists in the function 'fnmatch' that can lead     to stack exhaustion.

  - An error exists in the sqlite extension that could     allow arbitrary memory access.

  - A memory corruption error exists in the function     'substr_replace'.

  - The following functions are not properly protected     against function interruptions :

    addcslashes, chunk_split, html_entity_decode,     iconv_mime_decode, iconv_substr, iconv_mime_encode,     htmlentities, htmlspecialchars, str_getcsv,     http_build_query, strpbrk, strstr, str_pad,     str_word_count, wordwrap, strtok, setcookie,     strip_tags, trim, ltrim, rtrim, parse_str, pack, unpack,     uasort, preg_match, strrchr, strchr, substr, str_repeat     (CVE-2010-1860, CVE-2010-1862, CVE-2010-1864,     CVE-2010-2097, CVE-2010-2100, CVE-2010-2101,     CVE-2010-2190, CVE-2010-2191, CVE-2010-2484)

  - The following opcodes are not properly protected     against function interruptions :

    ZEND_CONCAT, ZEND_ASSIGN_CONCAT, ZEND_FETCH_RW     (CVE-2010-2191)

  - The default session serializer contains an error     that can be exploited when assigning session     variables having user defined names. Arbitrary     serialized values can be injected into sessions by     including the PS_UNDEF_MARKER, '!', character in     variable names.

  - A use-after-free error exists in the function     'spl_object_storage_attach'. (CVE-2010-2225)

  - An information disclosure vulnerability exists in the     function 'var_export' when handling certain error     conditions. (CVE-2010-2531)

According to its banner the version of PHP installed on the remote host is earlier than 5.3.3 / 5.2.14.  Such version are potentially affected by multiple vulnerabilities :

  - An information disclosure vulnerability in var_export() when a fatal error occurs.

  - A resource destruction issue in shm_put_var().

  - A possible information leak because of an interruption of XOR operator.

  - A memory corruption issue caused by an unexpected call-time pass by reference and the following memory clobbering through callbacks.

  - A memory corruption issue in ArrayObject::uasort().

  - A memory corruption issue in parse_str().

  - A memory corruption issue in pack().

  - A memory corruption issue in substr_replace().

  - A memory corruption issue in addcslashes().

  - A stack exhaustion issue in fnmatch().

  - A buffer overflow vulnerability in the dechunking filter.

  - An arbitrary memory access issue in the sqlite extension.

  - A string format validation issue in the phar extension.

  - An unspecified issue relating to the handling of session variable serialization on certain prefix characters.

  - A NULL pointer dereference issue when processing invalid XML-RPC requests.

  - An unserialization issue in SplObjectStorage.

  - Buffer overflow vulnerabilities in mysqlnd_list_fields and mysqlnd_change_user.

  - Buffer overflows when handling error packets in mysqlnd.

Versions of PHP prior to 5.2.14, or 5.3.x prior to 5.3.3 are affected by the following vulnerabilities :

 - An information disclosure vulnerability in 'var_export()' when a fatal error occurs.
 - A resource destruction issue in 'shm_put_var()'.
 - A possible information leak because of an interruption of XOR operator.
 - A memory corruption issue caused by an unexpected call-time pass by reference and the following memory clobbering through callbacks.
 - A memory corruption issue in 'ArrayObject::uasort()'.
 - A memory corruption issue in 'parse_str()'.
 - A memory corruption issue in 'pack()'.
 - A memory corruption issue in 'substr_replace()'.
 - A memory corruption issue in 'addcslashes()'.
 - A stack exhaustion issue in 'fnmatch()'.
 - A buffer overflow vulnerability in the dechunking filter.
 - An arbitrary memory access issue in the sqlite extension.
 - A string format validation issue in the phar extension.
 - An unspecified issue relating to the handling of session variable serialization on certain prefix characters.
 - A NULL pointer dereference issue when processing invalid XML-RPC requests.
 - An unserialization issue in 'SplObjectStorage'.
 - Buffer overflow vulnerabilities in 'mysqlnd_list_fields' and 'mysqlnd_change_user'.
 - Buffer overflows when handling error packets in mysqlnd.
 - A flaw affects 'sqlite_single_query()' and 'sqlite_array_query()' methods included in the 'ext/sqlite/sqlite.c' source file. Specifically, the 'rres' resource is not properly initialized before use which may trigger a double-free condition when an empty query is passed to the 'real_result_dtor()' function.

ID	Name	Product	Family	Severity
75429	openSUSE Security Update : apache2-mod_php5 (openSUSE-SU-2010:0599-1)	Nessus	SuSE Local Security Checks	high
56459	GLSA-201110-06 : PHP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
50890	SuSE 11 / 11.1 Security Update : Apache 2 (SAT Patch Numbers 2880 / 2881)	Nessus	SuSE Local Security Checks	high
49830	SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 7110)	Nessus	SuSE Local Security Checks	high
49752	openSUSE Security Update : apache2-mod_php5 (openSUSE-SU-2010:0678-1)	Nessus	SuSE Local Security Checks	high
49210	openSUSE Security Update : apache2-mod_php5 (openSUSE-SU-2010:0599-1)	Nessus	SuSE Local Security Checks	high
48412	Fedora 13 : maniadrive-1.2-22.fc13 / php-5.3.3-1.fc13 / php-eaccelerator-0.9.6.1-2.fc13 (2010-11481)	Nessus	Fedora Local Security Checks	high
48411	Fedora 12 : maniadrive-1.2-22.fc12 / php-5.3.3-1.fc12 / php-eaccelerator-0.9.6.1-2.fc12 (2010-11428)	Nessus	Fedora Local Security Checks	high
48245	PHP 5.3 < 5.3.3 Multiple Vulnerabilities	Nessus	CGI abuses	high
48244	PHP 5.2 < 5.2.14 Multiple Vulnerabilities	Nessus	CGI abuses	high
801070	PHP < 5.3.3 / 5.2.14 Multiple Vulnerabilities	Log Correlation Engine	Web Servers	high
5616	PHP < 5.2.14 / 5.3.x < 5.3.3 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high

CVE-2010-2190

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins