SSRT100877

8525

http://svn.php.net/viewvc/?view=revision&revision=317183

http://www.byte.nl/blog/2011/09/23/security-bug-in-is_a-function-in-php-5-3-7-5-3-8/

20110923 Security issue is_a function in PHP 5.3.7+

https://bugs.php.net/bug.php?id=55475

https://bugzilla.redhat.com/show_bug.cgi?id=741020

PHP before 5.3.7 does not properly check the return values of the malloc, calloc, and realloc library functions, which allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) or trigger a buffer overflow by leveraging the ability to provide an arbitrary value for a function argument, related to (1) ext/curl/interface.c, (2) ext/date/lib/parse_date.c, (3) ext/date/lib/parse_iso_intervals.c, (4) ext/date/lib/parse_tz.c, (5) ext/date/lib/timelib.c, (6) ext/pdo_odbc/pdo_odbc.c, (7) ext/reflection/php_reflection.c, (8) ext/soap/php_sdl.c, (9) ext/xmlrpc/libxmlrpc/base64.c, (10) TSRM/tsrm_win32.c, and (11) the strtotime function.

The is_a function in PHP 5.3.7 and 5.3.8 triggers a call to the
__autoload function, which makes it easier for remote attackers to execute arbitrary code by providing a crafted URL and leveraging potentially unsafe behavior in certain PEAR packages and custom autoloaders.

php: changes to is_a() in 5.3.7 may allow arbitrary code execution with certain code

A signedness issue was found in the way the PHP crypt() function handled 8-bit characters in passwords when using Blowfish hashing. Up to three characters immediately preceding a non-ASCII character (one with the high bit set) had no effect on the hash result, thus shortening the effective password length. This made brute-force guessing more efficient as several different passwords were hashed to the same value.

A signedness issue was found in the way the crypt() function in the PostgreSQL pgcrypto module handled 8-bit characters in passwords when using Blowfish hashing. Up to three characters immediately preceding a non-ASCII character (one with the high bit set) had no effect on the hash result, thus shortening the effective password length. This made brute-force guessing more efficient as several different passwords were hashed to the same value.

crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.

A stack-based buffer overflow flaw was found in the way the PHP socket extension handled long AF_UNIX socket addresses. An attacker able to make a PHP script connect to a long AF_UNIX socket address could use this flaw to crash the PHP interpreter.

Stack-based buffer overflow in the socket_connect function in ext/sockets/sockets.c in PHP 5.3.3 through 5.3.6 might allow context-dependent attackers to execute arbitrary code via a long pathname for a UNIX socket.

The rfc1867_post_handler function in main/rfc1867.c in PHP before 5.3.7 does not properly restrict filenames in multipart/form-data POST requests, which allows remote attackers to conduct absolute path traversal attacks, and possibly create or overwrite arbitrary files, via a crafted upload request, related to a 'file path injection vulnerability.'

An off-by-one flaw was found in PHP. If an attacker uploaded a file with a specially crafted file name it could cause a PHP script to attempt to write a file to the root (/) directory. By default, PHP runs as the 'apache' user, preventing it from writing to the root directory.

The rfc1867_post_handler function in main/rfc1867.c in PHP before 5.3.7 does not properly restrict filenames in multipart/form-data POST requests, which allows remote attackers to conduct absolute path traversal attacks, and possibly create or overwrite arbitrary files, via a crafted upload request, related to a 'file path injection vulnerability.'

Use-after-free vulnerability in the substr_replace function in PHP 5.3.6 and earlier allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact by using the same variable for multiple arguments.

A use-after-free flaw was found in the PHP substr_replace() function.
If a PHP script used the same variable as multiple function arguments, a remote attacker could possibly use this to crash the PHP interpreter or, possibly, execute arbitrary code.

The MITRE CVE database describes these CVEs as :

Revert is_a() behavior to php <= 5.3.6 and add a new new option (allow_string) for the new behavior (accept string and raise autoload if needed)

Use-after-free vulnerability in the substr_replace function in PHP 5.3.6 and earlier allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact by using the same variable for multiple arguments.

Stack-based buffer overflow in the socket_connect function in ext/sockets/sockets.c in PHP 5.3.3 through 5.3.6 might allow context-dependent attackers to execute arbitrary code via a long pathname for a UNIX socket.

The rfc1867_post_handler function in main/rfc1867.c in PHP before 5.3.7 does not properly restrict filenames in multipart/form-data POST requests, which allows remote attackers to conduct absolute path traversal attacks, and possibly create or overwrite arbitrary files, via a crafted upload request, related to a 'file path injection vulnerability.'

crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.

PHP before 5.3.7 does not properly check the return values of the malloc, calloc, and realloc library functions, which allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) or trigger a buffer overflow by leveraging the ability to provide an arbitrary value for a function argument, related to (1) ext/curl/interface.c, (2) ext/date/lib/parse_date.c, (3) ext/date/lib/parse_iso_intervals.c, (4) ext/date/lib/parse_tz.c, (5) ext/date/lib/timelib.c, (6) ext/pdo_odbc/pdo_odbc.c, (7) ext/reflection/php_reflection.c, (8) ext/soap/php_sdl.c, (9) ext/xmlrpc/libxmlrpc/base64.c, (10) TSRM/tsrm_win32.c, and (11) the strtotime function.

The remote host is affected by the vulnerability described in GLSA-201209-03 (PHP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in PHP. Please review the       CVE identifiers referenced below for details.
  Impact :

    A remote attacker could execute arbitrary code with the privileges of       the process, cause a Denial of Service condition, obtain sensitive       information, create arbitrary files, conduct directory traversal attacks,       bypass protection mechanisms, or perform further attacks with unspecified       impact.
  Workaround :

    There is no known workaround at this time.

According to the web server's banner, the version of HP System Management Homepage (SMH) hosted on the remote host is earlier than 7.1.1 and is, therefore, reportedly affected by the following vulnerabilities :

  - The bundled version of the libxml2 library contains     multiple vulnerabilities. (CVE-2011-1944, CVE-2011-2821,     CVE-2011-2834)

  - The bundled version of PHP contains multiple     vulnerabilities. (CVE-2011-3379, CVE-2011-4153,     CVE-2011-4885, CVE-2012-1823, CVE-2012-0057,     CVE-2012-0830)

  - The bundled version of the Apache HTTP Server contains     multiple vulnerabilities. (CVE-2011-3607, CVE-2011-4317,     CVE-2011-4415, CVE-2012-0021, CVE-2012-0031,     CVE-2012-0053)

  - An issue exists in the 'include/iniset.php' script in     the embedded RoundCube Webmail version that could lead     to a denial of service. (CVE-2011-4078)

  - The bundled version of OpenSSL contains multiple     vulnerabilities. (CVE-2011-4108, CVE-2011-4576,     CVE-2011-4577, CVE-2011-4619, CVE-2012-0027,     CVE-2012-1165)

  - The bundled version of curl and libcurl does not     properly consider special characters during extraction     of a pathname from a URL. (CVE-2012-0036)     
  - An off autocomplete attribute does not exist for     unspecified form fields, which makes it easier for     remote attackers to obtain access by leveraging an     unattended workstation. (CVE-2012-2012)

  - An unspecified vulnerability exists that could allow a     remote attacker to cause a denial of service, or     possibly obtain sensitive information or modify data.
    (CVE-2012-2013)

  - An unspecified vulnerability exists related to improper     input validation. (CVE-2012-2014)

  - An unspecified vulnerability allows remote,     unauthenticated users to gain privileges and obtain     sensitive information. (CVE-2012-2015)

  - An unspecified vulnerability allows local users to     obtain sensitive information via unknown vectors.
    (CVE-2012-2016)

Versions of PHP earlier than 5.3.9 are potentially affected by multiple vulnerabilities :

 - It is possible to create a denial of service condition by sending multiple, specially crafted requests containing parameter values that cause hash collisions when computing the hash values for storage in a hash table. (CVE-2011-4885)
 - An integer overflow exists in the exif_process_IFD_TAG function in exif.c that can allow a remote attacker to read arbitrary memory locations or cause a denial of service condition.  This vulnerability only affects PHP 5.4.0beta2 on 32-bit platforms. (CVE-2011-4566)
 - Calls to libxslt are not restricted via xsltSetSecurityPrefs(), which could allow an attacker to create or overwrite file, resulting in arbitrary code execution. (CVE-2012-0057)
 - An error exists in the function 'tidy_diagnose' that can allow an attacker to cause the application to dereference a null pointer.  This causes the application to crash. (CVE-2012-0781)
 - The 'PDORow' implementation contains an error that can cause application crashes when interacting with the session feature. C(VE-2012-0788)
 - An error exists in the timezone handling such that repeated calls to the function 'strtotime' can allow a denial of service attack via memory consuption. (CVE-2012-0789)

According to its banner, the version of PHP installed on the remote host is older than 5.3.9.  As such, it may be affected by the following security issues :

  - The 'is_a()' function in PHP 5.3.7 and 5.3.8 triggers a     call to '__autoload()'. (CVE-2011-3379)

  - It is possible to create a denial of service condition     by sending multiple, specially crafted requests     containing parameter values that cause hash collisions     when computing the hash values for storage in a hash     table.  (CVE-2011-4885)    
  - An integer overflow exists in the exif_process_IFD_TAG     function in exif.c that can allow a remote attacker to     read arbitrary memory locations or cause a denial of     service condition.  This vulnerability only affects PHP     5.4.0beta2 on 32-bit platforms. (CVE-2011-4566)

  - Calls to libxslt are not restricted via     xsltSetSecurityPrefs(), which could allow an attacker     to create or overwrite files, resulting in arbitrary     code execution. (CVE-2012-0057)

  - An error exists in the function 'tidy_diagnose' that     can allow an attacker to cause the application to     dereference a NULL pointer. This causes the application     to crash. (CVE-2012-0781)

  - The 'PDORow' implementation contains an error that can     cause application crashes when interacting with the     session feature. (CVE-2012-0788)

  - An error exists in the timezone handling such that     repeated calls to the function 'strtotime' can allow     a denial of service attack via memory consumption.
    (CVE-2012-0789)

A vulnerability has been identified and fixed in php :

The is_a function in PHP 5.3.7 and 5.3.8 triggers a call to the
__autoload function, which makes it easier for remote attackers to execute arbitrary code by providing a crafted URL and leveraging potentially unsafe behavior in certain PEAR packages and custom autoloaders (CVE-2011-3379).

The php-ini-5.3.8 package was missing with the MDVSA-2011:165 advisory and is now being provided, the php-timezonedb package was upgraded to the latest version (2011.14) for 2011.

The updated packages have been patched to correct this issue.

- Revert is_a() behavior to php <= 5.3.6 and add a new new     option (allow_string) for the new behavior (accept     string and raise autoload if needed)

  - Provides MySQL Native Driver in new php-mysqlnd package.

Upstream documentation:
http://www.php.net/manual/en/mysqlnd.overview.php

This is a drop-in replacement of MySQL Client Library used by php-mysql package.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Revert is_a() behavior to php <= 5.3.6 and add a new new option (allow_string) for the new behavior (accept string and raise autoload if needed)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
78268	Amazon Linux AMI : php (ALAS-2011-7)	Nessus	Amazon Linux Local Security Checks	high
69566	Amazon Linux AMI : php (ALAS-2011-07)	Nessus	Amazon Linux Local Security Checks	high
62236	GLSA-201209-03 : PHP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
59851	HP System Management Homepage < 7.1.1 Multiple Vulnerabilities	Nessus	Web Servers	critical
6263	PHP < 5.3.9 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
57537	PHP < 5.3.9 Multiple Vulnerabilities	Nessus	CGI abuses	high
56708	Mandriva Linux Security Advisory : php (MDVSA-2011:166)	Nessus	Mandriva Local Security Checks	high
56423	Fedora 16 : php-5.3.8-3.fc16 (2011-13472)	Nessus	Fedora Local Security Checks	high
56422	Fedora 14 : php-5.3.8-3.fc14 (2011-13458)	Nessus	Fedora Local Security Checks	high
56420	Fedora 15 : php-5.3.8-3.fc15 (2011-13446)	Nessus	Fedora Local Security Checks	high

CVE-2011-3379

HIGH

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

critical

critical

high

high

high

high

high

high