Debian DSA-1283-1 : php5 - several vulnerabilities

high Nessus Plugin ID 25100
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote Debian host is missing a security-related update.

Description

Several remote vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems :

- CVE-2007-1286 Stefan Esser discovered an overflow in the object reference handling code of the unserialize() function, which allows the execution of arbitrary code if malformed input is passed from an application.

- CVE-2007-1375 Stefan Esser discovered that an integer overflow in the substr_compare() function allows information disclosure of heap memory.

- CVE-2007-1376 Stefan Esser discovered that insufficient validation of shared memory functions allows the disclosure of heap memory.

- CVE-2007-1380 Stefan Esser discovered that the session handler performs insufficient validation of variable name length values, which allows information disclosure through a heap information leak.

- CVE-2007-1453 Stefan Esser discovered that the filtering framework performs insufficient input validation, which allows the execution of arbitrary code through a buffer underflow.

- CVE-2007-1454 Stefan Esser discovered that the filtering framework can be bypassed with a special whitespace character.

- CVE-2007-1521 Stefan Esser discovered a double free vulnerability in the session_regenerate_id() function, which allows the execution of arbitrary code.

- CVE-2007-1583 Stefan Esser discovered that a programming error in the mb_parse_str() function allows the activation of 'register_globals'.

- CVE-2007-1700 Stefan Esser discovered that the session extension incorrectly maintains the reference count of session variables, which allows the execution of arbitrary code.

- CVE-2007-1711 Stefan Esser discovered a double free vulnerability in the session management code, which allows the execution of arbitrary code.

- CVE-2007-1718 Stefan Esser discovered that the mail() function performs insufficient validation of folded mail headers, which allows mail header injection.

- CVE-2007-1777 Stefan Esser discovered that the extension to handle ZIP archives performs insufficient length checks, which allows the execution of arbitrary code.

- CVE-2007-1824 Stefan Esser discovered an off-by-one error in the filtering framework, which allows the execution of arbitrary code.

- CVE-2007-1887 Stefan Esser discovered that a buffer overflow in the sqlite extension allows the execution of arbitrary code.

- CVE-2007-1889 Stefan Esser discovered that the PHP memory manager performs an incorrect type cast, which allows the execution of arbitrary code through buffer overflows.

- CVE-2007-1900 Stefan Esser discovered that incorrect validation in the email filter extension allows the injection of mail headers.

The oldstable distribution (sarge) doesn't include php5.

Solution

Upgrade the PHP packages. Packages for the arm, hppa, mips and mipsel architectures are not yet available. They will be provided later.

For the stable distribution (etch) these problems have been fixed in version 5.2.0-8+etch3.

See Also

https://security-tracker.debian.org/tracker/CVE-2007-1286

https://security-tracker.debian.org/tracker/CVE-2007-1375

https://security-tracker.debian.org/tracker/CVE-2007-1376

https://security-tracker.debian.org/tracker/CVE-2007-1380

https://security-tracker.debian.org/tracker/CVE-2007-1453

https://security-tracker.debian.org/tracker/CVE-2007-1454

https://security-tracker.debian.org/tracker/CVE-2007-1521

https://security-tracker.debian.org/tracker/CVE-2007-1583

https://security-tracker.debian.org/tracker/CVE-2007-1700

https://security-tracker.debian.org/tracker/CVE-2007-1711

https://security-tracker.debian.org/tracker/CVE-2007-1718

https://security-tracker.debian.org/tracker/CVE-2007-1777

https://security-tracker.debian.org/tracker/CVE-2007-1824

https://security-tracker.debian.org/tracker/CVE-2007-1887

https://security-tracker.debian.org/tracker/CVE-2007-1889

https://security-tracker.debian.org/tracker/CVE-2007-1900

https://www.debian.org/security/2007/dsa-1283

Plugin Details

Severity: High

ID: 25100

File Name: debian_DSA-1283.nasl

Version: 1.22

Type: local

Agent: unix

Published: 4/30/2007

Updated: 1/4/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:php5, cpe:/o:debian:debian_linux:4.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/29/2007

Vulnerability Publication Date: 3/6/2007

Exploitable With

Metasploit (PHP 4 unserialize() ZVAL Reference Counter Overflow (Cookie))

Reference Information

CVE: CVE-2007-1286, CVE-2007-1375, CVE-2007-1376, CVE-2007-1380, CVE-2007-1453, CVE-2007-1454, CVE-2007-1521, CVE-2007-1583, CVE-2007-1700, CVE-2007-1711, CVE-2007-1718, CVE-2007-1777, CVE-2007-1824, CVE-2007-1887, CVE-2007-1889, CVE-2007-1900

DSA: 1283