SynopsisThe remote web server uses a version of PHP that is affected by multiple vulnerabilities.
DescriptionAccording to its banner, the version of PHP installed on the remote host is prior to 5.2.7. It is, therefore, affected by multiple vulnerabilities :
- There is a buffer overflow flaw in the bundled PCRE library that allows a denial of service attack.
- Multiple directory traversal vulnerabilities exist in functions such as 'posix_access', 'chdir', and 'ftok' that allow a remote attacker to bypass 'safe_mode' restrictions. (CVE-2008-2665 and CVE-2008-2666).
- A buffer overflow flaw in 'php_imap.c' may be triggered when processing long message headers due to the use of obsolete API calls. This can be exploited to cause a denial of service or to execute arbitrary code.
- A buffer overflow in the 'imageloadfont' function in 'ext/gd/gd.c' can be triggered when a specially crafted font is given. This can be exploited to cause a denial of service or to execute arbitrary code. (CVE-2008-3658)
- A buffer overflow flaw exists in PHP's internal function 'memnstr' which can be exploited by an attacker using the delimiter argument to the 'explode' function. This can be used to cause a denial of service or to execute arbitrary code. (CVE-2008-3659)
- When PHP is used as a FastCGI module, an attacker by requesting a file whose file name extension is preceded by multiple dots can cause a denial of service.
- A heap-based buffer overflow flaw in the mbstring extension can be triggered via a specially crafted string containing an HTML entity that is not handled during Unicode conversion. This can be exploited to execute arbitrary code.(CVE-2008-5557)
- Improper initialization of global variables 'page_uid' and 'page_gid' when PHP is used as an Apache module allows the bypassing of security restriction due to SAPI 'php_getuid' function overloading. (CVE-2008-5624)
- PHP does not enforce the correct restrictions when 'safe_mode' is enabled through a 'php_admin_flag' setting in 'httpd.conf'. This allows an attacker, by placing a specially crafted 'php_value' entry in '.htaccess', to able to write to arbitrary files.
- The 'ZipArchive::extractTo' function in the ZipArchive extension fails to filter directory traversal sequences from file names. An attacker can exploit this to write to arbitrary files. (CVE-2008-5658)
- Under limited circumstances, an attacker can cause a file truncation to occur when calling the 'dba_replace' function with an invalid argument. (CVE-2008-7068)
- A buffer overflow error exists in the function 'date_from_ISO8601' function within file 'xmlrpc.c' because user-supplied input is improperly validated.
This can be exploited by a remote attacker to cause a denial of service or to execute arbitrary code.
SolutionUpgrade to PHP version 5.2.8 or later.
Note that version 5.2.7 has been removed from distribution because of a regression in that version that results in the 'magic_quotes_gpc' setting remaining off even if it was set to on.
File Name: php_5_2_7.nasl
Configuration: Enable thorough checks
Temporal Vector: E:POC/RL:OF/RC:C
Required KB Items: www/PHP
Exploit Ease: No exploit is required
Patch Publication Date: 12/4/2008
Vulnerability Publication Date: 6/19/2008
CVE: CVE-2008-2371, CVE-2008-2665, CVE-2008-2666, CVE-2008-2829, CVE-2008-3658, CVE-2008-3659, CVE-2008-3660, CVE-2008-5557, CVE-2008-5624, CVE-2008-5625, CVE-2008-5658, CVE-2008-7068, CVE-2014-8626
BID: 29796, 29797, 29829, 30087, 30649, 31612, 32383, 32625, 32688, 32948, 70928