[OpenPKG-SA-2006.023] OpenPKG Security Advisory (php) Oct 17 2006 07:09AM
OpenPKG (openpkg openpkg org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory OpenPKG GmbH
http://www.openpkg.org/security/ http://openpkg.com
OpenPKG-SA-2006.023 2006-10-17
________________________________________________________________________

Package: php
Vulnerability: privilege escalation, arbitrary code execution
OpenPKG Specific: no

Affected Series: Affected Packages: Corrected Packages:
1.0-ENTERPRISE N.A. >= php-5.1.6-E1.0.0
2-STABLE-20061018 N.A. >= php-5.1.6-2.20061018
2-STABLE <= php-5.1.5-2.20060818 >= php-5.1.6-2.20061018
CURRENT <= php-5.1.6-20061013 >= php-5.1.6-20061017

Description:
According to a security advisory [1] from Maksymilian Arciemowicz,
a vulnerability exists in the programming language PHP [0] which
allows local users to bypass certain Apache HTTP server "httpd.conf"
options, such as "safe_mode" and "open_basedir", via the "ini_restore"
function, which resets the values to their "php.ini" (master value)
defaults. The Common Vulnerabilities and Exposures (CVE) project
assigned the id CVE-2006-4625 [2] to the problem.

According to a security advisory [3] from the Hardened-PHP project, an
integer overflow bug exists in the programming language PHP [0] which
allows remote attackers to execute arbitrary code via an argument to
the "unserialize" PHP function with a large value for the number of
array elements, which triggers the overflow in the underlying Zend
Engine "ecalloc" function. The Common Vulnerabilities and Exposures
(CVE) project assigned the id CVE-2006-4812 [4] to the problem.

According to a security advisory [5] from the Hardened-PHP project, a
race condition in the "symlink" function of the programming language
PHP [0] exists which allows local users to bypass the "open_basedir"
restriction by using a combination of "symlink", "mkdir", and "unlink"
functions to change the file path after the "open_basedir" check and
before the file is opened by the underlying system, as demonstrated
by symlinking a symlink into a subdirectory, to point to a parent
directory via ".." sequences, and then unlinking the resulting
symlink. The Common Vulnerabilities and Exposures (CVE) project
assigned the id CVE-2006-5178 [6] to the problem.
________________________________________________________________________

References:
[0] http://www.php.net/
[1] http://securityreason.com/achievement_securityalert/42
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4625
[3] http://www.hardened-php.net/advisory_092006.133.html
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4812
[5] http://www.hardened-php.net/advisory_082006.132.html
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5178
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg (at) openpkg (dot) org [email concealed]>" (ID 63C4CB9F) which
you can retrieve from http://www.openpkg.org/openpkg.pgp. Follow the
instructions on http://www.openpkg.org/security/signatures/ for details
on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg (at) openpkg (dot) org [email concealed]>

iD8DBQFFNIGdgHWT4GPEy58RAtVBAJoCX3irrZamtyw2iB6kr0prNfJK8wCg7/bo
S+LNuXuT19oMnAmzUXudLkc=
=RAhf
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus