PHP.Versions.Prior.to.5.2.5.Multiple.Vulnerabilities

Description

PHP is a scripting language designed for CGI applications and used on many websites.
The affected releases are subject to the following vulnerabilities:
PHP before 5.2.3 allows context-dependent attackers to cause a denial of service via a long string in the pattern parameter to the glob function; or a long string in the string parameter to the fnmatch function, accompanied by a pattern parameter value with undefined characteristics, as demonstrated by a "*[1]e" value. (CVE-2007-4782)
The iconv_substr function in PHP 5.2.4 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long string in the charset parameter, probably also requiring a long string in the str parameter; or a denial of service (temporary application hang) via a long string in the str parameter. (CVE-2007-4783)
The setlocale function in PHP before 5.2.4 allows context-dependent attackers to cause a denial of service (application crash) via a long string in the locale parameter. (CVE-2007-4784)
Directory traversal vulnerability in PHP 5.2.4 and earlier allows attackers to bypass open_basedir restrictions and possibly execute arbitrary code via a .. (dot dot) in the dl function. (CVE-2007-4825)
PHP 5.2.4 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long string in the out_charset parameter to the iconv function; or a long string in the charset parameter to the iconv_mime_decode_headers, iconv_mime_decode, or iconv_strlen function. (CVE-2007-4840)
The dl function in PHP 5.2.4 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long string in the library parameter. (CVE-2007-4887)
The MySQL extension in PHP 5.2.4 and earlier allows remote attackers to bypass safe_mode and open_basedir restrictions via the MySQL LOAD_FILE, INTO DUMPFILE, and INTO OUTFILE functions, a different issue than CVE-2007-3997. (CVE-2007-4889)
ioncube_loader_win_5.2.dll in the ionCube Loader 6.5 extension for PHP 5.2.4 does not follow safe_mode and disable_functions restrictions, which allows context-dependent attackers to bypass intended limitations, as demonstrated by reading arbitrary files via the ioncube_read_file function. (CVE-2007-5447)
The Component Object Model (COM) functions in PHP 5.x on Windows do not follow safe_mode and disable_functions restrictions, which allows context-dependent attackers to bypass intended limitations, as demonstrated by executing objects with the kill bit set in the corresponding ActiveX control Compatibility Flags, executing programs via a function in compatUI.dll, invoking wscript.shell via wscript.exe, invoking Scripting.FileSystemObject via wshom.ocx, and adding users via a function in shgina.dll, related to the com_load_typelib function. (CVE-2007-5653)
The htmlentities and htmlspecialchars functions in PHP before 5.2.5 accept partial multibyte sequences, which has unknown impact and attack vectors, a different issue than CVE-2006-5465. (CVE-2007-5898)
The output_add_rewrite_var function in PHP before 5.2.5 rewrites local forms in which the ACTION attribute references a non-local URL, which allows remote attackers to obtain potentially sensitive information by reading the requests for this URL, as demonstrated by a rewritten form containing a local session ID. (CVE-2007-5899)
PHP before 5.2.5 allows local users to bypass protection mechanisms configured through php_admin_value or php_admin_flag in httpd.conf by using ini_set to modify arbitrary configuration variables, a different issue than CVE-2006-4625. (CVE-2007-5900)
The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 32-bit systems, performs a multiplication using values that can produce a zero seed in rare circumstances, which allows context-dependent attackers to predict subsequent values of the rand and mt_rand functions and possibly bypass protection mechanisms that rely on an unknown initial seed. (CVE-2008-2107)
The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 64-bit systems, performs a multiplication that generates a portion of zero bits during conversion due to insufficient precision, which produces 24 bits of entropy and simplifies brute force attacks against protection mechanisms that use the rand and mt_rand functions. (CVE-2008-2108)
The rand and mt_rand functions in PHP 5.2.6 do not produce cryptographically strong random numbers, which allows attackers to leverage exposures in products that rely on these functions for security-relevant functionality, as demonstrated by the password-reset functionality in Joomla! 1.5.x and WordPress before 2.6.2, a different vulnerability than CVE-2008-2107, CVE-2008-2108, and CVE-2008-4102. (CVE-2008-4107)
Multiple integer overflows in libgd in PHP before 5.2.4 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large (1) srcW or (2) srcH value to the (a) gdImageCopyResized function, or a large (3) sy (height) or (4) sx (width) value to the (b) gdImageCreate or the (c) gdImageCreateTrueColor function. (CVE-2007-3996)
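Of the issues listed above, the weak seeding of rand and mt_rand (CVE-2008-2107, CVE-2008-2108 and CVE-2008-4107, exploited through password-reset tokens) is the one a deployer also has to address in application code, since upgrading the interpreter does not fix code that keeps using those functions for secrets. The script below is an added example, not part of this advisory and not code from the PHP project: it issues and verifies a password-reset token from a cryptographically strong source and deliberately never falls back to rand() or mt_rand(). The function names php_is_affected, strong_random_bytes, new_reset_token and token_matches are the example's own; random_bytes, openssl_random_pseudo_bytes and hash_equals are standard PHP functions, used only where the running interpreter provides them.

```php
<?php
// Added example, not code from the advisory or from the PHP project.
// Issue and verify password-reset tokens without rand()/mt_rand(), whose
// seed on affected releases can be zero, 24 bits wide, or otherwise
// predictable (CVE-2008-2107, CVE-2008-2108, CVE-2008-4107).

// True when the interpreter predates the release the advisory recommends
// (5.2.5). The version is a parameter so the check can be exercised.
function php_is_affected($version = PHP_VERSION)
{
    return version_compare($version, '5.2.5', '<');
}

// Return exactly $bytes bytes from a cryptographically strong source, or
// throw. There is intentionally no rand()/mt_rand() fallback.
function strong_random_bytes($bytes)
{
    if (function_exists('random_bytes')) {                 // PHP 7.0+
        return random_bytes($bytes);
    }
    if (function_exists('openssl_random_pseudo_bytes')) {  // PHP 5.3+
        $strong = false;
        $out = openssl_random_pseudo_bytes($bytes, $strong);
        if ($out !== false && $strong === true && strlen($out) === $bytes) {
            return $out;
        }
    }
    if (is_readable('/dev/urandom')) {                     // Unix-like hosts
        $fh = fopen('/dev/urandom', 'rb');
        if ($fh !== false) {
            $out = fread($fh, $bytes);
            fclose($fh);
            if (strlen($out) === $bytes) {
                return $out;
            }
        }
    }
    throw new RuntimeException('no cryptographically strong random source available');
}

// A reset token: 32 random bytes, hex-encoded. That is 256 bits of entropy,
// against the 24 bits the weak GENERATE_SEED path yields on 64-bit hosts.
function new_reset_token()
{
    return bin2hex(strong_random_bytes(32));
}

// Constant-time comparison so a token check does not leak via timing.
function token_matches($expected, $supplied)
{
    if (function_exists('hash_equals')) {                  // PHP 5.6+
        return hash_equals($expected, $supplied);
    }
    if (strlen($expected) !== strlen($supplied)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($expected); $i < $n; $i++) {
        $diff |= ord($expected[$i]) ^ ord($supplied[$i]);
    }
    return $diff === 0;
}

// Usage: refuse to issue tokens on an unpatched interpreter; otherwise
// issue one and show both a matching and a non-matching verification.
if (php_is_affected()) {
    fwrite(STDERR, "PHP " . PHP_VERSION . " predates 5.2.5; upgrade before relying on tokens\n");
    exit(1);
}
$token = new_reset_token();
echo "token: $token\n";
var_dump(token_matches($token, $token));                 // bool(true)
$wrong = str_repeat('0', 64);                            // constructed wrong token
var_dump(token_matches($token, $wrong));                 // bool(false)
```

The version gate only covers the upgrade advice on this page; the token code is independent of it, because CVE-2008-4107 notes that rand and mt_rand remain unsuitable for security-relevant values even on 5.2.6, so the fix is to stop using them for secrets rather than to wait for a particular release.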

Affected Products

PHP 5 versions prior to 5.2.5

Impact

The vulnerable system could allow a remote attacker to launch cross-site scripting attacks, and there is therefore a risk of a denial-of-service (DoS) scenario.

Recommended Actions

PHP recommends that users update PHP to version 5.2.5 or later:
http://www.php.net/releases/5_2_5.php

Coverage

IPS (Regular DB)
IPS (Extended DB)