From openpkg@openpkg.org Sat Dec 3 15:33:51 2005 From: OpenPKG To: bugtraq@securityfocus.com Date: Sat, 3 Dec 2005 19:21:42 +0100 Subject: [OpenPKG-SA-2005.027] OpenPKG Security Advisory (php) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ________________________________________________________________________ OpenPKG Security Advisory The OpenPKG Project http://www.openpkg.org/security.html http://www.openpkg.org openpkg-security@openpkg.org openpkg@openpkg.org OpenPKG-SA-2005.027 03-Dec-2005 ________________________________________________________________________ Package: php Vulnerability: multiple ones OpenPKG Specific: no Affected Releases: Affected Packages: Corrected Packages: OpenPKG CURRENT <= php-4.4.0-20051004 >= php-4.4.1-20051031 OpenPKG 2.5 <= php-4.4.0-2.5.1 >= php-4.4.0-2.5.2 <= apache-1.3.33-2.5.3 >= apache-1.3.33-2.5.4 OpenPKG 2.4 <= php-4.3.11-2.4.1 >= php-4.3.11-2.4.2 <= apache-1.3.33-2.4.3 >= apache-1.3.33-2.4.4 OpenPKG 2.3 <= php-4.3.10-2.3.3 >= php-4.3.10-2.3.4 <= apache-1.3.33-2.3.5 >= apache-1.3.33-2.3.6 Description: Multiple vulnerabilities were recently found in the PHP [1] web scripting language: 1. The "exif_read_data" function in the EXIF module in PHP before 4.4.1 allows remote attackers to cause a Denial of Service (DoS) through an infinite recursion via a malformed JPEG image. The Common Vulnerabilities and Exposures (CVE) project assigned the id CVE-2005-3353 [2] to the problem. 2. A Cross-Site Scripting (XSS) vulnerability in the "phpinfo" function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5 allows remote attackers to inject arbitrary web script or HTML via a crafted URL with a "stacked array assignment". The Common Vulnerabilities and Exposures (CVE) project assigned the id CVE-2005-3388 [3] to the problem. 3. The "parse_str" function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when called with only one parameter, allows remote attackers to enable the "register_globals" directive via inputs that cause a request to be terminated due to the "memory_limit" setting, which causes PHP to set an internal flag that enables "register_globals" and allows attackers to exploit vulnerabilities in PHP applications that would otherwise be protected. The Common Vulnerabilities and Exposures (CVE) project assigned the id CVE-2005-3389 [4] to the problem. 4. The RFC1867 file upload feature in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when "register_globals" is enabled, allows remote attackers to modify the "GLOBALS" array and bypass security protections of PHP applications via a "multipart/form-data" POST request with a "GLOBALS" "fileupload" field. The Common Vulnerabilities and Exposures (CVE) project assigned the id CVE-2005-3390 [5] to the problem. 5. Multiple vulnerabilities in PHP before 4.4.1 allow remote attackers to bypass "safe_mode" and "open_basedir" restrictions via unknown attack vectors in the "curl" and "gd" extensions. The Common Vulnerabilities and Exposures (CVE) project assigned the id CVE-2005-3391 [6] to the problem. 6. The additionally discovered issue CVE-2005-3392 doesn't affect PHP under the OpenPKG platforms. ________________________________________________________________________ References: [1] http://www.php.net/ [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3353 [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3388 [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3389 [5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3390 [6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3391 ________________________________________________________________________ For security reasons, this advisory was digitally signed with the OpenPGP public key "OpenPKG " (ID 63C4CB9F) of the OpenPKG project which you can retrieve from http://pgp.openpkg.org and hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/ for details on how to verify the integrity of this advisory. ________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Comment: OpenPKG iD8DBQFDkeIjgHWT4GPEy58RAr0kAKDI3vR3w7KhCg2iQ5h9au1LiYv2ogCdF4c7 IgeVMyxYVnQdAh6vmLP1kJE= =hdmj -----END PGP SIGNATURE-----