News

Wednesday, 21 March 2007

Overview of the Month of PHP Bugs

Stefan Esser provides an overview of the Month of PHP Bugs in a new post over at Nexen.net. The post covers 26 vulnerabilities.

Some of the vulnerabilities are as follows:

    • PHP ext/gd Already Freed Resource Access Vulnerability: when GD functions are called, they first retrieve the resource data for further processing. When such a function is interrupted by an error after the resource data has been retrieved, a malicious userspace error handler can destroy the image resource and replace it with a specially prepared fake resource. This allows read and write access to arbitrary memory addresses, which can be exploited to execute arbitrary code.
    • PHP mb_parse_str() register_globals Activation Vulnerability: when the mb_parse_str() function, the multibyte variant of parse_str(), is called with only one parameter and is interrupted by, for example, a memory_limit violation, the register_globals directive is activated internally during processing and never deactivated again. The affected Apache child process therefore keeps register_globals activated in a way that is undetectable to PHP code.
    • PHP header() Space Trimming Buffer Underflow Vulnerability: when an all-whitespace string is passed to the header() function, this can result in a buffer underflow that allows code execution on at least big-endian systems such as Mac OS X on PPC.
    • PHP 5 Rejected Session Identifier Double Free Vulnerability: since PHP 5.2.0, internal session storage modules can reject session identifiers that contain, for example, characters considered malicious. When the session extension is notified that the session id is invalid, it fails to clear an already freed pointer to the invalid session identifier before calling the session identifier generator. When this generator triggers an error, the result can be a double free that is exploitable locally and might be remotely exploitable too.
    • PHP session_regenerate_id() Double Free Vulnerability: the session_regenerate_id() function, which is used to generate a new session identifier, fails to clear an already freed pointer to the former session identifier before calling the session identifier generator. When this generator triggers an error, the result can be a double free that is easily exploitable and might be remotely exploitable.

Read the Post

Copyright © 2008 SDA Asia Magazine - All Rights Reserved