Vigil@nce: PHP 5, several vulnerabilities
December 2008 by Vigil@nce
SYNTHESIS
An attacker can use several vulnerabilities of PHP in order to
create a denial of service or to execute code.
Gravity: 2/4
Consequences: user access/rights, data creation/edition, denial of
service of service
Provenance: internet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Number of vulnerabilities in this bulletin: 4
Creation date: 04/12/2008
Revision date: 05/12/2008
IMPACTED PRODUCTS
– PHP
– Slackware Linux
DESCRIPTION
Several vulnerabilities were announced in PHP 5.
When the attacker can change the PCRE regular expression, he can
corrupt its memory in order for example to execute code
(VIGILANCE-VUL-7926 (https://vigilance.fr/tree/1/7926)).
[grav:1/4; BID-30087, CVE-2008-2371]
The page_uid/page_gid global variables (BG, basic_globals) are not
initialized, which can be used to bypass uid/gid checks in Safe
Mode. [grav:2/4; BID-32688]
An attacker can use a malicious ZIP archive in order to create a
file outside the ZipArchive::extractTo() extraction directory.
[grav:2/4; BID-32625]
An attacker can generate a memory leak in sqlite_create_aggregate(),
sqliteCreateAggregate(), readline_callback_handler_remove(),
readline_callback_handler_install(), readline_completion_function()
and ibase_trans() functions. [grav:1/4]
These vulnerabilities are local or remote depending on the context.
CHARACTERISTICS
Identifiers: BID-30087, BID-32625, BID-32688, CVE-2008-2371,
SSA:2008-339-01, VIGILANCE-VUL-8286