Vigil@nce: PHP, several vulnerabilities
October 2009 by Vigil@nce
An attacker can use several vulnerabilities of PHP, in order to
obtain information or to access to a file.
Severity: 2/4
Consequences: data reading, data creation/edition
Provenance: user account
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: unique source (2/5)
Diffusion of the vulnerable configuration: medium (2/3)
Number of vulnerabilities in this bulletin: 5
Creation date: 28/09/2009
IMPACTED PRODUCTS
– PHP
DESCRIPTION OF THE VULNERABILITY
An attacker can use several vulnerabilities of PHP, in order to
obtain information or to access to a file.
The preg_match() function, which is used to match a Perl regular
expression, has to be used with a string parameter. However, if an
array is used, a warning message is displayed, and it contains the
full installation path. [grav:1/4; MajorSecurity Advisory #57]
The file_get_contents() function returns the contents of a file.
An attacker can use the "aa/../cc" filename, which is simplified
as "cc" by file_get_contents() without checking if "aa" is a
directory. [grav:2/4]
An attacker can use the null %00 character in file_get_contents(),
in order to open another file. [grav:2/4]
An attacker can exit from the root with file_get_contents().
[grav:2/4]
The mysqli_real_escape_string() function, which is used to escape
a string for MySQL, has to be used with a string parameter.
However, if an array is used, a warning message is displayed, and
it contains the full installation path. [grav:1/4]
These vulnerabilities are local or remote depending on the context.
CHARACTERISTICS
Identifiers: MajorSecurity Advisory #57, VIGILANCE-VUL-9053
http://vigilance.fr/vulnerability/PHP-several-vulnerabilities-9053