PHP vulnerabilities

Releases

• Ubuntu 5.10
• Ubuntu 5.04
• Ubuntu 4.10

Details

Eric Romang discovered a local Denial of Service vulnerability in the
handling of the ‘session.save_path’ parameter in PHP’s Apache 2.0
module. By setting this parameter to an invalid value in an .htaccess
file, a local user could crash the Apache server. (CVE-2005-3319)

A Denial of Service flaw was found in the EXIF module. By sending an
image with specially crafted EXIF data to a PHP program that
automatically evaluates them (e. g. a web gallery), a remote attacker
could cause an infinite recursion in the PHP interpreter, which caused
the web server to crash. (CVE-2005-3353)

Stefan Esser reported a Cross Site Scripting vulnerability in the
phpinfo() function. By tricking a user into retrieving a specially
crafted URL to a PHP page that exposes phpinfo(), a remote attacker
could inject arbitrary HTML or web script into the output page and
possibly steal private data like cookies or session identifiers.
(CVE-2005-3388)

Stefan Esser discovered a vulnerability of the parse_str() function
when it is called with just one argument. By calling such programs
with specially crafted parameters, a remote attacker could enable the
‘register_globals’ option which is normally turned off for security
reasons. Once this option is enabled, the remote attacker could
exploit other security flaws of PHP programs which are normally
protected by ‘register_globals’ being deactivated. (CVE-2005-3389)

Stefan Esser discovered that a remote attacker could overwrite the
$GLOBALS array in PHP programs that allow file uploads and run with
‘register_globals’ enabled. Depending on the particular application,
this can lead to unexpected vulnerabilities. (CVE-2005-3390)

The ‘gd’ image processing and cURL modules did not properly check
processed file names against the ‘open_basedir’ and ‘safe_mode’
restrictions, which could be exploited to circumvent these
limitations. (CVE-2005-3391)

Another bypass of the ‘open_basedir’ and ‘safe_mode’ restrictions was
found in virtual() function. A local attacker could exploit this to
circumvent these restrictions with specially crafted PHP INI files
when virtual Apache 2.0 hosts are used. (CVE-2005-3392)

The mb_send_mail() function did not properly check its arguments for
invalid embedded line breaks. By setting the ‘To:’ field of an email
to a specially crafted value in a PHP web mail application, a remote
attacker could inject arbitrary headers into the sent email.
(CVE-2005-3883)