the Month of PHP Security

As a last minute addition to the Month of PHP Security we present an article by Ben Fuhrmannek about virtual meta-scripting bytecode for PHP and JavaScript.

It is time to present you the tenth and last external MOPS submission. It is an article by Solar Designer describing in length how to manage PHP application’s users and passwords.

During the last hours of the CFP we received the following MOPS submission by Johannes Dahse. It is a static code analysing tool for PHP based on the tokenizer extension.

Today it is time to present you the eighth external MOPS submission. It is an article by Juergen Pabel describing a new feature for the Suhosin Extension that allows encrypting configuration strings.

Today we want to present you the seventh external MOPS submission. It is an article about usual and unusual PHP code execution vulnerabilities sent in by Arthur Gerkis.

Today we want to present you the sixth external MOPS submission. It is the second article sent in by Jakub Vrana. This one is about variable initialization in PHP.

Today we present you a short article about how to decode a PHP file encoded with the php-crypt.com PHP encoder. This article was written today by Stefan Esser after having seen an advertisement for php-crypt in the Xing PHP Development Forum.

Today it is time for the fifth external MOPS submission. It it the second submission by Mateusz Kocielski, an article about his PHP fuzzer called Minerva.

Today we want to present you the fourth external MOPS submission. It was submitted by Jordi Boggiano and explains how to generate unpredictable session ids and hashes in PHP.

Today we want to present you the third external MOPS submission. It is the first of two submissions sent in by Mateusz Kocielski. This one is a detailed explanation about how to exploit the sqlite_single_query() and sqlite_array_query() uninitialized memory usage.

Today we want to present you the second external MOPS submission. It is one of two articles sent in by Jakub Vrana. This one is about context-aware HTML escaping in PHP.

Today we want to present you the first external MOPS submission. It was sent in by Mike Boberski on behalf of the OWASP ESAPI development team. It is an article about their OWASP ESAPI for PHP.

This article is the first part of the HTML version of SektionEins GmbH’s PHP Web Security Poster. You can download an outdated PDF version here.

A use-after-free vulnerability was discovered in the deserialization of SPLObjectStorage objects that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely.

PHP’s default sesson serializer wrongly handles the PS_UNDEF_MARKER character

PHP’s php_mysqlnd_auth_write() does not check user supplied values which can result in a stack based buffer overflow.

PHP’s php_mysqlnd_read_error_from_line() trusts network data which can result in a heap based buffer overflow.

PHP’s php_mysqlnd_rset_header_read() trusts network data which can result in a heap based buffer overflow.

PHP’s php_mysqlnd_ok_read() trusts network data which can result in a heap information leak.

PHP’s ArrayObject::uasort() method can be interrupted and used for memory corruption attacks.

PHP’s ZEND_CONCAT/ZEND_ASSIGN_CONCAT opcodes can be abused for information leakage or memory corruption by a userspace error handler interruption attack. This can be leveraged to execute arbitrary code.

PHP’s ZEND_FETCH_RW opcode can be abused for information leakage by a userspace error handler interruption attack.

PHP’s pack() function can be interrupted and used for information leakage due to call time pass by reference.

PHP’s unpack() function can be interrupted and used for information leakage due to call time pass by reference.

PHP’s preg_match() function can be interrupted by an object destructor causing information leaks due to call time pass by reference.

PHP’s parse_str() function can be interrupted by deeply nested arrays which can lead to memory corruption and arbitrary code execution.

PHP’s substr_replace() function can be abused for information leak attacks, because of the call time pass by reference feature.

PHP’s trim()/ltrim()/rtrim() function can be abused for information leak attacks, because of the call time pass by reference feature.

PHP’s str_pad() function can be abused for information leak attacks, because of the call time pass by reference feature.

PHP’s str_word_count() function can be abused for information leak attacks, because of the call time pass by reference feature.

PHP’s wordwrap() function can be abused for information leak attacks, because of the call time pass by reference feature.

PHP’s strtok() function can be abused for information leak attacks, because of the call time pass by reference feature.

PHP’s setcookie() function can be abused for information leak attacks, because of the call time pass by reference feature.

PHP’s strip_tags() function can be abused for information leak attacks, because of the call time pass by reference feature.

PHP’s strtr() function can be abused for information leak attacks, similar to all the other interruption exploits. However the interruption is not triggered inside the zend_parse_parameters() function and therefore another fix is required.

PHP’s strpbrk() function can be abused for information leak attacks, because of the call time pass by reference feature.

PHP’s http_build_query() function can be abused for information leak attacks, because of the call time pass by reference feature.

PHP’s str_getcsv() function can be abused for information leak attacks, because of the call time pass by reference feature.

PHP’s htmlentities() and htmlspecialchars() functions can be abused for information leak attacks, because of the call time pass by reference feature.

It was discovered that access control to the [php] bbcode which allows executing PHP code is wrongly implemented in e107. This allows unauthenticated users to execute arbitrary PHP code easily.

PHP’s iconv_mime_encode() function can be abused for information leak attacks, because of the call time pass by reference feature. This vulnerability also demonstrates that fixing zend_parse_parameters() is not enough to kill some of these vulnerabilities.

PHP’s iconv_substr() function can be abused for information leak attacks, because of the call time pass by reference feature.

PHP’s iconv_mime_decode() function can be abused for information leak attacks, because of the call time pass by reference feature.

An SQL Injection vulnerability was discovered in the user settings dialog of e107 that allows any user to become an admin easily.

A local file inclusion vulnerability was discovered in CMSQlite that might allow remote PHP code execution.

An SQL Injection vulnerability was discovered in CMSQlite that allows to retrieve all data from the database.

The new phar extension in PHP 5.3 contains several format string vulnerabilities in the internal phar_wrapper_open_url() function.

The new phar extension in PHP 5.3 contains several format string vulnerabilities in the internal phar_parse_url() function.

The new phar extension in PHP 5.3 contains a format string vulnerability in the internal phar_wrapper_unlink() function.

The new phar extension in PHP 5.3 contains a format string vulnerability in the internal phar_wrapper_open_dir() function.

The new phar extension in PHP 5.3 contains a format string vulnerability in the internal phar_stream_flush() function.

An SQL Injection vulnerability was discovered in Cacti that allows to retrieve all data from the database. In Cacti installations with publicly viewable graphs this vulnerability is a pre-auth SQL injection vulnerability.

PHP uses the stream context during stream destruction, although it was already freed in the request shutdown before.

PHP’s fnmatch() function can be used to crash PHP through a stack exhaustion attack.

A preauth plugin configuration injection vulnerability was discovered in the WYSIWYG editor Xinha that allows e.g. uploading arbitrary PHP files to the webserver.

A preauth plugin configuration injection vulnerability was discovered in the WYSIWYG editor (Xinha) bundled with Serendipity Weblog that allows e.g. uploading arbitrary PHP files to the webserver.

A preauth SQL injection vulnerability was discovered in the chat feature of EFront that allows retrieving all data from the database by simple URL manipulation.

PHP’s preg_quote() function can be abused for information leak attacks, because of the call time pass by reference feature.

PHP’s ZEND_SR opcode can be abused for address information leak attacks by an userspace error handler interruption attack.

PHP’s ZEND_SL opcode can be abused for address information leak attacks by an userspace error handler interruption attack.

PHP’s ZEND_BW_XOR opcode can be abused for address information leak attacks by an userspace error handler interruption attack.

PHP’s sqlite_array_query() function will use uninitialized memory if it is used with an empty SQL query. This can lead to arbitrary code execution.

PHP’s sqlite_single_query() function will use uninitialized memory if it is used with an empty SQL query. This can lead to arbitrary code execution.

A SQL injection vulnerability was discovered in DeluxeBB that allows retrieving all the data from the database by adding new threads to the forum.

PHP’s html_entity_decode() function can be abused for information leak attacks, because of the call time pass by reference feature.

When PHP’s shm_put_var() function is interrupted by an object’s __sleep() function it can destroy the shm resource used by this function which allows to write an arbitrary memory address.

PHP’s chunk_split() function can be abused for information leak attacks, because of the call time pass by reference feature.

A SQL injection vulnerability was discovered in the shoutbox module of ClanTiger that allows retrieving all the data from the database.

PHP’s addcslashes() function can be abused for information leak attacks, because of the call time pass by reference feature.

A generic SQL Injection vulnerability was discovered in the MySQL Driver of ClanSphere that allows exploiting a lot of otherwise safe SQL queries.

A SQL Injection vulnerability was discovered in the Captcha generator of ClanSphere that allows retrieving all the data from the database.

PHP’s dechunk filter that can be used to decode remote HTTP chunked encoding streams, performs a signed comparison of the chunk size against the space in the buffer. A negative number will result in a far to many bytes (2GB – 4GB) being copied between heap buffers, which results in a crash.

A SQL Injection vulnerability was discovered in the TinyMCE custom article attachment plugin within Campsite that allows retrieving all data from the database.

During Month of PHP Bugs in 2007 the same vulnerability was already disclosed to the general public. Because the issue remained unfixed for three years the Month of PHP Security 2010 starts with this old unfixed vulnerability.