http://www.php-security.org/enRSS Generator 1.0Fri, 01 Jun 2007 12:27:58 CESThttp://www.php-security.org/MOPB/img/mopb-logo.pnghttp://www.php-security.org/MOPB/14796http://www.php-security.org/MOPB/PMOPB-46-2007.htmlThe session id does not get urlencoded before it is sent within the cookie. Therefore it is possible to inject arbitrary cookie parameters like a very long lifetime depending on PHP version and selected session module.stefan@hardened-php.net (Stefan Esser)Fri, 01 Jun 2007 09:05:04 CESThttp://www.php-security.org/MOPB/PMOPB-45-2007.htmlA wrong regular expression in the email validation filter allows injection of a single newline at the end.stefan@hardened-php.net (Stefan Esser)Sat, 07 Apr 2007 22:20:05 CESThttp://www.php-security.org/MOPB/MOPB-44-2007.htmlDue to a signed integer comparison the request for more than 2 GB of memory will be answered with a minimum size memory block. This results in a myriad of (sometimes remotely) exploitable buffer overflows.stefan@hardened-php.net (Stefan Esser)Sat, 31 Mar 2007 19:30:05 CESThttp://www.php-security.org/MOPB/MOPB-43-2007.htmlAn unchecked maxsize parameter to the msg_receive() function can result in an integer overflow during memory allocation that results in an exploitable buffer overflow.stefan@hardened-php.net (Stefan Esser)Sat, 31 Mar 2007 19:30:04 CESThttp://www.php-security.org/MOPB/MOPB-42-2007.htmlThe internal wildcard handling for stream filters contains an exploitable off by one overflow vulnerability that can be triggered by accessing a php://filter URL.stefan@hardened-php.net (Stefan Esser)Sat, 31 Mar 2007 19:30:03 CESThttp://www.php-security.org/MOPB/MOPB-41-2007.htmlCalling sqlite_udf_decode_binary() with a malformed input string can lead to an exploitable buffer overflow.stefan@hardened-php.net (Stefan Esser)Sat, 31 Mar 2007 19:30:02 CESThttp://www.php-security.org/MOPB/MOPB-40-2007.htmlAn overlong boundary string passed to imap_mail_compose() will overflow a stack buffer and lead to arbitrary code execution.stefan@hardened-php.net (Stefan Esser)Sat, 31 Mar 2007 19:30:01 CESThttp://www.php-security.org/MOPB/MOPB-39-2007.htmlWhen a single char is replaced by a long string many times in str_replace() this can result in an integer overflow in memory allocation that leads to a buffer overflow vulnerability.stefan@hardened-php.net (Stefan Esser)Sat, 31 Mar 2007 19:30:00 CESThttp://www.php-security.org/MOPB/MOPB-38-2007.htmlA 64 bit long to int cast results in multiple flaws in PHP's printf() function family that lead to a new class of exploitable vulnerabilities. PHP Application Format String Vulnerabilites.stefan@hardened-php.net (Stefan Esser)Fri, 30 Mar 2007 20:45:00 CESThttp://www.php-security.org/MOPB/MOPB-37-2007.htmlA malicious user space error handler that interrupts iptcembed() can manipulate its parameters which leads to disclosure of arbitrary heap memory. stefan@hardened-php.net (Stefan Esser)Thu, 29 Mar 2007 23:00:00 CESThttp://www.php-security.org/MOPB/MOPB-36-2007.htmlDue to some magic directory guessing a script can bypass the open_basedir restriction on the session save path. stefan@hardened-php.net (Stefan Esser)Wed, 28 Mar 2007 23:00:00 CESThttp://www.php-security.org/MOPB/MOPB-35-2007.htmlThe zip_entry_read() function of PHP 4 is vulnerable to an integer overflow in memory allocation that leads to an exploitable bufferoverflow. stefan@hardened-php.net (Stefan Esser)Tue, 27 Mar 2007 23:00:00 CESThttp://www.php-security.org/MOPB/MOPB-34-2007.htmlA flaw in handling folded Subject and To headers allows mail header injection through both fields. stefan@hardened-php.net (Stefan Esser)Mon, 26 Mar 2007 23:00:00 CESThttp://www.php-security.org/MOPB/MOPB-33-2007.htmlASCIIZ character injection into an email message will truncate it. stefan@hardened-php.net (Stefan Esser)Mon, 26 Mar 2007 21:00:00 CESThttp://www.php-security.org/MOPB/MOPB-32-2007.htmlThe security fix for MOPB-31-2007 introduced a double free vulnerability into PHP 4 that can lead to the execution of arbitrary code. stefan@hardened-php.net (Stefan Esser)Sun, 25 Mar 2007 12:00:00 CESThttp://www.php-security.org/MOPB/MOPB-31-2007.htmlDeserialization of session data can overwrite _SESSION which can be exploited to execute arbitrary code. stefan@hardened-php.net (Stefan Esser)Sat, 24 Mar 2007 19:50:00 CEThttp://www.php-security.org/MOPB/MOPB-30-2007.htmlUnsetting HTTP_SESSION_VARS and _SESSION can lead to arbitrary code execution. stefan@hardened-php.net (Stefan Esser)Sat, 24 Mar 2007 19:30:00 CEThttp://www.php-security.org/MOPB/MOPB-29-2007.htmlThe new S: datatype in unserialize() does not work at all which leads to disclosure of heap memory content. stefan@hardened-php.net (Stefan Esser)Fri, 23 Mar 2007 09:40:00 CEThttp://www.php-security.org/MOPB/MOPB-28-2007.htmlA malicious user stream can trick the hash_update_file() function into accessing an already freed hash resource. This can lead to arbitrary code execution. stefan@hardened-php.net (Stefan Esser)Tue, 20 Mar 2007 20:20:00 CEThttp://www.php-security.org/MOPB/MOPB-27-2007.htmlA malicious error handler can trick the GD extension into accessing an already freed image resource which allows read and write access to arbitrary memory addresses from PHP code. This can lead to arbitrary code execution. stefan@hardened-php.net (Stefan Esser)Mon, 19 Mar 2007 23:00:00 CEThttp://www.php-security.org/MOPB/MOPB-26-2007.htmlWhen the mb_parse_str() function is interrupted by for example a memory_limit violation this can result in register_globals being (and staying) activated for the Apache child.stefan@hardened-php.net (Stefan Esser)Sun, 18 Mar 2007 15:00:00 CEThttp://www.php-security.org/MOPB/MOPB-25-2007.htmlWhen the header() function is called with an all whitespace string a buffer underflow can be triggered that allows code execution on big endian systems (e.g. MacOS X on PPC, Solaris on SPARC)stefan@hardened-php.net (Stefan Esser)Sat, 17 Mar 2007 22:03:00 CEThttp://www.php-security.org/MOPB/MOPB-24-2007.htmlWhen the userspace key comparison function returns its parameters are destructed even if there are references left. Therefore an exploitable double DTOR can be triggered.stefan@hardened-php.net (Stefan Esser)Fri, 16 Mar 2007 00:00:00 CEThttp://www.php-security.org/MOPB/MOPB-23-2007.htmlWhen a session storage module rejects a session id the session code fails to clear an already freed pointer before calling an interruptible function. This can lead to an exploitable double free.stefan@hardened-php.net (Stefan Esser)Thu, 15 Mar 2007 00:00:00 CEThttp://www.php-security.org/MOPB/MOPB-22-2007.htmlsession_regenerate_id() fails to clear an already freed pointer before calling an interruptible function. This can lead to an exploitable double free.stefan@hardened-php.net (Stefan Esser)Wed, 14 Mar 2007 18:44:00 CEThttp://www.php-security.org/MOPB/MOPB-21-2007.htmlThe compress.bzip2:// URL Wrapper does not perform safemode or open_basedir checks and therefore allows access to archives outside the allowed areastefan@hardened-php.net (Stefan Esser)Tue, 13 Mar 2007 23:01:00 CEThttp://www.php-security.org/MOPB/MOPB-20-2007.htmlThe zip:// URL Wrapper does not perform safemode or open_basedir checks and therefore allows access to archives outside the allowed areastefan@hardened-php.net (Stefan Esser)Tue, 13 Mar 2007 23:00:00 CEThttp://www.php-security.org/MOPB/MOPB-19-2007.htmlWhen ext/filter is used in an application to filter user input a buffer underflow can be triggered that allows remote code execution on big endian systems (e.g. MacOS X on PPC, Solaris on SPARC)stefan@hardened-php.net (Stefan Esser)Mon, 12 Mar 2007 00:03:00 CEThttp://www.php-security.org/MOPB/MOPB-18-2007.htmlWhen ext/filter is configured to strip characters with low ASCII values it is possible to bypass the HTML tag filter in an easy way.stefan@hardened-php.net (Stefan Esser)Sun, 11 Mar 2007 00:03:00 CEThttp://www.php-security.org/MOPB/MOPB-17-2007.htmlPOST data in the FDF format is not processed at all by ext/filter. When PHP is compiled with FDF support, sitewide enforced filtering will not be performed on it.stefan@hardened-php.net (Stefan Esser)Sat, 10 Mar 2007 13:30:00 CEThttp://www.php-security.org/MOPB/MOPB-16-2007.htmlThe zip:// URL wrapper suffers from a standard stack based buffer overflow that occurs when an overlong URL is parsed and can therefore lead to arbitrary code execution.stefan@hardened-php.net (Stefan Esser)Fri, 09 Mar 2007 00:05:00 CEThttp://www.php-security.org/MOPB/MOPB-15-2007.htmlThe shmop functions do not verify that the supplied resource is of the correct type. This allows read and write access to arbitrary memory addresses and allows the execution of arbitrary code.stefan@hardened-php.net (Stefan Esser)Thu, 08 Mar 2007 00:05:00 CEThttp://www.php-security.org/MOPB/MOPB-14-2007.htmlAn integer overflow in the substr_compare() function allows reading arbitrary heap memory.stefan@hardened-php.net (Stefan Esser)Wed, 07 Mar 2007 11:50:00 CEThttp://www.php-security.org/MOPB/MOPB-13-2007.htmlThe Ovrimos extension shipped with PHP 4 considers arguments as direct memory pointers. This allows direct memory access which leads to arbitrary code execution.stefan@hardened-php.net (Stefan Esser)Tue, 06 Mar 2007 00:04:15 CEThttp://www.php-security.org/MOPB/BONUS-12-2007.htmlAn ASCIIZ character embedded in application/x-www-form-urlencoded POST data terminates the data in the eyes of mod_security, which results in a trivial way to bypass its rules.stefan@hardened-php.net (Stefan Esser)Tue, 06 Mar 2007 00:00:15 CEThttp://www.php-security.org/MOPB/MOPB-11-2007.htmlNumerical keys in session data in WDDX format might leak an arbitrary portion of stack data into PHP variables.stefan@hardened-php.net (Stefan Esser)Mon, 05 Mar 2007 00:00:15 CEThttp://www.php-security.org/MOPB/MOPB-10-2007.htmlMalformed session data in php_binary format might leak a portion of heap data into PHP variables.stefan@hardened-php.net (Stefan Esser)Mon, 05 Mar 2007 00:00:00 CEThttp://www.php-security.org/MOPB/MOPB-09-2007.htmlMalformed WDDX data might trigger an exploitable buffer overflow that was introduced by a pseudo security fix.stefan@hardened-php.net (Stefan Esser)Sun, 04 Mar 2007 00:09:00 CEThttp://www.php-security.org/MOPB/MOPB-08-2007.htmlphpinfo() does not escape the content of user supplied arrays in GET, POST or COOKIE variables when it displays them which leads to an XSS vulnerability.stefan@hardened-php.net (Stefan Esser)Sat, 03 Mar 2007 15:02:00 CEThttp://www.php-security.org/MOPB/BONUS-07-2007.htmlThe ini_modifier of the Zend Platform can be tricked by a local user to edit the system php.ini file, which can be used to obtain root privileges.stefan@hardened-php.net (Stefan Esser)Sat, 03 Mar 2007 13:02:00 CEThttp://www.php-security.org/MOPB/BONUS-06-2007.htmlSeveral binaries and shellscripts installed by the Zend Platform are installed with unsafe permissions that might allow an attacker to gain root privileges.stefan@hardened-php.net (Stefan Esser)Sat, 03 Mar 2007 13:01:00 CEThttp://www.php-security.org/MOPB/MOPB-05-2007.htmlDeserialisation of malformed PHP arrays from within unserialize() might result in a tight endless loop exhausting CPU ressources on 64bit systems.stefan@hardened-php.net (Stefan Esser)Fri, 02 Mar 2007 00:02:00 CEThttp://www.php-security.org/MOPB/MOPB-04-2007.htmlDuring unserialisation of user supplied data that contains a lot of references to a variable the internal 16bit zval reference counter can overflow. This leads to an exploitable double dtor condition.stefan@hardened-php.net (Stefan Esser)Fri, 02 Mar 2007 00:01:00 CEThttp://www.php-security.org/MOPB/MOPB-03-2007.htmlThe destruction of deeply nested PHP arrays will exhaust all available stack which leads to remotely triggerable crashes.stefan@hardened-php.net (Stefan Esser)Thu, 01 Mar 2007 14:04:02 CEThttp://www.php-security.org/MOPB/MOPB-02-2007.htmlA deep recursion of PHP userland code will exhaust all available stack which leads to a sometimes remotely triggerable crash.stefan@hardened-php.net (Stefan Esser)Thu, 01 Mar 2007 14:00:02 CEThttp://www.php-security.org/MOPB/MOPB-01-2007.htmlIn PHP 4 userland code is able to overflow the internal 16bit zval reference counter by creating many references to a variable. This leads to an exploitable double dtor condition.stefan@hardened-php.net (Stefan Esser)Thu, 01 Mar 2007 00:00:00 CET