Info

Disclosure

Feb 09, 2007

Discovery

Unknown

Dates

Exploit

Mar 05, 2007

Solution

Unknown

Description

The php_binary serialization handler in the PHP session extension is missing a boundary check and may lead to an unauthorized information disclosure. The condition is triggered during the extraction of an overly long php_binary session data format variable name, which will disclose up to 126 bytes of heap data into PHP variables, resulting in a loss of confidentiality.

Classification

Location: Remote / Network Access
Attack Type: Information Disclosure
Impact: Loss of Confidentiality
Exploit: Exploit Public
Disclosure: OSVDB Verified, Vendor Verified
OSVDB: Concern

Solution

Upgrade to PHP versions 4.4.5 or higher and PHP 5.2.1 or higher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

The PHP Group	PHP	5.2.1
		5.2.0
		5.1.x
		5.0.x
		5.0 Release Candidate 3
		5.0 Release Candidate 2
		5.0 Release Candidate 1
		5.0 Beta 4
		5.0 Beta 3
		5.0 Beta 2
		5.0 Beta 1
		4.4.6
		4.4.5
		4.4.4
		4.4.3
		4.4.2
		4.4.1
		4.4.0
		4.3.x
		4.2.x
		4.1.x
		4.0.x
		4.0, Release Candidate 2
		4.0, Release Candidate 1
		4.0 Beta 4
		4.0 Beta 3
		4.0 Beta 2
		4.0 Beta 1
		3.x

References

CVE ID: 2007-1380 (see also: NVD)
Bugtraq ID: 22496 22805
Secunia Advisory ID: 24089 24236 24282 24284 24419 24432 24514 24606 25025 25057 25062 25423 25850
SCIP VulDB ID: 2912
Milw0rm: 3413
Exploit Database: 3413
VUPEN Advisory: FrSIRT/ADV-2007-0546
Other Advisory URL: ftp://patches.sgi.com/support/free/security/advisories/20070201-01-P.asc http://lists.suse.com/archive/suse-security-announce/2007-Mar/0003.html
http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.535756
http://support.avaya.com/elmodocs2/security/ASA-2007-101.htm
http://www.gentoo.org/security/en/glsa/glsa-200703-21.xml
http://www.mandriva.com/security/advisories?name=MDKSA-2007:048
http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.010.html
http://www.php-security.org/MOPB/MOPB-10-2007.html
http://www.trustix.org/errata/2007/0009/
http://www.ubuntu.com/usn/usn-455-1
http://www.us.debian.org/security/2007/dsa-1282
http://www.us.debian.org/security/2007/dsa-1283
Keyword: HPSBMA02215,SSRT071423 HPSBTU02232,SSRT071429 HPSBTU02232,SSRT071429,c01086137
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-06/0363.html
RedHat RHSA: http://rhn.redhat.com/errata/RHSA-2007-0089.html
Vendor Specific Advisory URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:048
http://www8.itrc.hp.com/service/cki/docDisplay.do?docId=c01056506
https://lists.ubuntu.com/archives/ubuntu-security-announce/2007-February/000487.html
https://lists.ubuntu.com/archives/ubuntu-security-announce/2007-March/000497.html
Generic Exploit URL: http://www.php-security.org/MOPB/code/MOPB-10-2007.php
Vendor URL: http://www.php.net/
Vendor Specific News/Changelog Entry: http://www.php.net/ChangeLog-4.php
http://www.php.net/ChangeLog-5.php
Vendor Specific Solution URL: http://www.php.net/downloads.php

Credit

Stefan Esser - sesserhardened-php.net - www.hardened-php.net

Direct URL: http://osvdb.org/32776

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

The PHP Group

PHP

References

Credit