Ravens PHP Scripts

PHP Two Unspecified Vulnerabilities
Date: Thursday, August 03, 2006 @ 11:08:32 CDT
Topic: Security


TITLE: PHP Two Unspecified Vulnerabilities

SECUNIA ADVISORY ID: SA21328

VERIFY ADVISORY: http://secunia.com/advisories/21328/

CRITICAL: Moderately critical

IMPACT: Unknown

WHERE: From remote

SOFTWARE: PHP 4.4.x -- http://secunia.com/product/5768/

DESCRIPTION: Two unspecified vulnerabilities with unknown impacts have been reported in PHP.

1) An offset/length parameter validation error exists in the "substr_compare()" function.

2) An unspecified error exists in the handling of certain characters in session names.

Many other issues, some of which may be security related, have also been reported.

SOLUTION: Update to version 4.4.3. -- http://www.php.net/downloads.php

PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.

ORIGINAL ADVISORY: PHP Group: http://www.php.net/release_4_4_3.php

The security issues resolved include the following:

* Disallow certain characters in session names.
* Fixed a buffer overflow inside the wordwrap() function.
* Prevent jumps to parent directory via the 2nd parameter of the tempnam() function.
* Improved safe_mode check for the error_log() function.
* Fixed cross-site scripting inside the phpinfo() function.
* Fixed offset/length parameter validation inside the substr_compare() function.

The release also includes about 20 bug fixes and an upgraded PCRE library (version 6.6).

The full list of changes in PHP 4.4.3 follows.


Version 4.4.3
03-Aug-2006

* Added control character checks for cURL extension's open_basedir/safe_mode checks.
* Added overflow checks to wordwrap() function.
* Added a check for special characters in the session name.
* Improved safe_mode check for the error_log() function.
* Updated PCRE to version 6.6.
* Fixed handling of extremely long paths inside tempnam() function.
* Fixed XSS inside phpinfo() with long inputs.
* Fixed a possible buffer overflow inside create_named_pipe() for Win32 systems in libmysql.c.
* Fixed bug #37720 (merge_php_config scrambles values).
* Fixed bug #37569 (WDDX incorrectly encodes high-ascii characters).
* Fixed bug #37510 (session_regenerate_id changes session_id() even on failure).
* Fixed bug #37360 (Memory errors with a corrupt GIF file).
* Fixed bug #37348 (Make PEAR install ignore open_basedir).
* Fixed bug #37346 (Crashes when using an invalid colormap format).
* Fixed bug #37162 (wddx does not build as a shared extension).
* Fixed bug #37046 (foreach breaks static scope).
* Fixed bug #37045 (Fixed check for special chars for http redirects).
* Fixed bug #36857 (Added support for partial content fetching to the HTTP streams wrapper).
* Fixed bug #36776 (node_list_wrapper_dtor segfault).
* Fixed bug #36459 (Incorrect adding PHPSESSID to links, which contains ).
* Fixed bug #36458 (sleep() accepts negative values).
* Fixed bug #36242 (Possible memory corruption in stream_select()).
* Fixed bug #36223 (curl bypasses open_basedir restrictions).
* Fixed bug #36205 (Memory leaks on duplicate cookies).
* Fixed bug #36148 (unpack("H*hex", $data) is adding an extra character to the end of the string).
* Fixed bug #36017 (fopen() crashes PHP when opening a URL).





This article comes from Ravens PHP Scripts
https://www.ravenphpscripts.com

The URL for this story is:
https://www.ravenphpscripts.com/modules.php?name=News&file=article&sid=2292