Vulnerabilities > CVE-2005-3353 - Denial Of Service vulnerability in PHP Group Exif Module Infinite Recursion
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
The exif_read_data function in the Exif module in PHP before 4.4.1 allows remote attackers to cause a denial of service (infinite loop) via a malformed JPEG image.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | Php
| 27 |
Nessus
NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2005-831.NASL description Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A flaw was found in the way PHP registers global variables during a file upload request. A remote attacker could submit a carefully crafted multipart/form-data POST request that would overwrite the $GLOBALS array, altering expected script behavior, and possibly leading to the execution of arbitrary PHP commands. Please note that this vulnerability only affects installations which have register_globals enabled in the PHP configuration file, which is not a default or recommended option. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3390 to this issue. A flaw was found in the PHP parse_str() function. If a PHP script passes only one argument to the parse_str() function, and the script can be forced to abort execution during operation (for example due to the memory_limit setting), the register_globals may be enabled even if it is disabled in the PHP configuration file. This vulnerability only affects installations that have PHP scripts using the parse_str function in this way. (CVE-2005-3389) A Cross-Site Scripting flaw was found in the phpinfo() function. If a victim can be tricked into following a malicious URL to a site with a page displaying the phpinfo() output, it may be possible to inject JavaScript or HTML content into the displayed page or steal data such as cookies. This vulnerability only affects installations which allow users to view the output of the phpinfo() function. As the phpinfo() function outputs a large amount of information about the current state of PHP, it should only be used during debugging or if protected by authentication. (CVE-2005-3388) A denial of service flaw was found in the way PHP processes EXIF image data. It is possible for an attacker to cause PHP to crash by supplying carefully crafted EXIF image data. (CVE-2005-3353) Users of PHP should upgrade to these updated packages, which contain backported patches that resolve these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 21871 published 2006-07-03 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/21871 title CentOS 3 / 4 : php (CESA-2005:831) NASL family MacOS X Local Security Checks NASL id MACOSX_SECUPD2006-001.NASL description The remote host is running Apple Mac OS X, but lacks Security Update 2006-001. This security update contains fixes for the following applications : apache_mod_php automount Bom Directory Services iChat IPSec LaunchServices LibSystem loginwindow Mail rsync Safari Syndication last seen 2020-06-01 modified 2020-06-02 plugin id 20990 published 2006-03-02 reporter This script is Copyright (C) 2006-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20990 title Mac OS X Multiple Vulnerabilities (Security Update 2006-001) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1206.NASL description Several remote vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2005-3353 Tim Starling discovered that missing input sanitising in the EXIF module could lead to denial of service. - CVE-2006-3017 Stefan Esser discovered a security-critical programming error in the hashtable implementation of the internal Zend engine. - CVE-2006-4482 It was discovered that str_repeat() and wordwrap() functions perform insufficient checks for buffer boundaries on 64 bit systems, which might lead to the execution of arbitrary code. - CVE-2006-5465 Stefan Esser discovered a buffer overflow in the htmlspecialchars() and htmlentities(), which might lead to the execution of arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 23655 published 2006-11-20 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/23655 title Debian DSA-1206-1 : php4 - several vulnerabilities NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-232-1.NASL description Eric Romang discovered a local Denial of Service vulnerability in the handling of the last seen 2020-06-01 modified 2020-06-02 plugin id 20776 published 2006-01-21 reporter Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20776 title Ubuntu 4.10 / 5.04 / 5.10 : php4, php5 vulnerabilities (USN-232-1) NASL family SuSE Local Security Checks NASL id SUSE_SA_2005_069.NASL description The remote host is missing the patch for the advisory SUSE-SA:2005:069 (php4,php5). Updated PHP packages fix the following security issues: - Stefan Esser found out that a bug in parse_str() could lead to activation of register_globals (CVE-2005-3389) and additionally that file uploads could overwrite $GLOBALS (CVE-2005-3390) - Bugs in the exif code could lead to a crash (CVE-2005-3353) - Missing safe_mode checks in image processing code and cURL functions allowed to bypass safe_mode and open_basedir (CVE-2005-3391) - Information leakage via the virtual() function (CVE-2005-3392) - Missing input sanitation in the mb_send_mail() function potentially allowed to inject arbitrary mail headers (CVE-2005-3883) The previous security update for php caused crashes when mod_rewrite was used. The updated packages fix that problem as well. last seen 2019-10-28 modified 2005-12-20 plugin id 20335 published 2005-12-20 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20335 title SUSE-SA:2005:069: php4,php5 NASL family Fedora Local Security Checks NASL id FEDORA_2005-1061.NASL description This update includes several security fixes : - fixes for prevent malicious requests from overwriting the GLOBALS array (CVE-2005-3390) - a fix to stop the parse_str() function from enabling the register_globals setting (CVE-2005-3389) - fixes for Cross-Site Scripting flaws in the phpinfo() output (CVE-2005-3388) - a fix for a denial of service (process crash) in EXIF image parsing (CVE-2005-3353) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 20186 published 2005-11-15 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/20186 title Fedora Core 3 : php-4.3.11-2.8 (2005-1061) NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2005-213.NASL description A number of vulnerabilities were discovered in PHP : An issue with fopen_wrappers.c would not properly restrict access to other directories when the open_basedir directive included a trailing slash (CVE-2005-3054); this issue does not affect Corporate Server 2.1. An issue with the apache2handler SAPI in mod_php could allow an attacker to cause a Denial of Service via the session.save_path option in an .htaccess file or VirtualHost stanza (CVE-2005-3319); this issue does not affect Corporate Server 2.1. A Denial of Service vulnerability was discovered in the way that PHP processes EXIF image data which could allow an attacker to cause PHP to crash by supplying carefully crafted EXIF image data (CVE-2005-3353). A cross-site scripting vulnerability was discovered in the phpinfo() function which could allow for the injection of JavaScript or HTML content onto a page displaying phpinfo() output, or to steal data such as cookies (CVE-2005-3388). A flaw in the parse_str() function could allow for the enabling of register_globals, even if it was disabled in the PHP configuration file (CVE-2005-3389). A vulnerability in the way that PHP registers global variables during a file upload request could allow a remote attacker to overwrite the $GLOBALS array which could potentially lead the execution of arbitrary PHP commands. This vulnerability only affects systems with register_globals enabled (CVE-2005-3390). The updated packages have been patched to address this issue. Once the new packages have been installed, you will need to restart your Apache server using last seen 2020-06-01 modified 2020-06-02 plugin id 20445 published 2006-01-15 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20445 title Mandrake Linux Security Advisory : php (MDKSA-2005:213) NASL family Fedora Local Security Checks NASL id FEDORA_2005-1062.NASL description This update includes several security fixes : - fixes for prevent malicious requests from overwriting the GLOBALS array (CVE-2005-3390) - a fix to stop the parse_str() function from enabling the register_globals setting (CVE-2005-3389) - fixes for Cross-Site Scripting flaws in the phpinfo() output (CVE-2005-3388) - a fix for a denial of service (process crash) in EXIF image parsing (CVE-2005-3353) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 20187 published 2005-11-15 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/20187 title Fedora Core 4 : php-5.0.4-10.5 (2005-1062) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2005-831.NASL description Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A flaw was found in the way PHP registers global variables during a file upload request. A remote attacker could submit a carefully crafted multipart/form-data POST request that would overwrite the $GLOBALS array, altering expected script behavior, and possibly leading to the execution of arbitrary PHP commands. Please note that this vulnerability only affects installations which have register_globals enabled in the PHP configuration file, which is not a default or recommended option. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3390 to this issue. A flaw was found in the PHP parse_str() function. If a PHP script passes only one argument to the parse_str() function, and the script can be forced to abort execution during operation (for example due to the memory_limit setting), the register_globals may be enabled even if it is disabled in the PHP configuration file. This vulnerability only affects installations that have PHP scripts using the parse_str function in this way. (CVE-2005-3389) A Cross-Site Scripting flaw was found in the phpinfo() function. If a victim can be tricked into following a malicious URL to a site with a page displaying the phpinfo() output, it may be possible to inject JavaScript or HTML content into the displayed page or steal data such as cookies. This vulnerability only affects installations which allow users to view the output of the phpinfo() function. As the phpinfo() function outputs a large amount of information about the current state of PHP, it should only be used during debugging or if protected by authentication. (CVE-2005-3388) A denial of service flaw was found in the way PHP processes EXIF image data. It is possible for an attacker to cause PHP to crash by supplying carefully crafted EXIF image data. (CVE-2005-3353) Users of PHP should upgrade to these updated packages, which contain backported patches that resolve these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 20206 published 2005-11-15 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/20206 title RHEL 3 / 4 : php (RHSA-2005:831)
Oval
| accepted | 2013-04-29T04:10:54.510-04:00 | ||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||
| contributors |
| ||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||
| description | The exif_read_data function in the Exif module in PHP before 4.4.1 allows remote attackers to cause a denial of service (infinite loop) via a malformed JPEG image. | ||||||||||||||||||||
| family | unix | ||||||||||||||||||||
| id | oval:org.mitre.oval:def:11032 | ||||||||||||||||||||
| status | accepted | ||||||||||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||||||||||
| title | The exif_read_data function in the Exif module in PHP before 4.4.1 allows remote attackers to cause a denial of service (infinite loop) via a malformed JPEG image. | ||||||||||||||||||||
| version | 26 |
Redhat
| advisories |
| ||||
| rpms |
|
References
- http://bugs.php.net/bug.php?id=34704
- http://docs.info.apple.com/article.html?artnum=303382
- http://itrc.hp.com/service/cki/docDisplay.do?docId=c00786522
- http://lists.apple.com/archives/security-announce/2006/Mar/msg00000.html
- http://rhn.redhat.com/errata/RHSA-2005-831.html
- http://secunia.com/advisories/17371
- http://secunia.com/advisories/17490
- http://secunia.com/advisories/17531
- http://secunia.com/advisories/17557
- http://secunia.com/advisories/18054
- http://secunia.com/advisories/18198
- http://secunia.com/advisories/19064
- http://secunia.com/advisories/22691
- http://secunia.com/advisories/22713
- http://securityreason.com/securityalert/525
- http://www.debian.org/security/2006/dsa-1206
- http://www.fedoralegacy.org/updates/FC2/2005-11-28-FLSA_2005_166943__Updated_php_packages_fix_security_issues.html
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:213
- http://www.openpkg.org/security/OpenPKG-SA-2005.027-php.html
- http://www.php.net/ChangeLog-4.php#4.4.1
- http://www.securityfocus.com/archive/1/419504/100/0/threaded
- http://www.securityfocus.com/bid/15358
- http://www.securityfocus.com/bid/16907
- http://www.turbolinux.com/security/2006/TLSA-2006-38.txt
- http://www.us-cert.gov/cas/techalerts/TA06-062A.html
- http://www.vupen.com/english/advisories/2006/0791
- http://www.vupen.com/english/advisories/2006/4320
- https://exchange.xforce.ibmcloud.com/vulnerabilities/24351
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11032
- https://www.ubuntu.com/usn/usn-232-1/