Vulnerabilities > CVE-2007-1383 - Numeric Errors vulnerability in PHP 4.0
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Integer overflow in the 16 bit variable reference counter in PHP 4 allows context-dependent attackers to execute arbitrary code by overflowing this counter, which causes the same variable to be destroyed twice, a related issue to CVE-2007-1286.
Common Weakness Enumeration (CWE)
Exploit-Db
| description | PHP 4 Userland ZVAL Reference Counter Overflow Exploit PoC. CVE-2007-1383. Dos exploits for multiple platform |
| id | EDB-ID:3394 |
| last seen | 2016-01-31 |
| modified | 2007-03-01 |
| published | 2007-03-01 |
| reporter | Stefan Esser |
| source | https://www.exploit-db.com/download/3394/ |
| title | PHP 4 Userland ZVAL Reference Counter Overflow Exploit PoC |
Nessus
NASL family CGI abuses NASL id PHP_5_2_1.NASL description According to its banner, the version of PHP installed on the remote host is older than 5.2.1. Such versions may be affected by several issues, including buffer overflows, format string vulnerabilities, arbitrary code execution, last seen 2020-06-01 modified 2020-06-02 plugin id 24907 published 2007-04-02 reporter This script is Copyright (C) 2007-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24907 title PHP < 5.2.1 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(24907); script_version("1.27"); script_cvs_date("Date: 2018/07/24 18:56:10"); script_cve_id( "CVE-2006-6383", "CVE-2007-0905", "CVE-2007-0906", "CVE-2007-0907", "CVE-2007-0908", "CVE-2007-0909", "CVE-2007-0910", "CVE-2007-0988", "CVE-2007-1376", "CVE-2007-1380", "CVE-2007-1383", "CVE-2007-1452", "CVE-2007-1453", "CVE-2007-1454", "CVE-2007-1700", "CVE-2007-1701", "CVE-2007-1824", "CVE-2007-1825", "CVE-2007-1835", "CVE-2007-1884", "CVE-2007-1885", "CVE-2007-1886", "CVE-2007-1887", "CVE-2007-1889", "CVE-2007-1890", "CVE-2007-4441", "CVE-2007-4586" ); script_bugtraq_id( 21508, 22496, 22805, 22806, 22862, 22922, 23119, 23120, 23219, 23233, 23234, 23235, 23236, 23237, 23238 ); script_name(english:"PHP < 5.2.1 Multiple Vulnerabilities"); script_summary(english:"Checks version of PHP"); script_set_attribute( attribute:"synopsis", value: "The remote web server uses a version of PHP that is affected by multiple flaws." ); script_set_attribute( attribute:"description", value: "According to its banner, the version of PHP installed on the remote host is older than 5.2.1. Such versions may be affected by several issues, including buffer overflows, format string vulnerabilities, arbitrary code execution, 'safe_mode' and 'open_basedir' bypasses, and clobbering of super-globals." ); script_set_attribute(attribute:"see_also", value:"http://www.php.net/releases/5_2_1.php"); script_set_attribute(attribute:"solution", value: "Upgrade to PHP version 5.2.1 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(20, 119, 189, 399); script_set_attribute(attribute:"vuln_publication_date", value:"2006/12/09"); script_set_attribute(attribute:"patch_publication_date", value:"2007/02/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/04/02"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc."); script_dependencies("php_version.nasl"); script_require_ports("Services/www", 80); script_require_keys("www/PHP"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("audit.inc"); include("webapp_func.inc"); port = get_http_port(default:80, php:TRUE); php = get_php_from_kb( port : port, exit_on_fail : TRUE ); version = php["ver"]; source = php["src"]; backported = get_kb_item('www/php/'+port+'/'+version+'/backported'); if (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install"); if (version =~ "^5\.[01]\." || version =~ "^5\.2\.0($|[^0-9])" ) { if (report_verbosity > 0) { report = '\n Version source : '+source + '\n Installed version : '+version+ '\n Fixed version : 5.2.1\n'; security_hole(port:port, extra:report); } else security_hole(port); exit(0); } else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200703-21.NASL description The remote host is affected by the vulnerability described in GLSA-200703-21 (PHP: Multiple vulnerabilities) Several vulnerabilities were found in PHP by the Hardened-PHP Project and other researchers. These vulnerabilities include a heap-based buffer overflow in htmlentities() and htmlspecialchars() if called with UTF-8 parameters, and an off-by-one error in str_ireplace(). Other vulnerabilities were also found in the PHP4 branch, including possible overflows, stack corruptions and a format string vulnerability in the *print() functions on 64 bit systems. Impact : Remote attackers might be able to exploit these issues in PHP applications making use of the affected functions, potentially resulting in the execution of arbitrary code, Denial of Service, execution of scripted contents in the context of the affected site, security bypass or information leak. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 24887 published 2007-03-26 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24887 title GLSA-200703-21 : PHP: Multiple vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200703-21. # # The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(24887); script_version("1.19"); script_cvs_date("Date: 2019/08/02 13:32:44"); script_cve_id("CVE-2006-5465", "CVE-2007-0906", "CVE-2007-0907", "CVE-2007-0908", "CVE-2007-0909", "CVE-2007-0910", "CVE-2007-0911", "CVE-2007-0988", "CVE-2007-1286", "CVE-2007-1375", "CVE-2007-1376", "CVE-2007-1380", "CVE-2007-1383"); script_bugtraq_id(20879, 22496, 22505, 22765, 22805, 22851, 22862); script_xref(name:"GLSA", value:"200703-21"); script_name(english:"GLSA-200703-21 : PHP: Multiple vulnerabilities"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200703-21 (PHP: Multiple vulnerabilities) Several vulnerabilities were found in PHP by the Hardened-PHP Project and other researchers. These vulnerabilities include a heap-based buffer overflow in htmlentities() and htmlspecialchars() if called with UTF-8 parameters, and an off-by-one error in str_ireplace(). Other vulnerabilities were also found in the PHP4 branch, including possible overflows, stack corruptions and a format string vulnerability in the *print() functions on 64 bit systems. Impact : Remote attackers might be able to exploit these issues in PHP applications making use of the affected functions, potentially resulting in the execution of arbitrary code, Denial of Service, execution of scripted contents in the context of the affected site, security bypass or information leak. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"http://www.php.net/releases/4_4_5.php" ); script_set_attribute( attribute:"see_also", value:"http://www.php.net/releases/5_2_1.php" ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200703-21" ); script_set_attribute( attribute:"solution", value: "All PHP users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose 'dev-lang/php'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'PHP 4 unserialize() ZVAL Reference Counter Overflow (Cookie)'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_cwe_id(20, 189, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:php"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2007/03/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/03/26"); script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/02"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"dev-lang/php", unaffected:make_list("ge 5.2.1-r3", "rge 5.1.6-r11", "rge 4.4.6", "rge 4.4.7", "rge 4.4.8_pre20070816"), vulnerable:make_list("lt 5.2.1-r3"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "PHP"); }
Statements
| contributor | Mark J Cox |
| lastmodified | 2007-04-16 |
| organization | Red Hat |
| statement | The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself. We therefore do not classify this issue as security-sensitive since no trust boundary is crossed. |
References
- http://secunia.com/advisories/24606
- http://secunia.com/advisories/25056
- http://security.gentoo.org/glsa/glsa-200703-21.xml
- http://www.novell.com/linux/security/advisories/2007_32_php.html
- http://www.osvdb.org/32770
- http://www.php-security.org/MOPB/MOPB-01-2007.html
- http://www.securityfocus.com/bid/22765