Vulnerabilities > CVE-2007-1522 - Unspecified vulnerability in PHP 5.2.0/5.2.1

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
php
nessus
exploit available
NVD
Published: 2007-03-20
Updated: 2011-03-08

Summary

Double free vulnerability in the session extension in PHP 5.2.0 and 5.2.1 allows context-dependent attackers to execute arbitrary code via illegal characters in a session identifier, which is rejected by an internal session storage module, which calls the session identifier generator with an improper environment, leading to code execution when the generator is interrupted, as demonstrated by triggering a memory limit violation or certain PHP errors.

Vulnerable Configurations

Part Description Count
Application
Php
2

Exploit-Db

descriptionPHP 5.2.0/5.2.1 Rejected Session ID Double Free Exploit. CVE-2007-1522. Local exploit for linux platform
idEDB-ID:3480
last seen2016-01-31
modified2007-03-14
published2007-03-14
reporterStefan Esser
sourcehttps://www.exploit-db.com/download/3480/
titlePHP 5.2.0/5.2.1 Rejected Session ID Double Free Exploit

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_APACHE2-MOD_PHP5-3289.NASL
    descriptionThis Update fixes numerous vulnerabilities in PHP. Most of them were made public during the
    last seen2020-06-01
    modified2020-06-02
    plugin id27150
    published2007-10-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/27150
    titleopenSUSE 10 Security Update : apache2-mod_php5 (apache2-mod_php5-3289)
    code
    #%NASL_MIN_LEVEL 80502

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update apache2-mod_php5-3289.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(27150);
  script_version ("1.14");
  script_cvs_date("Date: 2019/10/25 13:36:29");

  script_cve_id("CVE-2007-0988", "CVE-2007-1001", "CVE-2007-1375", "CVE-2007-1376", "CVE-2007-1380", "CVE-2007-1453", "CVE-2007-1454", "CVE-2007-1460", "CVE-2007-1461", "CVE-2007-1484", "CVE-2007-1521", "CVE-2007-1522", "CVE-2007-1583", "CVE-2007-1700", "CVE-2007-1717", "CVE-2007-1718", "CVE-2007-1824", "CVE-2007-1889");

  script_name(english:"openSUSE 10 Security Update : apache2-mod_php5 (apache2-mod_php5-3289)");
  script_summary(english:"Check for the apache2-mod_php5-3289 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"This Update fixes numerous vulnerabilities in PHP. Most of them were
made public during the 'Month of PHP Bugs'. The vulnerabilities
potentially lead to crashes, information leaks or even execution of
malicious code.

CVE-2007-1380, CVE-2007-0988, CVE-2007-1375, CVE-2007-1454
CVE-2007-1453, CVE-2007-1521, CVE-2007-1522, CVE-2007-1376
CVE-2007-1583, CVE-2007-1460, CVE-2007-1461, CVE-2007-1484
CVE-2007-1700, CVE-2007-1717, CVE-2007-1718, CVE-2007-1001
CVE-2007-1824, CVE-2007-1889, CVE-2007-1900"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected apache2-mod_php5 packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
  script_cwe_id(399);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-mod_php5");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-bcmath");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-bz2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-calendar");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-ctype");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-curl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-dba");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-dbase");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-dom");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-exif");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-fastcgi");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-ftp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-gd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-gettext");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-gmp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-hash");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-iconv");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-imap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-json");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-ldap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mbstring");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mcrypt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mhash");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mysql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-ncurses");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-odbc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-openssl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pcntl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pdo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pear");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pgsql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-posix");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pspell");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-shmop");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-snmp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-soap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sockets");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sqlite");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-suhosin");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sysvmsg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sysvsem");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sysvshm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-tidy");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-tokenizer");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-wddx");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xmlreader");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xmlrpc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xmlwriter");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xsl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-zip");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-zlib");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.2");

  script_set_attribute(attribute:"patch_publication_date", value:"2007/05/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE10\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.2", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE10.2", reference:"apache2-mod_php5-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-bcmath-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-bz2-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-calendar-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-ctype-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-curl-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-dba-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-dbase-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-devel-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-dom-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-exif-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-fastcgi-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-ftp-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-gd-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-gettext-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-gmp-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-hash-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-iconv-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-imap-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-json-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-ldap-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-mbstring-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-mcrypt-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-mhash-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-mysql-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-ncurses-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-odbc-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-openssl-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-pcntl-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-pdo-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-pear-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-pgsql-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-posix-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-pspell-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-shmop-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-snmp-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-soap-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-sockets-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-sqlite-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-suhosin-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-sysvmsg-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-sysvsem-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-sysvshm-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-tidy-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-tokenizer-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-wddx-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-xmlreader-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-xmlrpc-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-xmlwriter-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-xsl-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-zip-5.2.0-14") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"php5-zlib-5.2.0-14") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "apache2-mod_php5 / php5 / php5-bcmath / php5-bz2 / php5-calendar / etc");
}
  • NASL familyCGI abuses
    NASL idPHP_4_4_7_OR_5_2_2.NASL
    descriptionAccording to its banner, the version of PHP installed on the remote host is older than 4.4.7 / 5.2.2. Such versions may be affected by several issues, including buffer overflows in the GD library.
    last seen2020-06-01
    modified2020-06-02
    plugin id25159
    published2007-05-04
    reporterThis script is Copyright (C) 2007-2018 Westpoint Limited.
    sourcehttps://www.tenable.com/plugins/nessus/25159
    titlePHP < 4.4.7 / 5.2.2 Multiple Vulnerabilities
    code
    #
# Copyright (C) Westpoint Limited
#
# Based on scripts written by Tenable Network Security.
#
# Changes made by Tenable:
# -Add audit.inc include and adjust get_kb_item code to obtain
# PHP version and source after updates to php_version.nasl (9/5/2013)
#


include("compat.inc");

if(description)
{
  script_id(25159);
  script_version("1.37");
  script_cvs_date("Date: 2018/07/24 18:56:10");

  script_cve_id(
    "CVE-2007-0455",
    "CVE-2007-0911",
    "CVE-2007-1001",
    "CVE-2007-1521",
    "CVE-2007-1285",
    "CVE-2007-1375",
    "CVE-2007-1396",
    "CVE-2007-1399",
    "CVE-2007-1460",
    "CVE-2007-1461",
    "CVE-2007-1484",
    "CVE-2007-1522",
    "CVE-2007-1582",
    "CVE-2007-1583",
    "CVE-2007-1709",
    "CVE-2007-1710",
    "CVE-2007-1717",
    "CVE-2007-1718",
    "CVE-2007-1864",
    "CVE-2007-1883",
    "CVE-2007-2509",
    "CVE-2007-2510",
    "CVE-2007-2511",
    "CVE-2007-2727",
    "CVE-2007-2748",
    "CVE-2007-3998",
    "CVE-2007-4670"
  );
  script_bugtraq_id(
    22289,
    22764,
    22990,
    23357,
    23813,
    23818,
    23984,
    24012
  );

  script_name(english:"PHP < 4.4.7 / 5.2.2 Multiple Vulnerabilities");
  script_summary(english:"Checks version of PHP");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server uses a version of PHP that is affected by
multiple flaws.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of PHP installed on the remote
host is older than 4.4.7 / 5.2.2.  Such versions may be affected by
several issues, including buffer overflows in the GD library.");
  script_set_attribute(attribute:"see_also", value:"http://www.php.net/releases/4_4_7.php");
  script_set_attribute(attribute:"see_also", value:"http://www.php.net/releases/5_2_2.php");
  script_set_attribute(attribute:"solution", value:
"Upgrade to PHP 4.4.7 / 5.2.2 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 119);

  script_set_attribute(attribute:"plugin_publication_date", value:"2007/05/04");
  script_set_attribute(attribute:"vuln_publication_date", value:"2007/01/29");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2007-2018 Westpoint Limited.");

  script_dependencies("php_version.nasl");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP", "Settings/ParanoidReport");
  exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("audit.inc");

# Banner checks of PHP are prone to false-positives so we only run the
# check if the reporting is paranoid.
if (report_paranoia <= 1) audit(AUDIT_PARANOID);

port = get_http_port(default:80, php:TRUE);

version = get_kb_item_or_exit('www/php/'+port+'/version');
match = eregmatch(string:version, pattern:'(.+) under (.+)$');
if (!isnull(match))
{
  version = match[1];
  source = match[2];
}

backported = get_kb_item('www/php/'+port+'/'+version+'/backported');
if (report_paranoia < 2 && backported)
  audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install");

if (version =~ "^3\.|4\.[0-3]\." ||
    version =~ "^4\.4\.[0-6]($|[^0-9])" ||
    version =~ "^5\.[01]\." ||
    version =~ "^5\.2\.[01]($|[^0-9])"
)
{
  if (report_verbosity > 0)
  {
    report =
      '\n  Version source     : '+source +
      '\n  Installed version  : '+version+
      '\n  Fixed version      : 4.4.7 / 5.2.2\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
  exit(0);
}
else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);

Statements

contributorMark J Cox
lastmodified2007-04-16
organizationRed Hat
statementThe PHP interpreter does not offer a reliable &quot;sandboxed&quot; security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself. We therefore do not classify this issue as security-sensitive since no trust boundary is crossed.

References