Vulnerabilities > CVE-2007-1522 - Unspecified vulnerability in PHP 5.2.0/5.2.1
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Double free vulnerability in the session extension in PHP 5.2.0 and 5.2.1 allows context-dependent attackers to execute arbitrary code via illegal characters in a session identifier, which is rejected by an internal session storage module, which calls the session identifier generator with an improper environment, leading to code execution when the generator is interrupted, as demonstrated by triggering a memory limit violation or certain PHP errors.
Exploit-Db
description | PHP 5.2.0/5.2.1 Rejected Session ID Double Free Exploit. CVE-2007-1522. Local exploit for linux platform |
id | EDB-ID:3480 |
last seen | 2016-01-31 |
modified | 2007-03-14 |
published | 2007-03-14 |
reporter | Stefan Esser |
source | https://www.exploit-db.com/download/3480/ |
title | PHP 5.2.0/5.2.1 Rejected Session ID Double Free Exploit |
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_APACHE2-MOD_PHP5-3289.NASL description This Update fixes numerous vulnerabilities in PHP. Most of them were made public during the last seen 2020-06-01 modified 2020-06-02 plugin id 27150 published 2007-10-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27150 title openSUSE 10 Security Update : apache2-mod_php5 (apache2-mod_php5-3289) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update apache2-mod_php5-3289. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(27150); script_version ("1.14"); script_cvs_date("Date: 2019/10/25 13:36:29"); script_cve_id("CVE-2007-0988", "CVE-2007-1001", "CVE-2007-1375", "CVE-2007-1376", "CVE-2007-1380", "CVE-2007-1453", "CVE-2007-1454", "CVE-2007-1460", "CVE-2007-1461", "CVE-2007-1484", "CVE-2007-1521", "CVE-2007-1522", "CVE-2007-1583", "CVE-2007-1700", "CVE-2007-1717", "CVE-2007-1718", "CVE-2007-1824", "CVE-2007-1889"); script_name(english:"openSUSE 10 Security Update : apache2-mod_php5 (apache2-mod_php5-3289)"); script_summary(english:"Check for the apache2-mod_php5-3289 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This Update fixes numerous vulnerabilities in PHP. Most of them were made public during the 'Month of PHP Bugs'. The vulnerabilities potentially lead to crashes, information leaks or even execution of malicious code. CVE-2007-1380, CVE-2007-0988, CVE-2007-1375, CVE-2007-1454 CVE-2007-1453, CVE-2007-1521, CVE-2007-1522, CVE-2007-1376 CVE-2007-1583, CVE-2007-1460, CVE-2007-1461, CVE-2007-1484 CVE-2007-1700, CVE-2007-1717, CVE-2007-1718, CVE-2007-1001 CVE-2007-1824, CVE-2007-1889, CVE-2007-1900" ); script_set_attribute( attribute:"solution", value:"Update the affected apache2-mod_php5 packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N"); script_cwe_id(399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-mod_php5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-bcmath"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-bz2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-calendar"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-ctype"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-dba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-dbase"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-dom"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-exif"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-fastcgi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-ftp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-gettext"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-gmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-hash"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-iconv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-imap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-json"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mbstring"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mcrypt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mhash"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-ncurses"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-openssl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pcntl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pdo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pear"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-posix"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pspell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-shmop"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-snmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-soap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sockets"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sqlite"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-suhosin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sysvmsg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sysvsem"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sysvshm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-tidy"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-tokenizer"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-wddx"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xmlreader"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xmlrpc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xmlwriter"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xsl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-zip"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-zlib"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.2"); script_set_attribute(attribute:"patch_publication_date", value:"2007/05/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE10\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.2", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE10.2", reference:"apache2-mod_php5-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-bcmath-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-bz2-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-calendar-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-ctype-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-curl-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-dba-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-dbase-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-devel-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-dom-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-exif-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-fastcgi-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-ftp-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-gd-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-gettext-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-gmp-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-hash-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-iconv-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-imap-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-json-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-ldap-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-mbstring-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-mcrypt-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-mhash-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-mysql-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-ncurses-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-odbc-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-openssl-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-pcntl-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-pdo-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-pear-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-pgsql-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-posix-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-pspell-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-shmop-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-snmp-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-soap-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-sockets-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-sqlite-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-suhosin-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-sysvmsg-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-sysvsem-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-sysvshm-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-tidy-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-tokenizer-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-wddx-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-xmlreader-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-xmlrpc-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-xmlwriter-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-xsl-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-zip-5.2.0-14") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"php5-zlib-5.2.0-14") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "apache2-mod_php5 / php5 / php5-bcmath / php5-bz2 / php5-calendar / etc"); }
NASL family CGI abuses NASL id PHP_4_4_7_OR_5_2_2.NASL description According to its banner, the version of PHP installed on the remote host is older than 4.4.7 / 5.2.2. Such versions may be affected by several issues, including buffer overflows in the GD library. last seen 2020-06-01 modified 2020-06-02 plugin id 25159 published 2007-05-04 reporter This script is Copyright (C) 2007-2018 Westpoint Limited. source https://www.tenable.com/plugins/nessus/25159 title PHP < 4.4.7 / 5.2.2 Multiple Vulnerabilities code # # Copyright (C) Westpoint Limited # # Based on scripts written by Tenable Network Security. # # Changes made by Tenable: # -Add audit.inc include and adjust get_kb_item code to obtain # PHP version and source after updates to php_version.nasl (9/5/2013) # include("compat.inc"); if(description) { script_id(25159); script_version("1.37"); script_cvs_date("Date: 2018/07/24 18:56:10"); script_cve_id( "CVE-2007-0455", "CVE-2007-0911", "CVE-2007-1001", "CVE-2007-1521", "CVE-2007-1285", "CVE-2007-1375", "CVE-2007-1396", "CVE-2007-1399", "CVE-2007-1460", "CVE-2007-1461", "CVE-2007-1484", "CVE-2007-1522", "CVE-2007-1582", "CVE-2007-1583", "CVE-2007-1709", "CVE-2007-1710", "CVE-2007-1717", "CVE-2007-1718", "CVE-2007-1864", "CVE-2007-1883", "CVE-2007-2509", "CVE-2007-2510", "CVE-2007-2511", "CVE-2007-2727", "CVE-2007-2748", "CVE-2007-3998", "CVE-2007-4670" ); script_bugtraq_id( 22289, 22764, 22990, 23357, 23813, 23818, 23984, 24012 ); script_name(english:"PHP < 4.4.7 / 5.2.2 Multiple Vulnerabilities"); script_summary(english:"Checks version of PHP"); script_set_attribute(attribute:"synopsis", value: "The remote web server uses a version of PHP that is affected by multiple flaws."); script_set_attribute(attribute:"description", value: "According to its banner, the version of PHP installed on the remote host is older than 4.4.7 / 5.2.2. Such versions may be affected by several issues, including buffer overflows in the GD library."); script_set_attribute(attribute:"see_also", value:"http://www.php.net/releases/4_4_7.php"); script_set_attribute(attribute:"see_also", value:"http://www.php.net/releases/5_2_2.php"); script_set_attribute(attribute:"solution", value: "Upgrade to PHP 4.4.7 / 5.2.2 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(20, 119); script_set_attribute(attribute:"plugin_publication_date", value:"2007/05/04"); script_set_attribute(attribute:"vuln_publication_date", value:"2007/01/29"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2007-2018 Westpoint Limited."); script_dependencies("php_version.nasl"); script_require_ports("Services/www", 80); script_require_keys("www/PHP", "Settings/ParanoidReport"); exit(0); } # # The script code starts here # include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("audit.inc"); # Banner checks of PHP are prone to false-positives so we only run the # check if the reporting is paranoid. if (report_paranoia <= 1) audit(AUDIT_PARANOID); port = get_http_port(default:80, php:TRUE); version = get_kb_item_or_exit('www/php/'+port+'/version'); match = eregmatch(string:version, pattern:'(.+) under (.+)$'); if (!isnull(match)) { version = match[1]; source = match[2]; } backported = get_kb_item('www/php/'+port+'/'+version+'/backported'); if (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install"); if (version =~ "^3\.|4\.[0-3]\." || version =~ "^4\.4\.[0-6]($|[^0-9])" || version =~ "^5\.[01]\." || version =~ "^5\.2\.[01]($|[^0-9])" ) { if (report_verbosity > 0) { report = '\n Version source : '+source + '\n Installed version : '+version+ '\n Fixed version : 4.4.7 / 5.2.2\n'; security_hole(port:port, extra:report); } else security_hole(port); exit(0); } else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);
Statements
contributor | Mark J Cox |
lastmodified | 2007-04-16 |
organization | Red Hat |
statement | The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself. We therefore do not classify this issue as security-sensitive since no trust boundary is crossed. |