Vulnerabilities > CVE-2007-1890 - Integer Overflow vulnerability in PHP Msg_Receive() Memory Allocation

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

php

nessus

exploit available

NVD

Published: 2007-04-06

Updated: 2018-10-30

Summary

Integer overflow in the msg_receive function in PHP 4 before 4.4.5 and PHP 5 before 5.2.1, on FreeBSD and possibly other platforms, allows context-dependent attackers to execute arbitrary code via certain maxsize values, as demonstrated by 0xffffffff.

Vulnerable Configurations

Part	Description	Count
Application	Php PHP PHP 4.0.0 PHP PHP 4.0.1 PHP PHP 4.0.2 PHP PHP 4.0.3 PHP PHP 4.0.4 PHP PHP 4.0.5 PHP PHP 4.0.6 PHP PHP 4.0.7 PHP PHP 4.1.0 PHP PHP 4.1.1 PHP PHP 4.1.2 PHP PHP 4.2 PHP PHP 4.2.0 PHP PHP 4.2.1 PHP PHP 4.2.2 PHP PHP 4.2.3 PHP PHP 4.3.0 PHP PHP 4.3.1 PHP PHP 4.3.2 PHP PHP 4.3.3 PHP PHP 4.3.4 PHP PHP 4.3.5 PHP PHP 4.3.6 PHP PHP 4.3.7 PHP PHP 4.3.8 PHP PHP 4.3.9 PHP PHP 4.3.10 PHP PHP 4.3.11 PHP PHP 4.4.0 PHP PHP 4.4.1 PHP PHP 4.4.2 PHP PHP 4.4.3 PHP PHP 4.4.4 PHP PHP 5.0 PHP PHP 5.0.0 PHP PHP 5.0.1 PHP PHP 5.0.2 PHP PHP 5.0.3 PHP PHP 5.0.4 PHP PHP 5.0.5 PHP PHP 5.1.0 PHP PHP 5.1.1 PHP PHP 5.1.2 PHP PHP 5.1.3 PHP PHP 5.1.4 PHP PHP 5.1.5 PHP PHP 5.1.6 PHP PHP 5.2.0	64

Exploit-Db

description	PHP 5.1.6 Msg_Receive() Memory Allocation Integer Overflow Vulnerability. CVE-2007-1890. Remote exploit for php platform
id	EDB-ID:29808
last seen	2016-02-03
modified	2007-03-31
published	2007-03-31
reporter	Stefan Esser
source	https://www.exploit-db.com/download/29808/
title	PHP <= 5.1.6 - Msg_Receive Memory Allocation Integer Overflow Vulnerability

Nessus

NASL family	CGI abuses
NASL id	PHP_5_2_1.NASL
description	According to its banner, the version of PHP installed on the remote host is older than 5.2.1. Such versions may be affected by several issues, including buffer overflows, format string vulnerabilities, arbitrary code execution,
last seen	2020-06-01
modified	2020-06-02
plugin id	24907
published	2007-04-02
reporter	This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/24907
title	PHP < 5.2.1 Multiple Vulnerabilities
code	# # (C) Tenable Network Security, Inc. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(24907); script_version("1.27"); script_cvs_date("Date: 2018/07/24 18:56:10"); script_cve_id( "CVE-2006-6383", "CVE-2007-0905", "CVE-2007-0906", "CVE-2007-0907", "CVE-2007-0908", "CVE-2007-0909", "CVE-2007-0910", "CVE-2007-0988", "CVE-2007-1376", "CVE-2007-1380", "CVE-2007-1383", "CVE-2007-1452", "CVE-2007-1453", "CVE-2007-1454", "CVE-2007-1700", "CVE-2007-1701", "CVE-2007-1824", "CVE-2007-1825", "CVE-2007-1835", "CVE-2007-1884", "CVE-2007-1885", "CVE-2007-1886", "CVE-2007-1887", "CVE-2007-1889", "CVE-2007-1890", "CVE-2007-4441", "CVE-2007-4586" ); script_bugtraq_id( 21508, 22496, 22805, 22806, 22862, 22922, 23119, 23120, 23219, 23233, 23234, 23235, 23236, 23237, 23238 ); script_name(english:"PHP < 5.2.1 Multiple Vulnerabilities"); script_summary(english:"Checks version of PHP"); script_set_attribute( attribute:"synopsis", value: "The remote web server uses a version of PHP that is affected by multiple flaws." ); script_set_attribute( attribute:"description", value: "According to its banner, the version of PHP installed on the remote host is older than 5.2.1. Such versions may be affected by several issues, including buffer overflows, format string vulnerabilities, arbitrary code execution, 'safe_mode' and 'open_basedir' bypasses, and clobbering of super-globals." ); script_set_attribute(attribute:"see_also", value:"http://www.php.net/releases/5_2_1.php"); script_set_attribute(attribute:"solution", value: "Upgrade to PHP version 5.2.1 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(20, 119, 189, 399); script_set_attribute(attribute:"vuln_publication_date", value:"2006/12/09"); script_set_attribute(attribute:"patch_publication_date", value:"2007/02/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/04/02"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc."); script_dependencies("php_version.nasl"); script_require_ports("Services/www", 80); script_require_keys("www/PHP"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("audit.inc"); include("webapp_func.inc"); port = get_http_port(default:80, php:TRUE); php = get_php_from_kb( port : port, exit_on_fail : TRUE ); version = php["ver"]; source = php["src"]; backported = get_kb_item('www/php/'+port+'/'+version+'/backported'); if (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install"); if (version =~ "^5\.[01]\." \|\| version =~ "^5\.2\.0($\|[^0-9])" ) { if (report_verbosity > 0) { report = '\n Version source : '+source + '\n Installed version : '+version+ '\n Fixed version : 5.2.1\n'; security_hole(port:port, extra:report); } else security_hole(port); exit(0); } else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);

NASL family	CGI abuses
NASL id	PHP_4_4_5.NASL
description	According to its banner, the version of PHP installed on the remote host is older than 4.4.5. Such versions may be affected by several issues, including buffer overflows, format string vulnerabilities, arbitrary code execution,
last seen	2020-06-01
modified	2020-06-02
plugin id	24906
published	2007-04-02
reporter	This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/24906
title	PHP < 4.4.5 Multiple Vulnerabilities
code	# # (C) Tenable Network Security, Inc. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(24906); script_version("1.25"); script_cvs_date("Date: 2018/07/24 18:56:10"); script_cve_id( "CVE-2006-4625", "CVE-2007-0905", "CVE-2007-0906", "CVE-2007-0907", "CVE-2007-0908", "CVE-2007-0909", "CVE-2007-0910", "CVE-2007-0988", "CVE-2007-1286", "CVE-2007-1376", "CVE-2007-1378", "CVE-2007-1379", "CVE-2007-1380", "CVE-2007-1700", "CVE-2007-1701", "CVE-2007-1777", "CVE-2007-1825", "CVE-2007-1835", "CVE-2007-1884", "CVE-2007-1885", "CVE-2007-1886", "CVE-2007-1887", "CVE-2007-1890" ); script_bugtraq_id( 22496, 22805, 22806, 22833, 22862, 23119, 23120, 23169, 23219, 23233, 23234, 23235, 23236 ); script_name(english:"PHP < 4.4.5 Multiple Vulnerabilities"); script_summary(english:"Checks version of PHP"); script_set_attribute( attribute:"synopsis", value: "The remote web server uses a version of PHP that is affected by multiple flaws." ); script_set_attribute( attribute:"description", value: "According to its banner, the version of PHP installed on the remote host is older than 4.4.5. Such versions may be affected by several issues, including buffer overflows, format string vulnerabilities, arbitrary code execution, 'safe_mode' and 'open_basedir' bypasses, and clobbering of super-globals." ); script_set_attribute(attribute:"see_also", value:"http://www.php.net/releases/4_4_5.php"); script_set_attribute(attribute:"solution", value: "Upgrade to PHP version 4.4.5 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"metasploit_name", value:'PHP 4 unserialize() ZVAL Reference Counter Overflow (Cookie)'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_cwe_id(20, 399); script_set_attribute(attribute:"plugin_publication_date", value:"2007/04/02"); script_set_attribute(attribute:"vuln_publication_date", value:"2007/02/09"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc."); script_dependencies("php_version.nasl"); script_require_ports("Services/www", 80); script_require_keys("www/PHP"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("audit.inc"); include("webapp_func.inc"); port = get_http_port(default:80, php:TRUE); php = get_php_from_kb( port : port, exit_on_fail : TRUE ); version = php["ver"]; source = php["src"]; backported = get_kb_item('www/php/'+port+'/'+version+'/backported'); if (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install"); if (version =~ "^3\." \|\| version =~ "^4\.[0-3]\." \|\| version =~ "^4\.4\.[0-4]($\|[^0-9])" ) { if (report_verbosity > 0) { report = '\n Version source : '+source + '\n Installed version : '+version+ '\n Fixed version : 4.4.5\n'; security_hole(port:port, extra:report); } else security_hole(port); exit(0); } else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);

Statements

contributor	Mark J Cox
lastmodified	2007-04-16
organization	Red Hat
statement	The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself. We therefore do not classify this issue as security-sensitive since no trust boundary is crossed.

Summary

Vulnerable Configurations

Exploit-Db

Nessus

Statements

References