Vulnerabilities > CVE-2007-3996 - Numeric Errors vulnerability in PHP

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
php
CWE-189
nessus

Summary

Multiple integer overflows in libgd in PHP before 5.2.4 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large (1) srcW or (2) srcH value to the (a) gdImageCopyResized function, or a large (3) sy (height) or (4) sx (width) value to the (b) gdImageCreate or the (c) gdImageCreateTrueColor function.

Vulnerable Configurations

Part Description Count
Application
Php
328

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2007-0889.NASL
    descriptionUpdated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. These updated packages address the following vulnerabilities : Various integer overflow flaws were found in the PHP gd extension script that could be forced to resize images from an untrusted source, possibly allowing a remote attacker to execute arbitrary code as the apache user. (CVE-2007-3996) An integer overflow flaw was found in the PHP chunk_split function. If a remote attacker was able to pass arbitrary data to the third argument of chunk_split they could possibly execute arbitrary code as the apache user. Note that it is unusual for a PHP script to use the chunk_split function with a user-supplied third argument. (CVE-2007-2872) A previous security update introduced a bug into PHP session cookie handling. This could allow an attacker to stop a victim from viewing a vulnerable website if the victim has first visited a malicious web page under the control of the attacker, and that page can set a cookie for the vulnerable website. (CVE-2007-4670) A flaw was found in the PHP money_format function. If a remote attacker was able to pass arbitrary data to the money_format function this could possibly result in an information leak or denial of service. Note that it is unusual for a PHP script to pass user-supplied data to the money_format function. (CVE-2007-4658) A flaw was found in the PHP wordwrap function. If a remote attacker was able to pass arbitrary data to the wordwrap function this could possibly result in a denial of service. (CVE-2007-3998) A bug was found in PHP session cookie handling. This could allow an attacker to create a cross-site cookie insertion attack if a victim follows an untrusted carefully-crafted URL. (CVE-2007-3799) An infinite-loop flaw was discovered in the PHP gd extension. A script that could be forced to process PNG images from an untrusted source could allow a remote attacker to cause a denial of service. (CVE-2007-2756) A flaw was found in the PHP
    last seen2020-06-01
    modified2020-06-02
    plugin id26191
    published2007-09-26
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/26191
    titleRHEL 3 : php (RHSA-2007:0889)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2007-709.NASL
    descriptionThis update fixes a number of security issues in PHP : - various integer overflow flaws were found in the PHP gd extension. A script that could be forced to resize images from an untrusted source could possibly allow a remote attacker to execute arbitrary code as the apache user. (CVE-2007-3996) - an integer overflow flaw was found in the PHP chunk_split function. If a remote attacker was able to pass arbitrary data to the third argument of chunk_split they could possibly execute arbitrary code as the apache user. Note that it is unusual for a PHP script to use the chunk_script function with a user-supplied third argument. (CVE-2007-2872) - a previous security update introduced a bug into PHP session cookie handling. This could allow an attacker to stop a victim from viewing a vulnerable website if the victim has first visited a malicious web page under the control of the attacker, and that page can set a cookie for the vulnerable website. (CVE-2007-4670) - a flaw was found in the PHP money_format function. If a remote attacker was able to pass arbitrary data to the money_format function this could possibly result in an information leak or denial of service. Note that is is unusual for a PHP script to pass user-supplied data to the money_format function. (CVE-2007-4658) - a flaw was found in the PHP wordwrap function. If a remote attacker was able to pass arbitrary data to the wordwrap function this could possibly result in a denial of service. (CVE-2007-3998) - a bug was found in PHP session cookie handling. This could allow an attacker to create a cross-site cookie insertion attack if a victim follows an untrusted carefully-crafted URL. (CVE-2007-3799) - an infinite-loop flaw was discovered in the PHP gd extension. A script that could be forced to process PNG images from an untrusted source could allow a remote attacker to cause a denial of service. (CVE-2007-2756) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id26115
    published2007-09-25
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/26115
    titleFedora Core 6 : php-5.1.6-3.7.fc6 (2007-709)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200710-02.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200710-02 (PHP: Multiple vulnerabilities) Several vulnerabilities were found in PHP. Mattias Bengtsson and Philip Olausson reported integer overflows in the gdImageCreate() and gdImageCreateTrueColor() functions of the GD library which can cause heap-based buffer overflows (CVE-2007-3996). Gerhard Wagner discovered an integer overflow in the chunk_split() function that can lead to a heap-based buffer overflow (CVE-2007-2872). Its incomplete fix caused incorrect buffer size calculation due to precision loss, also resulting in a possible heap-based buffer overflow (CVE-2007-4661 and CVE-2007-4660). A buffer overflow in the sqlite_decode_binary() of the SQLite extension found by Stefan Esser that was addressed in PHP 5.2.1 was not fixed correctly (CVE-2007-1887). Stefan Esser discovered an error in the zend_alter_ini_entry() function handling a memory_limit violation (CVE-2007-4659). Stefan Esser also discovered a flaw when handling interruptions with userspace error handlers that can be exploited to read arbitrary heap memory (CVE-2007-1883). Disclosure of sensitive memory can also be triggered due to insufficient boundary checks in the strspn() and strcspn() functions, an issue discovered by Mattias Bengtsson and Philip Olausson (CVE-2007-4657) Stefan Esser reported incorrect validation in the FILTER_VALIDATE_EMAIL filter of the Filter extension allowing arbitrary email header injection (CVE-2007-1900). NOTE: This CVE was referenced, but not fixed in GLSA 200705-19. Stanislav Malyshev found an error with unknown impact in the money_format() function when processing
    last seen2020-06-01
    modified2020-06-02
    plugin id26942
    published2007-10-09
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/26942
    titleGLSA-200710-02 : PHP: Multiple vulnerabilities
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20070920_PHP_ON_SL5_X.NASL
    descriptionVarious integer overflow flaws were found in the PHP gd extension. A script that could be forced to resize images from an untrusted source could possibly allow a remote attacker to execute arbitrary code as the apache user. (CVE-2007-3996) An integer overflow flaw was found in the PHP chunk_split function. If a remote attacker was able to pass arbitrary data to the third argument of chunk_split they could possibly execute arbitrary code as the apache user. Note that it is unusual for a PHP script to use the chunk_script function with a user-supplied third argument. (CVE-2007-2872) A previous security update introduced a bug into PHP session cookie handling. This could allow an attacker to stop a victim from viewing a vulnerable website if the victim has first visited a malicious web page under the control of the attacker, and that page can set a cookie for the vulnerable website. (CVE-2007-4670) A flaw was found in the PHP money_format function. If a remote attacker was able to pass arbitrary data to the money_format function this could possibly result in an information leak or denial of service. Note that is is unusual for a PHP script to pass user-supplied data to the money_format function. (CVE-2007-4658) A flaw was found in the PHP wordwrap function. If a remote attacker was able to pass arbitrary data to the wordwrap function this could possibly result in a denial of service. (CVE-2007-3998) A bug was found in PHP session cookie handling. This could allow an attacker to create a cross-site cookie insertion attack if a victim follows an untrusted carefully-crafted URL. (CVE-2007-3799) An infinite-loop flaw was discovered in the PHP gd extension. A script that could be forced to process PNG images from an untrusted source could allow a remote attacker to cause a denial of service. (CVE-2007-2756)
    last seen2020-06-01
    modified2020-06-02
    plugin id60255
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60255
    titleScientific Linux Security Update : php on SL5.x, SL4.x i386/x86_64
  • NASL familySuSE Local Security Checks
    NASL idSUSE_APACHE2-MOD_PHP5-4810.NASL
    descriptionThis update fixes multiple bugs in php : - use system pcre library to fix several pcre vulnerabilities (CVE-2007-1659, CVE-2006-7230, CVE-2007-1660, CVE-2006-7227 CVE-2005-4872, CVE-2006-7228) - Flaws in processing multi byte sequences in htmlentities/htmlspecialchars (CVE-2007-5898) - overly long arguments to the dl() function could crash php (CVE-2007-4825) - overy long arguments to the glob() function could crash php (CVE-2007-4782) - overly long arguments to some iconv functions could crash php (CVE-2007-4840) - overy long arguments to the setlocale() function could crash php (CVE-2007-4784) - the wordwrap-Function could cause a floating point exception (CVE-2007-3998) - overy long arguments to the fnmatch() function could crash php (CVE-2007-4782) - incorrect size calculation in the chunk_split function could lead to a buffer overflow (CVE-2007-4661) - Flaws in the GD extension could lead to integer overflows (CVE-2007-3996) - The money_format function contained format string flaws (CVE-2007-4658) - Data for some time zones has been updated
    last seen2020-06-01
    modified2020-06-02
    plugin id29878
    published2008-01-08
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/29878
    titleopenSUSE 10 Security Update : apache2-mod_php5 (apache2-mod_php5-4810)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_71D903FC602D11DC898C001921AB2FA4.NASL
    descriptionThe PHP development team reports : Security Enhancements and Fixes in PHP 5.2.4 : - Fixed a floating point exception inside wordwrap() (Reported by Mattias Bengtsson) - Fixed several integer overflows inside the GD extension (Reported by Mattias Bengtsson) - Fixed size calculation in chunk_split() (Reported by Gerhard Wagner) - Fixed integer overflow in str[c]spn(). (Reported by Mattias Bengtsson) - Fixed money_format() not to accept multiple %i or %n tokens. (Reported by Stanislav Malyshev) - Fixed zend_alter_ini_entry() memory_limit interruption vulnerability. (Reported by Stefan Esser) - Fixed INFILE LOCAL option handling with MySQL extensions not to be allowed when open_basedir or safe_mode is active. (Reported by Mattias Bengtsson) - Fixed session.save_path and error_log values to be checked against open_basedir and safe_mode (CVE-2007-3378) (Reported by Maksymilian Arciemowicz) - Fixed a possible invalid read in glob() win32 implementation (CVE-2007-3806) (Reported by shinnai) - Fixed a possible buffer overflow in php_openssl_make_REQ (Reported by zatanzlatan at hotbrev dot com) - Fixed an open_basedir bypass inside glob() function (Reported by dr at peytz dot dk) - Fixed a possible open_basedir bypass inside session extension when the session file is a symlink (Reported by c dot i dot morris at durham dot ac dot uk) - Improved fix for MOPB-03-2007. - Corrected fix for CVE-2007-2872.
    last seen2020-06-01
    modified2020-06-02
    plugin id26038
    published2007-09-14
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/26038
    titleFreeBSD : php -- multiple vulnerabilities (71d903fc-602d-11dc-898c-001921ab2fa4)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2007-0890.NASL
    descriptionUpdated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. Various integer overflow flaws were found in the PHP gd extension. A script that could be forced to resize images from an untrusted source could possibly allow a remote attacker to execute arbitrary code as the apache user. (CVE-2007-3996) An integer overflow flaw was found in the PHP chunk_split function. If a remote attacker was able to pass arbitrary data to the third argument of chunk_split they could possibly execute arbitrary code as the apache user. Note that it is unusual for a PHP script to use the chunk_script function with a user-supplied third argument. (CVE-2007-2872) A previous security update introduced a bug into PHP session cookie handling. This could allow an attacker to stop a victim from viewing a vulnerable website if the victim has first visited a malicious web page under the control of the attacker, and that page can set a cookie for the vulnerable website. (CVE-2007-4670) A flaw was found in the PHP money_format function. If a remote attacker was able to pass arbitrary data to the money_format function this could possibly result in an information leak or denial of service. Note that is is unusual for a PHP script to pass user-supplied data to the money_format function. (CVE-2007-4658) A flaw was found in the PHP wordwrap function. If a remote attacker was able to pass arbitrary data to the wordwrap function this could possibly result in a denial of service. (CVE-2007-3998) A bug was found in PHP session cookie handling. This could allow an attacker to create a cross-site cookie insertion attack if a victim follows an untrusted carefully-crafted URL. (CVE-2007-3799) An infinite-loop flaw was discovered in the PHP gd extension. A script that could be forced to process PNG images from an untrusted source could allow a remote attacker to cause a denial of service. (CVE-2007-2756) Users of PHP should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id26075
    published2007-09-24
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/26075
    titleCentOS 4 / 5 : php (CESA-2007:0890)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2007-0889.NASL
    descriptionUpdated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. These updated packages address the following vulnerabilities : Various integer overflow flaws were found in the PHP gd extension script that could be forced to resize images from an untrusted source, possibly allowing a remote attacker to execute arbitrary code as the apache user. (CVE-2007-3996) An integer overflow flaw was found in the PHP chunk_split function. If a remote attacker was able to pass arbitrary data to the third argument of chunk_split they could possibly execute arbitrary code as the apache user. Note that it is unusual for a PHP script to use the chunk_split function with a user-supplied third argument. (CVE-2007-2872) A previous security update introduced a bug into PHP session cookie handling. This could allow an attacker to stop a victim from viewing a vulnerable website if the victim has first visited a malicious web page under the control of the attacker, and that page can set a cookie for the vulnerable website. (CVE-2007-4670) A flaw was found in the PHP money_format function. If a remote attacker was able to pass arbitrary data to the money_format function this could possibly result in an information leak or denial of service. Note that it is unusual for a PHP script to pass user-supplied data to the money_format function. (CVE-2007-4658) A flaw was found in the PHP wordwrap function. If a remote attacker was able to pass arbitrary data to the wordwrap function this could possibly result in a denial of service. (CVE-2007-3998) A bug was found in PHP session cookie handling. This could allow an attacker to create a cross-site cookie insertion attack if a victim follows an untrusted carefully-crafted URL. (CVE-2007-3799) An infinite-loop flaw was discovered in the PHP gd extension. A script that could be forced to process PNG images from an untrusted source could allow a remote attacker to cause a denial of service. (CVE-2007-2756) A flaw was found in the PHP
    last seen2020-06-01
    modified2020-06-02
    plugin id26204
    published2007-10-03
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/26204
    titleCentOS 3 : php (CESA-2007:0889)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_APACHE2-MOD_PHP5-4808.NASL
    descriptionThis update fixes multiple bugs in php : - use system pcre library to fix several pcre vulnerabilities. (CVE-2007-1659 / CVE-2006-7230 / CVE-2007-1660 / CVE-2006-7227 / CVE-2005-4872 / CVE-2006-7228) - Flaws in processing multi byte sequences in htmlentities/htmlspecialchars. (CVE-2007-5898) - overly long arguments to the dl() function could crash php. (CVE-2007-4825) - overy long arguments to the glob() function could crash php. (CVE-2007-4782) - overly long arguments to some iconv functions could crash php. (CVE-2007-4840) - overy long arguments to the setlocale() function could crash php. (CVE-2007-4784) - the wordwrap-Function could cause a floating point exception. (CVE-2007-3998) - overy long arguments to the fnmatch() function could crash php. (CVE-2007-4782) - incorrect size calculation in the chunk_split function could lead to a buffer overflow. (CVE-2007-4661) - Flaws in the GD extension could lead to integer overflows. (CVE-2007-3996) - The money_format function contained format string flaws. (CVE-2007-4658) - Data for some time zones has been updated
    last seen2020-06-01
    modified2020-06-02
    plugin id29780
    published2007-12-24
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/29780
    titleSuSE 10 Security Update : PHP5 (ZYPP Patch Number 4808)
  • NASL familySuSE Local Security Checks
    NASL idSUSE9_12049.NASL
    descriptionThis update fixes multiple bugs in php : - several problems in pcre (CVE-2007-1660, CVE-2006-7225, CVE-2006-7224, CVE-2006-7226 CVE-2007-1659, CVE-2006-7230) - Flaws in processing multi byte sequences in htmlentities/htmlspecialchars. (CVE-2007-5898) - overly long arguments to the dl() function could crash php. (CVE-2007-4825) - overy long arguments to the glob() function could crash php. (CVE-2007-4782) - overly long arguments to some iconv functions could crash php. (CVE-2007-4840) - overy long arguments to the setlocale() function could crash php. (CVE-2007-4784) - the wordwrap-Function could cause a floating point exception. (CVE-2007-3998) - overy long arguments to the fnmatch() function could crash php. (CVE-2007-4782) - incorrect size calculation in the chunk_split function could lead to a buffer overflow. (CVE-2007-4661, CVE-2007-2872) - Flaws in the GD extension could lead to integer overflows. (CVE-2007-3996) - The money_format function contained format string flaws. (CVE-2007-4658)
    last seen2020-06-01
    modified2020-06-02
    plugin id41187
    published2009-09-24
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/41187
    titleSuSE9 Security Update : PHP4 (YOU Patch Number 12049)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20070926_PHP_ON_SL3.NASL
    descriptionVarious integer overflow flaws were found in the PHP gd extension script that could be forced to resize images from an untrusted source, possibly allowing a remote attacker to execute arbitrary code as the apache user. (CVE-2007-3996) An integer overflow flaw was found in the PHP chunk_split function. If a remote attacker was able to pass arbitrary data to the third argument of chunk_split they could possibly execute arbitrary code as the apache user. Note that it is unusual for a PHP script to use the chunk_split function with a user-supplied third argument. (CVE-2007-2872) A previous security update introduced a bug into PHP session cookie handling. This could allow an attacker to stop a victim from viewing a vulnerable website if the victim has first visited a malicious web page under the control of the attacker, and that page can set a cookie for the vulnerable website. (CVE-2007-4670) A flaw was found in the PHP money_format function. If a remote attacker was able to pass arbitrary data to the money_format function this could possibly result in an information leak or denial of service. Note that it is unusual for a PHP script to pass user-supplied data to the money_format function. (CVE-2007-4658) A flaw was found in the PHP wordwrap function. If a remote attacker was able to pass arbitrary data to the wordwrap function this could possibly result in a denial of service. (CVE-2007-3998) A bug was found in PHP session cookie handling. This could allow an attacker to create a cross-site cookie insertion attack if a victim follows an untrusted carefully-crafted URL. (CVE-2007-3799) An infinite-loop flaw was discovered in the PHP gd extension. A script that could be forced to process PNG images from an untrusted source could allow a remote attacker to cause a denial of service. (CVE-2007-2756) A flaw was found in the PHP
    last seen2020-06-01
    modified2020-06-02
    plugin id60257
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60257
    titleScientific Linux Security Update : php on SL3.x i386/x86_64
  • NASL familyCGI abuses
    NASL idPHP_5_2_5.NASL
    descriptionAccording to its banner, the version of PHP installed on the remote host is older than 5.2.5. Such versions may be affected by various issues, including but not limited to several buffer overflows.
    last seen2020-06-01
    modified2020-06-02
    plugin id28181
    published2007-11-12
    reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/28181
    titlePHP < 5.2.5 Multiple Vulnerabilities
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2007-0889.NASL
    descriptionFrom Red Hat Security Advisory 2007:0889 : Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. These updated packages address the following vulnerabilities : Various integer overflow flaws were found in the PHP gd extension script that could be forced to resize images from an untrusted source, possibly allowing a remote attacker to execute arbitrary code as the apache user. (CVE-2007-3996) An integer overflow flaw was found in the PHP chunk_split function. If a remote attacker was able to pass arbitrary data to the third argument of chunk_split they could possibly execute arbitrary code as the apache user. Note that it is unusual for a PHP script to use the chunk_split function with a user-supplied third argument. (CVE-2007-2872) A previous security update introduced a bug into PHP session cookie handling. This could allow an attacker to stop a victim from viewing a vulnerable website if the victim has first visited a malicious web page under the control of the attacker, and that page can set a cookie for the vulnerable website. (CVE-2007-4670) A flaw was found in the PHP money_format function. If a remote attacker was able to pass arbitrary data to the money_format function this could possibly result in an information leak or denial of service. Note that it is unusual for a PHP script to pass user-supplied data to the money_format function. (CVE-2007-4658) A flaw was found in the PHP wordwrap function. If a remote attacker was able to pass arbitrary data to the wordwrap function this could possibly result in a denial of service. (CVE-2007-3998) A bug was found in PHP session cookie handling. This could allow an attacker to create a cross-site cookie insertion attack if a victim follows an untrusted carefully-crafted URL. (CVE-2007-3799) An infinite-loop flaw was discovered in the PHP gd extension. A script that could be forced to process PNG images from an untrusted source could allow a remote attacker to cause a denial of service. (CVE-2007-2756) A flaw was found in the PHP
    last seen2020-06-01
    modified2020-06-02
    plugin id67569
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67569
    titleOracle Linux 3 : php (ELSA-2007-0889)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2007-0890.NASL
    descriptionUpdated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. Various integer overflow flaws were found in the PHP gd extension. A script that could be forced to resize images from an untrusted source could possibly allow a remote attacker to execute arbitrary code as the apache user. (CVE-2007-3996) An integer overflow flaw was found in the PHP chunk_split function. If a remote attacker was able to pass arbitrary data to the third argument of chunk_split they could possibly execute arbitrary code as the apache user. Note that it is unusual for a PHP script to use the chunk_script function with a user-supplied third argument. (CVE-2007-2872) A previous security update introduced a bug into PHP session cookie handling. This could allow an attacker to stop a victim from viewing a vulnerable website if the victim has first visited a malicious web page under the control of the attacker, and that page can set a cookie for the vulnerable website. (CVE-2007-4670) A flaw was found in the PHP money_format function. If a remote attacker was able to pass arbitrary data to the money_format function this could possibly result in an information leak or denial of service. Note that is is unusual for a PHP script to pass user-supplied data to the money_format function. (CVE-2007-4658) A flaw was found in the PHP wordwrap function. If a remote attacker was able to pass arbitrary data to the wordwrap function this could possibly result in a denial of service. (CVE-2007-3998) A bug was found in PHP session cookie handling. This could allow an attacker to create a cross-site cookie insertion attack if a victim follows an untrusted carefully-crafted URL. (CVE-2007-3799) An infinite-loop flaw was discovered in the PHP gd extension. A script that could be forced to process PNG images from an untrusted source could allow a remote attacker to cause a denial of service. (CVE-2007-2756) Users of PHP should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id26110
    published2007-09-24
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/26110
    titleRHEL 4 / 5 : php (RHSA-2007:0890)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2007-0890.NASL
    descriptionFrom Red Hat Security Advisory 2007:0890 : Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. Various integer overflow flaws were found in the PHP gd extension. A script that could be forced to resize images from an untrusted source could possibly allow a remote attacker to execute arbitrary code as the apache user. (CVE-2007-3996) An integer overflow flaw was found in the PHP chunk_split function. If a remote attacker was able to pass arbitrary data to the third argument of chunk_split they could possibly execute arbitrary code as the apache user. Note that it is unusual for a PHP script to use the chunk_script function with a user-supplied third argument. (CVE-2007-2872) A previous security update introduced a bug into PHP session cookie handling. This could allow an attacker to stop a victim from viewing a vulnerable website if the victim has first visited a malicious web page under the control of the attacker, and that page can set a cookie for the vulnerable website. (CVE-2007-4670) A flaw was found in the PHP money_format function. If a remote attacker was able to pass arbitrary data to the money_format function this could possibly result in an information leak or denial of service. Note that is is unusual for a PHP script to pass user-supplied data to the money_format function. (CVE-2007-4658) A flaw was found in the PHP wordwrap function. If a remote attacker was able to pass arbitrary data to the wordwrap function this could possibly result in a denial of service. (CVE-2007-3998) A bug was found in PHP session cookie handling. This could allow an attacker to create a cross-site cookie insertion attack if a victim follows an untrusted carefully-crafted URL. (CVE-2007-3799) An infinite-loop flaw was discovered in the PHP gd extension. A script that could be forced to process PNG images from an untrusted source could allow a remote attacker to cause a denial of service. (CVE-2007-2756) Users of PHP should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id67570
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67570
    titleOracle Linux 4 / 5 : php (ELSA-2007-0890)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-720-1.NASL
    descriptionIt was discovered that PHP did not properly enforce php_admin_value and php_admin_flag restrictions in the Apache configuration file. A local attacker could create a specially crafted PHP script that would bypass intended security restrictions. This issue only applied to Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2007-5900) It was discovered that PHP did not correctly handle certain malformed font files. If a PHP application were tricked into processing a specially crafted font file, an attacker may be able to cause a denial of service and possibly execute arbitrary code with application privileges. (CVE-2008-3658) It was discovered that PHP did not properly check the delimiter argument to the explode function. If a script passed untrusted input to the explode function, an attacker could cause a denial of service and possibly execute arbitrary code with application privileges. (CVE-2008-3659) It was discovered that PHP, when used as FastCGI module, did not properly sanitize requests. By performing a request with multiple dots preceding the extension, an attacker could cause a denial of service. (CVE-2008-3660) It was discovered that PHP did not properly handle Unicode conversion in the mbstring extension. If a PHP application were tricked into processing a specially crafted string containing an HTML entity, an attacker could execute arbitrary code with application privileges. (CVE-2008-5557) It was discovered that PHP did not properly initialize the page_uid and page_gid global variables for use by the SAPI php_getuid function. An attacker could exploit this issue to bypass safe_mode restrictions. (CVE-2008-5624) It was dicovered that PHP did not properly enforce error_log safe_mode restrictions when set by php_admin_flag in the Apache configuration file. A local attacker could create a specially crafted PHP script that would overwrite arbitrary files. (CVE-2008-5625) It was discovered that PHP contained a flaw in the ZipArchive::extractTo function. If a PHP application were tricked into processing a specially crafted zip file that had filenames containing
    last seen2020-06-01
    modified2020-06-02
    plugin id36665
    published2009-04-23
    reporterUbuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/36665
    titleUbuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : php5 vulnerabilities (USN-720-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_APACHE2-MOD_PHP5-4909.NASL
    descriptionThis update fixes multiple bugs in php by upgrading it to version 5.2.5. - Flaws in processing multi byte sequences in htmlentities/htmlspecialchars (CVE-2007-5898) - overly long arguments to the dl() function could crash php (CVE-2007-4825) - overy long arguments to the glob() function could crash php (CVE-2007-4782) - overly long arguments to some iconv functions could crash php (CVE-2007-4840) - overy long arguments to the setlocale() function could crash php (CVE-2007-4784) - the wordwrap-Function could cause a floating point exception (CVE-2007-3998) - overy long arguments to the fnmatch() function could crash php (CVE-2007-4782) - incorrect size calculation in the chunk_split function could lead to a buffer overflow (CVE-2007-4661, CVE-2007-2872) - Flaws in the GD extension could lead to integer overflows (CVE-2007-3996) - The money_format function contained format string flaws (CVE-2007-4658) - Data for some time zones has been updated - php5 has been updated to version 5.2.5 to fix those problems
    last seen2020-06-01
    modified2020-06-02
    plugin id30092
    published2008-01-27
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/30092
    titleopenSUSE 10 Security Update : apache2-mod_php5 (apache2-mod_php5-4909)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2007-0888.NASL
    descriptionUpdated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 2.1 This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. Various integer overflow flaws were found in the PHP gd extension. A script that could be forced to resize images from an untrusted source could possibly allow a remote attacker to execute arbitrary code as the apache user. (CVE-2007-3996) An integer overflow flaw was found in the PHP chunk_split function. If a remote attacker was able to pass arbitrary data to the third argument of chunk_split they could possibly execute arbitrary code as the apache user. Note that it is unusual for a PHP script to use the chunk_script function with a user-supplied third argument. (CVE-2007-2872) A previous security update introduced a bug into PHP session cookie handling. This could allow an attacker to stop a victim from viewing a vulnerable website if the victim has first visited a malicious web page under the control of the attacker, and that page can set a cookie for the vulnerable website. (CVE-2007-4670) A bug was found in PHP session cookie handling. This could allow an attacker to create a cross-site cookie insertion attack if a victim follows an untrusted carefully-crafted URL. (CVE-2007-3799) A flaw was found in the PHP
    last seen2020-06-01
    modified2020-06-02
    plugin id27564
    published2007-10-25
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/27564
    titleRHEL 2.1 : php (RHSA-2007:0888)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2007-187.NASL
    descriptionNumerous vulnerabilities were discovered in the PHP scripting language that are corrected with this update. An integer overflow in the substr_compare() function allows context-dependent attackers to read sensitive memory via a large value in the length argument. This only affects PHP5 (CVE-2007-1375). A stack-based buffer overflow in the zip:// URI wrapper in PECL ZIP 1.8.3 and earlier allowes remote attackers to execute arbitrary code via a long zip:// URL. This only affects Corporate Server 4.0 (CVE-2007-1399). A CRLF injection vulnerability in the FILTER_VALIDATE_EMAIL filter could allow an attacker to inject arbitrary email headers via a special email address. This only affects Mandriva Linux 2007.1 (CVE-2007-1900). The mcrypt_create_iv() function calls php_rand_r() with an uninitialized seed variable, thus always generating the same initialization vector, which may allow an attacker to decrypt certain data more easily because of the guessable encryption keys (CVE-2007-2727). The soap extension calls php_rand_r() with an uninitialized seec variable, which has unknown impact and attack vectors; an issue similar to that affecting mcrypt_create_iv(). This only affects PHP5 (CVE-2007-2728). The substr_count() function allows attackers to obtain sensitive information via unspecified vectors. This only affects PHP5 (CVE-2007-2748). An infinite loop was found in the gd extension that could be used to cause a denial of service if a script were forced to process certain PNG images from untrusted sources (CVE-2007-2756). An integer overflow flaw was found in the chunk_split() function that ould possibly execute arbitrary code as the apache user if a remote attacker was able to pass arbitrary data to the third argument of chunk_split() (CVE-2007-2872). A flaw in the PHP session cookie handling could allow an attacker to create a cross-site cookie insertion attack if a victim followed an untrusted carefully-crafted URL (CVE-2007-3799). Various integer overflow flaws were discovered in the PHP gd extension that could allow a remote attacker to execute arbitrary code as the apache user (CVE-2007-3996). A flaw in the wordwrap() frunction could result in a denial of ervice if a remote attacker was able to pass arbitrary data to the function (CVE-2007-3998). A flaw in the money_format() function could result in an information leak or denial of service if a remote attacker was able to pass arbitrary data to this function; this situation would be unlikely however (CVE-2007-4658). A bug in the PHP session cookie handling could allow an attacker to stop a victim from viewing a vulnerable website if the victim first visited a malicious website under the control of the attacker who was able to use that page to set a cookie for the vulnerable website (CVE-2007-4670). Updated packages have been patched to prevent these issues. In addition, PECL ZIP version 1.8.10 is being provided for Corporate Server 4.0.
    last seen2020-06-01
    modified2020-06-02
    plugin id26107
    published2007-09-24
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/26107
    titleMandrake Linux Security Advisory : php (MDKSA-2007:187)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1613.NASL
    descriptionMultiple vulnerabilities have been identified in libgd2, a library for programmatic graphics creation and manipulation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-2445 Grayscale PNG files containing invalid tRNS chunk CRC values could cause a denial of service (crash), if a maliciously crafted image is loaded into an application using libgd. - CVE-2007-3476 An array indexing error in libgd
    last seen2020-06-01
    modified2020-06-02
    plugin id33552
    published2008-07-23
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33552
    titleDebian DSA-1613-1 : libgd2 - multiple vulnerabilities
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-557-1.NASL
    descriptionMattias Bengtsson and Philip Olausson discovered that the GD library did not properly perform bounds checking when creating images. An attacker could send specially crafted input to applications linked against libgd2 and cause a denial of service or possibly execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id29739
    published2007-12-19
    reporterUbuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/29739
    titleUbuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : libgd2 vulnerability (USN-557-1)

Oval

accepted2013-04-29T04:11:50.664-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
    ovaloval:org.mitre.oval:def:11782
  • commentCentOS Linux 3.x
    ovaloval:org.mitre.oval:def:16651
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
    ovaloval:org.mitre.oval:def:11831
  • commentCentOS Linux 4.x
    ovaloval:org.mitre.oval:def:16636
  • commentOracle Linux 4.x
    ovaloval:org.mitre.oval:def:15990
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 5
    ovaloval:org.mitre.oval:def:11414
  • commentThe operating system installed on the system is CentOS Linux 5.x
    ovaloval:org.mitre.oval:def:15802
  • commentOracle Linux 5.x
    ovaloval:org.mitre.oval:def:15459
descriptionMultiple integer overflows in libgd in PHP before 5.2.4 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large (1) srcW or (2) srcH value to the (a) gdImageCopyResized function, or a large (3) sy (height) or (4) sx (width) value to the (b) gdImageCreate or the (c) gdImageCreateTrueColor function.
familyunix
idoval:org.mitre.oval:def:11147
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleMultiple integer overflows in libgd in PHP before 5.2.4 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large (1) srcW or (2) srcH value to the (a) gdImageCopyResized function, or a large (3) sy (height) or (4) sx (width) value to the (b) gdImageCreate or the (c) gdImageCreateTrueColor function.
version27

Redhat

advisories
  • rhsa
    idRHSA-2007:0888
  • rhsa
    idRHSA-2007:0889
  • rhsa
    idRHSA-2007:0890
  • rhsa
    idRHSA-2007:0891
rpms
  • php-0:4.1.2-2.19
  • php-devel-0:4.1.2-2.19
  • php-imap-0:4.1.2-2.19
  • php-ldap-0:4.1.2-2.19
  • php-manual-0:4.1.2-2.19
  • php-mysql-0:4.1.2-2.19
  • php-odbc-0:4.1.2-2.19
  • php-pgsql-0:4.1.2-2.19
  • php-0:4.3.2-43.ent
  • php-debuginfo-0:4.3.2-43.ent
  • php-devel-0:4.3.2-43.ent
  • php-imap-0:4.3.2-43.ent
  • php-ldap-0:4.3.2-43.ent
  • php-mysql-0:4.3.2-43.ent
  • php-odbc-0:4.3.2-43.ent
  • php-pgsql-0:4.3.2-43.ent
  • php-0:4.3.9-3.22.9
  • php-0:5.1.6-15.el5
  • php-bcmath-0:5.1.6-15.el5
  • php-cli-0:5.1.6-15.el5
  • php-common-0:5.1.6-15.el5
  • php-dba-0:5.1.6-15.el5
  • php-debuginfo-0:4.3.9-3.22.9
  • php-debuginfo-0:5.1.6-15.el5
  • php-devel-0:4.3.9-3.22.9
  • php-devel-0:5.1.6-15.el5
  • php-domxml-0:4.3.9-3.22.9
  • php-gd-0:4.3.9-3.22.9
  • php-gd-0:5.1.6-15.el5
  • php-imap-0:4.3.9-3.22.9
  • php-imap-0:5.1.6-15.el5
  • php-ldap-0:4.3.9-3.22.9
  • php-ldap-0:5.1.6-15.el5
  • php-mbstring-0:4.3.9-3.22.9
  • php-mbstring-0:5.1.6-15.el5
  • php-mysql-0:4.3.9-3.22.9
  • php-mysql-0:5.1.6-15.el5
  • php-ncurses-0:4.3.9-3.22.9
  • php-ncurses-0:5.1.6-15.el5
  • php-odbc-0:4.3.9-3.22.9
  • php-odbc-0:5.1.6-15.el5
  • php-pdo-0:5.1.6-15.el5
  • php-pear-0:4.3.9-3.22.9
  • php-pgsql-0:4.3.9-3.22.9
  • php-pgsql-0:5.1.6-15.el5
  • php-snmp-0:4.3.9-3.22.9
  • php-snmp-0:5.1.6-15.el5
  • php-soap-0:5.1.6-15.el5
  • php-xml-0:5.1.6-15.el5
  • php-xmlrpc-0:4.3.9-3.22.9
  • php-xmlrpc-0:5.1.6-15.el5
  • php-0:5.1.6-3.el4s1.8
  • php-bcmath-0:5.1.6-3.el4s1.8
  • php-cli-0:5.1.6-3.el4s1.8
  • php-common-0:5.1.6-3.el4s1.8
  • php-dba-0:5.1.6-3.el4s1.8
  • php-debuginfo-0:5.1.6-3.el4s1.8
  • php-devel-0:5.1.6-3.el4s1.8
  • php-gd-0:5.1.6-3.el4s1.8
  • php-imap-0:5.1.6-3.el4s1.8
  • php-ldap-0:5.1.6-3.el4s1.8
  • php-mbstring-0:5.1.6-3.el4s1.8
  • php-mysql-0:5.1.6-3.el4s1.8
  • php-ncurses-0:5.1.6-3.el4s1.8
  • php-odbc-0:5.1.6-3.el4s1.8
  • php-pdo-0:5.1.6-3.el4s1.8
  • php-pgsql-0:5.1.6-3.el4s1.8
  • php-snmp-0:5.1.6-3.el4s1.8
  • php-soap-0:5.1.6-3.el4s1.8
  • php-xml-0:5.1.6-3.el4s1.8
  • php-xmlrpc-0:5.1.6-3.el4s1.8
  • php-0:5.2.3-3.el5s2
  • php-bcmath-0:5.2.3-3.el5s2
  • php-cli-0:5.2.3-3.el5s2
  • php-common-0:5.2.3-3.el5s2
  • php-dba-0:5.2.3-3.el5s2
  • php-debuginfo-0:5.2.3-3.el5s2
  • php-devel-0:5.2.3-3.el5s2
  • php-gd-0:5.2.3-3.el5s2
  • php-imap-0:5.2.3-3.el5s2
  • php-ldap-0:5.2.3-3.el5s2
  • php-mbstring-0:5.2.3-3.el5s2
  • php-mysql-0:5.2.3-3.el5s2
  • php-ncurses-0:5.2.3-3.el5s2
  • php-odbc-0:5.2.3-3.el5s2
  • php-pdo-0:5.2.3-3.el5s2
  • php-pgsql-0:5.2.3-3.el5s2
  • php-snmp-0:5.2.3-3.el5s2
  • php-soap-0:5.2.3-3.el5s2
  • php-xml-0:5.2.3-3.el5s2
  • php-xmlrpc-0:5.2.3-3.el5s2

Seebug

bulletinFamilyexploit
descriptionCVE(CAN) ID: CVE-2007-3996 PHP是广泛使用的通用目的脚本语言,特别适合于Web开发,可嵌入到HTML中。 PHP的libgd实现中gdImageCreate()和gdImageCreateTrueColor()函数存在整数溢出漏洞,远程攻击者可能利用此漏洞控制服务器。 这两个函数可由ImageCreate()和ImageCreateTrueColor()直接调用。 ... im-&gt;tpixels = (int **) gdMalloc(sizeof(int *) * sy); im-&gt;AA_opacity = (unsigned char **) gdMalloc(sizeof(unsigned char *) * sy); ... for (i = 0; i &lt; sy; i++) { im-&gt;tpixels[i] = (int *) gdCalloc(sx, sizeof(int)); im-&gt;AA_opacity[i] = (unsigned char *) gdCalloc(sx, sizeof(unsigned char)); } ... 使用很大的sy/height或sx/width值就可以在为im-&gt;tpixels和im-&gt;AA_opacity分配内存时触发整数溢出,导致崩溃或执行任意代码。由于可从PHP代码的多个位置调用gdImageCreate()和gdImageCreateTrueColor(),如使用任意imagecreatefrom* -函数,因此可以通过向Web应用上传图形来远程触发溢出。 PHP的libgd实现中gdImageCopyResized()函数也存在整数溢出漏洞,该函数可由imagecopyresized()或imagecopyresampled()调用。 ... stx = (int *) gdMalloc (sizeof (int) * srcW); sty = (int *) gdMalloc (sizeof (int) * srcH); ... for (i = 0; (i &lt; srcW); i++) { stx[i] = dstW * (i+1) / srcW - dstW * i / srcW ; } for (i = 0; (i &lt; srcH); i++) { sty[i] = dstH * (i+1) / srcH - dstH * i / srcH ; } ... 向srcW或srcH传送很大的值就会在分配stx和sty的缓冲区时触发整数溢出,分配操作后的for循环会试图写入大量数据,导致崩溃或执行任意代码。如果Web应用程序使用这个函数调整远程上传图形的大小,则上传特制图形文件就可以触发这个溢出。 PHP &lt; 5.2.4 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href="http://www.php.net/releases/5_2_4.php" target="_blank">http://www.php.net/releases/5_2_4.php</a>
idSSV:2185
last seen2017-11-19
modified2007-09-05
published2007-09-05
reporterRoot
sourcehttps://www.seebug.org/vuldb/ssvid-2185
titlePHP libgd实现多个函数整数溢出漏洞

References