Vulnerabilities > CVE-2007-4507 - Denial-Of-Service vulnerability in PHP 5.2.3

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
php
nessus
exploit available

Summary

Multiple buffer overflows in the php_ntuser component for PHP 5.2.3 allow context-dependent attackers to cause a denial of service or execute arbitrary code via long arguments to the (1) ntuser_getuserlist, (2) ntuser_getuserinfo, (3) ntuser_getusergroups, or (4) ntuser_getdomaincontroller functions.

Vulnerable Configurations

Part Description Count
Application
Php
1

Exploit-Db

descriptionPHP 5.2.3 php_ntuser ntuser_getuserlist() Local Buffer Overflow PoC. CVE-2007-4507. Dos exploit for windows platform
fileexploits/windows/dos/4304.php
idEDB-ID:4304
last seen2016-01-31
modified2007-08-23
platformwindows
port
published2007-08-23
reportershinnai
sourcehttps://www.exploit-db.com/download/4304/
titlePHP 5.2.3 php_ntuser ntuser_getuserlist Local Buffer Overflow PoC
typedos

Nessus

NASL familyCGI abuses
NASL idPHP_5_2_4.NASL
descriptionAccording to its banner, the version of PHP installed on the remote host is older than 5.2.4. Such versions may be affected by various issues, including but not limited to several overflows.
last seen2020-06-01
modified2020-06-02
plugin id25971
published2007-09-03
reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/25971
titlePHP < 5.2.4 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(25971);
  script_version("1.20");
  script_cvs_date("Date: 2018/07/24 18:56:10");

  script_cve_id(
    "CVE-2007-1413",
    "CVE-2007-2872",
    "CVE-2007-3294",
    "CVE-2007-3378",
    "CVE-2007-3790",
    "CVE-2007-3799",
    "CVE-2007-3806",
    "CVE-2007-4010",
    "CVE-2007-4033",
    "CVE-2007-4255",
    "CVE-2007-4507",
    "CVE-2007-4652",
    "CVE-2007-4658",
    "CVE-2007-4659",
    "CVE-2007-4660",
    "CVE-2007-4661",
    "CVE-2007-4662",
    "CVE-2007-4663"
  );
  script_bugtraq_id(24661, 24261, 24922, 25498);

  script_name(english:"PHP < 5.2.4 Multiple Vulnerabilities");
  script_summary(english:"Checks version of PHP");
 
  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote web server uses a version of PHP that is affected by
multiple flaws."
  );
  script_set_attribute(
    attribute:"description",
    value:
"According to its banner, the version of PHP installed on the remote
host is older than 5.2.4.  Such versions may be affected by various
issues, including but not limited to several overflows."
  );
  script_set_attribute(attribute:"see_also", value:"http://www.php.net/releases/5_2_4.php");
  script_set_attribute(attribute:"solution", value:
"Upgrade to PHP version 5.2.4 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 22, 119, 189, 362, 399);

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/06/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2007/08/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/09/03");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");

  script_dependencies("php_version.nasl");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("audit.inc");
include("webapp_func.inc");

port = get_http_port(default:80, php:TRUE);

php = get_php_from_kb(
  port : port,
  exit_on_fail : TRUE
);

version = php["ver"];
source = php["src"];

backported = get_kb_item('www/php/'+port+'/'+version+'/backported');

if (report_paranoia < 2 && backported)
  audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install");

if (version =~ "^5\.[01]\." ||
    version =~ "^5\.2\.[0-3]($|[^0-9])"
)
{
  if (report_verbosity > 0)
  {
    report =
      '\n  Version source     : '+source +
      '\n  Installed version  : '+version+
      '\n  Fixed version      : 5.2.4\n';
    security_warning(port:port, extra:report);
  }
  else security_warning(port);
  exit(0);
}
else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);

Statements

contributorMark J Cox
lastmodified2007-08-24
organizationRed Hat
statementNot vulnerable. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5, or Red Hat Application Stack 1.