CVE-2008-0599 - Incorrect Calculation of Buffer Size vulnerability in multiple products
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
The init_request_info function in sapi/cgi/cgi_main.c in PHP before 5.2.6 does not properly consider operator precedence when calculating the length of PATH_TRANSLATED, which might allow remote attackers to execute arbitrary code via a crafted URI.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Overflow Buffers: Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attacker's choice.
- Buffer Overflow via Parameter Expansion: In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
Nessus
NASL family | Ubuntu Local Security Checks |
NASL id | UBUNTU_USN-628-1.NASL |
description | It was discovered that PHP did not properly check the length of the string parameter to the fnmatch function. An attacker could cause a denial of service in the PHP interpreter if a script passed untrusted input to the fnmatch function. (CVE-2007-4782) Maksymilian Arciemowicz discovered a flaw in the cURL library that allowed safe_mode and open_basedir restrictions to be bypassed. If a PHP application were tricked into processing a bad file:// request, an attacker could read arbitrary files. (CVE-2007-4850) Rasmus Lerdorf discovered that the htmlentities and htmlspecialchars functions did not correctly stop when handling partial multibyte sequences. A remote attacker could exploit this to read certain areas of memory, possibly gaining access to sensitive information. This issue affects Ubuntu 8.04 LTS, and an updated fix is included for Ubuntu 6.06 LTS, 7.04 and 7.10. (CVE-2007-5898) It was discovered that the output_add_rewrite_var function would sometimes leak session id information to forms targeting remote URLs. Malicious remote sites could use this information to gain access to a PHP application user |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 33575 |
published | 2008-07-24 |
reporter | Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/33575 |
title | Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : php5 vulnerabilities (USN-628-1) |

NASL family | MacOS X Local Security Checks |
NASL id | MACOSX_SECUPD2008-005.NASL |
description | The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have the security update 2008-005 applied. This update contains security fixes for a number of programs. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 33790 |
published | 2008-08-01 |
reporter | This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/33790 |
title | Mac OS X Multiple Vulnerabilities (Security Update 2008-005) |

NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-200811-05.NASL |
description | The remote host is affected by the vulnerability described in GLSA-200811-05 (PHP: Multiple vulnerabilities). Several vulnerabilities were found in PHP: PHP ships a vulnerable version of the PCRE library which allows for the circumvention of security restrictions or even for remote code execution in case of an application which accepts user-supplied regular expressions (CVE-2008-0674). Multiple crash issues in several PHP functions have been discovered. Ryan Permeh reported that the init_request_info() function in sapi/cgi/cgi_main.c does not properly consider operator precedence when calculating the length of PATH_TRANSLATED (CVE-2008-0599). An off-by-one error in the metaphone() function may lead to memory corruption. Maksymilian Arciemowicz of SecurityReason Research reported an integer overflow, which is triggerable using printf() and related functions (CVE-2008-1384). Andrei Nigmatulin reported a stack-based buffer overflow in the FastCGI SAPI, which has unknown attack vectors (CVE-2008-2050). Stefan Esser reported that PHP does not correctly handle multibyte characters inside the escapeshellcmd() function, which is used to sanitize user input before its usage in shell commands (CVE-2008-2051). Stefan Esser reported that a short-coming in PHP |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 34787 |
published | 2008-11-17 |
reporter | This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/34787 |
title | GLSA-200811-05 : PHP: Multiple vulnerabilities |

NASL family | Mandriva Local Security Checks |
NASL id | MANDRIVA_MDVSA-2008-128.NASL |
description | A number of vulnerabilities have been found and corrected in PHP: php-cgi in PHP prior to 5.2.6 does not properly calculate the length of PATH_TRANSLATED, which has unknown impact and attack vectors (CVE-2008-0599). The escapeshellcmd() API function in PHP prior to 5.2.6 has unknown impact and context-dependent attack vectors related to incomplete multibyte characters (CVE-2008-2051). Weaknesses in the GENERATE_SEED macro in PHP prior to 4.4.8 and 5.2.5 were discovered that could produce a zero seed in rare circumstances on 32bit systems and generate a portion of zero bits during conversion due to insufficient precision on 64bit systems (CVE-2008-2107, CVE-2008-2108). The IMAP module in PHP uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) via a long IMAP request (CVE-2008-2829). In addition, the updated packages provide a number of bug fixes. The updated packages have been patched to correct these issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 36486 |
published | 2009-04-23 |
reporter | This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/36486 |
title | Mandriva Linux Security Advisory : php (MDVSA-2008:128) |

NASL family | Slackware Local Security Checks |
NASL id | SLACKWARE_SSA_2008-128-01.NASL |
description | New php packages are available for Slackware 10.2, 11.0, 12.0, 12.1, and -current to fix security issues. Note that PHP5 is not the default PHP for Slackware 10.2 or 11.0 (those use PHP4), so if your PHP code is not ready for PHP5, don |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 32444 |
published | 2008-05-28 |
reporter | This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/32444 |
title | Slackware 10.2 / 11.0 / 12.0 / 12.1 / current : php (SSA:2008-128-01) |

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2008-3606.NASL |
description | This release updates PHP to the latest upstream version 5.2.6, fixing multiple bugs and security issues. See upstream release notes for further details: http://www.php.net/releases/5_2_6.php It was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051) It was discovered that a PHP script using the transparent session ID configuration option, or using the output_add_rewrite_var() function, could leak session identifiers to external websites. If a page included an HTML form which is posted to a third-party website, the user |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 33231 |
published | 2008-06-24 |
reporter | This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/33231 |
title | Fedora 9 : php-5.2.6-2.fc9 (2008-3606) |

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2008-3864.NASL |
description | This release updates PHP to the latest upstream version 5.2.6, fixing multiple bugs and security issues. See upstream release notes for further details: http://www.php.net/releases/5_2_5.php http://www.php.net/releases/5_2_6.php It was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051) PHP functions htmlentities() and htmlspecialchars() did not properly recognize partial multi-byte sequences. Certain sequences of bytes could be passed through these functions without being correctly HTML-escaped. An attacker could use this flaw to conduct a cross-site scripting attack against users of such browsers. (CVE-2007-5898) It was discovered that a PHP script using the transparent session ID configuration option, or using the output_add_rewrite_var() function, could leak session identifiers to external websites. If a page included an HTML form which is posted to a third-party website, the user |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 33232 |
published | 2008-06-24 |
reporter | This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/33232 |
title | Fedora 8 : php-5.2.6-2.fc8 (2008-3864) |

NASL family | Mandriva Local Security Checks |
NASL id | MANDRIVA_MDVSA-2008-127.NASL |
description | A number of vulnerabilities have been found and corrected in PHP: The htmlentities() and htmlspecialchars() functions in PHP prior to 5.2.5 accepted partial multibyte sequences, which has unknown impact and attack vectors (CVE-2007-5898). The output_add_rewrite_var() function in PHP prior to 5.2.5 rewrites local forms in which the ACTION attribute references a non-local URL, which could allow a remote attacker to obtain potentially sensitive information by reading the requests for this URL (CVE-2007-5899). php-cgi in PHP prior to 5.2.6 does not properly calculate the length of PATH_TRANSLATED, which has unknown impact and attack vectors (CVE-2008-0599). The escapeshellcmd() API function in PHP prior to 5.2.6 has unknown impact and context-dependent attack vectors related to incomplete multibyte characters (CVE-2008-2051). Weaknesses in the GENERATE_SEED macro in PHP prior to 4.4.8 and 5.2.5 were discovered that could produce a zero seed in rare circumstances on 32bit systems and generate a portion of zero bits during conversion due to insufficient precision on 64bit systems (CVE-2008-2107, CVE-2008-2108). The IMAP module in PHP uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) via a long IMAP request (CVE-2008-2829). In addition, this update also corrects an issue with some float to string conversions. The updated packages have been patched to correct these issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 38042 |
published | 2009-04-23 |
reporter | This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/38042 |
title | Mandriva Linux Security Advisory : php (MDVSA-2008:127) |

NASL family | SuSE Local Security Checks |
NASL id | SUSE_APACHE2-MOD_PHP5-5345.NASL |
description | This version upgrades php5 to 5.2.6 and fixes several security vulnerabilities. - Fixed possible stack-based buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. - Fixed integer overflow in printf() identified by Maksymilian Arciemowicz. - Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. - Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. - Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. - and many more... |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 33266 |
published | 2008-06-26 |
reporter | This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/33266 |
title | SuSE 10 Security Update : PHP5 (ZYPP Patch Number 5345) |

NASL family | CGI abuses |
NASL id | PHP_5_2_6.NASL |
description | According to its banner, the version of PHP installed on the remote host is older than 5.2.6. Such versions may be affected by the following issues: - A stack-based buffer overflow in FastCGI SAPI. - An integer overflow in printf(). - A security issue arising from improper calculation of the length of PATH_TRANSLATED in cgi_main.c. - A safe_mode bypass in cURL. - Incomplete handling of multibyte chars inside escapeshellcmd(). - Issues in the bundled PCRE fixed by version 7.6. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 32123 |
published | 2008-05-02 |
reporter | This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/32123 |
title | PHP < 5.2.6 Multiple Vulnerabilities |
Oval
accepted | 2015-04-20T04:02:25.696-04:00 |
class | vulnerability |
contributors | |
description | The init_request_info function in sapi/cgi/cgi_main.c in PHP before 5.2.6 does not properly consider operator precedence when calculating the length of PATH_TRANSLATED, which might allow remote attackers to execute arbitrary code via a crafted URI. |
family | unix |
id | oval:org.mitre.oval:def:5510 |
status | accepted |
submitted | 2008-06-30T13:13:25.000-04:00 |
title | HP-UX Running Apache with PHP, Remote Execution of Arbitrary Code |
version | 46 |
Redhat
advisories | |
rpms | |
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 29009 CVE(CAN) ID: CVE-2008-0599 PHP is a widely used general-purpose scripting language, particularly suited to web development, that can be embedded into HTML. Versions of PHP before 5.2.6 contain multiple security vulnerabilities that allow malicious users to bypass security restrictions, cause a denial of service, or compromise a vulnerable system. 1) A vulnerability in the FastCGI SAPI may lead to a stack overflow. 2) A vulnerability exists in the handling of incomplete multibyte characters in escapeshellcmd(). 3) An error in cURL may allow safe_mode restrictions to be bypassed. 4) A boundary condition error in PCRE may allow malicious users to cause a denial of service or compromise a vulnerable system. PHP < 5.2.6 PHP --- The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage: http://www.php.net |
id | SSV:3253 |
last seen | 2017-11-19 |
modified | 2008-05-07 |
published | 2008-05-07 |
reporter | Root |
title | PHP 5.2.6 fixes multiple security vulnerabilities |
Statements
contributor | Mark J Cox |
lastmodified | 2008-08-07 |
organization | Red Hat |
statement | Not vulnerable. This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5, and Red Hat Application Stack v1. For Red Hat Application Stack v2, the issue was addressed via: https://rhn.redhat.com/errata/RHSA-2008-0505.html |
References
- http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/cgi_main.c?r1=1.267.2.15.2.50.2.12&r2=1.267.2.15.2.50.2.13&diff_format=u
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01476437
- http://lists.apple.com/archives/security-announce//2008/Jul/msg00003.html
- http://marc.info/?l=bugtraq&m=124654546101607&w=2
- http://marc.info/?l=bugtraq&m=125631037611762&w=2
- http://secunia.com/advisories/30048
- http://secunia.com/advisories/30083
- http://secunia.com/advisories/30345
- http://secunia.com/advisories/30616
- http://secunia.com/advisories/30757
- http://secunia.com/advisories/30828
- http://secunia.com/advisories/31200
- http://secunia.com/advisories/31326
- http://secunia.com/advisories/32746
- http://secunia.com/advisories/35650
- http://security.gentoo.org/glsa/glsa-200811-05.xml
- http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0176
- http://www.kb.cert.org/vuls/id/147027
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:127
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:128
- http://www.openwall.com/lists/oss-security/2008/05/02/2
- http://www.php.net/ChangeLog-5.php
- http://www.redhat.com/support/errata/RHSA-2008-0505.html
- http://www.securityfocus.com/archive/1/492535/100/0/threaded
- http://www.securityfocus.com/bid/29009
- http://www.securitytracker.com/id?1019958
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.488951
- http://www.ubuntu.com/usn/usn-628-1
- http://www.vupen.com/english/advisories/2008/1412
- http://www.vupen.com/english/advisories/2008/1810/references
- http://www.vupen.com/english/advisories/2008/2268
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42137
- https://issues.rpath.com/browse/RPL-2503
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5510
- https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00773.html
- https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00779.html