Vulnerabilities > CVE-2008-0599 - Incorrect Calculation of Buffer Size vulnerability in multiple products

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
php
fedoraproject
canonical
apple
CWE-131
critical
nessus
NVD
Published: 2008-05-05
Updated: 2024-02-02

Summary

The init_request_info function in sapi/cgi/cgi_main.c in PHP before 5.2.6 does not properly consider operator precedence when calculating the length of PATH_TRANSLATED, which might allow remote attackers to execute arbitrary code via a crafted URI.

Vulnerable Configurations

Part Description Count
Application
Php
347
OS
Fedoraproject
2
OS
Canonical
4
OS
Apple
110

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.

Nessus

  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-628-1.NASL
    descriptionIt was discovered that PHP did not properly check the length of the string parameter to the fnmatch function. An attacker could cause a denial of service in the PHP interpreter if a script passed untrusted input to the fnmatch function. (CVE-2007-4782) Maksymilian Arciemowicz discovered a flaw in the cURL library that allowed safe_mode and open_basedir restrictions to be bypassed. If a PHP application were tricked into processing a bad file:// request, an attacker could read arbitrary files. (CVE-2007-4850) Rasmus Lerdorf discovered that the htmlentities and htmlspecialchars functions did not correctly stop when handling partial multibyte sequences. A remote attacker could exploit this to read certain areas of memory, possibly gaining access to sensitive information. This issue affects Ubuntu 8.04 LTS, and an updated fix is included for Ubuntu 6.06 LTS, 7.04 and 7.10. (CVE-2007-5898) It was discovered that the output_add_rewrite_var function would sometimes leak session id information to forms targeting remote URLs. Malicious remote sites could use this information to gain access to a PHP application user
    last seen2020-06-01
    modified2020-06-02
    plugin id33575
    published2008-07-24
    reporterUbuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33575
    titleUbuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : php5 vulnerabilities (USN-628-1)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2008-005.NASL
    descriptionThe remote host is running a version of Mac OS X 10.5 or 10.4 that does not have the security update 2008-005 applied. This update contains security fixes for a number of programs.
    last seen2020-06-01
    modified2020-06-02
    plugin id33790
    published2008-08-01
    reporterThis script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/33790
    titleMac OS X Multiple Vulnerabilities (Security Update 2008-005)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200811-05.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200811-05 (PHP: Multiple vulnerabilities) Several vulnerabilitites were found in PHP: PHP ships a vulnerable version of the PCRE library which allows for the circumvention of security restrictions or even for remote code execution in case of an application which accepts user-supplied regular expressions (CVE-2008-0674). Multiple crash issues in several PHP functions have been discovered. Ryan Permeh reported that the init_request_info() function in sapi/cgi/cgi_main.c does not properly consider operator precedence when calculating the length of PATH_TRANSLATED (CVE-2008-0599). An off-by-one error in the metaphone() function may lead to memory corruption. Maksymilian Arciemowicz of SecurityReason Research reported an integer overflow, which is triggerable using printf() and related functions (CVE-2008-1384). Andrei Nigmatulin reported a stack-based buffer overflow in the FastCGI SAPI, which has unknown attack vectors (CVE-2008-2050). Stefan Esser reported that PHP does not correctly handle multibyte characters inside the escapeshellcmd() function, which is used to sanitize user input before its usage in shell commands (CVE-2008-2051). Stefan Esser reported that a short-coming in PHP
    last seen2020-06-01
    modified2020-06-02
    plugin id34787
    published2008-11-17
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/34787
    titleGLSA-200811-05 : PHP: Multiple vulnerabilities
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2008-128.NASL
    descriptionA number of vulnerabilities have been found and corrected in PHP : php-cgi in PHP prior to 5.2.6 does not properly calculate the length of PATH_TRANSLATED, which has unknown impact and attack vectors (CVE-2008-0599). The escapeshellcmd() API function in PHP prior to 5.2.6 has unknown impact and context-dependent attack vectors related to incomplete multibyte characters (CVE-2008-2051). Weaknesses in the GENERATE_SEED macro in PHP prior to 4.4.8 and 5.2.5 were discovered that could produce a zero seed in rare circumstances on 32bit systems and generations a portion of zero bits during conversion due to insufficient precision on 64bit systems (CVE-2008-2107, CVE-2008-2108). The IMAP module in PHP uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) via a long IMAP request (CVE-2008-2829). In addition, the updated packages provide a number of bug fixes. The updated packages have been patched to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id36486
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/36486
    titleMandriva Linux Security Advisory : php (MDVSA-2008:128)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2008-128-01.NASL
    descriptionNew php packages are available for Slackware 10.2, 11.0, 12.0, 12.1, and -current to fix security issues. Note that PHP5 is not the default PHP for Slackware 10.2 or 11.0 (those use PHP4), so if your PHP code is not ready for PHP5, don
    last seen2020-06-01
    modified2020-06-02
    plugin id32444
    published2008-05-28
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/32444
    titleSlackware 10.2 / 11.0 / 12.0 / 12.1 / current : php (SSA:2008-128-01)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-3606.NASL
    descriptionThis release updates PHP to the latest upstream version 5.2.6, fixing multiple bugs and security issues. See upstream release notes for further details: http://www.php.net/releases/5_2_6.php It was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051) It was discovered that a PHP script using the transparent session ID configuration option, or using the output_add_rewrite_var() function, could leak session identifiers to external websites. If a page included an HTML form which is posted to a third-party website, the user
    last seen2020-06-01
    modified2020-06-02
    plugin id33231
    published2008-06-24
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33231
    titleFedora 9 : php-5.2.6-2.fc9 (2008-3606)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-3864.NASL
    descriptionThis release updates PHP to the latest upstream version 5.2.6, fixing multiple bugs and security issues. See upstream release notes for further details: http://www.php.net/releases/5_2_5.php http://www.php.net/releases/5_2_6.php It was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051) PHP functions htmlentities() and htmlspecialchars() did not properly recognize partial multi-byte sequences. Certain sequences of bytes could be passed through these functions without being correctly HTML-escaped. An attacker could use this flaw to conduct cross-site scripting attack against users of such browsers. (CVE-2007-5898) It was discovered that a PHP script using the transparent session ID configuration option, or using the output_add_rewrite_var() function, could leak session identifiers to external websites. If a page included an HTML form which is posted to a third-party website, the user
    last seen2020-06-01
    modified2020-06-02
    plugin id33232
    published2008-06-24
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/33232
    titleFedora 8 : php-5.2.6-2.fc8 (2008-3864)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2008-127.NASL
    descriptionA number of vulnerabilities have been found and corrected in PHP : The htmlentities() and htmlspecialchars() functions in PHP prior to 5.2.5 accepted partial multibyte sequences, which has unknown impact and attack vectors (CVE-2007-5898). The output_add_rewrite_var() function in PHP prior to 5.2.5 rewrites local forms in which the ACTION attribute references a non-local URL, which could allow a remote attacker to obtain potentially sensitive information by reading the requests for this URL (CVE-2007-5899). php-cgi in PHP prior to 5.2.6 does not properly calculate the length of PATH_TRANSLATED, which has unknown impact and attack vectors (CVE-2008-0599). The escapeshellcmd() API function in PHP prior to 5.2.6 has unknown impact and context-dependent attack vectors related to incomplete multibyte characters (CVE-2008-2051). Weaknesses in the GENERATE_SEED macro in PHP prior to 4.4.8 and 5.2.5 were discovered that could produce a zero seed in rare circumstances on 32bit systems and generations a portion of zero bits during conversion due to insufficient precision on 64bit systems (CVE-2008-2107, CVE-2008-2108). The IMAP module in PHP uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) via a long IMAP request (CVE-2008-2829). In addition, this update also corrects an issue with some float to string conversions. The updated packages have been patched to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id38042
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/38042
    titleMandriva Linux Security Advisory : php (MDVSA-2008:127)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_APACHE2-MOD_PHP5-5345.NASL
    descriptionThis version upgrade php5 to 5.2.6 fixes several security vulnerabilities. - Fixed possible stack-based buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. - Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. - Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. - Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. - Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. - and many more...
    last seen2020-06-01
    modified2020-06-02
    plugin id33266
    published2008-06-26
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/33266
    titleSuSE 10 Security Update : PHP5 (ZYPP Patch Number 5345)
  • NASL familyCGI abuses
    NASL idPHP_5_2_6.NASL
    descriptionAccording to its banner, the version of PHP installed on the remote host is older than 5.2.6. Such versions may be affected by the following issues : - A stack-based buffer overflow in FastCGI SAPI. - An integer overflow in printf(). - An security issue arising from improper calculation of the length of PATH_TRANSLATED in cgi_main.c. - A safe_mode bypass in cURL. - Incomplete handling of multibyte chars inside escapeshellcmd(). - Issues in the bundled PCRE fixed by version 7.6.
    last seen2020-06-01
    modified2020-06-02
    plugin id32123
    published2008-05-02
    reporterThis script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/32123
    titlePHP < 5.2.6 Multiple Vulnerabilities

Oval

accepted2015-04-20T04:02:25.696-04:00
classvulnerability
contributors
  • namePai Peng
    organizationHewlett-Packard
  • nameSushant Kumar Singh
    organizationHewlett-Packard
  • nameSushant Kumar Singh
    organizationHewlett-Packard
  • namePrashant Kumar
    organizationHewlett-Packard
  • nameMike Cokus
    organizationThe MITRE Corporation
descriptionThe init_request_info function in sapi/cgi/cgi_main.c in PHP before 5.2.6 does not properly consider operator precedence when calculating the length of PATH_TRANSLATED, which might allow remote attackers to execute arbitrary code via a crafted URI.
familyunix
idoval:org.mitre.oval:def:5510
statusaccepted
submitted2008-06-30T13:13:25.000-04:00
titleHP-UX Running Apache with PHP, Remote Execution of Arbitrary Code
version46

Redhat

advisories
rhsa
idRHSA-2008:0505
rpms
  • httpd-0:2.2.8-1.el5s2
  • httpd-debuginfo-0:2.2.8-1.el5s2
  • httpd-devel-0:2.2.8-1.el5s2
  • httpd-manual-0:2.2.8-1.el5s2
  • mod_jk-ap20-0:1.2.26-1.el5s2
  • mod_jk-debuginfo-0:1.2.26-1.el5s2
  • mod_perl-0:2.0.4-3.el5s2
  • mod_perl-debuginfo-0:2.0.4-3.el5s2
  • mod_perl-devel-0:2.0.4-3.el5s2
  • mod_ssl-1:2.2.8-1.el5s2
  • mysql-0:5.0.50sp1a-2.el5s2
  • mysql-bench-0:5.0.50sp1a-2.el5s2
  • mysql-cluster-0:5.0.50sp1a-2.el5s2
  • mysql-connector-odbc-0:3.51.24r1071-1.el5s2
  • mysql-connector-odbc-debuginfo-0:3.51.24r1071-1.el5s2
  • mysql-debuginfo-0:5.0.50sp1a-2.el5s2
  • mysql-devel-0:5.0.50sp1a-2.el5s2
  • mysql-jdbc-0:5.0.8-1jpp.1.el5s2
  • mysql-libs-0:5.0.50sp1a-2.el5s2
  • mysql-server-0:5.0.50sp1a-2.el5s2
  • mysql-test-0:5.0.50sp1a-2.el5s2
  • perl-DBD-MySQL-0:4.006-1.el5s2
  • perl-DBD-MySQL-debuginfo-0:4.006-1.el5s2
  • perl-DBI-0:1.604-1.el5s2
  • perl-DBI-debuginfo-0:1.604-1.el5s2
  • php-0:5.2.6-2.el5s2
  • php-bcmath-0:5.2.6-2.el5s2
  • php-cli-0:5.2.6-2.el5s2
  • php-common-0:5.2.6-2.el5s2
  • php-dba-0:5.2.6-2.el5s2
  • php-debuginfo-0:5.2.6-2.el5s2
  • php-devel-0:5.2.6-2.el5s2
  • php-gd-0:5.2.6-2.el5s2
  • php-imap-0:5.2.6-2.el5s2
  • php-ldap-0:5.2.6-2.el5s2
  • php-mbstring-0:5.2.6-2.el5s2
  • php-mysql-0:5.2.6-2.el5s2
  • php-ncurses-0:5.2.6-2.el5s2
  • php-odbc-0:5.2.6-2.el5s2
  • php-pdo-0:5.2.6-2.el5s2
  • php-pgsql-0:5.2.6-2.el5s2
  • php-snmp-0:5.2.6-2.el5s2
  • php-soap-0:5.2.6-2.el5s2
  • php-xml-0:5.2.6-2.el5s2
  • php-xmlrpc-0:5.2.6-2.el5s2
  • postgresql-0:8.2.9-1.el5s2
  • postgresql-contrib-0:8.2.9-1.el5s2
  • postgresql-debuginfo-0:8.2.9-1.el5s2
  • postgresql-devel-0:8.2.9-1.el5s2
  • postgresql-docs-0:8.2.9-1.el5s2
  • postgresql-jdbc-0:8.2.508-1jpp.el5s2
  • postgresql-jdbc-debuginfo-0:8.2.508-1jpp.el5s2
  • postgresql-libs-0:8.2.9-1.el5s2
  • postgresql-odbc-0:08.02.0500-1.el5s2
  • postgresql-odbc-debuginfo-0:08.02.0500-1.el5s2
  • postgresql-plperl-0:8.2.9-1.el5s2
  • postgresql-plpython-0:8.2.9-1.el5s2
  • postgresql-pltcl-0:8.2.9-1.el5s2
  • postgresql-python-0:8.2.9-1.el5s2
  • postgresql-server-0:8.2.9-1.el5s2
  • postgresql-tcl-0:8.2.9-1.el5s2
  • postgresql-test-0:8.2.9-1.el5s2
  • postgresqlclient81-0:8.1.11-1.el5s2
  • postgresqlclient81-debuginfo-0:8.1.11-1.el5s2
  • unixODBC-0:2.2.12-8.el5s2
  • unixODBC-debuginfo-0:2.2.12-8.el5s2
  • unixODBC-devel-0:2.2.12-8.el5s2
  • unixODBC-kde-0:2.2.12-8.el5s2

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 29009 CVE(CAN) ID: CVE-2008-0599 PHP是广泛使用的通用目的脚本语言,特别适合于Web开发,可嵌入到HTML中。 PHP的5.2.6之前版本存在多个安全漏洞,允许恶意用户绕过安全限制、导致拒绝服务或入侵有漏洞的系统。 1) FastCGI SAPI中的安全漏洞可能导致栈溢出。 2) 处理escapeshellcmd()中不完整多字节字符时存在安全漏洞。 3) cURL中的错误可能导致绕过safe_mode限制。 4) PCRE中的边界条件错误可能允许恶意用户导致拒绝服务或入侵有漏洞的系统。 PHP &lt; 5.2.6 PHP --- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://www.php.net target=_blank>http://www.php.net</a>
idSSV:3253
last seen2017-11-19
modified2008-05-07
published2008-05-07
reporterRoot
titlePHP 5.2.6修复多个安全漏洞

Statements

contributorMark J Cox
lastmodified2008-08-07
organizationRed Hat
statementNot vulnerable. This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5, and Red Hat Application Stack v1. For Red Hat Application Stack v2, issue was addressed via: https://rhn.redhat.com/errata/RHSA-2008-0505.html

References