Vulnerabilities > CVE-2008-1384 - Numeric Errors vulnerability in PHP

CVSS 0.0 - NONE

Attack vector

UNKNOWN

Attack complexity

UNKNOWN

Privileges required

UNKNOWN

Confidentiality impact

UNKNOWN

Integrity impact

UNKNOWN

Availability impact

UNKNOWN

nessus

NVD

Published: 2008-03-27

Updated: 2024-11-21

Summary

Integer overflow in PHP 5.2.5 and earlier allows context-dependent attackers to cause a denial of service and possibly have unspecified other impact via a printf format parameter with a large width specifier, related to the php_sprintf_appendstring function in formatted_print.c and probably other functions for formatted strings (aka *printf functions).

Vulnerable Configurations

Part	Description	Count
Application	Php PHP PHP - PHP PHP 0.1 PHP PHP 0.1.1 PHP PHP 0.2 PHP PHP 0.2.0 PHP PHP 0.2.1 PHP PHP 0.2.2 PHP PHP 0.2.3 PHP PHP 0.2.4 PHP PHP 0.3 PHP PHP 0.4 PHP PHP 0.5 PHP PHP 0.5.2 PHP PHP 0.5.3 PHP PHP 0.6 PHP PHP 0.7 PHP PHP 0.9 PHP PHP 0.9.0 PHP PHP 0.9.1 PHP PHP 0.9.2 PHP PHP 0.9.3 PHP PHP 0.9.4 PHP PHP 0.10 PHP PHP 0.11 PHP PHP 0.90 PHP PHP 0.91 PHP PHP 1.0 PHP PHP 1.0.0 PHP PHP 1.0.1 PHP PHP 1.0.2 PHP PHP 1.0.3 PHP PHP 1.0.4 PHP PHP 1.1 PHP PHP 1.1.0 PHP PHP 1.1.1 PHP PHP 1.2 PHP PHP 1.2.0 PHP PHP 1.2.1 PHP PHP 1.2.2 PHP PHP 1.2.3 PHP PHP 1.2.4 PHP PHP 1.2.5 PHP PHP 1.3 PHP PHP 1.3.1 PHP PHP 1.3.5 PHP PHP 1.4 PHP PHP 1.5 PHP PHP 2.0 PHP PHP 2.0.0 PHP PHP 2.0.1 PHP PHP 2.0.2 PHP PHP 2.0B10 PHP PHP 3.0 PHP PHP 3.0.1 PHP PHP 3.0.2 PHP PHP 3.0.3 PHP PHP 3.0.4 PHP PHP 3.0.5 PHP PHP 3.0.6 PHP PHP 3.0.7 PHP PHP 3.0.8 PHP PHP 3.0.9 PHP PHP 3.0.10 PHP PHP 3.0.11 PHP PHP 3.0.12 PHP PHP 3.0.13 PHP PHP 3.0.14 PHP PHP 3.0.15 PHP PHP 3.0.16 PHP PHP 3.0.17 PHP PHP 3.0.18 PHP PHP 4.0 PHP PHP 4.0.0 PHP PHP 4.0.1 PHP PHP 4.0.2 PHP PHP 4.0.3 PHP PHP 4.0.4 PHP PHP 4.0.5 PHP PHP 4.0.6 PHP PHP 4.0.7 PHP PHP 4.1.0 PHP PHP 4.1.1 PHP PHP 4.1.2 PHP PHP 4.1.3 PHP PHP 4.2 PHP PHP 4.2.0 PHP PHP 4.2.1 PHP PHP 4.2.2 PHP PHP 4.2.3 PHP PHP 4.2.4 PHP PHP 4.3 PHP PHP 4.3.0 PHP PHP 4.3.1 PHP PHP 4.3.2 PHP PHP 4.3.3 PHP PHP 4.3.4 PHP PHP 4.3.5 PHP PHP 4.3.6 PHP PHP 4.3.7 PHP PHP 4.3.8 PHP PHP 4.3.9 PHP PHP 4.3.10 PHP PHP 4.3.11 PHP PHP 4.4.0 PHP PHP 4.4.1 PHP PHP 4.4.2 PHP PHP 4.4.3 PHP PHP 4.4.4 PHP PHP 4.4.5 PHP PHP 4.4.6 PHP PHP 4.4.7 PHP PHP 4.4.8 PHP PHP 4.4.9 PHP PHP 5.0.0 PHP PHP 5.0.1 PHP PHP 5.0.2 PHP PHP 5.0.3 PHP PHP 5.0.4 PHP PHP 5.0.5 PHP PHP 5.1 PHP PHP 5.1.0 PHP PHP 5.1.1 PHP PHP 5.1.2 PHP PHP 5.1.3 PHP PHP 5.1.4 PHP PHP 5.1.5 PHP PHP 5.1.6 PHP PHP 5.2.0 PHP PHP 5.2.1 PHP PHP 5.2.2 PHP PHP 5.2.3 PHP PHP 5.2.4 PHP PHP 5.2.5	340

Common Weakness Enumeration (CWE)

CWE-189 - Numeric Errors

Nessus

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-628-1.NASL
description	It was discovered that PHP did not properly check the length of the string parameter to the fnmatch function. An attacker could cause a denial of service in the PHP interpreter if a script passed untrusted input to the fnmatch function. (CVE-2007-4782) Maksymilian Arciemowicz discovered a flaw in the cURL library that allowed safe_mode and open_basedir restrictions to be bypassed. If a PHP application were tricked into processing a bad file:// request, an attacker could read arbitrary files. (CVE-2007-4850) Rasmus Lerdorf discovered that the htmlentities and htmlspecialchars functions did not correctly stop when handling partial multibyte sequences. A remote attacker could exploit this to read certain areas of memory, possibly gaining access to sensitive information. This issue affects Ubuntu 8.04 LTS, and an updated fix is included for Ubuntu 6.06 LTS, 7.04 and 7.10. (CVE-2007-5898) It was discovered that the output_add_rewrite_var function would sometimes leak session id information to forms targeting remote URLs. Malicious remote sites could use this information to gain access to a PHP application user
last seen	2020-06-01
modified	2020-06-02
plugin id	33575
published	2008-07-24
reporter	Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/33575
title	Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : php5 vulnerabilities (USN-628-1)

NASL family	Mandriva Local Security Checks
NASL id	MANDRIVA_MDVSA-2009-022.NASL
description	A vulnerability in PHP allowed context-dependent attackers to cause a denial of service (crash) via a certain long string in the glob() or fnmatch() functions (CVE-2007-4782). A vulnerability in the cURL library in PHP allowed context-dependent attackers to bypass safe_mode and open_basedir restrictions and read arbitrary files using a special URL request (CVE-2007-4850). An integer overflow in PHP allowed context-dependent attackers to cause a denial of serivce via a special printf() format parameter (CVE-2008-1384). A stack-based buffer overflow in the FastCGI SAPI in PHP has unknown impact and attack vectors (CVE-2008-2050). A buffer overflow in the imageloadfont() function in PHP allowed context-dependent attackers to cause a denial of service (crash) and potentially execute arbitrary code via a crafted font file (CVE-2008-3658). A buffer overflow in the memnstr() function allowed context-dependent attackers to cause a denial of service (crash) and potentially execute arbitrary code via the delimiter argument to the explode() function (CVE-2008-3659). PHP, when used as a FastCGI module, allowed remote attackers to cause a denial of service (crash) via a request with multiple dots preceding the extension (CVE-2008-3660). An array index error in the imageRotate() function in PHP allowed context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument to the function for an indexed image (CVE-2008-5498). The updated packages have been patched to correct these issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	36294
published	2009-04-23
reporter	This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/36294
title	Mandriva Linux Security Advisory : php (MDVSA-2009:022)

NASL family	FreeBSD Local Security Checks
NASL id	FREEBSD_PKG_F6377F0812A711DDBAB70016179B2DD5.NASL
description	CVE reports : Integer overflow in PHP 5.2.5 and earlier allows context-dependent attackers to cause a denial of service and possibly have unspecified other impact via a printf format parameter with a large width specifier, related to the php_sprintf_appendstring function in formatted_print.c and probably other functions for formatted strings (aka *printf functions).
last seen	2020-06-01
modified	2020-06-02
plugin id	32128
published	2008-05-02
reporter	This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/32128
title	FreeBSD : php -- integer overflow vulnerability (f6377f08-12a7-11dd-bab7-0016179b2dd5)

NASL family	Gentoo Local Security Checks
NASL id	GENTOO_GLSA-200811-05.NASL
description	The remote host is affected by the vulnerability described in GLSA-200811-05 (PHP: Multiple vulnerabilities) Several vulnerabilitites were found in PHP: PHP ships a vulnerable version of the PCRE library which allows for the circumvention of security restrictions or even for remote code execution in case of an application which accepts user-supplied regular expressions (CVE-2008-0674). Multiple crash issues in several PHP functions have been discovered. Ryan Permeh reported that the init_request_info() function in sapi/cgi/cgi_main.c does not properly consider operator precedence when calculating the length of PATH_TRANSLATED (CVE-2008-0599). An off-by-one error in the metaphone() function may lead to memory corruption. Maksymilian Arciemowicz of SecurityReason Research reported an integer overflow, which is triggerable using printf() and related functions (CVE-2008-1384). Andrei Nigmatulin reported a stack-based buffer overflow in the FastCGI SAPI, which has unknown attack vectors (CVE-2008-2050). Stefan Esser reported that PHP does not correctly handle multibyte characters inside the escapeshellcmd() function, which is used to sanitize user input before its usage in shell commands (CVE-2008-2051). Stefan Esser reported that a short-coming in PHP
last seen	2020-06-01
modified	2020-06-02
plugin id	34787
published	2008-11-17
reporter	This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/34787
title	GLSA-200811-05 : PHP: Multiple vulnerabilities

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-1572.NASL
description	Several vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-3806 The glob function allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via an invalid value of the flags parameter. - CVE-2008-1384 Integer overflow allows context-dependent attackers to cause a denial of service and possibly have other impact via a printf format parameter with a large width specifier. - CVE-2008-2050 Stack-based buffer overflow in the FastCGI SAPI. - CVE-2008-2051 The escapeshellcmd API function could be attacked via incomplete multibyte chars.
last seen	2020-06-01
modified	2020-06-02
plugin id	32306
published	2008-05-13
reporter	This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/32306
title	Debian DSA-1572-1 : php5 - several vulnerabilities

NASL family	SuSE Local Security Checks
NASL id	SUSE_APACHE2-MOD_PHP5-5379.NASL
description	This update of php5 fixes : - possible stack-based buffer overflow CVE-2008-2050 - incomplete escapeshellcmd() CVE-2008-2051 - printf() integer overflow CVE-2008-1384 - insecure GENERATE_SEED macro CVE-2008-2107 - timezone update for DST in Pakistan
last seen	2020-06-01
modified	2020-06-02
plugin id	33381
published	2008-07-02
reporter	This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/33381
title	openSUSE 10 Security Update : apache2-mod_php5 (apache2-mod_php5-5379)

NASL family	SuSE Local Security Checks
NASL id	SUSE_11_0_APACHE2-MOD_PHP5-080625.NASL
description	This update of php5 fixes : - possible stack-based buffer overflow CVE-2008-2050 - incomplete escapeshellcmd() CVE-2008-2051 - printf() integer overflow CVE-2008-1384 - insecure GENERATE_SEED macro CVE-2008-2107 - timezone update for DST in Pakistan
last seen	2020-06-01
modified	2020-06-02
plugin id	39912
published	2009-07-21
reporter	This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/39912
title	openSUSE Security Update : apache2-mod_php5 (apache2-mod_php5-61)

NASL family	CGI abuses
NASL id	PHP_5_2_6.NASL
description	According to its banner, the version of PHP installed on the remote host is older than 5.2.6. Such versions may be affected by the following issues : - A stack-based buffer overflow in FastCGI SAPI. - An integer overflow in printf(). - An security issue arising from improper calculation of the length of PATH_TRANSLATED in cgi_main.c. - A safe_mode bypass in cURL. - Incomplete handling of multibyte chars inside escapeshellcmd(). - Issues in the bundled PCRE fixed by version 7.6.
last seen	2020-06-01
modified	2020-06-02
plugin id	32123
published	2008-05-02
reporter	This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/32123
title	PHP < 5.2.6 Multiple Vulnerabilities

Seebug

bulletinFamily	exploit
description	BUGTRAQ ID: 28392 CVE(CAN) ID: CVE-2008-1384 PHP是广泛使用的通用目的脚本语言，特别适合于Web开发，可嵌入到HTML中。 PHP formatted_print.c文件的printf()函数存在整数溢出漏洞，能够执行PHP脚本的攻击者可能利用此漏洞提升权限。在formatted_print.c文件的php_sprintf_appendstring()函数中： - ---formatted_print.c-start--- inline static void php_sprintf_appendstring(char buffer, int pos, int size, char add, int min_width, int max_width, char padding, int alignment, int len, int neg, int expprec, int always_sign) - ---formatted_print.c-end--- 主变量为npad。 - ---formatted_print.c-start--- copy_len = (expprec ? MIN(max_width, len) : len); npad = min_width - copy_len; - ---formatted_print.c-end--- 这里npad为2147483646。 - ---formatted_print.c-start--- req_size = pos + MAX(min_width, copy_len) + 1; - ---formatted_print.c-end--- req_size overflow - ---formatted_print.c-start--- if (req_size > size) { while (req_size > size) { size <<= 1; } PRINTF_DEBUG(("sprintf ereallocing buffer to %d bytes\n", size)); buffer = erealloc(buffer, size); } - ---formatted_print.c-end--- (req_size > size)为False，(alignment == ALIGN_RIGHT)为True，因此 - ---formatted_print.c-start--- while (npad-- > 0) { (buffer)[(*pos)++] = padding; } - ---formatted_print.c-end--- gdb调试结果如下： - --- Debug --- 0x08295ba5 in php_sprintf_appendstring (buffer=0xbfbfd318, pos=0xbfbfd31c, size=0xbfbfd324, add=0x28f20404 'A' <repeats 200 times>..., min_width=2147483646, max_width=0, padding=65 'A', alignment=1, len=1, neg=0, expprec=0, always_sign=0) ... 0x290fff0c: 'A' <repeats 200 times>... 0x290fffd4: 'A' <repeats 44 times> <Error reading address 0x29100000: Bad \ address> 0x29100000: <Error reading address 0x29100000: Bad address> - --- Debug --- 脚本会向内存分配大量数据，导致拒绝服务或执行任意指令。 PHP 5.2.5 PHP --- 目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： <a href=http://cvs.php.net/viewvc.cgi/php-src/NEWS?revision=1.2027.2.547.2.1120&view=markup target=_blank>http://cvs.php.net/viewvc.cgi/php-src/NEWS?revision=1.2027.2.547.2.1120&view=markup</a>
id	SSV:3085
last seen	2017-11-19
modified	2008-03-25
published	2008-03-25
reporter	Root
title	PHP 5 php_sprintf_appendstring()函数整数溢出漏洞

Statements

contributor	Mark J Cox
lastmodified	2008-03-28
organization	Red Hat
statement	Red Hat do not consider this to be a security vulnerability: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-1384

References

CVE is a registered MITRE Corporation trademark and MITRE's CVE website is the authoritative source of CVE content. CWE is a registered MITRE Corporation trademark and MITRE's CWE website is the authoritative source of CWE content.