Vulnerabilities > CVE-2008-2050 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in PHP
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
Stack-based buffer overflow in the FastCGI SAPI (fastcgi.c) in PHP before 5.2.6 has unknown impact and attack vectors.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-628-1.NASL description It was discovered that PHP did not properly check the length of the string parameter to the fnmatch function. An attacker could cause a denial of service in the PHP interpreter if a script passed untrusted input to the fnmatch function. (CVE-2007-4782) Maksymilian Arciemowicz discovered a flaw in the cURL library that allowed safe_mode and open_basedir restrictions to be bypassed. If a PHP application were tricked into processing a bad file:// request, an attacker could read arbitrary files. (CVE-2007-4850) Rasmus Lerdorf discovered that the htmlentities and htmlspecialchars functions did not correctly stop when handling partial multibyte sequences. A remote attacker could exploit this to read certain areas of memory, possibly gaining access to sensitive information. This issue affects Ubuntu 8.04 LTS, and an updated fix is included for Ubuntu 6.06 LTS, 7.04 and 7.10. (CVE-2007-5898) It was discovered that the output_add_rewrite_var function would sometimes leak session id information to forms targeting remote URLs. Malicious remote sites could use this information to gain access to a PHP application user last seen 2020-06-01 modified 2020-06-02 plugin id 33575 published 2008-07-24 reporter Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/33575 title Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : php5 vulnerabilities (USN-628-1) NASL family MacOS X Local Security Checks NASL id MACOSX_SECUPD2008-005.NASL description The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have the security update 2008-005 applied. This update contains security fixes for a number of programs. last seen 2020-06-01 modified 2020-06-02 plugin id 33790 published 2008-08-01 reporter This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/33790 title Mac OS X Multiple Vulnerabilities (Security Update 2008-005) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-022.NASL description A vulnerability in PHP allowed context-dependent attackers to cause a denial of service (crash) via a certain long string in the glob() or fnmatch() functions (CVE-2007-4782). A vulnerability in the cURL library in PHP allowed context-dependent attackers to bypass safe_mode and open_basedir restrictions and read arbitrary files using a special URL request (CVE-2007-4850). An integer overflow in PHP allowed context-dependent attackers to cause a denial of serivce via a special printf() format parameter (CVE-2008-1384). A stack-based buffer overflow in the FastCGI SAPI in PHP has unknown impact and attack vectors (CVE-2008-2050). A buffer overflow in the imageloadfont() function in PHP allowed context-dependent attackers to cause a denial of service (crash) and potentially execute arbitrary code via a crafted font file (CVE-2008-3658). A buffer overflow in the memnstr() function allowed context-dependent attackers to cause a denial of service (crash) and potentially execute arbitrary code via the delimiter argument to the explode() function (CVE-2008-3659). PHP, when used as a FastCGI module, allowed remote attackers to cause a denial of service (crash) via a request with multiple dots preceding the extension (CVE-2008-3660). An array index error in the imageRotate() function in PHP allowed context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument to the function for an indexed image (CVE-2008-5498). The updated packages have been patched to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 36294 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/36294 title Mandriva Linux Security Advisory : php (MDVSA-2009:022) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200811-05.NASL description The remote host is affected by the vulnerability described in GLSA-200811-05 (PHP: Multiple vulnerabilities) Several vulnerabilitites were found in PHP: PHP ships a vulnerable version of the PCRE library which allows for the circumvention of security restrictions or even for remote code execution in case of an application which accepts user-supplied regular expressions (CVE-2008-0674). Multiple crash issues in several PHP functions have been discovered. Ryan Permeh reported that the init_request_info() function in sapi/cgi/cgi_main.c does not properly consider operator precedence when calculating the length of PATH_TRANSLATED (CVE-2008-0599). An off-by-one error in the metaphone() function may lead to memory corruption. Maksymilian Arciemowicz of SecurityReason Research reported an integer overflow, which is triggerable using printf() and related functions (CVE-2008-1384). Andrei Nigmatulin reported a stack-based buffer overflow in the FastCGI SAPI, which has unknown attack vectors (CVE-2008-2050). Stefan Esser reported that PHP does not correctly handle multibyte characters inside the escapeshellcmd() function, which is used to sanitize user input before its usage in shell commands (CVE-2008-2051). Stefan Esser reported that a short-coming in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 34787 published 2008-11-17 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/34787 title GLSA-200811-05 : PHP: Multiple vulnerabilities NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2008-128-01.NASL description New php packages are available for Slackware 10.2, 11.0, 12.0, 12.1, and -current to fix security issues. Note that PHP5 is not the default PHP for Slackware 10.2 or 11.0 (those use PHP4), so if your PHP code is not ready for PHP5, don last seen 2020-06-01 modified 2020-06-02 plugin id 32444 published 2008-05-28 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/32444 title Slackware 10.2 / 11.0 / 12.0 / 12.1 / current : php (SSA:2008-128-01) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1572.NASL description Several vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-3806 The glob function allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via an invalid value of the flags parameter. - CVE-2008-1384 Integer overflow allows context-dependent attackers to cause a denial of service and possibly have other impact via a printf format parameter with a large width specifier. - CVE-2008-2050 Stack-based buffer overflow in the FastCGI SAPI. - CVE-2008-2051 The escapeshellcmd API function could be attacked via incomplete multibyte chars. last seen 2020-06-01 modified 2020-06-02 plugin id 32306 published 2008-05-13 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/32306 title Debian DSA-1572-1 : php5 - several vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE_APACHE2-MOD_PHP5-5379.NASL description This update of php5 fixes : - possible stack-based buffer overflow CVE-2008-2050 - incomplete escapeshellcmd() CVE-2008-2051 - printf() integer overflow CVE-2008-1384 - insecure GENERATE_SEED macro CVE-2008-2107 - timezone update for DST in Pakistan last seen 2020-06-01 modified 2020-06-02 plugin id 33381 published 2008-07-02 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/33381 title openSUSE 10 Security Update : apache2-mod_php5 (apache2-mod_php5-5379) NASL family SuSE Local Security Checks NASL id SUSE_11_0_APACHE2-MOD_PHP5-080625.NASL description This update of php5 fixes : - possible stack-based buffer overflow CVE-2008-2050 - incomplete escapeshellcmd() CVE-2008-2051 - printf() integer overflow CVE-2008-1384 - insecure GENERATE_SEED macro CVE-2008-2107 - timezone update for DST in Pakistan last seen 2020-06-01 modified 2020-06-02 plugin id 39912 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/39912 title openSUSE Security Update : apache2-mod_php5 (apache2-mod_php5-61) NASL family CGI abuses NASL id PHP_5_2_6.NASL description According to its banner, the version of PHP installed on the remote host is older than 5.2.6. Such versions may be affected by the following issues : - A stack-based buffer overflow in FastCGI SAPI. - An integer overflow in printf(). - An security issue arising from improper calculation of the length of PATH_TRANSLATED in cgi_main.c. - A safe_mode bypass in cURL. - Incomplete handling of multibyte chars inside escapeshellcmd(). - Issues in the bundled PCRE fixed by version 7.6. last seen 2020-06-01 modified 2020-06-02 plugin id 32123 published 2008-05-02 reporter This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/32123 title PHP < 5.2.6 Multiple Vulnerabilities
Statements
| contributor | Joshua Bressers |
| lastmodified | 2008-05-22 |
| organization | Red Hat |
| statement | This issue does not affect the version of PHP shipped in Red Hat Enterprise Linux 2.1, 3, or 4. We do not consider this issue to be a security flaw for Red Hat Enterprise Linux 5 since no trust boundary is crossed. More information can be found here: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2050 |
References
- http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/fastcgi.c?r1=1.44&r2=1.45&diff_format=u
- http://www.php.net/ChangeLog-5.php
- http://www.openwall.com/lists/oss-security/2008/05/02/2
- http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0176
- https://issues.rpath.com/browse/RPL-2503
- http://www.securityfocus.com/bid/29009
- http://secunia.com/advisories/30048
- http://secunia.com/advisories/30345
- http://secunia.com/advisories/30967
- http://secunia.com/advisories/31200
- http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00001.html
- http://www.ubuntu.com/usn/usn-628-1
- http://secunia.com/advisories/31326
- http://lists.apple.com/archives/security-announce//2008/Jul/msg00003.html
- http://www.debian.org/security/2008/dsa-1572
- http://secunia.com/advisories/30158
- http://secunia.com/advisories/30083
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:023
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:022
- http://www.vupen.com/english/advisories/2008/2268
- http://www.vupen.com/english/advisories/2008/1412
- http://secunia.com/advisories/32746
- http://security.gentoo.org/glsa/glsa-200811-05.xml
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.488951
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42133
- http://www.securityfocus.com/archive/1/492535/100/0/threaded