Vulnerabilities > CVE-2008-5498 - Information Exposure vulnerability in PHP
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
Array index error in the imageRotate function in PHP 5.2.8 and earlier allows context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument (aka the bgd_color or clrBack argument) for an indexed image.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Subverting Environment Variable Values The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
- Footprinting An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
- Exploiting Trust in Client (aka Make the Client Invisible) An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
- Browser Fingerprinting An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
- Session Credential Falsification through Prediction This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Exploit-Db
| description | PHP <= 5.2.8 gd library - imageRotate() Information Leak Vulnerability. CVE-2008-5498. Local exploits for multiple platform |
| id | EDB-ID:7646 |
| last seen | 2016-02-01 |
| modified | 2009-01-02 |
| published | 2009-01-02 |
| reporter | Hamid Ebadi |
| source | https://www.exploit-db.com/download/7646/ |
| title | PHP <= 5.2.8 gd library - imageRotate Information Leak Vulnerability |
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_11_0_APACHE2-MOD_PHP5-090312.NASL description php 5.1.9 fixes among other things some security issues : - Missing bounds checks of an error in the imageRotate function of the gd extension potentially allowed attackers to read portions of memory (CVE-2008-5498). - the mbstring.func_overload in .htaccess was applied to other virtual hosts on th same machine (CVE-2009-0754). last seen 2020-06-01 modified 2020-06-02 plugin id 39916 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/39916 title openSUSE Security Update : apache2-mod_php5 (apache2-mod_php5-593) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2009-0338.NASL description From Red Hat Security Advisory 2009:0338 : Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap-based buffer overflow flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 67818 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67818 title Oracle Linux 5 : php (ELSA-2009-0338) NASL family SuSE Local Security Checks NASL id SUSE_APACHE2-MOD_PHP5-6068.NASL description php 5.1.9 fixes among other things some security issues : - Missing bounds checks of an error in the imageRotate function of the gd extension potentially allowed attackers to read portions of memory (CVE-2008-5498). - the mbstring.func_overload in .htaccess was applied to other virtual hosts on th same machine (CVE-2009-0754). last seen 2020-06-01 modified 2020-06-02 plugin id 36079 published 2009-04-03 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/36079 title openSUSE 10 Security Update : apache2-mod_php5 (apache2-mod_php5-6068) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201001-03.NASL description The remote host is affected by the vulnerability described in GLSA-201001-03 (PHP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below and the associated PHP release notes for details. Impact : A context-dependent attacker could execute arbitrary code via a specially crafted string containing an HTML entity when the mbstring extension is enabled. Furthermore a remote attacker could execute arbitrary code via a specially crafted GD graphics file. A remote attacker could also cause a Denial of Service via a malformed string passed to the json_decode() function, via a specially crafted ZIP file passed to the php_zip_make_relative_path() function, via a malformed JPEG image passed to the exif_read_data() function, or via temporary file exhaustion. It is also possible for an attacker to spoof certificates, bypass various safe_mode and open_basedir restrictions when certain criteria are met, perform Cross-site scripting attacks, more easily perform SQL injection attacks, manipulate settings of other virtual hosts on the same server via a malicious .htaccess entry when running on Apache, disclose memory portions, and write arbitrary files via a specially crafted ZIP archive. Some vulnerabilities with unknown impact and attack vectors have been reported as well. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 44892 published 2010-02-25 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/44892 title GLSA-201001-03 : PHP: Multiple vulnerabilities NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-022.NASL description A vulnerability in PHP allowed context-dependent attackers to cause a denial of service (crash) via a certain long string in the glob() or fnmatch() functions (CVE-2007-4782). A vulnerability in the cURL library in PHP allowed context-dependent attackers to bypass safe_mode and open_basedir restrictions and read arbitrary files using a special URL request (CVE-2007-4850). An integer overflow in PHP allowed context-dependent attackers to cause a denial of serivce via a special printf() format parameter (CVE-2008-1384). A stack-based buffer overflow in the FastCGI SAPI in PHP has unknown impact and attack vectors (CVE-2008-2050). A buffer overflow in the imageloadfont() function in PHP allowed context-dependent attackers to cause a denial of service (crash) and potentially execute arbitrary code via a crafted font file (CVE-2008-3658). A buffer overflow in the memnstr() function allowed context-dependent attackers to cause a denial of service (crash) and potentially execute arbitrary code via the delimiter argument to the explode() function (CVE-2008-3659). PHP, when used as a FastCGI module, allowed remote attackers to cause a denial of service (crash) via a request with multiple dots preceding the extension (CVE-2008-3660). An array index error in the imageRotate() function in PHP allowed context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument to the function for an indexed image (CVE-2008-5498). The updated packages have been patched to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 36294 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/36294 title Mandriva Linux Security Advisory : php (MDVSA-2009:022) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2009-0338.NASL description Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap-based buffer overflow flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 43732 published 2010-01-06 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/43732 title CentOS 5 : php (CESA-2009:0338) NASL family MacOS X Local Security Checks NASL id MACOSX_SECUPD2009-005.NASL description The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have Security Update 2009-005 applied. This security update contains fixes for the following products : - Alias Manager - CarbonCore - ClamAV - ColorSync - CoreGraphics - CUPS - Flash Player plug-in - ImageIO - Launch Services - MySQL - PHP - SMB - Wiki Server last seen 2020-06-01 modified 2020-06-02 plugin id 40945 published 2009-09-11 reporter This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40945 title Mac OS X Multiple Vulnerabilities (Security Update 2009-005) NASL family SuSE Local Security Checks NASL id SUSE_11_1_APACHE2-MOD_PHP5-090312.NASL description php 5.1.9 fixes among other things some security issues : - Missing bounds checks of an error in the imageRotate function of the gd extension potentially allowed attackers to read portions of memory (CVE-2008-5498). - the mbstring.func_overload in .htaccess was applied to other virtual hosts on th same machine (CVE-2009-0754). last seen 2020-06-01 modified 2020-06-02 plugin id 40187 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40187 title openSUSE Security Update : apache2-mod_php5 (apache2-mod_php5-593) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2009-098-02.NASL description New php packages are available for Slackware 11.0, 12.0, 12.1, 12.2, and -current to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 36105 published 2009-04-08 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/36105 title Slackware 11.0 / 12.0 / 12.1 / 12.2 / current : php (SSA:2009-098-02) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2009-0338.NASL description Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap-based buffer overflow flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 36098 published 2009-04-07 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/36098 title RHEL 5 : php (RHSA-2009:0338) NASL family SuSE Local Security Checks NASL id SUSE_APACHE2-MOD_PHP5-6069.NASL description Missing bounds checks of an error in the imageRotate function of the gd extension potentially allowed attackers to read portions of memory. (CVE-2008-5498) The mbstring.func_overload in .htaccess was applied to other virtual hosts on th same machine. (CVE-2009-0754) last seen 2020-06-01 modified 2020-06-02 plugin id 41476 published 2009-09-24 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41476 title SuSE 10 Security Update : PHP5 (ZYPP Patch Number 6069) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_58A3C266DB0111DDAE30001CC0377035.NASL description According to CVE-2008-5498 entry : Array index error in the last seen 2020-06-01 modified 2020-06-02 plugin id 35583 published 2009-02-04 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/35583 title FreeBSD : php5-gd -- uninitialized memory information disclosure vulnerability (58a3c266-db01-11dd-ae30-001cc0377035) NASL family CGI abuses NASL id PHP_5_2_9.NASL description According to its banner, the version of PHP installed on the remote host is older than 5.2.9. Such versions may be affected by several security issues : - Background color is not correctly validated with a non true color image in function last seen 2020-06-01 modified 2020-06-02 plugin id 35750 published 2009-02-27 reporter This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/35750 title PHP < 5.2.9 Multiple Vulnerabilities NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2009-0337.NASL description From Red Hat Security Advisory 2009:0337 : Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap-based buffer overflow flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 67817 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67817 title Oracle Linux 3 / 4 : php (ELSA-2009-0337) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-021.NASL description A buffer overflow in the imageloadfont() function in PHP allowed context-dependent attackers to cause a denial of service (crash) and potentially execute arbitrary code via a crafted font file (CVE-2008-3658). A buffer overflow in the memnstr() function allowed context-dependent attackers to cause a denial of service (crash) and potentially execute arbitrary code via the delimiter argument to the explode() function (CVE-2008-3659). PHP, when used as a FastCGI module, allowed remote attackers to cause a denial of service (crash) via a request with multiple dots preceding the extension (CVE-2008-3660). An array index error in the imageRotate() function in PHP allowed context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument to the function for an indexed image (CVE-2008-5498). The updated packages have been patched to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 37701 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/37701 title Mandriva Linux Security Advisory : php (MDVSA-2009:021) NASL family Scientific Linux Local Security Checks NASL id SL_20090406_PHP_ON_SL3_X.NASL description A heap-based buffer overflow flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 60561 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60561 title Scientific Linux Security Update : php on SL3.x, SL4.x, SL5.x i386/x86_64 NASL family SuSE Local Security Checks NASL id SUSE_11_APACHE2-MOD_PHP5-090319.NASL description php 5.1.9 fixes among other things some security issues : - Missing bounds checks of an error in the imageRotate function of the gd extension potentially allowed attackers to read portions of memory. (CVE-2008-5498) - the mbstring.func_overload in .htaccess was applied to other virtual hosts on th same machine (CVE-2009-0754) last seen 2020-06-01 modified 2020-06-02 plugin id 41368 published 2009-09-24 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41368 title SuSE 11 Security Update : PHP5 (SAT Patch Number 666) NASL family Fedora Local Security Checks NASL id FEDORA_2009-3848.NASL description Update to PHP 5.2.9 A heap-based buffer overflow flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 38957 published 2009-06-01 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/38957 title Fedora 9 : maniadrive-1.2-13.fc9 / php-5.2.9-2.fc9 (2009-3848) NASL family Fedora Local Security Checks NASL id FEDORA_2009-3768.NASL description Update to PHP 5.2.9 A heap-based buffer overflow flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 38956 published 2009-06-01 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/38956 title Fedora 10 : maniadrive-1.2-13.fc10 / php-5.2.9-2.fc10 (2009-3768) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2009-0337.NASL description Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap-based buffer overflow flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 36089 published 2009-04-07 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/36089 title CentOS 3 / 4 : php (CESA-2009:0337) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2009-0337.NASL description Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap-based buffer overflow flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 36097 published 2009-04-07 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/36097 title RHEL 3 / 4 : php (RHSA-2009:0337)
Oval
| accepted | 2013-04-29T04:21:11.432-04:00 | ||||||||||||||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||||||||||||||
| contributors |
| ||||||||||||||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||||||||||||||
| description | Array index error in the imageRotate function in PHP 5.2.8 and earlier allows context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument (aka the bgd_color or clrBack argument) for an indexed image. | ||||||||||||||||||||||||||||||||
| family | unix | ||||||||||||||||||||||||||||||||
| id | oval:org.mitre.oval:def:9667 | ||||||||||||||||||||||||||||||||
| status | accepted | ||||||||||||||||||||||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||||||||||||||||||||||
| title | r an indexed image. | ||||||||||||||||||||||||||||||||
| version | 27 |
Redhat
| advisories |
| ||||
| rpms |
|
Seebug
bulletinFamily exploit description No description provided by source. id SSV:66122 last seen 2017-11-19 modified 2014-07-01 published 2014-07-01 reporter Root source https://www.seebug.org/vuldb/ssvid-66122 title PHP <= 5.2.8 gd library - imageRotate() Information Leak Vulnerability bulletinFamily exploit description No description provided by source. id SSV:10377 last seen 2017-11-19 modified 2009-01-03 published 2009-01-03 reporter Root source https://www.seebug.org/vuldb/ssvid-10377 title PHP <= 5.2.8 gd library - imageRotate() Information Leak Vulnerability bulletinFamily exploit description BUGTRAQ ID: 33002 CVE(CAN) ID: CVE-2008-5498 PHP是广泛使用的通用目的脚本语言,特别适合于Web开发,可嵌入到HTML中。 PHP的imageRotate函数中存在数组索引错误,允许远程攻击者通过向索引的图片提交特制的bgd_color或clrBack 参数值读取任意内存位置的内容。 PHP 5.2.8 厂商补丁: PHP --- 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: <a href=http://www.php.net target=_blank rel=external nofollow>http://www.php.net</a> id SSV:4604 last seen 2017-11-19 modified 2008-12-30 published 2008-12-30 reporter Root source https://www.seebug.org/vuldb/ssvid-4604 title PHP imageRotate()未初始化内存信息泄露漏洞
References
- http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.1360&r2=1.2027.2.547.2.1361&diff_format=u
- http://downloads.securityfocus.com/vulnerabilities/exploits/33002.php
- http://downloads.securityfocus.com/vulnerabilities/exploits/33002-2.php
- http://lists.apple.com/archives/security-announce/2009/Sep/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html
- http://marc.info/?l=bugtraq&m=124654546101607&w=2
- http://marc.info/?l=bugtraq&m=125631037611762&w=2
- http://osvdb.org/51031
- http://secunia.com/advisories/34642
- http://secunia.com/advisories/35306
- http://secunia.com/advisories/35650
- http://secunia.com/advisories/36701
- http://securitytracker.com/id?1021494
- http://support.apple.com/kb/HT3865
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:021
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:022
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:023
- http://www.php.net/releases/5_2_9.php
- http://www.redhat.com/support/errata/RHSA-2009-0350.html
- http://www.securityfocus.com/bid/33002
- https://exchange.xforce.ibmcloud.com/vulnerabilities/47635
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9667
- https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01451.html
- https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01465.html