Vulnerabilities > CVE-2009-0754 - USE of Externally-Controlled Format String vulnerability in PHP 4.4.4/5.1.6
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
PARTIAL Availability impact
NONE Summary
PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within .htaccess, which causes this setting to be applied to other virtual hosts on the same server.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 2 | |
| Application | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Format String Injection An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An attacker can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
- String Format Overflow in syslog() This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
Exploit-Db
| description | PHP 5.2.5 'mbstring.func_overload' Webserver Denial Of Service Vulnerability. CVE-2009-0754. Dos exploit for php platform |
| id | EDB-ID:32769 |
| last seen | 2016-02-03 |
| modified | 2009-01-30 |
| published | 2009-01-30 |
| reporter | strategma |
| source | https://www.exploit-db.com/download/32769/ |
| title | PHP 5.2.5 - 'mbstring.func_overload' Webserver Denial Of Service Vulnerability |
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_11_0_APACHE2-MOD_PHP5-090312.NASL description php 5.1.9 fixes among other things some security issues : - Missing bounds checks of an error in the imageRotate function of the gd extension potentially allowed attackers to read portions of memory (CVE-2008-5498). - the mbstring.func_overload in .htaccess was applied to other virtual hosts on th same machine (CVE-2009-0754). last seen 2020-06-01 modified 2020-06-02 plugin id 39916 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/39916 title openSUSE Security Update : apache2-mod_php5 (apache2-mod_php5-593) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2009-0338.NASL description From Red Hat Security Advisory 2009:0338 : Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap-based buffer overflow flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 67818 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67818 title Oracle Linux 5 : php (ELSA-2009-0338) NASL family SuSE Local Security Checks NASL id SUSE_APACHE2-MOD_PHP5-6068.NASL description php 5.1.9 fixes among other things some security issues : - Missing bounds checks of an error in the imageRotate function of the gd extension potentially allowed attackers to read portions of memory (CVE-2008-5498). - the mbstring.func_overload in .htaccess was applied to other virtual hosts on th same machine (CVE-2009-0754). last seen 2020-06-01 modified 2020-06-02 plugin id 36079 published 2009-04-03 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/36079 title openSUSE 10 Security Update : apache2-mod_php5 (apache2-mod_php5-6068) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201001-03.NASL description The remote host is affected by the vulnerability described in GLSA-201001-03 (PHP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below and the associated PHP release notes for details. Impact : A context-dependent attacker could execute arbitrary code via a specially crafted string containing an HTML entity when the mbstring extension is enabled. Furthermore a remote attacker could execute arbitrary code via a specially crafted GD graphics file. A remote attacker could also cause a Denial of Service via a malformed string passed to the json_decode() function, via a specially crafted ZIP file passed to the php_zip_make_relative_path() function, via a malformed JPEG image passed to the exif_read_data() function, or via temporary file exhaustion. It is also possible for an attacker to spoof certificates, bypass various safe_mode and open_basedir restrictions when certain criteria are met, perform Cross-site scripting attacks, more easily perform SQL injection attacks, manipulate settings of other virtual hosts on the same server via a malicious .htaccess entry when running on Apache, disclose memory portions, and write arbitrary files via a specially crafted ZIP archive. Some vulnerabilities with unknown impact and attack vectors have been reported as well. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 44892 published 2010-02-25 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/44892 title GLSA-201001-03 : PHP: Multiple vulnerabilities NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2009-0338.NASL description Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap-based buffer overflow flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 43732 published 2010-01-06 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/43732 title CentOS 5 : php (CESA-2009:0338) NASL family SuSE Local Security Checks NASL id SUSE_11_1_APACHE2-MOD_PHP5-090312.NASL description php 5.1.9 fixes among other things some security issues : - Missing bounds checks of an error in the imageRotate function of the gd extension potentially allowed attackers to read portions of memory (CVE-2008-5498). - the mbstring.func_overload in .htaccess was applied to other virtual hosts on th same machine (CVE-2009-0754). last seen 2020-06-01 modified 2020-06-02 plugin id 40187 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40187 title openSUSE Security Update : apache2-mod_php5 (apache2-mod_php5-593) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2009-0338.NASL description Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap-based buffer overflow flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 36098 published 2009-04-07 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/36098 title RHEL 5 : php (RHSA-2009:0338) NASL family CGI abuses NASL id PHP_4_4_9.NASL description According to its banner, the version of PHP installed on the remote host is older than 4.4.9. Such versions may be affected by several security issues : - There are unspecified issues in the bundled PCRE library fixed by version 7.7. - A buffer overflow in the last seen 2020-06-01 modified 2020-06-02 plugin id 33849 published 2008-08-08 reporter This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/33849 title PHP < 4.4.9 Multiple Vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE_APACHE2-MOD_PHP5-6069.NASL description Missing bounds checks of an error in the imageRotate function of the gd extension potentially allowed attackers to read portions of memory. (CVE-2008-5498) The mbstring.func_overload in .htaccess was applied to other virtual hosts on th same machine. (CVE-2009-0754) last seen 2020-06-01 modified 2020-06-02 plugin id 41476 published 2009-09-24 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41476 title SuSE 10 Security Update : PHP5 (ZYPP Patch Number 6069) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-066.NASL description PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within .htaccess, which causes this setting to be applied to other virtual hosts on the same server (CVE-2009-0754). The updated packages have been patched to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 38117 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/38117 title Mandriva Linux Security Advisory : php (MDVSA-2009:066) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1789.NASL description Several remote vulnerabilities have been discovered in the PHP 5 hypertext preprocessor. The Common Vulnerabilities and Exposures project identifies the following problems. The following four vulnerabilities have already been fixed in the stable (lenny) version of php5 prior to the release of lenny. This update now addresses them for etch (oldstable) as well : - CVE-2008-2107 / CVE-2008-2108 The GENERATE_SEED macro has several problems that make predicting generated random numbers easier, facilitating attacks against measures that use rand() or mt_rand() as part of a protection. - CVE-2008-5557 A buffer overflow in the mbstring extension allows attackers to execute arbitrary code via a crafted string containing an HTML entity. - CVE-2008-5624 The page_uid and page_gid variables are not correctly set, allowing use of some functionality intended to be restricted to root. - CVE-2008-5658 Directory traversal vulnerability in the ZipArchive::extractTo function allows attackers to write arbitrary files via a ZIP file with a file whose name contains .. (dot dot) sequences. This update also addresses the following three vulnerabilities for both oldstable (etch) and stable (lenny) : - CVE-2008-5814 Cross-site scripting (XSS) vulnerability, when display_errors is enabled, allows remote attackers to inject arbitrary web script or HTML. - CVE-2009-0754 When running on Apache, PHP allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within .htaccess, which causes this setting to be applied to other virtual hosts on the same server. - CVE-2009-1271 The JSON_parser function allows a denial of service (segmentation fault) via a malformed string to the json_decode API function. Furthermore, two updates originally scheduled for the next point update for oldstable are included in the etch package : - Let PHP use the system timezone database instead of the embedded timezone database which is out of date. - From the source tarball, the unused last seen 2020-06-01 modified 2020-06-02 plugin id 38691 published 2009-05-06 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/38691 title Debian DSA-1789-1 : php5 - several vulnerabilities NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2009-0337.NASL description From Red Hat Security Advisory 2009:0337 : Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap-based buffer overflow flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 67817 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67817 title Oracle Linux 3 / 4 : php (ELSA-2009-0337) NASL family Scientific Linux Local Security Checks NASL id SL_20090406_PHP_ON_SL3_X.NASL description A heap-based buffer overflow flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 60561 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60561 title Scientific Linux Security Update : php on SL3.x, SL4.x, SL5.x i386/x86_64 NASL family SuSE Local Security Checks NASL id SUSE_11_APACHE2-MOD_PHP5-090319.NASL description php 5.1.9 fixes among other things some security issues : - Missing bounds checks of an error in the imageRotate function of the gd extension potentially allowed attackers to read portions of memory. (CVE-2008-5498) - the mbstring.func_overload in .htaccess was applied to other virtual hosts on th same machine (CVE-2009-0754) last seen 2020-06-01 modified 2020-06-02 plugin id 41368 published 2009-09-24 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41368 title SuSE 11 Security Update : PHP5 (SAT Patch Number 666) NASL family Fedora Local Security Checks NASL id FEDORA_2009-3848.NASL description Update to PHP 5.2.9 A heap-based buffer overflow flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 38957 published 2009-06-01 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/38957 title Fedora 9 : maniadrive-1.2-13.fc9 / php-5.2.9-2.fc9 (2009-3848) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-761-1.NASL description It was discovered that PHP did not sanitize certain error messages when display_errors is enabled, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data (such as passwords), within the same domain. (CVE-2008-5814) It was discovered that PHP did not properly handle the mbstring.func_overload setting within .htaccess files when using virtual hosts. A virtual host administrator could use this flaw to cause settings to be applied to other virtual hosts on the same server. (CVE-2009-0754) It was discovered that PHP did not properly handle certain malformed strings when being parsed by the json_decode function. A remote attacker could exploit this flaw and cause the PHP server to crash, resulting in a denial of service. This issue only affected Ubuntu 8.04 and 8.10. (CVE-2009-1271). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 37849 published 2009-04-23 reporter Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/37849 title Ubuntu 6.06 LTS / 8.04 LTS / 8.10 : php5 vulnerabilities (USN-761-1) NASL family Fedora Local Security Checks NASL id FEDORA_2009-3768.NASL description Update to PHP 5.2.9 A heap-based buffer overflow flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 38956 published 2009-06-01 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/38956 title Fedora 10 : maniadrive-1.2-13.fc10 / php-5.2.9-2.fc10 (2009-3768) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2009-0337.NASL description Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap-based buffer overflow flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 36089 published 2009-04-07 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/36089 title CentOS 3 / 4 : php (CESA-2009:0337) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2009-0337.NASL description Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap-based buffer overflow flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 36097 published 2009-04-07 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/36097 title RHEL 3 / 4 : php (RHSA-2009:0337)
Oval
| accepted | 2013-04-29T04:10:56.367-04:00 | ||||||||||||||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||||||||||||||
| contributors |
| ||||||||||||||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||||||||||||||
| description | PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within .htaccess, which causes this setting to be applied to other virtual hosts on the same server. | ||||||||||||||||||||||||||||||||
| family | unix | ||||||||||||||||||||||||||||||||
| id | oval:org.mitre.oval:def:11035 | ||||||||||||||||||||||||||||||||
| status | accepted | ||||||||||||||||||||||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||||||||||||||||||||||
| title | PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within .htaccess, which causes this setting to be applied to other virtual hosts on the same server. | ||||||||||||||||||||||||||||||||
| version | 27 |
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 33542 CVE ID: CVE-2009-0754 PHP是广泛使用的通用目的脚本语言,特别适合于Web开发,可嵌入到HTML中。 运行在Apache上的PHP允许本地用户通过修改.htaccess中的mbstring.func_overload设置来修改同一Web服务器上所承载的其他站点的行为,将设置应用到同一服务器的其他虚拟主机,导致无法正确的处理多字节字符串。 PHP PHP 5.1.6 PHP PHP 4.4.4 厂商补丁: PHP --- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://snaps.php.net/ RedHat ------ RedHat已经为此发布了一个安全公告(Moderate: php security update)以及相应补丁: Moderate: php security update:Moderate: php security update 链接:https://www.redhat.com/support/errata/Moderate-Moderate:.html Gentoo ------ Gentoo已经为此发布了一个安全公告(GLSA 201001-03)以及相应补丁: GLSA 201001-03:PHP: Multiple vulnerabilities 链接:http://security.gentoo.org/glsa/201001-03.xml |
| id | SSV:15209 |
| last seen | 2017-11-19 |
| modified | 2010-01-08 |
| published | 2010-01-08 |
| reporter | Root |
| title | PHP mbstring.func_overload Webserver本地拒绝服务漏洞 |
References
- http://bugs.php.net/bug.php?id=27421
- http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html
- http://secunia.com/advisories/34642
- http://secunia.com/advisories/34830
- http://secunia.com/advisories/35003
- http://secunia.com/advisories/35007
- http://secunia.com/advisories/35306
- http://www.debian.org/security/2009/dsa-1789
- http://www.openwall.com/lists/oss-security/2009/01/30/1
- http://www.openwall.com/lists/oss-security/2009/02/03/3
- http://www.openwall.com/lists/oss-security/2009/02/25/3
- http://www.redhat.com/support/errata/RHSA-2009-0350.html
- http://www.securitytracker.com/id?1021979
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11035
- https://usn.ubuntu.com/761-1/
- https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01451.html
- https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01465.html