Multiple vulnerabilities in PHP
| Risk | High |
| Patch available | NO |
| Number of vulnerabilities | 7 |
| CVE-ID | CVE-2011-3267 CVE-2011-3268 CVE-2011-3182 CVE-2011-2202 CVE-2011-0441 CVE-2011-1148 CVE-2011-0420 |
| CWE-ID | CWE-399 CWE-119 CWE-20 CWE-264 CWE-59 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #3 is available. Public exploit code for vulnerability #4 is available. Public exploit code for vulnerability #7 is available. |
| Vulnerable software |
PHP Universal components / Libraries / Scripting languages |
| Vendor | PHP Group |
Security Bulletin
This security bulletin contains information about 7 vulnerabilities.
1) Resource management error
EUVDB-ID: #VU44779
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2011-3267
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
PHP before 5.3.7 does not properly implement the error_log function, which allows context-dependent attackers to cause a denial of service (application crash) via unspecified vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsPHP: 1.0 - 5.3.5
CPE2.3- cpe:2.3:a:php_group:php:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:2.0b10:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:3.0.18:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:4.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:4.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:4.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:4.3.11:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:4.4.9:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:5.0.5:*:*:*:*:*:*:*
https://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
https://osvdb.org/74739
https://support.apple.com/kb/HT5130
https://www.mandriva.com/security/advisories?name=MDVSA-2011:165
https://www.php.net/archive/2011.php#id2011-08-18-1
https://www.php.net/ChangeLog-5.php#5.3.7
https://www.securityfocus.com/bid/49241
https://exchange.xforce.ibmcloud.com/vulnerabilities/69428
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Buffer overflow
EUVDB-ID: #VU44780
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2011-3268
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Buffer overflow in the crypt function in PHP before 5.3.7 allows context-dependent attackers to have an unspecified impact via a long salt argument, a different vulnerability than CVE-2011-2483.
MitigationInstall update from vendor's website.
Vulnerable software versionsPHP: 1.0 - 5.3.5
CPE2.3 External linkshttps://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
https://osvdb.org/74738
https://support.apple.com/kb/HT5130
https://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/standard/php_crypt_r.c?r1=311300&r2=311390&pathrev=315218
https://www.mandriva.com/security/advisories?name=MDVSA-2011:165
https://www.php.net/archive/2011.php#id2011-08-18-1
https://www.php.net/ChangeLog-5.php#5.3.7
https://www.securityfocus.com/bid/49241
https://exchange.xforce.ibmcloud.com/vulnerabilities/69427
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU44783
Risk: Medium
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2011-3182
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
PHP before 5.3.7 does not properly check the return values of the malloc, calloc, and realloc library functions, which allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) or trigger a buffer overflow by leveraging the ability to provide an arbitrary value for a function argument, related to (1) ext/curl/interface.c, (2) ext/date/lib/parse_date.c, (3) ext/date/lib/parse_iso_intervals.c, (4) ext/date/lib/parse_tz.c, (5) ext/date/lib/timelib.c, (6) ext/pdo_odbc/pdo_odbc.c, (7) ext/reflection/php_reflection.c, (8) ext/soap/php_sdl.c, (9) ext/xmlrpc/libxmlrpc/base64.c, (10) TSRM/tsrm_win32.c, and (11) the strtotime function. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference'
MitigationInstall update from vendor's website.
Vulnerable software versionsPHP: 1.0 - 5.3.5
CPE2.3 External linkshttps://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
https://marc.info/?l=full-disclosure&m=131373057621672&w=2
https://securityreason.com/achievement_securityalert/101
https://support.apple.com/kb/HT5130
https://www.mandriva.com/security/advisories?name=MDVSA-2011:165
https://www.openwall.com/lists/oss-security/2011/08/22/9
https://www.securityfocus.com/bid/49249
https://exchange.xforce.ibmcloud.com/vulnerabilities/69430
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
4) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU44946
Risk: Medium
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2011-2202
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: Yes
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate or delete data.
The rfc1867_post_handler function in main/rfc1867.c in PHP before 5.3.7 does not properly restrict filenames in multipart/form-data POST requests, which allows remote attackers to conduct absolute path traversal attacks, and possibly create or overwrite arbitrary files, via a crafted upload request, related to a "file path injection vulnerability."
MitigationInstall update from vendor's website.
Vulnerable software versionsPHP: 1.0 - 5.3.5
CPE2.3 External linkshttps://bugs.php.net/bug.php?id=54939
https://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
https://marc.info/?l=bugtraq&m=133469208622507&w=2
https://openwall.com/lists/oss-security/2011/06/12/5
https://openwall.com/lists/oss-security/2011/06/13/15
https://pastebin.com/1edSuSVN
https://rhn.redhat.com/errata/RHSA-2012-0071.html
https://secunia.com/advisories/44874
https://securitytracker.com/id?1025659
https://support.apple.com/kb/HT5130
https://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/main/rfc1867.c?r1=312103&r2=312102&pathrev=312103
https://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/NEWS?view=markup&pathrev=312103
https://svn.php.net/viewvc?view=revision&revision=312103
https://www.debian.org/security/2011/dsa-2266
https://www.mandriva.com/security/advisories?name=MDVSA-2011:165
https://www.php.net/archive/2011.php#id2011-08-18-1
https://www.php.net/ChangeLog-5.php#5.3.7
https://www.redhat.com/support/errata/RHSA-2011-1423.html
https://www.securityfocus.com/bid/48259
https://www.securityfocus.com/bid/49241
https://exchange.xforce.ibmcloud.com/vulnerabilities/67999
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
5) Link following
EUVDB-ID: #VU45157
Risk: High
CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2011-0441
CWE-ID:
CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.
The Debian GNU/Linux /etc/cron.d/php5 cron job for PHP 5.3.5 allows local users to delete arbitrary files via a symlink attack on a directory under /var/lib/php5/.
MitigationInstall update from vendor's website.
Vulnerable software versionsPHP: 5.3.5
CPE2.3https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=618489
https://git.debian.org/?p=pkg-php/php.git;a=commit;h=d09fd04ed7bfcf7f008360c6a42025108925df09
https://www.mandriva.com/security/advisories?name=MDVSA-2011:069
https://www.securityfocus.com/bid/46928
https://www.vupen.com/english/advisories/2011/0910
https://exchange.xforce.ibmcloud.com/vulnerabilities/66180
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Resource management error
EUVDB-ID: #VU45220
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2011-1148
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Use-after-free vulnerability in the substr_replace function in PHP 5.3.6 and earlier allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact by using the same variable for multiple arguments.
MitigationInstall update from vendor's website.
Vulnerable software versionsPHP: 1.0 - 5.3.5
CPE2.3https://bugs.php.net/bug.php?id=54238
https://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
https://marc.info/?l=bugtraq&m=133469208622507&w=2
https://openwall.com/lists/oss-security/2011/03/13/2
https://openwall.com/lists/oss-security/2011/03/13/3
https://openwall.com/lists/oss-security/2011/03/13/9
https://support.apple.com/kb/HT5130
https://www.mandriva.com/security/advisories?name=MDVSA-2011:165
https://www.php.net/archive/2011.php#id2011-08-18-1
https://www.php.net/ChangeLog-5.php#5.3.7
https://www.redhat.com/support/errata/RHSA-2011-1423.html
https://www.securityfocus.com/bid/46843
https://www.securityfocus.com/bid/49241
https://exchange.xforce.ibmcloud.com/vulnerabilities/66080
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Input validation error
EUVDB-ID: #VU45307
Risk: Medium
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2011-0420
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows context-dependent attackers to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (crash) via an invalid size argument, which triggers a NULL pointer dereference.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsPHP: 5.3.5
CPE2.3https://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
https://securityreason.com/achievement_securityalert/94
https://securityreason.com/securityalert/8087
https://support.apple.com/kb/HT5002
https://svn.php.net/viewvc/php/php-src/trunk/ext/intl/grapheme/grapheme_string.c?r1=306449&r2=306448&pathrev=306449
https://www.debian.org/security/2011/dsa-2266
https://www.exploit-db.com/exploits/16182
https://www.kb.cert.org/vuls/id/210829
https://www.securityfocus.com/archive/1/516504/100/0/threaded
https://www.securityfocus.com/archive/1/516518/100/0/threaded
https://www.securityfocus.com/bid/46429
https://exchange.xforce.ibmcloud.com/vulnerabilities/65437
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
