SB2012051102 - Multiple vulnerabilities in PHP
Published: May 11, 2012 Updated: August 11, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Heap-based buffer overflow (CVE-ID: CVE-2012-2386)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Integer overflow in the phar_parse_tarfile function in tar.c in the phar extension in PHP before 5.3.14 and 5.4.x before 5.4.4. A remote attacker can use a crafted tar file that triggers a heap-based buffer overflow. to trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) Buffer overflow (CVE-ID: CVE-2012-2329)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
Buffer overflow in the apache_request_headers function in sapi/cgi/cgi_main.c in PHP 5.4.x before 5.4.3 allows remote attackers to cause a denial of service (application crash) via a long string in the header of an HTTP request.
3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-2335)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
php-wrapper.fcgi does not properly handle command-line arguments, which allows remote attackers to bypass a protection mechanism in PHP 5.3.12 and 5.4.2 and execute arbitrary code by leveraging improper interaction between the PHP sapi/cgi/cgi_main.c component and a query string beginning with a +- sequence.
4) Input validation error (CVE-ID: CVE-2012-2336)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to cause a denial of service (resource consumption) by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'T' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- http://0x1byte.blogspot.com/2011/04/php-phar-extension-heap-overflow.html
- http://git.php.net/?p=php-src.git;a=commit;h=158d8a6b088662ce9d31e0c777c6ebe90efdc854
- http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00003.html
- http://openwall.com/lists/oss-security/2012/05/22/10
- http://support.apple.com/kb/HT5501
- http://www.php.net/ChangeLog-5.php
- https://bugs.php.net/bug.php?id=61065
- https://bugzilla.redhat.com/show_bug.cgi?id=823594
- http://secunia.com/advisories/49014
- http://www.php.net/archive/2012.php#id2012-05-08-1
- http://www.php.net/ChangeLog-5.php#5.4.3
- http://www.securityfocus.com/bid/53455
- https://bugs.php.net/bug.php?id=61807
- https://bugzilla.redhat.com/show_bug.cgi?id=820000
- https://exchange.xforce.ibmcloud.com/vulnerabilities/75545
- https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862
- http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
- http://git.php.net/?p=php-src.git;a=blob;f=sapi/cgi/cgi_main.c;h=a7ac26f0#l1569
- http://lists.opensuse.org/opensuse-security-announce/2012-06/msg00004.html
- http://www.kb.cert.org/vuls/id/520827
- http://www.php.net/archive/2012.php#id2012-05-06-1
- https://bugs.php.net/bug.php?id=61910
- https://exchange.xforce.ibmcloud.com/vulnerabilities/75652
- https://bugs.php.net/patch-display.php?bug_id=61910&patch=CVE-2012-1823.patch&revision=1336251592&display=1