Input validation error in PHP

1) Input validation error

EUVDB-ID: #VU43771

Risk: Low

CVSSv4.0: 2.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2012-3450

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

pdo_sql_parser.re in the PDO extension in PHP before 5.3.14 and 5.4.x before 5.4.4 does not properly determine the end of the query string during parsing of prepared statements, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted parameter value.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PHP: 5.3.0 - 5.4.3

CPE2.3

• cpe:2.3:a:php_group:php:5.3.12:*:*:*:*:*:*:*
• cpe:2.3:a:php_group:php:5.4.3:*:*:*:*:*:*:*

External links

https://lists.opensuse.org/opensuse-security-announce/2012-08/msg00021.html
https://seclists.org/bugtraq/2012/Jun/60
https://www.debian.org/security/2012/dsa-2527
https://www.mandriva.com/security/advisories?name=MDVSA-2012:108
https://www.openwall.com/lists/oss-security/2012/08/02/3
https://www.openwall.com/lists/oss-security/2012/08/02/7
https://www.php.net/ChangeLog-5.php
https://www.ubuntu.com/usn/USN-1569-1
https://bugs.php.net/bug.php?id=61755
https://bugzilla.novell.com/show_bug.cgi?id=769785

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.