SB2018103068 - Multiple vulnerabilities in PHP
Published: October 30, 2018 Updated: June 10, 2025
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Input validation error (CVE-ID: CVE-2003-1303)
The vulnerability allows a remote non-authenticated attacker to cause service disruption.
Buffer overflow in the imap_fetch_overview function in the IMAP functionality (php_imap.c) in PHP before 4.3.3 allows remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a long e-mail address in a (1) To or (2) From header.
2) Input validation error (CVE-ID: CVE-2003-0863)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The php_check_safe_mode_include_dir function in fopen_wrappers.c of PHP 4.3.x returns a success value (0) when the safe_mode_include_dir variable is not specified in configuration, which differs from the previous failure value and may allow remote attackers to exploit file include vulnerabilities in PHP applications.
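The return-value change described above, shown as an added example: a simplified C model written for this bulletin, not PHP's source code. The function names, the prefix check and the sample paths are assumptions, and paths are assumed to be canonical already.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model, not PHP source. Return convention taken from the bulletin:
 * 0 = path allowed (success), -1 = path refused (failure).
 * Assumption: both paths are already canonical (no "..", no symlinks). */

/* Returns 0 if path lies inside include_dir, -1 otherwise. */
static int path_within(const char *path, const char *include_dir)
{
    size_t n;

    if (path == NULL)
        return -1;
    n = strlen(include_dir);
    /* The root directory contains every absolute path. */
    if (n == 1 && include_dir[0] == '/')
        return path[0] == '/' ? 0 : -1;
    /* Ignore one trailing slash so "/srv/lib/" and "/srv/lib" behave alike. */
    if (n > 1 && include_dir[n - 1] == '/')
        n--;
    if (strncmp(path, include_dir, n) != 0)
        return -1;
    /* Require a component boundary: "/srv/lib" must not match "/srv/libevil". */
    if (path[n] != '/' && path[n] != '\0')
        return -1;
    return 0;
}

/* Fail-open: an unset directive yields success, as described for PHP 4.3.x. */
int check_include_dir_fail_open(const char *path, const char *include_dir)
{
    if (include_dir == NULL || include_dir[0] == '\0')
        return 0;
    return path_within(path, include_dir);
}

/* Fail-closed: an unset directive yields failure, the earlier behaviour. */
int check_include_dir_fail_closed(const char *path, const char *include_dir)
{
    if (include_dir == NULL || include_dir[0] == '\0')
        return -1;
    return path_within(path, include_dir);
}
```

A caller that treats 0 as "allowed" accepts every path under the fail-open variant whenever the directive is unset, which is why the changed return value matters to applications relying on the check.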
Remediation
Install the update from the vendor's website.