(Conectiva Issues Fix) PHP serialize() May Let Users Execute Arbitrary Code or View Memory Contents
|
|
SecurityTracker Alert ID: 1012899 |
|
SecurityTracker URL: http://securitytracker.com/id/1012899
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Jan 14 2005
|
Impact:
Disclosure of system information, Disclosure of user information, Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): prior to 4.3.10 and 5.0.3; tested on 4.3.9
|
Description:
A vulnerability was reported in PHP in the unserialize() function. A script may be able to execute arbitrary code or obtain portions of memory.
Martin Eiszner of SEC-CONSULT reported that the unserialize() function does not properly validate serialized strings. As a result, a specially crafted PHP script may be able to access portions of PHP memory or execute arbitrary code on the target system.
A demonstration exploit script is provided:
<?
$s = 's:9999999:"A";"';
$a = unserialize($s);
print $a;
?>
If a PHP script allows remote users to supply data (e.g., via cookies) to be processed by unserialize(), this vulnerability may be exploited by remote users, depending on the PHP application.
The vendor was notified on November 19, 2004.
|
Impact:
A script may be able to execute arbitrary code or obtain portions of memory.
|
Solution:
Conectiva has released a fix.
ftp://atualizacoes.conectiva.com.br/10/SRPMS/php4-4.3.10-72720U10_5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-dba-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-devel-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-doc-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-doc-es-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-doc-pt_BR-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-imap-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-ldap-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-mcrypt-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-mhash-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-mnogosearch-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-mssql-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-mysql-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-odbc-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-pgsql-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-snmp-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-sybase-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-sybase-ct-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/php4-4.3.10-26997U90_4cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/php4-4.3.10-26997U90_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/php4-devel-4.3.10-26997U90_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/php4-doc-4.3.10-26997U90_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/php4-doc-es-4.3.10-26997U90_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/php4-doc-pt_BR-4.3.10-26997U90_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/php4-imap-4.3.10-26997U90_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/php4-ldap-4.3.10-26997U90_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/php4-mcrypt-4.3.10-26997U90_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/php4-mysql-4.3.10-26997U90_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/php4-odbc-4.3.10-26997U90_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/php4-pgsql-4.3.10-26997U90_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/php4-snmp-4.3.10-26997U90_4cl.i386.rpm
|
Vendor URL: www.php.net/ (Links to External Site)
|
Cause:
Boundary error, Input validation error
|
Underlying OS:
Linux (Conectiva)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Thu, 13 Jan 2005 11:41:22 -0200
Subject: [Conectiva-updates] [CLA-2005:915] Conectiva Security Announcement
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------
PACKAGE : php4
SUMMARY : Fixes for multiple php4 vulnerabilities
DATE : 2005-01-13 11:40:00
ID : CLA-2005:915
RELEVANT
RELEASES : 9, 10
- -------------------------------------------------------------------------
DESCRIPTION
PHP[1] is a very popular scripting language used by web servers to
offer dynamic content.
This announcement fixes seven vulnerabilities[2] found by Stefan
Esser and four other vulnerabilities. For further information, please
refer to php4's changelog[3].
SOLUTION
It is recommended that all PHP4 users upgrade their packages.
IMPORTANT:
If PHP4 is being used as an Apache module, the web server has to be
restarted after the upgrade if it was already running. To do so,
please run, as root:
# service httpd stop
(wait a few seconds and check with "ps ax|grep httpd" if there are
any httpd processes running. On a busy webserver this could take a
little longer.)
# service httpd start
REFERENCES
1.http://www.php.net/
2.http://www.hardened-php.net/advisories/012004.txt
3.http://www.php.net/release_4_3_10.php
UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/10/SRPMS/php4-4.3.10-72720U10_5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-dba-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-devel-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-doc-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-doc-es-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-doc-pt_BR-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-imap-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-ldap-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-mcrypt-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-mhash-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-mnogosearch-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-mssql-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-mysql-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-odbc-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-pgsql-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-snmp-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-sybase-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/php4-sybase-ct-4.3.10-72720U10_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/php4-4.3.10-26997U90_4cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/php4-4.3.10-26997U90_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/php4-devel-4.3.10-26997U90_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/php4-doc-4.3.10-26997U90_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/php4-doc-es-4.3.10-26997U90_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/php4-doc-pt_BR-4.3.10-26997U90_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/php4-imap-4.3.10-26997U90_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/php4-ldap-4.3.10-26997U90_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/php4-mcrypt-4.3.10-26997U90_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/php4-mysql-4.3.10-26997U90_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/php4-odbc-4.3.10-26997U90_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/php4-pgsql-4.3.10-26997U90_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/php4-snmp-4.3.10-26997U90_4cl.i386.rpm
ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM packages upgrades:
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions regarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
- -------------------------------------------------------------------------
Copyright (c) 2004 Conectiva Inc.
http://www.conectiva.com
- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQFB5nqB42jd0JmAcZARAo9lAKC2Uq1I72LJYv5p3uQ0bi9Ng17xXACg0hFG
t/1oYcJTYvRM3xMLokvAIPg=
=I5j8
-----END PGP SIGNATURE-----
______________________________________________________________________
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
|
|
