(Red Hat Issues Fix) PHP phpinfo() Array Validation Bug Lets Remote Users Conduct Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1016141 |
|
SecurityTracker URL: http://securitytracker.com/id/1016141
|
|
CVE Reference:
CVE-2006-0996
(Links to External Site)
|
Date: May 23 2006
|
Impact:
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 4.4.2, 5.1.2
|
Description:
A vulnerability was reported in PHP in the phpinfo() function. A remote user may be able to conduct cross-site scripting attacks.
The phpinfo() function does not properly filter HTML code from user-supplied input before displaying the input when an array of more than 4096 bytes is supplied. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the PHP software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Some demonstration exploit URLs are provided:
phpinfo.php?cx[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]=[XSS]
phpinfo.php?cx[]=ccccc..~4096chars...ccc[XSS]
The vulnerability resides in php_print_gpcse_array().
Maksymilian Arciemowicz (cXIb8O3) of SecurityReason.com reported this vulnerability.
The original advisory is available at:
http://securityreason.com/achievement_securityalert/34
|
Impact:
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the PHP software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
|
Solution:
Red Hat has issued a fix.
Red Hat Enterprise Linux AS (v. 2.1)
SRPMS:
php-4.1.2-2.6.src.rpm 45a9fe88de571c85e3081199bed74270
IA-32:
php-4.1.2-2.6.i386.rpm 14f4090b987d3a53ebd5278f88aba75e
php-devel-4.1.2-2.6.i386.rpm bd0c6ce444d08bf6002fd26afefa1bc6
php-imap-4.1.2-2.6.i386.rpm c391602eaa50cd5e8901930cf818ac3f
php-ldap-4.1.2-2.6.i386.rpm e15c85a1b5e27a040517e05c1c34b6d9
php-manual-4.1.2-2.6.i386.rpm 87d7b10bc154c5621a361e07aa18a4e7
php-mysql-4.1.2-2.6.i386.rpm 897ddcd4b93844382675a755758b58b3
php-odbc-4.1.2-2.6.i386.rpm 0d51b96ef16708abdfe404131de8efd5
php-pgsql-4.1.2-2.6.i386.rpm 4516d7c5ed4925fe7c83456954bee094
IA-64:
php-4.1.2-2.6.ia64.rpm e01b0e9ee6b70a1b4abe4232b7744b5e
php-devel-4.1.2-2.6.ia64.rpm 33b846c0a0b290eacab2020211d409c7
php-imap-4.1.2-2.6.ia64.rpm 743bd48d892450eaabc2b33b73d1ff05
php-ldap-4.1.2-2.6.ia64.rpm 3d9e92ff7fbcb55430ce028b3b445d9a
php-manual-4.1.2-2.6.ia64.rpm 165923a244da4768d11b4135dc405c7d
php-mysql-4.1.2-2.6.ia64.rpm 9af447bf493c788ebc77e2cd6748e9ca
php-odbc-4.1.2-2.6.ia64.rpm dc3a195e812eff951c380ba68d62c81e
php-pgsql-4.1.2-2.6.ia64.rpm e3e9126c718e3595278a9d435f2081d7
Red Hat Enterprise Linux ES (v. 2.1)
SRPMS:
php-4.1.2-2.6.src.rpm 45a9fe88de571c85e3081199bed74270
IA-32:
php-4.1.2-2.6.i386.rpm 14f4090b987d3a53ebd5278f88aba75e
php-devel-4.1.2-2.6.i386.rpm bd0c6ce444d08bf6002fd26afefa1bc6
php-imap-4.1.2-2.6.i386.rpm c391602eaa50cd5e8901930cf818ac3f
php-ldap-4.1.2-2.6.i386.rpm e15c85a1b5e27a040517e05c1c34b6d9
php-manual-4.1.2-2.6.i386.rpm 87d7b10bc154c5621a361e07aa18a4e7
php-mysql-4.1.2-2.6.i386.rpm 897ddcd4b93844382675a755758b58b3
php-odbc-4.1.2-2.6.i386.rpm 0d51b96ef16708abdfe404131de8efd5
php-pgsql-4.1.2-2.6.i386.rpm 4516d7c5ed4925fe7c83456954bee094
Red Hat Enterprise Linux WS (v. 2.1)
SRPMS:
php-4.1.2-2.6.src.rpm 45a9fe88de571c85e3081199bed74270
IA-32:
php-4.1.2-2.6.i386.rpm 14f4090b987d3a53ebd5278f88aba75e
php-devel-4.1.2-2.6.i386.rpm bd0c6ce444d08bf6002fd26afefa1bc6
php-imap-4.1.2-2.6.i386.rpm c391602eaa50cd5e8901930cf818ac3f
php-ldap-4.1.2-2.6.i386.rpm e15c85a1b5e27a040517e05c1c34b6d9
php-manual-4.1.2-2.6.i386.rpm 87d7b10bc154c5621a361e07aa18a4e7
php-mysql-4.1.2-2.6.i386.rpm 897ddcd4b93844382675a755758b58b3
php-odbc-4.1.2-2.6.i386.rpm 0d51b96ef16708abdfe404131de8efd5
php-pgsql-4.1.2-2.6.i386.rpm 4516d7c5ed4925fe7c83456954bee094
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
SRPMS:
php-4.1.2-2.6.src.rpm 45a9fe88de571c85e3081199bed74270
IA-64:
php-4.1.2-2.6.ia64.rpm e01b0e9ee6b70a1b4abe4232b7744b5e
php-devel-4.1.2-2.6.ia64.rpm 33b846c0a0b290eacab2020211d409c7
php-imap-4.1.2-2.6.ia64.rpm 743bd48d892450eaabc2b33b73d1ff05
php-ldap-4.1.2-2.6.ia64.rpm 3d9e92ff7fbcb55430ce028b3b445d9a
php-manual-4.1.2-2.6.ia64.rpm 165923a244da4768d11b4135dc405c7d
php-mysql-4.1.2-2.6.ia64.rpm 9af447bf493c788ebc77e2cd6748e9ca
php-odbc-4.1.2-2.6.ia64.rpm dc3a195e812eff951c380ba68d62c81e
php-pgsql-4.1.2-2.6.ia64.rpm e3e9126c718e3595278a9d435f2081d7
The Red Hat advisory is available at:
http://rhn.redhat.com/errata/RHSA-2006-0501.html
|
Vendor URL: www.php.net/ (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS:
Linux (Red Hat Enterprise)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Tue, 23 May 2006 16:42:31 -0400
Subject: Moderate: php security update
|
http://rhn.redhat.com/errata/RHSA-2006-0501.html
CVE-2005-2933
CVE-2006-0208
CVE-2006-0996
CVE-2006-1990
|
|
