(Red Hat Issues Fix) PHP Input Validation Hole Permits Cross-Site Scripting Attacks and Other Bugs Have Unspecified Impact
SecurityTracker Alert ID: 1016574
SecurityTracker URL: http://securitytracker.com/id/1016574
CVE Reference: CVE-2006-3016, CVE-2006-3017, CVE-2006-3018
Date: Jul 25 2006
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 5.1.3
Description:
Several vulnerabilities were reported in PHP. A remote user can conduct cross-site scripting attacks. Other security-related flaws were reported, but their impact was not specified.
The phpinfo() function does not properly filter HTML code from user-supplied input before displaying the input. For scripts that invoke phpinfo(), a user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the PHP software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A user may be able to trigger a buffer overflow in the wordwrap() function. The impact was not specified.
A user may be able to trigger a heap corruption within the session extension. The impact was not specified.
A user may be able to cause a variable to persist after the unset() function is called. The impact was not specified.
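An audit sketch for the phpinfo() issue described above, added here and not part of the SecurityTracker alert or the Red Hat advisory: it walks a document root and reports PHP files that actually call phpinfo(), ignoring mentions in comments, string literals and surrounding HTML. The extension list and the sample files are constructed, and the regex matching is a heuristic rather than a PHP parser.

```python
import re
import tempfile
from pathlib import Path

EXTS = {".php", ".phtml", ".inc", ".php3", ".php4", ".php5"}  # assumed handler mappings
# Code between <? / <?php / <?= and ?> (or end of file); HTML outside is ignored.
PHP_BLOCK = re.compile(r"<\?(?:php\b|=)?(.*?)(?:\?>|\Z)", re.DOTALL | re.IGNORECASE)
# String literals and comments, where "phpinfo(" is text rather than a call.
INERT = re.compile(r"""'(?:\\.|[^'\\])*' | "(?:\\.|[^"\\])*"
                     | /\*.*?\*/ | (?://|\#)[^\n]*""", re.DOTALL | re.VERBOSE)
# PHP function names are case-insensitive; skip $phpinfo(), ->phpinfo(), my_phpinfo().
CALL = re.compile(r"(?<![\w$>:])phpinfo\s*\(", re.IGNORECASE)

def phpinfo_calls(source):
    """Return 1-based line numbers of phpinfo() calls in one file's text."""
    found = []
    for block in PHP_BLOCK.finditer(source):
        # Blank out inert text but keep newlines so line numbers stay correct.
        code = INERT.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), block.group(1))
        for call in CALL.finditer(code):
            found.append(source.count("\n", 0, block.start(1) + call.start()) + 1)
    return found

def scan_docroot(root):
    """Map relative path -> line numbers for every PHP file calling phpinfo()."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTS:
            lines = phpinfo_calls(path.read_text(errors="replace"))
            if lines:
                hits[path.relative_to(root).as_posix()] = lines
    return hits

# Constructed sample docroot (not from the advisory).
SAMPLE = {
    "info.php": "<?php\nphpinfo();\n?>\n",
    "admin/status.phtml": "<p>Don't expose phpinfo()</p>\n<?php if ($debug) { PHPInfo(INFO_GENERAL); } ?>\n",
    "lib/safe.php": "<?php\n// phpinfo();\n$s = 'phpinfo() is off';\n/* phpinfo(); */\nmy_phpinfo();\n",
}

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in SAMPLE.items():
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
        return scan_docroot(tmp)
```

Files reported by `scan_docroot()` are candidates for removal from production or for access restriction until the PHP update is installed.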
Impact:
In some cases, a user can access the target user's cookies (including authentication cookies), if any, associated with the site running the PHP software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
The specific impact depends on the applications that use PHP.
The impact of the other vulnerabilities was not disclosed.
Solution:
Red Hat has released a fix.
The Red Hat advisory is available at:
https://rhn.redhat.com/errata/RHSA-2006-0567.html
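A post-update check, added here and not taken from SecurityTracker or Red Hat: it compares installed php packages on Red Hat Enterprise Linux 2.1 against the fixed build php-4.1.2-2.8 named in the Red Hat advisory, using a simplified form of rpm's segment-wise version comparison (no epoch, `~` or `^` handling). The sample input is constructed in the shape printed by `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' ...`; the 2.6 and 2.10 releases in it are hypothetical.

```python
import re

FIXED = ("4.1.2", "2.8")  # version and release of php-4.1.2-2.8 from the advisory

def _segments(s):
    # rpm splits on non-alphanumerics into all-digit or all-letter runs.
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Simplified rpm version compare: returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)              # numeric, so 10 > 8
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # a numeric segment beats an alpha one
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_fixed(version, release):
    c = rpmvercmp(version, FIXED[0])
    return c > 0 or (c == 0 and rpmvercmp(release, FIXED[1]) >= 0)

def unpatched(rpm_output):
    """Return name-version-release for each listed package older than FIXED."""
    stale = []
    for line in rpm_output.splitlines():
        parts = line.split()
        if len(parts) == 3 and not is_fixed(parts[1], parts[2]):
            stale.append("-".join(parts))
    return stale

# Constructed sample query output (hypothetical host).
SAMPLE = """\
php 4.1.2 2.8
php-imap 4.1.2 2.6
php-ldap 4.1.2 2.10
package php-odbc is not installed
"""

if __name__ == "__main__":
    print(unpatched(SAMPLE))
```

Release 2.10 sorts after 2.8 here, which a plain string or float comparison would get wrong.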
Vendor URL: www.php.net/release_5_1_3.php
Cause: Boundary error, Input validation error
Underlying OS: Linux (Red Hat Enterprise)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Tue, 25 Jul 2006 08:25:12 -0400
Subject: [RHSA-2006:0567-01] Moderate: php security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ---------------------------------------------------------------------
Red Hat Security Advisory
Synopsis: Moderate: php security update
Advisory ID: RHSA-2006:0567-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2006-0567.html
Issue date: 2006-07-25
Updated on: 2006-07-25
Product: Red Hat Enterprise Linux
CVE Names: CVE-2002-2214 CVE-2006-1494 CVE-2006-3017
- ---------------------------------------------------------------------
1. Summary:
Updated PHP packages that fix multiple security issues are now available
for Red Hat Enterprise Linux 2.1
This update has been rated as having moderate security impact by the Red
Hat Security Response Team.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
3. Problem description:
PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Web server.
A flaw was found in the zend_hash_del() PHP function. For PHP scripts that
rely on the use of the unset() function, a remote attacker could force
variable initialization to be bypassed. This would be a security issue
particularly for installations that enable the "register_globals" setting.
"register_globals" is disabled by default in Red Hat Enterprise Linux.
(CVE-2006-3017)
A directory traversal vulnerability was found in PHP. Local users could
bypass open_basedir restrictions allowing remote attackers to create files
in arbitrary directories via the tempnam() function. (CVE-2006-1494)
A flaw was found in the PHP IMAP MIME header decoding function. An
attacker could craft a message with an overly long header which caused
PHP to crash. (CVE-2002-2214)
Users of PHP should upgrade to these updated packages, which contain
backported patches that resolve these issues.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via Red Hat Network. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:
up2date
This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.
5. Bug IDs fixed (http://bugzilla.redhat.com/):
195495 - CVE-2002-2214 php imap To header buffer overflow
196257 - CVE-2006-3017 zend_hash_del bug
197050 - CVE-2006-1494 PHP tempname open_basedir issue
6. RPMs required:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/php-4.1.2-2.8.src.rpm
Red Hat Linux Advanced Workstation 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/php-4.1.2-2.8.src.rpm
Red Hat Enterprise Linux ES version 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/php-4.1.2-2.8.src.rpm
Red Hat Enterprise Linux WS version 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/php-4.1.2-2.8.src.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
7. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2214
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1494
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3017
http://www.php.net/register_globals
http://www.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/
Copyright 2006 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFExg2lXlSAg2UNWIIRAlBqAKCasxXredz0b35TY/KcKofrlFYTlgCdHeA5
sh05mr/MHMArqz1zE6X3Fkk=
=oEw2
-----END PGP SIGNATURE-----