OpenPKG Security Advisory
OpenPKG-SA-2006.023
Publisher Name: OpenPKG GmbH
Publisher Home: http://openpkg.com/
Advisory Id (public): OpenPKG-SA-2006.023
Advisory Type: OpenPKG Security Advisory (SA)
Advisory Directory: http://openpkg.com/go/OpenPKG-SA
Advisory Document: http://openpkg.com/go/OpenPKG-SA-2006.023
Advisory Published: 2009-07-03 02:56 UTC
Issue Id (internal): OpenPKG-SI-20061017.01
Issue First Created: 2006-10-17
Issue Last Modified: 2006-12-07
Issue Revision: 09
Subject Name: PHP
Subject Summary: Personal HomePage (PHP)
Subject Home: http://www.php.net/
Subject Versions: * <= 5.1.6
Vulnerability Id: CVE-2006-4625, CVE-2006-4812, CVE-2006-5178
Vulnerability Scope: global (not OpenPKG specific)
Attack Feasibility: run-time
Attack Vector:
Attack Impact: privilege escalation, arbitrary code execution
Description:
According to a security advisory [1] from Maksymilian Arciemowicz,
a vulnerability exists in the programming language PHP [0] which
allows local users to bypass certain Apache HTTP server "httpd.conf"
options, such as "safe_mode" and "open_basedir", via the "ini_restore"
function, which resets the values to their "php.ini" (master value)
defaults (CVE-2006-4625).

According to a security advisory [2] from the Hardened-PHP project, an
integer overflow bug exists in the programming language PHP [0] which
allows remote attackers to execute arbitrary code via an argument to
the "unserialize" PHP function with a large value for the number of
array elements, which triggers the overflow in the underlying Zend
Engine "ecalloc" function (CVE-2006-4812).

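The size computation behind this class of bug, as an added example that is not PHP or Zend Engine code: it shows how an element count multiplied by an element size wraps to a tiny allocation, next to an allocator that rejects the request. The names unchecked_alloc_size, checked_calloc and wrapping_count are hypothetical, and the element size of 16 is a constructed value.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical: the byte count an allocator ends up with when it
 * multiplies count * size without an overflow check. size_t arithmetic
 * wraps modulo SIZE_MAX + 1, so a huge count can yield a small size. */
size_t unchecked_alloc_size(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Hypothetical hardened allocator: refuse any request whose true
 * product does not fit in size_t, instead of allocating the wrapped size. */
void *checked_calloc(size_t nmemb, size_t size)
{
    if (size != 0 && nmemb > SIZE_MAX / size) {
        errno = ENOMEM;
        return NULL;
    }
    return calloc(nmemb, size);
}

/* Constructed sample input: for a power-of-two elem_size, this count
 * makes count * elem_size wrap to exactly one element's worth of bytes. */
size_t wrapping_count(size_t elem_size)
{
    return SIZE_MAX / elem_size + 2;
}

int main(void)
{
    size_t elem = 16;                 /* constructed element size */
    size_t n = wrapping_count(elem);  /* stands in for the array length
                                         read from serialized input */

    printf("elements requested : %zu\n", n);
    printf("unchecked byte size: %zu\n", unchecked_alloc_size(n, elem));

    void *p = checked_calloc(n, elem);
    printf("checked_calloc     : %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```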
According to a security advisory [3] from the Hardened-PHP project, a
race condition exists in the "symlink" function of the programming
language PHP [0] which allows local users to bypass the "open_basedir"
restriction by using a combination of "symlink", "mkdir", and "unlink"
functions to change the file path after the "open_basedir" check and
before the file is opened by the underlying system, as demonstrated
by symlinking a symlink into a subdirectory, to point to a parent
directory via ".." sequences, and then unlinking the resulting
symlink (CVE-2006-5178).
References:
[0] http://www.php.net/
[1] http://securityreason.com/achievement_securityalert/42
[2] http://www.hardened-php.net/advisory_092006.133.html
[3] http://www.hardened-php.net/advisory_082006.132.html
Primary Package Name: php
Primary Package Home: http://openpkg.org/go/package/php
Affected Distribution:    Affected Branch:     Affected Package:
OpenPKG Enterprise        E1.0-SOLID           n/a
OpenPKG Community         2-STABLE-20061018    n/a
OpenPKG Community         2-STABLE             php-5.1.5-2.20060818
OpenPKG Community         CURRENT              php-5.1.6-20061013
Corrected Distribution:   Corrected Branch:    Corrected Package:
OpenPKG Enterprise        E1.0-SOLID           n/a
OpenPKG Community         2-STABLE-20061018    n/a
OpenPKG Community         2-STABLE             php-5.1.6-2.20061018
OpenPKG Community         CURRENT              php-5.1.6-20061017