USN-232-1: PHP vulnerabilities

23 December 2005

php4, php5 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 5.10
  • Ubuntu 5.04
  • Ubuntu 4.10

Software Description

Details

Eric Romang discovered a local Denial of Service vulnerability in the handling of the ‘session.save_path’ parameter in PHP’s Apache 2.0 module. By setting this parameter to an invalid value in an .htaccess file, a local user could crash the Apache server. (CVE-2005-3319)

A Denial of Service flaw was found in the EXIF module. By sending an image with specially crafted EXIF data to a PHP program that automatically evaluates them (e. g. a web gallery), a remote attacker could cause an infinite recursion in the PHP interpreter, which caused the web server to crash. (CVE-2005-3353)

Stefan Esser reported a Cross Site Scripting vulnerability in the phpinfo() function. By tricking a user into retrieving a specially crafted URL to a PHP page that exposes phpinfo(), a remote attacker could inject arbitrary HTML or web script into the output page and possibly steal private data like cookies or session identifiers. (CVE-2005-3388)

Stefan Esser discovered a vulnerability of the parse_str() function when it is called with just one argument. By calling such programs with specially crafted parameters, a remote attacker could enable the ‘register_globals’ option which is normally turned off for security reasons. Once this option is enabled, the remote attacker could exploit other security flaws of PHP programs which are normally protected by ‘register_globals’ being deactivated. (CVE-2005-3389)

Stefan Esser discovered that a remote attacker could overwrite the $GLOBALS array in PHP programs that allow file uploads and run with ‘register_globals’ enabled. Depending on the particular application, this can lead to unexpected vulnerabilities. (CVE-2005-3390)

The ‘gd’ image processing and cURL modules did not properly check processed file names against the ‘open_basedir’ and ‘safe_mode’ restrictions, which could be exploited to circumvent these limitations. (CVE-2005-3391)

Another bypass of the ‘open_basedir’ and ‘safe_mode’ restrictions was found in virtual() function. A local attacker could exploit this to circumvent these restrictions with specially crafted PHP INI files when virtual Apache 2.0 hosts are used. (CVE-2005-3392)

The mb_send_mail() function did not properly check its arguments for invalid embedded line breaks. By setting the ‘To:’ field of an email to a specially crafted value in a PHP web mail application, a remote attacker could inject arbitrary headers into the sent email. (CVE-2005-3883)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 5.10
libapache2-mod-php4
libapache2-mod-php5
php4
php4-cgi
php4-cli
php4-curl
php4-gd
php5
php5-cgi
php5-cli
php5-curl
php5-gd
Ubuntu 5.04
libapache2-mod-php4
libapache2-mod-php5
php4
php4-cgi
php4-cli
php4-curl
php4-gd
php5
php5-cgi
php5-cli
php5-curl
php5-gd
Ubuntu 4.10
libapache2-mod-php4
libapache2-mod-php5
php4
php4-cgi
php4-cli
php4-curl
php4-gd
php5
php5-cgi
php5-cli
php5-curl
php5-gd

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

References