PHP Prior to 5.2.2/4.4.7 Multiple Remote Buffer Overflow Vulnerabilities

Bugtraq ID:	23813
Class:	Boundary Condition Error
CVE:	CVE-2007-1864 CVE-2007-2509 CVE-2007-2510 CVE-2007-2511
Remote:	Yes
Local:	No
Published:	May 04 2007 12:00AM
Updated:	Mar 19 2015 09:32AM
Credit:	Ilia Alshanetsky and Stanislav Maylshev independently discovered these vulnerabilities.
Vulnerable:	Ubuntu Ubuntu Linux 7.04 sparc Ubuntu Ubuntu Linux 7.04 powerpc Ubuntu Ubuntu Linux 7.04 i386 Ubuntu Ubuntu Linux 7.04 amd64 Ubuntu Ubuntu Linux 6.10 sparc Ubuntu Ubuntu Linux 6.10 powerpc Ubuntu Ubuntu Linux 6.10 i386 Ubuntu Ubuntu Linux 6.10 amd64 Ubuntu Ubuntu Linux 6.06 LTS sparc Ubuntu Ubuntu Linux 6.06 LTS powerpc Ubuntu Ubuntu Linux 6.06 LTS i386 Ubuntu Ubuntu Linux 6.06 LTS amd64 Trustix Secure Linux 3.0.5 Trustix Secure Linux 3.0 Trustix Secure Linux 2.2 Trustix Secure Enterprise Linux 2.0 SuSE SUSE Linux Enterprise Server 9 SuSE SUSE Linux Enterprise Server 8 + Linux kernel 2.4.21 + Linux kernel 2.4.19 SuSE SUSE Linux Enterprise Server 10 SP1 SuSE SUSE Linux Enterprise SDK 10.SP1 S.u.S.E. UnitedLinux 1.0 S.u.S.E. SuSE Linux Standard Server 8.0 S.u.S.E. SuSE Linux School Server for i386 S.u.S.E. SUSE LINUX Retail Solution 8.0 S.u.S.E. SuSE Linux Openexchange Server 4.0 S.u.S.E. openSUSE 10.2 S.u.S.E. Open-Enterprise-Server 0 S.u.S.E. Novell Linux POS 9 S.u.S.E. Linux 10.1 x86-64 S.u.S.E. Linux 10.1 x86 S.u.S.E. Linux 10.1 ppc S.u.S.E. Linux 10.0 x86-64 S.u.S.E. Linux 10.0 x86 S.u.S.E. Linux 10.0 ppc rPath rPath Linux 1 RedHat Enterprise Linux WS 4 RedHat Enterprise Linux WS 3 RedHat Enterprise Linux WS 2.1 IA64 RedHat Enterprise Linux WS 2.1 RedHat Enterprise Linux ES 4 RedHat Enterprise Linux ES 3 RedHat Enterprise Linux ES 2.1 IA64 RedHat Enterprise Linux ES 2.1 RedHat Desktop 4.0 RedHat Desktop 3.0 RedHat Advanced Workstation for the Itanium Processor 2.1 IA64 RedHat Advanced Workstation for the Itanium Processor 2.1 Red Hat Enterprise Linux Desktop 5 client Red Hat Enterprise Linux AS 4 Red Hat Enterprise Linux AS 3 Red Hat Enterprise Linux AS 2.1 IA64 Red Hat Enterprise Linux AS 2.1 Red Hat Enterprise Linux 5 Server PHP PHP 5.2.1 + Ubuntu Ubuntu Linux 7.04 sparc + Ubuntu Ubuntu Linux 7.04 powerpc + Ubuntu Ubuntu Linux 7.04 i386 + Ubuntu Ubuntu Linux 7.04 amd64 PHP PHP 5.1.6 + Ubuntu Ubuntu Linux 6.10 sparc + Ubuntu Ubuntu Linux 6.10 powerpc + Ubuntu Ubuntu Linux 6.10 i386 + Ubuntu Ubuntu Linux 6.10 amd64 PHP PHP 5.1.5 PHP PHP 5.1.4 PHP PHP 5.1.3 -RC1 PHP PHP 5.1.3 PHP PHP 5.1.2 PHP PHP 5.1.1 PHP PHP 5.1 PHP PHP 5.0.5 PHP PHP 5.0.4 PHP PHP 5.0.3 PHP PHP 5.0.2 PHP PHP 5.0.1 PHP PHP 5.0 candidate 3 PHP PHP 5.0 candidate 2 PHP PHP 5.0 candidate 1 PHP PHP 5.0 .0 PHP PHP 4.4.6 PHP PHP 4.4.5 PHP PHP 4.4.4 PHP PHP 4.4.3 PHP PHP 4.4.2 PHP PHP 4.4.1 PHP PHP 4.4 .0 PHP PHP 4.3.11 PHP PHP 4.3.10 PHP PHP 4.3.9 PHP PHP 4.3.8 + Mandriva Linux Mandrake 10.1 x86_64 + Mandriva Linux Mandrake 10.1 + S.u.S.E. Linux Personal 9.2 + Turbolinux Turbolinux Server 10.0 + Ubuntu Ubuntu Linux 4.1 ppc + Ubuntu Ubuntu Linux 4.1 ia64 + Ubuntu Ubuntu Linux 4.1 ia32 PHP PHP 4.3.7 PHP PHP 4.3.6 PHP PHP 4.3.5 PHP PHP 4.3.4 PHP PHP 4.3.3 + S.u.S.E. Linux Personal 9.0 x86_64 + S.u.S.E. Linux Personal 9.0 + Turbolinux Home + Turbolinux Turbolinux 10 F... + Turbolinux Turbolinux Desktop 10.0 PHP PHP 4.3.2 PHP PHP 4.3.1 PHP PHP 4.3 PHP PHP 4.2.3 PHP PHP 4.2.2 PHP PHP 4.2.1 - FreeBSD FreeBSD 4.6 - FreeBSD FreeBSD 4.5 - FreeBSD FreeBSD 4.4 - FreeBSD FreeBSD 4.3 + Slackware Linux 8.1 PHP PHP 4.2 .0 PHP PHP 4.2 -dev PHP PHP 4.1.2 PHP PHP 4.1.1 PHP PHP 4.1 .0 + S.u.S.E. Linux 8.0 i386 + S.u.S.E. Linux 8.0 PHP PHP 4.0.7 RC3 PHP PHP 4.0.7 RC2 PHP PHP 4.0.7 RC1 PHP PHP 4.0.7 PHP PHP 4.0.6 PHP PHP 4.0.5 PHP PHP 4.0.4 PHP PHP 4.0.3 pl1 + S.u.S.E. Linux 6.4 ppc + S.u.S.E. Linux 6.4 i386 + S.u.S.E. Linux 6.4 alpha + S.u.S.E. Linux 6.4 PHP PHP 4.0.3 + Debian Linux 2.2 sparc + Debian Linux 2.2 powerpc + Debian Linux 2.2 IA-32 + Debian Linux 2.2 arm + Debian Linux 2.2 alpha + Debian Linux 2.2 68k + Debian Linux 2.2 + Sun Cobalt Control Station 4100CS + Sun Cobalt Qube3 Japanese 4000WGJ + Sun Cobalt Qube3 Japanese w/ Caching and RAID 4100WGJ + Sun Cobalt Qube3 Japanese w/Caching 4010WGJ + Sun Cobalt RaQ XTR 3500R + Sun Cobalt RaQ XTR Japanese 3500R-ja PHP PHP 4.0.2 PHP PHP 4.0.1 pl2 PHP PHP 4.0.1 pl1 PHP PHP 4.0.1 + Sun Cobalt Qube3 4000WG + Sun Cobalt Qube3 w/ Caching and RAID 4100WG + Sun Cobalt Qube3 w/Caching 4010WG + Sun Cobalt RaQ4 3001R + Sun Cobalt RaQ4 Japanese RAID 3100R-ja + Sun Cobalt RaQ4 RAID 3100R PHP PHP 4.0 0 PHP PHP 5.2 Mandriva Linux Mandrake 2007.1 x86_64 Mandriva Linux Mandrake 2007.1 Mandriva Linux Mandrake 2007.0 x86_64 Mandriva Linux Mandrake 2007.0 MandrakeSoft Corporate Server 4.0 x86_64 MandrakeSoft Corporate Server 4.0 Gentoo Linux Debian Linux 4.0 sparc Debian Linux 4.0 s/390 Debian Linux 4.0 powerpc Debian Linux 4.0 mipsel Debian Linux 4.0 mips Debian Linux 4.0 m68k Debian Linux 4.0 ia-64 Debian Linux 4.0 ia-32 Debian Linux 4.0 hppa Debian Linux 4.0 arm Debian Linux 4.0 amd64 Debian Linux 4.0 alpha Debian Linux 4.0 Avaya Communication Manager 2.0 Avaya Communication Manager 4.0 Avaya CCS 3.1.1 Avaya Aura SIP Enablement Services 3.1.1 Avaya Aura Application Enablement Services 4.0
Not Vulnerable:	PHP PHP 5.2.2 PHP PHP 4.4.7 - Slackware Linux 10.2 - Slackware Linux 11.0 - Slackware Linux -current

PHP Prior to 5.2.2/4.4.7 Multiple Remote Buffer Overflow Vulnerabilities

PHP is prone to three remote buffer-overflow vulnerabilities because the application fails to perform boundary checks before copying user-supplied data to insufficiently sized memory buffers.

An attacker can exploit these issues to execute arbitrary machine code in the context of the affected webserver. Failed exploit attempts will likely crash the webserver, denying service to legitimate users.

All three issues affect PHP 5.2.1 and prior versions; PHP 4.4.6 and prior versions are affected only by one of the issues.

Few details are available at the moment. These issues may have been previously described in other BIDs. This record may be updated or retired if further analysis shows that these issues have been reported in the past.

PHP Prior to 5.2.2/4.4.7 Multiple Remote Buffer Overflow Vulnerabilities

Currently we are not aware of any exploits for these issues. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

PHP Prior to 5.2.2/4.4.7 Multiple Remote Buffer Overflow Vulnerabilities

Solution:
The vendor has released PHP 5.2.2 and 4.4.7 to address these issues. Please see the referenced advisories for more information.


PHP PHP 4.0 0

• PHP php-4.4.7-Win32.zip
  http://www.php.net/get/php-4.4.7-Win32.zip/from/a/mirror


• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.0.1

• PHP php-4.4.7-Win32.zip
  http://www.php.net/get/php-4.4.7-Win32.zip/from/a/mirror


• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.0.1 pl2

• PHP php-4.4.7-Win32.zip
  http://www.php.net/get/php-4.4.7-Win32.zip/from/a/mirror


• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.0.2

• PHP php-4.4.7-Win32.zip
  http://www.php.net/get/php-4.4.7-Win32.zip/from/a/mirror


• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.0.3 pl1

• PHP php-4.4.7-Win32.zip
  http://www.php.net/get/php-4.4.7-Win32.zip/from/a/mirror


• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.0.3

• PHP php-4.4.7-Win32.zip
  http://www.php.net/get/php-4.4.7-Win32.zip/from/a/mirror


• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.0.5

• PHP php-4.4.7-Win32.zip
  http://www.php.net/get/php-4.4.7-Win32.zip/from/a/mirror


• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.0.7 RC1

• PHP php-4.4.7-Win32.zip
  http://www.php.net/get/php-4.4.7-Win32.zip/from/a/mirror


• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.0.7 RC2

• PHP php-4.4.7-Win32.zip
  http://www.php.net/get/php-4.4.7-Win32.zip/from/a/mirror


• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.0.7

• PHP php-4.4.7-Win32.zip
  http://www.php.net/get/php-4.4.7-Win32.zip/from/a/mirror


• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.1 .0

• PHP php-4.4.7-Win32.zip
  http://www.php.net/get/php-4.4.7-Win32.zip/from/a/mirror


• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.2 -dev

• PHP php-4.4.7-Win32.zip
  http://www.php.net/get/php-4.4.7-Win32.zip/from/a/mirror


• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.2.1

• PHP php-4.4.7-Win32.zip
  http://www.php.net/get/php-4.4.7-Win32.zip/from/a/mirror


• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.3

• PHP php-4.4.7-Win32.zip
  http://www.php.net/get/php-4.4.7-Win32.zip/from/a/mirror


• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.3.2

• PHP php-4.4.7-Win32.zip
  http://www.php.net/get/php-4.4.7-Win32.zip/from/a/mirror


• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.3.3

• PHP php-4.4.7-Win32.zip
  http://www.php.net/get/php-4.4.7-Win32.zip/from/a/mirror


• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.3.5

• PHP php-4.4.7-Win32.zip
  http://www.php.net/get/php-4.4.7-Win32.zip/from/a/mirror


• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.3.6

• PHP php-4.4.7-Win32.zip
  http://www.php.net/get/php-4.4.7-Win32.zip/from/a/mirror


• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.3.8

• PHP php-4.4.7-Win32.zip
  http://www.php.net/get/php-4.4.7-Win32.zip/from/a/mirror


• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.3.9

• PHP php-4.4.7-Win32.zip
  http://www.php.net/get/php-4.4.7-Win32.zip/from/a/mirror


• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.4.1

• PHP php-4.4.7-Win32.zip
  http://www.php.net/get/php-4.4.7-Win32.zip/from/a/mirror


• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.4.2

• PHP php-4.4.7-Win32.zip
  http://www.php.net/get/php-4.4.7-Win32.zip/from/a/mirror


• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.4.4

• PHP php-4.4.7-Win32.zip
  http://www.php.net/get/php-4.4.7-Win32.zip/from/a/mirror


• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.4.5

• PHP php-4.4.7-Win32.zip
  http://www.php.net/get/php-4.4.7-Win32.zip/from/a/mirror


• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.4.6

• PHP php-4.4.7-Win32.zip
  http://www.php.net/get/php-4.4.7-Win32.zip/from/a/mirror


• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 5.0 .0

• PHP php-5.2.2-win32-installer.msi
  http://www.php.net/get/php-5.2.2-win32-installer.msi/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 5.0 candidate 1

• PHP php-5.2.2-win32-installer.msi
  http://www.php.net/get/php-5.2.2-win32-installer.msi/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 5.0.1

• PHP php-5.2.2-win32-installer.msi
  http://www.php.net/get/php-5.2.2-win32-installer.msi/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 5.0.2

• PHP php-5.2.2-win32-installer.msi
  http://www.php.net/get/php-5.2.2-win32-installer.msi/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 5.0.4

• PHP php-5.2.2-win32-installer.msi
  http://www.php.net/get/php-5.2.2-win32-installer.msi/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 5.1

• PHP php-5.2.2-win32-installer.msi
  http://www.php.net/get/php-5.2.2-win32-installer.msi/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 5.1.1

• PHP php-5.2.2-win32-installer.msi
  http://www.php.net/get/php-5.2.2-win32-installer.msi/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 5.1.3 -RC1

• PHP php-5.2.2-win32-installer.msi
  http://www.php.net/get/php-5.2.2-win32-installer.msi/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 5.1.4

• PHP php-5.2.2-win32-installer.msi
  http://www.php.net/get/php-5.2.2-win32-installer.msi/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 5.1.5

• PHP php-5.2.2-win32-installer.msi
  http://www.php.net/get/php-5.2.2-win32-installer.msi/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 5.1.6

• PHP php-5.2.2-win32-installer.msi
  http://www.php.net/get/php-5.2.2-win32-installer.msi/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 5.2.1

• PHP php-5.2.2-win32-installer.msi
  http://www.php.net/get/php-5.2.2-win32-installer.msi/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP Prior to 5.2.2/4.4.7 Multiple Remote Buffer Overflow Vulnerabilities

References:

• ASA-2007-231 PHP security update (Avaya)
  
• PHP 4.4.7 Release Announcement (PHP)
  
• PHP 5.2.2 Release Announcement (PHP)
  
• PHP Homepage (PHP Group)
  
• USN-462-1 - php5 vulnerabilities (Ubuntu)
  
• RHSA-2007:0348-2 php security update (Red Hat)
  
• RHSA-2007:0349-2 php security update (Red Hat)
  
• RHSA-2007:0888-2 - php security update (Red Hat)
  
• RHSA-2007:0889-5 php security update (Red Hat)
  
• SUSE Security Announcement SUSE-SA:2007:044 (SUSE)