23.10.2007: PHP 5.x COM functions safe_mode and disable_function bypass ^medium

An exploit for PHP's COM objects on the 5.x series has been reported by shinnai - an issue that allows for a bypass of safe_mode and disable_function settings.

The exploit has been published as a PHP file for easy testing on your Windows/PHP installation (it was tested on WinXP Pro SP2 on both the CLI and Apache). No additional modules are needed for this exploit - only the COM functions and a Windows system.

The issue comes from an overflow in the str_repeat function allowing for the execution of whatever applications the developer wants on the remote Windows machine (including the ability to create and remove files and directories). There is no path for this issue currently (should be corrected in the next minor PHP release).

17.07.2007: PHP "glob()" Code Execution Vulnerability ^low

shinnai has discovered a vulnerability in PHP, which can be exploited by malicious, local users to bypass certain security restrictions.

The vulnerability is caused due to an error in the handling of an uninitialized structure inside the "glob()" function. This can be exploited to execute arbitrary code, which may lead to security restrictions (e.g. the "disable_functions" directive) being bypassed.

The vulnerability is confirmed in the 5.2.3 win32 installer. Other versions may also be affected.

Solution:
Fixed in the CVS repository.

08.01.2007: Wordpress Security Update ^high

For all those not reading security mailinglists. It is time to upgrade your WordPress blog (if you are among those, not using Serendipity). Today WordPress 2.0.6 was released that fixes several security vulnerabilities. Among these security fixes are two dangerous vulnerabilities reported by us.


The first vulnerability is an XSS (Cross Site Scripting) hole in WordPress's own CSRF protection. [READ MORE]


And the second vulnerability is a very interesting SQL injection. Very interesting, because it abuses charset conversion support to bypass the database escaping routines. Our demo exploit uses UTF-7. [READ MORE]



Both vulnerabilities have the potential to compromise the admin account, which in case of WordPress might allow arbitrary PHP code execution due to WordPress features.

05.12.2006: Remote code execution vulnerability in the uploadprogressmeter extension ^medium

The fileupload extension contained a possible remote code execution vulnerability that can be abused by malicious POST fileupload requests.

Suhosin did not only stop this possible code execution exploit but helped ordinary users to detect it in the first place. Once again a dangerous and unknown vulnerability was killed once and for all by the simple use of Suhosin-Patch.

This remote vulnerability was patched in CVS.

22.11.2006: New PostNuke version closes security holes ^high

A vulnerability has been removed from version 0.764 of PostNuke, a PHP content management system, that allowed attackers to inject their own PHP scripts and execute them with the web server's rights. The problem was caused by faulty filtering of the PNSVlang variable in the error.php module, the bug report claims. This in turn enabled directory traversal ? a breaking out from the standard paths proscribed by the system. Still, the hole could only be used to embed and execute locally stored PHP scripts, which means that further steps were required for a successful attack.

15.11.2006: Dotdeb PHP Email Header Injection Vulnerability ^high

Quote from http://www.dotdeb.org
"Dotdeb is an unofficial repository containing many packages for the Debian stable (aka .Sarge.) distribution :
* PHP, versions 4 & 5,
* MySQL,versions 4.1 & 5.0,
* Qmail,
* Vpopmail...

Its goal is to turn easily your Debian GNU/Linux boxes into powerful, stable and up-to-date LAMP servers."

It was discovered that the Dotdeb PHP packages are patched with a mail() protection patch that was originally created by Steve
Bennett and is nowadays developed at choon.net. This patch adds an X-PHP-Script header to outgoing mails that contains the name of the server, the script and the calling IP.

Unfortunately the script name is directly copied from PHP's PHP_SELF variable without further processing. Because PHP_SELF does not only contain the script name but also the urldecoded content of PATH_INFO this allows injection of arbitrary content into the email headers.

Because of this vulnerability on every PHP server that uses this patch every PHP script that uses the mail() function can be used to send either spam mail or tricked into disclosing sensitive content by injecting Bcc: headers.

A possible attack could be injecting Bcc: headers into password reminder/password reset mails sent out by forums to break into the administrator account.

06.11.2006: PHP HTML Entity Encoder Heap Overflow Vulnerability (PHP 5 <= 5.1.6, PHP 4 <= 4.4.4) ^high

Bufferoverflows in htmlentities() and htmlspecialchars() may result in arbitrary remote code execution.

While we were searching for a hole in htmlspecialchars() and htmlentities() to bypass the encoding of certain chars to exploit a possible eval() injection hole in another application we discovered that the implementation contains a possible bufferoverflow that can be triggered when the UTF-8 charset is selected.

Unfortunately the whole purpose of both functions is to prepare userinput for HTML output. Therefore they are used in most PHP applications as protection against XSS and are always exposed to userinput.

By triggering the overflow it is possible to overwrite heap management structures with a limited charset. This can result in remote code execution. Exploitability has been proven against for example Linux with glibc 2.3 in a test environment. It depends on the heap layout, the OS heap implementation and the used Zend Memory Manager.

10.10.2006: dvisory 09/2006: PHP unserialize() Array Creation Integer Overflow ^high

The PHP 5 branch of the PHP source code lacks the protection against possible integer overflows inside ecalloc() that is present in the PHP 4 branch and also for several years part of our Hardening-Patch and our new Suhosin-Patch.
It was discovered that such an integer overflow can be triggered when user input is passed to the unserialize() function. Earlier vulnerabilities in PHP's unserialize() that were also discovered by one of our audits in December 2004 are unrelated to the newly discovered flaw, but they have shown, that the unserialize() function is exposed to user-input in many popular PHP applications. Examples for applications that use the content of COOKIE variables with unserialize() are phpBB and Serendipity.

The successful exploitation of this integer overflow will result in arbitrary code execution.

05.06.2006: DokuWiki PHP code execution vulnerability in spellchecker ^high

While searching for the perfect Wiki PHP application for my own german/korean wiki I tested DokuWiki and found an ugly security hole, that allows remote PHP code injection through it's AJAX spellchecking service.

02.06.2006: PHP-Sicherheit: Vorsicht vor popen() und proc_open() ^medium

Zugriffe auf das Dateisystem eines Webservers sind allgemein ein großes Problem und werden fachkundig mittels open_basedir abgesichert. Der Start von Shell-Kommandos in PHP-Scripts ermöglicht es Angreifern, diese Beschränkungen zu umgehen, sodass sie Leserechte auf weite Teile des Dateisystems erhalten: Außer Systemdateien des /etc-Verzeichnisses sind auch temporäre Dateien mit Session-Informationen fremder Nutzer einsehbar. Von anderen Webpräsenzen auf demselben Server sind die Passwörter der .htpasswd-Dateien beziehungsweise MySQL-Zugangsdaten einsehbar.

• [02.06.2006]: MySQL Multibyte Encoding SQL Injection Vulnerability
• [02.06.2006]: Drupal Taxonomy Module Cross-Site Scripting Vulnerability
• [02.06.2006]: Squirrelmail plugin.php Local File Inclusion Vulnerability
• [30.05.2006]: cURL Safe Mode Bypass PHP
• [11.05.2006]: Jadu CMS "register.php" Cross-Site Scripting Vulnerabilities
• [08.05.2006]: PAJAX XSS and File Inclusion
• [01.05.2006]: PHP Newsfeed SQL Injection Vulnerabilities
• [01.05.2006]: phpwcms Multiple Vulnerabilities
• [01.05.2006]: TextFileBB BBcode Script Insertion Vulnerability
• [01.05.2006]: PHP Pro Publish SQL Injection Vulnerabilities