



News Archive

PHP.net:
PHP 5.2.6 Released
May 02, 2008 @ 07:51:13

The PHP development team has released the latest version in the PHP 5.2.x series today - version 5.2.6:

This release focuses on improving the stability of the PHP 5.2.x branch with over 120 bug fixes, several of which are security related. All users of PHP are encouraged to upgrade to this release. Further details about the PHP 5.2.6 release can be found in the release announcement for 5.2.6, the full list of changes is available in the ChangeLog for PHP 5.

Security updates include prevention of a buffer overflow in FastCGI mode, an integer overflow in printf, correction for a safe_mode bypass method in cURL and the bundling of PCRE 7.6 to update the regular expression functionality of the language.

You can grab this latest release from the downloads page on PHP.net (or your favorite mirror) - both the source and the Windows binaries.



Milw0rm.com:
Exploit - PHP5 COM Object Security Bypass (Windows)
October 23, 2007 @ 09:31:00

An exploit for PHP's COM objects on the 5.x series has been reported by shinnai - an issue that allows for a bypass of the safe_mode and disable_functions settings.

The exploit has been published as a PHP file for easy testing on your Windows/PHP installation (it was tested on WinXP Pro SP2 on both the CLI and Apache). No additional modules are needed for this exploit - only the COM functions and a Windows system.

The issue comes from an overflow in the str_repeat function, allowing for the execution of whatever applications the developer wants on the remote Windows machine (including the ability to create and remove files and directories). There is currently no patch for this issue (it should be corrected in the next minor PHP release).



PHP Security Blog:
Chunk_split() Overflow not fixed at all...
June 05, 2007 @ 07:41:00

In this new post to the PHP Security blog, Stefan Esser points out that an issue that was previously marked as corrected - a problem with the chunk_split function - hasn't completely been corrected.

This [bugfix] fixes the chunk_split() overflow (found by SEC-CONSULT) that was according to the PHP 5.2.3 release notes already fixed. The original fix was however not only broken but complete nonsense. If you can read C you will see that the integer overflow was not fixed in PHP 5.2.3 but simply moved into a separate line and an additional bogus if clause was added.

Stefan includes a simple four line code example to illustrate his point.



Secunia.com:
PHP Integer Overflow Vulnerability and Security Bypass
June 01, 2007 @ 11:33:00

Secunia has released an advisory for PHP today related to an issue caused by an integer overflow that could allow an application's security restrictions to be bypassed.

A weakness and a vulnerability have been reported in PHP 5, where the vulnerability has unknown impact and the weakness can be exploited by malicious, local users to bypass certain security restrictions.

The problems lie in the chunk_split and realpath functions and can lead to a bypass of the open_basedir restriction on a server.

The issue is marked as "moderately critical" and it is suggested that users update to PHP 5.2.3 to correct the issue.



Stefan Esser's Blog:
PHP 4 - Reference Counter Overflow Fix
May 21, 2007 @ 08:47:00

Stefan Esser has a new post mentioning a new patch that he's created to help correct an issue with the ZVAL Reference Counter that could cause a buffer overflow in an application.

When a PHP application is run in PHP 4 it can overflow the variable reference counter because it is only 16 bit wide. Whenever this happens it will result in a double destruction of the underlying variable. A local attacker can easily create PHP code that uses such a double destruction to execute arbitrary code within the process executing PHP (e.g. webserver process). This allows bypassing restrictions enforced by disable_functions, open_basedir, SAFE_MODE or to launch direct local root exploits against the target system.

The patch [tar.gz] fixes the issue while preserving backwards compatibility. You can either grab it now and apply it to your distribution (the sooner the better) or wait until it gets merged into the PHP CVS version and released with the next bug fix release.



Secunia:
Cisco Products PHP "htmlentities()" and "htmlspecialchars()" Buffer Overflows
April 26, 2007 @ 07:55:00

Cisco product users should check out this latest issue Secunia has released today - a problem with the htmlentities and htmlspecialchars functions that can lead to buffer overflows.

The vulnerabilities are caused due to boundary errors within the "htmlentities()" and "htmlspecialchars()" functions. If a PHP application uses these functions to process user-supplied input, this can be exploited to cause a heap-based buffer overflow by passing specially crafted data to the affected application.

Successful exploitation may allow execution of arbitrary code, but requires that the UTF-8 character set is selected.

Products affected include the Network Analysis Modules (NAM) for Cisco 6500 switch, Cisco 7600 router/Branch Routers and the CiscoWorks Wireless LAN Solution Engine (WLSE) and CiscoWorks Wireless LAN Solution (among others, check out the advisory for a more complete list).

Some patches have been released to correct this issue (like the one for the Cisco Unified Application Environment), but others are still to come. They recommend limiting access to trusted IPs and devices only to reduce the risk of the problem being exploited.



Hardened-PHP Project:
PHP HTML Entity Encoder Heap Overflow Vulnerability
November 03, 2006 @ 12:58:00

The Hardened-PHP Project has put out another advisory for the PHP distribution itself, covering versions 5.1.6/4.4.4 and below, about a heap overflow in the HTML entity encoder.

While we were searching for a hole in htmlspecialchars() and htmlentities() to bypass the encoding of certain chars to exploit a possible eval() injection hole in another application we discovered that the implementation contains a possible buffer overflow that can be triggered when the UTF-8 charset is selected.

The issue has been corrected in the latest PHP 5 release - version 5.2 - but is still present in the PHP 4.4 series (they have a recommended patch until the new version is posted). You can get complete information about this issue from the full vulnerability listing.



Hardened-PHP Project:
Advisory - PHP unserialize() Array Creation Integer Overflow
October 09, 2006 @ 13:41:22

The Hardened-PHP project has just released another advisory about core PHP functionality, specifically in the unserialize function when dealing with arrays.

The PHP 5 branch of the PHP source code lacks the protection against possible integer overflows inside ecalloc() that is present in the PHP 4 branch and also for several years part of our Hardening-Patch and our new Suhosin-Patch.

It was discovered that such an integer overflow can be triggered when user input is passed to the unserialize() function.

You can get the full details from this advisory release including a recommendation to patch the installation until it is corrected in the current distribution.



Wez Furlong's Blog:
Calling SQLBindParameter and avoiding a datetime overflow.
November 25, 2005 @ 06:44:58

Wez Furlong has this post today with a look at a problem he had with dates and gSOAP.

I've spent a lot of time with ODBC recently, working on interfacing our PostalEngine product with SQL Server. One of the things that caused me a LOT of trouble is binding date/time values into our stored procedure calls. One of the reasons that it was hard work was lack of documentation-by-example.

When this [code] is run, the execute fails with SQLSTATE 22008, Date time overflow. Everything looks correct in the code, and most of the values we're passing are based on the description of the parameter provided by ODBC, so what's going on?

After "several hours", he figures it out, the problem being a result of the precision field. He also includes an example of the "magic number" to put in their field to get things to parse correctly...





All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework