Gentoo Forums
[ GLSA 200608-28 ] PHP: Arbitrary code execution
Author: GLSA
Posted: Tue Aug 29, 2006 3:26 pm
Post subject: [ GLSA 200608-28 ] PHP: Arbitrary code execution

Gentoo Linux Security Advisory

Title: PHP: Arbitrary code execution (GLSA 200608-28)
Severity: normal
Exploitable: remote
Date: August 29, 2006
Updated: March 29, 2008
Bug(s): #143126
ID: 200608-28

Synopsis

PHP contains a function that, when used, could allow a remote attacker to execute arbitrary code.

Background

PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.

Affected Packages

Package: dev-lang/php
Vulnerable: < 5.1.4-r6
Unaffected: >= 4.4.3-r1 < 4.4.4
Unaffected: >= 4.4.4-r4 < 4.4.5
Unaffected: >= 4.4.6 < 4.4.7
Unaffected: >= 4.4.7 < 4.4.8
Unaffected: >= 4.4.8_pre20070816 < 4.4.9
Unaffected: >= 5.1.4-r6
Architectures: All supported architectures


Description

The PHP sscanf() function contains an array boundary error that can be exploited to dereference a null pointer. This could possibly allow the safe mode protection to be bypassed by executing arbitrary code.

Impact

A remote attacker might be able to exploit this vulnerability in PHP applications making use of the sscanf() function, potentially resulting in the execution of arbitrary code or the execution of scripted contents in the context of the affected site.

Workaround

There is no known workaround at this time.

Resolution

All PHP 4.x users should upgrade to the latest version:

Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/php-4.4.3-r1"

All PHP 5.x users should upgrade to the latest version:

Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/php-5.1.4-r6"


References

CVE-2006-4020


Last edited by GLSA on Sat Mar 29, 2008 4:18 am; edited 4 times in total
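
The following is an added example, not part of the original advisory or of any Gentoo tooling: a check of a dev-lang/php version string against the ranges in the "Affected Packages" table above. The helper names (version_key, is_affected) are hypothetical, and the version parser is a simplification that only handles numeric components with optional _pre and -rN suffixes, which is all the table uses.

```python
import re

# Ranges copied from the advisory's "Affected Packages" table.
VULNERABLE_BELOW = "5.1.4-r6"
UNAFFECTED = [  # (inclusive lower bound, exclusive upper bound)
    ("4.4.3-r1", "4.4.4"),
    ("4.4.4-r4", "4.4.5"),
    ("4.4.6", "4.4.7"),
    ("4.4.7", "4.4.8"),
    ("4.4.8_pre20070816", "4.4.9"),
]

# Simplified Gentoo version syntax (assumption): N.N.N[_preN][-rN]
_VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:_pre(\d+))?(?:-r(\d+))?$")


def version_key(version):
    """Sort key for the subset of Gentoo version syntax the advisory uses."""
    m = _VERSION.match(version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    # A _pre snapshot sorts before the plain release of the same version.
    suffix = (-1, int(m.group(2))) if m.group(2) else (0, 0)
    revision = int(m.group(3) or 0)  # a missing -rN means revision 0
    return (numbers, suffix, revision)


def is_affected(version):
    """True if this dev-lang/php version is vulnerable per the table."""
    key = version_key(version)
    for low, high in UNAFFECTED:
        if version_key(low) <= key < version_key(high):
            return False  # falls inside a patched 4.4.x slot
    return key < version_key(VULNERABLE_BELOW)


if __name__ == "__main__":
    # Constructed sample versions, not taken from a real host.
    for v in ("4.4.2", "4.4.3-r1", "4.4.4-r3", "4.4.8_pre20070816",
              "5.1.4-r5", "5.1.4-r6", "5.2.0"):
        status = "AFFECTED" if is_affected(v) else "ok"
        print(f"dev-lang/php-{v}: {status}")
```

Note that a revision below the patched one within the same 4.4.x version (for example 4.4.4-r3, below 4.4.4-r4) still counts as affected.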