===================================================================== CERT-Renater Note d'Information No. 2005/VULN718 _____________________________________________________________________ DATE : 17/11/2005 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Systems running php. ====================================================================== _______________________________________________________________________ Mandriva Linux Security Advisory MDKSA-2005:213 http://www.mandriva.com/security/ _______________________________________________________________________ Package : php Date : November 16, 2005 Affected: 10.1, 10.2, 2006.0, Corporate 2.1, Corporate 3.0, Multi Network Firewall 2.0 _______________________________________________________________________ Problem Description: A number of vulnerabilities were discovered in PHP: An issue with fopen_wrappers.c would not properly restrict access to other directories when the open_basedir directive included a trailing slash (CVE-2005-3054); this issue does not affect Corporate Server 2.1. An issue with the apache2handler SAPI in mod_php could allow an attacker to cause a Denial of Service via the session.save_path option in an .htaccess file or VirtualHost stanza (CVE-2005-3319); this issue does not affect Corporate Server 2.1. A Denial of Service vulnerability was discovered in the way that PHP processes EXIF image data which could allow an attacker to cause PHP to crash by supplying carefully crafted EXIF image data (CVE-2005-3353). A cross-site scripting vulnerability was discovered in the phpinfo() function which could allow for the injection of javascript or HTML content onto a page displaying phpinfo() output, or to steal data such as cookies (CVE-2005-3388). A flaw in the parse_str() function could allow for the enabling of register_globals, even if it was disabled in the PHP configuration file (CVE-2005-3389). A vulnerability in the way that PHP registers global variables during a file upload request could allow a remote attacker to overwrite the $GLOBALS array which could potentially lead the execution of arbitrary PHP commands. This vulnerability only affects systems with register_globals enabled (CVE-2005-3390). The updated packages have been patched to address this issue. Once the new packages have been installed, you will need to restart your Apache server using "service httpd restart" in order for the new packages to take effect ("service httpd2-naat restart" for MNF2). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3054 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3319 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3353 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3388 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3389 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3390 http://www.hardened-php.net/advisory_202005.79.html http://www.hardened-php.net/advisory_192005.78.html http://www.hardened-php.net/advisory_182005.77.html _______________________________________________________________________ Updated Packages: Mandriva Linux 10.1: 3966e335bc3a2ae6dffbbc8e83575865 10.1/RPMS/libphp_common432-4.3.8-3.6.101mdk.i586.rpm 199fa9e0baf46bda77e660555626ed4e 10.1/RPMS/php432-devel-4.3.8-3.6.101mdk.i586.rpm 05ef30fa2004ffd60f4519fd41a444e3 10.1/RPMS/php-cgi-4.3.8-3.6.101mdk.i586.rpm fe48fbbb47b3bcdab5054ffdd2067b6a 10.1/RPMS/php-cli-4.3.8-3.6.101mdk.i586.rpm 90b47f8c1515b5043d513db11d6607ca 10.1/SRPMS/php-4.3.8-3.6.101mdk.src.rpm Mandriva Linux 10.1/X86_64: 9fe206e55dca158523dab0a85f1a5dec x86_64/10.1/RPMS/lib64php_common432-4.3.8-3.6.101mdk.x86_64.rpm d36a3e7f90980388196aa58b6dbb94af x86_64/10.1/RPMS/php432-devel-4.3.8-3.6.101mdk.x86_64.rpm 416b3bacf2b57f1a9cae5ca172e39135 x86_64/10.1/RPMS/php-cgi-4.3.8-3.6.101mdk.x86_64.rpm 0c27298aadb7d0a847a93316ce4d9d57 x86_64/10.1/RPMS/php-cli-4.3.8-3.6.101mdk.x86_64.rpm 90b47f8c1515b5043d513db11d6607ca x86_64/10.1/SRPMS/php-4.3.8-3.6.101mdk.src.rpm Mandriva Linux 10.2: e972e5e5cadb586a390a39bffa1cb56e 10.2/RPMS/libphp_common432-4.3.10-7.4.102mdk.i586.rpm c26646613d41a7f3e82b5d2d11c21b7c 10.2/RPMS/php432-devel-4.3.10-7.4.102mdk.i586.rpm 098e0a1e4b8b597bf95461fc085c037a 10.2/RPMS/php-cgi-4.3.10-7.4.102mdk.i586.rpm 99f0eaa02942f7b6753309ca56979100 10.2/RPMS/php-cli-4.3.10-7.4.102mdk.i586.rpm 7df363e2e2309ec26b40c3490a0d75ae 10.2/SRPMS/php-4.3.10-7.4.102mdk.src.rpm Mandriva Linux 10.2/X86_64: d9d33311690b0c5f69e3834a5ba6bc10 x86_64/10.2/RPMS/lib64php_common432-4.3.10-7.4.102mdk.x86_64.rpm f5d2b45ace0ab4208ba911159a47e429 x86_64/10.2/RPMS/php432-devel-4.3.10-7.4.102mdk.x86_64.rpm 0c7e0acb3bd80a9a7220ecf919b3d795 x86_64/10.2/RPMS/php-cgi-4.3.10-7.4.102mdk.x86_64.rpm 7df6f5a5b19c07e9fa3d6851f210f847 x86_64/10.2/RPMS/php-cli-4.3.10-7.4.102mdk.x86_64.rpm 7df363e2e2309ec26b40c3490a0d75ae x86_64/10.2/SRPMS/php-4.3.10-7.4.102mdk.src.rpm Mandriva Linux 2006.0: 826c36fdb07b7c341a39507b679e31a9 2006.0/RPMS/libphp5_common5-5.0.4-9.1.20060mdk.i586.rpm 2be5d91979fa3c8f77744a86fee8a423 2006.0/RPMS/php-cgi-5.0.4-9.1.20060mdk.i586.rpm 950c43ac1569610fa31b15803fc50d40 2006.0/RPMS/php-cli-5.0.4-9.1.20060mdk.i586.rpm 1a19b2cc5607bf65c3fe7a339f97ce72 2006.0/RPMS/php-devel-5.0.4-9.1.20060mdk.i586.rpm e8d70f64d363821fe29e7cf39e93cd71 2006.0/RPMS/php-exif-5.0.4-1.1.20060mdk.i586.rpm fe70481a5316019e303e45e5f0e59adb 2006.0/RPMS/php-fcgi-5.0.4-9.1.20060mdk.i586.rpm 9c6a477d87cebf040cee39b75423c040 2006.0/SRPMS/php-5.0.4-9.1.20060mdk.src.rpm f2b058c92a3c2107f97a4b07d34dc1c8 2006.0/SRPMS/php-exif-5.0.4-1.1.20060mdk.src.rpm Mandriva Linux 2006.0/X86_64: 044e1542f327cf7552fa4d4124843f1f x86_64/2006.0/RPMS/lib64php5_common5-5.0.4-9.1.20060mdk.x86_64.rpm 60f4edc9196ea58d9614c3f2ed66a9f6 x86_64/2006.0/RPMS/php-cgi-5.0.4-9.1.20060mdk.x86_64.rpm 9f6c1eb1a1da44518993957d13eb10bf x86_64/2006.0/RPMS/php-cli-5.0.4-9.1.20060mdk.x86_64.rpm 3c5d616931098f198eeb0f41011144aa x86_64/2006.0/RPMS/php-devel-5.0.4-9.1.20060mdk.x86_64.rpm d16ba71605fc37881443605025534440 x86_64/2006.0/RPMS/php-exif-5.0.4-1.1.20060mdk.x86_64.rpm 0f10f24c8b43317904a79ac66f0405de x86_64/2006.0/RPMS/php-fcgi-5.0.4-9.1.20060mdk.x86_64.rpm 9c6a477d87cebf040cee39b75423c040 x86_64/2006.0/SRPMS/php-5.0.4-9.1.20060mdk.src.rpm f2b058c92a3c2107f97a4b07d34dc1c8 x86_64/2006.0/SRPMS/php-exif-5.0.4-1.1.20060mdk.src.rpm Corporate Server 2.1: 18b1c4dab517ae624ee96b7558112d84 corporate/2.1/RPMS/php-4.2.3-4.6.C21mdk.i586.rpm 25e79b0cbb0b1ed8c0915db93efe7863 corporate/2.1/RPMS/php-common-4.2.3-4.6.C21mdk.i586.rpm c818089e5fe42953da5ca48855c52a39 corporate/2.1/RPMS/php-devel-4.2.3-4.6.C21mdk.i586.rpm aaafac3f547795f1e4ab50094fb05bb8 corporate/2.1/RPMS/php-pear-4.2.3-4.6.C21mdk.i586.rpm 590fd7d0a4340ac62e443a1c1543fe60 corporate/2.1/SRPMS/php-4.2.3-4.6.C21mdk.src.rpm Corporate Server 2.1/X86_64: d3ad20980ced61773e64fc0cd347dbc0 x86_64/corporate/2.1/RPMS/php-4.2.3-4.6.C21mdk.x86_64.rpm 74dc4c2cd5a48ebc77d081ae64fe38cd x86_64/corporate/2.1/RPMS/php-common-4.2.3-4.6.C21mdk.x86_64.rpm 5acad2f71a4e4728a986f08a7966846a x86_64/corporate/2.1/RPMS/php-devel-4.2.3-4.6.C21mdk.x86_64.rpm 39856102ebde84daad4d917cfa94b067 x86_64/corporate/2.1/RPMS/php-pear-4.2.3-4.6.C21mdk.x86_64.rpm 590fd7d0a4340ac62e443a1c1543fe60 x86_64/corporate/2.1/SRPMS/php-4.2.3-4.6.C21mdk.src.rpm Corporate 3.0: c2b5c67cd95e5ea7725a98c516b9742f corporate/3.0/RPMS/libphp_common432-4.3.4-4.8.C30mdk.i586.rpm a8eef95a35ce6916836ee78d1d473939 corporate/3.0/RPMS/php432-devel-4.3.4-4.8.C30mdk.i586.rpm 6c00ce7c4952e9cfcbc654a594d94b18 corporate/3.0/RPMS/php-cgi-4.3.4-4.8.C30mdk.i586.rpm fad4d2d37aeae89eb52ab10a35b8b3b4 corporate/3.0/RPMS/php-cli-4.3.4-4.8.C30mdk.i586.rpm 97ed320ad4011d18f69f8f957295a7d7 corporate/3.0/SRPMS/php-4.3.4-4.8.C30mdk.src.rpm Corporate 3.0/X86_64: db82bf6b28383e687974a6e3ea8ef632 x86_64/corporate/3.0/RPMS/lib64php_common432-4.3.4-4.8.C30mdk.x86_64.rpm 740b5d6160992055e5e84dc03480cf45 x86_64/corporate/3.0/RPMS/php432-devel-4.3.4-4.8.C30mdk.x86_64.rpm 6e2fd52cca98a8b208acaec013cb7630 x86_64/corporate/3.0/RPMS/php-cgi-4.3.4-4.8.C30mdk.x86_64.rpm 679c794a8904940946d8cb52e529413a x86_64/corporate/3.0/RPMS/php-cli-4.3.4-4.8.C30mdk.x86_64.rpm 97ed320ad4011d18f69f8f957295a7d7 x86_64/corporate/3.0/SRPMS/php-4.3.4-4.8.C30mdk.src.rpm Multi Network Firewall 2.0: 82bae104a4800c62bf0a007d5af84941 mnf/2.0/RPMS/libphp_common432-4.3.4-4.8.M20mdk.i586.rpm b64e2f00d014aa894d94271351b1cef0 mnf/2.0/RPMS/php432-devel-4.3.4-4.8.M20mdk.i586.rpm c306907caa4c66c77653a2f264fdcdbe mnf/2.0/RPMS/php-cgi-4.3.4-4.8.M20mdk.i586.rpm 46b577275216cfc259a6caba5d4b82f3 mnf/2.0/RPMS/php-cli-4.3.4-4.8.M20mdk.i586.rpm c528b16fd83ddd8732609863ffe0a16a mnf/2.0/SRPMS/php-4.3.4-4.8.M20mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================