the Month of PHP Bugs

The Month of PHP Bugs has been updated. Before I noticed, it had gone from 4 entries to 9, and now 11...

11. PHP WDDX Session Deserialization Information Leak Vulnerability
    Numerical keys in session data in WDDX format might leak an arbitrary portion of stack data into PHP variables.
    PoC: MOPB-11-2007.php / CVE-2007-0908

10. PHP php_binary Session Deserialization Information Leak Vulnerability
    Malformed session data in php_binary format might leak a portion of heap data into PHP variables.
    PoC: MOPB-10-2007.php / CVE-NO-NAME

9. PHP wddx_deserialize() String Append Buffer Overflow Vulnerability
    Malformed WDDX data might trigger an exploitable buffer overflow that was introduced by a pseudo security fix.
    PoC: MOPB-09-2007.php / CVE-NO-NAME

8. PHP 4 phpinfo() XSS Vulnerability (Deja-vu) (http://www.php-security.org/MOPB/MOPB-08-2007.html)
    phpinfo() does not escape the content of user supplied arrays in GET, POST or COOKIE variables when it displays them, which leads to an XSS vulnerability.
    PoC: MOPB-08-2007.phpt / HPHP-18-2005/CVE-NO-NAME

7. Zend Platform ini_modifier Local Root Vulnerability
    The ini_modifier of the Zend Platform can be tricked by a local user into editing the system php.ini file, which can be used to obtain root privileges.
    PoC: Not needed / CVE-NO-NAME

6. Zend Platform Insecure File Permission Local Root Vulnerability
    Several binaries and shell scripts installed by the Zend Platform are installed with unsafe permissions that might allow an attacker to gain root privileges.
    PoC: Not needed / CVE-NO-NAME

5. PHP unserialize() 64 bit Array Creation Denial of Service Vulnerability
    Deserialisation of malformed PHP arrays from within unserialize() might result in a tight endless loop exhausting CPU resources on 64-bit systems.
    PoC: Not needed / CVE-2007-0988

4. PHP 4 unserialize() ZVAL Reference Counter Overflow
    During unserialisation of user supplied data that contains a lot of references to a variable, the internal 16-bit zval reference counter can overflow. This leads to an exploitable double dtor condition.
    PoC: MOPB-04-2007.php / CVE-NO-NAME/MOPB-01-2007

I put together a quick summary.

Apparently this is a bug where the key_length value is not initialized during session handling of the WDDX data format.

The PHP WDDX extension comes with a serialization handler that adds support for the WDDX data format to PHP's session handling. When this data contains a numerical key, the key_length variable is not properly initialized, which will leak an arbitrary amount of stack data into the session array keys.

Affected are PHP 4 < 4.4.5 and PHP < 5.2.1

php_binary has a heap information vulnerability; if the data exceeds 126 bytes, do session keys end up in the array?

The PHP session extension comes with a serialization handler called 'php_binary' that is vulnerable to a heap information leak vulnerability. This security hole is the result of a missing boundary check and allows leaking up to 126 bytes following the serialized data into array keys of the session.

Affected are PHP 4 < 4.4.5 and PHP < 5.2.1

Apparently there is a problem with string replacement in the CVS version of PHP. Since only the CVS version is affected, the impact is small.

Since Stefan Esser left the PHP Security Response Team there have been countless pseudo security fixes to the PHP CVS

Affected is only the CVS version of PHP.

Apparently there is an XSS vulnerability in phpinfo() in PHP 4.4.3.

With PHP 4.4.3 a previously fixed bug that was disclosed at the end of October 2005 by the Hardened-PHP Project was reintroduced. Again phpinfo() does not escape the content of user supplied arrays in GET, POST or COOKIE variables when it displays them which leads to an XSS vulnerability.

Affected are PHP versions 4.4.3 to 4.4.6

Apparently, in the Zend GUI that edits php.ini, a local user can see the GUI password.

Zend Platform comes with an ini_modifier that is used by the GUI to alter the php.ini file. By abusing a vulnerability within the ini_modifier it is possible for a local attacker to edit the php.ini file without knowing the necessary GUI password.

Affected is Zend Platform <= 2.2.3

Apparently the permissions of the executables and shell scripts installed by Zend are not safe. They are owned either by the user who installed Zend or by the web server user.

Several binaries and shell scripts installed by the Zend Platform come with insecure file permissions. Certain files are incorrectly owned by the web server user or by the user account that installed the Zend Platform.

Affected is Zend Platform <= 2.2.3

Apparently, running zend_hash_init on a 64-bit system falls into an endless loop and eats up CPU resources.

A user supplied serialized string might trigger, on 64-bit systems, a tight endless loop within zend_hash_init() exhausting CPU resources.

Affected is PHP 4.4.4/5.2.0 and below.