The initiators of the Month of PHP Bugs (MOPB) have published vulnerabilities in the Zend engine, PHP4, and the current developer version of the script language. Software updates have already been provided for a few of these7 flaws.
One of the flaws reported concerns PHP version 4.4.3 up to the current version 4.4.6. The phpinfo() function provides information about the PHP environment, including the content of variables transmitted during the request. A vulnerability to cross-site scripting (XXS) occurs when these variables are not correctly filtered. The developers already attempted to remedy the flaw in PHP 4.4.1, but they apparently missed something by incompletely backporting the correct functions from PHP5 into PHP4, leaving PHP4 still vulnerable to XSS.
In the developer version (CVS) of PHP, the developers opened up a new hole when they tried to improve insecure function calls, such as by replacing strncpy or sprintf with strlcpy or spprintf. They then made a mistake in the WDDX functions, which are used to share data between web applications. The use of strlcpy instead of strlcat can cause a buffer overflow in the processing of specially prepared WDDX packets.
As a "bonus", two security holes are marked in the Zend platform. Thanks to insecure file rights, attackers can escalate their privileges up to the root level, for instance, when they penetrate the server through a hole in PHP. In addition, another vulnerability allows php.ini to be modified so that attackers can again escalate their rights. The flaws are found in version 2.2.3 of the Zend platform and previous. Updating to version 3 solves the problem.
- Zend Platform Insecure File Permission Local Root Vulnerability, MOPB project security report
- Zend Platform ini_modifier Local Root Vulnerability, MOPB project security report
- PHP 4 phpinfo() XSS Vulnerability (Deja-vu), MOPB project security report
- PHP wddx_deserialize() String Append Buffer Overflow Vulnerability, MOPB project security report
- Download the current version of Zend