Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 195880

Summary: CVE-2005-3388 multiple PHP issues (CVE-2006-1990 CVE-2005-3389 CVE-2005-3390)
Product: [Retired] Stronghold for Red Hat Linux Reporter: Mark J. Cox <mjc>
Component: phpAssignee: Joe Orton <jorton>
Status: CLOSED ERRATA QA Contact: Stronghold Engineering List <stronghold-eng-list>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.0CC: stronghold-eng-list
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: RHSA-2006-0549 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-07-27 19:57:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Mark J. Cox 2006-06-19 07:53:11 UTC 
Several security issues were found in the PHP package in Stronghold 4.0:

The wordwrap() PHP function did not properly check for integer overflow in
the way the "break" parameter was handled. An attacker who could control a
string passed to the "break" parameter could cause a heap overflow.
(CVE-2006-1990)

The phpinfo() PHP function did not properly sanitize long strings. This
could allow an attacker to perform cross-site scripting attacks against
sites that had publicly-available PHP scripts that called phpinfo().
(CVE-2006-0996)

A flaw in the way PHP registered global variables during a file upload
request was discovered. A remote attacker could submit a carefully crafted
multipart/form-data POST request that could overwrite the $GLOBALS array,
which could alter expected script behavior and possibly lead to the
execution of arbitrary PHP commands. Note that this vulnerability only
affects installations which have register_globals enabled in the PHP
configuration file, which is neither a default nor recommended option.
(CVE-2005-3390)

A flaw in the PHP parse_str() function was discovered. If a PHP script
passed only one argument to the parse_str() function, and the script was
forced to abort execution during operation (for example, due to the
memory_limit setting), the register_globals may be enabled even if it was
disabled in the PHP configuration file. This vulnerability only affects
installations that have PHP scripts using the parse_str function in this
way. (CVE-2005-3389) 

A Cross-Site Scripting flaw in the phpinfo() function was discovered. If a
victim was tricked into following a malicious URL to a site with a page
displaying the phpinfo() output, it was possible to inject javascript or
HTML content into the displayed page or steal data such as cookies. This
vulnerability only affects installations that allow users to view the
output of the phpinfo() function. As the phpinfo() function outputs a large
amount of information about the current state of PHP, it should only be
used during debugging or if protected by authentication. (CVE-2005-3388) 

A buffer overflow flaw was discovered in uw-imap, the University of
Washington's IMAP Server. php-imap is compiled against the static c-client
libraries from imap and therefore needed to be recompiled against the fixed
version. (CVE-2005-2933)
Comment 2 Red Hat Bugzilla 2006-07-27 19:57:33 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0549.html