Bug 195880 - CVE-2005-3388 multiple PHP issues (CVE-2006-1990 CVE-2005-3389 CVE-2005-3390)
Summary: CVE-2005-3388 multiple PHP issues (CVE-2006-1990 CVE-2005-3389 CVE-2005-3390)
Status: CLOSED ERRATA
Alias: None
Product: Stronghold for Red Hat Linux
Classification: Retired
Component: php (Show other bugs)
(Show other bugs)
Version: 4.0
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Joe Orton
QA Contact: Stronghold Engineering List
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-06-19 07:53 UTC by Mark J. Cox
Modified: 2007-04-18 17:44 UTC (History)
1 user (show)

Fixed In Version: RHSA-2006-0549
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-07-27 19:57:33 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2006:0549 normal SHIPPED_LIVE Moderate: php security update for Stronghold 2006-07-27 04:00:00 UTC

Description Mark J. Cox 2006-06-19 07:53:11 UTC
Several security issues were found in the PHP package in Stronghold 4.0:

The wordwrap() PHP function did not properly check for integer overflow in
the way the "break" parameter was handled. An attacker who could control a
string passed to the "break" parameter could cause a heap overflow.
(CVE-2006-1990)

The phpinfo() PHP function did not properly sanitize long strings. This
could allow an attacker to perform cross-site scripting attacks against
sites that had publicly-available PHP scripts that called phpinfo().
(CVE-2006-0996)

A flaw in the way PHP registered global variables during a file upload
request was discovered. A remote attacker could submit a carefully crafted
multipart/form-data POST request that could overwrite the $GLOBALS array,
which could alter expected script behavior and possibly lead to the
execution of arbitrary PHP commands. Note that this vulnerability only
affects installations which have register_globals enabled in the PHP
configuration file, which is neither a default nor recommended option.
(CVE-2005-3390)

A flaw in the PHP parse_str() function was discovered. If a PHP script
passed only one argument to the parse_str() function, and the script was
forced to abort execution during operation (for example, due to the
memory_limit setting), the register_globals may be enabled even if it was
disabled in the PHP configuration file. This vulnerability only affects
installations that have PHP scripts using the parse_str function in this
way. (CVE-2005-3389) 

A Cross-Site Scripting flaw in the phpinfo() function was discovered. If a
victim was tricked into following a malicious URL to a site with a page
displaying the phpinfo() output, it was possible to inject javascript or
HTML content into the displayed page or steal data such as cookies. This
vulnerability only affects installations that allow users to view the
output of the phpinfo() function. As the phpinfo() function outputs a large
amount of information about the current state of PHP, it should only be
used during debugging or if protected by authentication. (CVE-2005-3388) 

A buffer overflow flaw was discovered in uw-imap, the University of
Washington's IMAP Server. php-imap is compiled against the static c-client
libraries from imap and therefore needed to be recompiled against the fixed
version. (CVE-2005-2933)

Comment 2 Red Hat Bugzilla 2006-07-27 19:57:33 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0549.html



Note You need to log in before you can comment on or make changes to this bug.