Bug 195880 - CVE-2005-3388 multiple PHP issues (CVE-2006-1990 CVE-2005-3389 CVE-2005-3390)
Status: CLOSED ERRATA
Product: Stronghold for Red Hat Linux
Classification: Retired
Component: php
Version: 4.0
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Joe Orton
QA Contact: Stronghold Engineering List
Keywords: Security
Reported: 2006-06-19 03:53 EDT by Mark J. Cox (Product Security)
Modified: 2007-04-18 13:44 EDT
Fixed In Version: RHSA-2006-0549
Doc Type: Bug Fix
Last Closed: 2006-07-27 15:57:33 EDT
Description Mark J. Cox (Product Security) 2006-06-19 03:53:11 EDT
Several security issues were found in the PHP package in Stronghold 4.0:

The wordwrap() PHP function did not properly check for integer overflow in
the way the "break" parameter was handled. An attacker who could control a
string passed to the "break" parameter could cause a heap overflow.
(CVE-2006-1990)

The phpinfo() PHP function did not properly sanitize long strings. This
could allow an attacker to perform cross-site scripting attacks against
sites that had publicly-available PHP scripts that called phpinfo().
(CVE-2006-0996)

A flaw in the way PHP registered global variables during a file upload
request was discovered. A remote attacker could submit a carefully crafted
multipart/form-data POST request that could overwrite the $GLOBALS array,
which could alter expected script behavior and possibly lead to the
execution of arbitrary PHP commands. Note that this vulnerability only
affects installations which have register_globals enabled in the PHP
configuration file, which is neither a default nor recommended option.
(CVE-2005-3390)

A flaw in the PHP parse_str() function was discovered. If a PHP script
passed only one argument to the parse_str() function, and the script was
forced to abort execution during operation (for example, due to the
memory_limit setting), register_globals may be enabled even if it was
disabled in the PHP configuration file. This vulnerability only affects
installations that have PHP scripts using the parse_str function in this
way. (CVE-2005-3389) 

A Cross-Site Scripting flaw in the phpinfo() function was discovered. If a
victim was tricked into following a malicious URL to a site with a page
displaying the phpinfo() output, it was possible to inject JavaScript or
HTML content into the displayed page or steal data such as cookies. This
vulnerability only affects installations that allow users to view the
output of the phpinfo() function. As the phpinfo() function outputs a large
amount of information about the current state of PHP, it should only be
used during debugging or if protected by authentication. (CVE-2005-3388) 

A buffer overflow flaw was discovered in uw-imap, the University of
Washington's IMAP Server. php-imap is compiled against the static c-client
libraries from imap and therefore needed to be recompiled against the fixed
version. (CVE-2005-2933)
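
The exposure conditions named in the description (register_globals enabled, one-argument parse_str() calls, reachable phpinfo() output) can be checked on an installation with a text scan. This is an added example, not part of the original report or of Red Hat's tooling; the names audit and count_args and the sample files are assumptions, and the scan is a heuristic rather than a PHP parser.

```python
import re
# Uncommented php.ini line that switches register_globals on (';' starts a comment).
INI_ON = re.compile(r'^[ \t]*register_globals[ \t]*=[ \t]*"?(on|1|true|yes)\b', re.I | re.M)
CALL = re.compile(r"\b(parse_str|phpinfo)\s*\(", re.I)

def count_args(src, pos):
    """Count top-level arguments of a call; pos is the index just after '('."""
    depth, quote, commas, seen = 0, None, 0, False
    while pos < len(src):
        ch = src[pos]
        if quote:
            if ch == "\\":
                pos += 1  # skip the escaped character inside a string literal
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote, seen = ch, True
        elif ch in "([":
            depth, seen = depth + 1, True
        elif ch in ")]":
            if depth == 0:
                return commas + 1 if seen else 0
            depth -= 1
        elif ch == "," and depth == 0:
            commas += 1
        elif not ch.isspace():
            seen = True
        pos += 1
    return commas + 1 if seen else 0

def audit(ini_text, php_sources):
    """Return (file, line, note) findings for the conditions the report names."""
    findings = []
    for m in INI_ON.finditer(ini_text):
        line = ini_text.count("\n", 0, m.start()) + 1
        findings.append(("php.ini", line, "register_globals on: CVE-2005-3390 precondition"))
    for name, src in php_sources.items():
        for c in CALL.finditer(src):
            line = src.count("\n", 0, c.start()) + 1
            if c.group(1).lower() == "phpinfo":
                findings.append((name, line, "phpinfo() call: restrict access (CVE-2005-3388)"))
            elif count_args(src, c.end()) == 1:
                findings.append((name, line, "one-argument parse_str(): CVE-2005-3389"))
    return findings

SAMPLE_INI = "; register_globals = Off\nregister_globals = On\n"  # constructed sample
SAMPLE_PHP = {"search.php": "<?php\nparse_str($_SERVER['QUERY_STRING']);\necho $q;\n",
              "safe.php": "<?php\nparse_str(implode('&', array('a=1,2', 'b=3')), $out);\n",
              "info.php": "<?php phpinfo(); ?>\n"}  # constructed sample sources
```

Calling audit(SAMPLE_INI, SAMPLE_PHP) flags php.ini, search.php and info.php; safe.php passes because its parse_str() call supplies a result array as the second argument.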

Comment 2 Red Hat Bugzilla 2006-07-27 15:57:33 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0549.html
