Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 920517 - (CVE-2006-4023) CVE-2006-4023 php: Improper validation of strings in ip2long function (remote attackers able to obtain network information and facilitate other attacks)
CVE-2006-4023 php: Improper validation of strings in ip2long function (remote...
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20060729,reported=2...
: Security
Depends On: 920519
Blocks: 920533
  Show dependency treegraph
 
Reported: 2013-03-12 06:02 EDT by Jan Lieskovsky
Modified: 2015-07-31 07:47 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-04-09 04:19:35 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Jan Lieskovsky 2013-03-12 06:02:16 EDT 
Common Vulnerabilities and Exposures assigned an identifier CVE-2006-4023 to the following vulnerability:

The ip2long function in PHP 5.1.4 and earlier may incorrectly validate an arbitrary string and return a valid network IP address, which allows remote attackers to obtain network information and facilitate other attacks, as demonstrated using SQL injection in the X-FORWARDED-FOR Header in index.php in MiniBB 2.0. NOTE: it could be argued that the ip2long behavior represents a risk for security-relevant issues in a way that is similar to strcpy's role in buffer overflows, in which case this would be a class of implementation bugs that would require separate CVE items for each PHP application that uses ip2long in a security-relevant manner.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4023
[2] http://www.securityfocus.com/archive/1/archive/1/441529/100/100/threaded
[3] http://www.securityfocus.com/archive/1/archive/1/441708/100/100/threaded
[4] http://retrogod.altervista.org/php_ip2long.htm
[5] http://securitytracker.com/id?1016609
Comment 1 Jan Lieskovsky 2013-03-12 06:05:00 EDT 
Public reproducer details (from [4]):
-------------------------------------
.. the php ip2long() function can be tricked to return a valid IPv4 Internet
network address instead of "-1" even if the ip address argument is not a valid
one, through the injection of some chars, ex:

<?php
 for ($i=0; $i<=255; $i++)
 {
  echo $i.":".ip2long("1.1.1.1".chr($i)."'or'a'='a'/*")."\r\n";
 }
?>

when chr($i) is chr(0), chr(9), chr(10), chr(11), chr(12), chr(13) or chr(32)

it gives the following (valid) result:

16843009

..
Comment 2 Jan Lieskovsky 2013-03-12 06:06:42 EDT 
This issue affects the versions of the php and php53 packages, as shipped with Red Hat Enterprise Linux 5.

--

This issue affects the version of the php package, as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the versions of the php package, as shipped with Fedora release of 17 and 18. Please schedule an update (once there is upstream patch available).
Comment 3 Jan Lieskovsky 2013-03-12 06:07:19 EDT 
Created php tracking bugs for this issue

Affects: fedora-all [bug 920519]
Comment 4 Jan Lieskovsky 2013-03-12 06:09:50 EDT 
Statement:

(none)
Comment 5 Remi Collet 2013-03-12 11:47:19 EDT 
Since PHP 5.2.10, ip2long use "inet_pton" system function
(when available, which is the case in RHEL/Fedora).

So, with php >= 5.3, only when chr(0) returns a valid result.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.