Rapid7 VulnDB

RHSA-2009:0337: php security update

Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 12/23/2008
Created: 07/25/2018
Added: 09/12/2009
Modified: 07/04/2017

Description

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.

A heap-based buffer overflow flaw was found in PHP's mbstring extension. A remote attacker able to pass arbitrary input to a PHP script using mbstring conversion functions could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-5557)

A flaw was found in the handling of the "mbstring.func_overload" configuration setting. A value set for one virtual host, or in a user's .htaccess file, was incorrectly applied to other virtual hosts on the same server, causing the handling of multibyte character strings to not work correctly. (CVE-2009-0754)

A buffer overflow flaw was found in PHP's imageloadfont function. If a PHP script allowed a remote attacker to load a carefully crafted font file, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-3658)

A flaw was found in the way PHP handled certain file extensions when running in FastCGI mode. If the PHP interpreter was being executed via FastCGI, a remote attacker could create a request which would cause the PHP interpreter to crash. (CVE-2008-3660)

A memory disclosure flaw was found in the PHP gd extension's imagerotate function. A remote attacker able to pass arbitrary values as the "background color" argument of the function could, possibly, view portions of the PHP interpreter's memory. (CVE-2008-5498)

All php users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. The httpd web server must be restarted for the changes to take effect.
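Because the fix is backported, the php package's upstream version string does not show whether this erratum is applied; Red Hat's rpm changelogs, however, typically name the CVEs a build fixes. The check below is an added example, not part of the advisory or of Rapid7's tooling: it greps a changelog (from stdin, or live via `rpm -q --changelog php`) for the five CVEs this erratum covers. `missing_cves`, the `--live` flag and the sample changelog text are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that a RHEL php package changelog mentions every CVE
# fixed by RHSA-2009:0337. Version strings do not reveal backported fixes,
# but the rpm changelog normally lists the CVE identifiers.

# CVE identifiers named in RHSA-2009:0337.
ADVISORY_CVES="CVE-2008-5557 CVE-2009-0754 CVE-2008-3658 CVE-2008-3660 CVE-2008-5498"

# Read changelog text on stdin; print each advisory CVE it does not mention,
# one per line. Returns 0 when every CVE is present, 1 otherwise.
missing_cves() {
    changelog=$(cat)
    status=0
    for cve in $ADVISORY_CVES; do
        if ! printf '%s\n' "$changelog" | grep -q -F -- "$cve"; then
            printf '%s\n' "$cve"
            status=1
        fi
    done
    return $status
}

# Constructed sample changelogs (not real Red Hat changelog text), so the
# check can be exercised offline.
SAMPLE_PATCHED='* constructed entry - fix heap overflow in mbstring (CVE-2008-5557)
- fix mbstring.func_overload applied across virtual hosts (CVE-2009-0754)
- fix imageloadfont buffer overflow (CVE-2008-3658)
- fix FastCGI crash on certain file extensions (CVE-2008-3660)
- fix imagerotate memory disclosure (CVE-2008-5498)'

SAMPLE_UNPATCHED='* constructed entry - fix heap overflow in mbstring (CVE-2008-5557)
- fix mbstring.func_overload applied across virtual hosts (CVE-2009-0754)
- fix FastCGI crash on certain file extensions (CVE-2008-3660)'

# With --live, query the installed package on a RHEL host; otherwise run the
# check against the constructed unpatched sample.
if [ "$1" = "--live" ]; then
    rpm -q --changelog php | missing_cves
else
    echo "CVEs missing from the constructed unpatched sample:"
    printf '%s\n' "$SAMPLE_UNPATCHED" | missing_cves || echo "(package not fully patched)"
fi
```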

Solution(s)

  • redhat-upgrade-php
  • redhat-upgrade-php-devel
  • redhat-upgrade-php-domxml
  • redhat-upgrade-php-gd
  • redhat-upgrade-php-imap
  • redhat-upgrade-php-ldap
  • redhat-upgrade-php-mbstring
  • redhat-upgrade-php-mysql
  • redhat-upgrade-php-ncurses
  • redhat-upgrade-php-odbc
  • redhat-upgrade-php-pear
  • redhat-upgrade-php-pgsql
  • redhat-upgrade-php-snmp
  • redhat-upgrade-php-xmlrpc
