CVE-2006-4486
https://notcve.org/view.php?id=CVE-2006-4486
Integer overflow in memory allocation routines in PHP before 5.1.6, when running on a 64-bit system, allows context-dependent attackers to bypass the memory_limit restriction. Desbordamiento de enteros en rutinas de asignación de memoria en PHP anterior a 5.1.6, cuando se ejecuta en sistemas de 64 bits, permite a atacantes dependientes de contexto evitar la restricción memory_limit. • ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc http://rhn.redhat.com/errata/RHSA-2006-0688.html http://secunia.com/advisories/21546 http://secunia.com/advisories/22004 http://secunia.com/advisories/22069 http://secunia.com/advisories/22225 http://secunia.com/advisories/22331 http://secunia.com/advisories/22440 http://secunia.com/advisories/22487 http://secunia.com/advisories/22538 http://secunia.com/advisories/25945 http://securitytracker.com/id • CWE-189: Numeric Errors •
CVE-2006-4483
https://notcve.org/view.php?id=CVE-2006-4483
The cURL extension files (1) ext/curl/interface.c and (2) ext/curl/streams.c in PHP before 5.1.5 permit the CURLOPT_FOLLOWLOCATION option when open_basedir or safe_mode is enabled, which allows attackers to perform unauthorized actions, possibly related to the realpath cache. Los ficheros con extensión cURL (1) ext/curl/interface.c y(2) ext/curl/streams.c en PHP anterior a 5.1.5 permite la opción CURLOPT_FOLLOWLOCATION cuando open_basedir o safe_mode está habilitado, lo cual permite a un atacante realizar acciones no autorizadas, posiblemente relacionado con la caché realpath. • http://cvs.php.net/viewcvs.cgi/php-src/ext/curl/interface.c?r1=1.62.2.14.2.6&r2=1.62.2.14.2.7 http://cvs.php.net/viewcvs.cgi/php-src/ext/curl/interface.c?view=log http://cvs.php.net/viewvc.cgi/php-src/ext/curl/streams.c?r1=1.14.2.2.2.3&r2=1.14.2.2.2.4 http://secunia.com/advisories/21546 http://secunia.com/advisories/22039 http://secunia.com/advisories/30411 http://securitytracker.com/id?1016984 http://wiki.rpath.com/wiki/Advisor • CWE-862: Missing Authorization •
CVE-2006-4484 – gd: GIF handling buffer overflow
https://notcve.org/view.php?id=CVE-2006-4484
Buffer overflow in the LWZReadByte_ function in ext/gd/libgd/gd_gif_in.c in the GD extension in PHP before 5.1.5 allows remote attackers to have an unknown impact via a GIF file with input_code_size greater than MAX_LWZ_BITS, which triggers an overflow when initializing the table array. Desbordamiento de búfer en la función LWZReadByte_ en ext/gd/libgd/gd_gif_in.c en la extensión GD en PHP anterior a 5.1.5 permite a atacantes remotos tener un impacto desconocido mediante un fichero GIF con input_code_size mayor que MAX_LWZ_BITS, lo cual dispara un desbordamiento al inicializar el array tabla. • ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc http://bugs.php.net/bug.php?id=38112 http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd_gif_in.c?r1=1.10&r2=1.11 http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd_gif_in.c?view=log http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00003.html http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html http://rhn.redhat.com/errata/RHSA-2006-0688 •
CVE-2006-4481
https://notcve.org/view.php?id=CVE-2006-4481
The (1) file_exists and (2) imap_reopen functions in PHP before 5.1.5 do not check for the safe_mode and open_basedir settings, which allows local users to bypass the settings. NOTE: the error_log function is covered by CVE-2006-3011, and the imap_open function is covered by CVE-2006-1017. Las funciones (1) file_exists y (2) imap_reopen en PHP before 5.1.5 no validan para las configuraciones safe_mode y open_basedir, lo cual permite a un usuario local evitar las configuraciones. NOTA: la función error_log está cubierta por CVE-2006-3011, y la función imap_open está cubierta por CVE-2006-1017. • http://secunia.com/advisories/21546 http://secunia.com/advisories/21768 http://secunia.com/advisories/21842 http://secunia.com/advisories/22039 http://www.mandriva.com/security/advisories?name=MDKSA-2006:162 http://www.novell.com/linux/security/advisories/2006_52_php.html http://www.php.net/release_5_1_5.php http://www.securityfocus.com/bid/19582 http://www.ubuntu.com/usn/usn-342-1 http://www.vupen.com/english/advisories/2006/3318 •
CVE-2006-4433
https://notcve.org/view.php?id=CVE-2006-4433
PHP before 4.4.3 and 5.x before 5.1.4 does not limit the character set of the session identifier (PHPSESSID) for third party session handlers, which might make it easier for remote attackers to exploit other vulnerabilities by inserting PHP code into the PHPSESSID, which is stored in the session file. NOTE: it could be argued that this not a vulnerability in PHP itself, rather a design limitation that enables certain attacks against session handlers that do not account for this limitation. PHP anterior a 4.4.3 y 5.x anterior a 5.1.4 no limita el conjunto de caracteres del identificador de sesión (PHPSESSID) para manejadores de sesión de terceros, lo cual puede hacer más fácil a atacantes remotos explotar otras vulnerabilidades insertando código PHP en el PHPSESSID, que es guardado en el fichero de sesión. NOTA: puede ser argumentado que no es una vulnerabilidad en PHP en si misma, sino más bien una limitación de diseño que habilita ciertos ataques sobre manejadores de sesión que no tienen en cuenta esta limitación. • http://secunia.com/advisories/21573 http://securityreason.com/securityalert/1466 http://www.hardened-php.net/advisory_052006.128.html http://www.osvdb.org/28233 http://www.osvdb.org/28273 http://www.securityfocus.com/archive/1/444263/100/0/threaded http://www.vupen.com/english/advisories/2006/3388 •