CVE-2007-1401 – PHP 4.4.6 - 'crack_opendict()' Local Buffer Overflow
https://notcve.org/view.php?id=CVE-2007-1401
Buffer overflow in the crack extension (CrackLib), as bundled with PHP 4.4.6 and other versions before 5.0.0, might allow local users to gain privileges via a long argument to the crack_opendict function. Desbordamiento de búfer en la extensión crack (CrackLib), como "atado" con PHP 4.4.6 y otras versiones anteriores 5.5.0, podría permitir a usuarios locales ganar privilegios a través de un argumento en la función crack_opendict. • https://www.exploit-db.com/exploits/3431 http://retrogod.altervista.org/php_446_crack_opendict_local_bof.html http://securityreason.com/securityalert/2405 http://www.securityfocus.com/archive/1/462226/100/0/threaded •
CVE-2007-1399 – PHP 5.2.0 / PHP with PECL ZIP 1.8.3 - 'zip://' URL Wrapper Buffer Overflow
https://notcve.org/view.php?id=CVE-2007-1399
Stack-based buffer overflow in the zip:// URL wrapper in PECL ZIP 1.8.3 and earlier, as bundled with PHP 5.2.0 and 5.2.1, allows remote attackers to execute arbitrary code via a long zip:// URL, as demonstrated by actively triggering URL access from a remote PHP interpreter via avatar upload or blog pingback. Desbordamiento de búfer basado en pila en el envoltorio (wrapper) de URL zip:// en PECL ZIP 1.8.3 y anteriores, como ha sido incluido en PHP 5.2.0 y 5.2.1, permite a atacantes remotos ejecutar código de su elección mediante una URL zip:// larga, como ha sido demostrado accediendo activamente a la URL desde un intérprete PHP remoto mediante una subida avatar o notificación de que el blog ha sido enlazado (blog pingback). • https://www.exploit-db.com/exploits/3440 http://lists.suse.com/archive/suse-security-announce/2007-Mar/0003.html http://secunia.com/advisories/24471 http://secunia.com/advisories/24514 http://secunia.com/advisories/25938 http://www.debian.org/security/2007/dsa-1330 http://www.osvdb.org/32782 http://www.php-security.org/MOPB/MOPB-16-2007.html http://www.securityfocus.com/bid/22883 http://www.vupen.com/english/advisories/2007/0898 https://exchange.xforce.ibmcloud. •
CVE-2007-1411 – PHP 4.4.6 - 'mssql_[p]connect()' Local Buffer Overflow
https://notcve.org/view.php?id=CVE-2007-1411
Buffer overflow in PHP 4.4.6 and earlier, and unspecified PHP 5 versions, allows local and possibly remote attackers to execute arbitrary code via long server name arguments to the (1) mssql_connect and (2) mssql_pconnect functions. Desbordamiento de búfer en PHP 4.4.6 y versiones anteriores, y versiones no especificadas de PHP 5, permite a usuarios locales y posiblemente remotos ejecutar código de su elección mediante argumentos de nombre de servidor larga en las funciones (1) mssql_connect y (2) mssql_pconnect. • https://www.exploit-db.com/exploits/3417 http://retrogod.altervista.org/php_446_mssql_connect_bof.html http://secunia.com/advisories/24353 http://securityreason.com/securityalert/2407 http://www.securityfocus.com/archive/1/462010/100/0/threaded http://www.securityfocus.com/bid/22832 http://www.vupen.com/english/advisories/2007/0867 https://exchange.xforce.ibmcloud.com/vulnerabilities/32885 •
CVE-2007-1396
https://notcve.org/view.php?id=CVE-2007-1396
The import_request_variables function in PHP 4.0.7 through 4.4.6, and 5.x before 5.2.2, when called without a prefix, does not prevent the (1) GET, (2) POST, (3) COOKIE, (4) FILES, (5) SERVER, (6) SESSION, and other superglobals from being overwritten, which allows remote attackers to spoof source IP address and Referer data, and have other unspecified impact. NOTE: it could be argued that this is a design limitation of PHP and that only the misuse of this feature, i.e. implementation bugs in applications, should be included in CVE. However, it has been fixed by the vendor. La función import_request_variables en PHP versión 4.0.7 hasta 4.4.6 y versión 5.x anterior a 5.2.2, cuando se llama sin prefijo, no impide que (1) GET, (2) POST, (3) COOKIE, (4) FILES, (5) SERVER, (6) SESSION y otras super globales se sobrescriban, lo que permite a atacantes remotos suplantar la dirección IP de origen y el datos Referer, y tienen otro impacto no especificado. NOTA: se podría argumentar que se trata de una limitación de diseño de PHP y que sólo el uso inapropiado de esta característica, es decir, errores de implementación en aplicaciones, debe incluirse en el CVE. • http://lists.opensuse.org/opensuse-security-announce/2007-07/msg00006.html http://secunia.com/advisories/26048 http://securityreason.com/securityalert/2406 http://us2.php.net/releases/4_4_7.php http://us2.php.net/releases/5_2_2.php http://www.securityfocus.com/archive/1/462263/100/0/threaded http://www.securityfocus.com/archive/1/462457/100/0/threaded http://www.securityfocus.com/archive/1/462658/100/0/threaded http://www.securityfocus.com/archive/1/462800/100/0 •
CVE-2007-1376 – PHP < 4.4.5/5.2.1 - 'shmop' SSL RSA Private-Key Disclosure
https://notcve.org/view.php?id=CVE-2007-1376
The shmop functions in PHP before 4.4.5, and before 5.2.1 in the 5.x series, do not verify that their arguments correspond to a shmop resource, which allows context-dependent attackers to read and write arbitrary memory locations via arguments associated with an inappropriate resource, as demonstrated by a GD Image resource. Las funciones shomp en PHP anterior a 4.4.5, y anterior a 5.2.1 en las series 5.x, no verifica que sus argumentos corresponden a un recurso shmop, lo caul permite a atacantes dependientes del contexto leer y escribir localizaciones de memoria de su elección a través de argumentos asociados con un recurso inapropiado, como se demostró con un recurso de imagen GD. • https://www.exploit-db.com/exploits/3427 https://www.exploit-db.com/exploits/3426 http://secunia.com/advisories/24606 http://secunia.com/advisories/25056 http://secunia.com/advisories/25057 http://secunia.com/advisories/25062 http://security.gentoo.org/glsa/glsa-200703-21.xml http://www.debian.org/security/2007/dsa-1283 http://www.novell.com/linux/security/advisories/2007_32_php.html http://www.osvdb.org/32781 http://www.php-security.org/MOPB/MOPB-15-2007.ht •