ID CVE-2005-0525
Summary The php_next_marker function in image.c for PHP 4.2.2, 4.3.9, 4.3.10 and 5.0.3, as reachable by the getimagesize PHP function, allows remote attackers to cause a denial of service (infinite loop) via a JPEG image with an invalid marker value, which causes a negative length value to be passed to php_stream_seek.
References
Vulnerable Configurations
  • PHP PHP 4.2.2
    cpe:2.3:a:php:php:4.2.2
  • PHP PHP 4.3.9
    cpe:2.3:a:php:php:4.3.9
  • PHP PHP 4.3.10
    cpe:2.3:a:php:php:4.3.10
  • PHP PHP 5.0.3
    cpe:2.3:a:php:php:5.0.3
CVSS
Base: 5.0 (as of 07-06-2005 - 22:06)
Impact:
Exploitability:
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: NONE
  Integrity: NONE
  Availability: PARTIAL
nessus via4
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2005-006.NASL
    description The remote host is missing Security Update 2005-006. This security update contains security fixes for the following application : - AFP Server - Bluetooth - CoreGraphics - Folder Permissions - launchd - LaunchServices - NFS - PHP - VPN These programs have multiple vulnerabilities, some of which may lead to arbitrary code execution.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 18437
    published 2005-06-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18437
    title Mac OS X Multiple Vulnerabilities (Security Update 2005-006)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-708.NASL
    description An iDEFENSE researcher discovered two problems in the image processing functions of PHP, a server-side, HTML-embedded scripting language, of which one is present in PHP3 as well. When reading a JPEG image, PHP can be tricked into an endless loop due to insufficient input validation.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 18053
    published 2005-04-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18053
    title Debian DSA-708-1 : php3 - missing input sanitising
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-105-1.NASL
    description Two Denial of Service vulnerabilities have been discovered in the getimagesize() function. getimagesize() uses format specific internal functions php_handle_iff() and php_handle_jpeg() which get stuck in infinite loops when certain (invalid) size parameters are read from the image. In web applications that allow users to upload arbitrary image files, a remote attacker could render the server unavailable by uploading specially crafted images. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-05-27
    plugin id 20491
    published 2006-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20491
    title Ubuntu 4.10 : php4 vulnerabilities (USN-105-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-729.NASL
    description An iDEFENSE researcher discovered two problems in the image processing functions of PHP, a server-side, HTML-embedded scripting language, of which one is present in woody as well. When reading a JPEG image, PHP can be tricked into an endless loop due to insufficient input validation.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 18516
    published 2005-06-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18516
    title Debian DSA-729-1 : php4 - missing input sanitising
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200504-15.NASL
    description The remote host is affected by the vulnerability described in GLSA-200504-15 (PHP: Multiple vulnerabilities) An integer overflow and an unbound recursion were discovered in the processing of Image File Directory tags in PHP's EXIF module (CAN-2005-1042, CAN-2005-1043). Furthermore, two infinite loops have been discovered in the getimagesize() function when processing IFF or JPEG images (CAN-2005-0524, CAN-2005-0525). Impact : A remote attacker could craft an image file with a malicious EXIF IFD tag, a large IFD nesting level or invalid size parameters and send it to a web application that would process this user-provided image using one of the affected functions. This could result in denying service on the attacked server and potentially executing arbitrary code with the rights of the web server. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 18081
    published 2005-04-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18081
    title GLSA-200504-15 : PHP: Multiple vulnerabilities
  • NASL family CGI abuses
    NASL id PHP_IMAGE_FILE_DOS.NASL
    description According to its banner, the version of PHP installed on the remote host is vulnerable to a denial of service attack due to its failure to properly validate file data in the routines 'php_handle_iff' and 'php_handle_jpeg', which are called by the PHP function 'getimagesize'. Using a specially crafted image file, an attacker can trigger an infinite loop when 'getimagesize' is called, perhaps even remotely in the cases where image uploads are allowed.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 17687
    published 2005-04-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17687
    title PHP Multiple Image Processing Functions File Handling DoS
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2005-405.NASL
    description Updated PHP packages that fix various security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A bug was found in the way PHP processes IFF and JPEG images. It is possible to cause PHP to consume CPU resources for a short period of time by supplying a carefully crafted IFF or JPEG image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0524 and CVE-2005-0525 to these issues. A buffer overflow bug was also found in the way PHP processes EXIF image headers. It is possible for an attacker to construct an image file in such a way that it could execute arbitrary instructions when processed by PHP. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1042 to this issue. A denial of service bug was found in the way PHP processes EXIF image headers. It is possible for an attacker to cause PHP to enter an infinite loop for a short period of time by supplying a carefully crafted image file to PHP for processing. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1043 to this issue. Several bug fixes are also included in this update : - The security fixes in RHSA-2004-687 to the 'unserializer' code introduced some performance issues. - In the gd extension, the 'imagecopymerge' function did not correctly handle transparency. The original image was being obscured in the resultant image. - In the curl extension, safe mode was not enforced for 'file:///' URL lookups (CVE-2004-1392). Users of PHP should upgrade to these updated packages, which contain backported fixes for these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 21818
    published 2006-07-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21818
    title CentOS 3 : PHP (CESA-2005:405)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SA_2005_023.NASL
    description The remote host is missing the patch for the advisory SUSE-SA:2005:023 (php4, php5). This update fixes the following security issues in the PHP scripting language: - A bug in getimagesize() EXIF handling which could lead to a denial of service attack. This is tracked by the Mitre CVE IDs CVE-2005-0524 and CVE-2005-0525. Additionally this non-security bug was fixed: - Performance problems of unserialize() caused by previous security fix to unserialize were fixed. All SUSE Linux based distributions shipping php4 and php5 were affected.
    last seen 2019-02-21
    modified 2016-12-27
    plugin id 18057
    published 2005-04-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18057
    title SUSE-SA:2005:023: php4, php5
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2005-406.NASL
    description Updated PHP packages that fix various security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A bug was found in the way PHP processes IFF and JPEG images. It is possible to cause PHP to consume CPU resources for a short period of time by supplying a carefully crafted IFF or JPEG image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0524 and CVE-2005-0525 to these issues. A buffer overflow bug was also found in the way PHP processes EXIF image headers. It is possible for an attacker to construct an image file in such a way it could execute arbitrary instructions when processed by PHP. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1042 to this issue. A denial of service bug was found in the way PHP processes EXIF image headers. It is possible for an attacker to cause PHP to enter an infinite loop for a short period of time by supplying a carefully crafted image file to PHP for processing. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1043 to this issue. Several bug fixes are also included in this update : - some performance issues in the unserialize() function have been fixed - the behaviour of the interpreter when handling integer overflow during conversion of a floating variable to an integer has been reverted to match the behaviour used upstream; the integer will now be wrapped rather than truncated - a fix for the virtual() function in the Apache httpd module which would flush the response prematurely - the hard-coded default 'safe mode' setting is now 'disabled' rather than 'enabled'; to match the default /etc/php.ini setting - in the curl extension, safe mode was not enforced for 'file:///' URL lookups (CVE-2004-1392). Users of PHP should upgrade to these updated packages, which contain backported fixes for these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 23981
    published 2007-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23981
    title CentOS 4 : PHP (CESA-2005:406)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-406.NASL
    description Updated PHP packages that fix various security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A bug was found in the way PHP processes IFF and JPEG images. It is possible to cause PHP to consume CPU resources for a short period of time by supplying a carefully crafted IFF or JPEG image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0524 and CVE-2005-0525 to these issues. A buffer overflow bug was also found in the way PHP processes EXIF image headers. It is possible for an attacker to construct an image file in such a way it could execute arbitrary instructions when processed by PHP. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1042 to this issue. A denial of service bug was found in the way PHP processes EXIF image headers. It is possible for an attacker to cause PHP to enter an infinite loop for a short period of time by supplying a carefully crafted image file to PHP for processing. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1043 to this issue. Several bug fixes are also included in this update : - some performance issues in the unserialize() function have been fixed - the behaviour of the interpreter when handling integer overflow during conversion of a floating variable to an integer has been reverted to match the behaviour used upstream; the integer will now be wrapped rather than truncated - a fix for the virtual() function in the Apache httpd module which would flush the response prematurely - the hard-coded default 'safe mode' setting is now 'disabled' rather than 'enabled'; to match the default /etc/php.ini setting - in the curl extension, safe mode was not enforced for 'file:///' URL lookups (CVE-2004-1392). Users of PHP should upgrade to these updated packages, which contain backported fixes for these issues.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 18198
    published 2005-05-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18198
    title RHEL 4 : PHP (RHSA-2005:406)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-405.NASL
    description Updated PHP packages that fix various security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A bug was found in the way PHP processes IFF and JPEG images. It is possible to cause PHP to consume CPU resources for a short period of time by supplying a carefully crafted IFF or JPEG image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0524 and CVE-2005-0525 to these issues. A buffer overflow bug was also found in the way PHP processes EXIF image headers. It is possible for an attacker to construct an image file in such a way that it could execute arbitrary instructions when processed by PHP. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1042 to this issue. A denial of service bug was found in the way PHP processes EXIF image headers. It is possible for an attacker to cause PHP to enter an infinite loop for a short period of time by supplying a carefully crafted image file to PHP for processing. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1043 to this issue. Several bug fixes are also included in this update : - The security fixes in RHSA-2004-687 to the 'unserializer' code introduced some performance issues. - In the gd extension, the 'imagecopymerge' function did not correctly handle transparency. The original image was being obscured in the resultant image. - In the curl extension, safe mode was not enforced for 'file:///' URL lookups (CVE-2004-1392). Users of PHP should upgrade to these updated packages, which contain backported fixes for these issues.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 18163
    published 2005-04-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18163
    title RHEL 3 : PHP (RHSA-2005:405)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2005-072.NASL
    description A number of vulnerabilities are addressed in this PHP update : Stefano Di Paolo discovered integer overflows in PHP's pack(), unpack(), and shmop_write() functions which could allow a malicious script to break out of safe mode and execute arbitrary code with privileges of the PHP interpreter (CVE-2004-1018; this was previously fixed in Mandrakelinux >= 10.0 in MDKSA-2004:151). Stefan Esser discovered two safe mode bypasses which would allow malicious scripts to circumvent path restrictions by using virtual_popen() with a current directory containing shell meta-characters (CVE-2004-1063) or by creating a specially crafted directory whose length exceeded the capacity of realpath() (CVE-2004-1064; both of these were previously fixed in Mandrakelinux >= 10.0 in MDKSA-2004:151). Two Denial of Service vulnerabilities were found in the getimagesize() function which uses the format-specific internal functions php_handle_iff() and php_handle_jpeg() which would get stuck in infinite loops when certain (invalid) size parameters are read from the image (CVE-2005-0524 and CVE-2005-0525). An integer overflow was discovered in the exif_process_IFD_TAG() function in PHP's EXIF module. EXIF tags with a specially crafted 'Image File Directory' (IFD) tag would cause a buffer overflow which could be exploited to execute arbitrary code with the privileges of the PHP server (CVE-2005-1042). Another vulnerability in the EXIF module was also discovered where headers with a large IFD nesting level would cause an unbound recursion which would eventually overflow the stack and cause the executed program to crash (CVE-2004-1043). All of these issues are addressed in the Corporate Server 2.1 packages and the last three issues for all other platforms, which had previously included the first two issues but had not been mentioned in MDKSA-2004:151.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 18091
    published 2005-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18091
    title Mandrake Linux Security Advisory : php (MDKSA-2005:072)
oval via4
accepted 2013-04-29T04:15:24.134-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description The php_next_marker function in image.c for PHP 4.2.2, 4.3.9, 4.3.10 and 5.0.3, as reachable by the getimagesize PHP function, allows remote attackers to cause a denial of service (infinite loop) via a JPEG image with an invalid marker value, which causes a negative length value to be passed to php_stream_seek.
family unix
id oval:org.mitre.oval:def:11703
status accepted
submitted 2010-07-09T03:56:16-04:00
title The php_next_marker function in image.c for PHP 4.2.2, 4.3.9, 4.3.10 and 5.0.3, as reachable by the getimagesize PHP function, allows remote attackers to cause a denial of service (infinite loop) via a JPEG image with an invalid marker value, which causes a negative length value to be passed to php_stream_seek.
version 23
redhat via4
advisories
  • rhsa
    id RHSA-2005:405
  • rhsa
    id RHSA-2005:406
refmap via4
apple APPLE-SA-2005-06-08
debian
  • DSA-708
  • DSA-729
gentoo GLSA-200504-15
idefense 20050331 PHP getimagesize() Multiple Denial of Service Vulnerabilities
mandrake MDKSA-2005:072
osvdb 15184
sectrack 1013619
secunia 14792
suse SUSE-SA:2005:023
vupen ADV-2005-0305
Last major update 07-03-2011 - 21:20
Published 02-05-2005 - 00:00
Last modified 02-05-2018 - 21:29