ID CVE-2006-1990
Summary Integer overflow in the wordwrap function in string.c in PHP 4.4.2 and 5.1.2 might allow context-dependent attackers to execute arbitrary code via certain long arguments that cause a small buffer to be allocated, which triggers a heap-based buffer overflow in a memcpy function call, a different vulnerability than CVE-2002-1396.
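The mechanism in the summary, as an added example that is not PHP's source: the output buffer for a wrap is sized from the input length plus a worst-case count of inserted break strings, and with 32-bit arithmetic an attacker-chosen long 'break' argument makes that product wrap, so a small buffer is allocated and the later memcpy of the break string overruns it. The size formula, the helper names and the 64 KiB inputs below are constructed for illustration and modelled on the advisory text, not taken from PHP; the hardened variant shows the overflow checks the fixed versions need, and a checked wrap routine that refuses such inputs instead of allocating a too-small buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Illustrative model of the allocation arithmetic behind CVE-2006-1990
 * (constructed for this example, not PHP's code). Output size is:
 *   textlen + (worst-case number of breaks) * breaklen + NUL
 * With 32-bit arithmetic and a long attacker-chosen break string the
 * multiplication wraps, a small buffer is allocated, and the memcpy of
 * the break string later runs off the end of it.
 */
static uint32_t wordwrap_alloc_unchecked(uint32_t textlen, uint32_t width,
                                         uint32_t breaklen)
{
    uint32_t chunks = textlen / width + 1;    /* worst case: one break per chunk */
    return textlen + chunks * breaklen + 1;   /* silently wraps modulo 2^32 */
}

/* Hardened: same formula, every step checked. Returns 0 on overflow
 * (a valid size is always >= 1 because of the terminating NUL). */
static uint32_t wordwrap_alloc_checked(uint32_t textlen, uint32_t width,
                                       uint32_t breaklen)
{
    if (width == 0)
        return 0;
    uint32_t chunks = textlen / width + 1;
    if (breaklen != 0 && chunks > UINT32_MAX / breaklen)
        return 0;                             /* chunks * breaklen would wrap */
    uint32_t extra = chunks * breaklen;
    if (extra > UINT32_MAX - 1 || textlen > UINT32_MAX - 1 - extra)
        return 0;                             /* textlen + extra + 1 would wrap */
    return textlen + extra + 1;
}

/* Minimal wrap using the checked size: a break after every `width` bytes,
 * which is the case that needs the most room. malloc'd result, NULL on failure. */
static char *wrap_checked(const char *text, uint32_t width, const char *brk)
{
    size_t tl = strlen(text), bl = strlen(brk);
    if (tl > UINT32_MAX || bl > UINT32_MAX)
        return NULL;                          /* stay inside the 32-bit model */
    uint32_t textlen = (uint32_t)tl, breaklen = (uint32_t)bl;
    uint32_t alloced = wordwrap_alloc_checked(textlen, width, breaklen);
    if (alloced == 0)
        return NULL;                          /* refuse instead of under-allocating */
    char *out = malloc(alloced);
    if (out == NULL)
        return NULL;
    size_t pos = 0;
    for (uint32_t i = 0; i < textlen; i++) {
        out[pos++] = text[i];
        if ((i + 1) % width == 0 && i + 1 < textlen) {
            memcpy(out + pos, brk, breaklen); /* fits: at most textlen/width breaks */
            pos += breaklen;
        }
    }
    out[pos] = '\0';
    return out;
}

/* Returns 1 if wrapping `text` yields exactly `expected`. */
static int wrap_matches(const char *text, uint32_t width, const char *brk,
                        const char *expected)
{
    char *w = wrap_checked(text, width, brk);
    int ok = (w != NULL) && strcmp(w, expected) == 0;
    free(w);
    return ok;
}

/* The CVE-2006-1990 shape with constructed inputs: 64 KiB of text, width 1,
 * a 64 KiB break string. The unchecked size wraps to 131073 bytes although
 * about 4 GiB are needed; the checked wrap refuses. Returns 1 if it refused. */
static int wrap_rejects_overflow(void)
{
    const uint32_t n = 65536;
    char *text = malloc(n + 1), *brk = malloc(n + 1);
    if (text == NULL || brk == NULL) { free(text); free(brk); return 0; }
    memset(text, 'a', n); text[n] = '\0';
    memset(brk, 'b', n);  brk[n] = '\0';
    char *w = wrap_checked(text, 1, brk);
    free(text); free(brk);
    if (w != NULL) { free(w); return 0; }
    return 1;
}

int main(void)
{
    printf("unchecked size: %u\n", wordwrap_alloc_unchecked(65536, 1, 65536));
    printf("checked size:   %u (0 = refused)\n", wordwrap_alloc_checked(65536, 1, 65536));
    char *w = wrap_checked("abcdefghij", 4, "\n");
    printf("%s\n", w ? w : "(refused)");
    free(w);
    return 0;
}
```

The check has to cover each operation separately: the multiplication can wrap even when the final addition would not, and vice versa. Note that widening the arithmetic alone is not a fix; the page's own entry for CVE-2006-4482 records that the first correction still left the 64-bit case broken, which is why the checked variant validates against the type's maximum rather than assuming a wider type will not overflow.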
References
Vulnerable Configurations
  • PHP 4.4.2 -
    cpe:2.3:a:php:php:4.4.2
  • PHP 5.1.2 -
    cpe:2.3:a:php:php:5.1.2
CVSS
Base: 5.0 (as of 25-04-2006 - 14:30)
Impact:
Exploitability:
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: NONE
  Integrity: NONE
  Availability: PARTIAL
Vector string: AV:N/AC:L/Au:N/C:N/I:N/A:P (CVSS v2)
nessus via4
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-122.NASL
    description Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function. One instance in gd_io_dp.c does not appear to be corrected in the embedded copy of GD used in php to build the php-gd package. (CVE-2004-0941) Integer overflows were reported in the GD Graphics Library (libgd) 2.0.28, and possibly other versions. These overflows allow remote attackers to cause a denial of service and possibly execute arbitrary code via PNG image files with large image rows values that lead to a heap-based buffer overflow in the gdImageCreateFromPngCtx() function. PHP, as packaged in Mandriva Linux, contains an embedded copy of the GD library, used to build the php-gd package. (CVE-2004-0990) The c-client library 2000, 2001, or 2004 for PHP 3.x, 4.x, and 5.x, when used in applications that accept user-controlled input for the mailbox argument to the imap_open function, allow remote attackers to obtain access to an IMAP stream data structure and conduct unauthorized IMAP actions. (CVE-2006-1017) Integer overflow in the wordwrap function in string.c in PHP 4.4.2 and 5.1.2 might allow context-dependent attackers to execute arbitrary code via certain long arguments that cause a small buffer to be allocated, which triggers a heap-based buffer overflow in a memcpy function call, a different vulnerability than CVE-2002-1396. (CVE-2006-1990) The previous update for this issue did not resolve the issue on 64bit platforms. The cURL library (libcurl) in PHP 4.4.2 and 5.1.4 allows attackers to bypass safe mode and read files via a file:// request containing nul characters. (CVE-2006-2563) Buffer consumption vulnerability in the tempnam function in PHP 5.1.4 and 4.x before 4.4.3 allows local users to bypass restrictions and create PHP files with fixed names in other directories via a pathname argument longer than MAXPATHLEN, which prevents a unique string from being appended to the filename. (CVE-2006-2660) The LZW decoding in the gdImageCreateFromGifPtr function in the Thomas Boutell graphics draw (GD) library (aka libgd) 2.0.33 allows remote attackers to cause a denial of service (CPU consumption) via malformed GIF data that causes an infinite loop. PHP, as packaged in Mandriva Linux, contains an embedded copy of the GD library, used to build the php-gd package. (CVE-2006-2906) The error_log function in PHP allows local users to bypass safe mode and open_basedir restrictions via a 'php://' or other scheme in the third argument, which disables safe mode. (CVE-2006-3011) An unspecified vulnerability in session.c in PHP before 5.1.3 has unknown impact and attack vectors, related to 'certain characters in session names', including special characters that are frequently associated with CRLF injection, SQL injection, and cross-site scripting (XSS) vulnerabilities. NOTE: while the nature of the vulnerability is unspecified, it is likely that this is related to a violation of an expectation by PHP applications that the session name is alphanumeric, as implied in the PHP manual for session_name(). (CVE-2006-3016) An unspecified vulnerability in PHP before 5.1.3 can prevent a variable from being unset even when the unset function is called, which might cause the variable's value to be used in security-relevant operations. (CVE-2006-3017) An unspecified vulnerability in the session extension functionality in PHP before 5.1.3 has unknown impact and attack vectors related to heap corruption. (CVE-2006-3018) Multiple heap-based buffer overflows in the (1) str_repeat and (2) wordwrap functions in ext/standard/string.c in PHP before 5.1.5, when used on a 64-bit system, have unspecified impact and attack vectors, a different vulnerability than CVE-2006-1990. (CVE-2006-4482) The cURL extension files (1) ext/curl/interface.c and (2) ext/curl/streams.c in PHP before 5.1.5 permit the CURLOPT_FOLLOWLOCATION option when open_basedir or safe_mode is enabled, which allows attackers to perform unauthorized actions, possibly related to the realpath cache. (CVE-2006-4483) Unspecified vulnerability in PHP before 5.1.6, when running on a 64-bit system, has unknown impact and attack vectors related to the memory_limit restriction. (CVE-2006-4486) The GD related issues (CVE-2004-0941, CVE-2004-0990, CVE-2006-2906) affect only Corporate 3 and Mandrake Network Firewall 2. The php-curl issues (CVE-2006-2563, CVE-2006-4483) affect only Mandriva 2006.0. Updated packages have been patched to address all these issues. Once these packages have been installed, you will need to restart Apache (service httpd restart) in order for the changes to take effect.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 22053
    published 2006-07-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22053
    title Mandrake Linux Security Advisory : php (MDKSA-2006:122)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-091.NASL
    description An integer overflow in the wordwrap() function could allow attackers to execute arbitrary code via certain long arguments that cause a small buffer to be allocated, triggering a heap-based buffer overflow (CVE-2006-1990). The substr_compare() function in PHP 5.x and 4.4.2 could allow attackers to cause a Denial of Service (memory access violation) via an out-of-bounds offset argument (CVE-2006-1991). The second vulnerability only affects Mandriva Linux 2006; earlier versions shipped with older versions of PHP that do not contain the substr_compare() function.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 21602
    published 2006-05-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21602
    title Mandrake Linux Security Advisory : php (MDKSA-2006:091)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_PHP5-1590.NASL
    description This update fixes the following security issues: - invalid characters in session names were not blocked - a bug in zend_hash_del() allowed attackers to prevent unsetting of some variables - bugs in the substr_compare() and wordwrap() functions could crash php (CVE-2006-1991, CVE-2006-1990) - a memory leak in the imagecreatefromgif() function
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27389
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27389
    title openSUSE 10 Security Update : php5 (php5-1590)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0568.NASL
    description Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A directory traversal vulnerability was found in PHP. Local users could bypass open_basedir restrictions allowing remote attackers to create files in arbitrary directories via the tempnam() function. (CVE-2006-1494) The wordwrap() PHP function did not properly check for integer overflow in the handling of the 'break' parameter. An attacker who could control the string passed to the 'break' parameter could cause a heap overflow. (CVE-2006-1990) A flaw was found in the zend_hash_del() PHP function. For PHP scripts that rely on the use of the unset() function, a remote attacker could force variable initialization to be bypassed. This would be a security issue particularly for installations that enable the 'register_globals' setting. 'register_globals' is disabled by default in Red Hat Enterprise Linux. (CVE-2006-3017) Users of PHP should upgrade to these updated packages, which contain backported patches that resolve these issues.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 22044
    published 2006-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22044
    title RHEL 3 / 4 : php (RHSA-2006:0568)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200605-08.NASL
    description The remote host is affected by the vulnerability described in GLSA-200605-08 (PHP: Multiple vulnerabilities) Several vulnerabilities were discovered in PHP4 and PHP5 by Infigo, Tonu Samuel and Maksymilian Arciemowicz. These included a buffer overflow in the wordwrap() function, restriction bypasses in the copy() and tempnam() functions, a cross-site scripting issue in the phpinfo() function, a potential crash in the substr_compare() function and a memory leak in the non-binary-safe html_entity_decode() function. Impact : Remote attackers might be able to exploit these issues in PHP applications making use of the affected functions, potentially resulting in the execution of arbitrary code, Denial of Service, execution of scripted contents in the context of the affected site, security bypass or information leak. Workaround : There is no known workaround at this point.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 21350
    published 2006-05-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21350
    title GLSA-200605-08 : PHP: Multiple vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0501.NASL
    description Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. The phpinfo() PHP function did not properly sanitize long strings. An attacker could use this to perform cross-site scripting attacks against sites that have publicly-available PHP scripts that call phpinfo(). (CVE-2006-0996) The error handling output was found to not properly escape HTML output in certain cases. An attacker could use this flaw to perform cross-site scripting attacks against sites where both display_errors and html_errors are enabled. (CVE-2006-0208) A buffer overflow flaw was discovered in uw-imap, the University of Washington's IMAP Server. php-imap is compiled against the static c-client libraries from imap and therefore needed to be recompiled against the fixed version. (CVE-2005-2933) The wordwrap() PHP function did not properly check for integer overflow in the handling of the 'break' parameter. An attacker who could control the string passed to the 'break' parameter could cause a heap overflow. (CVE-2006-1990) Users of PHP should upgrade to these updated packages, which contain backported patches that resolve these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 21594
    published 2006-05-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21594
    title RHEL 2.1 : php (RHSA-2006:0501)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2006-0568.NASL
    description Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A directory traversal vulnerability was found in PHP. Local users could bypass open_basedir restrictions allowing remote attackers to create files in arbitrary directories via the tempnam() function. (CVE-2006-1494) The wordwrap() PHP function did not properly check for integer overflow in the handling of the 'break' parameter. An attacker who could control the string passed to the 'break' parameter could cause a heap overflow. (CVE-2006-1990) A flaw was found in the zend_hash_del() PHP function. For PHP scripts that rely on the use of the unset() function, a remote attacker could force variable initialization to be bypassed. This would be a security issue particularly for installations that enable the 'register_globals' setting. 'register_globals' is disabled by default in Red Hat Enterprise Linux. (CVE-2006-3017) Users of PHP should upgrade to these updated packages, which contain backported patches that resolve these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 22037
    published 2006-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22037
    title CentOS 3 / 4 : php (CESA-2006:0568)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-320-1.NASL
    description The phpinfo() PHP function did not properly sanitize long strings. A remote attacker could use this to perform cross-site scripting attacks against sites that have publicly-available PHP scripts that call phpinfo(). Please note that it is not recommended to publicly expose phpinfo(). (CVE-2006-0996) An information disclosure has been reported in the html_entity_decode() function. A script which uses this function to process arbitrary user-supplied input could be exploited to expose a random part of memory, which could potentially reveal sensitive data. (CVE-2006-1490) The wordwrap() function did not sufficiently check the validity of the 'break' argument. An attacker who could control the string passed to the 'break' parameter could cause a heap overflow; however, this should not happen in practical applications. (CVE-2006-1990) The substr_compare() function did not sufficiently check the validity of the 'offset' argument. A script which passes untrusted user-defined values to this parameter could be exploited to crash the PHP interpreter. (CVE-2006-1991) In certain situations, using unset() to delete a hash entry could cause the deletion of the wrong element, which would leave the specified variable defined. This could potentially cause information disclosure in security-relevant operations. (CVE-2006-3017) In certain situations the session module attempted to close a data file twice, which led to memory corruption. This could potentially be exploited to crash the PHP interpreter, though that could not be verified. (CVE-2006-3018) This update also fixes various bugs which allowed local scripts to bypass open_basedir and 'safe mode' restrictions by passing special arguments to tempnam() (CVE-2006-1494, CVE-2006-2660), copy() (CVE-2006-1608), the curl module (CVE-2006-2563), or error_log() (CVE-2006-3011). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 27897
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27897
    title Ubuntu 5.04 / 5.10 / 6.06 LTS : php4, php5 vulnerabilities (USN-320-1)
  • NASL family CGI abuses
    NASL id PHP_4_4_3.NASL
    description According to its banner, the version of PHP installed on the remote host is older than 4.4.3 / 5.1.4. Such versions may be affected by several issues, including a buffer overflow, heap corruption, and a flaw by which a variable may survive a call to 'unset()'.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 22268
    published 2006-08-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22268
    title PHP < 4.4.3 / 5.1.4 Multiple Vulnerabilities
oval via4
accepted 2013-04-29T04:21:24.583-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description Integer overflow in the wordwrap function in string.c in PHP 4.4.2 and 5.1.2 might allow context-dependent attackers to execute arbitrary code via certain long arguments that cause a small buffer to be allocated, which triggers a heap-based buffer overflow in a memcpy function call, a different vulnerability than CVE-2002-1396.
family unix
id oval:org.mitre.oval:def:9696
status accepted
submitted 2010-07-09T03:56:16-04:00
title Integer overflow in the wordwrap function in string.c in PHP 4.4.2 and 5.1.2 might allow context-dependent attackers to execute arbitrary code via certain long arguments that cause a small buffer to be allocated, which triggers a heap-based buffer overflow in a memcpy function call, a different vulnerability than CVE-2002-1396.
version 23
redhat via4
advisories
  • rhsa
    id RHSA-2006:0501
  • rhsa
    id RHSA-2006:0549
  • rhsa
    id RHSA-2006:0568
refmap via4
apple APPLE-SA-2006-11-28
bugtraq 20061005 rPSA-2006-0182-1 php php-mysql php-pgsql
cert TA06-333A
confirm
gentoo GLSA-200605-08
mandrake MDKSA-2006:091
mandriva MDKSA-2006:122
misc http://www.infigo.hr/en/in_focus/advisories/INFIGO-2006-04-02
sectrack 1015979
secunia
  • 19803
  • 20052
  • 20222
  • 20269
  • 20676
  • 21031
  • 21050
  • 21125
  • 21135
  • 21252
  • 21564
  • 21723
  • 22225
  • 23155
sgi 20060701-01-U
suse SUSE-SA:2006:031
turbo TLSA-2006-38
ubuntu USN-320-1
vupen
  • ADV-2006-1500
  • ADV-2006-4750
xf php-wordwrap-string-bo(26001)
Last major update 19-02-2017 - 00:12
Published 24-04-2006 - 19:02
Last modified 18-10-2018 - 12:37