ID CVE-2007-0911
Summary Off-by-one error in the str_ireplace function in PHP 5.2.1 might allow context-dependent attackers to cause a denial of service (crash).
References
Vulnerable Configurations
  • PHP 5.2.1
    cpe:2.3:a:php:php:5.2.1
CVSS
Base: 7.8 (as of 14-02-2007 - 14:39)
Impact:
Exploitability:
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: NONE
Integrity: NONE
Availability: COMPLETE
exploit-db via4
description PHP 5.2.1 STR_IReplace Remote Denial of Service Vulnerability. CVE-2007-0911. Dos exploit for php platform
id EDB-ID:29577
last seen 2016-02-03
modified 2007-02-09
published 2007-02-09
reporter Thomas Hruska
source https://www.exploit-db.com/download/29577/
title PHP 5.2.1 STR_IReplace Remote Denial of Service Vulnerability
nessus via4
  • NASL family CGI abuses
    NASL id PHP_4_4_7_OR_5_2_2.NASL
    description According to its banner, the version of PHP installed on the remote host is older than 4.4.7 / 5.2.2. Such versions may be affected by several issues, including buffer overflows in the GD library.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 25159
    published 2007-05-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25159
    title PHP < 4.4.7 / 5.2.2 Multiple Vulnerabilities
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200703-21.NASL
    description The remote host is affected by the vulnerability described in GLSA-200703-21 (PHP: Multiple vulnerabilities)
      Several vulnerabilities were found in PHP by the Hardened-PHP Project and other researchers. These vulnerabilities include a heap-based buffer overflow in htmlentities() and htmlspecialchars() if called with UTF-8 parameters, and an off-by-one error in str_ireplace(). Other vulnerabilities were also found in the PHP4 branch, including possible overflows, stack corruptions and a format string vulnerability in the *print() functions on 64 bit systems.
      Impact : Remote attackers might be able to exploit these issues in PHP applications making use of the affected functions, potentially resulting in the execution of arbitrary code, Denial of Service, execution of scripted contents in the context of the affected site, security bypass or information leak.
      Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 24887
    published 2007-03-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24887
    title GLSA-200703-21 : PHP: Multiple vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_PHP5-2687.NASL
    description
      CVE-2007-0906: Multiple buffer overflows in PHP before 5.2.1 allow attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors in the (1) session, (2) zip, (3) imap, and (4) sqlite extensions; (5) stream filters; and the (6) str_replace, (7) mail, (8) ibase_delete_user, (9) ibase_add_user, and (10) ibase_modify_user functions.
      CVE-2007-0907: Buffer underflow in PHP before 5.2.1 allows attackers to cause a denial of service via unspecified vectors involving the sapi_header_op function.
      CVE-2007-0908: The wddx extension in PHP before 5.2.1 allows remote attackers to obtain sensitive information via unspecified vectors.
      CVE-2007-0909: Multiple format string vulnerabilities in PHP before 5.2.1 might allow attackers to execute arbitrary code via format string specifiers to (1) all of the *print functions on 64-bit systems, and (2) the odbc_result_all function.
      CVE-2007-0910: Unspecified vulnerability in PHP before 5.2.1 allows attackers to 'clobber' certain super-global variables via unspecified vectors.
      CVE-2007-0911: Off-by-one error in the str_ireplace function in PHP 5.2.1 might allow context-dependent attackers to cause a denial of service (crash).
      CVE-2006-6383: PHP 5.2.0 and 4.4 allows local users to bypass safe_mode and open_basedir restrictions via a malicious path and a null byte before a ';' in a session_save_path argument, followed by an allowed path, which causes a parsing inconsistency in which PHP validates the allowed path but sets session.save_path to the malicious path. And another fix for open_basedir was added to stop mixing up its setting in a virtual host environment.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27390
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27390
    title openSUSE 10 Security Update : php5 (php5-2687)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_APACHE2-MOD_PHP5-2684.NASL
    description This update fixes security problems also fixed in PHP 5.2.1, including following problems :
      - Multiple buffer overflows in PHP before 5.2.1 allow attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors in the (1) session, (2) zip, (3) imap, and (4) sqlite extensions; (5) stream filters; and the (6) str_replace, (7) mail, (8) ibase_delete_user, (9) ibase_add_user, and (10) ibase_modify_user functions. (CVE-2007-0906)
      - Buffer underflow in PHP before 5.2.1 allows attackers to cause a denial of service via unspecified vectors involving the sapi_header_op function. (CVE-2007-0907)
      - The wddx extension in PHP before 5.2.1 allows remote attackers to obtain sensitive information via unspecified vectors. (CVE-2007-0908)
      - Multiple format string vulnerabilities in PHP before 5.2.1 might allow attackers to execute arbitrary code via format string specifiers to (1) all of the *print functions on 64-bit systems, and (2) the odbc_result_all function. (CVE-2007-0909)
      - Unspecified vulnerability in PHP before 5.2.1 allows attackers to 'clobber' certain super-global variables via unspecified vectors. (CVE-2007-0910)
      - Off-by-one error in the str_ireplace function in PHP 5.2.1 might allow context-dependent attackers to cause a denial of service (crash). (CVE-2007-0911)
      - PHP 5.2.0 and 4.4 allows local users to bypass safe_mode and open_basedir restrictions via a malicious path and a null byte before a ';' in a session_save_path argument, followed by an allowed path, which causes a parsing inconsistency in which PHP validates the allowed path but sets session.save_path to the malicious path. And another fix for open_basedir was added to stop mixing up its setting in a virtual host environment. (CVE-2006-6383)
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 29377
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29377
    title SuSE 10 Security Update : PHP5 (ZYPP Patch Number 2684)
refmap via4
bid 22505
bugtraq 20070209 PHP 5.2.1 crash bug
gentoo GLSA-200703-21
misc http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.445.2.14.2.36&r2=1.445.2.14.2.37
mlist
  • [php-dev] 20070209 PHP 5.2.1 crashing Apache/IIS...
  • [php-dev] 20070210 Re: PHP 5.2.1 crashing Apache/IIS...
osvdb 33952
secunia
  • 24514
  • 24606
suse SUSE-SA:2007:020
statements via4
contributor Mark J Cox
lastmodified 2007-02-16
organization Red Hat
statement Not vulnerable. This flaw is a regression of the fix for CVE-2007-0906 affecting PHP version 5.2.1 only which results in any use of str_replace() causing a crash regardless of user input. These issues did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.
Last major update 17-10-2016 - 23:43
Published 13-02-2007 - 18:28
Last modified 16-10-2018 - 12:35