ID CVE-2007-1001
Summary Multiple integer overflows in the (1) createwbmp and (2) readwbmp functions in wbmp.c in the GD library (libgd) in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allow context-dependent attackers to execute arbitrary code via Wireless Bitmap (WBMP) images with large width or height values.
References
Vulnerable Configurations
  • PHP 4.0 -
    cpe:2.3:a:php:php:4.0
  • PHP PHP 4.0 Beta 1
    cpe:2.3:a:php:php:4.0:beta1
  • PHP PHP 4.0 Beta 2
    cpe:2.3:a:php:php:4.0:beta2
  • PHP PHP 4.0 Beta 3
    cpe:2.3:a:php:php:4.0:beta3
  • PHP PHP 4.0 Beta 4
    cpe:2.3:a:php:php:4.0:beta4
  • PHP PHP 4.0 Beta 4 Patch Level 1
    cpe:2.3:a:php:php:4.0:beta_4_patch1
  • PHP 4.0 Release Candidate 1
    cpe:2.3:a:php:php:4.0:rc1
  • PHP 4.0 Release Candidate 2
    cpe:2.3:a:php:php:4.0:rc2
  • PHP PHP 4.0.0
    cpe:2.3:a:php:php:4.0.0
  • PHP 4.0.1 -
    cpe:2.3:a:php:php:4.0.1
  • cpe:2.3:a:php:php:4.0.1:patch1
    cpe:2.3:a:php:php:4.0.1:patch1
  • cpe:2.3:a:php:php:4.0.1:patch2
    cpe:2.3:a:php:php:4.0.1:patch2
  • PHP PHP 4.0.2
    cpe:2.3:a:php:php:4.0.2
  • PHP PHP 4.0.3
    cpe:2.3:a:php:php:4.0.3
  • cpe:2.3:a:php:php:4.0.3:patch1
    cpe:2.3:a:php:php:4.0.3:patch1
  • PHP 4.0.4 -
    cpe:2.3:a:php:php:4.0.4
  • cpe:2.3:a:php:php:4.0.4:patch1
    cpe:2.3:a:php:php:4.0.4:patch1
  • PHP 4.0.5 -
    cpe:2.3:a:php:php:4.0.5
  • PHP 4.0.6 -
    cpe:2.3:a:php:php:4.0.6
  • PHP 4.0.7 -
    cpe:2.3:a:php:php:4.0.7
  • PHP 4.0.7 Release Candidate 1
    cpe:2.3:a:php:php:4.0.7:rc1
  • PHP 4.0.7 Release Candidate 2
    cpe:2.3:a:php:php:4.0.7:rc2
  • PHP 4.0.7 Release Candidate 3
    cpe:2.3:a:php:php:4.0.7:rc3
  • PHP 4.1.0 -
    cpe:2.3:a:php:php:4.1.0
  • PHP PHP 4.1.1
    cpe:2.3:a:php:php:4.1.1
  • PHP PHP 4.1.2
    cpe:2.3:a:php:php:4.1.2
  • cpe:2.3:a:php:php:4.2:-:dev
    cpe:2.3:a:php:php:4.2:-:dev
  • PHP 4.2.0 -
    cpe:2.3:a:php:php:4.2.0
  • PHP 4.2.1 -
    cpe:2.3:a:php:php:4.2.1
  • PHP PHP 4.2.2
    cpe:2.3:a:php:php:4.2.2
  • PHP 4.2.3 -
    cpe:2.3:a:php:php:4.2.3
  • PHP 4.3.0 -
    cpe:2.3:a:php:php:4.3.0
  • PHP PHP 4.3.1
    cpe:2.3:a:php:php:4.3.1
  • PHP 4.3.2 -
    cpe:2.3:a:php:php:4.3.2
  • PHP 4.3.3 -
    cpe:2.3:a:php:php:4.3.3
  • PHP 4.3.4 -
    cpe:2.3:a:php:php:4.3.4
  • PHP 4.3.5 -
    cpe:2.3:a:php:php:4.3.5
  • PHP 4.3.6 -
    cpe:2.3:a:php:php:4.3.6
  • PHP 4.3.7 -
    cpe:2.3:a:php:php:4.3.7
  • PHP PHP 4.3.8
    cpe:2.3:a:php:php:4.3.8
  • PHP PHP 4.3.9
    cpe:2.3:a:php:php:4.3.9
  • PHP 4.3.10 -
    cpe:2.3:a:php:php:4.3.10
  • PHP 4.3.11 -
    cpe:2.3:a:php:php:4.3.11
  • PHP 4.4.0 -
    cpe:2.3:a:php:php:4.4.0
  • PHP 4.4.1 -
    cpe:2.3:a:php:php:4.4.1
  • PHP 4.4.2 -
    cpe:2.3:a:php:php:4.4.2
  • PHP 4.4.3 -
    cpe:2.3:a:php:php:4.4.3
  • PHP 4.4.4 -
    cpe:2.3:a:php:php:4.4.4
  • PHP 4.4.5 -
    cpe:2.3:a:php:php:4.4.5
  • PHP 4.4.6 -
    cpe:2.3:a:php:php:4.4.6
  • cpe:2.3:a:php:php:5.0:rc1
    cpe:2.3:a:php:php:5.0:rc1
  • cpe:2.3:a:php:php:5.0:rc2
    cpe:2.3:a:php:php:5.0:rc2
  • cpe:2.3:a:php:php:5.0:rc3
    cpe:2.3:a:php:php:5.0:rc3
  • PHP 5.0.0 -
    cpe:2.3:a:php:php:5.0.0
  • PHP PHP 5.0.0 Beta1
    cpe:2.3:a:php:php:5.0.0:beta1
  • PHP PHP 5.0.0 Beta2
    cpe:2.3:a:php:php:5.0.0:beta2
  • PHP PHP 5.0.0 Beta3
    cpe:2.3:a:php:php:5.0.0:beta3
  • PHP PHP 5.0.0 Beta4
    cpe:2.3:a:php:php:5.0.0:beta4
  • PHP PHP 5.0.0 RC1
    cpe:2.3:a:php:php:5.0.0:rc1
  • PHP PHP 5.0.0 RC2
    cpe:2.3:a:php:php:5.0.0:rc2
  • PHP PHP 5.0.0 RC3
    cpe:2.3:a:php:php:5.0.0:rc3
  • PHP 5.0.1 -
    cpe:2.3:a:php:php:5.0.1
  • PHP 5.0.2 -
    cpe:2.3:a:php:php:5.0.2
  • PHP 5.0.3 -
    cpe:2.3:a:php:php:5.0.3
  • PHP 5.0.4 -
    cpe:2.3:a:php:php:5.0.4
  • PHP 5.0.5 -
    cpe:2.3:a:php:php:5.0.5
  • PHP 5.1.0 -
    cpe:2.3:a:php:php:5.1.0
  • PHP PHP 5.1.1
    cpe:2.3:a:php:php:5.1.1
  • PHP 5.1.2 -
    cpe:2.3:a:php:php:5.1.2
  • PHP PHP 5.1.3
    cpe:2.3:a:php:php:5.1.3
  • PHP 5.1.4
    cpe:2.3:a:php:php:5.1.4
  • PHP 5.1.5 -
    cpe:2.3:a:php:php:5.1.5
  • PHP PHP 5.1.6
    cpe:2.3:a:php:php:5.1.6
  • PHP 5.2.0
    cpe:2.3:a:php:php:5.2.0
  • PHP 5.2.1 -
    cpe:2.3:a:php:php:5.2.1
CVSS
Base: 6.8 (as of 06-04-2007 - 09:54)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
exploit-db via4
description PHP 5.2.1 GD Extension WBMP File Integer Overflow Vulnerabilities. CVE-2007-1001 . Dos exploit for php platform
id EDB-ID:29823
last seen 2016-02-03
modified 2007-04-07
published 2007-04-07
reporter Ivan Fratric
source https://www.exploit-db.com/download/29823/
title PHP <= 5.2.1 GD Extension WBMP File Integer Overflow Vulnerabilities
nessus via4
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_F5E52BF5FC7711DB8163000E0C2E438A.NASL
    description The PHP development team reports : Security Enhancements and Fixes in PHP 5.2.2 and PHP 4.4.7 : - Fixed CVE-2007-1001, GD wbmp used with invalid image size - Fixed asciiz byte truncation inside mail() - Fixed a bug in mb_parse_str() that can be used to activate register_globals - Fixed unallocated memory access/double free in in array_user_key_compare() - Fixed a double free inside session_regenerate_id() - Added missing open_basedir & safe_mode checks to zip:// and bzip:// wrappers. - Limit nesting level of input variables with max_input_nesting_level as fix for. - Fixed CRLF injection inside ftp_putcmd(). - Fixed a possible super-global overwrite inside import_request_variables(). - Fixed a remotely trigger-able buffer overflow inside bundled libxmlrpc library. Security Enhancements and Fixes in PHP 5.2.2 only : - Fixed a header injection via Subject and To parameters to the mail() function - Fixed wrong length calculation in unserialize S type. - Fixed substr_compare and substr_count information leak. - Fixed a remotely trigger-able buffer overflow inside make_http_soap_request(). - Fixed a buffer overflow inside user_filter_factory_create(). Security Enhancements and Fixes in PHP 4.4.7 only : - XSS in phpinfo()
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25207
    published 2007-05-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25207
    title FreeBSD : php -- multiple vulnerabilities (f5e52bf5-fc77-11db-8163-000e0c2e438a)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2007-127-01.NASL
    description New php packages are available for Slackware 10.2, 11.0, and -current to improve the stability and security of PHP. Quite a few bugs were fixed -- please see http://www.php.net for a detailed list. All sites that use PHP are encouraged to upgrade. Please note that we haven't tested all PHP applications for backwards compatibility with this new upgrade, so you should have the old package on hand just in case. Both PHP 4.4.7 and PHP 5.2.2 updates have been provided.
    last seen 2019-02-21
    modified 2018-06-27
    plugin id 25174
    published 2007-05-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25174
    title Slackware 10.2 / 11.0 / current : php (SSA:2007-127-01)
  • NASL family CGI abuses
    NASL id PHP_4_4_7_OR_5_2_2.NASL
    description According to its banner, the version of PHP installed on the remote host is older than 4.4.7 / 5.2.2. Such versions may be affected by several issues, including buffer overflows in the GD library.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 25159
    published 2007-05-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25159
    title PHP < 4.4.7 / 5.2.2 Multiple Vulnerabilities
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2007-007.NASL
    description The remote host is running a version of Mac OS X 10.4 or 10.3 which does not have the security update 2007-007 applied. This update contains several security fixes for the following programs : - bzip2 - CFNetwork - CoreAudio - cscope - gnuzip - iChat - Kerberos - mDNSResponder - PDFKit - PHP - Quartz Composer - Samba - SquirrelMail - Tomcat - WebCore - WebKit
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 25830
    published 2007-08-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25830
    title Mac OS X Multiple Vulnerabilities (Security Update 2007-007)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-089.NASL
    description A heap-based buffer overflow vulnerability was found in PHP's gd extension. A script that could be forced to process WBMP images from an untrusted source could result in arbitrary code execution (CVE-2007-1001). A DoS flaw was found in how PHP processed a deeply nested array. A remote attacker could cause the PHP intrerpreter to creash by submitting an input variable with a deeply nested array (CVE-2007-1285). A vulnerability in the way the mbstring extension set global variables was discovered where a script using the mb_parse_str() function to set global variables could be forced to to enable the register_globals configuration option, possibly resulting in global variable injection (CVE-2007-1583). A vulnerability in how PHP's mail() function processed header data was discovered. If a script sent mail using a subject header containing a string from an untrusted source, a remote attacker could send bulk email to unintended recipients (CVE-2007-1718). A buffer overflow in the sqlite_decode_function() in the bundled sqlite library could allow context-dependent attackers to execute arbitrary code (CVE-2007-1887). Updated packages have been patched to correct these issues. Also note that the default use of the Hardened PHP patch helped to protect against some of these issues prior to patching.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 25113
    published 2007-04-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25113
    title Mandrake Linux Security Advisory : php (MDKSA-2007:089)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_APACHE2-MOD_PHP5-3289.NASL
    description This Update fixes numerous vulnerabilities in PHP. Most of them were made public during the 'Month of PHP Bugs'. The vulnerabilities potentially lead to crashes, information leaks or even execution of malicious code. CVE-2007-1380, CVE-2007-0988, CVE-2007-1375, CVE-2007-1454 CVE-2007-1453, CVE-2007-1521, CVE-2007-1522, CVE-2007-1376 CVE-2007-1583, CVE-2007-1460, CVE-2007-1461, CVE-2007-1484 CVE-2007-1700, CVE-2007-1717, CVE-2007-1718, CVE-2007-1001 CVE-2007-1824, CVE-2007-1889, CVE-2007-1900
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27150
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27150
    title openSUSE 10 Security Update : apache2-mod_php5 (apache2-mod_php5-3289)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-0155.NASL
    description Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A denial of service flaw was found in the way PHP processed a deeply nested array. A remote attacker could cause the PHP interpreter to crash by submitting an input variable with a deeply nested array. (CVE-2007-1285) A flaw was found in the way PHP's unserialize() function processed data. If a remote attacker was able to pass arbitrary data to PHP's unserialize() function, they could possibly execute arbitrary code as the apache user. (CVE-2007-1286) A flaw was found in the way the mbstring extension set global variables. A script which used the mb_parse_str() function to set global variables could be forced to enable the register_globals configuration option, possibly resulting in global variable injection. (CVE-2007-1583) A double free flaw was found in PHP's session_decode() function. If a remote attacker was able to pass arbitrary data to PHP's session_decode() function, they could possibly execute arbitrary code as the apache user. (CVE-2007-1711) A flaw was discovered in the way PHP's mail() function processed header data. If a script sent mail using a Subject header containing a string from an untrusted source, a remote attacker could send bulk e-mail to unintended recipients. (CVE-2007-1718) A heap based buffer overflow flaw was discovered in PHP's gd extension. A script that could be forced to process WBMP images from an untrusted source could result in arbitrary code execution. (CVE-2007-1001) A buffer over-read flaw was discovered in PHP's gd extension. A script that could be forced to write arbitrary string using a JIS font from an untrusted source could cause the PHP interpreter to crash. (CVE-2007-0455) Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25043
    published 2007-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25043
    title CentOS 3 / 4 : php (CESA-2007:0155)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-090.NASL
    description A heap-based buffer overflow vulnerability was found in PHP's gd extension. A script that could be forced to process WBMP images from an untrusted source could result in arbitrary code execution (CVE-2007-1001). A DoS flaw was found in how PHP processed a deeply nested array. A remote attacker could cause the PHP intrerpreter to creash by submitting an input variable with a deeply nested array (CVE-2007-1285). The internal filter module in PHP in certain instances did not properly strip HTML tags, which allowed a remote attacker conduct cross-site scripting (XSS) attacks (CVE-2007-1454). A vulnerability in the way the mbstring extension set global variables was discovered where a script using the mb_parse_str() function to set global variables could be forced to to enable the register_globals configuration option, possibly resulting in global variable injection (CVE-2007-1583). A vulnerability in how PHP's mail() function processed header data was discovered. If a script sent mail using a subject header containing a string from an untrusted source, a remote attacker could send bulk email to unintended recipients (CVE-2007-1718). Updated packages have been patched to correct these issues. Also note that the default use of Suhosin helped to protect against some of these issues prior to patching.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 37164
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=37164
    title Mandrake Linux Security Advisory : php (MDKSA-2007:090)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0155.NASL
    description Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A denial of service flaw was found in the way PHP processed a deeply nested array. A remote attacker could cause the PHP interpreter to crash by submitting an input variable with a deeply nested array. (CVE-2007-1285) A flaw was found in the way PHP's unserialize() function processed data. If a remote attacker was able to pass arbitrary data to PHP's unserialize() function, they could possibly execute arbitrary code as the apache user. (CVE-2007-1286) A flaw was found in the way the mbstring extension set global variables. A script which used the mb_parse_str() function to set global variables could be forced to enable the register_globals configuration option, possibly resulting in global variable injection. (CVE-2007-1583) A double free flaw was found in PHP's session_decode() function. If a remote attacker was able to pass arbitrary data to PHP's session_decode() function, they could possibly execute arbitrary code as the apache user. (CVE-2007-1711) A flaw was discovered in the way PHP's mail() function processed header data. If a script sent mail using a Subject header containing a string from an untrusted source, a remote attacker could send bulk e-mail to unintended recipients. (CVE-2007-1718) A heap based buffer overflow flaw was discovered in PHP's gd extension. A script that could be forced to process WBMP images from an untrusted source could result in arbitrary code execution. (CVE-2007-1001) A buffer over-read flaw was discovered in PHP's gd extension. A script that could be forced to write arbitrary string using a JIS font from an untrusted source could cause the PHP interpreter to crash. (CVE-2007-0455) Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 25068
    published 2007-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25068
    title RHEL 3 / 4 : php (RHSA-2007:0155)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200705-19.NASL
    description The remote host is affected by the vulnerability described in GLSA-200705-19 (PHP: Multiple vulnerabilities) Several vulnerabilities were found in PHP, most of them during the Month Of PHP Bugs (MOPB) by Stefan Esser. The most severe of these vulnerabilities are integer overflows in wbmp.c from the GD library (CVE-2007-1001) and in the substr_compare() PHP 5 function (CVE-2007-1375). Ilia Alshanetsky also reported a buffer overflow in the make_http_soap_request() and in the user_filter_factory_create() functions (CVE-2007-2510, CVE-2007-2511), and Stanislav Malyshev discovered another buffer overflow in the bundled XMLRPC library (CVE-2007-1864). Additionally, the session_regenerate_id() and the array_user_key_compare() functions contain a double-free vulnerability (CVE-2007-1484, CVE-2007-1521). Finally, there exist implementation errors in the Zend engine, in the mb_parse_str(), the unserialize() and the mail() functions and other elements. Impact : Remote attackers might be able to exploit these issues in PHP applications making use of the affected functions, potentially resulting in the execution of arbitrary code, Denial of Service, execution of scripted contents in the context of the affected site, security bypass or information leak. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 25340
    published 2007-05-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25340
    title GLSA-200705-19 : PHP: Multiple vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0153.NASL
    description Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A flaw was found in the way the mbstring extension set global variables. A script which used the mb_parse_str() function to set global variables could be forced to enable the register_globals configuration option, possibly resulting in global variable injection. (CVE-2007-1583) A heap based buffer overflow flaw was discovered in PHP's gd extension. A script that could be forced to process WBMP images from an untrusted source could result in arbitrary code execution. (CVE-2007-1001) A buffer over-read flaw was discovered in PHP's gd extension. A script that could be forced to write arbitrary string using a JIS font from an untrusted source could cause the PHP interpreter to crash. (CVE-2007-0455) A flaw was discovered in the way PHP's mail() function processed header data. If a script sent mail using a Subject header containing a string from an untrusted source, a remote attacker could send bulk e-mail to unintended recipients. (CVE-2007-1718) Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 25325
    published 2007-05-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25325
    title RHEL 5 : php (RHSA-2007:0153)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_APACHE2-MOD_PHP5-3290.NASL
    description This Update fixes numerous vulnerabilities in PHP. Most of them were made public during the 'Month of PHP Bugs'. The vulnerabilities potentially lead to crashes, information leaks or even execution of malicious code. CVE-2007-1380 / CVE-2007-0988 / CVE-2007-1375 / CVE-2007-1521 / CVE-2007-1376 / CVE-2007-1583 / CVE-2007-1461 / CVE-2007-1484 / CVE-2007-1700 / CVE-2007-1717 / CVE-2007-1718 / CVE-2007-1001 / CVE-2007-1824
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 29378
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29378
    title SuSE 10 Security Update : PHP5 (ZYPP Patch Number 3290)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-0153.NASL
    description Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A flaw was found in the way the mbstring extension set global variables. A script which used the mb_parse_str() function to set global variables could be forced to enable the register_globals configuration option, possibly resulting in global variable injection. (CVE-2007-1583) A heap based buffer overflow flaw was discovered in PHP's gd extension. A script that could be forced to process WBMP images from an untrusted source could result in arbitrary code execution. (CVE-2007-1001) A buffer over-read flaw was discovered in PHP's gd extension. A script that could be forced to write arbitrary string using a JIS font from an untrusted source could cause the PHP interpreter to crash. (CVE-2007-0455) A flaw was discovered in the way PHP's mail() function processed header data. If a script sent mail using a Subject header containing a string from an untrusted source, a remote attacker could send bulk e-mail to unintended recipients. (CVE-2007-1718) Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25095
    published 2007-04-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25095
    title CentOS 5 : php (CESA-2007:0153)
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL7859.NASL
    description The remote BIG-IP device is missing a patch required by a security advisory.
    last seen 2019-02-21
    modified 2019-01-04
    plugin id 78215
    published 2014-10-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78215
    title F5 Networks BIG-IP : Multiple PHP vulnerabilities (SOL7859)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-0155.NASL
    description From Red Hat Security Advisory 2007:0155 : Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A denial of service flaw was found in the way PHP processed a deeply nested array. A remote attacker could cause the PHP interpreter to crash by submitting an input variable with a deeply nested array. (CVE-2007-1285) A flaw was found in the way PHP's unserialize() function processed data. If a remote attacker was able to pass arbitrary data to PHP's unserialize() function, they could possibly execute arbitrary code as the apache user. (CVE-2007-1286) A flaw was found in the way the mbstring extension set global variables. A script which used the mb_parse_str() function to set global variables could be forced to enable the register_globals configuration option, possibly resulting in global variable injection. (CVE-2007-1583) A double free flaw was found in PHP's session_decode() function. If a remote attacker was able to pass arbitrary data to PHP's session_decode() function, they could possibly execute arbitrary code as the apache user. (CVE-2007-1711) A flaw was discovered in the way PHP's mail() function processed header data. If a script sent mail using a Subject header containing a string from an untrusted source, a remote attacker could send bulk e-mail to unintended recipients. (CVE-2007-1718) A heap based buffer overflow flaw was discovered in PHP's gd extension. A script that could be forced to process WBMP images from an untrusted source could result in arbitrary code execution. (CVE-2007-1001) A buffer over-read flaw was discovered in PHP's gd extension. A script that could be forced to write arbitrary string using a JIS font from an untrusted source could cause the PHP interpreter to crash. (CVE-2007-0455) Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67471
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67471
    title Oracle Linux 3 / 4 : php (ELSA-2007-0155)
oval via4
accepted 2013-04-29T04:02:49.319-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description Multiple integer overflows in the (1) createwbmp and (2) readwbmp functions in wbmp.c in the GD library (libgd) in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allow context-dependent attackers to execute arbitrary code via Wireless Bitmap (WBMP) images with large width or height values.
family unix
id oval:org.mitre.oval:def:10179
status accepted
submitted 2010-07-09T03:56:16-04:00
title Multiple integer overflows in the (1) createwbmp and (2) readwbmp functions in wbmp.c in the GD library (libgd) in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allow context-dependent attackers to execute arbitrary code via Wireless Bitmap (WBMP) images with large width or height values.
version 24
redhat via4
advisories
  • rhsa
    id RHSA-2007:0153
  • rhsa
    id RHSA-2007:0155
  • rhsa
    id RHSA-2007:0162
rpms
  • php-0:5.1.6-11.el5
  • php-bcmath-0:5.1.6-11.el5
  • php-cli-0:5.1.6-11.el5
  • php-common-0:5.1.6-11.el5
  • php-dba-0:5.1.6-11.el5
  • php-devel-0:5.1.6-11.el5
  • php-gd-0:5.1.6-11.el5
  • php-imap-0:5.1.6-11.el5
  • php-ldap-0:5.1.6-11.el5
  • php-mbstring-0:5.1.6-11.el5
  • php-mysql-0:5.1.6-11.el5
  • php-ncurses-0:5.1.6-11.el5
  • php-odbc-0:5.1.6-11.el5
  • php-pdo-0:5.1.6-11.el5
  • php-pgsql-0:5.1.6-11.el5
  • php-snmp-0:5.1.6-11.el5
  • php-soap-0:5.1.6-11.el5
  • php-xml-0:5.1.6-11.el5
  • php-xmlrpc-0:5.1.6-11.el5
  • php-0:4.3.2-40.ent
  • php-devel-0:4.3.2-40.ent
  • php-imap-0:4.3.2-40.ent
  • php-ldap-0:4.3.2-40.ent
  • php-mysql-0:4.3.2-40.ent
  • php-odbc-0:4.3.2-40.ent
  • php-pgsql-0:4.3.2-40.ent
  • php-0:4.3.9-3.22.4
  • php-devel-0:4.3.9-3.22.4
  • php-domxml-0:4.3.9-3.22.4
  • php-gd-0:4.3.9-3.22.4
  • php-imap-0:4.3.9-3.22.4
  • php-ldap-0:4.3.9-3.22.4
  • php-mbstring-0:4.3.9-3.22.4
  • php-mysql-0:4.3.9-3.22.4
  • php-ncurses-0:4.3.9-3.22.4
  • php-odbc-0:4.3.9-3.22.4
  • php-pear-0:4.3.9-3.22.4
  • php-pgsql-0:4.3.9-3.22.4
  • php-snmp-0:4.3.9-3.22.4
  • php-xmlrpc-0:4.3.9-3.22.4
refmap via4
apple APPLE-SA-2007-07-31
bid
  • 23357
  • 25159
bugtraq
  • 20070407 PHP <= 5.2.1 wbmp file handling integer overflow
  • 20070418 rPSA-2007-0073-1 php php-mysql php-pgsql
confirm
gentoo GLSA-200705-19
mandriva
  • MDKSA-2007:087
  • MDKSA-2007:088
  • MDKSA-2007:089
  • MDKSA-2007:090
misc
secunia
  • 24814
  • 24909
  • 24924
  • 24945
  • 24965
  • 25056
  • 25151
  • 25445
  • 26235
slackware SSA:2007-127
suse SUSE-SA:2007:032
vupen
  • ADV-2007-1269
  • ADV-2007-2732
xf php-gd-overflow(33453)
statements via4
contributor Mark J Cox
lastmodified 2008-02-14
organization Red Hat
statement This issue was fixed in php package updates for Red Hat Enterprise Linux and Red Hat Application Stack: http://rhn.redhat.com/cve/CVE-2007-1001.html This issue did not affect the versions of gd as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.
Last major update 08-09-2011 - 00:00
Published 05-04-2007 - 20:19
Last modified 30-10-2018 - 12:25
Back to Top