ID CVE-2007-1711
Summary Double free vulnerability in the unserializer in PHP 4.4.5 and 4.4.6 allows context-dependent attackers to execute arbitrary code by overwriting variables pointing to (1) the GLOBALS array or (2) the session data in _SESSION. NOTE: this issue was introduced when attempting to patch CVE-2007-1701 (MOPB-31-2007).
References
Vulnerable Configurations
  • PHP 4.4.5 -
    cpe:2.3:a:php:php:4.4.5
  • PHP 4.4.6 -
    cpe:2.3:a:php:php:4.4.6
CVSS
Base: 6.8 (as of 28-03-2007 - 21:58)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
exploit-db via4
description PHP 4.4.5 / 4.4.6 session_decode() Double Free Exploit PoC. CVE-2007-1711. Dos exploit for linux platform
id EDB-ID:3586
last seen 2016-01-31
modified 2007-03-27
published 2007-03-27
reporter Stefan Esser
source https://www.exploit-db.com/download/3586/
title PHP 4.4.5 / 4.4.6 session_decode Double Free Exploit PoC
nessus via4
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2007-007.NASL
    description The remote host is running a version of Mac OS X 10.4 or 10.3 which does not have the security update 2007-007 applied. This update contains several security fixes for the following programs : - bzip2 - CFNetwork - CoreAudio - cscope - gnuzip - iChat - Kerberos - mDNSResponder - PDFKit - PHP - Quartz Composer - Samba - SquirrelMail - Tomcat - WebCore - WebKit
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 25830
    published 2007-08-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25830
    title Mac OS X Multiple Vulnerabilities (Security Update 2007-007)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1282.NASL
    description Several remote vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-1286 Stefan Esser discovered an overflow in the object reference handling code of the unserialize() function, which allows the execution of arbitrary code if malformed input is passed from an application. - CVE-2007-1380 Stefan Esser discovered that the session handler performs insufficient validation of variable name length values, which allows information disclosure through a heap information leak. - CVE-2007-1521 Stefan Esser discovered a double free vulnerability in the session_regenerate_id() function, which allows the execution of arbitrary code. - CVE-2007-1711 Stefan Esser discovered a double free vulnerability in the session management code, which allows the execution of arbitrary code. - CVE-2007-1718 Stefan Esser discovered that the mail() function performs insufficient validation of folded mail headers, which allows mail header injection. - CVE-2007-1777 Stefan Esser discovered that the extension to handle ZIP archives performs insufficient length checks, which allows the execution of arbitrary code.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25099
    published 2007-04-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25099
    title Debian DSA-1282-1 : php4 - several vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1283.NASL
    description Several remote vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-1286 Stefan Esser discovered an overflow in the object reference handling code of the unserialize() function, which allows the execution of arbitrary code if malformed input is passed from an application. - CVE-2007-1375 Stefan Esser discovered that an integer overflow in the substr_compare() function allows information disclosure of heap memory. - CVE-2007-1376 Stefan Esser discovered that insufficient validation of shared memory functions allows the disclosure of heap memory. - CVE-2007-1380 Stefan Esser discovered that the session handler performs insufficient validation of variable name length values, which allows information disclosure through a heap information leak. - CVE-2007-1453 Stefan Esser discovered that the filtering framework performs insufficient input validation, which allows the execution of arbitrary code through a buffer underflow. - CVE-2007-1454 Stefan Esser discovered that the filtering framework can be bypassed with a special whitespace character. - CVE-2007-1521 Stefan Esser discovered a double free vulnerability in the session_regenerate_id() function, which allows the execution of arbitrary code. - CVE-2007-1583 Stefan Esser discovered that a programming error in the mb_parse_str() function allows the activation of 'register_globals'. - CVE-2007-1700 Stefan Esser discovered that the session extension incorrectly maintains the reference count of session variables, which allows the execution of arbitrary code. - CVE-2007-1711 Stefan Esser discovered a double free vulnerability in the session management code, which allows the execution of arbitrary code. - CVE-2007-1718 Stefan Esser discovered that the mail() function performs insufficient validation of folded mail headers, which allows mail header injection. - CVE-2007-1777 Stefan Esser discovered that the extension to handle ZIP archives performs insufficient length checks, which allows the execution of arbitrary code. - CVE-2007-1824 Stefan Esser discovered an off-by-one error in the filtering framework, which allows the execution of arbitrary code. - CVE-2007-1887 Stefan Esser discovered that a buffer overflow in the sqlite extension allows the execution of arbitrary code. - CVE-2007-1889 Stefan Esser discovered that the PHP memory manager performs an incorrect type cast, which allows the execution of arbitrary code through buffer overflows. - CVE-2007-1900 Stefan Esser discovered that incorrect validation in the email filter extension allows the injection of mail headers. The oldstable distribution (sarge) doesn't include php5.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25100
    published 2007-04-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25100
    title Debian DSA-1283-1 : php5 - several vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0154.NASL
    description Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A denial of service flaw was found in the way PHP processed a deeply nested array. A remote attacker could cause the PHP interpreter to crash by submitting an input variable with a deeply nested array. (CVE-2007-1285) A flaw was found in the way PHP's unserialize() function processes data. If a remote attacker is able to pass arbitrary data to PHP's unserialize() function, it may be possible for them to execute arbitrary code as the apache user. (CVE-2007-1286) A double free flaw was found in PHP's session_decode() function. If a remote attacker is able to pass arbitrary data to PHP's session_decode() function, it may be possible for them to execute arbitrary code as the apache user. (CVE-2007-1711) Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 25067
    published 2007-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25067
    title RHEL 2.1 : php (RHSA-2007:0154)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-0155.NASL
    description Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A denial of service flaw was found in the way PHP processed a deeply nested array. A remote attacker could cause the PHP interpreter to crash by submitting an input variable with a deeply nested array. (CVE-2007-1285) A flaw was found in the way PHP's unserialize() function processed data. If a remote attacker was able to pass arbitrary data to PHP's unserialize() function, they could possibly execute arbitrary code as the apache user. (CVE-2007-1286) A flaw was found in the way the mbstring extension set global variables. A script which used the mb_parse_str() function to set global variables could be forced to enable the register_globals configuration option, possibly resulting in global variable injection. (CVE-2007-1583) A double free flaw was found in PHP's session_decode() function. If a remote attacker was able to pass arbitrary data to PHP's session_decode() function, they could possibly execute arbitrary code as the apache user. (CVE-2007-1711) A flaw was discovered in the way PHP's mail() function processed header data. If a script sent mail using a Subject header containing a string from an untrusted source, a remote attacker could send bulk e-mail to unintended recipients. (CVE-2007-1718) A heap based buffer overflow flaw was discovered in PHP's gd extension. A script that could be forced to process WBMP images from an untrusted source could result in arbitrary code execution. (CVE-2007-1001) A buffer over-read flaw was discovered in PHP's gd extension. A script that could be forced to write arbitrary string using a JIS font from an untrusted source could cause the PHP interpreter to crash. (CVE-2007-0455) Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25043
    published 2007-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25043
    title CentOS 3 / 4 : php (CESA-2007:0155)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0155.NASL
    description Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A denial of service flaw was found in the way PHP processed a deeply nested array. A remote attacker could cause the PHP interpreter to crash by submitting an input variable with a deeply nested array. (CVE-2007-1285) A flaw was found in the way PHP's unserialize() function processed data. If a remote attacker was able to pass arbitrary data to PHP's unserialize() function, they could possibly execute arbitrary code as the apache user. (CVE-2007-1286) A flaw was found in the way the mbstring extension set global variables. A script which used the mb_parse_str() function to set global variables could be forced to enable the register_globals configuration option, possibly resulting in global variable injection. (CVE-2007-1583) A double free flaw was found in PHP's session_decode() function. If a remote attacker was able to pass arbitrary data to PHP's session_decode() function, they could possibly execute arbitrary code as the apache user. (CVE-2007-1711) A flaw was discovered in the way PHP's mail() function processed header data. If a script sent mail using a Subject header containing a string from an untrusted source, a remote attacker could send bulk e-mail to unintended recipients. (CVE-2007-1718) A heap based buffer overflow flaw was discovered in PHP's gd extension. A script that could be forced to process WBMP images from an untrusted source could result in arbitrary code execution. (CVE-2007-1001) A buffer over-read flaw was discovered in PHP's gd extension. A script that could be forced to write arbitrary string using a JIS font from an untrusted source could cause the PHP interpreter to crash. (CVE-2007-0455) Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 25068
    published 2007-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25068
    title RHEL 3 / 4 : php (RHSA-2007:0155)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200705-19.NASL
    description The remote host is affected by the vulnerability described in GLSA-200705-19 (PHP: Multiple vulnerabilities) Several vulnerabilities were found in PHP, most of them during the Month Of PHP Bugs (MOPB) by Stefan Esser. The most severe of these vulnerabilities are integer overflows in wbmp.c from the GD library (CVE-2007-1001) and in the substr_compare() PHP 5 function (CVE-2007-1375). Ilia Alshanetsky also reported a buffer overflow in the make_http_soap_request() and in the user_filter_factory_create() functions (CVE-2007-2510, CVE-2007-2511), and Stanislav Malyshev discovered another buffer overflow in the bundled XMLRPC library (CVE-2007-1864). Additionally, the session_regenerate_id() and the array_user_key_compare() functions contain a double-free vulnerability (CVE-2007-1484, CVE-2007-1521). Finally, there exist implementation errors in the Zend engine, in the mb_parse_str(), the unserialize() and the mail() functions and other elements. Impact : Remote attackers might be able to exploit these issues in PHP applications making use of the affected functions, potentially resulting in the execution of arbitrary code, Denial of Service, execution of scripted contents in the context of the affected site, security bypass or information leak. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 25340
    published 2007-05-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25340
    title GLSA-200705-19 : PHP: Multiple vulnerabilities
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL7859.NASL
    description The remote BIG-IP device is missing a patch required by a security advisory.
    last seen 2019-02-21
    modified 2019-01-04
    plugin id 78215
    published 2014-10-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78215
    title F5 Networks BIG-IP : Multiple PHP vulnerabilities (SOL7859)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-0155.NASL
    description From Red Hat Security Advisory 2007:0155 : Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A denial of service flaw was found in the way PHP processed a deeply nested array. A remote attacker could cause the PHP interpreter to crash by submitting an input variable with a deeply nested array. (CVE-2007-1285) A flaw was found in the way PHP's unserialize() function processed data. If a remote attacker was able to pass arbitrary data to PHP's unserialize() function, they could possibly execute arbitrary code as the apache user. (CVE-2007-1286) A flaw was found in the way the mbstring extension set global variables. A script which used the mb_parse_str() function to set global variables could be forced to enable the register_globals configuration option, possibly resulting in global variable injection. (CVE-2007-1583) A double free flaw was found in PHP's session_decode() function. If a remote attacker was able to pass arbitrary data to PHP's session_decode() function, they could possibly execute arbitrary code as the apache user. (CVE-2007-1711) A flaw was discovered in the way PHP's mail() function processed header data. If a script sent mail using a Subject header containing a string from an untrusted source, a remote attacker could send bulk e-mail to unintended recipients. (CVE-2007-1718) A heap based buffer overflow flaw was discovered in PHP's gd extension. A script that could be forced to process WBMP images from an untrusted source could result in arbitrary code execution. (CVE-2007-1001) A buffer over-read flaw was discovered in PHP's gd extension. A script that could be forced to write arbitrary string using a JIS font from an untrusted source could cause the PHP interpreter to crash. (CVE-2007-0455) Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67471
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67471
    title Oracle Linux 3 / 4 : php (ELSA-2007-0155)
oval via4
accepted 2013-04-29T04:05:23.562-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description Double free vulnerability in the unserializer in PHP 4.4.5 and 4.4.6 allows context-dependent attackers to execute arbitrary code by overwriting variables pointing to (1) the GLOBALS array or (2) the session data in _SESSION. NOTE: this issue was introduced when attempting to patch CVE-2007-1701 (MOPB-31-2007).
family unix
id oval:org.mitre.oval:def:10406
status accepted
submitted 2010-07-09T03:56:16-04:00
title Double free vulnerability in the unserializer in PHP 4.4.5 and 4.4.6 allows context-dependent attackers to execute arbitrary code by overwriting variables pointing to (1) the GLOBALS array or (2) the session data in _SESSION. NOTE: this issue was introduced when attempting to patch CVE-2007-1701 (MOPB-31-2007).
version 23
redhat via4
advisories
  • rhsa
    id RHSA-2007:0154
  • rhsa
    id RHSA-2007:0155
  • rhsa
    id RHSA-2007:0163
rpms
  • php-0:4.3.2-40.ent
  • php-devel-0:4.3.2-40.ent
  • php-imap-0:4.3.2-40.ent
  • php-ldap-0:4.3.2-40.ent
  • php-mysql-0:4.3.2-40.ent
  • php-odbc-0:4.3.2-40.ent
  • php-pgsql-0:4.3.2-40.ent
  • php-0:4.3.9-3.22.4
  • php-devel-0:4.3.9-3.22.4
  • php-domxml-0:4.3.9-3.22.4
  • php-gd-0:4.3.9-3.22.4
  • php-imap-0:4.3.9-3.22.4
  • php-ldap-0:4.3.9-3.22.4
  • php-mbstring-0:4.3.9-3.22.4
  • php-mysql-0:4.3.9-3.22.4
  • php-ncurses-0:4.3.9-3.22.4
  • php-odbc-0:4.3.9-3.22.4
  • php-pear-0:4.3.9-3.22.4
  • php-pgsql-0:4.3.9-3.22.4
  • php-snmp-0:4.3.9-3.22.4
  • php-xmlrpc-0:4.3.9-3.22.4
refmap via4
apple APPLE-SA-2007-07-31
bid
  • 23121
  • 25159
bugtraq 20070418 rPSA-2007-0073-1 php php-mysql php-pgsql
confirm
debian
  • DSA-1282
  • DSA-1283
gentoo GLSA-200705-19
mandriva
  • MDKSA-2007:087
  • MDKSA-2007:088
misc http://www.php-security.org/MOPB/MOPB-32-2007.html
secunia
  • 24910
  • 24924
  • 24941
  • 24945
  • 25025
  • 25062
  • 25445
  • 26235
vupen ADV-2007-2732
xf php-deserializer-code-execution(33575)
Last major update 05-11-2012 - 22:35
Published 26-03-2007 - 21:19
Last modified 16-10-2018 - 12:40
Back to Top