ID CVE-2007-1887
Summary Buffer overflow in the sqlite_decode_binary function in the bundled sqlite library in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 allows context-dependent attackers to execute arbitrary code via an empty value of the in parameter, as demonstrated by calling the sqlite_udf_decode_binary function with a 0x01 character.
References
Vulnerable Configurations
  • PHP 4.0.0
    cpe:2.3:a:php:php:4.0
  • PHP PHP 4.0 Beta 1
    cpe:2.3:a:php:php:4.0:beta1
  • PHP PHP 4.0 Beta 2
    cpe:2.3:a:php:php:4.0:beta2
  • PHP PHP 4.0 Beta 3
    cpe:2.3:a:php:php:4.0:beta3
  • PHP PHP 4.0 Beta 4
    cpe:2.3:a:php:php:4.0:beta4
  • PHP PHP 4.0 Beta 4 Patch Level 1
    cpe:2.3:a:php:php:4.0:beta_4_patch1
  • cpe:2.3:a:php:php:4.0:rc1
    cpe:2.3:a:php:php:4.0:rc1
  • cpe:2.3:a:php:php:4.0:rc2
    cpe:2.3:a:php:php:4.0:rc2
  • PHP PHP 4.0.0
    cpe:2.3:a:php:php:4.0.0
  • PHP PHP 4.0.1
    cpe:2.3:a:php:php:4.0.1
  • cpe:2.3:a:php:php:4.0.1:patch1
    cpe:2.3:a:php:php:4.0.1:patch1
  • cpe:2.3:a:php:php:4.0.1:patch2
    cpe:2.3:a:php:php:4.0.1:patch2
  • PHP PHP 4.0.2
    cpe:2.3:a:php:php:4.0.2
  • PHP PHP 4.0.3
    cpe:2.3:a:php:php:4.0.3
  • cpe:2.3:a:php:php:4.0.3:patch1
    cpe:2.3:a:php:php:4.0.3:patch1
  • PHP PHP 4.0.4
    cpe:2.3:a:php:php:4.0.4
  • cpe:2.3:a:php:php:4.0.4:patch1
    cpe:2.3:a:php:php:4.0.4:patch1
  • PHP PHP 4.0.5
    cpe:2.3:a:php:php:4.0.5
  • PHP PHP 4.0.6
    cpe:2.3:a:php:php:4.0.6
  • PHP PHP 4.0.7
    cpe:2.3:a:php:php:4.0.7
  • cpe:2.3:a:php:php:4.0.7:rc1
    cpe:2.3:a:php:php:4.0.7:rc1
  • cpe:2.3:a:php:php:4.0.7:rc2
    cpe:2.3:a:php:php:4.0.7:rc2
  • cpe:2.3:a:php:php:4.0.7:rc3
    cpe:2.3:a:php:php:4.0.7:rc3
  • PHP PHP 4.1.0
    cpe:2.3:a:php:php:4.1.0
  • PHP PHP 4.1.1
    cpe:2.3:a:php:php:4.1.1
  • PHP PHP 4.1.2
    cpe:2.3:a:php:php:4.1.2
  • cpe:2.3:a:php:php:4.2:-:dev
    cpe:2.3:a:php:php:4.2:-:dev
  • PHP PHP 4.2.0
    cpe:2.3:a:php:php:4.2.0
  • PHP PHP 4.2.1
    cpe:2.3:a:php:php:4.2.1
  • PHP PHP 4.2.2
    cpe:2.3:a:php:php:4.2.2
  • PHP PHP 4.2.3
    cpe:2.3:a:php:php:4.2.3
  • PHP PHP 4.3.0
    cpe:2.3:a:php:php:4.3.0
  • PHP PHP 4.3.1
    cpe:2.3:a:php:php:4.3.1
  • PHP PHP 4.3.2
    cpe:2.3:a:php:php:4.3.2
  • PHP PHP 4.3.3
    cpe:2.3:a:php:php:4.3.3
  • PHP PHP 4.3.4
    cpe:2.3:a:php:php:4.3.4
  • PHP PHP 4.3.5
    cpe:2.3:a:php:php:4.3.5
  • PHP PHP 4.3.6
    cpe:2.3:a:php:php:4.3.6
  • PHP PHP 4.3.7
    cpe:2.3:a:php:php:4.3.7
  • PHP PHP 4.3.8
    cpe:2.3:a:php:php:4.3.8
  • PHP PHP 4.3.9
    cpe:2.3:a:php:php:4.3.9
  • PHP PHP 4.3.10
    cpe:2.3:a:php:php:4.3.10
  • PHP PHP 4.3.11
    cpe:2.3:a:php:php:4.3.11
  • PHP PHP 4.4.0
    cpe:2.3:a:php:php:4.4.0
  • PHP PHP 4.4.1
    cpe:2.3:a:php:php:4.4.1
  • PHP PHP 4.4.2
    cpe:2.3:a:php:php:4.4.2
  • PHP PHP 4.4.3
    cpe:2.3:a:php:php:4.4.3
  • PHP PHP 4.4.4
    cpe:2.3:a:php:php:4.4.4
  • cpe:2.3:a:php:php:5.0:rc1
    cpe:2.3:a:php:php:5.0:rc1
  • cpe:2.3:a:php:php:5.0:rc2
    cpe:2.3:a:php:php:5.0:rc2
  • cpe:2.3:a:php:php:5.0:rc3
    cpe:2.3:a:php:php:5.0:rc3
  • PHP PHP 5.0.0
    cpe:2.3:a:php:php:5.0.0
  • PHP PHP 5.0.0 Beta1
    cpe:2.3:a:php:php:5.0.0:beta1
  • PHP PHP 5.0.0 Beta2
    cpe:2.3:a:php:php:5.0.0:beta2
  • PHP PHP 5.0.0 Beta3
    cpe:2.3:a:php:php:5.0.0:beta3
  • PHP PHP 5.0.0 Beta4
    cpe:2.3:a:php:php:5.0.0:beta4
  • PHP PHP 5.0.0 RC1
    cpe:2.3:a:php:php:5.0.0:rc1
  • PHP PHP 5.0.0 RC2
    cpe:2.3:a:php:php:5.0.0:rc2
  • PHP PHP 5.0.0 RC3
    cpe:2.3:a:php:php:5.0.0:rc3
  • PHP PHP 5.0.1
    cpe:2.3:a:php:php:5.0.1
  • PHP PHP 5.0.2
    cpe:2.3:a:php:php:5.0.2
  • PHP PHP 5.0.3
    cpe:2.3:a:php:php:5.0.3
  • PHP PHP 5.0.4
    cpe:2.3:a:php:php:5.0.4
  • PHP PHP 5.0.5
    cpe:2.3:a:php:php:5.0.5
  • PHP PHP 5.1.0
    cpe:2.3:a:php:php:5.1.0
  • PHP PHP 5.1.1
    cpe:2.3:a:php:php:5.1.1
  • PHP PHP 5.1.2
    cpe:2.3:a:php:php:5.1.2
  • PHP PHP 5.1.3
    cpe:2.3:a:php:php:5.1.3
  • PHP 5.1.4
    cpe:2.3:a:php:php:5.1.4
  • PHP PHP 5.1.5
    cpe:2.3:a:php:php:5.1.5
  • PHP PHP 5.1.6
    cpe:2.3:a:php:php:5.1.6
  • PHP 5.2.0
    cpe:2.3:a:php:php:5.2.0
CVSS
Base: 7.5 (as of 10-04-2007 - 09:52)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-089.NASL
    description A heap-based buffer overflow vulnerability was found in PHP's gd extension. A script that could be forced to process WBMP images from an untrusted source could result in arbitrary code execution (CVE-2007-1001). A DoS flaw was found in how PHP processed a deeply nested array. A remote attacker could cause the PHP intrerpreter to creash by submitting an input variable with a deeply nested array (CVE-2007-1285). A vulnerability in the way the mbstring extension set global variables was discovered where a script using the mb_parse_str() function to set global variables could be forced to to enable the register_globals configuration option, possibly resulting in global variable injection (CVE-2007-1583). A vulnerability in how PHP's mail() function processed header data was discovered. If a script sent mail using a subject header containing a string from an untrusted source, a remote attacker could send bulk email to unintended recipients (CVE-2007-1718). A buffer overflow in the sqlite_decode_function() in the bundled sqlite library could allow context-dependent attackers to execute arbitrary code (CVE-2007-1887). Updated packages have been patched to correct these issues. Also note that the default use of the Hardened PHP patch helped to protect against some of these issues prior to patching.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 25113
    published 2007-04-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25113
    title Mandrake Linux Security Advisory : php (MDKSA-2007:089)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2007-2215.NASL
    description This update includes the latest release of PHP 5.2. A number of security issues have been fixed. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 27759
    published 2007-11-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27759
    title Fedora 7 : php-5.2.4-1.fc7 (2007-2215)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1283.NASL
    description Several remote vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-1286 Stefan Esser discovered an overflow in the object reference handling code of the unserialize() function, which allows the execution of arbitrary code if malformed input is passed from an application. - CVE-2007-1375 Stefan Esser discovered that an integer overflow in the substr_compare() function allows information disclosure of heap memory. - CVE-2007-1376 Stefan Esser discovered that insufficient validation of shared memory functions allows the disclosure of heap memory. - CVE-2007-1380 Stefan Esser discovered that the session handler performs insufficient validation of variable name length values, which allows information disclosure through a heap information leak. - CVE-2007-1453 Stefan Esser discovered that the filtering framework performs insufficient input validation, which allows the execution of arbitrary code through a buffer underflow. - CVE-2007-1454 Stefan Esser discovered that the filtering framework can be bypassed with a special whitespace character. - CVE-2007-1521 Stefan Esser discovered a double free vulnerability in the session_regenerate_id() function, which allows the execution of arbitrary code. - CVE-2007-1583 Stefan Esser discovered that a programming error in the mb_parse_str() function allows the activation of 'register_globals'. - CVE-2007-1700 Stefan Esser discovered that the session extension incorrectly maintains the reference count of session variables, which allows the execution of arbitrary code. - CVE-2007-1711 Stefan Esser discovered a double free vulnerability in the session management code, which allows the execution of arbitrary code. - CVE-2007-1718 Stefan Esser discovered that the mail() function performs insufficient validation of folded mail headers, which allows mail header injection. - CVE-2007-1777 Stefan Esser discovered that the extension to handle ZIP archives performs insufficient length checks, which allows the execution of arbitrary code. - CVE-2007-1824 Stefan Esser discovered an off-by-one error in the filtering framework, which allows the execution of arbitrary code. - CVE-2007-1887 Stefan Esser discovered that a buffer overflow in the sqlite extension allows the execution of arbitrary code. - CVE-2007-1889 Stefan Esser discovered that the PHP memory manager performs an incorrect type cast, which allows the execution of arbitrary code through buffer overflows. - CVE-2007-1900 Stefan Esser discovered that incorrect validation in the email filter extension allows the injection of mail headers. The oldstable distribution (sarge) doesn't include php5.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25100
    published 2007-04-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25100
    title Debian DSA-1283-1 : php5 - several vulnerabilities
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-455-1.NASL
    description Stefan Esser discovered multiple vulnerabilities in the 'Month of PHP bugs'. The substr_compare() function did not sufficiently verify its length argument. This might be exploited to read otherwise unaccessible memory, which might lead to information disclosure. (CVE-2007-1375) The shared memory (shmop) functions did not verify resource types, thus they could be called with a wrong resource type that might contain user-supplied data. This could be exploited to read and write arbitrary memory addresses of the PHP interpreter. This issue does not affect Ubuntu 7.04. (CVE-2007-1376) The php_binary handler of the session extension was missing a boundary check. When unserializing overly long variable names this could be exploited to read up to 126 bytes of memory, which might lead to information disclosure. (CVE-2007-1380) The internal array_user_key_compare() function, as used for example by the PHP function uksort(), incorrectly handled memory unreferencing of its arguments. This could have been exploited to execute arbitrary code with the privileges of the PHP interpreter, and thus circumventing any disable_functions, open_basedir, or safe_mode restrictions. (CVE-2007-1484) The session_regenerate_id() function did not properly clean up the former session identifier variable. This could be exploited to crash the PHP interpreter, possibly also remotely. (CVE-2007-1521) Under certain conditions the mb_parse_str() could cause the register_globals configuration option to become permanently enabled. This opened an attack vector for a large and common class of vulnerabilities. (CVE-2007-1583) The session extension did not set the correct reference count value for the session variables. By unsetting _SESSION and HTTP_SESSION_VARS (or tricking a PHP script into doing that) this could be exploited to execute arbitrary code with the privileges of the PHP interpreter. This issue does not affect Ubuntu 7.04. (CVE-2007-1700) The mail() function did not correctly escape control characters in multiline email headers. This could be remotely exploited to inject arbitrary email headers. (CVE-2007-1718) The php_stream_filter_create() function had an off-by-one buffer overflow in the handling of wildcards. This could be exploited to remotely crash the PHP interpreter. This issue does not affect Ubuntu 7.04. (CVE-2007-1824) When calling the sqlite_udf_decode_binary() with special arguments, a buffer overflow happened. Depending on the application this could be locally or remotely exploited to execute arbitrary code with the privileges of the PHP interpreter. (CVE-2007-1887 CVE-2007-1888) The FILTER_VALIDATE_EMAIL filter extension used a wrong regular expression that allowed injecting a newline character at the end of the email string. This could be exploited to inject arbitrary email headers. This issue only affects Ubuntu 7.04. (CVE-2007-1900). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28053
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28053
    title Ubuntu 6.06 LTS / 6.10 / 7.04 : php5 vulnerabilities (USN-455-1)
  • NASL family CGI abuses
    NASL id PHP_4_4_5.NASL
    description According to its banner, the version of PHP installed on the remote host is older than 4.4.5. Such versions may be affected by several issues, including buffer overflows, format string vulnerabilities, arbitrary code execution, 'safe_mode' and 'open_basedir' bypasses, and clobbering of super-globals.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 24906
    published 2007-04-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24906
    title PHP < 4.4.5 Multiple Vulnerabilities
  • NASL family CGI abuses
    NASL id PHP_5_2_1.NASL
    description According to its banner, the version of PHP installed on the remote host is older than 5.2.1. Such versions may be affected by several issues, including buffer overflows, format string vulnerabilities, arbitrary code execution, 'safe_mode' and 'open_basedir' bypasses, and clobbering of super-globals.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 24907
    published 2007-04-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24907
    title PHP < 5.2.1 Multiple Vulnerabilities
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200710-02.NASL
    description The remote host is affected by the vulnerability described in GLSA-200710-02 (PHP: Multiple vulnerabilities) Several vulnerabilities were found in PHP. Mattias Bengtsson and Philip Olausson reported integer overflows in the gdImageCreate() and gdImageCreateTrueColor() functions of the GD library which can cause heap-based buffer overflows (CVE-2007-3996). Gerhard Wagner discovered an integer overflow in the chunk_split() function that can lead to a heap-based buffer overflow (CVE-2007-2872). Its incomplete fix caused incorrect buffer size calculation due to precision loss, also resulting in a possible heap-based buffer overflow (CVE-2007-4661 and CVE-2007-4660). A buffer overflow in the sqlite_decode_binary() of the SQLite extension found by Stefan Esser that was addressed in PHP 5.2.1 was not fixed correctly (CVE-2007-1887). Stefan Esser discovered an error in the zend_alter_ini_entry() function handling a memory_limit violation (CVE-2007-4659). Stefan Esser also discovered a flaw when handling interruptions with userspace error handlers that can be exploited to read arbitrary heap memory (CVE-2007-1883). Disclosure of sensitive memory can also be triggered due to insufficient boundary checks in the strspn() and strcspn() functions, an issue discovered by Mattias Bengtsson and Philip Olausson (CVE-2007-4657) Stefan Esser reported incorrect validation in the FILTER_VALIDATE_EMAIL filter of the Filter extension allowing arbitrary email header injection (CVE-2007-1900). NOTE: This CVE was referenced, but not fixed in GLSA 200705-19. Stanislav Malyshev found an error with unknown impact in the money_format() function when processing '%i' and '%n' tokens (CVE-2007-4658). zatanzlatan reported a buffer overflow in the php_openssl_make_REQ() function with unknown impact when providing a manipulated SSL configuration file (CVE-2007-4662). Possible memory corruption when trying to read EXIF data in exif_read_data() and exif_thumbnail() occurred with unknown impact. Several vulnerabilities that allow bypassing of open_basedir and other restrictions were reported, including the glob() function (CVE-2007-4663), the session_save_path(), ini_set(), and error_log() functions which can allow local command execution (CVE-2007-3378), involving the readfile() function (CVE-2007-3007), via the Session extension (CVE-2007-4652), via the MySQL extension (CVE-2007-3997) and in the dl() function which allows loading extensions outside of the specified directory (CVE-2007-4825). Multiple Denial of Service vulnerabilities were discovered, including a long 'library' parameter in the dl() function (CVE-2007-4887), in several iconv and xmlrpc functions (CVE-2007-4840 and CVE-2007-4783), in the setlocale() function (CVE-2007-4784), in the glob() and fnmatch() function (CVE-2007-4782 and CVE-2007-3806), a floating point exception in the wordwrap() function (CVE-2007-3998), a stack exhaustion via deeply nested arrays (CVE-2007-4670), an infinite loop caused by a specially crafted PNG image in the png_read_info() function of libpng (CVE-2007-2756) and several issues related to array conversion. Impact : Remote attackers might be able to exploit these issues in PHP applications making use of the affected functions, potentially resulting in the execution of arbitrary code, Denial of Service, execution of scripted contents in the context of the affected site, security bypass or information leak. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 26942
    published 2007-10-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=26942
    title GLSA-200710-02 : PHP: Multiple vulnerabilities
oval via4
accepted 2015-04-20T04:02:25.271-04:00
class vulnerability
contributors
  • name Michael Wood
    organization Hewlett-Packard
  • name Sushant Kumar Singh
    organization Hewlett-Packard
  • name Sushant Kumar Singh
    organization Hewlett-Packard
  • name Prashant Kumar
    organization Hewlett-Packard
  • name Mike Cokus
    organization The MITRE Corporation
description Buffer overflow in the sqlite_decode_binary function in the bundled sqlite library in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 allows context-dependent attackers to execute arbitrary code via an empty value of the in parameter, as demonstrated by calling the sqlite_udf_decode_binary function with a 0x01 character.
family unix
id oval:org.mitre.oval:def:5348
status accepted
submitted 2008-10-30T17:10:24.000-04:00
title HP-UX running Apache, Remote Arbitrary Code Execution, Cross Site Scripting (XSS)
version 41
refmap via4
bid 23235
confirm
debian DSA-1283
fedora FEDORA-2007-2215
gentoo GLSA-200710-02
hp
  • HPSBUX02262
  • SSRT071447
mandriva
  • MDKSA-2007:088
  • MDKSA-2007:089
misc http://www.php-security.org/MOPB/MOPB-41-2007.html
secunia
  • 24909
  • 25057
  • 25062
  • 27037
  • 27102
  • 27110
ubuntu USN-455-1
vupen
  • ADV-2007-2016
  • ADV-2007-3386
xf php-sqlitedecodebinary-bo(33766)
statements via4
contributor Mark J Cox
lastmodified 2007-04-16
organization Red Hat
statement Not vulnerable. These issues did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or Red Hat Application Stack 1.
Last major update 05-11-2012 - 22:36
Published 05-04-2007 - 21:19
Last modified 30-10-2018 - 12:25
Back to Top