ID CVE-2008-1384
Summary Integer overflow in PHP 5.2.5 and earlier allows context-dependent attackers to cause a denial of service and possibly have unspecified other impact via a printf format parameter with a large width specifier, related to the php_sprintf_appendstring function in formatted_print.c and probably other functions for formatted strings (aka *printf functions).
References
Vulnerable Configurations
  • PHP 5.2.5
    cpe:2.3:a:php:php:5.2.5
CVSS
Base: 5.0 (as of 28-03-2008 - 11:26)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200811-05.NASL
    description The remote host is affected by the vulnerability described in GLSA-200811-05 (PHP: Multiple vulnerabilities) Several vulnerabilitites were found in PHP: PHP ships a vulnerable version of the PCRE library which allows for the circumvention of security restrictions or even for remote code execution in case of an application which accepts user-supplied regular expressions (CVE-2008-0674). Multiple crash issues in several PHP functions have been discovered. Ryan Permeh reported that the init_request_info() function in sapi/cgi/cgi_main.c does not properly consider operator precedence when calculating the length of PATH_TRANSLATED (CVE-2008-0599). An off-by-one error in the metaphone() function may lead to memory corruption. Maksymilian Arciemowicz of SecurityReason Research reported an integer overflow, which is triggerable using printf() and related functions (CVE-2008-1384). Andrei Nigmatulin reported a stack-based buffer overflow in the FastCGI SAPI, which has unknown attack vectors (CVE-2008-2050). Stefan Esser reported that PHP does not correctly handle multibyte characters inside the escapeshellcmd() function, which is used to sanitize user input before its usage in shell commands (CVE-2008-2051). Stefan Esser reported that a short-coming in PHP's algorithm of seeding the random number generator might allow for predictible random numbers (CVE-2008-2107, CVE-2008-2108). The IMAP extension in PHP uses obsolete c-client API calls making it vulnerable to buffer overflows as no bounds checking can be done (CVE-2008-2829). Tavis Ormandy reported a heap-based buffer overflow in pcre_compile.c in the PCRE version shipped by PHP when processing user-supplied regular expressions (CVE-2008-2371). CzechSec reported that specially crafted font files can lead to an overflow in the imageloadfont() function in ext/gd/gd.c, which is part of the GD extension (CVE-2008-3658). Maksymilian Arciemowicz of SecurityReason Research reported that a design error in PHP's stream wrappers allows to circumvent safe_mode checks in several filesystem-related PHP functions (CVE-2008-2665, CVE-2008-2666). Laurent Gaffie discovered a buffer overflow in the internal memnstr() function, which is used by the PHP function explode() (CVE-2008-3659). An error in the FastCGI SAPI when processing a request with multiple dots preceding the extension (CVE-2008-3660). Impact : These vulnerabilities might allow a remote attacker to execute arbitrary code, to cause a Denial of Service, to circumvent security restrictions, to disclose information, and to manipulate files. Workaround : There is no known workaround at this time.
    last seen 2019-01-16
    modified 2018-07-11
    plugin id 34787
    published 2008-11-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=34787
    title GLSA-200811-05 : PHP: Multiple vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_0_APACHE2-MOD_PHP5-080625.NASL
    description This update of php5 fixes : - possible stack-based buffer overflow CVE-2008-2050 - incomplete escapeshellcmd() CVE-2008-2051 - printf() integer overflow CVE-2008-1384 - insecure GENERATE_SEED macro CVE-2008-2107 - timezone update for DST in Pakistan
    last seen 2018-09-01
    modified 2016-12-21
    plugin id 39912
    published 2009-07-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=39912
    title openSUSE Security Update : apache2-mod_php5 (apache2-mod_php5-61)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1572.NASL
    description Several vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-3806 The glob function allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via an invalid value of the flags parameter. - CVE-2008-1384 Integer overflow allows context-dependent attackers to cause a denial of service and possibly have other impact via a printf format parameter with a large width specifier. - CVE-2008-2050 Stack-based buffer overflow in the FastCGI SAPI. - CVE-2008-2051 The escapeshellcmd API function could be attacked via incomplete multibyte chars.
    last seen 2019-01-16
    modified 2018-11-28
    plugin id 32306
    published 2008-05-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=32306
    title Debian DSA-1572-1 : php5 - several vulnerabilities
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2009-022.NASL
    description A vulnerability in PHP allowed context-dependent attackers to cause a denial of service (crash) via a certain long string in the glob() or fnmatch() functions (CVE-2007-4782). A vulnerability in the cURL library in PHP allowed context-dependent attackers to bypass safe_mode and open_basedir restrictions and read arbitrary files using a special URL request (CVE-2007-4850). An integer overflow in PHP allowed context-dependent attackers to cause a denial of serivce via a special printf() format parameter (CVE-2008-1384). A stack-based buffer overflow in the FastCGI SAPI in PHP has unknown impact and attack vectors (CVE-2008-2050). A buffer overflow in the imageloadfont() function in PHP allowed context-dependent attackers to cause a denial of service (crash) and potentially execute arbitrary code via a crafted font file (CVE-2008-3658). A buffer overflow in the memnstr() function allowed context-dependent attackers to cause a denial of service (crash) and potentially execute arbitrary code via the delimiter argument to the explode() function (CVE-2008-3659). PHP, when used as a FastCGI module, allowed remote attackers to cause a denial of service (crash) via a request with multiple dots preceding the extension (CVE-2008-3660). An array index error in the imageRotate() function in PHP allowed context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument to the function for an indexed image (CVE-2008-5498). The updated packages have been patched to correct these issues.
    last seen 2019-01-16
    modified 2018-07-19
    plugin id 36294
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=36294
    title Mandriva Linux Security Advisory : php (MDVSA-2009:022)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-628-1.NASL
    description It was discovered that PHP did not properly check the length of the string parameter to the fnmatch function. An attacker could cause a denial of service in the PHP interpreter if a script passed untrusted input to the fnmatch function. (CVE-2007-4782) Maksymilian Arciemowicz discovered a flaw in the cURL library that allowed safe_mode and open_basedir restrictions to be bypassed. If a PHP application were tricked into processing a bad file:// request, an attacker could read arbitrary files. (CVE-2007-4850) Rasmus Lerdorf discovered that the htmlentities and htmlspecialchars functions did not correctly stop when handling partial multibyte sequences. A remote attacker could exploit this to read certain areas of memory, possibly gaining access to sensitive information. This issue affects Ubuntu 8.04 LTS, and an updated fix is included for Ubuntu 6.06 LTS, 7.04 and 7.10. (CVE-2007-5898) It was discovered that the output_add_rewrite_var function would sometimes leak session id information to forms targeting remote URLs. Malicious remote sites could use this information to gain access to a PHP application user's login credentials. This issue only affects Ubuntu 8.04 LTS. (CVE-2007-5899) It was discovered that PHP did not properly calculate the length of PATH_TRANSLATED. If a PHP application were tricked into processing a malicious URI, and attacker may be able to execute arbitrary code with application privileges. (CVE-2008-0599) An integer overflow was discovered in the php_sprintf_appendstring function. Attackers could exploit this to cause a denial of service. (CVE-2008-1384) Andrei Nigmatulin discovered stack-based overflows in the FastCGI SAPI of PHP. An attacker may be able to leverage this issue to perform attacks against PHP applications. (CVE-2008-2050) It was discovered that the escapeshellcmd did not properly process multibyte characters. An attacker may be able to bypass quoting restrictions and possibly execute arbitrary code with application privileges. (CVE-2008-2051) It was discovered that the GENERATE_SEED macro produced a predictable seed under certain circumstances. Attackers may by able to easily predict the results of the rand and mt_rand functions. (CVE-2008-2107, CVE-2008-2108) Tavis Ormandy discovered that the PCRE library did not correctly handle certain in-pattern options. An attacker could cause PHP applications using pcre to crash, leading to a denial of service. USN-624-1 fixed vulnerabilities in the pcre3 library. This update provides the corresponding update for PHP. (CVE-2008-2371) It was discovered that php_imap used obsolete API calls. If a PHP application were tricked into processing a malicious IMAP request, an attacker could cause a denial of service or possibly execute code with application privileges. (CVE-2008-2829). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-11-28
    plugin id 33575
    published 2008-07-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33575
    title Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : php5 vulnerabilities (USN-628-1)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_F6377F0812A711DDBAB70016179B2DD5.NASL
    description CVE reports : Integer overflow in PHP 5.2.5 and earlier allows context-dependent attackers to cause a denial of service and possibly have unspecified other impact via a printf format parameter with a large width specifier, related to the php_sprintf_appendstring function in formatted_print.c and probably other functions for formatted strings (aka *printf functions).
    last seen 2019-01-16
    modified 2018-12-19
    plugin id 32128
    published 2008-05-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=32128
    title FreeBSD : php -- integer overflow vulnerability (f6377f08-12a7-11dd-bab7-0016179b2dd5)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_APACHE2-MOD_PHP5-5379.NASL
    description This update of php5 fixes : - possible stack-based buffer overflow CVE-2008-2050 - incomplete escapeshellcmd() CVE-2008-2051 - printf() integer overflow CVE-2008-1384 - insecure GENERATE_SEED macro CVE-2008-2107 - timezone update for DST in Pakistan
    last seen 2018-09-02
    modified 2016-12-22
    plugin id 33381
    published 2008-07-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33381
    title openSUSE 10 Security Update : apache2-mod_php5 (apache2-mod_php5-5379)
  • NASL family CGI abuses
    NASL id PHP_5_2_6.NASL
    description According to its banner, the version of PHP installed on the remote host is older than 5.2.6. Such versions may be affected by the following issues : - A stack-based buffer overflow in FastCGI SAPI. - An integer overflow in printf(). - An security issue arising from improper calculation of the length of PATH_TRANSLATED in cgi_main.c. - A safe_mode bypass in cURL. - Incomplete handling of multibyte chars inside escapeshellcmd(). - Issues in the bundled PCRE fixed by version 7.6.
    last seen 2019-01-16
    modified 2018-11-15
    plugin id 32123
    published 2008-05-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=32123
    title PHP < 5.2.6 Multiple Vulnerabilities
refmap via4
bid 28392
bugtraq
  • 20080321 {securityreason.com}PHP 5 *printf() - Integer Overflow
  • 20080523 rPSA-2008-0176-1 php php-cgi php-imap php-mcrypt php-mysql php-mysqli php-pgsql php-soap php-xsl php5 php5-cgi php5-imap php5-mcrypt php5-mysql php5-mysqli php5-pear php5-pgsql php5-soap php5-xsl
  • 20080527 rPSA-2008-0178-1 php php-mysql php-pgsql
confirm
debian DSA-1572
gentoo GLSA-200811-05
mandriva
  • MDVSA-2009:022
  • MDVSA-2009:023
secunia
  • 30158
  • 30345
  • 30411
  • 30967
  • 31200
  • 32746
sreasonres 20080320 PHP 5.2.5 and prior : *printf() functions Integer Overflow
suse SUSE-SR:2008:014
ubuntu USN-628-1
xf php-phpsprintfappendstring-overflow(41386)
statements via4
contributor Mark J Cox
lastmodified 2008-03-28
organization Red Hat
statement Red Hat do not consider this to be a security vulnerability: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-1384
Last major update 30-10-2012 - 22:54
Published 27-03-2008 - 13:44
Last modified 11-10-2018 - 16:33
Back to Top