ID CVE-2008-2107
Summary The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 32-bit systems, performs a multiplication using values that can produce a zero seed in rare circumstances, which allows context-dependent attackers to predict subsequent values of the rand and mt_rand functions and possibly bypass protection mechanisms that rely on an unknown initial seed.
References
Vulnerable Configurations
  • PHP 4.4.7 -
    cpe:2.3:a:php:php:4.4.7
  • cpe:2.3:a:php:php:5
    cpe:2.3:a:php:php:5
  • PHP PHP 5.0.0 Beta1
    cpe:2.3:a:php:php:5.0.0:beta1
  • PHP PHP 5.0.0 Beta2
    cpe:2.3:a:php:php:5.0.0:beta2
  • PHP PHP 5.0.0 Beta3
    cpe:2.3:a:php:php:5.0.0:beta3
  • PHP PHP 5.0.0 RC1
    cpe:2.3:a:php:php:5.0.0:rc1
  • PHP PHP 5.0.0 RC2
    cpe:2.3:a:php:php:5.0.0:rc2
  • PHP PHP 5.0.0 RC3
    cpe:2.3:a:php:php:5.0.0:rc3
  • PHP 5.0.1 -
    cpe:2.3:a:php:php:5.0.1
  • PHP 5.0.2 -
    cpe:2.3:a:php:php:5.0.2
  • PHP 5.0.3 -
    cpe:2.3:a:php:php:5.0.3
  • PHP 5.0.4 -
    cpe:2.3:a:php:php:5.0.4
  • PHP 5.0.5 -
    cpe:2.3:a:php:php:5.0.5
  • PHP 5.1.0 -
    cpe:2.3:a:php:php:5.1.0
  • PHP PHP 5.1.1
    cpe:2.3:a:php:php:5.1.1
  • PHP 5.1.2 -
    cpe:2.3:a:php:php:5.1.2
  • PHP PHP 5.1.3
    cpe:2.3:a:php:php:5.1.3
  • PHP 5.1.4
    cpe:2.3:a:php:php:5.1.4
  • PHP 5.1.5 -
    cpe:2.3:a:php:php:5.1.5
  • PHP PHP 5.1.6
    cpe:2.3:a:php:php:5.1.6
  • PHP 5.2.0
    cpe:2.3:a:php:php:5.2.0
  • PHP 5.2.1 -
    cpe:2.3:a:php:php:5.2.1
  • PHP 5.2.2 -
    cpe:2.3:a:php:php:5.2.2
  • PHP 5.2.3 -
    cpe:2.3:a:php:php:5.2.3
  • PHP 5.2.4 -
    cpe:2.3:a:php:php:5.2.4
CVSS
Base: 7.5 (as of 08-05-2008 - 10:05)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2008-0544.NASL
    description From Red Hat Security Advisory 2008:0544 : Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. It was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051) PHP functions htmlentities() and htmlspecialchars() did not properly recognize partial multi-byte sequences. Certain sequences of bytes could be passed through these functions without being correctly HTML-escaped. Depending on the browser being used, an attacker could use this flaw to conduct cross-site scripting attacks. (CVE-2007-5898) A PHP script which used the transparent session ID configuration option, or which used the output_add_rewrite_var() function, could leak session identifiers to external websites. If a page included an HTML form with an ACTION attribute referencing a non-local URL, the user's session ID would be included in the form data passed to that URL. (CVE-2007-5899) It was discovered that PHP fnmatch() function did not restrict the length of the string argument. An attacker could use this flaw to crash the PHP interpreter where a script used fnmatch() on untrusted input data. (CVE-2007-4782) It was discovered that PHP did not properly seed its pseudo-random number generator used by functions such as rand() and mt_rand(), possibly allowing an attacker to easily predict the generated pseudo-random values. (CVE-2008-2107, CVE-2008-2108) Users of PHP should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2016-12-07
    plugin id 67711
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67711
    title Oracle Linux 3 / 5 : php (ELSA-2008-0544)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2008-0545.NASL
    description From Red Hat Security Advisory 2008:0545 : Updated php packages that fix several security issues and a bug are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. It was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051) The PHP functions htmlentities() and htmlspecialchars() did not properly recognize partial multi-byte sequences. Certain sequences of bytes could be passed through these functions without being correctly HTML-escaped. Depending on the browser being used, an attacker could use this flaw to conduct cross-site scripting attacks. (CVE-2007-5898) A PHP script which used the transparent session ID configuration option, or which used the output_add_rewrite_var() function, could leak session identifiers to external websites. If a page included an HTML form with an ACTION attribute referencing a non-local URL, the user's session ID would be included in the form data passed to that URL. (CVE-2007-5899) It was discovered that the PHP fnmatch() function did not restrict the length of the string argument. An attacker could use this flaw to crash the PHP interpreter where a script used fnmatch() on untrusted input data. (CVE-2007-4782) It was discovered that PHP did not properly seed its pseudo-random number generator used by functions such as rand() and mt_rand(), possibly allowing an attacker to easily predict the generated pseudo-random values. (CVE-2008-2107, CVE-2008-2108) As well, these updated packages fix the following bug : * after 2008-01-01, when using PEAR version 1.3.6 or older, it was not possible to use the PHP Extension and Application Repository (PEAR) to upgrade or install packages. In these updated packages, PEAR has been upgraded to version 1.4.9, which restores support for the current pear.php.net update server. The following changes were made to the PEAR packages included in php-pear: Console_Getopt and Archive_Tar are now included by default, and XML_RPC has been upgraded to version 1.5.0. All php users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.
    last seen 2019-02-21
    modified 2016-12-07
    plugin id 67712
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67712
    title Oracle Linux 4 : php (ELSA-2008-0545)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_APACHE2-MOD_PHP5-5379.NASL
    description This update of php5 fixes : - possible stack-based buffer overflow CVE-2008-2050 - incomplete escapeshellcmd() CVE-2008-2051 - printf() integer overflow CVE-2008-1384 - insecure GENERATE_SEED macro CVE-2008-2107 - timezone update for DST in Pakistan
    last seen 2018-09-02
    modified 2016-12-22
    plugin id 33381
    published 2008-07-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33381
    title openSUSE 10 Security Update : apache2-mod_php5 (apache2-mod_php5-5379)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2008-0545.NASL
    description Updated php packages that fix several security issues and a bug are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. It was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051) The PHP functions htmlentities() and htmlspecialchars() did not properly recognize partial multi-byte sequences. Certain sequences of bytes could be passed through these functions without being correctly HTML-escaped. Depending on the browser being used, an attacker could use this flaw to conduct cross-site scripting attacks. (CVE-2007-5898) A PHP script which used the transparent session ID configuration option, or which used the output_add_rewrite_var() function, could leak session identifiers to external websites. If a page included an HTML form with an ACTION attribute referencing a non-local URL, the user's session ID would be included in the form data passed to that URL. (CVE-2007-5899) It was discovered that the PHP fnmatch() function did not restrict the length of the string argument. An attacker could use this flaw to crash the PHP interpreter where a script used fnmatch() on untrusted input data. (CVE-2007-4782) It was discovered that PHP did not properly seed its pseudo-random number generator used by functions such as rand() and mt_rand(), possibly allowing an attacker to easily predict the generated pseudo-random values. (CVE-2008-2107, CVE-2008-2108) As well, these updated packages fix the following bug : * after 2008-01-01, when using PEAR version 1.3.6 or older, it was not possible to use the PHP Extension and Application Repository (PEAR) to upgrade or install packages. In these updated packages, PEAR has been upgraded to version 1.4.9, which restores support for the current pear.php.net update server. The following changes were made to the PEAR packages included in php-pear: Console_Getopt and Archive_Tar are now included by default, and XML_RPC has been upgraded to version 1.5.0. All php users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 43693
    published 2010-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43693
    title CentOS 4 : php (CESA-2008:0545)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2008-3606.NASL
    description This release updates PHP to the latest upstream version 5.2.6, fixing multiple bugs and security issues. See upstream release notes for further details: http://www.php.net/releases/5_2_6.php It was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051) It was discovered that a PHP script using the transparent session ID configuration option, or using the output_add_rewrite_var() function, could leak session identifiers to external websites. If a page included an HTML form which is posted to a third-party website, the user's session ID would be included in the form data and passed to that website. (CVE-2007-5899) It was discovered that PHP did not properly seed its pseudo-random number generator used by functions such as rand() and mt_rand(), possibly allowing an attacker to easily predict the generated pseudo-random values. (CVE-2008-2107, CVE-2008-2108) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 33231
    published 2008-06-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33231
    title Fedora 9 : php-5.2.6-2.fc9 (2008-3606)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20080716_PHP_ON_SL5_X.NASL
    description It was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051) PHP functions htmlentities() and htmlspecialchars() did not properly recognize partial multi-byte sequences. Certain sequences of bytes could be passed through these functions without being correctly HTML-escaped. Depending on the browser being used, an attacker could use this flaw to conduct cross-site scripting attacks. (CVE-2007-5898) A PHP script which used the transparent session ID configuration option, or which used the output_add_rewrite_var() function, could leak session identifiers to external websites. If a page included an HTML form with an ACTION attribute referencing a non-local URL, the user's session ID would be included in the form data passed to that URL. (CVE-2007-5899) It was discovered that PHP fnmatch() function did not restrict the length of the string argument. An attacker could use this flaw to crash the PHP interpreter where a script used fnmatch() on untrusted input data. (CVE-2007-4782) It was discovered that PHP did not properly seed its pseudo-random number generator used by functions such as rand() and mt_rand(), possibly allowing an attacker to easily predict the generated pseudo-random values. (CVE-2008-2107, CVE-2008-2108)
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60445
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60445
    title Scientific Linux Security Update : php on SL5.x i386/x86_64
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-628-1.NASL
    description It was discovered that PHP did not properly check the length of the string parameter to the fnmatch function. An attacker could cause a denial of service in the PHP interpreter if a script passed untrusted input to the fnmatch function. (CVE-2007-4782) Maksymilian Arciemowicz discovered a flaw in the cURL library that allowed safe_mode and open_basedir restrictions to be bypassed. If a PHP application were tricked into processing a bad file:// request, an attacker could read arbitrary files. (CVE-2007-4850) Rasmus Lerdorf discovered that the htmlentities and htmlspecialchars functions did not correctly stop when handling partial multibyte sequences. A remote attacker could exploit this to read certain areas of memory, possibly gaining access to sensitive information. This issue affects Ubuntu 8.04 LTS, and an updated fix is included for Ubuntu 6.06 LTS, 7.04 and 7.10. (CVE-2007-5898) It was discovered that the output_add_rewrite_var function would sometimes leak session id information to forms targeting remote URLs. Malicious remote sites could use this information to gain access to a PHP application user's login credentials. This issue only affects Ubuntu 8.04 LTS. (CVE-2007-5899) It was discovered that PHP did not properly calculate the length of PATH_TRANSLATED. If a PHP application were tricked into processing a malicious URI, and attacker may be able to execute arbitrary code with application privileges. (CVE-2008-0599) An integer overflow was discovered in the php_sprintf_appendstring function. Attackers could exploit this to cause a denial of service. (CVE-2008-1384) Andrei Nigmatulin discovered stack-based overflows in the FastCGI SAPI of PHP. An attacker may be able to leverage this issue to perform attacks against PHP applications. (CVE-2008-2050) It was discovered that the escapeshellcmd did not properly process multibyte characters. An attacker may be able to bypass quoting restrictions and possibly execute arbitrary code with application privileges. (CVE-2008-2051) It was discovered that the GENERATE_SEED macro produced a predictable seed under certain circumstances. Attackers may by able to easily predict the results of the rand and mt_rand functions. (CVE-2008-2107, CVE-2008-2108) Tavis Ormandy discovered that the PCRE library did not correctly handle certain in-pattern options. An attacker could cause PHP applications using pcre to crash, leading to a denial of service. USN-624-1 fixed vulnerabilities in the pcre3 library. This update provides the corresponding update for PHP. (CVE-2008-2371) It was discovered that php_imap used obsolete API calls. If a PHP application were tricked into processing a malicious IMAP request, an attacker could cause a denial of service or possibly execute code with application privileges. (CVE-2008-2829). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 33575
    published 2008-07-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33575
    title Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : php5 vulnerabilities (USN-628-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_0_APACHE2-MOD_PHP5-080625.NASL
    description This update of php5 fixes : - possible stack-based buffer overflow CVE-2008-2050 - incomplete escapeshellcmd() CVE-2008-2051 - printf() integer overflow CVE-2008-1384 - insecure GENERATE_SEED macro CVE-2008-2107 - timezone update for DST in Pakistan
    last seen 2018-09-01
    modified 2016-12-21
    plugin id 39912
    published 2009-07-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=39912
    title openSUSE Security Update : apache2-mod_php5 (apache2-mod_php5-61)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2008-128.NASL
    description A number of vulnerabilities have been found and corrected in PHP : php-cgi in PHP prior to 5.2.6 does not properly calculate the length of PATH_TRANSLATED, which has unknown impact and attack vectors (CVE-2008-0599). The escapeshellcmd() API function in PHP prior to 5.2.6 has unknown impact and context-dependent attack vectors related to incomplete multibyte characters (CVE-2008-2051). Weaknesses in the GENERATE_SEED macro in PHP prior to 4.4.8 and 5.2.5 were discovered that could produce a zero seed in rare circumstances on 32bit systems and generations a portion of zero bits during conversion due to insufficient precision on 64bit systems (CVE-2008-2107, CVE-2008-2108). The IMAP module in PHP uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) via a long IMAP request (CVE-2008-2829). In addition, the updated packages provide a number of bug fixes. The updated packages have been patched to correct these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 36486
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=36486
    title Mandriva Linux Security Advisory : php (MDVSA-2008:128)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200811-05.NASL
    description The remote host is affected by the vulnerability described in GLSA-200811-05 (PHP: Multiple vulnerabilities) Several vulnerabilitites were found in PHP: PHP ships a vulnerable version of the PCRE library which allows for the circumvention of security restrictions or even for remote code execution in case of an application which accepts user-supplied regular expressions (CVE-2008-0674). Multiple crash issues in several PHP functions have been discovered. Ryan Permeh reported that the init_request_info() function in sapi/cgi/cgi_main.c does not properly consider operator precedence when calculating the length of PATH_TRANSLATED (CVE-2008-0599). An off-by-one error in the metaphone() function may lead to memory corruption. Maksymilian Arciemowicz of SecurityReason Research reported an integer overflow, which is triggerable using printf() and related functions (CVE-2008-1384). Andrei Nigmatulin reported a stack-based buffer overflow in the FastCGI SAPI, which has unknown attack vectors (CVE-2008-2050). Stefan Esser reported that PHP does not correctly handle multibyte characters inside the escapeshellcmd() function, which is used to sanitize user input before its usage in shell commands (CVE-2008-2051). Stefan Esser reported that a short-coming in PHP's algorithm of seeding the random number generator might allow for predictible random numbers (CVE-2008-2107, CVE-2008-2108). The IMAP extension in PHP uses obsolete c-client API calls making it vulnerable to buffer overflows as no bounds checking can be done (CVE-2008-2829). Tavis Ormandy reported a heap-based buffer overflow in pcre_compile.c in the PCRE version shipped by PHP when processing user-supplied regular expressions (CVE-2008-2371). CzechSec reported that specially crafted font files can lead to an overflow in the imageloadfont() function in ext/gd/gd.c, which is part of the GD extension (CVE-2008-3658). Maksymilian Arciemowicz of SecurityReason Research reported that a design error in PHP's stream wrappers allows to circumvent safe_mode checks in several filesystem-related PHP functions (CVE-2008-2665, CVE-2008-2666). Laurent Gaffie discovered a buffer overflow in the internal memnstr() function, which is used by the PHP function explode() (CVE-2008-3659). An error in the FastCGI SAPI when processing a request with multiple dots preceding the extension (CVE-2008-3660). Impact : These vulnerabilities might allow a remote attacker to execute arbitrary code, to cause a Denial of Service, to circumvent security restrictions, to disclose information, and to manipulate files. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 34787
    published 2008-11-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=34787
    title GLSA-200811-05 : PHP: Multiple vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2008-0544.NASL
    description Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. It was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051) PHP functions htmlentities() and htmlspecialchars() did not properly recognize partial multi-byte sequences. Certain sequences of bytes could be passed through these functions without being correctly HTML-escaped. Depending on the browser being used, an attacker could use this flaw to conduct cross-site scripting attacks. (CVE-2007-5898) A PHP script which used the transparent session ID configuration option, or which used the output_add_rewrite_var() function, could leak session identifiers to external websites. If a page included an HTML form with an ACTION attribute referencing a non-local URL, the user's session ID would be included in the form data passed to that URL. (CVE-2007-5899) It was discovered that PHP fnmatch() function did not restrict the length of the string argument. An attacker could use this flaw to crash the PHP interpreter where a script used fnmatch() on untrusted input data. (CVE-2007-4782) It was discovered that PHP did not properly seed its pseudo-random number generator used by functions such as rand() and mt_rand(), possibly allowing an attacker to easily predict the generated pseudo-random values. (CVE-2008-2107, CVE-2008-2108) Users of PHP should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 33510
    published 2008-07-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33510
    title RHEL 3 / 5 : php (RHSA-2008:0544)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2008-127.NASL
    description A number of vulnerabilities have been found and corrected in PHP : The htmlentities() and htmlspecialchars() functions in PHP prior to 5.2.5 accepted partial multibyte sequences, which has unknown impact and attack vectors (CVE-2007-5898). The output_add_rewrite_var() function in PHP prior to 5.2.5 rewrites local forms in which the ACTION attribute references a non-local URL, which could allow a remote attacker to obtain potentially sensitive information by reading the requests for this URL (CVE-2007-5899). php-cgi in PHP prior to 5.2.6 does not properly calculate the length of PATH_TRANSLATED, which has unknown impact and attack vectors (CVE-2008-0599). The escapeshellcmd() API function in PHP prior to 5.2.6 has unknown impact and context-dependent attack vectors related to incomplete multibyte characters (CVE-2008-2051). Weaknesses in the GENERATE_SEED macro in PHP prior to 4.4.8 and 5.2.5 were discovered that could produce a zero seed in rare circumstances on 32bit systems and generations a portion of zero bits during conversion due to insufficient precision on 64bit systems (CVE-2008-2107, CVE-2008-2108). The IMAP module in PHP uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) via a long IMAP request (CVE-2008-2829). In addition, this update also corrects an issue with some float to string conversions. The updated packages have been patched to correct these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 38042
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38042
    title Mandriva Linux Security Advisory : php (MDVSA-2008:127)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2008-126.NASL
    description A number of vulnerabilities have been found and corrected in PHP : PHP 5.2.1 would allow context-dependent attackers to read portions of heap memory by executing certain scripts with a serialized data input string beginning with 'S:', which did not properly track the number of input bytes being processed (CVE-2007-1649). A vulnerability in the chunk_split() function in PHP prior to 5.2.4 has unknown impact and attack vectors, related to an incorrect size calculation (CVE-2007-4660). The htmlentities() and htmlspecialchars() functions in PHP prior to 5.2.5 accepted partial multibyte sequences, which has unknown impact and attack vectors (CVE-2007-5898). The output_add_rewrite_var() function in PHP prior to 5.2.5 rewrites local forms in which the ACTION attribute references a non-local URL, which could allow a remote attacker to obtain potentially sensitive information by reading the requests for this URL (CVE-2007-5899). The escapeshellcmd() API function in PHP prior to 5.2.6 has unknown impact and context-dependent attack vectors related to incomplete multibyte characters (CVE-2008-2051). Weaknesses in the GENERATE_SEED macro in PHP prior to 4.4.8 and 5.2.5 were discovered that could produce a zero seed in rare circumstances on 32bit systems and generations a portion of zero bits during conversion due to insufficient precision on 64bit systems (CVE-2008-2107, CVE-2008-2108). The IMAP module in PHP uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) via a long IMAP request (CVE-2008-2829). The updated packages have been patched to correct these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 37584
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=37584
    title Mandriva Linux Security Advisory : php (MDVSA-2008:126)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2008-0545.NASL
    description Updated php packages that fix several security issues and a bug are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. It was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051) The PHP functions htmlentities() and htmlspecialchars() did not properly recognize partial multi-byte sequences. Certain sequences of bytes could be passed through these functions without being correctly HTML-escaped. Depending on the browser being used, an attacker could use this flaw to conduct cross-site scripting attacks. (CVE-2007-5898) A PHP script which used the transparent session ID configuration option, or which used the output_add_rewrite_var() function, could leak session identifiers to external websites. If a page included an HTML form with an ACTION attribute referencing a non-local URL, the user's session ID would be included in the form data passed to that URL. (CVE-2007-5899) It was discovered that the PHP fnmatch() function did not restrict the length of the string argument. An attacker could use this flaw to crash the PHP interpreter where a script used fnmatch() on untrusted input data. (CVE-2007-4782) It was discovered that PHP did not properly seed its pseudo-random number generator used by functions such as rand() and mt_rand(), possibly allowing an attacker to easily predict the generated pseudo-random values. (CVE-2008-2107, CVE-2008-2108) As well, these updated packages fix the following bug : * after 2008-01-01, when using PEAR version 1.3.6 or older, it was not possible to use the PHP Extension and Application Repository (PEAR) to upgrade or install packages. In these updated packages, PEAR has been upgraded to version 1.4.9, which restores support for the current pear.php.net update server. The following changes were made to the PEAR packages included in php-pear: Console_Getopt and Archive_Tar are now included by default, and XML_RPC has been upgraded to version 1.5.0. All php users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 33511
    published 2008-07-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33511
    title RHEL 4 : php (RHSA-2008:0545)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2008-3864.NASL
    description This release updates PHP to the latest upstream version 5.2.6, fixing multiple bugs and security issues. See upstream release notes for further details: http://www.php.net/releases/5_2_5.php http://www.php.net/releases/5_2_6.php It was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051) PHP functions htmlentities() and htmlspecialchars() did not properly recognize partial multi-byte sequences. Certain sequences of bytes could be passed through these functions without being correctly HTML-escaped. An attacker could use this flaw to conduct cross-site scripting attack against users of such browsers. (CVE-2007-5898) It was discovered that a PHP script using the transparent session ID configuration option, or using the output_add_rewrite_var() function, could leak session identifiers to external websites. If a page included an HTML form which is posted to a third-party website, the user's session ID would be included in the form data and passed to that website. (CVE-2007-5899) It was discovered that PHP fnmatch() function did not restrict the length of the string argument. An attacker could use this flaw to crash the PHP interpreter where a script used fnmatch() on untrusted input data. (CVE-2007-4782) It was discovered that PHP did not properly seed its pseudo-random number generator used by functions such as rand() and mt_rand(), possibly allowing an attacker to easily predict the generated pseudo-random values. (CVE-2008-2107, CVE-2008-2108) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-12-08
    plugin id 33232
    published 2008-06-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33232
    title Fedora 8 : php-5.2.6-2.fc8 (2008-3864)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2008-0546.NASL
    description Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. It was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051) The PHP functions htmlentities() and htmlspecialchars() did not properly recognize partial multi-byte sequences. Certain sequences of bytes could be passed through these functions without being correctly HTML-escaped. Depending on the browser being used, an attacker could use this flaw to conduct cross-site scripting attacks. (CVE-2007-5898) A PHP script which used the transparent session ID configuration option, or which used the output_add_rewrite_var() function, could leak session identifiers to external websites. If a page included an HTML form with an ACTION attribute referencing a non-local URL, the user's session ID would be included in the form data passed to that URL. (CVE-2007-5899) It was discovered that PHP did not properly seed its pseudo-random number generator used by functions such as rand() and mt_rand(), possibly allowing an attacker to easily predict the generated pseudo-random values. (CVE-2008-2107, CVE-2008-2108) Integer overflow and memory requirements miscalculation issues were discovered in the Perl-Compatible Regular Expression (PCRE) library used by PHP to process regular expressions. These issues could cause a crash, or possibly execute an arbitrary code with the privileges of the PHP script that processes regular expressions from untrusted sources. Note: PHP packages shipped with Red Hat Enterprise Linux 2.1 did not use the system-level PCRE library. By default they used an embedded copy of the library included with the PHP package. (CVE-2006-7228, CVE-2007-1660) Users of PHP should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 33512
    published 2008-07-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33512
    title RHEL 2.1 : php (RHSA-2008:0546)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2008-0544.NASL
    description Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. It was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051) PHP functions htmlentities() and htmlspecialchars() did not properly recognize partial multi-byte sequences. Certain sequences of bytes could be passed through these functions without being correctly HTML-escaped. Depending on the browser being used, an attacker could use this flaw to conduct cross-site scripting attacks. (CVE-2007-5898) A PHP script which used the transparent session ID configuration option, or which used the output_add_rewrite_var() function, could leak session identifiers to external websites. If a page included an HTML form with an ACTION attribute referencing a non-local URL, the user's session ID would be included in the form data passed to that URL. (CVE-2007-5899) It was discovered that PHP fnmatch() function did not restrict the length of the string argument. An attacker could use this flaw to crash the PHP interpreter where a script used fnmatch() on untrusted input data. (CVE-2007-4782) It was discovered that PHP did not properly seed its pseudo-random number generator used by functions such as rand() and mt_rand(), possibly allowing an attacker to easily predict the generated pseudo-random values. (CVE-2008-2107, CVE-2008-2108) Users of PHP should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 33524
    published 2008-07-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33524
    title CentOS 3 / 5 : php (CESA-2008:0544)
  • NASL family CGI abuses
    NASL id PHP_5_2_5.NASL
    description According to its banner, the version of PHP installed on the remote host is older than 5.2.5. Such versions may be affected by various issues, including but not limited to several buffer overflows.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 28181
    published 2007-11-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28181
    title PHP < 5.2.5 Multiple Vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1789.NASL
    description Several remote vulnerabilities have been discovered in the PHP 5 hypertext preprocessor. The Common Vulnerabilities and Exposures project identifies the following problems. The following four vulnerabilities have already been fixed in the stable (lenny) version of php5 prior to the release of lenny. This update now addresses them for etch (oldstable) as well : - CVE-2008-2107 / CVE-2008-2108 The GENERATE_SEED macro has several problems that make predicting generated random numbers easier, facilitating attacks against measures that use rand() or mt_rand() as part of a protection. - CVE-2008-5557 A buffer overflow in the mbstring extension allows attackers to execute arbitrary code via a crafted string containing an HTML entity. - CVE-2008-5624 The page_uid and page_gid variables are not correctly set, allowing use of some functionality intended to be restricted to root. - CVE-2008-5658 Directory traversal vulnerability in the ZipArchive::extractTo function allows attackers to write arbitrary files via a ZIP file with a file whose name contains .. (dot dot) sequences. This update also addresses the following three vulnerabilities for both oldstable (etch) and stable (lenny) : - CVE-2008-5814 Cross-site scripting (XSS) vulnerability, when display_errors is enabled, allows remote attackers to inject arbitrary web script or HTML. - CVE-2009-0754 When running on Apache, PHP allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within .htaccess, which causes this setting to be applied to other virtual hosts on the same server. - CVE-2009-1271 The JSON_parser function allows a denial of service (segmentation fault) via a malformed string to the json_decode API function. Furthermore, two updates originally scheduled for the next point update for oldstable are included in the etch package : - Let PHP use the system timezone database instead of the embedded timezone database which is out of date. - From the source tarball, the unused 'dbase' module has been removed which contained licensing problems.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 38691
    published 2009-05-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38691
    title Debian DSA-1789-1 : php5 - several vulnerabilities
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20080716_PHP_ON_SL4_X.NASL
    description It was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051) The PHP functions htmlentities() and htmlspecialchars() did not properly recognize partial multi-byte sequences. Certain sequences of bytes could be passed through these functions without being correctly HTML-escaped. Depending on the browser being used, an attacker could use this flaw to conduct cross-site scripting attacks. (CVE-2007-5898) A PHP script which used the transparent session ID configuration option, or which used the output_add_rewrite_var() function, could leak session identifiers to external websites. If a page included an HTML form with an ACTION attribute referencing a non-local URL, the user's session ID would be included in the form data passed to that URL. (CVE-2007-5899) It was discovered that the PHP fnmatch() function did not restrict the length of the string argument. An attacker could use this flaw to crash the PHP interpreter where a script used fnmatch() on untrusted input data. (CVE-2007-4782) It was discovered that PHP did not properly seed its pseudo-random number generator used by functions such as rand() and mt_rand(), possibly allowing an attacker to easily predict the generated pseudo-random values. (CVE-2008-2107, CVE-2008-2108) As well, these updated packages fix the following bug : - after 2008-01-01, when using PEAR version 1.3.6 or older, it was not possible to use the PHP Extension and Application Repository (PEAR) to upgrade or install packages. In these updated packages, PEAR has been upgraded to version 1.4.9, which restores support for the current pear.php.net update server. The following changes were made to the PEAR packages included in php-pear: Console_Getopt and Archive_Tar are now included by default, and XML_RPC has been upgraded to version 1.5.0.
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60444
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60444
    title Scientific Linux Security Update : php on SL4.x i386/x86_64
oval via4
accepted 2013-04-29T04:07:21.570-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 32-bit systems, performs a multiplication using values that can produce a zero seed in rare circumstances, which allows context-dependent attackers to predict subsequent values of the rand and mt_rand functions and possibly bypass protection mechanisms that rely on an unknown initial seed.
family unix
id oval:org.mitre.oval:def:10644
status accepted
submitted 2010-07-09T03:56:16-04:00
title The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 32-bit systems, performs a multiplication using values that can produce a zero seed in rare circumstances, which allows context-dependent attackers to predict subsequent values of the rand and mt_rand functions and possibly bypass protection mechanisms that rely on an unknown initial seed.
version 24
redhat via4
advisories
  • rhsa
    id RHSA-2008:0505
  • rhsa
    id RHSA-2008:0544
  • rhsa
    id RHSA-2008:0545
  • rhsa
    id RHSA-2008:0546
  • rhsa
    id RHSA-2008:0582
rpms
  • php-0:4.3.2-48.ent
  • php-devel-0:4.3.2-48.ent
  • php-imap-0:4.3.2-48.ent
  • php-ldap-0:4.3.2-48.ent
  • php-mysql-0:4.3.2-48.ent
  • php-odbc-0:4.3.2-48.ent
  • php-pgsql-0:4.3.2-48.ent
  • php-0:5.1.6-20.el5_2.1
  • php-bcmath-0:5.1.6-20.el5_2.1
  • php-cli-0:5.1.6-20.el5_2.1
  • php-common-0:5.1.6-20.el5_2.1
  • php-dba-0:5.1.6-20.el5_2.1
  • php-devel-0:5.1.6-20.el5_2.1
  • php-gd-0:5.1.6-20.el5_2.1
  • php-imap-0:5.1.6-20.el5_2.1
  • php-ldap-0:5.1.6-20.el5_2.1
  • php-mbstring-0:5.1.6-20.el5_2.1
  • php-mysql-0:5.1.6-20.el5_2.1
  • php-ncurses-0:5.1.6-20.el5_2.1
  • php-odbc-0:5.1.6-20.el5_2.1
  • php-pdo-0:5.1.6-20.el5_2.1
  • php-pgsql-0:5.1.6-20.el5_2.1
  • php-snmp-0:5.1.6-20.el5_2.1
  • php-soap-0:5.1.6-20.el5_2.1
  • php-xml-0:5.1.6-20.el5_2.1
  • php-xmlrpc-0:5.1.6-20.el5_2.1
  • php-0:4.3.9-3.22.12
  • php-devel-0:4.3.9-3.22.12
  • php-domxml-0:4.3.9-3.22.12
  • php-gd-0:4.3.9-3.22.12
  • php-imap-0:4.3.9-3.22.12
  • php-ldap-0:4.3.9-3.22.12
  • php-mbstring-0:4.3.9-3.22.12
  • php-mysql-0:4.3.9-3.22.12
  • php-ncurses-0:4.3.9-3.22.12
  • php-odbc-0:4.3.9-3.22.12
  • php-pear-0:4.3.9-3.22.12
  • php-pgsql-0:4.3.9-3.22.12
  • php-snmp-0:4.3.9-3.22.12
  • php-xmlrpc-0:4.3.9-3.22.12
refmap via4
bugtraq 20080506 Advisory SE-2008-02: PHP GENERATE_SEED() Weak Random Number Seed Vulnerability
debian DSA-1789
fedora
  • FEDORA-2008-3606
  • FEDORA-2008-3864
fulldisc 20080506 Advisory SE-2008-02: PHP GENERATE_SEED() Weak Random Number Seed Vulnerability
gentoo GLSA-200811-05
mandriva
  • MDVSA-2008:125
  • MDVSA-2008:126
  • MDVSA-2008:127
  • MDVSA-2008:128
  • MDVSA-2008:129
  • MDVSA-2008:130
misc http://www.sektioneins.de/advisories/SE-2008-02.txt
secunia
  • 30757
  • 30828
  • 30967
  • 31119
  • 31124
  • 31200
  • 32746
  • 35003
sreason 3859
suse SUSE-SR:2008:014
ubuntu USN-628-1
xf
  • php-generateseed-security-bypass(42284)
  • php-generateseed-weak-security(42226)
Last major update 30-10-2012 - 22:56
Published 07-05-2008 - 17:20
Last modified 11-10-2018 - 16:39
Back to Top