ID CVE-2008-2829
Summary php_imap.c in PHP 5.2.5, 5.2.6, 4.x, and other versions, uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long IMAP request, which triggers an "rfc822.c legacy routine buffer overflow" error message, related to the rfc822_write_address function.
References
Vulnerable Configurations
  • PHP 4.4.9 -
    cpe:2.3:a:php:php:4.4.9
  • PHP 5.2.5 -
    cpe:2.3:a:php:php:5.2.5
  • PHP 5.2.6 -
    cpe:2.3:a:php:php:5.2.6
  • Canonical Ubuntu Linux 6.06 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:6.06:-:-:-:lts
  • Canonical Ubuntu Linux 7.04
    cpe:2.3:o:canonical:ubuntu_linux:7.04
  • Canonical Ubuntu Linux 7.10
    cpe:2.3:o:canonical:ubuntu_linux:7.10
  • Canonical Ubuntu Linux 8.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:8.04:-:-:-:lts
CVSS
Base: 5.0 (as of 23-06-2008 - 17:29)
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_0_APACHE2-MOD_PHP5-081114.NASL
    description This update fixes a buffer overflow in php_imap.c that uses an old IMAP API. This bug can be exploited to execute arbitrary code remotely via long IMAP requests. (CVE-2008-2829)
    last seen 2019-02-21
    modified 2014-06-13
    plugin id 39914
    published 2009-07-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=39914
    title openSUSE Security Update : apache2-mod_php5 (apache2-mod_php5-310)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_APACHE2-MOD_PHP5-5787.NASL
    description This update fixes a buffer overflow in php_imap.c that uses an old IMAP API. This bug can be exploited to execute arbitrary code remotely via long IMAP requests. (CVE-2008-2829)
    last seen 2019-02-21
    modified 2014-06-13
    plugin id 35004
    published 2008-12-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35004
    title openSUSE 10 Security Update : apache2-mod_php5 (apache2-mod_php5-5787)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_5_7.NASL
    description The remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.7. Mac OS X 10.5.7 contains security fixes for the following products : - Apache - ATS - BIND - CFNetwork - CoreGraphics - Cscope - CUPS - Disk Images - enscript - Flash Player plug-in - Help Viewer - iChat - International Components for Unicode - IPSec - Kerberos - Kernel - Launch Services - libxml - Net-SNMP - Network Time - Networking - OpenSSL - PHP - QuickDraw Manager - ruby - Safari - Spotlight - system_cmds - telnet - Terminal - WebKit - X11
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 38744
    published 2009-05-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38744
    title Mac OS X 10.5.x < 10.5.7 Multiple Vulnerabilities
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-628-1.NASL
    description It was discovered that PHP did not properly check the length of the string parameter to the fnmatch function. An attacker could cause a denial of service in the PHP interpreter if a script passed untrusted input to the fnmatch function. (CVE-2007-4782) Maksymilian Arciemowicz discovered a flaw in the cURL library that allowed safe_mode and open_basedir restrictions to be bypassed. If a PHP application were tricked into processing a bad file:// request, an attacker could read arbitrary files. (CVE-2007-4850) Rasmus Lerdorf discovered that the htmlentities and htmlspecialchars functions did not correctly stop when handling partial multibyte sequences. A remote attacker could exploit this to read certain areas of memory, possibly gaining access to sensitive information. This issue affects Ubuntu 8.04 LTS, and an updated fix is included for Ubuntu 6.06 LTS, 7.04 and 7.10. (CVE-2007-5898) It was discovered that the output_add_rewrite_var function would sometimes leak session id information to forms targeting remote URLs. Malicious remote sites could use this information to gain access to a PHP application user's login credentials. This issue only affects Ubuntu 8.04 LTS. (CVE-2007-5899) It was discovered that PHP did not properly calculate the length of PATH_TRANSLATED. If a PHP application were tricked into processing a malicious URI, and attacker may be able to execute arbitrary code with application privileges. (CVE-2008-0599) An integer overflow was discovered in the php_sprintf_appendstring function. Attackers could exploit this to cause a denial of service. (CVE-2008-1384) Andrei Nigmatulin discovered stack-based overflows in the FastCGI SAPI of PHP. An attacker may be able to leverage this issue to perform attacks against PHP applications. (CVE-2008-2050) It was discovered that the escapeshellcmd did not properly process multibyte characters. An attacker may be able to bypass quoting restrictions and possibly execute arbitrary code with application privileges. (CVE-2008-2051) It was discovered that the GENERATE_SEED macro produced a predictable seed under certain circumstances. Attackers may by able to easily predict the results of the rand and mt_rand functions. (CVE-2008-2107, CVE-2008-2108) Tavis Ormandy discovered that the PCRE library did not correctly handle certain in-pattern options. An attacker could cause PHP applications using pcre to crash, leading to a denial of service. USN-624-1 fixed vulnerabilities in the pcre3 library. This update provides the corresponding update for PHP. (CVE-2008-2371) It was discovered that php_imap used obsolete API calls. If a PHP application were tricked into processing a malicious IMAP request, an attacker could cause a denial of service or possibly execute code with application privileges. (CVE-2008-2829). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 33575
    published 2008-07-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33575
    title Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : php5 vulnerabilities (USN-628-1)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2008-128.NASL
    description A number of vulnerabilities have been found and corrected in PHP : php-cgi in PHP prior to 5.2.6 does not properly calculate the length of PATH_TRANSLATED, which has unknown impact and attack vectors (CVE-2008-0599). The escapeshellcmd() API function in PHP prior to 5.2.6 has unknown impact and context-dependent attack vectors related to incomplete multibyte characters (CVE-2008-2051). Weaknesses in the GENERATE_SEED macro in PHP prior to 4.4.8 and 5.2.5 were discovered that could produce a zero seed in rare circumstances on 32bit systems and generations a portion of zero bits during conversion due to insufficient precision on 64bit systems (CVE-2008-2107, CVE-2008-2108). The IMAP module in PHP uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) via a long IMAP request (CVE-2008-2829). In addition, the updated packages provide a number of bug fixes. The updated packages have been patched to correct these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 36486
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=36486
    title Mandriva Linux Security Advisory : php (MDVSA-2008:128)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2008-339-01.NASL
    description New php packages are available for Slackware 12.0, 12.1, and -current to fix security issues, as well as make improvements and fix bugs.
    last seen 2019-02-21
    modified 2016-12-09
    plugin id 35035
    published 2008-12-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35035
    title Slackware 12.0 / 12.1 / current : php (SSA:2008-339-01)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200811-05.NASL
    description The remote host is affected by the vulnerability described in GLSA-200811-05 (PHP: Multiple vulnerabilities) Several vulnerabilitites were found in PHP: PHP ships a vulnerable version of the PCRE library which allows for the circumvention of security restrictions or even for remote code execution in case of an application which accepts user-supplied regular expressions (CVE-2008-0674). Multiple crash issues in several PHP functions have been discovered. Ryan Permeh reported that the init_request_info() function in sapi/cgi/cgi_main.c does not properly consider operator precedence when calculating the length of PATH_TRANSLATED (CVE-2008-0599). An off-by-one error in the metaphone() function may lead to memory corruption. Maksymilian Arciemowicz of SecurityReason Research reported an integer overflow, which is triggerable using printf() and related functions (CVE-2008-1384). Andrei Nigmatulin reported a stack-based buffer overflow in the FastCGI SAPI, which has unknown attack vectors (CVE-2008-2050). Stefan Esser reported that PHP does not correctly handle multibyte characters inside the escapeshellcmd() function, which is used to sanitize user input before its usage in shell commands (CVE-2008-2051). Stefan Esser reported that a short-coming in PHP's algorithm of seeding the random number generator might allow for predictible random numbers (CVE-2008-2107, CVE-2008-2108). The IMAP extension in PHP uses obsolete c-client API calls making it vulnerable to buffer overflows as no bounds checking can be done (CVE-2008-2829). Tavis Ormandy reported a heap-based buffer overflow in pcre_compile.c in the PCRE version shipped by PHP when processing user-supplied regular expressions (CVE-2008-2371). CzechSec reported that specially crafted font files can lead to an overflow in the imageloadfont() function in ext/gd/gd.c, which is part of the GD extension (CVE-2008-3658). Maksymilian Arciemowicz of SecurityReason Research reported that a design error in PHP's stream wrappers allows to circumvent safe_mode checks in several filesystem-related PHP functions (CVE-2008-2665, CVE-2008-2666). Laurent Gaffie discovered a buffer overflow in the internal memnstr() function, which is used by the PHP function explode() (CVE-2008-3659). An error in the FastCGI SAPI when processing a request with multiple dots preceding the extension (CVE-2008-3660). Impact : These vulnerabilities might allow a remote attacker to execute arbitrary code, to cause a Denial of Service, to circumvent security restrictions, to disclose information, and to manipulate files. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 34787
    published 2008-11-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=34787
    title GLSA-200811-05 : PHP: Multiple vulnerabilities
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2008-127.NASL
    description A number of vulnerabilities have been found and corrected in PHP : The htmlentities() and htmlspecialchars() functions in PHP prior to 5.2.5 accepted partial multibyte sequences, which has unknown impact and attack vectors (CVE-2007-5898). The output_add_rewrite_var() function in PHP prior to 5.2.5 rewrites local forms in which the ACTION attribute references a non-local URL, which could allow a remote attacker to obtain potentially sensitive information by reading the requests for this URL (CVE-2007-5899). php-cgi in PHP prior to 5.2.6 does not properly calculate the length of PATH_TRANSLATED, which has unknown impact and attack vectors (CVE-2008-0599). The escapeshellcmd() API function in PHP prior to 5.2.6 has unknown impact and context-dependent attack vectors related to incomplete multibyte characters (CVE-2008-2051). Weaknesses in the GENERATE_SEED macro in PHP prior to 4.4.8 and 5.2.5 were discovered that could produce a zero seed in rare circumstances on 32bit systems and generations a portion of zero bits during conversion due to insufficient precision on 64bit systems (CVE-2008-2107, CVE-2008-2108). The IMAP module in PHP uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) via a long IMAP request (CVE-2008-2829). In addition, this update also corrects an issue with some float to string conversions. The updated packages have been patched to correct these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 38042
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38042
    title Mandriva Linux Security Advisory : php (MDVSA-2008:127)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2008-126.NASL
    description A number of vulnerabilities have been found and corrected in PHP : PHP 5.2.1 would allow context-dependent attackers to read portions of heap memory by executing certain scripts with a serialized data input string beginning with 'S:', which did not properly track the number of input bytes being processed (CVE-2007-1649). A vulnerability in the chunk_split() function in PHP prior to 5.2.4 has unknown impact and attack vectors, related to an incorrect size calculation (CVE-2007-4660). The htmlentities() and htmlspecialchars() functions in PHP prior to 5.2.5 accepted partial multibyte sequences, which has unknown impact and attack vectors (CVE-2007-5898). The output_add_rewrite_var() function in PHP prior to 5.2.5 rewrites local forms in which the ACTION attribute references a non-local URL, which could allow a remote attacker to obtain potentially sensitive information by reading the requests for this URL (CVE-2007-5899). The escapeshellcmd() API function in PHP prior to 5.2.6 has unknown impact and context-dependent attack vectors related to incomplete multibyte characters (CVE-2008-2051). Weaknesses in the GENERATE_SEED macro in PHP prior to 4.4.8 and 5.2.5 were discovered that could produce a zero seed in rare circumstances on 32bit systems and generations a portion of zero bits during conversion due to insufficient precision on 64bit systems (CVE-2008-2107, CVE-2008-2108). The IMAP module in PHP uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) via a long IMAP request (CVE-2008-2829). The updated packages have been patched to correct these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 37584
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=37584
    title Mandriva Linux Security Advisory : php (MDVSA-2008:126)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_27D01223C45711DDA7210030843D3802.NASL
    description Secunia reports : Some vulnerabilities have been reported in PHP, where some have an unknown impact and others can potentially be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. An input validation error exists within the 'ZipArchive::extractTo()' function when extracting ZIP archives. This can be exploited to extract files to arbitrary locations outside the specified directory via directory traversal sequences in a specially crafted ZIP archive. An error in the included PCRE library can be exploited to cause a buffer overflow. The problem is that the 'BG(page_uid)' and 'BG(page_gid)' variables are not initialized. No further information is currently available. The problem is that the 'php_value' order is incorrect for Apache configurations. No further information is currently available. An error in the GD library can be exploited to cause a crash via a specially crafted font file.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 35051
    published 2008-12-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35051
    title FreeBSD : php -- multiple vulnerabilities (27d01223-c457-11dd-a721-0030843d3802)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2009-3768.NASL
    description Update to PHP 5.2.9 A heap-based buffer overflow flaw was found in PHP's mbstring extension. A remote attacker able to pass arbitrary input to a PHP script using mbstring conversion functions could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-5557) A directory traversal flaw was found in PHP's ZipArchive::extractTo function. If PHP is used to extract a malicious ZIP archive, it could allow an attacker to write arbitrary files anywhere the PHP process has write permissions. (CVE-2008-5658) A buffer overflow flaw was found in PHP's imageloadfont function. If a PHP script allowed a remote attacker to load a carefully crafted font file, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-3658) A memory disclosure flaw was found in the PHP gd extension's imagerotate function. A remote attacker able to pass arbitrary values as the 'background color' argument of the function could, possibly, view portions of the PHP interpreter's memory. (CVE-2008-5498) A cross-site scripting flaw was found in a way PHP reported errors for invalid cookies. If the PHP interpreter had 'display_errors' enabled, a remote attacker able to set a specially crafted cookie on a victim's system could possibly inject arbitrary HTML into an error message generated by PHP. (CVE-2008-5814) A flaw was found in the handling of the 'mbstring.func_overload' configuration setting. A value set for one virtual host, or in a user's .htaccess file, was incorrectly applied to other virtual hosts on the same server, causing the handling of multibyte character strings to not work correctly. (CVE-2009-0754) A flaw was found in PHP's json_decode function. A remote attacker could use this flaw to create a specially crafted string which could cause the PHP interpreter to crash while being decoded in a PHP script. (CVE-2009-1271) A flaw was found in the use of the uw-imap library by the PHP 'imap' extension. This could cause the PHP interpreter to crash if the 'imap' extension was used to read specially crafted mail messages with long headers. (CVE-2008-2829) http://www.php.net/releases/5_2_7.php http://www.php.net/releases/5_2_8.php http://www.php.net/releases/5_2_9.php http://www.php.net/ChangeLog-5.php#5.2.9 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 38956
    published 2009-06-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38956
    title Fedora 10 : maniadrive-1.2-13.fc10 / php-5.2.9-2.fc10 (2009-3768)
  • NASL family CGI abuses
    NASL id PHP_5_2_7.NASL
    description According to its banner, the version of PHP installed on the remote host is prior to 5.2.7. It is, therefore, affected by multiple vulnerabilities : - There is a buffer overflow flaw in the bundled PCRE library that allows a denial of service attack. (CVE-2008-2371) - Multiple directory traversal vulnerabilities exist in functions such as 'posix_access', 'chdir', and 'ftok' that allow a remote attacker to bypass 'safe_mode' restrictions. (CVE-2008-2665 and CVE-2008-2666). - A buffer overflow flaw in 'php_imap.c' may be triggered when processing long message headers due to the use of obsolete API calls. This can be exploited to cause a denial of service or to execute arbitrary code. (CVE-2008-2829) - A buffer overflow in the 'imageloadfont' function in 'ext/gd/gd.c' can be triggered when a specially crafted font is given. This can be exploited to cause a denial of service or to execute arbitrary code. (CVE-2008-3658) - A buffer overflow flaw exists in PHP's internal function 'memnstr' which can be exploited by an attacker using the delimiter argument to the 'explode' function. This can be used to cause a denial of service or to execute arbitrary code. (CVE-2008-3659) - When PHP is used as a FastCGI module, an attacker by requesting a file whose file name extension is preceded by multiple dots can cause a denial of service. (CVE-2008-3660) - A heap-based buffer overflow flaw in the mbstring extension can be triggered via a specially crafted string containing an HTML entity that is not handled during Unicode conversion. This can be exploited to execute arbitrary code.(CVE-2008-5557) - Improper initialization of global variables 'page_uid' and 'page_gid' when PHP is used as an Apache module allows the bypassing of security restriction due to SAPI 'php_getuid' function overloading. (CVE-2008-5624) - PHP does not enforce the correct restrictions when 'safe_mode' is enabled through a 'php_admin_flag' setting in 'httpd.conf'. This allows an attacker, by placing a specially crafted 'php_value' entry in '.htaccess', to able to write to arbitrary files. (CVE-2008-5625) - The 'ZipArchive::extractTo' function in the ZipArchive extension fails to filter directory traversal sequences from file names. An attacker can exploit this to write to arbitrary files. (CVE-2008-5658) - Under limited circumstances, an attacker can cause a file truncation to occur when calling the 'dba_replace' function with an invalid argument. (CVE-2008-7068) - A buffer overflow error exists in the function 'date_from_ISO8601' function within file 'xmlrpc.c' because user-supplied input is improperly validated. This can be exploited by a remote attacker to cause a denial of service or to execute arbitrary code. (CVE-2014-8626)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 35043
    published 2008-12-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35043
    title PHP 5 < 5.2.7 Multiple Vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2009-3848.NASL
    description Update to PHP 5.2.9 A heap-based buffer overflow flaw was found in PHP's mbstring extension. A remote attacker able to pass arbitrary input to a PHP script using mbstring conversion functions could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-5557) A directory traversal flaw was found in PHP's ZipArchive::extractTo function. If PHP is used to extract a malicious ZIP archive, it could allow an attacker to write arbitrary files anywhere the PHP process has write permissions. (CVE-2008-5658) A buffer overflow flaw was found in PHP's imageloadfont function. If a PHP script allowed a remote attacker to load a carefully crafted font file, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-3658) A memory disclosure flaw was found in the PHP gd extension's imagerotate function. A remote attacker able to pass arbitrary values as the 'background color' argument of the function could, possibly, view portions of the PHP interpreter's memory. (CVE-2008-5498) A cross-site scripting flaw was found in a way PHP reported errors for invalid cookies. If the PHP interpreter had 'display_errors' enabled, a remote attacker able to set a specially crafted cookie on a victim's system could possibly inject arbitrary HTML into an error message generated by PHP. (CVE-2008-5814) A flaw was found in the handling of the 'mbstring.func_overload' configuration setting. A value set for one virtual host, or in a user's .htaccess file, was incorrectly applied to other virtual hosts on the same server, causing the handling of multibyte character strings to not work correctly. (CVE-2009-0754) A flaw was found in PHP's json_decode function. A remote attacker could use this flaw to create a specially crafted string which could cause the PHP interpreter to crash while being decoded in a PHP script. (CVE-2009-1271) A flaw was found in the use of the uw-imap library by the PHP 'imap' extension. This could cause the PHP interpreter to crash if the 'imap' extension was used to read specially crafted mail messages with long headers. (CVE-2008-2829) http://www.php.net/releases/5_2_7.php http://www.php.net/releases/5_2_8.php http://www.php.net/releases/5_2_9.php http://www.php.net/ChangeLog-5.php#5.2.9 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 38957
    published 2009-06-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38957
    title Fedora 9 : maniadrive-1.2-13.fc9 / php-5.2.9-2.fc9 (2009-3848)
refmap via4
apple APPLE-SA-2009-05-12
bid 29829
bugtraq 20090302 rPSA-2009-0035-1 php php-cgi php-imap php-mcrypt php-mysql php-mysqli php-pgsql php-soap php-xsl php5 php5-cgi php5-imap php5-mcrypt php5-mysql php5-mysqli php5-pear php5-pgsql php5-soap php5-xsl
cert TA09-133A
confirm
fedora
  • FEDORA-2009-3768
  • FEDORA-2009-3848
gentoo GLSA-200811-05
hp
  • HPSBUX02431
  • HPSBUX02465
  • SSRT090085
  • SSRT090192
mandriva
  • MDVSA-2008:126
  • MDVSA-2008:127
  • MDVSA-2008:128
misc http://bugs.php.net/bug.php?id=42862
mlist
  • [oss-security] 20080619 CVE request: php 5.2.6 ext/imap buffer overflows
  • [oss-security] 20080624 Re: CVE request: php 5.2.6 ext/imap buffer overflows
osvdb 46641
secunia
  • 31200
  • 32746
  • 35074
  • 35306
  • 35650
suse SUSE-SR:2008:027
ubuntu USN-628-1
vupen ADV-2009-1297
xf php-phpimap-dos(43357)
statements via4
contributor Mark J Cox
lastmodified 2008-07-24
organization Red Hat
statement Not vulnerable. This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. For more details see: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2829
Last major update 30-10-2012 - 22:58
Published 23-06-2008 - 16:41
Last modified 01-11-2018 - 11:09
Back to Top