ID CVE-2010-2531
Summary The var_export function in PHP 5.2 before 5.2.14 and 5.3 before 5.3.3 flushes the output buffer to the user when certain fatal errors occur, even if display_errors is off, which allows remote attackers to obtain sensitive information by causing the application to exceed limits for memory, execution time, or recursion.
References
Vulnerable Configurations
  • PHP 5.2.9
    cpe:2.3:a:php:php:5.2.9
  • PHP 5.2.12
    cpe:2.3:a:php:php:5.2.12
  • PHP 5.2.10
    cpe:2.3:a:php:php:5.2.10
  • PHP 5.2.11
    cpe:2.3:a:php:php:5.2.11
  • PHP 5.2.5
    cpe:2.3:a:php:php:5.2.5
  • PHP 5.2.0
    cpe:2.3:a:php:php:5.2.0
  • PHP 5.2.4
    cpe:2.3:a:php:php:5.2.4
  • PHP 5.2.6
    cpe:2.3:a:php:php:5.2.6
  • PHP 5.2.8
    cpe:2.3:a:php:php:5.2.8
  • PHP 5.2.3
    cpe:2.3:a:php:php:5.2.3
  • PHP 5.2.1
    cpe:2.3:a:php:php:5.2.1
  • PHP 5.2.2
    cpe:2.3:a:php:php:5.2.2
  • PHP 5.2.13
    cpe:2.3:a:php:php:5.2.13
  • PHP 5.3.0
    cpe:2.3:a:php:php:5.3.0
  • PHP 5.3.1
    cpe:2.3:a:php:php:5.3.1
  • PHP 5.3.2
    cpe:2.3:a:php:php:5.3.2
CVSS
Base: 4.3 (as of 23-08-2010 - 15:52)
Impact:
Exploitability:
CWE CWE-200
CAPEC
  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
  • Reusing Session IDs (aka Session Replay)
    This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
  • Using Slashes in Alternate Encoding
    This attack targets the encoding of the Slash characters. An attacker would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the attacker many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
nessus via4
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_6_5.NASL
    description The remote host is running a version of Mac OS X 10.6.x that is prior to 10.6.5. Mac OS X 10.6.5 contains security fixes for the following products : - AFP Server - Apache mod_perl - Apache - AppKit - ATS - CFNetwork - CoreGraphics - CoreText - CUPS - Directory Services - diskdev_cmds - Disk Images - Flash Player plug-in - gzip - Image Capture - ImageIO - Image RAW - Kernel - MySQL - neon - Networking - OpenLDAP - OpenSSL - Password Server - PHP - Printing - python - QuickLook - QuickTime - Safari RSS - Time Machine - Wiki Server - X11 - xar
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 50548
    published 2010-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50548
    title Mac OS X 10.6.x < 10.6.5 Multiple Vulnerabilities
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2010-007.NASL
    description The remote host is running a version of Mac OS X 10.5 that does not have Security Update 2010-007 applied. This security update contains fixes for the following products : - AFP Server - Apache mod_perl - ATS - CFNetwork - CoreGraphics - CoreText - CUPS - Directory Services - diskdev_cmds - Disk Images - Flash Player plug-in - gzip - ImageIO - Image RAW - MySQL - Password Server - PHP - Printing - python - QuickLook - Safari RSS - Wiki Server - X11
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 50549
    published 2010-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50549
    title Mac OS X Multiple Vulnerabilities (Security Update 2010-007)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2010-139.NASL
    description This is a maintenance and security update that upgrades php to 5.2.14 for CS4/MES5/2008.0/2009.0/2009.1. Security Enhancements and Fixes in PHP 5.2.14 : - Rewrote var_export() to use smart_str rather than output buffering, prevents data disclosure if a fatal error occurs (CVE-2010-2531). - Fixed a possible interruption array leak in strrchr().(CVE-2010-2484) - Fixed a possible interruption array leak in strchr(), strstr(), substr(), chunk_split(), strtok(), addcslashes(), str_repeat(), trim(). - Fixed a possible memory corruption in substr_replace(). - Fixed SplObjectStorage unserialization problems (CVE-2010-2225). - Fixed a possible stack exaustion inside fnmatch(). - Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288). - Fixed handling of session variable serialization on certain prefix characters. - Fixed a possible arbitrary memory access inside sqlite extension. Reported by Mateusz Kocielski. Additionally some of the third-party extensions has been upgraded and/or rebuilt for the new php version. Packages for 2008.0 and 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=4 90
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 48197
    published 2010-07-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=48197
    title Mandriva Linux Security Advisory : php (MDVSA-2010:139)
  • NASL family CGI abuses
    NASL id PHP_5_2_14.NASL
    description According to its banner, the version of PHP 5.2 installed on the remote host is older than 5.2.14. Such versions may be affected by several security issues : - An error exists when processing invalid XML-RPC requests that can lead to a NULL pointer dereference. (bug #51288) (CVE-2010-0397) - An error exists in the function 'fnmatch' that can lead to stack exhaustion. - An error exists in the sqlite extension that could allow arbitrary memory access. - A memory corruption error exists in the function 'substr_replace'. - The following functions are not properly protected against function interruptions : addcslashes, chunk_split, html_entity_decode, iconv_mime_decode, iconv_substr, iconv_mime_encode, htmlentities, htmlspecialchars, str_getcsv, http_build_query, strpbrk, strstr, str_pad, str_word_count, wordwrap, strtok, setcookie, strip_tags, trim, ltrim, rtrim, parse_str, pack, unpack, uasort, preg_match, strrchr, strchr, substr, str_repeat (CVE-2010-1860, CVE-2010-1862, CVE-2010-1864, CVE-2010-2097, CVE-2010-2100, CVE-2010-2101, CVE-2010-2190, CVE-2010-2191, CVE-2010-2484) - The following opcodes are not properly protected against function interruptions : ZEND_CONCAT, ZEND_ASSIGN_CONCAT, ZEND_FETCH_RW (CVE-2010-2191) - The default session serializer contains an error that can be exploited when assigning session variables having user defined names. Arbitrary serialized values can be injected into sessions by including the PS_UNDEF_MARKER, '!', character in variable names. - A use-after-free error exists in the function 'spl_object_storage_attach'. (CVE-2010-2225) - An information disclosure vulnerability exists in the function 'var_export' when handling certain error conditions. (CVE-2010-2531)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 48244
    published 2010-08-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=48244
    title PHP 5.2 < 5.2.14 Multiple Vulnerabilities
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2010-005.NASL
    description The remote host is running a version of Mac OS X 10.6 or 10.5 that does not have Security Update 2010-005 applied. This security update contains fixes for the following products : - ATS - CFNetwork - ClamAV - CoreGraphics - libsecurity - PHP - Samba
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 48424
    published 2010-08-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=48424
    title Mac OS X Multiple Vulnerabilities (Security Update 2010-005)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_1_APACHE2-MOD_PHP5-100928.NASL
    description PHP was updated to version 5.2.14 to fix several security issues : - [CVE-2010-1860](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-1860) - [CVE-2010-1862](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-1862) - [CVE-2010-1864](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-1864) - [CVE-2010-1914](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-1914) - [CVE-2010-1915](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-1915) - [CVE-2010-1917](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-1917) - [CVE-2010-2093](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-2093) - [CVE-2010-2094](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-2094) - [CVE-2010-2097](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-2097) - [CVE-2010-2100](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-2100) - [CVE-2010-2101](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-2101) - [CVE-2010-2190](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-2190) - [CVE-2010-2191](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-2191) - [CVE-2010-2225](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-2225) - [CVE-2010-2484](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-2484) - [CVE-2010-2531](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-2531) - [CVE-2010-3062](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-3062) - [CVE-2010-3063](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-3063) - [CVE-2010-3064](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-3064) - [CVE-2010-3065](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-3065)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 49752
    published 2010-10-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=49752
    title openSUSE Security Update : apache2-mod_php5 (openSUSE-SU-2010:0678-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_2_APACHE2-MOD_PHP5-100813.NASL
    description PHP was updated to version 5.3.3 to fix serveral security issues. (CVE-2010-0397, CVE-2010-1860, CVE-2010-1862, CVE-2010-1864, CVE-2010-1866, CVE-2010-1914, CVE-2010-1915, CVE-2010-1917, CVE-2010-2093, CVE-2010-2094, CVE-2010-2097, CVE-2010-2100, CVE-2010-2101, CVE-2010-2190, CVE-2010-2191, CVE-2010-2225, CVE-2010-2531, CVE-2010-2950, CVE-2010-3062, CVE-2010-3063, CVE-2010-3064, CVE-2010-3065)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 49210
    published 2010-09-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=49210
    title openSUSE Security Update : apache2-mod_php5 (openSUSE-SU-2010:0599-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_APACHE2-MOD_PHP5-100805.NASL
    description PHP was updated to version 5.2.14 to fix serveral security issues : - CVE-2010-1860 - CVE-2010-1862 - CVE-2010-1864 - CVE-2010-1914 - CVE-2010-1915 - CVE-2010-1917 - CVE-2010-2093 - CVE-2010-2094 - CVE-2010-2097 - CVE-2010-2100 - CVE-2010-2101 - CVE-2010-2190 - CVE-2010-2191 - CVE-2010-2225 - CVE-2010-2484 - CVE-2010-2531 - CVE-2010-3062 - CVE-2010-3063 - CVE-2010-3064 - CVE-2010-3065
    last seen 2018-09-01
    modified 2013-10-25
    plugin id 50890
    published 2010-12-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50890
    title SuSE 11 / 11.1 Security Update : Apache 2 (SAT Patch Numbers 2880 / 2881)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2010-0919.NASL
    description From Red Hat Security Advisory 2010:0919 : Updated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. An input validation flaw was discovered in the PHP session serializer. If a PHP script generated session variable names from untrusted user input, a remote attacker could use this flaw to inject an arbitrary variable into the PHP session. (CVE-2010-3065) An information leak flaw was discovered in the PHP var_export() function implementation. If some fatal error occurred during the execution of this function (such as the exhaustion of memory or script execution time limit), part of the function's output was sent to the user as script output, possibly leading to the disclosure of sensitive information. (CVE-2010-2531) A numeric truncation error and an input validation flaw were found in the way the PHP utf8_decode() function decoded partial multi-byte sequences for some multi-byte encodings, sending them to output without them being escaped. An attacker could use these flaws to perform a cross-site scripting attack. (CVE-2009-5016, CVE-2010-3870) It was discovered that the PHP lcg_value() function used insufficient entropy to seed the pseudo-random number generator. A remote attacker could possibly use this flaw to predict values returned by the function, which are used to generate session identifiers by default. This update changes the function's implementation to use more entropy during seeding. (CVE-2010-1128) It was discovered that the PHP fnmatch() function did not restrict the length of the pattern argument. A remote attacker could use this flaw to crash the PHP interpreter where a script used fnmatch() on untrusted matching patterns. (CVE-2010-1917) A NULL pointer dereference flaw was discovered in the PHP XML-RPC extension. A malicious XML-RPC client or server could use this flaw to crash the PHP interpreter via a specially crafted XML-RPC request. (CVE-2010-0397) All php users should upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 68150
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68150
    title Oracle Linux 4 / 5 : php (ELSA-2010-0919)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2010-0919.NASL
    description Updated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. An input validation flaw was discovered in the PHP session serializer. If a PHP script generated session variable names from untrusted user input, a remote attacker could use this flaw to inject an arbitrary variable into the PHP session. (CVE-2010-3065) An information leak flaw was discovered in the PHP var_export() function implementation. If some fatal error occurred during the execution of this function (such as the exhaustion of memory or script execution time limit), part of the function's output was sent to the user as script output, possibly leading to the disclosure of sensitive information. (CVE-2010-2531) A numeric truncation error and an input validation flaw were found in the way the PHP utf8_decode() function decoded partial multi-byte sequences for some multi-byte encodings, sending them to output without them being escaped. An attacker could use these flaws to perform a cross-site scripting attack. (CVE-2009-5016, CVE-2010-3870) It was discovered that the PHP lcg_value() function used insufficient entropy to seed the pseudo-random number generator. A remote attacker could possibly use this flaw to predict values returned by the function, which are used to generate session identifiers by default. This update changes the function's implementation to use more entropy during seeding. (CVE-2010-1128) It was discovered that the PHP fnmatch() function did not restrict the length of the pattern argument. A remote attacker could use this flaw to crash the PHP interpreter where a script used fnmatch() on untrusted matching patterns. (CVE-2010-1917) A NULL pointer dereference flaw was discovered in the PHP XML-RPC extension. A malicious XML-RPC client or server could use this flaw to crash the PHP interpreter via a specially crafted XML-RPC request. (CVE-2010-0397) All php users should upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 50841
    published 2010-11-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50841
    title RHEL 4 / 5 : php (RHSA-2010:0919)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2266.NASL
    description Several vulnerabilities were discovered in PHP, which could lead to denial of service or potentially the execution of arbitrary code. - CVE-2010-2531 An information leak was found in the var_export() function. - CVE-2011-0421 The Zip module could crash. - CVE-2011-0708 An integer overflow was discovered in the Exif module. - CVE-2011-1466 An integer overflow was discovered in the Calendar module. - CVE-2011-1471 The Zip module was prone to denial of service through malformed archives. - CVE-2011-2202 Path names in form based file uploads (RFC 1867) were incorrectly validated. This update also fixes two bugs, which are not treated as security issues, but fixed nonetheless, see README.Debian.security for details on the scope of security support for PHP (CVE-2011-0420, CVE-2011-1153 ).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 55486
    published 2011-07-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55486
    title Debian DSA-2266-1 : php5 - several vulnerabilities
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2010-0919.NASL
    description Updated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. An input validation flaw was discovered in the PHP session serializer. If a PHP script generated session variable names from untrusted user input, a remote attacker could use this flaw to inject an arbitrary variable into the PHP session. (CVE-2010-3065) An information leak flaw was discovered in the PHP var_export() function implementation. If some fatal error occurred during the execution of this function (such as the exhaustion of memory or script execution time limit), part of the function's output was sent to the user as script output, possibly leading to the disclosure of sensitive information. (CVE-2010-2531) A numeric truncation error and an input validation flaw were found in the way the PHP utf8_decode() function decoded partial multi-byte sequences for some multi-byte encodings, sending them to output without them being escaped. An attacker could use these flaws to perform a cross-site scripting attack. (CVE-2009-5016, CVE-2010-3870) It was discovered that the PHP lcg_value() function used insufficient entropy to seed the pseudo-random number generator. A remote attacker could possibly use this flaw to predict values returned by the function, which are used to generate session identifiers by default. This update changes the function's implementation to use more entropy during seeding. (CVE-2010-1128) It was discovered that the PHP fnmatch() function did not restrict the length of the pattern argument. A remote attacker could use this flaw to crash the PHP interpreter where a script used fnmatch() on untrusted matching patterns. (CVE-2010-1917) A NULL pointer dereference flaw was discovered in the PHP XML-RPC extension. A malicious XML-RPC client or server could use this flaw to crash the PHP interpreter via a specially crafted XML-RPC request. (CVE-2010-0397) All php users should upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 50862
    published 2010-12-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50862
    title CentOS 4 / 5 : php (CESA-2010:0919)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-989-1.NASL
    description Auke van Slooten discovered that PHP incorrectly handled certain xmlrpc requests. An attacker could exploit this issue to cause the PHP server to crash, resulting in a denial of service. This issue only affected Ubuntu 6.06 LTS, 8.04 LTS, 9.04 and 9.10. (CVE-2010-0397) It was discovered that the pseudorandom number generator in PHP did not provide the expected entropy. An attacker could exploit this issue to predict values that were intended to be random, such as session cookies. This issue only affected Ubuntu 6.06 LTS, 8.04 LTS, 9.04 and 9.10. (CVE-2010-1128) It was discovered that PHP did not properly handle directory pathnames that lacked a trailing slash character. An attacker could exploit this issue to bypass safe_mode restrictions. This issue only affected Ubuntu 6.06 LTS, 8.04 LTS, 9.04 and 9.10. (CVE-2010-1129) Grzegorz Stachowiak discovered that the PHP session extension did not properly handle semicolon characters. An attacker could exploit this issue to bypass safe_mode restrictions. This issue only affected Ubuntu 8.04 LTS, 9.04 and 9.10. (CVE-2010-1130) Stefan Esser discovered that PHP incorrectly decoded remote HTTP chunked encoding streams. An attacker could exploit this issue to cause the PHP server to crash and possibly execute arbitrary code with application privileges. This issue only affected Ubuntu 10.04 LTS. (CVE-2010-1866) Mateusz Kocielski discovered that certain PHP SQLite functions incorrectly handled empty SQL queries. An attacker could exploit this issue to possibly execute arbitrary code with application privileges. (CVE-2010-1868) Mateusz Kocielski discovered that PHP incorrectly handled certain arguments to the fnmatch function. An attacker could exploit this flaw and cause the PHP server to consume all available stack memory, resulting in a denial of service. (CVE-2010-1917) Stefan Esser discovered that PHP incorrectly handled certain strings in the phar extension. An attacker could exploit this flaw to possibly view sensitive information. This issue only affected Ubuntu 10.04 LTS. (CVE-2010-2094, CVE-2010-2950) Stefan Esser discovered that PHP incorrectly handled deserialization of SPLObjectStorage objects. A remote attacker could exploit this issue to view sensitive information and possibly execute arbitrary code with application privileges. This issue only affected Ubuntu 8.04 LTS, 9.04, 9.10 and 10.04 LTS. (CVE-2010-2225) It was discovered that PHP incorrectly filtered error messages when limits for memory, execution time, or recursion were exceeded. A remote attacker could exploit this issue to possibly view sensitive information. (CVE-2010-2531) Stefan Esser discovered that the PHP session serializer incorrectly handled the PS_UNDEF_MARKER marker. An attacker could exploit this issue to alter arbitrary session variables. (CVE-2010-3065). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 49306
    published 2010-09-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=49306
    title Ubuntu 6.06 LTS / 8.04 LTS / 9.04 / 9.10 / 10.04 LTS : php5 vulnerabilities (USN-989-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_APACHE2-MOD_PHP5-7110.NASL
    description PHP was updated to version 5.2.14 to fix serveral security issues : - CVE-2010-1860 - CVE-2010-1862 - CVE-2010-1864 - CVE-2010-1914 - CVE-2010-1915 - CVE-2010-1917 - CVE-2010-2093 - CVE-2010-2094 - CVE-2010-2097 - CVE-2010-2100 - CVE-2010-2101 - CVE-2010-2190 - CVE-2010-2191 - CVE-2010-2225 - CVE-2010-2484 - CVE-2010-2531 - CVE-2010-3062 - CVE-2010-3063 - CVE-2010-3064 - CVE-2010-3065
    last seen 2018-09-01
    modified 2012-05-17
    plugin id 49830
    published 2010-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=49830
    title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 7110)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_3_APACHE2-MOD_PHP5-100812.NASL
    description PHP was updated to version 5.3.3 to fix serveral security issues. (CVE-2010-0397, CVE-2010-1860, CVE-2010-1862, CVE-2010-1864, CVE-2010-1866, CVE-2010-1914, CVE-2010-1915, CVE-2010-1917, CVE-2010-2093, CVE-2010-2094, CVE-2010-2097, CVE-2010-2100, CVE-2010-2101, CVE-2010-2190, CVE-2010-2191, CVE-2010-2225, CVE-2010-2531, CVE-2010-2950, CVE-2010-3062, CVE-2010-3063, CVE-2010-3064, CVE-2010-3065)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75429
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75429
    title openSUSE Security Update : apache2-mod_php5 (openSUSE-SU-2010:0599-1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201110-06.NASL
    description The remote host is affected by the vulnerability described in GLSA-201110-06 (PHP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details. Impact : A context-dependent attacker could execute arbitrary code, obtain sensitive information from process memory, bypass intended access restrictions, or cause a Denial of Service in various ways. A remote attacker could cause a Denial of Service in various ways, bypass spam detections, or bypass open_basedir restrictions. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 56459
    published 2011-10-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=56459
    title GLSA-201110-06 : PHP: Multiple vulnerabilities
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2010-140.NASL
    description This is a maintenance and security update that upgrades php to 5.3.3 for 2010.0/2010.1. Security Enhancements and Fixes in PHP 5.3.3 : - Rewrote var_export() to use smart_str rather than output buffering, prevents data disclosure if a fatal error occurs (CVE-2010-2531). - Fixed a possible resource destruction issues in shm_put_var(). - Fixed a possible information leak because of interruption of XOR operator. - Fixed a possible memory corruption because of unexpected call-time pass by refernce and following memory clobbering through callbacks. - Fixed a possible memory corruption in ArrayObject::uasort(). - Fixed a possible memory corruption in parse_str(). - Fixed a possible memory corruption in pack(). - Fixed a possible memory corruption in substr_replace(). - Fixed a possible memory corruption in addcslashes(). - Fixed a possible stack exhaustion inside fnmatch(). - Fixed a possible dechunking filter buffer overflow. - Fixed a possible arbitrary memory access inside sqlite extension. - Fixed string format validation inside phar extension. - Fixed handling of session variable serialization on certain prefix characters. - Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288). - Fixed SplObjectStorage unserialization problems (CVE-2010-2225). - Fixed possible buffer overflows in mysqlnd_list_fields, mysqlnd_change_user. - Fixed possible buffer overflows when handling error packets in mysqlnd. Additionally some of the third-party extensions and required dependencies has been upgraded and/or rebuilt for the new php version.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 48198
    published 2010-07-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=48198
    title Mandriva Linux Security Advisory : php (MDVSA-2010:140)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20101129_PHP_ON_SL4_X.NASL
    description An input validation flaw was discovered in the PHP session serializer. If a PHP script generated session variable names from untrusted user input, a remote attacker could use this flaw to inject an arbitrary variable into the PHP session. (CVE-2010-3065) An information leak flaw was discovered in the PHP var_export() function implementation. If some fatal error occurred during the execution of this function (such as the exhaustion of memory or script execution time limit), part of the function's output was sent to the user as script output, possibly leading to the disclosure of sensitive information. (CVE-2010-2531) A numeric truncation error and an input validation flaw were found in the way the PHP utf8_decode() function decoded partial multi-byte sequences for some multi-byte encodings, sending them to output without them being escaped. An attacker could use these flaws to perform a cross-site scripting attack. (CVE-2009-5016, CVE-2010-3870) It was discovered that the PHP lcg_value() function used insufficient entropy to seed the pseudo-random number generator. A remote attacker could possibly use this flaw to predict values returned by the function, which are used to generate session identifiers by default. This update changes the function's implementation to use more entropy during seeding. (CVE-2010-1128) It was discovered that the PHP fnmatch() function did not restrict the length of the pattern argument. A remote attacker could use this flaw to crash the PHP interpreter where a script used fnmatch() on untrusted matching patterns. (CVE-2010-1917) A NULL pointer dereference flaw was discovered in the PHP XML-RPC extension. A malicious XML-RPC client or server could use this flaw to crash the PHP interpreter via a specially crafted XML-RPC request. (CVE-2010-0397) After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60908
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60908
    title Scientific Linux Security Update : php on SL4.x, SL5.x i386/x86_64
  • NASL family CGI abuses
    NASL id PHP_5_3_3.NASL
    description According to its banner, the version of PHP 5.3 installed on the remote host is older than 5.3.3. Such versions may be affected by several security issues : - An error exists when processing invalid XML-RPC requests that can lead to a NULL pointer dereference. (bug #51288) (CVE-2010-0397) - An error exists in the function 'shm_put_var' that is related to resource destruction. - An error exists in the function 'fnmatch' that can lead to stack exhaustion. (CVE-2010-1917) - A memory corruption error exists related to call-time pass by reference and callbacks. - The dechunking filter is vulnerable to buffer overflow. - An error exists in the sqlite extension that could allow arbitrary memory access. - An error exists in the 'phar' extension related to string format validation. - The functions 'mysqlnd_list_fields' and 'mysqlnd_change_user' are vulnerable to buffer overflow. - The Mysqlnd extension is vulnerable to buffer overflow attack when handling error packets. - The following functions are not properly protected against function interruptions : addcslashes, chunk_split, html_entity_decode, iconv_mime_decode, iconv_substr, iconv_mime_encode, htmlentities, htmlspecialchars, str_getcsv, http_build_query, strpbrk, strtr, str_pad, str_word_count, wordwrap, strtok, setcookie, strip_tags, trim, ltrim, rtrim, substr_replace, parse_str, pack, unpack, uasort, preg_match, strrchr (CVE-2010-1860, CVE-2010-1862, CVE-2010-1864, CVE-2010-2097, CVE-2010-2100, CVE-2010-2101, CVE-2010-2190, CVE-2010-2191, CVE-2010-2484) - The following opcodes are not properly protected against function interruptions : ZEND_CONCAT, ZEND_ASSIGN_CONCAT, ZEND_FETCH_RW, XOR (CVE-2010-2191) - The default session serializer contains an error that can be exploited when assigning session variables having user defined names. Arbitrary serialized values can be injected into sessions by including the PS_UNDEF_MARKER, '!', character in variable names. - A use-after-free error exists in the function 'spl_object_storage_attach'. (CVE-2010-2225) - An information disclosure vulnerability exists in the function 'var_export' when handling certain error conditions. (CVE-2010-2531)
    last seen 2019-02-21
    modified 2018-09-17
    plugin id 48245
    published 2010-08-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=48245
    title PHP 5.3 < 5.3.3 Multiple Vulnerabilities
  • NASL family Web Servers
    NASL id HPSMH_6_3_0_22.NASL
    description According to the web server's banner, the version of HP System Management Homepage (SMH) hosted on the remote host is earlier than 6.3. Such versions are reportedly affected by the following vulnerabilities : - An error exists in the function 'fnmatch' in the bundled version of PHP that can lead to stack exhaustion. (CVE-2010-1917) - An information disclosure vulnerability exists in the 'var_export' function in the bundled version of PHP that can be triggered when handling certain error conditions. (CVE-2010-2531) - A double free vulnerability in the 'ssl3_get_key_exchange()' function in the third-party OpenSSL library could be abused to crash the application. (CVE-2010-2939) - A format string vulnerability in the phar extension in the bundled version of PHP could lead to the disclosure of memory contents and possibly allow execution of arbitrary code via a specially crafted 'phar://' URI. (CVE-2010-2950) - A NULL pointer dereference in 'ZipArchive::getArchiveComment' included with the bundled version of PHP can be abused to crash the application. (CVE-2010-3709) - The bundled version of libxml2 may read from invalid memory locations when processing malformed XPath expressions, resulting in an application crash. (CVE-2010-4008) - An error in the 'mb_strcut()' function in the bundled version of PHP can be exploited by passing a large 'length' parameter to disclose potentially sensitive information from the heap. (CVE-2010-4156) - An as-yet unspecified remote code execution vulnerability could allow an authenticated user to execute arbitrary code with system privileges. (CVE-2011-1540) - An as-yet unspecified, unauthorized access vulnerability could lead to a complete system compromise. (CVE-2011-1541)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 53532
    published 2011-04-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=53532
    title HP System Management Homepage < 6.3 Multiple Vulnerabilities
redhat via4
advisories
rhsa
id RHSA-2010:0919
rpms
  • php-0:4.3.9-3.31
  • php-devel-0:4.3.9-3.31
  • php-domxml-0:4.3.9-3.31
  • php-gd-0:4.3.9-3.31
  • php-imap-0:4.3.9-3.31
  • php-ldap-0:4.3.9-3.31
  • php-mbstring-0:4.3.9-3.31
  • php-mysql-0:4.3.9-3.31
  • php-ncurses-0:4.3.9-3.31
  • php-odbc-0:4.3.9-3.31
  • php-pear-0:4.3.9-3.31
  • php-pgsql-0:4.3.9-3.31
  • php-snmp-0:4.3.9-3.31
  • php-xmlrpc-0:4.3.9-3.31
  • php-0:5.1.6-27.el5_5.3
  • php-bcmath-0:5.1.6-27.el5_5.3
  • php-cli-0:5.1.6-27.el5_5.3
  • php-common-0:5.1.6-27.el5_5.3
  • php-dba-0:5.1.6-27.el5_5.3
  • php-devel-0:5.1.6-27.el5_5.3
  • php-gd-0:5.1.6-27.el5_5.3
  • php-imap-0:5.1.6-27.el5_5.3
  • php-ldap-0:5.1.6-27.el5_5.3
  • php-mbstring-0:5.1.6-27.el5_5.3
  • php-mysql-0:5.1.6-27.el5_5.3
  • php-ncurses-0:5.1.6-27.el5_5.3
  • php-odbc-0:5.1.6-27.el5_5.3
  • php-pdo-0:5.1.6-27.el5_5.3
  • php-pgsql-0:5.1.6-27.el5_5.3
  • php-snmp-0:5.1.6-27.el5_5.3
  • php-soap-0:5.1.6-27.el5_5.3
  • php-xml-0:5.1.6-27.el5_5.3
  • php-xmlrpc-0:5.1.6-27.el5_5.3
refmap via4
apple
  • APPLE-SA-2010-08-24-1
  • APPLE-SA-2010-11-10-1
confirm
debian DSA-2266
hp
  • HPSBMA02662
  • HPSBOV02763
  • SSRT100409
  • SSRT100826
mlist
  • [oss-security] 20100713 CVE request, php var_export
  • [oss-security] 20100716 Re: Re: CVE request, php var_export
secunia 42410
suse
  • SUSE-SR:2010:017
  • SUSE-SR:2010:018
vupen ADV-2010-3081
Last major update 22-08-2016 - 22:01
Published 20-08-2010 - 18:00
Back to Top