The Month of PHP Security

November 9, 2012

About

This initiative continues the effort of Hardened-PHP's Month of PHP Bugs in 2007 to improve the security of PHP and the PHP ecosystem by disclosing vulnerabilities in PHP and PHP applications on the one hand and on the other hand by publishing articles and tools that help PHP application developers to develop more secure PHP applications. (SektionEins GmbH, 2010).

Winners of the Month of PHP Security

June 10th, 2010

The Month of PHP Security is over and the MOPS CFP Committee has made a final decision about the ranking of the articles and tools submitted to us. And the winners are…

May 21st, 2010

On 18th of June 2010 Stefan Esser will present his PHP memory corruption exploitation talk at SyScan Singapore ‘10. The talk is about returning into the PHP interpreter from a remotely triggered memory corruption vulnerability in PHP. The vulnerability discussed will not be disclosed to the public during the Month of PHP Security.


Articles / Tools

Date Title Description

May 31st

As a last-minute addition to the Month of PHP Security we present an article by Ben Fuhrmannek about virtual meta-scripting bytecode for PHP and JavaScript.

May 26th

MOPS Submission 10: How to manage a PHP application’s users and passwords

It is time to present the tenth and last external MOPS submission. It is an article by Solar Designer describing at length how to manage a PHP application’s users and passwords.

May 24th

MOPS Submission 09: RIPS – A static source code analyser for vulnerabilities in PHP scripts

During the last hours of the CFP we received the following MOPS submission by Johannes Dahse. It is a static code analysis tool for PHP based on the tokenizer extension.

May 22nd

MOPS Submission 08: Configuration Encryption Patch for Suhosin

Today it is time to present the eighth external MOPS submission. It is an article by Juergen Pabel describing a new feature for the Suhosin Extension that allows encrypting configuration strings.

May 20th

MOPS Submission 07: Our Dynamic PHP – Obvious and not so obvious PHP code injection and evaluation

Today we want to present the seventh external MOPS submission. It is an article about usual and unusual PHP code execution vulnerabilities sent in by Arthur Gerkis.

May 17th

MOPS Submission 06: Variable Initialization in PHP

Today we want to present the sixth external MOPS submission. It is the second article sent in by Jakub Vrana. This one is about variable initialization in PHP.

May 13th

Article: Decoding a User Space Encoded PHP Script

Today we present a short article about how to decode a PHP file encoded with the php-crypt.com PHP encoder. This article was written today by after having seen an advertisement for php-crypt in the Xing PHP Development Forum.

May 11th

MOPS Submission 05 – The Minerva PHP Fuzzer

Today it is time for the fifth external MOPS submission. It is the second submission by Mateusz Kocielski, an article about his PHP fuzzer called Minerva.

May 9th

MOPS Submission 04 – Generating Unpredictable Session IDs and Hashes

Today we want to present the fourth external MOPS submission. It was submitted by Jordi Boggiano and explains how to generate unpredictable session ids and hashes in PHP.

May 7th

MOPS Submission 03 – sqlite_single_query(), sqlite_array_query() Uninitialized Memory Usage

Today we want to present the third external MOPS submission. It is the first of two submissions sent in by Mateusz Kocielski. This one is a detailed explanation about how to exploit the sqlite_single_query() and sqlite_array_query() uninitialized memory usage.

May 5th

MOPS Submission 02 – Context-aware HTML escaping

Today we want to present the second external MOPS submission. It is one of two articles sent in by . This one is about context-aware HTML escaping in PHP.

May 3rd

MOPS Submission 01 – A New Open Source Tool: OWASP ESAPI for PHP

Today we want to present the first external MOPS submission. It was sent in by Mike Boberski on behalf of the OWASP ESAPI development team. It is an article about their OWASP ESAPI for PHP.

May 1st

Article: PHP Web Security

This article is the first part of the HTML version of SektionEins GmbH’s PHP Web Security Poster. You can download an outdated PDF version here.

Bugs

# Date Title Description

61

June 25th

PHP SplObjectStorage Deserialization Use-After-Free Vulnerability

A use-after-free vulnerability was discovered in the deserialization of SplObjectStorage objects that can be abused for leaking arbitrary memory blocks or executing arbitrary code remotely.

60

May 31st

PHP Session Serializer Session Data Injection Vulnerability

PHP’s default session serializer wrongly handles the PS_UNDEF_MARKER character.

59

May 31st

PHP php_mysqlnd_auth_write() Stack Buffer Overflow Vulnerability

PHP’s php_mysqlnd_auth_write() does not check user supplied values which can result in a stack based buffer overflow.

58

May 31st

PHP php_mysqlnd_read_error_from_line() Buffer Overflow Vulnerability

PHP’s php_mysqlnd_read_error_from_line() trusts network data which can result in a heap based buffer overflow.

57

May 31st

PHP php_mysqlnd_rset_header_read() Buffer Overflow Vulnerability

PHP’s php_mysqlnd_rset_header_read() trusts network data which can result in a heap based buffer overflow.

56

May 31st

PHP php_mysqlnd_ok_read() Information Leak Vulnerability

PHP’s php_mysqlnd_ok_read() trusts network data which can result in a heap information leak.

55

May 31st

PHP ArrayObject::uasort() Interruption Memory Corruption Vulnerability

PHP’s ArrayObject::uasort() method can be interrupted and used for memory corruption attacks.

54

May 31st

PHP ZEND_CONCAT/ZEND_ASSIGN_CONCAT Opcode Interruption Information Leak and Memory Corruption Vulnerability

PHP’s ZEND_CONCAT/ZEND_ASSIGN_CONCAT opcodes can be abused for information leakage or memory corruption by a userspace error handler interruption attack. This can be leveraged to execute arbitrary code.

53

May 31st

PHP ZEND_FETCH_RW Opcode Interruption Information Leak Vulnerability

PHP’s ZEND_FETCH_RW opcode can be abused for information leakage by a userspace error handler interruption attack.

52

May 31st

PHP pack() Interruption Information Leak Vulnerability

PHP’s pack() function can be interrupted and used for information leakage due to call time pass by reference.

51

May 31st

PHP unpack() Interruption Information Leak Vulnerability

PHP’s unpack() function can be interrupted and used for information leakage due to call time pass by reference.

50

May 31st

PHP preg_match() Interruption Information Leak Vulnerability

PHP’s preg_match() function can be interrupted by an object destructor causing information leaks due to call time pass by reference.

49

May 31st

PHP parse_str() Interruption Memory Corruption Vulnerability

PHP’s parse_str() function can be interrupted by deeply nested arrays which can lead to memory corruption and arbitrary code execution.

48

May 30th

PHP substr_replace() Interruption Information Leak Vulnerability

PHP’s substr_replace() function can be abused for information leak attacks, because of the call time pass by reference feature.

47

May 30th

PHP trim()/ltrim()/rtrim() Interruption Information Leak Vulnerability

PHP’s trim()/ltrim()/rtrim() functions can be abused for information leak attacks, because of the call time pass by reference feature.

46

May 26th

PHP str_pad() Interruption Information Leak Vulnerability

PHP’s str_pad() function can be abused for information leak attacks, because of the call time pass by reference feature.

45

May 26th

PHP str_word_count() Interruption Information Leak Vulnerability

PHP’s str_word_count() function can be abused for information leak attacks, because of the call time pass by reference feature.

44

May 26th

PHP wordwrap() Interruption Information Leak Vulnerability

PHP’s wordwrap() function can be abused for information leak attacks, because of the call time pass by reference feature.

43

May 26th

PHP strtok() Interruption Information Leak Vulnerability

PHP’s strtok() function can be abused for information leak attacks, because of the call time pass by reference feature.

42

May 26th

PHP setcookie() Interruption Information Leak Vulnerability

PHP’s setcookie() function can be abused for information leak attacks, because of the call time pass by reference feature.

41

May 26th

PHP strip_tags() Interruption Information Leak Vulnerability

PHP’s strip_tags() function can be abused for information leak attacks, because of the call time pass by reference feature.

40

May 21st

PHP strtr() Interruption Information Leak Vulnerability

PHP’s strtr() function can be abused for information leak attacks, similar to all the other interruption exploits. However the interruption is not triggered inside the zend_parse_parameters() function and therefore another fix is required.

39

May 21st

PHP strpbrk() Interruption Information Leak Vulnerability

PHP’s strpbrk() function can be abused for information leak attacks, because of the call time pass by reference feature.

38

May 21st

PHP http_build_query() Interruption Information Leak Vulnerability

PHP’s http_build_query() function can be abused for information leak attacks, because of the call time pass by reference feature.

37

May 21st

PHP str_getcsv() Interruption Information Leak Vulnerability

PHP’s str_getcsv() function can be abused for information leak attacks, because of the call time pass by reference feature.

36

May 21st

PHP htmlentities() and htmlspecialchars() Interruption Information Leak Vulnerability

PHP’s htmlentities() and htmlspecialchars() functions can be abused for information leak attacks, because of the call time pass by reference feature.

35

May 19th

e107 BBCode Remote PHP Code Execution Vulnerability

It was discovered that access control to the [php] bbcode, which allows executing PHP code, is wrongly implemented in e107. This allows unauthenticated users to execute arbitrary PHP code easily.

34

May 18th

PHP iconv_mime_encode() Interruption Information Leak Vulnerability

PHP’s iconv_mime_encode() function can be abused for information leak attacks, because of the call time pass by reference feature. This vulnerability also demonstrates that fixing zend_parse_parameters() is not enough to kill some of these vulnerabilities.

33

May 18th

PHP iconv_substr() Interruption Information Leak Vulnerability

PHP’s iconv_substr() function can be abused for information leak attacks, because of the call time pass by reference feature.

32

May 18th

PHP iconv_mime_decode() Interruption Information Leak Vulnerability

PHP’s iconv_mime_decode() function can be abused for information leak attacks, because of the call time pass by reference feature.

31

May 16th

e107 Usersettings loginname SQL Injection Vulnerability (UPDATED)

An SQL Injection vulnerability was discovered in the user settings dialog of e107 that allows any user to become an admin easily.

30

May 15th

CMSQlite mod Parameter Local File Inclusion Vulnerability

A local file inclusion vulnerability was discovered in CMSQlite that might allow remote PHP code execution.

29

May 15th

CMSQlite c Parameter SQL Injection Vulnerability

An SQL Injection vulnerability was discovered in CMSQlite that allows retrieving all data from the database.

28

May 14th

PHP phar_wrapper_open_url Format String Vulnerabilities

The new phar extension in PHP 5.3 contains several format string vulnerabilities in 大闸蟹 internal phar_wrapper_open_url() function.

27

May 14th

PHP phar_parse_url Format String Vulnerabilities

The new phar extension in PHP 5.3 contains several format string vulnerabilities in 大闸蟹 internal phar_parse_url() function.

26

May 14th

PHP phar_wrapper_unlink Format String Vulnerability

The new phar extension in PHP 5.3 contains a format string vulnerability in 大闸蟹 internal phar_wrapper_unlink() function.

25

May 14th

PHP phar_wrapper_open_dir Format String Vulnerability

The new phar extension in PHP 5.3 contains a format string vulnerability in 大闸蟹 internal phar_wrapper_open_dir() function.

24

May 14th

PHP phar_stream_flush Format String Vulnerability

The new phar extension in PHP 5.3 contains a format string vulnerability in 大闸蟹 internal phar_stream_flush() function.

23

May 13th

Cacti Graph Viewer SQL Injection Vulnerability

An SQL Injection vulnerability was discovered in Cacti that allows retrieving all data from the database. In Cacti installations with publicly viewable graphs this vulnerability is a pre-auth SQL injection vulnerability.

22

May 12th

PHP Stream Context Use After Free on Request Shutdown Vulnerability

PHP uses the stream context during stream destruction, although it was already freed in the request shutdown before.

21

May 11th

PHP fnmatch() Stack Exhaustion Vulnerability

PHP’s fnmatch() function can be used to crash PHP through a stack exhaustion attack.

20

May 10th

Xinha WYSIWYG Plugin Configuration Injection Vulnerability

A preauth plugin configuration injection vulnerability was discovered in the WYSIWYG editor Xinha that allows e.g. uploading arbitrary PHP files to the webserver.

19

May 10th

Serendipity WYSIWYG Editor Plugin Configuration Injection Vulnerability

A preauth plugin configuration injection vulnerability was discovered in the WYSIWYG editor (Xinha) bundled with Serendipity Weblog that allows e.g. uploading arbitrary PHP files to the webserver.

18

May 9th

EFront ask_chat chatrooms_ID SQL Injection Vulnerability

A preauth SQL injection vulnerability was discovered in the chat feature of EFront that allows retrieving all data from the database by simple URL manipulation.

17

May 9th

PHP preg_quote() Interruption Information Leak Vulnerability

PHP’s preg_quote() function can be abused for information leak attacks, because of the call time pass by reference feature.

16

May 8th

PHP ZEND_SR Opcode Interruption Address Information Leak Vulnerability

PHP’s ZEND_SR opcode can be abused for address information leak attacks by a userspace error handler interruption attack.

15

May 8th

PHP ZEND_SL Opcode Interruption Address Information Leak Vulnerability

PHP’s ZEND_SL opcode can be abused for address information leak attacks by a userspace error handler interruption attack.

14

May 8th

PHP ZEND_BW_XOR Opcode Interruption Address Information Leak Vulnerability

PHP’s ZEND_BW_XOR opcode can be abused for address information leak attacks by a userspace error handler interruption attack.

13

May 7th

PHP sqlite_array_query() Uninitialized Memory Usage Vulnerability

PHP’s sqlite_array_query() function will use uninitialized memory if it is used with an empty SQL query. This can lead to arbitrary code execution.

12

May 7th

PHP sqlite_single_query() Uninitialized Memory Usage Vulnerability

PHP’s sqlite_single_query() function will use uninitialized memory if it is used with an empty SQL query. This can lead to arbitrary code execution.

11

May 6th

DeluxeBB newthread SQL Injection Vulnerability

An SQL injection vulnerability was discovered in DeluxeBB that allows retrieving all the data from the database by adding new threads to the forum.

10

May 6th

PHP html_entity_decode() Interruption Information Leak Vulnerability

PHP’s html_entity_decode() function can be abused for information leak attacks, because of the call time pass by reference feature.

9

May 5th

PHP shm_put_var() Already Freed Resource Access Vulnerability

When PHP’s shm_put_var() function is interrupted by an object’s __sleep() function it can destroy the shm resource used by this function which allows to write an arbitrary memory address.

8

May 4th

PHP chunk_split() Interruption Information Leak Vulnerability

PHP’s chunk_split() function can be abused for information leak attacks, because of the call time pass by reference feature.

7

May 4th

ClanTiger Shoutbox Module s_email SQL Injection vulnerability

An SQL injection vulnerability was discovered in the shoutbox module of ClanTiger that allows retrieving all the data from the database.

6

May 3rd

PHP addcslashes() Interruption Information Leak Vulnerability

PHP’s addcslashes() function can be abused for information leak attacks, because of the call time pass by reference feature.

5

May 3rd

ClanSphere MySQL Driver Generic SQL Injection Vulnerability

A generic SQL Injection vulnerability was discovered in the MySQL Driver of ClanSphere that allows exploiting a lot of otherwise safe SQL queries.

4

May 3rd

ClanSphere Captcha Generator Blind SQL Injection Vulnerability

An SQL Injection vulnerability was discovered in the Captcha generator of ClanSphere that allows retrieving all the data from the database.

3

May 2nd

PHP dechunk Filter Signed Comparison Vulnerability

PHP’s dechunk filter, which can be used to decode remote HTTP chunked encoding streams, performs a signed comparison of the chunk size against the space in the buffer. A negative number will result in far too many bytes (2GB – 4GB) being copied between heap buffers, which results in a crash.
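The dechunk entry above and the php_mysqlnd_* entries (#56 to #59) share one root cause: a length taken from the network is compared against the available space in the wrong type, or not at all. The C program below is an added illustration written for this page, not code from PHP, from the dechunk filter or from the MOPS advisories; the function names, the error codes and the sample chunked bodies are all constructed here. It models the defect on a minimal HTTP chunked-transfer decoder: the vulnerable check keeps the chunk size in a signed int, so a size line of "ffffffff" becomes -1, "-1 > space" is false, and the length that memcpy() would receive is (size_t)-1. The hardened decoder parses the size into an unsigned size_t with overflow detection and rejects any chunk larger than the remaining input or the remaining output buffer before copying a byte.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ---- The defect, modelled (hypothetical code, not PHP's) ----------------
 * The chunk size lands in a signed int and is compared as a signed value.
 * "ffffffff" truncates to -1, the check "-1 > space" is false, and the copy
 * length becomes (size_t)-1: 4 GB on 32-bit, 16 EB on 64-bit.  The function
 * reports what memcpy() would be given instead of performing the copy. */
static int vuln_chunk_copy_len(const char *sizeline, int space, size_t *copy_len)
{
    int chunk_size = (int)strtoul(sizeline, NULL, 16); /* truncates to signed */
    if (chunk_size > space)          /* signed comparison: a negative size passes */
        return 0;                    /* rejected */
    *copy_len = (size_t)chunk_size;  /* memcpy(dst, src, *copy_len) would follow */
    return 1;                        /* accepted */
}

/* ---- The hardened decoder ---------------------------------------------- */
enum { DECHUNK_OK = 0, DECHUNK_BAD_SIZE = -1, DECHUNK_TRUNCATED = -2, DECHUNK_NO_SPACE = -3 };

/* Parse a hex chunk size into an unsigned size_t, refusing values that would
 * not fit.  Returns the number of hex digits consumed, or 0 on error. */
static size_t parse_chunk_size(const char *p, const char *end, size_t *size)
{
    size_t n = 0, v = 0;
    while (p + n < end && isxdigit((unsigned char)p[n])) {
        unsigned char c = (unsigned char)p[n];
        size_t d = isdigit(c) ? (size_t)(c - '0') : (size_t)(tolower(c) - 'a' + 10);
        if (v > (SIZE_MAX - d) / 16)
            return 0;                /* v * 16 + d would wrap around */
        v = v * 16 + d;
        n++;
    }
    if (n == 0)
        return 0;
    *size = v;
    return n;
}

/* Decode a chunked body from in[0..in_len) into out[0..out_cap).  Each chunk
 * size is checked against the remaining input and the remaining output space
 * before anything is copied; trailers after the final 0 chunk are ignored. */
int dechunk_safe(const char *in, size_t in_len, char *out, size_t out_cap, size_t *out_len)
{
    const char *p = in, *end = in + in_len;
    size_t used = 0;

    for (;;) {
        size_t size, n = parse_chunk_size(p, end, &size);
        if (n == 0)
            return DECHUNK_BAD_SIZE;
        p += n;
        while (p < end && *p != '\r')    /* skip an optional ";name=value" chunk extension */
            p++;
        if (end - p < 2 || p[0] != '\r' || p[1] != '\n')
            return DECHUNK_TRUNCATED;
        p += 2;
        if (size == 0) {                 /* last chunk */
            *out_len = used;
            return DECHUNK_OK;
        }
        if (size > (size_t)(end - p))    /* unsigned compare: a huge size cannot pass */
            return DECHUNK_TRUNCATED;
        if (size > out_cap - used)
            return DECHUNK_NO_SPACE;
        memcpy(out + used, p, size);
        used += size;
        p += size;
        if (end - p < 2 || p[0] != '\r' || p[1] != '\n')
            return DECHUNK_TRUNCATED;
        p += 2;
    }
}

/* Constructed sample bodies (not captured traffic). */
static const char CHUNKED_OK[]  = "4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n";
static const char CHUNKED_NEG[] = "ffffffff\r\nAAAA\r\n0\r\n\r\n";

int main(void)
{
    char out[64];
    size_t n = 0, len = 0;

    printf("safe decode: rc=%d", dechunk_safe(CHUNKED_OK, sizeof CHUNKED_OK - 1, out, sizeof out, &n));
    printf(" -> %.*s\n", (int)n, out);
    printf("safe decode of ffffffff chunk: rc=%d\n",
           dechunk_safe(CHUNKED_NEG, sizeof CHUNKED_NEG - 1, out, sizeof out, &n));
    if (vuln_chunk_copy_len("ffffffff\r\n", 8192, &len))
        printf("vulnerable check accepted a %zu-byte copy into 8192 bytes of space\n", len);
    return 0;
}
```

The same discipline applies to the mysqlnd packet readers: a length field read off the wire is an attacker-controlled size_t, never an int, and it must be bounded by what was actually received and by the destination buffer before it reaches memcpy().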

2

May 1st

Campsite TinyMCE Article Attachment SQL Injection Vulnerability

An SQL Injection vulnerability was discovered in the TinyMCE custom article attachment plugin within Campsite that allows retrieving all data from the database.

1

May 1st

PHP hash_update_file() Already Freed Resource Access Vulnerability

During Month of PHP Bugs in 2007 the same vulnerability was already disclosed to the general public. Because the issue remained unfixed for three years the Month of PHP Security 2010 starts with this old unfixed vulnerability.
