The Month of PHP Security
About
This initiative continues the effort of Hardened-PHP's Month of PHP Bugs in 2007 to improve the security of PHP and
the PHP ecosystem: on the one hand by disclosing vulnerabilities in PHP and PHP applications, and on the other hand
by publishing articles and tools that help PHP application developers develop more secure PHP applications.
(SektionEins GmbH, 2010).
Winners of the Month of PHP Security
June 10th, 2010
The Month of PHP Security is over and the MOPS CFP Committee has made a final decision about the ranking of the articles and tools submitted to us. And the winners are…
May 21st, 2010
On 18th of June 2010 Stefan Esser will present his PHP memory corruption exploitation talk at SyScan Singapore ’10. The talk is about returning into the PHP interpreter from a remotely triggered memory corruption vulnerability in PHP. The vulnerability discussed will not be disclosed to the public during the Month of PHP Security.
Articles / Tools
May 31st
As a last-minute addition to the Month of PHP Security we present an article by Ben Fuhrmannek about virtual meta-scripting bytecode for PHP and JavaScript.
May 26th
MOPS Submission 10: How to manage a PHP application’s users and passwords
It is time to present you the tenth and last external MOPS submission. It is an article by Solar Designer describing at length how to manage a PHP application’s users and passwords.
May 24th
MOPS Submission 09: RIPS – A static source code analyser for vulnerabilities in PHP scripts
During the last hours of the CFP we received the following MOPS submission by Johannes Dahse. It is a static code analysis tool for PHP based on the tokenizer extension.
May 22nd
MOPS Submission 08: Configuration Encryption Patch for Suhosin
Today it is time to present you the eighth external MOPS submission. It is an article by Juergen Pabel describing a new feature for the Suhosin Extension that allows encrypting configuration strings.
May 20th
MOPS Submission 07: Our Dynamic PHP – Obvious and not so obvious PHP code injection and evaluation
Today we want to present you the seventh external MOPS submission. It is an article about usual and unusual PHP code execution vulnerabilities sent in by Arthur Gerkis.
May 17th
MOPS Submission 06: Variable Initialization in PHP
Today we want to present you the sixth external MOPS submission. It is the second article sent in by Jakub Vrana. This one is about variable initialization in PHP.
May 13th
Article: Decoding a User Space Encoded PHP Script
Today we present you a short article about how to decode a PHP file encoded with the php-crypt.com PHP encoder. This article was written today by after having seen an advertisement for php-crypt in the Xing PHP Development Forum.
May 11th
MOPS Submission 05 – The Minerva PHP Fuzzer
Today it is time for the fifth external MOPS submission. It is the second submission by Mateusz Kocielski, an article about his PHP fuzzer called Minerva.
May 9th
MOPS Submission 04 – Generating Unpredictable Session IDs and Hashes
Today we want to present you the fourth external MOPS submission. It was submitted by Jordi Boggiano and explains how to generate unpredictable session ids and hashes in PHP.
May 7th
MOPS Submission 03 – sqlite_single_query(), sqlite_array_query() Uninitialized Memory Usage
Today we want to present you the third external MOPS submission. It is the first of two submissions sent in by Mateusz Kocielski. This one is a detailed explanation about how to exploit the sqlite_single_query() and sqlite_array_query() uninitialized memory usage.
May 5th
MOPS Submission 02 – Context-aware HTML escaping
Today we want to present you the second external MOPS submission. It is one of two articles sent in by . This one is about context-aware HTML escaping in PHP.
May 3rd
MOPS Submission 01 – A New Open Source Tool: OWASP ESAPI for PHP
Today we want to present you the first external MOPS submission. It was sent in by Mike Boberski on behalf of the OWASP ESAPI development team. It is an article about their OWASP ESAPI for PHP.
May 1st
Article: PHP Web Security
This article is the first part of the HTML version of SektionEins GmbH’s PHP Web Security Poster. You can download an outdated PDF version here.
Bugs
61
June 25th
PHP SplObjectStorage Deserialization Use-After-Free Vulnerability
A use-after-free vulnerability was discovered in the deserialization of SplObjectStorage objects that can be abused for leaking arbitrary memory blocks or executing arbitrary code remotely.
60
May 31st
PHP Session Serializer Session Data Injection Vulnerability
PHP’s default session serializer wrongly handles the PS_UNDEF_MARKER character.
59
May 31st
PHP php_mysqlnd_auth_write() Stack Buffer Overflow Vulnerability
PHP’s php_mysqlnd_auth_write() does not check user-supplied values, which can result in a stack-based buffer overflow.
58
May 31st
PHP php_mysqlnd_read_error_from_line() Buffer Overflow Vulnerability
PHP’s php_mysqlnd_read_error_from_line() trusts network data, which can result in a heap-based buffer overflow.
57
May 31st
PHP php_mysqlnd_rset_header_read() Buffer Overflow Vulnerability
PHP’s php_mysqlnd_rset_header_read() trusts network data, which can result in a heap-based buffer overflow.
56
May 31st
PHP php_mysqlnd_ok_read() Information Leak Vulnerability
PHP’s php_mysqlnd_ok_read() trusts network data, which can result in a heap information leak.
55
May 31st
PHP ArrayObject::uasort() Interruption Memory Corruption Vulnerability
PHP’s ArrayObject::uasort() method can be interrupted and used for memory corruption attacks.
54
May 31st
PHP ZEND_CONCAT/ZEND_ASSIGN_CONCAT Opcode Interruption Information Leak and Memory Corruption Vulnerability
PHP’s ZEND_CONCAT/ZEND_ASSIGN_CONCAT opcodes can be abused for information leakage or memory corruption by a userspace error handler interruption attack. This can be leveraged to execute arbitrary code.
53
May 31st
PHP ZEND_FETCH_RW Opcode Interruption Information Leak Vulnerability
PHP’s ZEND_FETCH_RW opcode can be abused for information leakage by a userspace error handler interruption attack.
52
May 31st
PHP pack() Interruption Information Leak Vulnerability
PHP’s pack() function can be interrupted and used for information leakage due to call time pass by reference.
51
May 31st
PHP unpack() Interruption Information Leak Vulnerability
PHP’s unpack() function can be interrupted and used for information leakage due to call time pass by reference.
50
May 31st
PHP preg_match() Interruption Information Leak Vulnerability
PHP’s preg_match() function can be interrupted by an object destructor causing information leaks due to call time pass by reference.
49
May 31st
PHP parse_str() Interruption Memory Corruption Vulnerability
PHP’s parse_str() function can be interrupted by deeply nested arrays which can lead to memory corruption and arbitrary code execution.
48
May 30th
PHP substr_replace() Interruption Information Leak Vulnerability
PHP’s substr_replace() function can be abused for information leak attacks, because of the call time pass by reference feature.
47
May 30th
PHP trim()/ltrim()/rtrim() Interruption Information Leak Vulnerability
PHP’s trim()/ltrim()/rtrim() functions can be abused for information leak attacks, because of the call time pass by reference feature.
46
May 26th
PHP str_pad() Interruption Information Leak Vulnerability
PHP’s str_pad() function can be abused for information leak attacks, because of the call time pass by reference feature.
45
May 26th
PHP str_word_count() Interruption Information Leak Vulnerability
PHP’s str_word_count() function can be abused for information leak attacks, because of the call time pass by reference feature.
44
May 26th
PHP wordwrap() Interruption Information Leak Vulnerability
PHP’s wordwrap() function can be abused for information leak attacks, because of the call time pass by reference feature.
43
May 26th
PHP strtok() Interruption Information Leak Vulnerability
PHP’s strtok() function can be abused for information leak attacks, because of the call time pass by reference feature.
42
May 26th
PHP setcookie() Interruption Information Leak Vulnerability
PHP’s setcookie() function can be abused for information leak attacks, because of the call time pass by reference feature.
41
May 26th
PHP strip_tags() Interruption Information Leak Vulnerability
PHP’s strip_tags() function can be abused for information leak attacks, because of the call time pass by reference feature.
40
May 21st
PHP strtr() Interruption Information Leak Vulnerability
PHP’s strtr() function can be abused for information leak attacks, similar to all the other interruption exploits. However, the interruption is not triggered inside the zend_parse_parameters() function and therefore another fix is required.
39
May 21st
PHP strpbrk() Interruption Information Leak Vulnerability
PHP’s strpbrk() function can be abused for information leak attacks, because of the call time pass by reference feature.
38
May 21st
PHP http_build_query() Interruption Information Leak Vulnerability
PHP’s http_build_query() function can be abused for information leak attacks, because of the call time pass by reference feature.
37
May 21st
PHP str_getcsv() Interruption Information Leak Vulnerability
PHP’s str_getcsv() function can be abused for information leak attacks, because of the call time pass by reference feature.
36
May 21st
PHP htmlentities() and htmlspecialchars() Interruption Information Leak Vulnerability
PHP’s htmlentities() and htmlspecialchars() functions can be abused for information leak attacks, because of the call time pass by reference feature.
35
May 19th
e107 BBCode Remote PHP Code Execution Vulnerability
It was discovered that access control to the [php] bbcode which allows executing PHP code is wrongly implemented in e107. This allows unauthenticated users to execute arbitrary PHP code easily.
34
May 18th
PHP iconv_mime_encode() Interruption Information Leak Vulnerability
PHP’s iconv_mime_encode() function can be abused for information leak attacks, because of the call time pass by reference feature. This vulnerability also demonstrates that fixing zend_parse_parameters() is not enough to kill some of these vulnerabilities.
33
May 18th
PHP iconv_substr() Interruption Information Leak Vulnerability
PHP’s iconv_substr() function can be abused for information leak attacks, because of the call time pass by reference feature.
32
May 18th
PHP iconv_mime_decode() Interruption Information Leak Vulnerability
PHP’s iconv_mime_decode() function can be abused for information leak attacks, because of the call time pass by reference feature.
31
May 16th
e107 Usersettings loginname SQL Injection Vulnerability (UPDATED)
An SQL Injection vulnerability was discovered in the user settings dialog of e107 that allows any user to become an admin easily.
30
May 15th
CMSQlite mod Parameter Local File Inclusion Vulnerability
A local file inclusion vulnerability was discovered in CMSQlite that might allow remote PHP code execution.
29
May 15th
CMSQlite c Parameter SQL Injection Vulnerability
An SQL Injection vulnerability was discovered in CMSQlite that allows retrieving all data from the database.
28
May 14th
PHP phar_wrapper_open_url Format String Vulnerabilities
The new phar extension in PHP 5.3 contains several format string vulnerabilities in the internal phar_wrapper_open_url() function.
27
May 14th
PHP phar_parse_url Format String Vulnerabilities
The new phar extension in PHP 5.3 contains several format string vulnerabilities in the internal phar_parse_url() function.
26
May 14th
PHP phar_wrapper_unlink Format String Vulnerability
The new phar extension in PHP 5.3 contains a format string vulnerability in the internal phar_wrapper_unlink() function.
25
May 14th
PHP phar_wrapper_open_dir Format String Vulnerability
The new phar extension in PHP 5.3 contains a format string vulnerability in the internal phar_wrapper_open_dir() function.
24
May 14th
PHP phar_stream_flush Format String Vulnerability
The new phar extension in PHP 5.3 contains a format string vulnerability in the internal phar_stream_flush() function.
23
May 13th
Cacti Graph Viewer SQL Injection Vulnerability
An SQL Injection vulnerability was discovered in Cacti that allows retrieving all data from the database. In Cacti installations with publicly viewable graphs this vulnerability is a pre-auth SQL injection vulnerability.
22
May 12th
PHP Stream Context Use After Free on Request Shutdown Vulnerability
PHP uses the stream context during stream destruction, although it was already freed in the request shutdown before.
21
May 11th
PHP fnmatch() Stack Exhaustion Vulnerability
PHP’s fnmatch() function can be used to crash PHP through a stack exhaustion attack.
20
May 10th
Xinha WYSIWYG Plugin Configuration Injection Vulnerability
A preauth plugin configuration injection vulnerability was discovered in the WYSIWYG editor Xinha that allows e.g. uploading arbitrary PHP files to the webserver.
19
May 10th
Serendipity WYSIWYG Editor Plugin Configuration Injection Vulnerability
A preauth plugin configuration injection vulnerability was discovered in the WYSIWYG editor (Xinha) bundled with Serendipity Weblog that allows e.g. uploading arbitrary PHP files to the webserver.
18
May 9th
EFront ask_chat chatrooms_ID SQL Injection Vulnerability
A preauth SQL injection vulnerability was discovered in the chat feature of EFront that allows retrieving all data from the database by simple URL manipulation.
17
May 9th
PHP preg_quote() Interruption Information Leak Vulnerability
PHP’s preg_quote() function can be abused for information leak attacks, because of the call time pass by reference feature.
16
May 8th
PHP ZEND_SR Opcode Interruption Address Information Leak Vulnerability
PHP’s ZEND_SR opcode can be abused for address information leak attacks by a userspace error handler interruption attack.
15
May 8th
PHP ZEND_SL Opcode Interruption Address Information Leak Vulnerability
PHP’s ZEND_SL opcode can be abused for address information leak attacks by a userspace error handler interruption attack.
14
May 8th
PHP ZEND_BW_XOR Opcode Interruption Address Information Leak Vulnerability
PHP’s ZEND_BW_XOR opcode can be abused for address information leak attacks by a userspace error handler interruption attack.
13
May 7th
PHP sqlite_array_query() Uninitialized Memory Usage Vulnerability
PHP’s sqlite_array_query() function will use uninitialized memory if it is used with an empty SQL query. This can lead to arbitrary code execution.
12
May 7th
PHP sqlite_single_query() Uninitialized Memory Usage Vulnerability
PHP’s sqlite_single_query() function will use uninitialized memory if it is used with an empty SQL query. This can lead to arbitrary code execution.
11
May 6th
DeluxeBB newthread SQL Injection Vulnerability
A SQL injection vulnerability was discovered in DeluxeBB that allows retrieving all the data from the database by adding new threads to the forum.
10
May 6th
PHP html_entity_decode() Interruption Information Leak Vulnerability
PHP’s html_entity_decode() function can be abused for information leak attacks, because of the call time pass by reference feature.
9
May 5th
PHP shm_put_var() Already Freed Resource Access Vulnerability
When PHP’s shm_put_var() function is interrupted by an object’s __sleep() function, it can destroy the shm resource used by this function, which allows writing to an arbitrary memory address.
8
May 4th
PHP chunk_split() Interruption Information Leak Vulnerability
PHP’s chunk_split() function can be abused for information leak attacks, because of the call time pass by reference feature.
7
May 4th
ClanTiger Shoutbox Module s_email SQL Injection vulnerability
A SQL injection vulnerability was discovered in the shoutbox module of ClanTiger that allows retrieving all the data from the database.
6
May 3rd
PHP addcslashes() Interruption Information Leak Vulnerability
PHP’s addcslashes() function can be abused for information leak attacks, because of the call time pass by reference feature.
5
May 3rd
ClanSphere MySQL Driver Generic SQL Injection Vulnerability
A generic SQL Injection vulnerability was discovered in the MySQL Driver of ClanSphere that allows exploiting a lot of otherwise safe SQL queries.
4
May 3rd
ClanSphere Captcha Generator Blind SQL Injection Vulnerability
A SQL Injection vulnerability was discovered in the Captcha generator of ClanSphere that allows retrieving all the data from the database.
3
May 2nd
PHP dechunk Filter Signed Comparison Vulnerability
PHP’s dechunk filter, which can be used to decode remote HTTP chunked encoding streams, performs a signed comparison of the chunk size against the space in the buffer. A negative number will result in far too many bytes (2GB – 4GB) being copied between heap buffers, which results in a crash.
2
May 1st
Campsite TinyMCE Article Attachment SQL Injection Vulnerability
A SQL Injection vulnerability was discovered in the TinyMCE custom article attachment plugin within Campsite that allows retrieving all data from the database.
1
May 1st
PHP hash_update_file() Already Freed Resource Access Vulnerability
During the Month of PHP Bugs in 2007 the same vulnerability was already disclosed to the general public. Because the issue remained unfixed for three years, the Month of PHP Security 2010 starts with this old unfixed vulnerability.