Computer Security
[EN] securityvulns.ru no-pyccku


PHP variables unset use after free vulnerability
Published:25.03.2007
Source:
SecurityVulns ID:7473
Type:library
Threat Level:
6/10
Description:There is no access counters for _SESSION and HTTP_SESSION_VARS variables, making it possible to trigger use-after-free conditions by unsetting these variables. In addition, it's possible to deserealize these variables.
Affected:PHP : PHP 4.4
 PHP : PHP 5.2
CVE:CVE-2007-1711 (Double free vulnerability in the unserializer in PHP 4.4.5 and 4.4.6 allows context-dependent attackers to execute arbitrary code by overwriting variables pointing to (1) the GLOBALS array or (2) the session data in _SESSION. NOTE: this issue was introduced when attempting to patch CVE-2007-1701 (MOPB-31-2007).)
 CVE-2007-1701 (PHP 4 before 4.4.5, and PHP 5 before 5.2.1, when register_globals is enabled, allows context-dependent attackers to execute arbitrary code via deserialization of session data, which overwrites arbitrary global variables, as demonstrated by calling session_decode on a string beginning with "_SESSION|s:39:".)
 CVE-2007-1700 (The session extension in PHP 4 before 4.4.5, and PHP 5 before 5.2.1, calculates the reference count for the session variables without considering the internal pointer from the session globals, which allows context-dependent attackers to execute arbitrary code via a crafted string in the session_register after unsetting HTTP_SESSION_VARS and _SESSION, which destroys the session data Hashtable.)
Original documentdocumentPHP-SECURITY, MOPB-32-2007:PHP 4.4.5/4.4.6 session_decode() Double Free Vulnerability (25.03.2007)
 documentPHP-SECURITY, MOPB-31-2007:PHP _SESSION Deserialization Overwrite Vulnerability (25.03.2007)
 documentPHP-SECURITY, MOPB-30-2007:PHP _SESSION unset() Vulnerability (25.03.2007)
Files:PHP _SESSION unset() Vulnerability
 PHP session_decode() _SESSION Overwrite Vulnerability
 PHP 4.4.5/4.4.6 session_decode() Double Free Vulnerability

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod