PHP session_regenerate_id() Function Double Free

2007-03-14T09:21:15
ID OSVDB:33936
Type osvdb
Reporter OSVDB
Modified 2007-03-14T09:21:15

Description

Vulnerability Description

PHP contains a flaw that may allow a context-dependent attacker to gain elevated privileges. The issue occurs when an attacker interrupts the session_regenerate_id function (i.e. by calling a userspace error handler), which triggers a double free. This may allow an attacker to execute arbitrary code.

Solution Description

Upgrade to version 4.4.7, 5.2.2 or higher, as these versions have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://www.php.net/
Secunia Advisory ID: 25025
Secunia Advisory ID: 25062
Secunia Advisory ID: 26235
Secunia Advisory ID: 24505
Secunia Advisory ID: 25057
Secunia Advisory ID: 25445
Related OSVDB ID: 33937
Other Advisory URL: http://www.php-security.org/MOPB/MOPB-22-2007.html
Other Advisory URL: http://www.us.debian.org/security/2007/dsa-1282
Other Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200705-19.xml
Other Advisory URL: http://www.ubuntu.com/usn/usn-455-1
Other Advisory URL: http://www.us.debian.org/security/2007/dsa-1283
Other Advisory URL: http://docs.info.apple.com/article.html?artnum=306172
FrSIRT Advisory: ADV-2007-0960
CVE-2007-1521
Bugtraq ID: 22968