PHP vulnerabilities

2006-07-19T00:00:00
ID USN-320-1
Type ubuntu
Reporter Ubuntu
Modified 2006-07-19T00:00:00

Description

The phpinfo() PHP function did not properly sanitize long strings. A remote attacker could use this to perform cross-site scripting attacks against sites that have publicly-available PHP scripts that call phpinfo(). Please note that it is not recommended to publicly expose phpinfo(). (CVE-2006-0996)

An information disclosure has been reported in the html_entity_decode() function. A script which uses this function to process arbitrary user-supplied input could be exploited to expose a random part of memory, which could potentially reveal sensitive data. (CVE-2006-1490)

The wordwrap() function did not sufficiently check the validity of the ‘break’ argument. An attacker who could control the string passed to the ‘break’ parameter could cause a heap overflow; however, this should not happen in practical applications. (CVE-2006-1990)

The substr_compare() function did not sufficiently check the validity of the ‘offset’ argument. A script which passes untrusted user-defined values to this parameter could be exploited to crash the PHP interpreter. (CVE-2006-1991)

In certain situations, using unset() to delete a hash entry could cause the deletion of the wrong element, which would leave the specified variable defined. This could potentially cause information disclosure in security-relevant operations. (CVE-2006-3017)

In certain situations the session module attempted to close a data file twice, which led to memory corruption. This could potentially be exploited to crash the PHP interpreter, though that could not be verified. (CVE-2006-3018)

This update also fixes various bugs which allowed local scripts to bypass open_basedir and ‘safe mode’ restrictions by passing special arguments to tempnam() (CVE-2006-1494, CVE-2006-2660), copy() (CVE-2006-1608), the curl module (CVE-2006-2563), or error_log() (CVE-2006-3011).