Hardened-PHP Project Advisories

Advisory 03/2007: Multiple Browsers Cross Domain Charset Inheritance Vulnerability

stefan@hardened-php.net (Stefan Esser) — Fri, 23 Feb 2007 20:32:27 +0000

It was discovered that several web browser will render web-pages without a defined charset with the charset of the parent page when put into an (i)frame. This might allow bypassing XSS filters with for example UTF-7 payload.

Advisory 02/2007: WordPress Trackback Charset Decoding SQL Injection Vulnerability

stefan@hardened-php.net (Stefan Esser) — Fri, 05 Jan 2007 15:07:12 +0000

It was discovered that WordPress's support of trackbacks in different charsets can be used to bypass WordPress's SQL injection protection. This might result in a compromise of the admin account and the execution of arbitrary PHP code on the server

Advisory 01/2007: WordPress CSRF Protection XSS Vulnerability

stefan@hardened-php.net (Stefan Esser) — Fri, 05 Jan 2007 15:02:29 +0000

It was discovered that the CSRF protection of WordPress's administration interface is vulnerable to an XSS vulnerability which might result in a compromise of the admin account and the execution of arbitrary PHP code on the server

Advisory 14/2006: Dotdeb PHP Email Header Injection Vulnerability

stefan@hardened-php.net (Stefan Esser) — Tue, 14 Nov 2006 16:27:48 +0000

A vulnerability in Dotdebs PHP packages was discovered that allows abusing any PHP script that uses mail() as spamrobot. Furthermore this vulnerability might lead to disclosure of sensitive information sent out by email.

Advisory 13/2006: PHP HTML Entity Encoder Heap Overflow Vulnerability

stefan@hardened-php.net (Stefan Esser) — Thu, 02 Nov 2006 22:07:12 +0000

A heap overflow in PHP's HTML entity encoder was discovered that can be triggered through the htmlentities() and htmlspecialchars() functions. Successfull exploitation results in arbitrary remote code execution.

Advisory 12/2006: phpMyAdmin - error.php XSS Vulnerability

stefan@hardened-php.net (Stefan Esser) — Thu, 02 Nov 2006 07:49:45 +0000

An user supplied charset in the error displaying script of phpMyAdmin allows XSS.

Advisory 11/2006: Serendipity Weblog XSS Vulnerabilities

stefan@hardened-php.net (Stefan Esser) — Thu, 19 Oct 2006 15:26:27 +0000

Multiple XSS vulnerabilities within the administration interface of Serendipity were found that allow Cross Site Scripting attacks against the blog admin.

Advisory 10/2006: ViewVC Undefined Charset UTF-7 XSS Vulnerability

stefan@hardened-php.net (Stefan Esser) — Sun, 15 Oct 2006 14:13:27 +0000

A missing default charset definition in ViewVC allows XSS attacks against browsers interpreting UTF-7.

Advisory 09/2006: PHP unserialize() Array Creation Integer Overflow

stefan@hardened-php.net (Stefan Esser) — Mon, 09 Oct 2006 06:41:24 +0000

It was discovered that userinput passed to the unserialize() function might trigger an integer overflow in array creation that might result in remote code execution.

Advisory 08/2006: PHP open_basedir Race Condition Vulnerability

stefan@hardened-php.net (Stefan Esser) — Tue, 03 Oct 2006 15:29:35 +0000

A design flaw of PHP's open_basedir feature allows bypassing it's restrictions with the symlink() function.

Advisory 07/2006: phpMyAdmin Multiple CSRF Vulnerabilities

stefan@hardened-php.net (Stefan Esser) — Sun, 01 Oct 2006 17:53:49 +0000

Multiple vulnerabilities within phpMyAdmin were discovered that allow bypassing it's protection against CSRF which might lead to the execution of arbitrary SQL queries.

Advisory 06/2006: PHProjekt (Remote) Include Vulnerabilities

stefan@hardened-php.net (Stefan Esser) — Fri, 29 Sep 2006 10:57:53 +0000

An unverified path variable might allow an attacker to inject and execute arbitrary PHP code within PHProjekt.

Advisory 05/2006 - Zend Platform Multiple Remote Vulnerabilities

stefan@hardened-php.net (Stefan Esser) — Thu, 24 Aug 2006 11:23:22 +0000

Multiple remote vulnerabilities in the Zend Platform Session Handler have been discovered that can even lead to remote (PHP) code execution.

Advisory 04/2006: DokuWiki PHP code execution vulnerability in spellchecker

stefan@hardened-php.net (Stefan Esser) — Mon, 05 Jun 2006 08:01:13 +0000

A vulnerability in DokuWiki's spellchecker allows normal wiki visitors to execute arbritrary PHP code through injection into a preg_replace() call, that uses the /e modifier.

Advisory 03/2006: KisMAC Cisco Vendor Tag Encapsulated SSID Overflow

stefan@hardened-php.net (Stefan Esser) — Thu, 23 Mar 2006 07:11:19 +0000

A vulnerability in the passive wifi scanner KisMAC was discovered that allows execution of arbitrary code through a single manipulated 80211 management frame.

Advisory 02/2006: PHP ext/mysqli Format String Vulnerability

stefan@hardened-php.net (Stefan Esser) — Thu, 12 Jan 2006 16:36:23 +0000

A format string vulnerability in the exception handling of the new mysqli extension for PHP may result in remote code execution.

Advisory 01/2006: PHP ext/session HTTP Response Splitting Vulnerability

stefan@hardened-php.net (Stefan Esser) — Thu, 12 Jan 2006 16:28:49 +0000

Due to a flaw in the session handling of PHP, applications using PHP5's session extension are vulnerable to HTTP Response Splitting attacks.

Advisory 26/2005: TinyMCE Compressor Vulnerabilities

stefan@hardened-php.net (Stefan Esser) — Tue, 27 Dec 2005 17:48:07 +0000

TinyMCE Compressor uses unchecked user input directly within filenames or prints it into the output buffer which allows disclosure of arbitrary files and XSS attacks

Advisory 25/2005: phpMyAdmin Variables Overwrite Vulnerability

stefan@hardened-php.net (Stefan Esser) — Wed, 07 Dec 2005 09:50:47 +0000

A vulnerability within the redesigned register_globals emulation layer of phpMyAdmin can be used to overwrite f.e. arbitrary configuration values and therefore eventually lead to execution of arbitrary code or injection of XSS.

Advisory 24/2005: libcurl URL parsing vulnerability

stefan@hardened-php.net (Stefan Esser) — Wed, 07 Dec 2005 08:37:26 +0000

A vulnerability in the URL parser of (lib)Curl may lead to a heap overflow and unintended code execution, when a certain kind of malformed URL is requested through (lib)Curl.

Advisory 23/2005: vTiger multiple vulnerabilities

christopher.kunz@hardened-php.net (Christopher Kunz) — Thu, 24 Nov 2005 10:07:39 +0000

Multiple vulnerabilities in the commercial SugarCRM fork vTiger allow for privilege escalation, local and remote code execution, Cross-Site scripting and authentication bypass. Attack classes found are SQL injection, XSS, unsafe file inclusion.

Advisory 22/2005:Multiple vulnerabilities in phpSysInfo

christopher.kunz@hardened-php.net (Christopher Kunz) — Fri, 11 Nov 2005 10:08:34 +0000

Due to incorrect handling of global variables, attackers can view arbitrary files, perform XSS and HTTP Response Splitting attacks on a vulnerable phpSysInfo instance.

Advisory 21/2005: Multiple vulnerabilities in PHPKIT

christopher.kunz@hardened-php.net (Christopher Kunz) — Tue, 08 Nov 2005 00:35:57 +0000

Multiple vulnerabilities in the commercial community management system PHPKIT allow for password hash disclosure, XSS and remote code execution.

Advisory 20/2005: PHP File-Upload $GLOBALS Overwrite Vulnerability

stefan@hardened-php.net (Stefan Esser) — Mon, 31 Oct 2005 12:38:10 +0000

$GLOBALS overwrite can lead to unexpected behaviour of PHP applications, which can lead to execution of remote PHP code in many situations.

Advisory 19/2005: PHP register_globals Activation Vulnerability in parse_str()

stefan@hardened-php.net (Stefan Esser) — Mon, 31 Oct 2005 12:37:51 +0000

Unsafe termination of parse_str() by the memory_limit request shutdown may result in the register_globals directive turned back on.

Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()

stefan@hardened-php.net (Stefan Esser) — Mon, 31 Oct 2005 12:37:31 +0000

A Cross Site Scripting (XSS) Vulnerability in phpinfo() could f.e. lead to cookie data exposure if an info script is left on a production server.

Advisory 17/2005: phpBB Multiple Vulnerabilities

stefan@hardened-php.net (Stefan Esser) — Sun, 30 Oct 2005 23:51:27 +0000

Multiple vulnerabilities within phpBB <= 2.0.17 allow XSS, SQL injection and even remote PHP code execution.

Advisory 16/2005: phpMyAdmin Local File Inclusion Vulnerability

stefan@hardened-php.net (Stefan Esser) — Sat, 22 Oct 2005 13:17:51 +0000

A design flaw within phpMyAdmin allows inclusion of arbitrary files, which usually leads to remote code execution.

Advisory 15/2005: PHPXMLRPC Remote PHP Code Injection Vulnerability

stefan@hardened-php.net (Stefan Esser) — Mon, 15 Aug 2005 12:17:19 +0000

A malformed XMLRPC request can result in execution of arbitrary injected PHP code in applications using PHPXMLRPC.

Advisory 14/2005: PEAR XML_RPC Remote PHP Code Injection Vulnerability

stefan@hardened-php.net (Stefan Esser) — Mon, 15 Aug 2005 12:17:11 +0000

A malformed XMLRPC request can result in execution of arbitrary injected PHP code in applications using PEAR XML_RPC.