VRDA Feed by JPCERT/CC
Vulnerability Response Decision Assistance Feed: Information for vulnerability impact analysis
Vulnerability Analysis Result (Revision No : 1)
VRDA-091218-001
PHP Multiple Vulnerabilities
http://www.php.net/releases/5_2_12.php

The PHP development team would like to announce the immediate availability of PHP 5.2.12. This release focuses on improving the stability of the PHP 5.2.x branch with over 60 bug fixes, some of which are security related. All users of PHP 5.2 are encouraged to upgrade to this release.

About This Analysis Information
Analysis Information Provider: JPCERT/CC
First Published: 2009-12-18
Source Information Category: Advisory, Alert
Last Updated: 2009-12-18

Affected Product Tags
cpe:/a:php:php (PHP PHP)

Vulnerability Analysis Results
Information Source Reliability: High (options: Low / Medium / High)
Impact Level: Medium-High (options: Low / Low-Medium / Medium-High / High)
Access Required: Routed (options: Physical / Local / Non-routed / Routed)
Authentication: None or Unnecessary (options: Privileged / Standard / Limited / None or Unnecessary)
User Interaction Required: Simple (options: Complex / Simple / None)
Technical Difficulty: no value selected (options: High / Medium-High / Low-Medium / Low)
Availability of Remediation: Official Patch (options: Official Patch / Official Workaround / Unofficial Patch / None)
Incident Activity: Exploit or PoC (options: None / Exploit or PoC / Activity Observed)

Alternatives

References
Common Vulnerabilities and Exposures (CVE) CVE-2009-3557
The tempnam function in ext/standard/file.c in PHP 5.2.11 and earlier, and 5.3.x before 5.3.1, allows context-dependent attackers to bypass safe_mode restrictions, and create files in group-writable or world-writable directories, via the dir and prefix arguments.

Common Vulnerabilities and Exposures (CVE) CVE-2009-3558
The posix_mkfifo function in ext/posix/posix.c in PHP 5.2.11 and earlier, and 5.3.x before 5.3.1, allows context-dependent attackers to bypass open_basedir restrictions, and create FIFO files, via the pathname and mode arguments, as demonstrated by creating a .htaccess file.

Common Vulnerabilities and Exposures (CVE) CVE-2009-4017
PHP 5.2.11, and 5.3.x before 5.3.1, does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive.

Common Vulnerabilities and Exposures (CVE) CVE-2009-4142

Common Vulnerabilities and Exposures (CVE) CVE-2009-4143

Copyright © 2009 JPCERT/CC All Rights Reserved.