VRDA Feed by JPCERT/CC
  Vulnerability Response Decision Assistance Feed: standardized data distribution of vulnerability threat analysis information
Analyzed vulnerability information (revision number: 1)
VRDA-091218-001
Multiple vulnerabilities in PHP
http://www.php.net/releases/5_2_12.php

The PHP development team would like to announce the immediate availability of PHP 5.2.12. This release focuses on improving the stability of the PHP 5.2.x branch with over 60 bug fixes, some of which are security related. All users of PHP 5.2 are encouraged to upgrade to this release.




About this information
Analysis provided by:
JPCERT/CC
Initial publication date:
2009-12-18
Category of analyzed vulnerability information:
Advisory / alert
Last updated:
2009-12-18




Identifier of the product affected by the vulnerability
cpe:/a:php:php  (PHP PHP)


Vulnerability analysis
(X marks the option selected by the analyst)

[Reliability of information used in the analysis]
X (option label not present on the page)

[Severity of impact]
Small to medium
X Medium to large

[Attack vector]
Physical access
Local machine
Same network segment
X Via the Internet

[Authentication level]
Administrator account
Regular user account
Free account
X Not required

[User involvement required for the attack to succeed]
Complex
X Simple
Not required

[Attack difficulty]
Medium to high
Low to medium
(no option selected)

[Availability of countermeasures]
X Official patch available
Official workaround available
Unofficial workaround or patch available
None

[Incident status]
No activity
X Exploit/PoC available
Activity observed

Related information

Reference information
Common Vulnerabilities and Exposures (CVE) CVE-2009-3557
The tempnam function in ext/standard/file.c in PHP 5.2.11 and earlier, and 5.3.x before 5.3.1, allows context-dependent attackers to bypass safe_mode restrictions, and create files in group-writable or world-writable directories, via the dir and prefix arguments.

Common Vulnerabilities and Exposures (CVE) CVE-2009-3558
The posix_mkfifo function in ext/posix/posix.c in PHP 5.2.11 and earlier, and 5.3.x before 5.3.1, allows context-dependent attackers to bypass open_basedir restrictions, and create FIFO files, via the pathname and mode arguments, as demonstrated by creating a .htaccess file.

Common Vulnerabilities and Exposures (CVE) CVE-2009-4017
PHP 5.2.11, and 5.3.x before 5.3.1, does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive.

Common Vulnerabilities and Exposures (CVE) CVE-2009-4142

Common Vulnerabilities and Exposures (CVE) CVE-2009-4143

Copyright © 2009 JPCERT/CC All Rights Reserved.