Saturday, 22 November 2008
 
 
ITsec Advisories


MOPB-33-2007: PHP mail() Message ASCIIZ Byte Truncation
Written by Marcelo Almeida (Vympel)   
Wednesday, 28 March 2007

Summary

When the mail() function is called with a message that contains an ASCIIZ (NUL) byte, it treats that byte as the end of the message. PHP applications that do not filter ASCIIZ bytes from user input before embedding it in the message are therefore vulnerable to arbitrary email truncation.

Affected versions

Affected are PHP 4 <= 4.4.6 and PHP 5 <= 5.2.1

Detailed information

Web applications sending email with PHP's mail() function often craft the email message with a construct like this...

 
MOPB-32-2007: PHP 4.4.5/4.4.6 session_decode() Double Free Vulnerability
Written by Marcelo Almeida (Vympel)   
Wednesday, 28 March 2007

Summary

When security fixes for MOPB-31-2007 were developed we demonstrated to the PHP developers that their first two attempts were not a fix for the vulnerability and only killed our described exploit path, while other exploit paths were still useable.

During the search for the correct fix, an incorrect backport to PHP 4 was performed that introduced a double free vulnerability into the standard PHP deserializer. This can lead to arbitrary code execution through modified session data...

 
MOPB-31-2007: PHP _SESSION Deserialization Overwrite Vulnerability
Written by Marcelo Almeida (Vympel)   
Wednesday, 28 March 2007

Summary

When register_globals is activated, the deserialization of the session data can overwrite any global variable, including the _SESSION array. Because of its special implementation, this can result in arbitrary code execution.

Affected versions

Affected are PHP 4 < 4.4.5 and PHP 5 < 5.2.1

Detailed information

The summary says it all. For further clarification test the exploit...

 
MOPB-30-2007: PHP _SESSION unset() Vulnerability
Written by Marcelo Almeida (Vympel)   
Wednesday, 28 March 2007

Summary

The session extension does not set the correct reference count value for the session variables, because it does not include the internal pointer from within the session globals. As a result, unsetting _SESSION and HTTP_SESSION_VARS destroys the Hashtable containing the session data, although the session extension still holds an internal pointer to it and still uses it internally. This allows replacing the Hashtable through a specially prepared string and leads to code execution...

 
MOPB-29-2007: PHP 5.2.1 unserialize() Information Leak Vulnerability
Written by Marcelo Almeida (Vympel)   
Wednesday, 28 March 2007

Summary

The new S: data type added to PHP 5.2.1's serialisation format is completely broken. The new feature it is supposed to add, the handling of escaped strings, does not work at all and leads to disclosure of heap memory content...

 