CVE-2007-0908
Published 2007-02-13
Priority: P3 (35) · medium · 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 11.75% (95.5th percentile)
The WDDX deserializer in the wddx extension in PHP 5 before 5.2.1 and PHP 4 before 4.4.5 does not properly initialize the key_length variable for a numerical key, which allows context-dependent attackers to read stack memory via a wddxPacket element that contains a variable with a string name before a numerical variable.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| php | php | — | — |
| php | php | >= 4.0.0 < 4.4.5 | 4.4.5 |
| php | php | >= 5.0.0 < 5.2.1 | 5.2.1 |
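CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vendor_ubuntu | — | 7.5 | HIGH | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |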
Ubuntu
PHP regression
vendor_ubuntu·2007-03-08·CVSS 7.5
[HIGH] PHP regression
Title: PHP regression
Summary: PHP regression
USN-424-1 fixed vulnerabilities in PHP. However, some upstream changes
were not included, which caused errors in the stream filters. This
update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Multiple buffer overflows have been discovered in various PHP modules.
If a PHP application processes untrusted data with functions of the
session or zip module, or various string functions, a remote attacker
could exploit this to execute arbitrary code with the privileges of
the web server. (CVE-2007-0906)
The sapi_header_op() function had a buffer underflow that could be
exploited to crash the PHP interpreter. (CVE-2007-0907)
The wddx unserialization handler did not correctly check for some
buffer boundaries and
Ubuntu
PHP vulnerabilities
vendor_ubuntu·2007-02-22·CVSS 7.5
CVE-2007-0906 [HIGH] PHP vulnerabilities
Title: PHP vulnerabilities
Summary: PHP vulnerabilities
Multiple buffer overflows have been discovered in various PHP modules.
If a PHP application processes untrusted data with functions of the
session or zip module, or various string functions, a remote attacker
could exploit this to execute arbitrary code with the privileges of
the web server. (CVE-2007-0906)
The sapi_header_op() function had a buffer underflow that could be
exploited to crash the PHP interpreter. (CVE-2007-0907)
The wddx unserialization handler did not correctly check for some
buffer boundaries and had an uninitialized variable. By unserializing
untrusted data, this could be exploited to expose memory regions that
were not meant to be accessible. Depending on the PHP application this
could lead to disclosure of pot
Red Hat
security flaw
vendor_redhat·2007-02-14·CVSS 5.0
CVE-2007-0908 [MEDIUM] security flaw
The WDDX deserializer in the wddx extension in PHP 5 before 5.2.1 and PHP 4 before 4.4.5 does not properly initialize the key_length variable for a numerical key, which allows context-dependent attackers to read stack memory via a wddxPacket element that contains a variable with a string name before a numerical variable.
GHSA
GHSA-cp4j-q49w-68jf: The WDDX deserializer in the wddx extension in PHP 5 before 5
ghsa_unreviewed·2022-05-03
CVE-2007-0908 [MEDIUM] CWE-20 GHSA-cp4j-q49w-68jf: The WDDX deserializer in the wddx extension in PHP 5 before 5
The WDDX deserializer in the wddx extension in PHP 5 before 5.2.1 and PHP 4 before 4.4.5 does not properly initialize the key_length variable for a numerical key, which allows context-dependent attackers to read stack memory via a wddxPacket element that contains a variable with a string name before a numerical variable.
No detection rules found.
Bugzilla
CVE-2007-0908 security flaw
bugzilla·2018-08-16·CVSS 5.0
CVE-2007-0908 [MEDIUM] CVE-2007-0908 security flaw
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
The WDDX deserializer in the wddx extension in PHP 5 before 5.2.1 and PHP 4 before 4.4.5 does not properly initialize the key_length variable for a numerical key, which allows context-dependent attackers to read stack memory via a wddxPacket element that contains a variable with a string name before a numerical variable.
Bugzilla
CVE-2007-0906 PHP security issues (CVE-2007-0907, CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-0988)
bugzilla·2007-02-23·CVSS 7.5
CVE-2007-0906 [HIGH] CVE-2007-0906 PHP security issues (CVE-2007-0907, CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-0988)
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2007-0089.html
Bugzilla
CVE-2007-0906 PHP security issues (CVE-2007-0907, CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-0988)
bugzilla·2007-02-20·CVSS 7.5
CVE-2007-0906 [HIGH] CVE-2007-0906 PHP security issues (CVE-2007-0907, CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-0988)
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2007-0081.html
Bugzilla
CVE-2007-0906 PHP security issues (CVE-2007-0907, CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-0988)
bugzilla·2007-02-20·CVSS 7.5
CVE-2007-0906 [HIGH] CVE-2007-0906 PHP security issues (CVE-2007-0907, CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-0988)
+++ This bug was initially created as a clone of Bug #228858 +++
Description of problem:
1. If unserializing untrusted data on 64-bit platforms the
zend_hash_init() function can be forced to enter an infinite loop,
consuming CPU resources, for a limited length of time, until the
script timeout alarm aborts the script (CVE-2007-0988)
2. If a script uses the imap_mail_compose() function to create a new MIME
message based on an input body from an untrusted source, an attacker may be able
to force a heap overflow (CVE-2006-0906)
3. If the format string passed to one of the functions in the printf()
family could be controlled by an attacker via untrusted data, then an
out-of-b
Bugzilla
CVE-2007-0906 PHP security issues (CVE-2007-0907, CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-0988)
bugzilla·2007-02-16·CVSS 7.5
CVE-2007-0906 [HIGH] CVE-2007-0906 PHP security issues (CVE-2007-0907, CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-0988)
+++ This bug was initially created as a clone of Bug #228858 +++
Description of problem:
1. If unserializing untrusted data on 64-bit platforms the
zend_hash_init() function can be forced to enter an infinite loop,
consuming CPU resources, for a limited length of time, until the
script timeout alarm aborts the script (CVE-NO-NAME)
2. If a script uses the imap_mail_compose() function to create a new MIME
message based on an input body from an untrusted source, an attacker may be able
to force a heap overflow (CVE-2006-0906)
3. If the format string passed to one of the functions in the printf()
family could be controlled by an attacker via untrusted data, then an
out-of-bou
Bugzilla
CVE-2007-0906 PHP security issues (CVE-2007-0907, CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-0988)
bugzilla·2007-02-15·CVSS 7.5
CVE-2007-0906 [HIGH] CVE-2007-0906 PHP security issues (CVE-2007-0907, CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-0988)
Description of problem:
1. If unserializing untrusted data on 64-bit platforms the
zend_hash_init() function can be forced to enter an infinite loop,
consuming CPU resources, for a limited length of time, until the
script timeout alarm aborts the script (CVE-NO-NAME)
2. If a script uses the imap_mail_compose() function to create a new MIME
message based on an input body from an untrusted source, an attacker may be able
to force a heap overflow (CVE-2006-0906)
3. If the format string passed to one of the functions in the printf()
family could be controlled by an attacker via untrusted data, then an
out-of-bounds memory read could crash the Apache child process (CVE-2006-090