FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

php -- _ecalloc Integer Overflow Vulnerability

Affected packages
php5 < 5.1.6_1
5 <= mod_php5 < 5.1.6_1
5 <= php5-cgi < 5.1.6_1
5 <= php5-cli < 5.1.6_1
5 <= php5-dtc < 5.1.6_1
5 <= php5-horde < 5.1.6_1
5 <= php5-nms < 5.1.6_1

Details

VuXML ID e329550b-54f7-11db-a5ae-00508d6a62df
Discovery 2006-09-30
Entry 2006-10-06
Modified 2013-04-01

Stefan Esser reports:

The PHP 5 branch of the PHP source code lacks the protection against possible integer overflows inside ecalloc() that is present in the PHP 4 branch and also for several years part of our Hardening-Patch and our new Suhosin-Patch.

It was discovered that such an integer overflow can be triggered when user input is passed to the unserialize() function. Earlier vulnerabilities in PHP's unserialize() that were also discovered by one of our audits in December 2004 are unrelated to the newly discovered flaw, but they have shown, that the unserialize() function is exposed to user-input in many popular PHP applications. Examples for applications that use the content of COOKIE variables with unserialize() are phpBB and Serendipity.

The successful exploitation of this integer overflow will result in arbitrary code execution.

References

CVE Name CVE-2006-4812
URL http://secunia.com/advisories/22280/
URL http://www.hardened-php.net/advisory_092006.133.html