SektionEins GmbH
www.sektioneins.de
-= Security Advisory =-
Advisory: PHP openssl_x509_parse() Memory Corruption Vulnerability
Release Date: 2013/12/13
Last Modified: 2013/12/13
Author: Stefan Esser
Last Modified: 2012/01/19
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: Suhosin Extension = 0.9.32.1
Severity: A possible stack buffer overflow in Suhosin extension's
transparent cookie encryption that can only be triggered
-viewer-sql-injection-vulnerability/
Thank you
Stefan Esser
Organiser
Month of PHP Security / php-security.org
SektionEins GmbH / www.sektioneins.com
SektionEins GmbH
www.sektioneins.de
-= Security Advisory =-
Advisory: MyBB Password Reset Weak Random Numbers Vulnerability
Release Date: 2010/04/13
Last Modified: 2010/04/13
Author: Stefan Esser [stefan.esser
SektionEins GmbH
www.sektioneins.de
-= Security Advisory =-
Advisory: MyBB Password Reset Email BCC: Injection Vulnerability
Release Date: 2010/04/13
Last Modified: 2010/04/13
Author: Stefan Esser [stefan.esser
of PHP Security will be held in May 2010 by SektionEins
GmbH. During the month of May all qualifying entries will be published
at http://php-security.org day by day.
CFP Committee
- -
The CFP committee for the Month of PHP Security consists of
1) Johann-Peter Hartmann
2) Stefan Esser
3
SektionEins GmbH
www.sektioneins.de
-= Security Advisory =-
Advisory: Piwik Cookie Unserialize() Vulnerability
Release Date: 2009/12/09
Last Modified: 2009/12/09
Author: Stefan Esser [stefan.esser
SektionEins GmbH
www.sektioneins.de
-= Security Advisory =-
Advisory: PHPIDS Unserialize() Vulnerability
Release Date: 2009/12/09
Last Modified: 2009/12/09
Author: Stefan Esser [stefan.esser[at]sektioneins.de
Vulnerability
Release Date: 2009/09/18
Last Modified: 2009/09/18
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: Horde Application Framework = 3.2.4
Severity: PHP applications using the Horde_Form_Type_image form
element can be tricked into overwriting
something very similar to Suhosin.
Stefan Esser
: 2008/12/04
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: PHP 5 = 5.2.6
Severity: PHP applications using ZipArchive::extractTo() to unpack zip
archive files can be tricked to overwrite arbitrary files
writable by the webserver which
: 2008/09/12
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: Wordpress = 2.6.1
Severity: MySQL column truncation allows resetting the passwords of
wordpress users to random strings. Combined with weaknesses
in PHP's PRNG this allows
: 2008/09/11
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: Joomla = 1.5.7
Severity: Usage of mt_rand() and mt_srand() for generation
of cryptographic secrets like random password
reset tokens
Risk: High
Vendor Status: Vendor has
: 2008/05/06
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: PHP 5 = 5.2.5
PHP 4 = 4.4.8
Severity: Weak random number seed might lead to security
problems in PHP applications using random numbers
Risk: Low
Vendor Status: Vendor
: 2008/05/06
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: PHP 5 = 5.2.5
PHP 4 = 4.4.8
Severity: Several shell locales with support for East Asian
variable width encodings allow bypassing PHP's
shell command escaping
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: PunBB = 1.2.16
Severity: Weak random numbers lead to a blind password recovery
vulnerability that allows account takeover
Risk: High
Vendor Status: Vendor has released PunBB 1.2.17 which fixes
/29
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: TikiWiki = 1.9.8.1
Severity: Remote PHP code execution when TikiWiki's
sheet feature is activated
Risk: Medium
Vendor Status: Vendor has released TikiWiki 1.9.8.2 which fixes this issue
developers considered it NOT A VULNERABILITY.
Well now the PHP developers have committed a fix for this to the PHP CVS,
crediting you instead of the original reporter (me) and as usual the fix
is only fixing a part of the problem.
(Hint: long names like HTTP_POST_VARS do exist...)
Stefan Esser
they will continue with
their old habits.
Stefan Esser
Modified: 2007/02/23
Author: Stefan Esser [EMAIL PROTECTED]
Application: Firefox = 2.0.0.1, Internet Explorer 7, Opera 9
Not affected: Internet Explorer 6, Opera 8
Severity: Web-pages without a defined charset will be rendered
with the charset of the parent page when
Modified: 2007/01/05
Author: Stefan Esser [EMAIL PROTECTED]
Application: WordPress = 2.0.5
Severity: The support of trackbacks in different charsets can
be used to bypass WordPress's SQL injection protection.
This might result in a compromise
Author: Stefan Esser [EMAIL PROTECTED]
Application: WordPress = 2.0.5
Severity: The CSRF protection of WordPress's administration
interface is vulnerable to an XSS vulnerability
which might result in a compromise of the admin
account
/11/14
Author: Stefan Esser [EMAIL PROTECTED]
Application: Dotdeb PHP 5.2.0 Rev 3
Severity: Calling PHP scripts with special crafted URLs
can result in arbitrary email header injection
Risk: Critical
Vendor Status: Vendor has fixed this with Dotdeb PHP 5.2.0 rev
Author: Stefan Esser [EMAIL PROTECTED]
Application: phpMyAdmin = 2.9.0.2
Severity: XSS vulnerability in an error displaying script
Risk: Medium Critical
Vendor Status: Vendor has released an updated version
References: http://www.hardened-php.net/advisory_122006.137.html
: 2006/11/03
Author: Stefan Esser [EMAIL PROTECTED]
Application: PHP 5 = 5.1.6, PHP 4 = 4.4.4
Severity: Buffer overflows in htmlentities() and
htmlspecialchars() may result in arbitrary
remote code execution
Risk: Critical
Vendor Status: Vendor has
Author: Stefan Esser [EMAIL PROTECTED]
Application: Serendipity = 1.0.1
Severity: Multiple XSS vulnerabilities within the administration
interface allow Cross Site Scripting attacks against
the blog admin
Risk: Critical
Vendor Status: Vendor has
: 2006/10/15
Author: Stefan Esser [EMAIL PROTECTED]
Application: ViewVC = 1.0.2
Severity: A missing default charset definition allows XSS attacks
against browsers interpreting UTF-7 (IE, mozilla family)
Risk: Medium
Vendor Status: Vendor released 1.0.3 which
/10/09
Author: Stefan Esser [EMAIL PROTECTED]
Application: PHP 5 = 5.1.6, PHP 4 4.3.0
Not affected: PHP 4 = 4.3.0,
PHP with Hardening-Patch,
PHP with Suhosin-Patch
Severity: User-input passed to the unserialize() function might
trigger
/04
Author: Stefan Esser [EMAIL PROTECTED]
Application: PHP 4/5
Not affected: PHP with Suhosin Extension 0.9.6
Severity: A design flaw of open_basedir allows bypassing it
with the symlink() function
Risk: Critical
References: http://www.hardened-php.net
Author: Stefan Esser [EMAIL PROTECTED]
Application: phpMyAdmin = 2.9.0
Severity: Multiple vulnerabilities within phpMyAdmin allow
bypassing its protection against CSRF
Risk: Medium Critical
Vendor Status: Vendor has released an updated version
References
Author: Stefan Esser [EMAIL PROTECTED]
Application: PHProjekt 5.1.1
Severity: An unverified path may allow an attacker to inject
and execute arbitrary PHP code
Risk: Critical
Vendor Status: Vendor has released an updated version
References: http
/24
Author: Stefan Esser [EMAIL PROTECTED]
Application: Zend Platform = 2.2.1
Severity: Malformed session ids may lead to multiple security problems
Risk: Critical
Vendor Status: Vendor has released an updated version
References: http://www.hardened-php.net
be: Very Critical
http://www.hardened-php.net/hphp/zend_hash_del_key_or_index_vulnerability.html
Greets,
Stefan Esser
Modified: 2006/06/05
Author: Stefan Esser [EMAIL PROTECTED]
Application: DokuWiki = 2006/06/04
Severity: DokuWiki's spellchecker allows remote PHP code execution
Risk: Critical
Vendor Status: Vendor has released an updated version
References: http://www.hardened-php.net
Hello,
just to stop this:
The bug is a binary safety issue in html_entity_decode. A function that
is not usually used on user input, because user input is usually not
expected in HTML format and then decoded. Even if the function is used
on user input it can only leak memory to a potential
Author: Stefan Esser [EMAIL PROTECTED]
Application: PHP5.1 = 5.1.1
Not Affected: PHP4, PHP 5.0.x
PHP 5.1.x with Hardening-Patch
Severity: A format string vulnerability in the exception handling
of the new mysqli extension may result in remote code
: 2006/01/12
Author: Stefan Esser [EMAIL PROTECTED]
Application: PHP5 = 5.1.1
Not Affected: PHP4
PHP5 with Hardening-Patch
Severity: PHP applications using PHP5's session extension are
vulnerable to HTTP Response Splitting attacks
Risk: Critical
Author: Stefan Esser [EMAIL PROTECTED]
Application: TinyMCE Compressor = 1.0.5
Applications that bundle it like Wordpress 2.0
Severity: Unchecked user input is directly used within filenames
or printed into the output buffer which allows disclosure
/07
Author: Stefan Esser [EMAIL PROTECTED]
Application: phpMyAdmin 2.7.0(-rc1)
Severity: A flaw in the variable overwrite protection may lead
to several XSS and local and remote file inclusion
vulnerabilities
Risk: Critical
Vendor Status: Vendor
Author: Stefan Esser [EMAIL PROTECTED]
Application: Curl = 7.15.0
libcurl = 7.15.0
Severity: When (lib)Curl tries to parse a certain kind of
malformed URLs this leads to a heap overflow
Risk: Low
Vendor Status: Vendor has released an updated version
/10/31
Author: Stefan Esser [EMAIL PROTECTED]
Application: PHP4 = 4.4.0
PHP5 = 5.0.5
Severity: $GLOBALS overwrite can lead to unexpected behaviour
of PHP applications, which can lead to execution of
remote PHP code in many situations
Modified: 2005/10/31
Author: Stefan Esser [EMAIL PROTECTED]
Application: PHP4 = 4.4.0
PHP5 = 5.0.5
Severity: Unsafe termination of parse_str() may result in the
register_globals directive turned back on
Risk: Low
Vendor Status: Vendor has released
Modified: 2005/10/31
Author: Stefan Esser [EMAIL PROTECTED]
Application: PHP4 = 4.4.0
PHP5 = 5.0.5
Severity: A Cross Site Scripting (XSS) Vulnerability in phpinfo()
could f.e. lead to cookie data exposure if an info
script is left on a production
Author: Stefan Esser [EMAIL PROTECTED]
Application: phpBB = 2.0.17
Severity: Multiple vulnerabilities allow XSS, SQL injection
and remote code execution
Risk: Critical
Vendor Status: Vendor has released an updated version
References: http://www.hardened-php.net
its way to the fingerd.
Stefan Esser
not allow % within domain
names and so your format string vulnerability is not exploitable at all...
Stefan Esser
e-matters GmbH
www.e-matters.de
-= Security Advisory =-
Advisory: Fetchmail remote vulnerability
Release Date: 2002/12/13
Last Modified: 2002/12/13
Author: Stefan Esser [[EMAIL PROTECTED]]
Application
e-matters GmbH
www.e-matters.de
-= Security Advisory =-
Advisory: Multiple MySQL vulnerabilities
Release Date: 2002/12/12
Last Modified: 2002/12/12
Author: Stefan Esser [[EMAIL PROTECTED]]
Application
e-matters GmbH
www.e-matters.de
-= Security Advisory =-
Advisory: Fetchmail remote vulnerabilities
Release Date: 2002/09/29
Last Modified: 2002/09/29
Author: Stefan Esser [[EMAIL PROTECTED
instruction pointer before the memcpy call...
just my 0.02 cents
Stefan Esser - e-matters Security