Advisory 01/2013: PHP openssl_x509_parse() Memory Corruption Vulnerability

2013-12-16 Thread Stefan Esser
SektionEins GmbH www.sektioneins.de -= Security Advisory =- Advisory: PHP openssl_x509_parse() Memory Corruption Vulnerability Release Date: 2013/12/13 Last Modified: 2013/12/13 Author: Stefan Esser

Advisory 01/2012: Suhosin PHP Extension Transparent Cookie Encryption Stack Buffer Overflow

2012-01-19 Thread Stefan Esser
Last Modified: 2012/01/19 Author: Stefan Esser [stefan.esser[at]sektioneins.de] Application: Suhosin Extension <= 0.9.32.1 Severity: A possible stack buffer overflow in Suhosin extension's transparent cookie encryption that can only be triggered

Month of PHP Security - Summary - 11th May - 21st May

2010-05-21 Thread Stefan Esser
-viewer-sql-injection-vulnerability/ Thank you Stefan Esser Organiser Month of PHP Security / php-security.org SektionEins GmbH / www.sektioneins.com

Month of PHP Security - Summary - 1st May - 10th May

2010-05-10 Thread Stefan Esser
Thank you Stefan Esser Organiser Month of PHP Security / php-security.org SektionEins GmbH / www.sektioneins.com

Advisory 02/2010: MyBB Password Reset Weak Random Numbers Vulnerability

2010-04-13 Thread Stefan Esser
SektionEins GmbH www.sektioneins.de -= Security Advisory =- Advisory: MyBB Password Reset Weak Random Numbers Vulnerability Release Date: 2010/04/13 Last Modified: 2010/04/13 Author: Stefan Esser [stefan.esser

Advisory 01/2010: MyBB Password Reset Email BCC: Injection Vulnerability

2010-04-13 Thread Stefan Esser
SektionEins GmbH www.sektioneins.de -= Security Advisory =- Advisory: MyBB Password Reset Email BCC: Injection Vulnerability Release Date: 2010/04/13 Last Modified: 2010/04/13 Author: Stefan Esser [stefan.esser

Month of PHP Security 2010 - CALL FOR PAPERS

2010-03-01 Thread Stefan Esser
of PHP Security will be held in May 2010 by SektionEins GmbH. During the month of May all qualifying entries will be published at http://php-security.org day by day. CFP Committee - - The CFP committee for the Month of PHP Security consists of 1) Johann-Peter Hartmann 2) Stefan Esser 3

Advisory 03/2009: Piwik Cookie unserialize() Vulnerability

2009-12-09 Thread Stefan Esser
SektionEins GmbH www.sektioneins.de -= Security Advisory =- Advisory: Piwik Cookie Unserialize() Vulnerability Release Date: 2009/12/09 Last Modified: 2009/12/09 Author: Stefan Esser [stefan.esser

Advisory 02/2009: PHPIDS Unserialize() Vulnerability

2009-12-09 Thread Stefan Esser
SektionEins GmbH www.sektioneins.de -= Security Advisory =- Advisory: PHPIDS Unserialize() Vulnerability Release Date: 2009/12/09 Last Modified: 2009/12/09 Author: Stefan Esser [stefan.esser[at]sektioneins.de

Advisory 01/2009: Horde_Form_Type_image Arbitrary File Overwrite Vulnerability

2009-09-18 Thread Stefan Esser
Vulnerability Release Date: 2009/09/18 Last Modified: 2009/09/18 Author: Stefan Esser [stefan.esser[at]sektioneins.de] Application: Horde Application Framework <= 3.2.4 Severity: PHP applications using the Horde_Form_Type_image form element can be tricked into overwriting

Re: [Full-disclosure] PHP filesystem attack vectors

2009-02-09 Thread Stefan Esser
something very similar to Suhosin. Stefan Esser

Advisory 06/2008: PHP ZipArchive::extractTo() Directory Traversal Vulnerability

2008-12-04 Thread Stefan Esser
: 2008/12/04 Author: Stefan Esser [stefan.esser[at]sektioneins.de] Application: PHP 5 <= 5.2.6 Severity: PHP applications using ZipArchive::extractTo() to unpack zip archive files can be tricked to overwrite arbitrary files writable by the webserver which

Advisory 05/2008: Wordpress user_login Column SQL Truncation Vulnerability

2008-09-12 Thread Stefan Esser
: 2008/09/12 Author: Stefan Esser [stefan.esser[at]sektioneins.de] Application: Wordpress <= 2.6.1 Severity: MySQL column truncation allows resetting the passwords of wordpress users to random strings. Combined with weaknesses in PHP's PRNG this allows

Advisory 04/2008: Joomla Weak Random Password Reset Token Vulnerability

2008-09-11 Thread Stefan Esser
: 2008/09/11 Author: Stefan Esser [stefan.esser[at]sektioneins.de] Application: Joomla <= 1.5.7 Severity: Usage of mt_rand() and mt_srand() for generation of cryptographic secrets like random password reset tokens Risk: High Vendor Status: Vendor has

Advisory SE-2008-02: PHP GENERATE_SEED() Weak Random Number Seed Vulnerability

2008-05-06 Thread Stefan Esser
: 2008/05/06 Author: Stefan Esser [stefan.esser[at]sektioneins.de] Application: PHP 5 <= 5.2.5, PHP 4 <= 4.4.8 Severity: Weak random number seed might lead to security problems in PHP applications using random numbers Risk: Low Vendor Status: Vendor

Advisory SE-2008-03: PHP Multibyte Shell Command Escaping Bypass Vulnerability

2008-05-06 Thread Stefan Esser
: 2008/05/06 Author: Stefan Esser [stefan.esser[at]sektioneins.de] Application: PHP 5 <= 5.2.5, PHP 4 <= 4.4.8 Severity: Several shell locales with support for east asian variable width encodings allow bypassing PHP's shell command escaping

Advisory SE-2008-01: PunBB Blind Password Recovery Vulnerability

2008-02-20 Thread Stefan Esser
Author: Stefan Esser [stefan.esser[at]sektioneins.de] Application: PunBB <= 1.2.16 Severity: Weak random numbers lead to a blind password recovery vulnerability that allows account takeover Risk: High Vendor Status: Vendor has released PunBB 1.2.17 which fixes

Advisory SE-2007-01: TikiWiki Remote PHP Code Evaluation Vulnerability

2007-10-29 Thread Stefan Esser
/29 Author: Stefan Esser [stefan.esser[at]sektioneins.de] Application: TikiWiki <= 1.9.8.1 Severity: Remote PHP code execution when TikiWiki's sheet feature is activated Risk: Medium Vendor Status: Vendor has released TikiWiki 1.9.8.2 which fixes this issue

Re: [Full-disclosure] PHP import_request_variables() arbitrary variable overwrite

2007-03-11 Thread Stefan Esser
developers considered it NOT A VULNERABILITY. Well now the PHP developers have committed a fix for this to the PHP CVS, crediting you instead of the original reporter (me) and as usual the fix is only fixing a part of the problem. (Hint: long names like HTTP_POST_VARS do exist...) Stefan Esser

Re: [Full-disclosure] PHP import_request_variables() arbitrary variable overwrite

2007-03-10 Thread Stefan Esser
they will continue with their old habits. Stefan Esser

Advisory 03/2007: Multiple Browsers Cross Domain Charset Inheritance Vulnerability

2007-02-23 Thread Stefan Esser
Modified: 2007/02/23 Author: Stefan Esser [EMAIL PROTECTED] Application: Firefox <= 2.0.0.1, Internet Explorer 7, Opera 9 Not affected: Internet Explorer 6, Opera 8 Severity: Web-pages without a defined charset will be rendered with the charset of the parent page when

Advisory 02/2007: WordPress Trackback Charset Decoding SQL Injection Vulnerability

2007-01-05 Thread Stefan Esser
Modified: 2007/01/05 Author: Stefan Esser [EMAIL PROTECTED] Application: WordPress <= 2.0.5 Severity: The support of trackbacks in different charsets can be used to bypass WordPress's SQL injection protection. This might result in a compromise

Advisory 01/2007: WordPress CSRF Protection XSS Vulnerability

2007-01-05 Thread Stefan Esser
Author: Stefan Esser [EMAIL PROTECTED] Application: WordPress <= 2.0.5 Severity: The CSRF protection of WordPress's administration interface is vulnerable to an XSS vulnerability which might result in a compromise of the admin account

Advisory 14/2006: Dotdeb PHP Email Header Injection Vulnerability

2006-11-14 Thread Stefan Esser
/11/14 Author: Stefan Esser [EMAIL PROTECTED] Application: Dotdeb PHP 5.2.0 Rev 3 Severity: Calling PHP scripts with special crafted URLs can result in arbitrary email header injection Risk: Critical Vendor Status: Vendor has fixed this with Dotdeb PHP 5.2.0 rev

Advisory 12/2006: phpMyAdmin - error.php XSS Vulnerability

2006-11-02 Thread Stefan Esser
Author: Stefan Esser [EMAIL PROTECTED] Application: phpMyAdmin <= 2.9.0.2 Severity: XSS vulnerability in an error displaying script Risk: Medium Critical Vendor Status: Vendor has released an updated version References: http://www.hardened-php.net/advisory_122006.137.html

Advisory 13/2006: PHP HTML Entity Encoder Heap Overflow Vulnerability

2006-11-02 Thread Stefan Esser
: 2006/11/03 Author: Stefan Esser [EMAIL PROTECTED] Application: PHP 5 <= 5.1.6, PHP 4 <= 4.4.4 Severity: Buffer overflows in htmlentities() and htmlspecialchars() may result in arbitrary remote code execution Risk: Critical Vendor Status: Vendor has

Advisory 11/2006: Serendipity Weblog XSS Vulnerabilities

2006-10-19 Thread Stefan Esser
Author: Stefan Esser [EMAIL PROTECTED] Application: Serendipity <= 1.0.1 Severity: Multiple XSS vulnerabilities within the administration interface allow Cross Site Scripting attacks against the blog admin Risk: Critical Vendor Status: Vendor has

Advisory 10/2006: ViewVC Undefined Charset UTF-7 XSS Vulnerability

2006-10-16 Thread Stefan Esser
: 2006/10/15 Author: Stefan Esser [EMAIL PROTECTED] Application: ViewVC <= 1.0.2 Severity: A missing default charset definition allows XSS attacks against browsers interpreting UTF-7 (IE, mozilla family) Risk: Medium Vendor Status: Vendor released 1.0.3 which

Advisory 09/2006: PHP unserialize() Array Creation Integer Overflow

2006-10-09 Thread Stefan Esser
/10/09 Author: Stefan Esser [EMAIL PROTECTED] Application: PHP 5 <= 5.1.6, PHP 4 > 4.3.0 Not affected: PHP 4 <= 4.3.0, PHP with Hardening-Patch, PHP with Suhosin-Patch Severity: User-input passed to the unserialize() function might trigger

Advisory 08/2006: PHP open_basedir Race Condition Vulnerability

2006-10-04 Thread Stefan Esser
/04 Author: Stefan Esser [EMAIL PROTECTED] Application: PHP 4/5 Not affected: PHP with Suhosin Extension 0.9.6 Severity: A design flaw of open_basedir allows bypassing it with the symlink() function Risk: Critical References: http://www.hardened-php.net

Advisory 07/2006: phpMyAdmin Multiple CSRF Vulnerabilities

2006-10-02 Thread Stefan Esser
Author: Stefan Esser [EMAIL PROTECTED] Application: phpMyAdmin <= 2.9.0 Severity: Multiple vulnerabilities within phpMyAdmin allow bypassing its protection against CSRF Risk: Medium Critical Vendor Status: Vendor has released an updated version References

Advisory 06/2006: PHProjekt (Remote) Include Vulnerabilities

2006-09-29 Thread Stefan Esser
Author: Stefan Esser [EMAIL PROTECTED] Application: PHProjekt 5.1.1 Severity: An unverified path may allow an attacker to inject and execute arbitrary PHP code Risk: Critical Vendor Status: Vendor has released an updated version References: http

Advisory 05/2006: Zend Platform Multiple Remote Vulnerabilities

2006-08-24 Thread Stefan Esser
/24 Author: Stefan Esser [EMAIL PROTECTED] Application: Zend Platform <= 2.2.1 Severity: Malformed session ids may lead to multiple security problems Risk: Critical Vendor Status: Vendor has released an updated version References: http://www.hardened-php.net

PHP: Zend_Hash_Del_Key_Or_Index Vulnerability

2006-08-07 Thread Stefan Esser
be: Very Critical http://www.hardened-php.net/hphp/zend_hash_del_key_or_index_vulnerability.html Greets, Stefan Esser

Advisory 04/2006: DokuWiki PHP code execution vulnerability in spellchecker

2006-06-05 Thread Stefan Esser
Modified: 2006/06/05 Author: Stefan Esser [EMAIL PROTECTED] Application: DokuWiki <= 2006/06/04 Severity: DokuWiki's spellchecker allows remote PHP code execution Risk: Critical Vendor Status: Vendor has released an updated version References: http://www.hardened-php.net

Re: [Full-disclosure] Critical PHP bug - act ASAP if you are running web with sensitive data

2006-03-28 Thread Stefan Esser
Hello, just to stop this: The bug is a binary safety issue in html_entity_decode. A function that is not usually used on user input, because user input is usually not expected in HTML format and then decoded. Even if the function is used on user input it can only leak memory to a potential

Advisory 02/2006: PHP ext/mysqli Format String Vulnerability

2006-01-12 Thread Stefan Esser
Author: Stefan Esser [EMAIL PROTECTED] Application: PHP5.1 <= 5.1.1 Not Affected: PHP4, PHP 5.0.x, PHP 5.1.x with Hardening-Patch Severity: A format string vulnerability in the exception handling of the new mysqli extension may result in remote code

Advisory 01/2006: PHP ext/session HTTP Response Splitting Vulnerability

2006-01-12 Thread Stefan Esser
: 2006/01/12 Author: Stefan Esser [EMAIL PROTECTED] Application: PHP5 <= 5.1.1 Not Affected: PHP4, PHP5 with Hardening-Patch Severity: PHP applications using PHP5's session extension are vulnerable to HTTP Response Splitting attacks Risk: Critical

Advisory 26/2005: TinyMCE Compressor Vulnerabilities

2005-12-30 Thread Stefan Esser
Author: Stefan Esser [EMAIL PROTECTED] Application: TinyMCE Compressor <= 1.0.5 and applications that bundle it, like Wordpress 2.0 Severity: Unchecked user input is directly used within filenames or printed into the output buffer which allows disclosure

Advisory 25/2005: phpMyAdmin Variables Overwrite Vulnerability

2005-12-07 Thread Stefan Esser
/07 Author: Stefan Esser [EMAIL PROTECTED] Application: phpMyAdmin 2.7.0(-rc1) Severity: A flaw in the variable overwrite protection may lead to several XSS and local and remote file inclusion vulnerabilities Risk: Critical Vendor Status: Vendor

Advisory 24/2005: libcurl URL parsing vulnerability

2005-12-07 Thread Stefan Esser
Author: Stefan Esser [EMAIL PROTECTED] Application: Curl <= 7.15.0, libcurl <= 7.15.0 Severity: When (lib)Curl tries to parse a certain kind of malformed URLs this leads to a heap overflow Risk: Low Vendor Status: Vendor has released an updated version

Advisory 20/2005: PHP File-Upload $GLOBALS Overwrite Vulnerability

2005-10-31 Thread Stefan Esser
/10/31 Author: Stefan Esser [EMAIL PROTECTED] Application: PHP4 <= 4.4.0, PHP5 <= 5.0.5 Severity: $GLOBALS overwrite can lead to unexpected behaviour of PHP applications, which can lead to execution of remote PHP code in many situations

Advisory 19/2005: PHP register_globals Activation Vulnerability in parse_str()

2005-10-31 Thread Stefan Esser
Modified: 2005/10/31 Author: Stefan Esser [EMAIL PROTECTED] Application: PHP4 <= 4.4.0, PHP5 <= 5.0.5 Severity: Unsafe termination of parse_str() may result in the register_globals directive turned back on Risk: Low Vendor Status: Vendor has released

Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()

2005-10-31 Thread Stefan Esser
Modified: 2005/10/31 Author: Stefan Esser [EMAIL PROTECTED] Application: PHP4 <= 4.4.0, PHP5 <= 5.0.5 Severity: A Cross Site Scripting (XSS) Vulnerability in phpinfo() could e.g. lead to cookie data exposure if an info script is left on a production

Advisory 17/2005: phpBB Multiple Vulnerabilities

2005-10-31 Thread Stefan Esser
Author: Stefan Esser [EMAIL PROTECTED] Application: phpBB <= 2.0.17 Severity: Multiple vulnerabilities allow XSS, SQL injection and remote code execution Risk: Critical Vendor Status: Vendor has released an updated version References: http://www.hardened-php.net

Re: PFinger 0.7.8 format string vulnerability (#NISR16122002B)

2002-12-17 Thread Stefan Esser
its way to the fingerd. Stefan Esser

RE: PFinger 0.7.8 format string vulnerability (#NISR16122002B)

2002-12-16 Thread Stefan Esser
not allow % within domain names and so your format string vulnerability is not exploitable at all... Stefan Esser

Advisory 05/2002: Another Fetchmail Remote Vulnerability

2002-12-13 Thread Stefan Esser
e-matters GmbH www.e-matters.de -= Security Advisory =- Advisory: Fetchmail remote vulnerability Release Date: 2002/12/13 Last Modified: 2002/12/13 Author: Stefan Esser [[EMAIL PROTECTED]] Application

Advisory 04/2002: Multiple MySQL vulnerabilities

2002-12-12 Thread Stefan Esser
e-matters GmbH www.e-matters.de -= Security Advisory =- Advisory: Multiple MySQL vulnerabilities Release Date: 2002/12/12 Last Modified: 2002/12/12 Author: Stefan Esser [[EMAIL PROTECTED]] Application

Advisory 03/2002: Fetchmail remote vulnerabilities

2002-09-30 Thread Stefan Esser
e-matters GmbH www.e-matters.de -= Security Advisory =- Advisory: Fetchmail remote vulnerabilities Release Date: 2002/09/29 Last Modified: 2002/09/29 Author: Stefan Esser [[EMAIL PROTECTED

Apache Exploit

2002-06-20 Thread Stefan Esser
instruction pointer before the memcpy call... just my 0.02 cents Stefan Esser - e-matters Security