About

This initiative continues the effort of Hardened-PHP's Month of PHP Bugs in 2007 to improve the security of PHP and

the PHP ecosystem by disclosing vulnerabilities in PHP and PHP applications on the one hand and on the other hand

by publishing articles and tools that help PHP application developers to develop more secure PHP applications.

(SektionEins GmbH, 2010).

Winners of the Month of PHP Security

June 10th, 2010

The Month of PHP Security is over and the MOPS CFP Committee has made a final decision about the ranking of the articles and tools submitted to us. And the winners are…

May 21st, 2010

On 18th of June 2010 Stefan Esser will present his PHP memory corruption exploitation talk at SyScan Singapore ‘10. The talk is about returning into the PHP interpreter from a remotely triggered memory corruption vulnerability in PHP. The vulnerability discussed will not be disclosed to the public during the Month of PHP Security.

« Older News Entries

Articles / Tools

Date Title Description

May 31st

As a last minute addition to the Month of PHP Security we present an article by Ben Fuhrmannek about virtual meta-scripting bytecode for PHP and JavaScript.

May 26th

MOPS Submission 10: How to manage a PHP application’s users and passwords

It is time to present you the tenth and last external MOPS submission. It is an article by Solar Designer describing in length how to manage PHP application’s users and passwords.

May 24th

MOPS Submission 09: RIPS – A static source code analyser for vulnerabilities in PHP scripts

During the last hours of the CFP we received the following MOPS submission by Johannes Dahse. It is a static code analysing tool for PHP based on the tokenizer extension.

May 22nd

MOPS Submission 08: Configuration Encryption Patch for Suhosin

Today it is time to present you the eighth external MOPS submission. It is an article by Juergen Pabel describing a new feature for the Suhosin Extension that allows encrypting configuration strings.

May 20th

MOPS Submission 07: Our Dynamic PHP – Obvious and not so obvious PHP code injection and evaluation

Today we want to present you the seventh external MOPS submission. It is an article about usual and unusual PHP code execution vulnerabilities sent in by Arthur Gerkis.

May 17th

MOPS Submission 06: Variable Initialization in PHP

Today we want to present you the sixth external MOPS submission. It is the second article sent in by Jakub Vrana. This one is about variable initialization in PHP.

May 13th

Article: Decoding a User Space Encoded PHP Script

Today we present you a short article about how to decode a PHP file encoded with the php-crypt.com PHP encoder. This article was written today by after having seen an advertisement for php-crypt in the Xing PHP Development Forum.

May 11th

MOPS Submission 05 – The Minerva PHP Fuzzer

Today it is time for the fifth external MOPS submission. It it the second submission by Mateusz Kocielski, an article about his PHP fuzzer called Minerva.

May 9th

MOPS Submission 04 – Generating Unpredictable Session IDs and Hashes

Today we want to present you the fourth external MOPS submission. It was submitted by Jordi Boggiano and explains how to generate unpredictable session ids and hashes in PHP.

May 7th

MOPS Submission 03 – sqlite_single_query(), sqlite_array_query() Uninitialized Memory Usage

Today we want to present you the third external MOPS submission. It is the first of two submissions sent in by Mateusz Kocielski. This one is a detailed explanation about how to exploit the sqlite_single_query() and sqlite_array_query() uninitialized memory usage.

May 5th

MOPS Submission 02 – Context-aware HTML escaping

Today we want to present you the second external MOPS submission. It is one of two articles sent in by . This one is about context-aware HTML escaping in PHP.

May 3rd

MOPS Submission 01 – A New Open Source Tool: OWASP ESAPI for PHP

Today we want to present you the first external MOPS submission. It was sent in by Mike Boberski on behalf of the OWASP ESAPI development team. It is an article about their OWASP ESAPI for PHP.

May 1st

Article: PHP Web Security

This article is the first part of the HTML version of SektionEins GmbH’s PHP Web Security Poster. You can download an outdated PDF version here.

Bugs

# Date Title Description

61

June 25th

PHP SplObjectStorage Deserialization Use-After-Free Vulnerability

A use-after-free vulnerability was discovered in the deserialization of SPLObjectStorage objects that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely.

60

May 31st

PHP Session Serializer Session Data Injection Vulnerability

PHP’s default sesson serializer wrongly handles the PS_UNDEF_MARKER character

59

May 31st

PHP php_mysqlnd_auth_write() Stack Buffer Overflow Vulnerability

PHP’s php_mysqlnd_auth_write() does not check user supplied values which can result in a stack based buffer overflow.

58

May 31st

PHP php_mysqlnd_read_error_from_line() Buffer Overflow Vulnerability

PHP’s php_mysqlnd_read_error_from_line() trusts network data which can result in a heap based buffer overflow.

57

May 31st

PHP php_mysqlnd_rset_header_read() Buffer Overflow Vulnerability

PHP’s php_mysqlnd_rset_header_read() trusts network data which can result in a heap based buffer overflow.

56

May 31st

PHP php_mysqlnd_ok_read() Information Leak Vulnerability

PHP’s php_mysqlnd_ok_read() trusts network data which can result in a heap information leak.

55

May 31st

PHP ArrayObject::uasort() Interruption Memory Corruption Vulnerability

PHP’s ArrayObject::uasort() method can be interrupted and used for memory corruption attacks.

54

May 31st

PHP ZEND_CONCAT/ZEND_ASSIGN_CONCAT Opcode Interruption Information Leak and Memory Corruption Vulnerability

PHP’s ZEND_CONCAT/ZEND_ASSIGN_CONCAT opcodes can be abused for information leakage or memory corruption by a userspace error handler interruption attack. This can be leveraged to execute arbitrary code.

53

May 31st

PHP ZEND_FETCH_RW Opcode Interruption Information Leak Vulnerability

PHP’s ZEND_FETCH_RW opcode can be abused for information leakage by a userspace error handler interruption attack.

52

May 31st

PHP pack() Interruption Information Leak Vulnerability

PHP’s pack() function can be interrupted and used for information leakage due to call time pass by reference.

51

May 31st

PHP unpack() Interruption Information Leak Vulnerability

PHP’s unpack() function can be interrupted and used for information leakage due to call time pass by reference.

50

May 31st

PHP preg_match() Interruption Information Leak Vulnerability

PHP’s preg_match() function can be interrupted by an object destructor causing information leaks due to call time pass by reference.

49

May 31st

PHP parse_str() Interruption Memory Corruption Vulnerability

PHP’s parse_str() function can be interrupted by deeply nested arrays which can lead to memory corruption and arbitrary code execution.

48

May 30th

PHP substr_replace() Interruption Information Leak Vulnerability

PHP’s substr_replace() function can be abused for information leak attacks, because of the call time pass by reference feature.

47

May 30th

PHP trim()/ltrim()/rtrim() Interruption Information Leak Vulnerability

PHP’s trim()/ltrim()/rtrim() function can be abused for information leak attacks, because of the call time pass by reference feature.

46

May 26th

PHP str_pad() Interruption Information Leak Vulnerability

PHP’s str_pad() function can be abused for information leak attacks, because of the call time pass by reference feature.

45

May 26th

PHP str_word_count() Interruption Information Leak Vulnerability

PHP’s str_word_count() function can be abused for information leak attacks, because of the call time pass by reference feature.

44

May 26th

PHP wordwrap() Interruption Information Leak Vulnerability

PHP’s wordwrap() function can be abused for information leak attacks, because of the call time pass by reference feature.

43

May 26th

PHP strtok() Interruption Information Leak Vulnerability

PHP’s strtok() function can be abused for information leak attacks, because of the call time pass by reference feature.

42

May 26th

PHP setcookie() Interruption Information Leak Vulnerability

PHP’s setcookie() function can be abused for information leak attacks, because of the call time pass by reference feature.

41

May 26th

PHP strip_tags() Interruption Information Leak Vulnerability

PHP’s strip_tags() function can be abused for information leak attacks, because of the call time pass by reference feature.

40

May 21st

PHP strtr() Interruption Information Leak Vulnerability

PHP’s strtr() function can be abused for information leak attacks, similar to all the other interruption exploits. However the interruption is not triggered inside the zend_parse_parameters() function and therefore another fix is required.

39

May 21st

PHP strpbrk() Interruption Information Leak Vulnerability

PHP’s strpbrk() function can be abused for information leak attacks, because of the call time pass by reference feature.

38

May 21st

PHP http_build_query() Interruption Information Leak Vulnerability

PHP’s http_build_query() function can be abused for information leak attacks, because of the call time pass by reference feature.

37

May 21st

PHP str_getcsv() Interruption Information Leak Vulnerability

PHP’s str_getcsv() function can be abused for information leak attacks, because of the call time pass by reference feature.

36

May 21st

PHP htmlentities() and htmlspecialchars() Interruption Information Leak Vulnerability

PHP’s htmlentities() and htmlspecialchars() functions can be abused for information leak attacks, because of the call time pass by reference feature.

35

May 19th

e107 BBCode Remote PHP Code Execution Vulnerability

It was discovered that access control to the [php] bbcode which allows executing PHP code is wrongly implemented in e107. This allows unauthenticated users to execute arbitrary PHP code easily.

34

May 18th

PHP iconv_mime_encode() Interruption Information Leak Vulnerability

PHP’s iconv_mime_encode() function can be abused for information leak attacks, because of the call time pass by reference feature. This vulnerability also demonstrates that fixing zend_parse_parameters() is not enough to kill some of these vulnerabilities.

33

May 18th

PHP iconv_substr() Interruption Information Leak Vulnerability

PHP’s iconv_substr() function can be abused for information leak attacks, because of the call time pass by reference feature.

32

May 18th

PHP iconv_mime_decode() Interruption Information Leak Vulnerability

PHP’s iconv_mime_decode() function can be abused for information leak attacks, because of the call time pass by reference feature.

31

May 16th

e107 Usersettings loginname SQL Injection Vulnerability (UPDATED)

An SQL Injection vulnerability was discovered in the user settings dialog of e107 that allows any user to become an admin easily.

30

May 15th

CMSQlite mod Parameter Local File Inclusion Vulnerability

A local file inclusion vulnerability was discovered in CMSQlite that might allow remote PHP code execution.

29

May 15th

CMSQlite c Parameter SQL Injection Vulnerability

An SQL Injection vulnerability was discovered in CMSQlite that allows to retrieve all data from the database.

28

May 14th

PHP phar_wrapper_open_url Format String Vulnerabilities

The new phar extension in PHP 5.3 contains several format string vulnerabilities in the internal phar_wrapper_open_url() function.

27

May 14th

PHP phar_parse_url Format String Vulnerabilities

The new phar extension in PHP 5.3 contains several format string vulnerabilities in the internal phar_parse_url() function.

26

May 14th

PHP phar_wrapper_unlink Format String Vulnerability

The new phar extension in PHP 5.3 contains a format string vulnerability in the internal phar_wrapper_unlink() function.

25

May 14th

PHP phar_wrapper_open_dir Format String Vulnerability

The new phar extension in PHP 5.3 contains a format string vulnerability in the internal phar_wrapper_open_dir() function.

24

May 14th

PHP phar_stream_flush Format String Vulnerability

The new phar extension in PHP 5.3 contains a format string vulnerability in the internal phar_stream_flush() function.

23

May 13th

Cacti Graph Viewer SQL Injection Vulnerability

An SQL Injection vulnerability was discovered in Cacti that allows to retrieve all data from the database. In Cacti installations with publicly viewable graphs this vulnerability is a pre-auth SQL injection vulnerability.

22

May 12th

PHP Stream Context Use After Free on Request Shutdown Vulnerability

PHP uses the stream context during stream destruction, although it was already freed in the request shutdown before.

21

May 11th

PHP fnmatch() Stack Exhaustion Vulnerability

PHP’s fnmatch() function can be used to crash PHP through a stack exhaustion attack.

20

May 10th

Xinha WYSIWYG Plugin Configuration Injection Vulnerability

A preauth plugin configuration injection vulnerability was discovered in the WYSIWYG editor Xinha that allows e.g. uploading arbitrary PHP files to the webserver.

19

May 10th

Serendipity WYSIWYG Editor Plugin Configuration Injection Vulnerability

A preauth plugin configuration injection vulnerability was discovered in the WYSIWYG editor (Xinha) bundled with Serendipity Weblog that allows e.g. uploading arbitrary PHP files to the webserver.

18

May 9th

EFront ask_chat chatrooms_ID SQL Injection Vulnerability

A preauth SQL injection vulnerability was discovered in the chat feature of EFront that allows retrieving all data from the database by simple URL manipulation.

17

May 9th

PHP preg_quote() Interruption Information Leak Vulnerability

PHP’s preg_quote() function can be abused for information leak attacks, because of the call time pass by reference feature.

16

May 8th

PHP ZEND_SR Opcode Interruption Address Information Leak Vulnerability

PHP’s ZEND_SR opcode can be abused for address information leak attacks by an userspace error handler interruption attack.

15

May 8th

PHP ZEND_SL Opcode Interruption Address Information Leak Vulnerability

PHP’s ZEND_SL opcode can be abused for address information leak attacks by an userspace error handler interruption attack.

14

May 8th

PHP ZEND_BW_XOR Opcode Interruption Address Information Leak Vulnerability

PHP’s ZEND_BW_XOR opcode can be abused for address information leak attacks by an userspace error handler interruption attack.

13

May 7th

PHP sqlite_array_query() Uninitialized Memory Usage Vulnerability

PHP’s sqlite_array_query() function will use uninitialized memory if it is used with an empty SQL query. This can lead to arbitrary code execution.

12

May 7th

PHP sqlite_single_query() Uninitialized Memory Usage Vulnerability

PHP’s sqlite_single_query() function will use uninitialized memory if it is used with an empty SQL query. This can lead to arbitrary code execution.

11

May 6th

DeluxeBB newthread SQL Injection Vulnerability

A SQL injection vulnerability was discovered in DeluxeBB that allows retrieving all the data from the database by adding new threads to the forum.

10

May 6th

PHP html_entity_decode() Interruption Information Leak Vulnerability

PHP’s html_entity_decode() function can be abused for information leak attacks, because of the call time pass by reference feature.

9

May 5th

PHP shm_put_var() Already Freed Resource Access Vulnerability

When PHP’s shm_put_var() function is interrupted by an object’s __sleep() function it can destroy the shm resource used by this function which allows to write an arbitrary memory address.

8

May 4th

PHP chunk_split() Interruption Information Leak Vulnerability

PHP’s chunk_split() function can be abused for information leak attacks, because of the call time pass by reference feature.

7

May 4th

ClanTiger Shoutbox Module s_email SQL Injection vulnerability

A SQL injection vulnerability was discovered in the shoutbox module of ClanTiger that allows retrieving all the data from the database.

6

May 3rd

PHP addcslashes() Interruption Information Leak Vulnerability

PHP’s addcslashes() function can be abused for information leak attacks, because of the call time pass by reference feature.

5

May 3rd

ClanSphere MySQL Driver Generic SQL Injection Vulnerability

A generic SQL Injection vulnerability was discovered in the MySQL Driver of ClanSphere that allows exploiting a lot of otherwise safe SQL queries.

4

May 3rd

ClanSphere Captcha Generator Blind SQL Injection Vulnerability

A SQL Injection vulnerability was discovered in the Captcha generator of ClanSphere that allows retrieving all the data from the database.

3

May 2nd

PHP dechunk Filter Signed Comparison Vulnerability

PHP’s dechunk filter that can be used to decode remote HTTP chunked encoding streams, performs a signed comparison of the chunk size against the space in the buffer. A negative number will result in a far to many bytes (2GB – 4GB) being copied between heap buffers, which results in a crash.

2

May 1st

Campsite TinyMCE Article Attachment SQL Injection Vulnerability

A SQL Injection vulnerability was discovered in the TinyMCE custom article attachment plugin within Campsite that allows retrieving all data from the database.

1

May 1st

PHP hash_update_file() Already Freed Resource Access Vulnerability

During Month of PHP Bugs in 2007 the same vulnerability was already disclosed to the general public. Because the issue remained unfixed for three years the Month of PHP Security 2010 starts with this old unfixed vulnerability.