[nycphp-talk] php problems from SecurityFocus Newsletter # 210

Analysis & Solutions danielc at analysisandsolutions.com
Mon Aug 18 16:07:25 EDT 2003


Hey Folks:

Last week's lull has been more than made up for by this week's flood, including 
a vulnerability in PHP itself...

---------------------------
A PROBLEM IN PHP ITSELF !!!
---------------------------
PHP DLOpen Arbitrary Web Server Process Memory Vulnerability
http://www.securityfocus.com/bid/8405

A problem has been reported in the dlopen function of PHP when used with
the Apache web server.  Because of this, an attacker may be able to gain
unauthorized access to potentially sensitive information.

The problem is in the ability to access the memory of the calling process.
When a PHP script is executed by an Apache process, it is possible to
dump the contents of the Apache process memory to a text file.  This could
be used by an attacker to gain access to potentially sensitive information
which could include authentication credentials.  The function may also
permit other attacks, such as allowing an attacker to deliver different
content other than what the server is configured to serve.


-----------------------------
PROBLEMS IN APPS THAT USE PHP
-----------------------------
[Yet more] PostNuke Downloads / Web_Links Modules TTitle Cross-site Scr...
http://www.securityfocus.com/bid/8374

Multiple geeeekShop Information Disclosure Vulnerabilities
http://www.securityfocus.com/bid/8380

Invision Power Board Admin.PHP Cross-Site Scripting Vulnerab...
http://www.securityfocus.com/bid/8381

DCForum+ Subject Field HTML Injection Vulnerability
http://www.securityfocus.com/bid/8384
[This issue is exposed through the dcboard.php script.]

Better Basket Pro Store Builder Remote Path Disclosure Vulne...
http://www.securityfocus.com/bid/8386

PHPOutSourcing Zorum Cross-Site Scripting Vulnerability
http://www.securityfocus.com/bid/8388

News Wizard Path Disclosure Vulnerability
http://www.securityfocus.com/bid/8389

PHP Website Calendar Module SQL Injection Vulnerabilities
http://www.securityfocus.com/bid/8390

PHP Website Multiple Module Cross-Site Scripting Vulnerabili...
http://www.securityfocus.com/bid/8393

PHPOutsourcing Zorum Path Disclosure Vulnerability
http://www.securityfocus.com/bid/8396

Horde Application Framework Account Hijacking Vulnerability
http://www.securityfocus.com/bid/8399

HostAdmin Path Disclosure Vulnerability
http://www.securityfocus.com/bid/8401

Xoops BBCode HTML Injection Vulnerability
http://www.securityfocus.com/bid/8414

HolaCMS HTMLtags.PHP Local File Include Vulnerability
http://www.securityfocus.com/bid/8416


Enjoy,

--Dan

-- 
     FREE scripts that make web and database programming easier
           http://www.analysisandsolutions.com/software/
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
 4015 7th Ave #4AJ, Brooklyn NY    v: 718-854-0335   f: 718-854-0409