- Multiple denial of service vulnerabilities in PHP -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)
MADRID, April 7, 2005 - iDefense has reported multiple denial of service
vulnerabilities in the PHP scripting language, which could allow an attacker
to crash the system.
The problem lies in how the routines php_handle_iff() and php_handle_jpeg()
handle the PHP function getimagesize(), which is used to determine the size
and dimensions of a large number of image formats, including GIF, JPG, PNG,
TIFF, etc.
The first flaw lies in the php_handle_iff() function, defined in
ext/standard/image.c, and could allow a remote attacker to use up all of the
CPU resources, resulting in a denial of service.
The second vulnerability is due to insufficient validation of JPEG file
headers in the php_handle_jpeg() function, also defined in
ext/standard/image.c. This format contains a length field that could be
manipulated to cause an infinite loop on copying file data to memory.
These vulnerabilities could be exploited by unauthenticated remote users to
consume 100 percent of the CPU resources on vulnerable systems. To do this,
an attacker can supply a malicious image to the getimagesize() PHP routine.
The getimagesize() PHP routine is frequently used when handling
user-supplied image uploads, which increases the probability of a success
attack.
The original security advisory about these vulnerabilities is available at:
http://www.idefense.com/application/poi/display?id=222&type=vulnerabilities&;
flashstatus=true
--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.308 / Virus Database: 266.9.4 - Release Date: 4/6/2005
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
