PHPLIB unspecified system compromise

phplib-code-execution (24873). Risk level: High.

Description:

The PHP Base Library (PHPLIB) could allow a remote attacker to gain complete control over an affected system.

Consequences:

Gain Access

Remedy:

Upgrade to the latest version of PHPLIB (7.4a or later), available from the PHPLIB Web site. See References.

References:

  • PHPLIB Web site: PHP Base Library.
  • BID-16801: PHPLIB Unspecified Code Execution Vulnerability
  • CVE-2006-0887: Eval injection vulnerability in sessions.inc in PHP Base Library (PHPLib) before 7.4a, when index.php3 from the PHPLib distribution is available on the server, allows remote attackers to execute arbitrary PHP code by including a base64-encoded representation of the code in a cookie. NOTE: this description was significantly updated on 20060605 to reflect new details after an initial vague advisory.
  • CVE-2006-2826: SQL injection vulnerability in sessions.inc in PHP Base Library (PHPLib) before 7.4a allows remote attackers to execute arbitrary SQL commands via the id variable, which is set by a client through a query string or a cookie.
  • OSVDB ID: 23466: PHPLIB Unspecified Remote Code Execution
  • SA16902: PHPLIB Session Handling SQL Injection Vulnerability
  • SECTRACK ID: 1016123: PHPLib Input Validation Flaws Let Remote Users Inject SQL Commands and Execute Arbitrary PHP Code
  • VUPEN/ADV-2006-0720: PHPLIB Parameter Handling Remote Command Execution Vulnerability

Platforms Affected:

  • PHPLIB PHPLIB 7.4

Reported:

Feb 24, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
