Vulnerability CVE-2007-1885 - CERT Civis.Net

Vulnerability Name:

CVE-2007-1885 (CCN-33767)

Assigned:

2007-03-31

Published:

2007-03-31

Updated:

2018-10-30

Summary:

Integer overflow in the str_replace function in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 allows context-dependent attackers to execute arbitrary code via a single character search string in conjunction with a long replacement string, which overflows a 32 bit length counter.
Note: this is probably the same issue as CVE-2007-0906.6.

CVSS v3 Severity:

5.6 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
5.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

5.1 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P)
4.0 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2007-1885

Source: HP
Type: UNKNOWN
SSRT071423

Source: HP
Type: UNKNOWN
HPSBTU02232

Source: CCN
Type: HP Security Bulletin HPSBTU02232 SSRT071429
Secure Web Server for HP Tru64 UNIX Powered by Apache (SWS) or HP Internet Express for Tru64 UNIX running PHP, Remote Arbitrary Code Execution, Unauthorized Disclosure of Information, or Denial of Service (DoS)

Source: CCN
Type: SA25423
HP System Management Homepage PHP Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
25423

Source: CCN
Type: SA25850
HP Secure Web Server/Internet Express for Tru64 UNIX PHP Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
25850

Source: CCN
Type: OSVDB ID: 33956
PHP str_replace() Function Multiple Remote Overflow

Source: CCN
Type: OSVDB ID: 34706
PHP Session Extension Unspecified Overflow

Source: CCN
Type: OSVDB ID: 34707
PHP zip Extension Unspecified Overflow

Source: CCN
Type: OSVDB ID: 34708
PHP imap Extension Unspecified Overflow

Source: CCN
Type: OSVDB ID: 34709
PHP sqlite Extension Unspecified Overflow

Source: CCN
Type: OSVDB ID: 34710
PHP stream Filters Unspecified Overflow

Source: CCN
Type: OSVDB ID: 34711
PHP str_replace() Function Unspecified Overflow

Source: CCN
Type: OSVDB ID: 34712
PHP mail() Function Unspecified Overflow

Source: CCN
Type: OSVDB ID: 34713
PHP ibase_delete_user() Function Unspecified Overflow

Source: CCN
Type: OSVDB ID: 34714
PHP ibase_add_user() Function Unspecified Overflow

Source: CCN
Type: OSVDB ID: 34715
PHP ibase_modify_user() Function Unspecified Overflow

Source: CCN
Type: MOPB-39-2007
PHP str_replace() Memory Allocation Integer Overflow Vulnerability

Source: MISC
Type: Exploit, Vendor Advisory
http://www.php-security.org/MOPB/MOPB-39-2007.html

Source: CCN
Type: The PHP Group Web site
PHP 5.2.1 Release Announcement

Source: CONFIRM
Type: UNKNOWN
http://www.php.net/releases/5_2_1.php

Source: BID
Type: UNKNOWN
23233

Source: CCN
Type: BID-23233
PHP Str_Replace() Integer Overflow Vulnerability

Source: VUPEN
Type: UNKNOWN
ADV-2007-1991

Source: VUPEN
Type: UNKNOWN
ADV-2007-2374

Source: XF
Type: UNKNOWN
php-strreplace-bo(33767)

Source: XF
Type: UNKNOWN
php-strreplace-bo(33767)

Vulnerable Configuration:

Configuration 1:

cpe:/a:php:php:4.0.0:*:*:*:*:*:*:*

OR cpe:/a:php:php:4.0.1:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.0.1:patch1:*:*:*:*:*:*

OR cpe:/a:php:php:4.0.1:patch2:*:*:*:*:*:*

OR cpe:/a:php:php:4.0.2:*:*:*:*:*:*:*

OR cpe:/a:php:php:4.0.3:*:*:*:*:*:*:*

OR cpe:/a:php:php:4.0.3:patch1:*:*:*:*:*:*

OR cpe:/a:php:php:4.0.4:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.0.4:patch1:*:*:*:*:*:*

OR cpe:/a:php:php:4.0.5:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.0.6:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.0.7:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.0.7:rc1:*:*:*:*:*:*

OR cpe:/a:php:php:4.0.7:rc2:*:*:*:*:*:*

OR cpe:/a:php:php:4.0.7:rc3:*:*:*:*:*:*

OR cpe:/a:php:php:4.1.0:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.1.1:*:*:*:*:*:*:*

OR cpe:/a:php:php:4.1.2:*:*:*:*:*:*:*

OR cpe:/a:php:php:4.2:*:dev:*:*:*:*:*

OR cpe:/a:php:php:4.2.0:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.2.1:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.2.2:*:*:*:*:*:*:*

OR cpe:/a:php:php:4.2.3:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.3.0:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.3.1:*:*:*:*:*:*:*

OR cpe:/a:php:php:4.3.2:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.3.3:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.3.4:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.3.5:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.3.6:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.3.7:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.3.8:*:*:*:*:*:*:*

OR cpe:/a:php:php:4.3.9:*:*:*:*:*:*:*

OR cpe:/a:php:php:4.3.10:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.3.11:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.4.0:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.4.1:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.4.2:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.4.3:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.4.4:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.4.5:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.4.6:-:*:*:*:*:*:*

OR cpe:/a:php:php:5.0:rc1:*:*:*:*:*:*

OR cpe:/a:php:php:5.0:rc2:*:*:*:*:*:*

OR cpe:/a:php:php:5.0:rc3:*:*:*:*:*:*

OR cpe:/a:php:php:5.0.0:-:*:*:*:*:*:*

OR cpe:/a:php:php:5.0.0:beta1:*:*:*:*:*:*

OR cpe:/a:php:php:5.0.0:beta2:*:*:*:*:*:*

OR cpe:/a:php:php:5.0.0:beta3:*:*:*:*:*:*

OR cpe:/a:php:php:5.0.0:beta4:*:*:*:*:*:*

OR cpe:/a:php:php:5.0.0:rc1:*:*:*:*:*:*

OR cpe:/a:php:php:5.0.0:rc2:*:*:*:*:*:*

OR cpe:/a:php:php:5.0.0:rc3:*:*:*:*:*:*

OR cpe:/a:php:php:5.0.1:-:*:*:*:*:*:*

OR cpe:/a:php:php:5.0.2:-:*:*:*:*:*:*

OR cpe:/a:php:php:5.0.3:-:*:*:*:*:*:*

OR cpe:/a:php:php:5.0.4:-:*:*:*:*:*:*

OR cpe:/a:php:php:5.0.5:-:*:*:*:*:*:*

OR cpe:/a:php:php:5.1.0:-:*:*:*:*:*:*

OR cpe:/a:php:php:5.1.1:*:*:*:*:*:*:*

OR cpe:/a:php:php:5.1.2:-:*:*:*:*:*:*

OR cpe:/a:php:php:5.1.3:*:*:*:*:*:*:*

OR cpe:/a:php:php:5.1.4:*:*:*:*:*:*:*

OR cpe:/a:php:php:5.1.5:-:*:*:*:*:*:*

OR cpe:/a:php:php:5.1.6:*:*:*:*:*:*:*

OR cpe:/a:php:php:5.2.0:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:php:php:4.0.5:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.1.1:*:*:*:*:*:*:*

OR cpe:/a:php:php:4.2.0:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.2.1:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.2.3:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.2.2:*:*:*:*:*:*:*

OR cpe:/a:php:php:4.3.0:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.3.4:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.3.9:*:*:*:*:*:*:*

OR cpe:/a:php:php:4.3.10:-:*:*:*:*:*:*

OR cpe:/a:php:php:5.0.3:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.3.11:-:*:*:*:*:*:*

OR cpe:/a:php:php:5.0.4:-:*:*:*:*:*:*

OR cpe:/a:php:php:5.0.0:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.4.0:-:*:*:*:*:*:*

OR cpe:/a:php:php:5.0.5:-:*:*:*:*:*:*

OR cpe:/a:php:php:5.1.1:*:*:*:*:*:*:*

OR cpe:/a:php:php:5.1.2:-:*:*:*:*:*:*

OR cpe:/a:php:php:5.1.4:*:*:*:*:*:*:*

OR cpe:/a:php:php:4.4.2:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.3.3:-:*:*:*:*:*:*

OR cpe:/a:php:php:5.0.2:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.4.3:-:*:*:*:*:*:*

OR cpe:/a:php:php:5.1.6:*:*:*:*:*:*:*

OR cpe:/a:php:php:5.2.0:*:*:*:*:*:*:*

OR cpe:/a:php:php:4.0:beta1:*:*:*:*:*:*

OR cpe:/a:php:php:4.0.1:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.0.2:*:*:*:*:*:*:*

OR cpe:/a:php:php:4.0.3:*:*:*:*:*:*:*

OR cpe:/a:php:php:4.0.4:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.0.6:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.0.7:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.0:beta_4_patch1:*:*:*:*:*:*

OR cpe:/a:php:php:4.0:beta1:*:*:*:*:*:*

OR cpe:/a:php:php:4.0:beta2:*:*:*:*:*:*

OR cpe:/a:php:php:4.0:beta3:*:*:*:*:*:*

OR cpe:/a:php:php:4.0:beta4:*:*:*:*:*:*

OR cpe:/a:php:php:4.1.0:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.1.2:*:*:*:*:*:*:*

OR cpe:/a:php:php:4.3.1:*:*:*:*:*:*:*

OR cpe:/a:php:php:4.3.2:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.3.5:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.3.6:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.3.7:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.3.8:*:*:*:*:*:*:*

OR cpe:/a:php:php:4.4.1:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.4.4:-:*:*:*:*:*:*

OR cpe:/a:php:php:5.0.0:beta1:*:*:*:*:*:*

OR cpe:/a:php:php:5.0.0:beta2:*:*:*:*:*:*

OR cpe:/a:php:php:5.0.0:beta3:*:*:*:*:*:*

OR cpe:/a:php:php:5.0.0:beta4:*:*:*:*:*:*

OR cpe:/a:php:php:5.0.0:rc1:*:*:*:*:*:*

OR cpe:/a:php:php:5.0.0:rc2:*:*:*:*:*:*

OR cpe:/a:php:php:5.0.0:rc3:*:*:*:*:*:*

OR cpe:/a:php:php:5.0.1:-:*:*:*:*:*:*

OR cpe:/a:php:php:5.1.0:-:*:*:*:*:*:*

OR cpe:/a:php:php:5.1.3:*:*:*:*:*:*:*

OR cpe:/a:php:php:5.1.5:-:*:*:*:*:*:*

OR cpe:/a:php:php:4.0:rc1:*:*:*:*:*:*

OR cpe:/a:php:php:4.0:rc2:*:*:*:*:*:*

Denotes that component is vulnerable