=============================================
S-MAIL HTML Entity Encoder Heap Overflow / PHP Zend_Hash_Del_Key_Or_Index / Unfiltered Header Injection in Apache / PHP Unspecified Remote Arbitrary File Upload
==============================================
Multiple advisories were sent to the vendor without any response,
so this is a full disclosure.
I. VULNERABILITY
-------------------------
#Title: S-MAIL Cross-site request forgery / HTML entity encoder heap overflow / PHP socket_iovec_alloc() integer overflow / PHP Zend_Hash_Del_Key_Or_Index / Unfiltered Header Injection in Apache / PHP Unspecified Remote Arbitrary File Upload
#Vendor:http://WWW.s-mail.com/
#Author: Juan Carlos García (@secnight)
#Follow me
Twitter:@secnight
II. DESCRIPTION
-------------------------
S-Mail® is an innovative email system that provides high-level protection for emails on the Internet.
S-Mail users have safe and secure email correspondence. Only the sender and recipient of S-Mail can access emails sent through this service.
S-Mail provides the ultimate protection with strong encryption for personal and business communications.
S-Mail combines simplicity and security to create a tailored solution for protecting email.
Messages and attached files are encrypted and decrypted through PGP, SSL and DSA algorithms on the user's PC.
As a result, communications sent using S-Mail are delivered fully protected.
S-Mail is compatible with all other email systems and programs.
III. PROOF OF CONCEPT
-------------------------
PHP version older than 4.4.1
*****************************
Multiple vulnerabilities have been reported in PHP, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, and potentially compromise a vulnerable system.
Affected PHP versions (up to 4.4.0).
The impact of this vulnerability
___________________________________
Security bypass, cross site scripting, denial of service, system access.
Apache version older than 1.3.28 (detected version: Apache/1.3.27)
**********************************************************************
The impact of this vulnerability
_________________________________
Multiple; see the references for details of each vulnerability.
Apache version older than 1.3.41
*********************************
Security fixes in Apache version 1.3.41:
_________________________________________
CVE-2007-6388 (cve.mitre.org) mod_status: Ensure refresh parameter is numeric to prevent a possible XSS attack caused by redirecting to other URLs. Reported by SecurityReason. [Mark Cox]
Security fixes in Apache version 1.3.40:
___________________________________________
CVE-2007-5000 (cve.mitre.org) mod_imap: Fix cross-site scripting issue. Reported by JPCERT. [Joe Orton]
CVE-2007-3847 (cve.mitre.org) mod_proxy: Prevent reading past the end of a buffer when parsing date-related headers. PR 41144. With Apache 1.3, the denial of service vulnerability applies only to the Windows and NetWare platforms. [Jeff Trawick]
PHP HTML entity encoder heap overflow
**************************************
Stefan Esser reported vulnerabilities in PHP which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system. The vulnerabilities are caused by boundary errors within the "htmlentities()" and "htmlspecialchars()" functions. If a PHP application uses these functions to process user-supplied input, passing specially crafted data to the affected application causes a heap-based buffer overflow. Successful exploitation may allow execution of arbitrary code, but requires that the UTF-8 character set is selected. For a detailed explanation of the vulnerability read the referenced article.
The vendor has released PHP 5.2.0, which fixes this issue.
Affected PHP versions (up to 4.4.4/5.1.6).
The impact of this vulnerability
_________________________________
Denial of service, remote code execution.
PHP unspecified remote arbitrary file upload vulnerability
**********************************************************
An unspecified remote arbitrary file upload vulnerability has been reported for this version of PHP.
Affected PHP versions (up to 4.3.8/5.0.1).
PHP Zend_Hash_Del_Key_Or_Index vulnerability
**********************************************
Stefan Esser discovered a weakness deep in the hashtable implementation of the Zend Engine.
It affects a large number of PHP applications and opens new holes in many popular ones.
Additionally, many old holes disclosed in the past were fixed only by using the unset() statement.
Many of those holes are still open if the existing exploits are changed by adding the correct numerical keys to survive the unset().
For a detailed explanation of the vulnerability read the referenced article.
http://www.hardened-php.net/hphp/zend_hash_del_key_or_index_vulnerability.html
Affected PHP versions (up to 4.4.2/5.1.3).
The impact of this vulnerability
___________________________________
Code execution, SQL injection, ...
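The following is an added example, not code from the advisory or from the Zend Engine: a toy model of the hashtable delete weakness described above. It mirrors the Zend convention that an entry with an empty key (nKeyLength == 0) is a numeric index, and contrasts the pre-fix comparison, where a numeric entry whose index equals the hash of the string key also matches, with the fixed one. The variable name "admin", the DJBX33A hash, the 64-slot table and the assumption that the attacker's numeric entry sits ahead of the string entry in its chain are all assumptions of this model.

```python
# Toy model of the Zend hashtable delete weakness described above.
# Constructed example for this page, not Zend Engine code: chains, key layout
# and the two comparison rules follow the Zend convention that an empty key
# (nKeyLength == 0) marks a numeric index whose h is the index itself.
from dataclasses import dataclass
from typing import Optional

TABLE_SIZE = 64  # power of two; bucket = h & (TABLE_SIZE - 1), as in Zend


def zend_hash(key: str) -> int:
    """DJBX33A over the key bytes, kept to 32 bits like a C unsigned long."""
    h = 5381
    for b in key.encode():
        h = (h * 33 + b) & 0xFFFFFFFF
    return h


@dataclass
class Bucket:
    h: int                          # hash of the string key, or the numeric index itself
    key: str                        # "" marks a numeric index
    value: object
    next: Optional["Bucket"] = None


class HashTable:
    def __init__(self) -> None:
        self.buckets: list = [None] * TABLE_SIZE

    def _insert(self, b: Bucket) -> None:
        # The newest entry becomes the chain head, so it is compared first on delete.
        slot = b.h & (TABLE_SIZE - 1)
        b.next = self.buckets[slot]
        self.buckets[slot] = b

    def update(self, key: str, value: object) -> None:          # $a[$key] = value
        self._insert(Bucket(zend_hash(key), key, value))

    def index_update(self, index: int, value: object) -> None:  # $a[$index] = value
        self._insert(Bucket(index & 0xFFFFFFFF, "", value))

    def _walk(self, h: int):
        p = self.buckets[h & (TABLE_SIZE - 1)]
        while p is not None:
            yield p
            p = p.next

    def find(self, key: str):
        h = zend_hash(key)
        return next((p.value for p in self._walk(h) if p.h == h and p.key == key), None)

    def find_index(self, index: int):
        return next((p.value for p in self._walk(index) if p.h == index and p.key == ""), None)

    def del_key(self, key: str, buggy: bool) -> bool:
        """unset($a[$key]). buggy=True reproduces the pre-fix rule, where a numeric
        entry whose index equals zend_hash(key) also counts as a match."""
        h = zend_hash(key)
        slot = h & (TABLE_SIZE - 1)
        prev, p = None, self.buckets[slot]
        while p is not None:
            if buggy:
                match = p.h == h and (p.key == "" or p.key == key)
            else:  # fixed: key lengths must agree before a numeric entry can match
                match = p.h == h and len(p.key) == len(key) and (len(key) == 0 or p.key == key)
            if match:
                if prev is None:
                    self.buckets[slot] = p.next
                else:
                    prev.next = p.next
                return True
            prev, p = p, p.next
        return False


def unset_survives(buggy: bool) -> bool:
    """A script sets $admin, an attacker then adds the numeric index zend_hash('admin')
    (assumed ordering: the attacker entry sits ahead of $admin in the chain), and the
    script calls unset($admin). True if $admin is still readable afterwards."""
    ht = HashTable()
    ht.update("admin", "1")
    ht.index_update(zend_hash("admin"), "decoy")
    ht.del_key("admin", buggy)
    return ht.find("admin") is not None


if __name__ == "__main__":
    print("pre-fix unset leaves $admin alive:", unset_survives(True))
    print("fixed unset removes $admin:", not unset_survives(False))
```

The numeric index has to equal the full 32-bit hash of the variable name, not merely land in the same bucket, which is why an attacker who can plant arbitrary numeric keys (the register_globals situations the referenced article discusses) can target one specific unset() call.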
Unfiltered header injection in Apache 1.3.34/2.0.57/2.2.1
***********************************************************
Vulnerability description
*************************
This version of Apache is vulnerable to HTML injection (including malicious JavaScript code) through the "Expect" request header. Until now it was not classified as a security vulnerability, since an attacker had no way to control the Expect header of a victim's request to a target website. However, according to Amit Klein's paper "Forging HTTP request headers with Flash", there is a working cross-site scripting (XSS) attack against Apache 1.3.34, 2.0.57 and 2.2.1 (as long as the client browser is IE or Firefox and it supports Flash 6/7+).
The impact of this vulnerability
________________________________
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash content to fool a user and gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user, or modify the content of the page presented to the user.
How to fix this vulnerability
_______________________________
Upgrade to the latest Apache version. This flaw was corrected in Apache 1.3.35/2.0.58/2.2.2.
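An added example, not from the advisory or from Apache, of how to check a server for this reflection: build a request whose Expect value is a tag-shaped marker (any value other than 100-continue makes the server answer 417), then classify the reply according to whether the marker comes back verbatim or HTML-encoded. The marker text, the sample 417 pages and their wording are constructed for this example; probe() needs network access and is not exercised here.

```python
# Probe for reflection of the Expect header in a 417 error page.
# Constructed example for this page, not the advisory's or Apache's code.
import html
import socket

MARKER = "<expect-probe>"   # tag-shaped, so HTML escaping is visible in the response


def build_request(host: str, marker: str = MARKER) -> bytes:
    """Raw HTTP/1.1 request whose Expect value is anything but 100-continue,
    which a server must answer with 417 Expectation Failed."""
    return (f"GET / HTTP/1.1\r\nHost: {host}\r\nExpect: {marker}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def split_response(raw: bytes) -> tuple:
    """(status code, body) from a raw response; body decoded as latin-1 so no byte is lost."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status = int(head.split(b" ", 2)[1])
    return status, body.decode("latin-1")


def classify(raw: bytes, marker: str = MARKER) -> str:
    """'reflected-unescaped' when the marker is echoed verbatim (the injection point
    the section describes), 'reflected-escaped' when only an HTML-encoded copy
    appears, else 'not-reflected'."""
    _, body = split_response(raw)
    if marker in body:
        return "reflected-unescaped"
    if html.escape(marker) in body:
        return "reflected-escaped"
    return "not-reflected"


def probe(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send the request over a plain socket and classify the reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(host))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify(b"".join(chunks))


def sample_reply(echoed_value: str) -> bytes:
    """Constructed 417 page that echoes the Expect value; not captured from any server."""
    body = ("<html><body><h1>Expectation Failed</h1>The client sent<pre>\n"
            f"    Expect: {echoed_value}\n</pre>but we only allow the 100-continue expectation."
            "</body></html>")
    return (f"HTTP/1.1 417 Expectation Failed\r\nContent-Type: text/html\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode("latin-1")


VULNERABLE_REPLY = sample_reply(MARKER)              # value echoed raw
FIXED_REPLY = sample_reply(html.escape(MARKER))      # value echoed as &lt;expect-probe&gt;

if __name__ == "__main__":
    print("vulnerable sample:", classify(VULNERABLE_REPLY))
    print("fixed sample:     ", classify(FIXED_REPLY))
```

A raw socket is used rather than an HTTP client library because most clients either refuse to send a non-standard Expect value or handle the 417 themselves.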
Apache error log escape sequence injection vulnerability
********************************************************
This version of Apache allows escape character sequences to be injected into the error log. The problem can be exploited when the log is viewed with a vulnerable terminal emulator.
Affected Apache versions (up to 2.0.48 for Apache 2.x and up to 1.3.29 for Apache 1.x).
PHP mail function ASCII control character header spoofing vulnerability
***********************************************************************
The PHP mail() function does not properly sanitize user input. Because of this, a user may pass ASCII control characters to mail() that alter the headers of the email, which results in spoofed mail headers.
Affected PHP versions (up to 4.2.2).
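The two issues above share one root cause, ASCII control characters passing unfiltered into an output that interprets them (a terminal reading the error log, a mail transport parsing headers). The following is an added example, not Apache or PHP code: escape_log_item() renders a log field so that ESC and other non-printable bytes reach the terminal as visible \xHH text, in the spirit of the escaping Apache applied to log entries after this issue; naive_subject_headers() shows what an unfiltered mail() header value produces; mail_header() refuses any control character in a user-supplied value. The sample strings are constructed.

```python
# Constructed example for this page, not Apache or PHP source.

def escape_log_item(item: str) -> str:
    """Printable ASCII passes through; backslash and double quote are escaped;
    everything else (controls, DEL, non-ASCII bytes) becomes \\xHH, byte by byte."""
    out = []
    for b in item.encode("utf-8"):
        if b == 0x5C:
            out.append("\\\\")
        elif b == 0x22:
            out.append('\\"')
        elif b == 0x0A:
            out.append("\\n")
        elif b == 0x0D:
            out.append("\\r")
        elif b == 0x09:
            out.append("\\t")
        elif 0x20 <= b <= 0x7E:
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")   # e.g. the ESC (0x1b) that starts "\x1b[2J"
    return "".join(out)


def naive_subject_headers(subject: str) -> list:
    """The unfiltered case: the value is pasted straight after 'Subject: ' and the
    mail transport splits on CRLF, so an embedded CRLF yields an extra header line."""
    raw = f"Subject: {subject}\r\n"
    return [line for line in raw.split("\r\n") if line]


def has_header_control(value: str) -> bool:
    """True if the value carries CR, LF, NUL or any other ASCII control (HTAB included;
    folded headers are deliberately not supported for user-supplied values)."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in value)


class HeaderInjection(ValueError):
    pass


def mail_header(name: str, value: str) -> str:
    """Return 'Name: value\\r\\n' or raise HeaderInjection instead of letting a
    second header line through to the mail transport."""
    if has_header_control(value):
        raise HeaderInjection(f"control character in {name} header value")
    return f"{name}: {value}\r\n"


if __name__ == "__main__":
    # Constructed inputs: a request line carrying a terminal clear-screen sequence,
    # and a subject that smuggles a Bcc header.
    print(escape_log_item("GET /\x1b[2J HTTP/1.0"))
    print(naive_subject_headers("Hello\r\nBcc: victim@example.com"))
    try:
        mail_header("Subject", "Hello\r\nBcc: victim@example.com")
    except HeaderInjection as e:
        print("rejected:", e)
```

Rejecting rather than stripping is the safer default for headers: silently removing the CRLF would still let "Bcc: victim@example.com" end up inside the subject text, and the caller learns nothing about the attempt.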
PHP socket_iovec_alloc() integer overflow
******************************************
The reference below (CVE-2003-0172) describes a buffer overflow in the openlog() function in PHP 4.3.1 on Windows, and possibly other operating systems.
Affected PHP versions (up to 4.3.1).
The impact of this vulnerability
___________________________________
Remote attackers may cause a crash and possibly execute arbitrary code via a long filename argument.
How to fix this vulnerability
________________________________
Upgrade PHP to the latest version.
Web references
________________
CVE-2003-0172
PHP4 multiple vulnerabilities
*****************************
The PHP project has released an upgrade to address multiple vulnerabilities, including integer overflow issues reported to affect PHP4 and bundled software.
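Every item in this section is a version-threshold finding, so the check a practitioner would actually script is a banner comparison. The following is an added example, not part of the advisory: a table of the last-affected or first-fixed releases exactly as stated in the sections above, and a checker that parses a Server-style banner and lists the applicable items. The banner "Apache/1.3.27" is the version this page reports for the host; the PHP version in the sample banner is constructed.

```python
# Version check against the thresholds listed in section III.
# Constructed example for this page, not part of the original advisory.
import re

# (product, op, version, issue): vulnerable when the detected version <op> version.
# Comparison is done only within the same major series (PHP 4.x vs 5.x, Apache 1.x vs 2.x).
THRESHOLDS = [
    ("PHP", "<", "4.4.1", "multiple issues fixed in 4.4.1 (XSS, security bypass, DoS, system access)"),
    ("PHP", "<=", "4.4.4", "htmlentities()/htmlspecialchars() heap overflow"),
    ("PHP", "<=", "5.1.6", "htmlentities()/htmlspecialchars() heap overflow"),
    ("PHP", "<=", "4.3.8", "unspecified remote arbitrary file upload"),
    ("PHP", "<=", "5.0.1", "unspecified remote arbitrary file upload"),
    ("PHP", "<=", "4.4.2", "Zend_Hash_Del_Key_Or_Index weakness"),
    ("PHP", "<=", "5.1.3", "Zend_Hash_Del_Key_Or_Index weakness"),
    ("PHP", "<=", "4.2.2", "mail() ASCII control character header spoofing"),
    ("PHP", "<=", "4.3.1", "openlog() buffer overflow (CVE-2003-0172)"),
    ("Apache", "<", "1.3.28", "multiple issues fixed in 1.3.28"),
    ("Apache", "<", "1.3.35", "Expect header injection / XSS"),
    ("Apache", "<", "2.0.58", "Expect header injection / XSS"),
    ("Apache", "<", "2.2.2", "Expect header injection / XSS"),
    ("Apache", "<=", "1.3.29", "error log escape sequence injection"),
    ("Apache", "<=", "2.0.48", "error log escape sequence injection"),
    ("Apache", "<", "1.3.40", "mod_imap XSS (CVE-2007-5000)"),
    ("Apache", "<", "1.3.40", "mod_proxy date header buffer over-read (CVE-2007-3847)"),
    ("Apache", "<", "1.3.41", "mod_status refresh parameter XSS (CVE-2007-6388)"),
]

BANNER_RE = re.compile(r"\b(Apache|PHP)/(\d+(?:\.\d+)+)")


def parse_version(text: str) -> tuple:
    """'1.3.27' -> (1, 3, 27); tuples compare component-wise, unlike strings."""
    return tuple(int(x) for x in text.split("."))


def parse_banner(banner: str) -> dict:
    """Product -> version tuple from a banner such as 'Apache/1.3.27 (Unix) PHP/4.3.8'."""
    return {name: parse_version(ver) for name, ver in BANNER_RE.findall(banner)}


def check_banner(banner: str) -> list:
    """Issues from THRESHOLDS that apply to the versions found in the banner."""
    found = parse_banner(banner)
    hits = []
    for product, op, version, issue in THRESHOLDS:
        detected = found.get(product)
        threshold = parse_version(version)
        if detected is None or detected[0] != threshold[0]:
            continue
        vulnerable = detected < threshold if op == "<" else detected <= threshold
        if vulnerable:
            hits.append(f"{product}/{'.'.join(map(str, detected))}: {issue}")
    return hits


if __name__ == "__main__":
    # Apache/1.3.27 is the version reported above; PHP/4.3.8 is a constructed sample.
    for line in check_banner("Apache/1.3.27 (Unix) PHP/4.3.8"):
        print(line)
```

A banner is only a hint: distributions backport fixes without changing the version string, and a server may lie about or hide its version, so a hit here is a reason to test, not proof of exposure.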
IV. BUSINESS IMPACT
-------------------------
CRITICAL
V. SOLUTION
------------------------
Update the PHP and Apache software to current releases.
VI. CREDITS
-------------------------
These vulnerabilities were identified
by Juan Carlos García (@secnight)
VII. LEGAL NOTICES
-------------------------
The Author accepts no responsibility for any damage
caused by the use or misuse of this information.