| A number of buffer overflow flaws were found in the PHP session extension,
the str_replace() function, and the imap_mail_compose() function.
If very long strings under the control of an attacker are passed to the
str_replace() function then an integer overflow could occur in memory
allocation. If a script uses the imap_mail_compose() function to create a
new MIME message based on an input body from an untrusted source, it could
result in a heap overflow. An attacker who is able to access a PHP
application affected by any these issues could trigger these flaws and
possibly execute arbitrary code as the 'apache' user. (CVE-2007-0906)
If unserializing untrusted data on 64-bit platforms, the zend_hash_init()
function can be forced to enter an infinite loop, consuming CPU resources
for a limited length of time, until the script timeout alarm aborts
execution of the script. (CVE-2007-0988)
If the wddx extension is used to import WDDX data from an untrusted source,
certain WDDX input packets may allow a random portion of heap memory to be
exposed. (CVE-2007-0908)
If the odbc_result_all() function is used to display data from a database,
and the contents of the database table are under the control of an
attacker, a format string vulnerability is possible which could lead to the
execution of arbitrary code. (CVE-2007-0909)
A one byte memory read will always occur before the beginning of a buffer,
which could be triggered for example by any use of the header() function in
a script. However it is unlikely that this would have any effect.
(CVE-2007-0907)
Several flaws in PHP could allows attackers to "clobber" certain
super-global variables via unspecified vectors. (CVE-2007-0910) | 