发布时间 :2005-01-10 00:00:00
修订时间 :2017-10-10 21:29:40

[原文]The deserialization code in PHP before 4.3.10 and PHP 5.x up to 5.0.2 allows remote attackers to cause a denial of service and execute arbitrary code via untrusted data to the unserialize function that may trigger "information disclosure, double-free and negative reference index array underflow" results.

[CNNVD]PHP unserialize() 代码执行漏洞(CNNVD-200501-207)


- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-20 [输入验证不恰当]

- CPE (受影响的平台与产品)

cpe:/a:openpkg:openpkg:2.1OpenPKG 2.1
cpe:/a:openpkg:openpkg:2.2OpenPKG 2.2
cpe:/a:php:php:3.0PHP PHP 3.0
cpe:/a:php:php:3.0.1PHP PHP 3.0.1
cpe:/a:php:php:3.0.2PHP PHP 3.0.2
cpe:/a:php:php:3.0.3PHP PHP 3.0.3
cpe:/a:php:php:3.0.4PHP PHP 3.0.4
cpe:/a:php:php:3.0.5PHP PHP 3.0.5
cpe:/a:php:php:3.0.6PHP PHP 3.0.6
cpe:/a:php:php:3.0.7PHP PHP 3.0.7
cpe:/a:php:php:3.0.8PHP PHP 3.0.8
cpe:/a:php:php:3.0.9PHP PHP 3.0.9
cpe:/a:php:php:3.0.10PHP PHP 3.0.10
cpe:/a:php:php:3.0.11PHP PHP 3.0.11
cpe:/a:php:php:3.0.12PHP PHP 3.0.12
cpe:/a:php:php:3.0.13PHP PHP 3.0.13
cpe:/a:php:php:3.0.14PHP PHP 3.0.14
cpe:/a:php:php:3.0.15PHP PHP 3.0.15
cpe:/a:php:php:3.0.16PHP PHP 3.0.16
cpe:/a:php:php:3.0.17PHP PHP 3.0.17
cpe:/a:php:php:3.0.18PHP PHP 3.0.18
cpe:/a:php:php:4.0.1PHP PHP 4.0.1
cpe:/a:php:php:4.0.2PHP PHP 4.0.2
cpe:/a:php:php:4.0.3PHP PHP 4.0.3
cpe:/a:php:php:4.0.4PHP PHP 4.0.4
cpe:/a:php:php:4.0.5PHP PHP 4.0.5
cpe:/a:php:php:4.0.6PHP PHP 4.0.6
cpe:/a:php:php:4.0.7PHP PHP 4.0.7
cpe:/a:php:php:4.1.0PHP PHP 4.1.0
cpe:/a:php:php:4.1.1PHP PHP 4.1.1
cpe:/a:php:php:4.1.2PHP PHP 4.1.2
cpe:/a:php:php:4.2.0PHP PHP 4.2.0
cpe:/a:php:php:4.2.1PHP PHP 4.2.1
cpe:/a:php:php:4.2.2PHP PHP 4.2.2
cpe:/a:php:php:4.2.3PHP PHP 4.2.3
cpe:/a:php:php:4.3.1PHP PHP 4.3.1
cpe:/a:php:php:4.3.2PHP PHP 4.3.2
cpe:/a:php:php:4.3.3PHP PHP 4.3.3
cpe:/a:php:php:4.3.4PHP PHP 4.3.4
cpe:/a:php:php:4.3.5PHP PHP 4.3.5
cpe:/a:php:php:4.3.6PHP PHP 4.3.6
cpe:/a:php:php:4.3.7PHP PHP 4.3.7
cpe:/a:php:php:4.3.8PHP PHP 4.3.8
cpe:/a:php:php:4.3.9PHP PHP 4.3.9
cpe:/a:php:php:5.0.0PHP PHP 5.0.0
cpe:/a:php:php:5.0.1PHP PHP 5.0.1
cpe:/a:php:php:5.0.2PHP PHP 5.0.2
cpe:/o:trustix:secure_linux:2.0Trustix Secure Linux 2.0
cpe:/o:trustix:secure_linux:2.1Trustix Secure Linux 2.1
cpe:/o:trustix:secure_linux:2.2Trustix Secure Linux 2.2

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:10511The deserialization code in PHP before 4.3.10 and PHP 5.x up to 5.0.2 allows remote attackers to cause a denial of service and execute arbit...

- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  SUSE  SUSE-SU-2015:0365
(UNKNOWN)  SUSE  openSUSE-SU-2015:0325
(UNKNOWN)  BUGTRAQ  20041215 Advisory 01/2004: Multiple vulnerabilities in PHP 4/5
(UNKNOWN)  XF  php-unserialize-code-execution(18514)

- 漏洞信息

PHP unserialize() 代码执行漏洞
危急 设计错误
2005-01-10 00:00:00 2005-10-20 00:00:00

- 公告与补丁


- 漏洞信息 (F35361)

012004.txt (PacketStormID:F35361)
2004-12-30 00:00:00
Stefan Esser

Hardened-PHP Project Security Advisory - Several vulnerabilities within PHP allow local and remote execution of arbitrary code. PHP4 versions 4.3.9 and below and PHP5 version 5.0.2 and below are affected.

Hash: SHA1

                        Hardened-PHP Project

                      -= Security  Advisory =-

     Advisory: Multiple vulnerabilities within PHP 4/5
 Release Date: 2004/12/15
Last Modified: 2004/12/15
       Author: Stefan Esser []

  Application: PHP4 <= 4.3.9
               PHP5 <= 5.0.2
     Severity: Several vulnerabilities within PHP allow 
               local and remote execution of arbitrary code
         Risk: Critical
Vendor Status: Vendor has released bugfixed versions.


   PHP is a widely-used general-purpose scripting language that is 
   especially suited for Web development and can be embedded into HTML.

   During the development of Hardened-PHP which adds security hardening
   features to the PHP codebase, several vulnerabilities within PHP 
   were discovered that reach from bufferoverflows, over information 
   leak vulnerabilities and path truncation vulnerabilities to
   safe_mode restriction bypass vulnerabilities.


   [01 - pack() - integer overflow leading to heap bufferoverflow ]
   Insufficient validation of the parameters passed to pack() can
   lead to a heap overflow which can be used to execute arbitrary
   code from within a PHP script. This enables an attacker to
   bypass safe_mode restrictions and execute arbitrary code with
   the permissions of the webserver. Due to the nature of this
   function it is unlikely that a script accidently exposes it to
   remote attackers.
   [02 - unpack() - integer overflow leading to heap info leak ]

   Insufficient validation of the parameters passed to unpack() can
   lead to a heap information leak which can be used to retrieve
   secret data from the apache process. Additionally a skilled
   local attacker could use this vulnerability in combination with
   01 to bypass heap canary protection systems. Similiar to 01 this
   function is usually not used on user supplied data within

   [03 - safe_mode_exec_dir bypass in multithreaded PHP ]
   When safe_mode is activated within PHP, it is only allowed to
   execute commands within the configured safe_mode_exec_dir. 
   Unfourtunately PHP does prepend a "cd [currentdir] ;" to any
   executed command when a PHP is running on a multithreaded unix
   webserver (f.e. some installations of Apache2). Because the name
   of the current directory is prepended directly a local attacker
   may bypass safe_mode_exec_dir restrictions by injecting shell-
   commands into the current directory name.
   [04 - safe_mode bypass through path truncation ]
   The safe_mode checks silently truncated the file path at MAXPATHLEN
   bytes before passing it to realpath(). In combination with certain
   malfunctional implementations of realpath() f.e. within glibc this
   allows crafting a filepath that pass the safe_mode check although
   it points to a file that should fail the safe_mode check.
   [05 - path truncation in realpath() ]
   PHP uses realpath() within several places to get the real path
   of files. Unfourtunately some implementations of realpath() silently
   truncate overlong filenames (f.e. OpenBSD, and older NetBSD/FreeBSD)
   This can lead to arbitrary file include vulnerabilities if something
   like "include "modules/$userinput/"; is used on such
   [06 - unserialize() - wrong handling of negative references ]
   The variable unserializer could be fooled with negative references
   to add false zvalues to hashtables. When those hashtables get
   destroyed this can lead to efree()s of arbitrary memory addresses
   which can result in arbitrary code execution. (Unless Hardened-PHP's
   memory manager canaries are activated)
   [07 - unserialize() - wrong handling of references to freed data ]
   Additionally to bug 07 the previous version of the variable 
   unserializer allowed setting references to already freed entries in
   the variable hash. A skilled attacker can exploit this to create 
   an universal string that will pass execution to an arbitrary 
   memory address when it is passed to unserialize(). For AMD64 systems
   a string was developed that directly passes execution to code 
   contained in the string itself.
   It is necessary to understand that these strings can exploit a 
   bunch of popular PHP applications remotely because they pass f.e.
   cookie content to unserialize().
   Examples of vulnerable scripts:
      - phpBB2
      - Invision Board
      - vBulletin
      - Woltlab Burning Board 2.x
      - Serendipity Weblog
      - phpAds(New)
      - ...

Proof of Concept:

   The Hardened-PHP project is not going to release exploits for any 
   of these vulnerabilities to the public.

CVE Information:

   The Common Vulnerabilities and Exposures project ( has
   assigned the name CAN-2004-1018 to issues 01, 02, the name 
   CAN-2004-1019 to issues 06, 07, the name CAN-2004-1063 to issue 03
   and the name CAN-2004-1064 to issues 04, 05.


   It is strongly recommended to upgrade to the new PHP-Releases as
   soon as possible, because a lot of PHP applications expose the
   easy to exploit unserialize() vulnerability to remote attackers.
   Additionally we always recommend to run PHP with the Hardened-PHP
   patch applied.


   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1

Copyright 2004 Stefan Esser. All rights reserved.

Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see



- 漏洞信息

PHP unserialize() Function Negative Reference Arbitrary Code Execution
Loss of Integrity
Vendor Verified

- 漏洞描述

PHP contains a flaw that may allow a remote attacker to gain elevated privileges. The issue is due to the deserialization code not properly sanitizing user-supplied input. This may allow an attacker to pass crafted content to the unserialize function and cause a denial of service or execute arbitrary code.

- 时间线

2004-12-15 Unknow
Unknow Unknow

- 解决方案

Upgrade to version 4.3.10 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete