CVE-2006-4023: php ip2long function incorrect address validation

Debian Bug report logs - #382257
CVE-2006-4023: php ip2long function incorrect address validation

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@sfritsch.de>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: CVE-2006-4023: php ip2long function incorrect address validation

Date: Wed, 09 Aug 2006 21:13:46 +0200

Package: php5
Severity: important
Tags: security


CVE-2006-4023:
The ip2long function in PHP 5.1.4 and earlier may incorrectly validate
an arbitrary string and return a valid network IP address, which
allows remote attackers to obtain network information and facilitate
other attacks, as demonstrated using SQL injection in the
X-FORWARDED-FOR Header in index.php in MiniBB 2.0.  NOTE: it could be
argued that the ip2long behavior represents a risk for
security-relevant issues in a way that is similar to strcpy's role in
buffer overflows, in which case this would be a class of
implementation bugs that would require separate CVE items for each PHP
application that uses ip2long in a security-relevant manner.


I am not sure whether this has to be fixed in php or the applications.
Please check.

Message #12 received at 382257-done@bugs.debian.org (full text, mbox, reply):

From: sean finney <seanius@debian.org>

To: 382257-done@bugs.debian.org

Subject: application issue, not php issue

Date: Tue, 19 Sep 2006 09:29:12 +0200

[Message part 1 (text/plain, inline)]

hey stefan,

the agreement via the security team was that this was an implementation
issue, not a php issue.  thus, if any other packages in debian use
ip2long we should verify that they are not vulnerable to such an attack,
but in the meantime php shouldn't be considered vulnerable.


thanks,
	sean

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.