php security update (RHSA-2005-838)

Original Release Date: January 31, 2006
Last Revised: September 13, 2007
Number: ASA-2006-037
Risk Level: Low
Advisory Version: 5.0
Advisory Status: Final

1. Overview:

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.

A flaw was found in the way PHP registers global variables during a file upload request. A remote attacker could submit a carefully crafted multipart/form-data POST request that would overwrite the $GLOBALS array, altering expected script behavior, and possibly leading to the execution of arbitrary PHP commands. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-3390 to this issue.

A flaw was found in the PHP parse_str() function. If a PHP script passes only one argument to the parse_str() function, and the script can be forced to abort execution during operation (for example due to the memory_limit setting), the register_globals may be enabled even if it is disabled in the PHP configuration file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-3389 to this issue.

A Cross-Site Scripting flaw was found in the phpinfo() function. If a victim can be tricked into following a malicious URL to a site with a page displaying the phpinfo() output, it may be possible to inject javascript or HTML content into the displayed page or steal data such as cookies. This vulnerability only affects installations which allow users to view the output of the phpinfo() function. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-3388 to this issue.

Some Avaya System products utilize php, and are therefore affected by these vulnerabilities.

More information about these vulnerabilities can be found in the security advisory issued by RedHat Linux:

2. Avaya System Products with php installed:

Product: Affected Version(s): Risk Level: Actions:
Avaya S87XX/S8500/S8300 CM 2.2 Load 126 and prior Low Upgrade to CM 2.2 Load 127 or later in the CM 2.2 series or CM 3.1 or later in the CM 3.x series to remove PHP.
Avaya Intuity LX All Low Avaya recommends upgrading to Intuity LX 2.0 or later to resolve this issue.
Avaya Messaging Storage Server All Low Avaya recommends upgrading to MM 3.0 or later to resolve this issue.
Avaya Message Networking All Low Avaya recommends upgrading to MN 3.0 or later to resolve this issue.

3. Avaya Software-Only Products

Avaya software-only products operate on general-purpose operating systems. Occasionally vulnerabilities may be discovered in the underlying operating system or applications that come with the operating system. These vulnerabilities often do not impact the software-only product directly but may threaten the integrity of the underlying platform.

In the case of this advisory Avaya software-only products are not affected by the vulnerability directly but the underlying Linux platform may be. Customers should determine on which Linux operating system the product was installed and then follow that vendors guidance:

4. Software-Only Products:

Product: Affected Version(s): Risk Level: Actions:
Avaya Interactive Response(IR) All None Depending on the Operating System provided by customers, the affected packages may be installed on the underlying Operating System supporting the IR application. The IR application does not require the software described in this advisory.
CVLAN All None Depending on the Operating System provided by customers, the affected packages may be installed on the underlying Operating System supporting the CVLAN application. The CVLAN application does not require the software described in this advisory.
Avaya Integrated Management Suite(IMS) All Low See recommended actions below.

Recommended Actions:
Avaya recommends installing the appropriate patch from the Operating System Vendor (e.g. Red Hat).

5. Additional Information:

Additional information may also be available via the Avaya support website and through your Avaya account representative. Please contact your Avaya product support representative, or dial 1-800-242-2121, with any questions.

6. Disclaimer:

ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED "AS IS". AVAYA INC., ON BEHALF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS "AVAYA"), DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS' SYSTEMS. IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN, INCLUDING DIRECT, INDIRECT, CONSEQUENTIAL DAMAGES, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER EXISTING AGREEMENTS WITH AVAYA.

7. Revision History:

V 1.0 - January 31, 2006 - Initial Statement issued.
V 2.0 - February 17, 2006 - Minor formatting changes made.
V 3.0 - August 28. 2006 - Updated impact for MSS.
V 4.0 - November 27, 2006 - Added Avaya S87XX/S8500/S8300 Gateways to the list of affected system products as well as the remediation method.
V 5.0 September 13, 2007 - Changed recommended actions for all system products, and changed advisory status to final.

Send information regarding any discovered security problems with Avaya products to either the contact noted in the product's documentation or securityalerts@avaya.com.

© 2006 Avaya Inc. All Rights Reserved. All trademarks identified by the ® or ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.