English
¢¸¢· µÚ·Î
Ãë¾àÁ¡ID 22557
À§Çèµµ 40
Æ÷Æ® 80, ...
ÇÁ·ÎÅäÄÝ TCP
ºÐ·ù CGI
»ó¼¼¼³¸í ÇØ´ç À¥ ¼­¹ö´Â 5.4.4 º¸´Ù ´õ ¿À·¡µÈ PHPÀÇ ¹öÀüÀ» °¡µ¿ ÁßÀÌ´Ù. PHP´Â À¥ °³¹ß¿¡ ÀûÇÕÇÏ°í HTML¿¡ ÀÓº£µðµå(embedded) µÉ ¼ö ÀÖ´Â ³Î¸® »ç¿ë ÁßÀÎ ¹ü¿ë ½ºÅ©¸³Æà ¾ð¾îÀÌ´Ù. PHPÀÇ 5.4.4 ÀÌÀüÀÇ ¹öÀüµéÀº ´ÙÁß Ãë¾àÁ¡ÀÌ Á¸ÀçÇÑ´Ù.


- 'ext/phar/tar.c' ÆÄÀÏÀÇ 'phar_parse_tarfile' ÇÔ¼ö¿¡ Á¤¼ö ¿À¹öÇÃ·Î¿ì ¿¡·¯°¡ Á¸ÀçÇϸç, ÀÌ·Î ÀÎÇÏ¿© ¾ÇÀÇÀûÀ¸·Î Á¶ÀÛµÈ TAR ÆÄÀÏÀ» ´Ù·ê ¶§ heap-based ¹öÆÛ ¿À¹öÇ÷ο찡 ¹ß»ýÇÑ´Ù. °ø°ÝÀÚ´Â ÀÓÀÇÀÇ Äڵ带 ½ÇÇà ÇÒ ¼ö ÀÖ´Ù. (CVE-2012-2386)

- DES¸¦ ±¸ÇöÇÑ 'crypt' ÇÔ¼ö¿¡ Ãë¾àÁ¡ÀÌ Á¸ÀçÇØ brute force °ø°ÝÀ» Çã¿ë ÇÒ ¼ö ÀÖ´Ù. (CVE-2012-2143)

* ¾Ë¸²: ÀÌ Á¡°ËÇ׸ñÀº ÀÌ Ãë¾àÁ¡À» Á¡°ËÇϱâ À§ÇØ ÇØ´ç ¿ø°ÝÁö PHP ¼­¹öÀÇ ¹öÀü Á¤º¸¸¸À» È®ÀÎÇÑ´Ù. µû¶ó¼­ °ÅÁþ ¾ç¼º¹ÝÀÀ(False Positive)À» º¸ÀÏ ¼ö ÀÖ´Ù.

* Âü°í »çÀÌÆ®:
http://www.php.net/ChangeLog-5.php#5.4.4
http://0x1byte.blogspot.kr/2011/04/php-phar-extension-heap-overflow.html

* ¿µÇâÀ» ¹Þ´Â Ç÷§Æû:
PHP 5.4.4 ÀÌÀüÀÇ ¹öÀüµé
Any operating system Any version
ÇØ°áÃ¥ PHP À¥ »çÀÌÆ®ÀÎ http://www.php.net/downloads.php ¿¡¼­ ±¸ÇÒ ¼ö ÀÖ´Â PHPÀÇ °¡Àå ÃֽŠ¹öÀü(5.4.4 ȤÀº ÀÌÈÄ)À¸·Î ¾÷±×·¹À̵å ÇÏ¿©¾ß ÇÑ´Ù.
°ü·Ã URL CVE-2012-2143,CVE-2012-2386 (CVE)
°ü·Ã URL 47545,53729 (SecurityFocus)
°ü·Ã URL (ISS)