PT-2012-05: Multiple Vulnerabilities in Quercus

Vulnerable software
Quercus on Resin
Version 4.0.28 and earlier
Application link: http://www.caucho.com/

Software description
Quercus on Resin is the Quercus implementation of PHP included in the Resin web server.

1. HTTP Parameter Contamination
Severity level: High
Impact: HTTP Parameter Contamination
Access Vector: Remote
CVSS v2:
Base Score: 7.5
Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE: CVE-2012-2965

Vulnerability description
Some special characters in variable names are handled inappropriately, which may be leveraged by attackers. Additionally, attackers may intentionally cause error 500.

2. Variables Globalization and Overwriting
Severity level: High
Impact: Variables Globalization and Overwriting
Access Vector: Remote
CVSS v2:
Base Score: 7.5
Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE: CVE-2012-2966

Vulnerability description
Parameters transferred via POST are globalized, and items of the _SERVER array may be overwritten.

3. Inappropriate Variable Comparison
Severity level: High
Impact: Inappropriate Variable Comparison
Access Vector: Remote
CVSS v2:
Base Score: 7.5
Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE: CVE-2012-2967

Vulnerability description
Flexible comparison (using the == operator) of variables of various types is implemented inappropriately.

4. Path Traversal
Severity level: Medium
Impact: Path Traversal
Access Vector: Remote
CVSS v2:
Base Score: 5.0
Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVE: CVE-2012-2968

Vulnerability description
When downloading files, the ../ string may be inserted into filenames (via forging HTTP requests). Such insertion allows downloading files to arbitrary directories (i.e. to conduct Path Traversal).

5. Null Byte Injection
Severity level: Medium
Impact: Null Byte Injection
Access Vector: Remote
CVSS v2:
Base Score: 6.4
Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:P)
CVE: CVE-2012-2969

Vulnerability description
When downloading files, null bytes may be inserted into filenames (via forging HTTP requests). As a result of the insertion, the string after the null byte will be dropped. The vulnerability allows attackers to bypass certain checks.

How to fix
Update your software to the latest version.

Advisory status
23.03.2012 - Vendor is notified
23.03.2012 - Vendor gets vulnerability details
19.04.2012 - Vulnerability details were sent to CERT
13.07.2012 - Vendor releases fixed version and details
31.08.2012 - Public disclosure

Credits
The vulnerabilities were discovered by Sergey Scherbel, Positive Research Center (Positive Technologies Company)

References
http://en.securitylab.ru/lab/PT-2012-05
http://www.kb.cert.org/vuls/id/309979

Reports on the vulnerabilities previously discovered by Positive Research:
http://ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/
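
A defensive check for items 4 and 5, as an added example that is not part of the advisory or of Quercus: application-side PHP validation of a file name taken from an HTTP request, rejecting null bytes and path separators before the name is used in a path. STORAGE_DIR, the extension list and safe_file_path() are hypothetical names, and the sample inputs are constructed.

```php
<?php
// Added example (not from the advisory). STORAGE_DIR, the extension list
// and safe_file_path() are hypothetical names chosen for illustration.
define('STORAGE_DIR', '/var/www/files');

// Return the destination path for a client-supplied file name,
// or null when the name must be rejected.
function safe_file_path($clientName, $baseDir = STORAGE_DIR)
{
    $allowedExt = array('png', 'jpg', 'pdf');

    // Null byte: reject instead of truncating, so the name that passes
    // the checks is byte-for-byte the name that reaches the filesystem.
    if (!is_string($clientName) || strpos($clientName, "\0") !== false) {
        return null;
    }
    // Traversal: a bare file name has no separators (either style)
    // and is not a dot entry.
    if (strpos($clientName, '/') !== false || strpos($clientName, '\\') !== false
        || $clientName === '.' || $clientName === '..') {
        return null;
    }
    // Allow-list of characters; \A and \z anchor the whole string, so a
    // trailing newline cannot slip past as it can with $.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $clientName)) {
        return null;
    }
    // The extension is read from the validated name, after the checks above.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    return rtrim($baseDir, '/') . '/' . $clientName;
}

// Constructed sample inputs.
$samples = array('report.pdf', '../../tmp/report.pdf', '..\\report.pdf',
                 "page.php\0.png", 'notes.txt');
foreach ($samples as $s) {
    $path = safe_file_path($s);
    printf("%-24s => %s\n", addcslashes($s, "\0..\37"),
           $path === null ? 'REJECTED' : $path);
}
```

Only report.pdf is accepted. This kind of check complements the update named under "How to fix"; it does not replace it.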