ID CVE-2005-3388 Type cve Reporter NVD Modified 2018-10-30T12:25:35
Description
Cross-site scripting (XSS) vulnerability in the phpinfo function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5 allows remote attackers to inject arbitrary web script or HTML via a crafted URL with a "stacked array assignment."
{"osvdb": [{"lastseen": "2017-04-28T13:20:17", "bulletinFamily": "software", "description": "## Vulnerability Description\nPHP contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate input (i.e. crafted URL with a stacked array assignment) passed to the phpinfo() function. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nUpgrade to version 4.4.1, 5.1.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nPHP contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate input (i.e. crafted URL with a stacked array assignment) passed to the phpinfo() function. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Manual Testing Notes\nphpinfo.php?GLOBALS[test]=<script>alert(document.cookie);</script>\n## References:\nVendor URL: http://www.php.net/\nVendor Specific News/Changelog Entry: http://www.php.net/release_4_4_1.php\n[Vendor Specific Advisory URL](http://www.trustix.org/errata/2005/0062/)\n[Vendor Specific Advisory URL](http://support.avaya.com/elmodocs2/security/ASA-2006-037.htm)\n[Vendor Specific Advisory URL](http://itrc.hp.com/service/cki/docDisplay.do?docId=c00786522)\nSecurity Tracker: 1015130\n[Secunia Advisory ID:17666](https://secuniaresearch.flexerasoftware.com/advisories/17666/)\n[Secunia Advisory ID:17757](https://secuniaresearch.flexerasoftware.com/advisories/17757/)\n[Secunia Advisory ID:17557](https://secuniaresearch.flexerasoftware.com/advisories/17557/)\n[Secunia Advisory ID:18669](https://secuniaresearch.flexerasoftware.com/advisories/18669/)\n[Secunia Advisory ID:17371](https://secuniaresearch.flexerasoftware.com/advisories/17371/)\n[Secunia Advisory ID:17490](https://secuniaresearch.flexerasoftware.com/advisories/17490/)\n[Secunia Advisory ID:17531](https://secuniaresearch.flexerasoftware.com/advisories/17531/)\n[Secunia Advisory ID:17510](https://secuniaresearch.flexerasoftware.com/advisories/17510/)\n[Secunia Advisory ID:21252](https://secuniaresearch.flexerasoftware.com/advisories/21252/)\n[Secunia Advisory ID:22691](https://secuniaresearch.flexerasoftware.com/advisories/22691/)\n[Secunia Advisory ID:18198](https://secuniaresearch.flexerasoftware.com/advisories/18198/)\n[Related OSVDB ID: 20407](https://vulners.com/osvdb/OSVDB:20407)\n[Related OSVDB ID: 20408](https://vulners.com/osvdb/OSVDB:20408)\nRedHat RHSA: RHSA-2006:0549\nRedHat RHSA: RHSA-2005:831\n\nOther Advisory URL: http://www.hardened-php.net/advisory_182005.77.html\nOther Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200511-08.xml\nOther Advisory URL: ftp://patches.sgi.com/support/free/security/advisories/20051101-01-U.asc\nOther Advisory URL: http://frontal2.mandriva.com/security/advisories?name=MDKSA-2005:213\nOther Advisory URL: http://www.ubuntu.com/usn/usn-232-1\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0645.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0653.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0652.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0659.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0650.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0093.html\nKeyword: HPSBMA02159,SSRT061238\nISS X-Force ID: 10355\n[CVE-2005-3388](https://vulners.com/cve/CVE-2005-3388)\nBugtraq ID: 15248\n", "modified": "2005-10-31T00:00:00", "published": "2005-10-31T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:20406", "id": "OSVDB:20406", "type": "osvdb", "title": "PHP phpinfo() Function Stacked Array Assignment XSS", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "exploitdb": [{"lastseen": "2016-02-03T03:36:41", "bulletinFamily": "exploit", "description": "PHP 4.x PHPInfo Cross-Site Scripting Vulnerability. CVE-2005-3388 . Webapps exploit for php platform", "modified": "2005-10-31T00:00:00", "published": "2005-10-31T00:00:00", "id": "EDB-ID:26442", "href": "https://www.exploit-db.com/exploits/26442/", "type": "exploitdb", "title": "PHP 4.x PHPInfo Cross-Site Scripting Vulnerability", "sourceData": "source: http://www.securityfocus.com/bid/15248/info\r\n\r\nPHP is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.\r\n\r\nAn attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. \r\n\r\nhttp://www.example.com/phpinfo.php?GLOBALS[test]=<script>alert(document.cookie);</script> ", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/26442/"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:16", "bulletinFamily": "software", "description": "Buffer overflows, integer overflows, DoS conditions, crossite scripting.", "modified": "2007-03-04T00:00:00", "published": "2007-03-04T00:00:00", "id": "SECURITYVULNS:VULN:1818", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:1818", "title": "Multiple PHP bugs", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:19", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c00786522\r\nVersion: 1\r\n\r\nHPSBMA02159 SSRT061238 rev.1 - HP System Management Homepage (SMH), Remote Bypassing of Security Features or Cross Site Scripting or Denial of Service (DoS)\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as soon as possible.\r\n\r\nRelease Date: 2006-11-01\r\nLast Updated: 2006-11-01\r\n\r\nPotential Security Impact: Remote security bypass or cross site scripting or Denial of Service (DoS)\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nPotential security vulnerabilities have been identified in PHP, an open source software component supplied with HP System Management Homepage (SMH). These vulnerabilities could by exploited remotely resulting in the bypassing of security features, cross site scripting, or Denial of Service (DoS).\r\n\r\nReferences: CVE-2005-2491, CVE-2005-3319, CVE-2005-3353, CVE-2005-3388, CVE-2005-3389, CVE-2005-3390, CVE-2005-3391, CVE-2005-3392\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP System Management Homepage (SMH) versions prior to 2.1.5 running on Linux and Windows.\r\n\r\nBACKGROUND\r\n\r\nRESOLUTION\r\n\r\nHP has provided System Management Homepage (SMH) version 2.1.5 or subsequent for each platform to resolve this issue.\r\n\r\nHP System Management Homepage for Linux (x86) version 2.1.5-146 can be downloaded from\r\nhttp://h18023.www1.hp.com/support/files/server/us/download/24193.html\r\n\r\nHP System Management Homepage for Linux (AMD64/EM64T) version 2.1.5-146 can be downloaded from\r\nhttp://h18023.www1.hp.com/support/files/server/us/download/24172.html\r\n\r\nHP System Management Homepage for Windows version 2.1.5-146 can be downloaded from\r\nhttp://h18007.www1.hp.com/support/files/server/us/download/23883.html\r\n\r\nPRODUCT SPECIFIC INFORMATION\r\n\r\nHISTORY:\r\nVersion:1 (rev.1) - 1 November 2006 Initial Release\r\n\r\nThird Party Security Patches: Third party security patches which are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.\r\n\r\nSupport: For further information, contact normal HP Services support channel.\r\n\r\nReport: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com\r\nIt is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.\r\nTo get the security-alert PGP key, please send an e-mail message as follows:\r\n To: security-alert@hp.com\r\n Subject: get key\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletins via Email:\r\nhttp://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC\r\nOn the web page: ITRC security bulletins and patch sign-up\r\nUnder Step1: your ITRC security bulletins and patches\r\n - check ALL categories for which alerts are required and continue.\r\nUnder Step2: your ITRC operating systems\r\n - verify your operating system selections are checked and save.\r\n\r\nTo update an existing subscription: http://h30046.www3.hp.com/subSignIn.php\r\nLog in on the web page: Subscriber's choice for Business: sign-in.\r\nOn the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.\r\n\r\nTo review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do\r\n\r\n* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title:\r\n\r\nGN = HP General SW\r\nMA = HP Management Agents\r\nMI = Misc. 3rd Party SW\r\nMP = HP MPE/iX\r\nNS = HP NonStop Servers\r\nOV = HP OpenVMS\r\nPI = HP Printing & Imaging\r\nST = HP Storage SW\r\nTL = HP Trusted Linux\r\nTU = HP Tru64 UNIX\r\nUX = HP-UX\r\nVV = HP VirtualVault\r\n\r\nSystem management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.\r\n\r\n"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."\r\n\r\n\u00a9Copyright 2006 Hewlett-Packard Development Company, L.P.\r\n\r\nHewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: PGP 8.1\r\n\r\niQA/AwUBRUngl+AfOvwtKn1ZEQJI1ACghtQW/CXAVNRAxIC/WF3Y0xky2IIAoMN7\r\nFrK+8N5WxaHjk6DRS1Kw/q/Q\r\n=GCt9\r\n-----END PGP SIGNATURE-----", "modified": "2006-11-03T00:00:00", "published": "2006-11-03T00:00:00", "id": "SECURITYVULNS:DOC:14915", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:14915", "title": "[security bulletin] HPSBMA02159 SSRT061238 rev.1 - HP System Management Homepage (SMH), Remote Bypassing of Security Features or Cross Site Scripting or Denial of Service (DoS)", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-02-21T01:08:50", "bulletinFamily": "scanner", "description": "According to its banner, the version of PHP installed on the remote host is older than 4.4.1 or 5.0.6. Such versions fail to protect the '$GLOBALS' superglobals variable from being overwritten due to weaknesses in the file upload handling code as well as the 'extract()' and 'import_request_variables()' functions. Depending on the nature of the PHP applications on the affected host, exploitation of this issue may lead to any number of attacks, including arbitrary code execution. \n\nIn addition, these versions may enable an attacker to exploit an integer overflow flaw in certain certain versions of the PCRE library, to enable PHP's 'register_globals' setting even if explicitly disabled in the configuration, and to launch cross-site scripting attacks involving PHP's 'phpinfo()' function.", "modified": "2018-07-24T00:00:00", "id": "PHP_4_4_1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=20111", "published": "2005-11-01T00:00:00", "title": "PHP < 4.4.1 / 5.0.6 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(20111);\n script_version(\"1.23\");\n script_cvs_date(\"Date: 2018/07/24 18:56:10\");\n\n script_cve_id(\n \"CVE-2002-0229\",\n \"CVE-2005-2491\",\n \"CVE-2005-3388\",\n \"CVE-2005-3389\",\n \"CVE-2005-3390\"\n );\n script_bugtraq_id(\n 14620,\n 15248,\n 15249,\n 15250\n );\n\n script_name(english:\"PHP < 4.4.1 / 5.0.6 Multiple Vulnerabilities\");\n script_summary(english:\"Checks for multiple vulnerabilities in PHP < 4.4.1 / 5.0.6\");\n \n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote web server uses a version of PHP that is affected by\nmultiple flaws.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"According to its banner, the version of PHP installed on the remote\nhost is older than 4.4.1 or 5.0.6. Such versions fail to protect the\n'$GLOBALS' superglobals variable from being overwritten due to\nweaknesses in the file upload handling code as well as the 'extract()'\nand 'import_request_variables()' functions. Depending on the nature\nof the PHP applications on the affected host, exploitation of this\nissue may lead to any number of attacks, including arbitrary code\nexecution. \n\nIn addition, these versions may enable an attacker to exploit an\ninteger overflow flaw in certain certain versions of the PCRE library,\nto enable PHP's 'register_globals' setting even if explicitly disabled\nin the configuration, and to launch cross-site scripting attacks\ninvolving PHP's 'phpinfo()' function.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.hardened-php.net/advisory_182005.77.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.hardened-php.net/advisory_192005.78.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.hardened-php.net/advisory_202005.79.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.php.net/release_4_4_1.php\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to PHP version 4.4.1 / 5.0.6 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/11/01\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/08/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:php:php\");\n script_end_attributes();\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"php_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/PHP\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"audit.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:80, php:TRUE);\n\nphp = get_php_from_kb(\n port : port,\n exit_on_fail : TRUE\n);\n\nversion = php[\"ver\"];\nsource = php[\"src\"];\n\nbackported = get_kb_item('www/php/'+port+'/'+version+'/backported');\n\nif (report_paranoia < 2 && backported)\n audit(AUDIT_BACKPORT_SERVICE, port, \"PHP \"+version+\" install\");\n\nif (version =~ \"^3\\.\" ||\n version =~ \"^4\\.([0-3]\\.|4\\.0($|[^0-9]))\" || \n version =~ \"^5\\.0\\.[0-5]($|[^0-9])\"\n)\n{\n set_kb_item(name:\"www/\"+port+\"/XSS\", value:TRUE);\n if (report_verbosity > 0)\n {\n report =\n '\\n Version source : '+source +\n '\\n Installed version : '+version+\n '\\n Fixed version : 4.4.1 / 5.0.6\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, \"PHP\", port, version);\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:08:51", "bulletinFamily": "scanner", "description": "Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4.\n\nThis update has been rated as having moderate security impact by the Red Hat Security Response Team.\n\nPHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.\n\nA flaw was found in the way PHP registers global variables during a file upload request. A remote attacker could submit a carefully crafted multipart/form-data POST request that would overwrite the $GLOBALS array, altering expected script behavior, and possibly leading to the execution of arbitrary PHP commands. Please note that this vulnerability only affects installations which have register_globals enabled in the PHP configuration file, which is not a default or recommended option. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3390 to this issue.\n\nA flaw was found in the PHP parse_str() function. If a PHP script passes only one argument to the parse_str() function, and the script can be forced to abort execution during operation (for example due to the memory_limit setting), the register_globals may be enabled even if it is disabled in the PHP configuration file. This vulnerability only affects installations that have PHP scripts using the parse_str function in this way. (CVE-2005-3389)\n\nA Cross-Site Scripting flaw was found in the phpinfo() function. If a victim can be tricked into following a malicious URL to a site with a page displaying the phpinfo() output, it may be possible to inject JavaScript or HTML content into the displayed page or steal data such as cookies. This vulnerability only affects installations which allow users to view the output of the phpinfo() function. As the phpinfo() function outputs a large amount of information about the current state of PHP, it should only be used during debugging or if protected by authentication. (CVE-2005-3388)\n\nA denial of service flaw was found in the way PHP processes EXIF image data. It is possible for an attacker to cause PHP to crash by supplying carefully crafted EXIF image data. (CVE-2005-3353)\n\nUsers of PHP should upgrade to these updated packages, which contain backported patches that resolve these issues.", "modified": "2018-11-15T00:00:00", "id": "REDHAT-RHSA-2005-831.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=20206", "published": "2005-11-15T00:00:00", "title": "RHEL 3 / 4 : php (RHSA-2005:831)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2005:831. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(20206);\n script_version (\"1.22\");\n script_cvs_date(\"Date: 2018/11/15 11:40:30\");\n\n script_cve_id(\"CVE-2005-3353\", \"CVE-2005-3388\", \"CVE-2005-3389\", \"CVE-2005-3390\");\n script_bugtraq_id(15248, 15249, 15250);\n script_xref(name:\"RHSA\", value:\"2005:831\");\n\n script_name(english:\"RHEL 3 / 4 : php (RHSA-2005:831)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated PHP packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 3 and 4.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nPHP is an HTML-embedded scripting language commonly used with the\nApache HTTP Web server.\n\nA flaw was found in the way PHP registers global variables during a\nfile upload request. A remote attacker could submit a carefully\ncrafted multipart/form-data POST request that would overwrite the\n$GLOBALS array, altering expected script behavior, and possibly\nleading to the execution of arbitrary PHP commands. Please note that\nthis vulnerability only affects installations which have\nregister_globals enabled in the PHP configuration file, which is not a\ndefault or recommended option. The Common Vulnerabilities and\nExposures project assigned the name CVE-2005-3390 to this issue.\n\nA flaw was found in the PHP parse_str() function. If a PHP script\npasses only one argument to the parse_str() function, and the script\ncan be forced to abort execution during operation (for example due to\nthe memory_limit setting), the register_globals may be enabled even if\nit is disabled in the PHP configuration file. This vulnerability only\naffects installations that have PHP scripts using the parse_str\nfunction in this way. (CVE-2005-3389)\n\nA Cross-Site Scripting flaw was found in the phpinfo() function. If a\nvictim can be tricked into following a malicious URL to a site with a\npage displaying the phpinfo() output, it may be possible to inject\nJavaScript or HTML content into the displayed page or steal data such\nas cookies. This vulnerability only affects installations which allow\nusers to view the output of the phpinfo() function. As the phpinfo()\nfunction outputs a large amount of information about the current state\nof PHP, it should only be used during debugging or if protected by\nauthentication. (CVE-2005-3388)\n\nA denial of service flaw was found in the way PHP processes EXIF image\ndata. It is possible for an attacker to cause PHP to crash by\nsupplying carefully crafted EXIF image data. (CVE-2005-3353)\n\nUsers of PHP should upgrade to these updated packages, which contain\nbackported patches that resolve these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2005-3353\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2005-3388\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2005-3389\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2005-3390\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2005:831\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-domxml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-imap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-mbstring\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-ncurses\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-odbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-pear\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-snmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/11/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/11/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(3|4)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 3.x / 4.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2005:831\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL3\", reference:\"php-4.3.2-26.ent\")) flag++;\n if (rpm_check(release:\"RHEL3\", reference:\"php-devel-4.3.2-26.ent\")) flag++;\n if (rpm_check(release:\"RHEL3\", reference:\"php-imap-4.3.2-26.ent\")) flag++;\n if (rpm_check(release:\"RHEL3\", reference:\"php-ldap-4.3.2-26.ent\")) flag++;\n if (rpm_check(release:\"RHEL3\", reference:\"php-mysql-4.3.2-26.ent\")) flag++;\n if (rpm_check(release:\"RHEL3\", reference:\"php-odbc-4.3.2-26.ent\")) flag++;\n if (rpm_check(release:\"RHEL3\", reference:\"php-pgsql-4.3.2-26.ent\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", reference:\"php-4.3.9-3.9\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"php-devel-4.3.9-3.9\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"php-domxml-4.3.9-3.9\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"php-gd-4.3.9-3.9\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"php-imap-4.3.9-3.9\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"php-ldap-4.3.9-3.9\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"php-mbstring-4.3.9-3.9\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"php-mysql-4.3.9-3.9\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"php-ncurses-4.3.9-3.9\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"php-odbc-4.3.9-3.9\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"php-pear-4.3.9-3.9\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"php-pgsql-4.3.9-3.9\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"php-snmp-4.3.9-3.9\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"php-xmlrpc-4.3.9-3.9\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php / php-devel / php-domxml / php-gd / php-imap / php-ldap / etc\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:09:14", "bulletinFamily": "scanner", "description": "Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4.\n\nThis update has been rated as having moderate security impact by the Red Hat Security Response Team.\n\nPHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.\n\nA flaw was found in the way PHP registers global variables during a file upload request. A remote attacker could submit a carefully crafted multipart/form-data POST request that would overwrite the $GLOBALS array, altering expected script behavior, and possibly leading to the execution of arbitrary PHP commands. Please note that this vulnerability only affects installations which have register_globals enabled in the PHP configuration file, which is not a default or recommended option. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3390 to this issue.\n\nA flaw was found in the PHP parse_str() function. If a PHP script passes only one argument to the parse_str() function, and the script can be forced to abort execution during operation (for example due to the memory_limit setting), the register_globals may be enabled even if it is disabled in the PHP configuration file. This vulnerability only affects installations that have PHP scripts using the parse_str function in this way. (CVE-2005-3389)\n\nA Cross-Site Scripting flaw was found in the phpinfo() function. If a victim can be tricked into following a malicious URL to a site with a page displaying the phpinfo() output, it may be possible to inject JavaScript or HTML content into the displayed page or steal data such as cookies. This vulnerability only affects installations which allow users to view the output of the phpinfo() function. As the phpinfo() function outputs a large amount of information about the current state of PHP, it should only be used during debugging or if protected by authentication. (CVE-2005-3388)\n\nA denial of service flaw was found in the way PHP processes EXIF image data. It is possible for an attacker to cause PHP to crash by supplying carefully crafted EXIF image data. (CVE-2005-3353)\n\nUsers of PHP should upgrade to these updated packages, which contain backported patches that resolve these issues.", "modified": "2018-11-10T00:00:00", "id": "CENTOS_RHSA-2005-831.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=21871", "published": "2006-07-03T00:00:00", "title": "CentOS 3 / 4 : php (CESA-2005:831)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2005:831 and \n# CentOS Errata and Security Advisory 2005:831 respectively.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(21871);\n script_version(\"1.18\");\n script_cvs_date(\"Date: 2018/11/10 11:49:27\");\n\n script_cve_id(\"CVE-2005-3353\", \"CVE-2005-3388\", \"CVE-2005-3389\", \"CVE-2005-3390\");\n script_bugtraq_id(15248, 15249, 15250);\n script_xref(name:\"RHSA\", value:\"2005:831\");\n\n script_name(english:\"CentOS 3 / 4 : php (CESA-2005:831)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated PHP packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 3 and 4.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nPHP is an HTML-embedded scripting language commonly used with the\nApache HTTP Web server.\n\nA flaw was found in the way PHP registers global variables during a\nfile upload request. A remote attacker could submit a carefully\ncrafted multipart/form-data POST request that would overwrite the\n$GLOBALS array, altering expected script behavior, and possibly\nleading to the execution of arbitrary PHP commands. Please note that\nthis vulnerability only affects installations which have\nregister_globals enabled in the PHP configuration file, which is not a\ndefault or recommended option. The Common Vulnerabilities and\nExposures project assigned the name CVE-2005-3390 to this issue.\n\nA flaw was found in the PHP parse_str() function. If a PHP script\npasses only one argument to the parse_str() function, and the script\ncan be forced to abort execution during operation (for example due to\nthe memory_limit setting), the register_globals may be enabled even if\nit is disabled in the PHP configuration file. This vulnerability only\naffects installations that have PHP scripts using the parse_str\nfunction in this way. (CVE-2005-3389)\n\nA Cross-Site Scripting flaw was found in the phpinfo() function. If a\nvictim can be tricked into following a malicious URL to a site with a\npage displaying the phpinfo() output, it may be possible to inject\nJavaScript or HTML content into the displayed page or steal data such\nas cookies. This vulnerability only affects installations which allow\nusers to view the output of the phpinfo() function. As the phpinfo()\nfunction outputs a large amount of information about the current state\nof PHP, it should only be used during debugging or if protected by\nauthentication. (CVE-2005-3388)\n\nA denial of service flaw was found in the way PHP processes EXIF image\ndata. It is possible for an attacker to cause PHP to crash by\nsupplying carefully crafted EXIF image data. (CVE-2005-3353)\n\nUsers of PHP should upgrade to these updated packages, which contain\nbackported patches that resolve these issues.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2005-November/012393.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2ba48b5d\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2005-November/012394.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a7b67205\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2005-November/012395.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?359a2fea\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2005-November/012400.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?61d76502\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2005-November/012401.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e53e54cf\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2005-November/012402.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?48e764fc\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected php packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php-domxml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php-imap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php-mbstring\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php-ncurses\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php-odbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php-pear\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php-snmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:4\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/11/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/07/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/CentOS/release\")) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-3\", reference:\"php-4.3.2-26.ent\")) flag++;\nif (rpm_check(release:\"CentOS-3\", reference:\"php-devel-4.3.2-26.ent\")) flag++;\nif (rpm_check(release:\"CentOS-3\", reference:\"php-imap-4.3.2-26.ent\")) flag++;\nif (rpm_check(release:\"CentOS-3\", reference:\"php-ldap-4.3.2-26.ent\")) flag++;\nif (rpm_check(release:\"CentOS-3\", reference:\"php-mysql-4.3.2-26.ent\")) flag++;\nif (rpm_check(release:\"CentOS-3\", reference:\"php-odbc-4.3.2-26.ent\")) flag++;\nif (rpm_check(release:\"CentOS-3\", reference:\"php-pgsql-4.3.2-26.ent\")) flag++;\n\nif (rpm_check(release:\"CentOS-4\", reference:\"php-4.3.9-3.9\")) flag++;\nif (rpm_check(release:\"CentOS-4\", reference:\"php-devel-4.3.9-3.9\")) flag++;\nif (rpm_check(release:\"CentOS-4\", reference:\"php-domxml-4.3.9-3.9\")) flag++;\nif (rpm_check(release:\"CentOS-4\", reference:\"php-gd-4.3.9-3.9\")) flag++;\nif (rpm_check(release:\"CentOS-4\", reference:\"php-imap-4.3.9-3.9\")) flag++;\nif (rpm_check(release:\"CentOS-4\", reference:\"php-ldap-4.3.9-3.9\")) flag++;\nif (rpm_check(release:\"CentOS-4\", reference:\"php-mbstring-4.3.9-3.9\")) flag++;\nif (rpm_check(release:\"CentOS-4\", reference:\"php-mysql-4.3.9-3.9\")) flag++;\nif (rpm_check(release:\"CentOS-4\", reference:\"php-ncurses-4.3.9-3.9\")) flag++;\nif (rpm_check(release:\"CentOS-4\", reference:\"php-odbc-4.3.9-3.9\")) flag++;\nif (rpm_check(release:\"CentOS-4\", reference:\"php-pear-4.3.9-3.9\")) flag++;\nif (rpm_check(release:\"CentOS-4\", reference:\"php-pgsql-4.3.9-3.9\")) flag++;\nif (rpm_check(release:\"CentOS-4\", reference:\"php-snmp-4.3.9-3.9\")) flag++;\nif (rpm_check(release:\"CentOS-4\", reference:\"php-xmlrpc-4.3.9-3.9\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:08:51", "bulletinFamily": "scanner", "description": "Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 2.1\n\nThis update has been rated as having moderate security impact by the Red Hat Security Response Team.\n\nPHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.\n\nA flaw was found in the way PHP registers global variables during a file upload request. A remote attacker could submit a carefully crafted multipart/form-data POST request that would overwrite the $GLOBALS array, altering expected script behavior, and possibly leading to the execution of arbitrary PHP commands. Note that this vulnerability only affects installations which have register_globals enabled in the PHP configuration file, which is not a default or recommended option. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3390 to this issue.\n\nA flaw was found in the PHP parse_str() function. If a PHP script passes only one argument to the parse_str() function, and the script can be forced to abort execution during operation (for example due to the memory_limit setting), the register_globals may be enabled even if it is disabled in the PHP configuration file. This vulnerability only affects installations that have PHP scripts using the parse_str function in this way. (CVE-2005-3389)\n\nA Cross-Site Scripting flaw was found in the phpinfo() function. If a victim can be tricked into following a malicious URL to a site with a page displaying the phpinfo() output, it may be possible to inject JavaScript or HTML content into the displayed page or steal data such as cookies. This vulnerability only affects installations which allow users to view the output of the phpinfo() function. As the phpinfo() function outputs a large amount of information about the current state of PHP, it should only be used during debugging or if protected by authentication. (CVE-2005-3388)\n\nAdditionally, a bug introduced in the updates to fix CVE-2004-1019 has been corrected.\n\nUsers of PHP should upgrade to these updated packages, which contain backported patches that resolve these issues.", "modified": "2019-01-02T00:00:00", "id": "REDHAT-RHSA-2005-838.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=20207", "published": "2005-11-15T00:00:00", "title": "RHEL 2.1 : php (RHSA-2005:838)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2005:838. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(20207);\n script_version (\"1.21\");\n script_cvs_date(\"Date: 2019/01/02 16:37:55\");\n\n script_cve_id(\"CVE-2004-1019\", \"CVE-2005-3388\", \"CVE-2005-3389\", \"CVE-2005-3390\");\n script_bugtraq_id(15248, 15249, 15250);\n script_xref(name:\"RHSA\", value:\"2005:838\");\n\n script_name(english:\"RHEL 2.1 : php (RHSA-2005:838)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated PHP packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 2.1\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nPHP is an HTML-embedded scripting language commonly used with the\nApache HTTP Web server.\n\nA flaw was found in the way PHP registers global variables during a\nfile upload request. A remote attacker could submit a carefully\ncrafted multipart/form-data POST request that would overwrite the\n$GLOBALS array, altering expected script behavior, and possibly\nleading to the execution of arbitrary PHP commands. Note that this\nvulnerability only affects installations which have register_globals\nenabled in the PHP configuration file, which is not a default or\nrecommended option. The Common Vulnerabilities and Exposures project\nassigned the name CVE-2005-3390 to this issue.\n\nA flaw was found in the PHP parse_str() function. If a PHP script\npasses only one argument to the parse_str() function, and the script\ncan be forced to abort execution during operation (for example due to\nthe memory_limit setting), the register_globals may be enabled even if\nit is disabled in the PHP configuration file. This vulnerability only\naffects installations that have PHP scripts using the parse_str\nfunction in this way. (CVE-2005-3389)\n\nA Cross-Site Scripting flaw was found in the phpinfo() function. If a\nvictim can be tricked into following a malicious URL to a site with a\npage displaying the phpinfo() output, it may be possible to inject\nJavaScript or HTML content into the displayed page or steal data such\nas cookies. This vulnerability only affects installations which allow\nusers to view the output of the phpinfo() function. As the phpinfo()\nfunction outputs a large amount of information about the current state\nof PHP, it should only be used during debugging or if protected by\nauthentication. (CVE-2005-3388)\n\nAdditionally, a bug introduced in the updates to fix CVE-2004-1019 has\nbeen corrected.\n\nUsers of PHP should upgrade to these updated packages, which contain\nbackported patches that resolve these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2005-3388\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2005-3389\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2005-3390\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2005:838\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-imap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-odbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:2.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/11/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/11/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^2\\.1([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 2.1\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\nif (cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i386\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2005:838\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"php-4.1.2-2.3\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"php-devel-4.1.2-2.3\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"php-imap-4.1.2-2.3\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"php-ldap-4.1.2-2.3\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"php-manual-4.1.2-2.3\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"php-mysql-4.1.2-2.3\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"php-odbc-4.1.2-2.3\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"php-pgsql-4.1.2-2.3\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php / php-devel / php-imap / php-ldap / php-manual / php-mysql / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:08:54", "bulletinFamily": "scanner", "description": "A number of vulnerabilities were discovered in PHP :\n\nAn issue with fopen_wrappers.c would not properly restrict access to other directories when the open_basedir directive included a trailing slash (CVE-2005-3054); this issue does not affect Corporate Server 2.1.\n\nAn issue with the apache2handler SAPI in mod_php could allow an attacker to cause a Denial of Service via the session.save_path option in an .htaccess file or VirtualHost stanza (CVE-2005-3319); this issue does not affect Corporate Server 2.1.\n\nA Denial of Service vulnerability was discovered in the way that PHP processes EXIF image data which could allow an attacker to cause PHP to crash by supplying carefully crafted EXIF image data (CVE-2005-3353).\n\nA cross-site scripting vulnerability was discovered in the phpinfo() function which could allow for the injection of JavaScript or HTML content onto a page displaying phpinfo() output, or to steal data such as cookies (CVE-2005-3388).\n\nA flaw in the parse_str() function could allow for the enabling of register_globals, even if it was disabled in the PHP configuration file (CVE-2005-3389).\n\nA vulnerability in the way that PHP registers global variables during a file upload request could allow a remote attacker to overwrite the $GLOBALS array which could potentially lead the execution of arbitrary PHP commands. This vulnerability only affects systems with register_globals enabled (CVE-2005-3390).\n\nThe updated packages have been patched to address this issue. Once the new packages have been installed, you will need to restart your Apache server using 'service httpd restart' in order for the new packages to take effect ('service httpd2-naat restart' for MNF2).", "modified": "2018-07-19T00:00:00", "id": "MANDRAKE_MDKSA-2005-213.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=20445", "published": "2006-01-15T00:00:00", "title": "Mandrake Linux Security Advisory : php (MDKSA-2005:213)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2005:213. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(20445);\n script_version (\"1.16\");\n script_cvs_date(\"Date: 2018/07/19 20:59:13\");\n\n script_cve_id(\"CVE-2005-2491\", \"CVE-2005-3054\", \"CVE-2005-3319\", \"CVE-2005-3353\", \"CVE-2005-3388\", \"CVE-2005-3389\", \"CVE-2005-3390\", \"CVE-2005-3391\", \"CVE-2005-3392\");\n script_xref(name:\"MDKSA\", value:\"2005:213\");\n\n script_name(english:\"Mandrake Linux Security Advisory : php (MDKSA-2005:213)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A number of vulnerabilities were discovered in PHP :\n\nAn issue with fopen_wrappers.c would not properly restrict access to\nother directories when the open_basedir directive included a trailing\nslash (CVE-2005-3054); this issue does not affect Corporate Server\n2.1.\n\nAn issue with the apache2handler SAPI in mod_php could allow an\nattacker to cause a Denial of Service via the session.save_path option\nin an .htaccess file or VirtualHost stanza (CVE-2005-3319); this issue\ndoes not affect Corporate Server 2.1.\n\nA Denial of Service vulnerability was discovered in the way that PHP\nprocesses EXIF image data which could allow an attacker to cause PHP\nto crash by supplying carefully crafted EXIF image data\n(CVE-2005-3353).\n\nA cross-site scripting vulnerability was discovered in the phpinfo()\nfunction which could allow for the injection of JavaScript or HTML\ncontent onto a page displaying phpinfo() output, or to steal data such\nas cookies (CVE-2005-3388).\n\nA flaw in the parse_str() function could allow for the enabling of\nregister_globals, even if it was disabled in the PHP configuration\nfile (CVE-2005-3389).\n\nA vulnerability in the way that PHP registers global variables during\na file upload request could allow a remote attacker to overwrite the\n$GLOBALS array which could potentially lead the execution of arbitrary\nPHP commands. This vulnerability only affects systems with\nregister_globals enabled (CVE-2005-3390).\n\nThe updated packages have been patched to address this issue. Once the\nnew packages have been installed, you will need to restart your Apache\nserver using 'service httpd restart' in order for the new packages to\ntake effect ('service httpd2-naat restart' for MNF2).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.hardened-php.net/advisory_182005.77.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.hardened-php.net/advisory_192005.78.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.hardened-php.net/advisory_202005.79.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64php5_common5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64php_common432\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libphp5_common5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libphp_common432\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-cgi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-exif\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-fcgi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php432-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:10.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2006\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:mandrakesoft:mandrake_linux:le2005\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/11/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/01/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK10.1\", cpu:\"x86_64\", reference:\"lib64php_common432-4.3.8-3.6.101mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.1\", cpu:\"i386\", reference:\"libphp_common432-4.3.8-3.6.101mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.1\", reference:\"php-cgi-4.3.8-3.6.101mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.1\", reference:\"php-cli-4.3.8-3.6.101mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.1\", reference:\"php432-devel-4.3.8-3.6.101mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK10.2\", cpu:\"x86_64\", reference:\"lib64php_common432-4.3.10-7.4.102mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.2\", cpu:\"i386\", reference:\"libphp_common432-4.3.10-7.4.102mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.2\", reference:\"php-cgi-4.3.10-7.4.102mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.2\", reference:\"php-cli-4.3.10-7.4.102mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.2\", reference:\"php432-devel-4.3.10-7.4.102mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK2006.0\", cpu:\"x86_64\", reference:\"lib64php5_common5-5.0.4-9.1.20060mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK2006.0\", cpu:\"i386\", reference:\"libphp5_common5-5.0.4-9.1.20060mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK2006.0\", reference:\"php-cgi-5.0.4-9.1.20060mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK2006.0\", reference:\"php-cli-5.0.4-9.1.20060mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK2006.0\", reference:\"php-devel-5.0.4-9.1.20060mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK2006.0\", reference:\"php-exif-5.0.4-1.1.20060mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK2006.0\", reference:\"php-fcgi-5.0.4-9.1.20060mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:08:59", "bulletinFamily": "scanner", "description": "Eric Romang discovered a local Denial of Service vulnerability in the handling of the 'session.save_path' parameter in PHP's Apache 2.0 module. By setting this parameter to an invalid value in an .htaccess file, a local user could crash the Apache server. (CVE-2005-3319)\n\nA Denial of Service flaw was found in the EXIF module. By sending an image with specially crafted EXIF data to a PHP program that automatically evaluates them (e. g. a web gallery), a remote attacker could cause an infinite recursion in the PHP interpreter, which caused the web server to crash. (CVE-2005-3353)\n\nStefan Esser reported a Cross Site Scripting vulnerability in the phpinfo() function. By tricking a user into retrieving a specially crafted URL to a PHP page that exposes phpinfo(), a remote attacker could inject arbitrary HTML or web script into the output page and possibly steal private data like cookies or session identifiers.\n(CVE-2005-3388)\n\nStefan Esser discovered a vulnerability of the parse_str() function when it is called with just one argument. By calling such programs with specially crafted parameters, a remote attacker could enable the 'register_globals' option which is normally turned off for security reasons. Once this option is enabled, the remote attacker could exploit other security flaws of PHP programs which are normally protected by 'register_globals' being deactivated. (CVE-2005-3389)\n\nStefan Esser discovered that a remote attacker could overwrite the $GLOBALS array in PHP programs that allow file uploads and run with 'register_globals' enabled. Depending on the particular application, this can lead to unexpected vulnerabilities. (CVE-2005-3390)\n\nThe 'gd' image processing and cURL modules did not properly check processed file names against the 'open_basedir' and 'safe_mode' restrictions, which could be exploited to circumvent these limitations. (CVE-2005-3391)\n\nAnother bypass of the 'open_basedir' and 'safe_mode' restrictions was found in virtual() function. A local attacker could exploit this to circumvent these restrictions with specially crafted PHP INI files when virtual Apache 2.0 hosts are used. (CVE-2005-3392)\n\nThe mb_send_mail() function did not properly check its arguments for invalid embedded line breaks. By setting the 'To:' field of an email to a specially crafted value in a PHP web mail application, a remote attacker could inject arbitrary headers into the sent email.\n(CVE-2005-3883).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-08-03T00:00:00", "id": "UBUNTU_USN-232-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=20776", "published": "2006-01-21T00:00:00", "title": "Ubuntu 4.10 / 5.04 / 5.10 : php4, php5 vulnerabilities (USN-232-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-232-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(20776);\n script_version(\"1.16\");\n script_cvs_date(\"Date: 2018/08/03 12:21:23\");\n\n script_cve_id(\"CVE-2005-3319\", \"CVE-2005-3353\", \"CVE-2005-3388\", \"CVE-2005-3389\", \"CVE-2005-3390\", \"CVE-2005-3391\", \"CVE-2005-3392\", \"CVE-2005-3883\");\n script_bugtraq_id(15248, 15249, 15250);\n script_xref(name:\"USN\", value:\"232-1\");\n\n script_name(english:\"Ubuntu 4.10 / 5.04 / 5.10 : php4, php5 vulnerabilities (USN-232-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Eric Romang discovered a local Denial of Service vulnerability in the\nhandling of the 'session.save_path' parameter in PHP's Apache 2.0\nmodule. By setting this parameter to an invalid value in an .htaccess\nfile, a local user could crash the Apache server. (CVE-2005-3319)\n\nA Denial of Service flaw was found in the EXIF module. By sending an\nimage with specially crafted EXIF data to a PHP program that\nautomatically evaluates them (e. g. a web gallery), a remote attacker\ncould cause an infinite recursion in the PHP interpreter, which caused\nthe web server to crash. (CVE-2005-3353)\n\nStefan Esser reported a Cross Site Scripting vulnerability in the\nphpinfo() function. By tricking a user into retrieving a specially\ncrafted URL to a PHP page that exposes phpinfo(), a remote attacker\ncould inject arbitrary HTML or web script into the output page and\npossibly steal private data like cookies or session identifiers.\n(CVE-2005-3388)\n\nStefan Esser discovered a vulnerability of the parse_str() function\nwhen it is called with just one argument. By calling such programs\nwith specially crafted parameters, a remote attacker could enable the\n'register_globals' option which is normally turned off for security\nreasons. Once this option is enabled, the remote attacker could\nexploit other security flaws of PHP programs which are normally\nprotected by 'register_globals' being deactivated. (CVE-2005-3389)\n\nStefan Esser discovered that a remote attacker could overwrite the\n$GLOBALS array in PHP programs that allow file uploads and run with\n'register_globals' enabled. Depending on the particular application,\nthis can lead to unexpected vulnerabilities. (CVE-2005-3390)\n\nThe 'gd' image processing and cURL modules did not properly check\nprocessed file names against the 'open_basedir' and 'safe_mode'\nrestrictions, which could be exploited to circumvent these\nlimitations. (CVE-2005-3391)\n\nAnother bypass of the 'open_basedir' and 'safe_mode' restrictions was\nfound in virtual() function. A local attacker could exploit this to\ncircumvent these restrictions with specially crafted PHP INI files\nwhen virtual Apache 2.0 hosts are used. (CVE-2005-3392)\n\nThe mb_send_mail() function did not properly check its arguments for\ninvalid embedded line breaks. By setting the 'To:' field of an email\nto a specially crafted value in a PHP web mail application, a remote\nattacker could inject arbitrary headers into the sent email.\n(CVE-2005-3883).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libapache-mod-php4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libapache2-mod-php4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libapache2-mod-php5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php-pear\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php4-cgi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php4-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php4-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php4-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php4-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php4-domxml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php4-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php4-imap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php4-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php4-mcal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php4-mhash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php4-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php4-odbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php4-pear\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php4-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php4-recode\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php4-snmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php4-sybase\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php4-universe-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php4-xslt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php5-cgi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php5-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php5-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php5-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php5-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php5-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php5-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php5-mhash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php5-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php5-odbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php5-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php5-recode\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php5-snmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php5-sqlite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php5-sybase\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php5-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php5-xsl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:4.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:5.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:5.10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/12/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/01/21\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/10/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2005-2018 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(4\\.10|5\\.04|5\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 4.10 / 5.04 / 5.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"4.10\", pkgname:\"libapache2-mod-php4\", pkgver:\"4.3.8-3ubuntu7.14\")) flag++;\nif (ubuntu_check(osver:\"4.10\", pkgname:\"php4\", pkgver:\"4.3.8-3ubuntu7.14\")) flag++;\nif (ubuntu_check(osver:\"4.10\", pkgname:\"php4-cgi\", pkgver:\"4.3.8-3ubuntu7.14\")) flag++;\nif (ubuntu_check(osver:\"4.10\", pkgname:\"php4-curl\", pkgver:\"4.3.8-3ubuntu7.14\")) flag++;\nif (ubuntu_check(osver:\"4.10\", pkgname:\"php4-dev\", pkgver:\"4.3.8-3ubuntu7.14\")) flag++;\nif (ubuntu_check(osver:\"4.10\", pkgname:\"php4-domxml\", pkgver:\"4.3.8-3ubuntu7.14\")) flag++;\nif (ubuntu_check(osver:\"4.10\", pkgname:\"php4-gd\", pkgver:\"4.3.8-3ubuntu7.14\")) flag++;\nif (ubuntu_check(osver:\"4.10\", pkgname:\"php4-ldap\", pkgver:\"4.3.8-3ubuntu7.14\")) flag++;\nif (ubuntu_check(osver:\"4.10\", pkgname:\"php4-mcal\", pkgver:\"4.3.8-3ubuntu7.14\")) flag++;\nif (ubuntu_check(osver:\"4.10\", pkgname:\"php4-mhash\", pkgver:\"4.3.8-3ubuntu7.14\")) flag++;\nif (ubuntu_check(osver:\"4.10\", pkgname:\"php4-mysql\", pkgver:\"4.3.8-3ubuntu7.14\")) flag++;\nif (ubuntu_check(osver:\"4.10\", pkgname:\"php4-odbc\", pkgver:\"4.3.8-3ubuntu7.14\")) flag++;\nif (ubuntu_check(osver:\"4.10\", pkgname:\"php4-pear\", pkgver:\"4.3.8-3ubuntu7.14\")) flag++;\nif (ubuntu_check(osver:\"4.10\", pkgname:\"php4-recode\", pkgver:\"4.3.8-3ubuntu7.14\")) flag++;\nif (ubuntu_check(osver:\"4.10\", pkgname:\"php4-snmp\", pkgver:\"4.3.8-3ubuntu7.14\")) flag++;\nif (ubuntu_check(osver:\"4.10\", pkgname:\"php4-sybase\", pkgver:\"4.3.8-3ubuntu7.14\")) flag++;\nif (ubuntu_check(osver:\"4.10\", pkgname:\"php4-xslt\", pkgver:\"4.3.8-3ubuntu7.14\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"libapache-mod-php4\", pkgver:\"4.3.10-10ubuntu3.6\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"libapache2-mod-php4\", pkgver:\"4.3.10-10ubuntu4.3\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"php4\", pkgver:\"4.3.10-10ubuntu4.3\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"php4-cgi\", pkgver:\"4.3.10-10ubuntu4.3\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"php4-cli\", pkgver:\"4.3.10-10ubuntu4.3\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"php4-common\", pkgver:\"4.3.10-10ubuntu4.3\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"php4-curl\", pkgver:\"4.3.10-10ubuntu3.6\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"php4-dev\", pkgver:\"4.3.10-10ubuntu4.3\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"php4-domxml\", pkgver:\"4.3.10-10ubuntu3.6\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"php4-gd\", pkgver:\"4.3.10-10ubuntu3.6\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"php4-imap\", pkgver:\"4.3.10-10ubuntu3.6\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"php4-ldap\", pkgver:\"4.3.10-10ubuntu3.6\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"php4-mcal\", pkgver:\"4.3.10-10ubuntu3.6\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"php4-mhash\", pkgver:\"4.3.10-10ubuntu3.6\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"php4-mysql\", pkgver:\"4.3.10-10ubuntu3.6\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"php4-odbc\", pkgver:\"4.3.10-10ubuntu3.6\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"php4-pear\", pkgver:\"4.3.10-10ubuntu3.6\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"php4-recode\", pkgver:\"4.3.10-10ubuntu3.6\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"php4-snmp\", pkgver:\"4.3.10-10ubuntu3.6\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"php4-sybase\", pkgver:\"4.3.10-10ubuntu3.6\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"php4-universe-common\", pkgver:\"4.3.10-10ubuntu3.6\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"php4-xslt\", pkgver:\"4.3.10-10ubuntu3.6\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"libapache-mod-php4\", pkgver:\"4.4.0-3ubuntu1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"libapache2-mod-php4\", pkgver:\"4.4.0-3ubuntu1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"libapache2-mod-php5\", pkgver:\"5.0.5-2ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php-pear\", pkgver:\"5.0.5-2ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php4\", pkgver:\"4.4.0-3ubuntu1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php4-cgi\", pkgver:\"4.4.0-3ubuntu1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php4-cli\", pkgver:\"4.4.0-3ubuntu1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php4-common\", pkgver:\"4.4.0-3ubuntu1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php4-curl\", pkgver:\"4.4.0-3ubuntu1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php4-dev\", pkgver:\"4.4.0-3ubuntu1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php4-domxml\", pkgver:\"4.4.0-3ubuntu1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php4-gd\", pkgver:\"4.4.0-3ubuntu1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php4-ldap\", pkgver:\"4.4.0-3ubuntu1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php4-mcal\", pkgver:\"4.4.0-3ubuntu1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php4-mhash\", pkgver:\"4.4.0-3ubuntu1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php4-mysql\", pkgver:\"4.4.0-3ubuntu1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php4-odbc\", pkgver:\"4.4.0-3ubuntu1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php4-pear\", pkgver:\"4.4.0-3ubuntu1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php4-pgsql\", pkgver:\"4.4.0-3ubuntu1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php4-recode\", pkgver:\"4.4.0-3ubuntu1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php4-snmp\", pkgver:\"4.4.0-3ubuntu1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php4-sybase\", pkgver:\"4.4.0-3ubuntu1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php4-xslt\", pkgver:\"4.4.0-3ubuntu1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php5\", pkgver:\"5.0.5-2ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php5-cgi\", pkgver:\"5.0.5-2ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php5-cli\", pkgver:\"5.0.5-2ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php5-common\", pkgver:\"5.0.5-2ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php5-curl\", pkgver:\"5.0.5-2ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php5-dev\", pkgver:\"5.0.5-2ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php5-gd\", pkgver:\"5.0.5-2ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php5-ldap\", pkgver:\"5.0.5-2ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php5-mhash\", pkgver:\"5.0.5-2ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php5-mysql\", pkgver:\"5.0.5-2ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php5-odbc\", pkgver:\"5.0.5-2ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php5-pgsql\", pkgver:\"5.0.5-2ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php5-recode\", pkgver:\"5.0.5-2ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php5-snmp\", pkgver:\"5.0.5-2ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php5-sqlite\", pkgver:\"5.0.5-2ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php5-sybase\", pkgver:\"5.0.5-2ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php5-xmlrpc\", pkgver:\"5.0.5-2ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"php5-xsl\", pkgver:\"5.0.5-2ubuntu1.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libapache-mod-php4 / libapache2-mod-php4 / libapache2-mod-php5 / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:08:51", "bulletinFamily": "scanner", "description": "The remote host is affected by the vulnerability described in GLSA-200511-08 (PHP: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been found and fixed in PHP:\n a possible $GLOBALS variable overwrite problem through file upload handling, extract() and import_request_variables() (CVE-2005-3390) a local Denial of Service through the use of the session.save_path option (CVE-2005-3319) an issue with trailing slashes in allowed basedirs (CVE-2005-3054) an issue with calling virtual() on Apache 2, allowing to bypass safe_mode and open_basedir restrictions (CVE-2005-3392) a problem when a request was terminated due to memory_limit constraints during certain parse_str() calls (CVE-2005-3389) The curl and gd modules allowed to bypass the safe mode open_basedir restrictions (CVE-2005-3391) a cross-site scripting (XSS) vulnerability in phpinfo() (CVE-2005-3388) Impact :\n\n Attackers could leverage these issues to exploit applications that are assumed to be secure through the use of proper register_globals, safe_mode or open_basedir parameters. Remote attackers could also conduct cross-site scripting attacks if a page calling phpinfo() was available. Finally, a local attacker could cause a local Denial of Service using malicious session.save_path options.\n Workaround :\n\n There is no known workaround that would solve all issues at this time.", "modified": "2018-08-10T00:00:00", "id": "GENTOO_GLSA-200511-08.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=20195", "published": "2005-11-15T00:00:00", "title": "GLSA-200511-08 : PHP: Multiple vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200511-08.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(20195);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/08/10 18:07:06\");\n\n script_cve_id(\"CVE-2005-3054\", \"CVE-2005-3319\", \"CVE-2005-3388\", \"CVE-2005-3389\", \"CVE-2005-3390\", \"CVE-2005-3391\", \"CVE-2005-3392\");\n script_xref(name:\"GLSA\", value:\"200511-08\");\n\n script_name(english:\"GLSA-200511-08 : PHP: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200511-08\n(PHP: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been found and fixed in PHP:\n a possible $GLOBALS variable overwrite problem through file\n upload handling, extract() and import_request_variables()\n (CVE-2005-3390)\n a local Denial of Service through the use of\n the session.save_path option (CVE-2005-3319)\n an issue with\n trailing slashes in allowed basedirs (CVE-2005-3054)\n an issue\n with calling virtual() on Apache 2, allowing to bypass safe_mode and\n open_basedir restrictions (CVE-2005-3392)\n a problem when a\n request was terminated due to memory_limit constraints during certain\n parse_str() calls (CVE-2005-3389)\n The curl and gd modules\n allowed to bypass the safe mode open_basedir restrictions\n (CVE-2005-3391)\n a cross-site scripting (XSS) vulnerability in\n phpinfo() (CVE-2005-3388)\n \nImpact :\n\n Attackers could leverage these issues to exploit applications that\n are assumed to be secure through the use of proper register_globals,\n safe_mode or open_basedir parameters. Remote attackers could also\n conduct cross-site scripting attacks if a page calling phpinfo() was\n available. Finally, a local attacker could cause a local Denial of\n Service using malicious session.save_path options.\n \nWorkaround :\n\n There is no known workaround that would solve all issues at this\n time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200511-08\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All PHP users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose dev-php/php\n All mod_php users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose dev-php/mod_php\n All php-cgi users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose dev-php/php-cgi\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:mod_php\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:php\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:php-cgi\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/11/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/11/15\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/10/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"dev-php/php-cgi\", unaffected:make_list(\"rge 4.3.11-r5\", \"ge 4.4.0-r5\"), vulnerable:make_list(\"lt 4.4.0-r5\"))) flag++;\nif (qpkg_check(package:\"dev-php/php\", unaffected:make_list(\"rge 4.3.11-r4\", \"ge 4.4.0-r4\"), vulnerable:make_list(\"lt 4.4.0-r4\"))) flag++;\nif (qpkg_check(package:\"dev-php/mod_php\", unaffected:make_list(\"rge 4.3.11-r4\", \"ge 4.4.0-r8\"), vulnerable:make_list(\"lt 4.4.0-r8\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"PHP\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "centos": [{"lastseen": "2017-10-12T14:44:57", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2005:831\n\n\nPHP is an HTML-embedded scripting language commonly used with the Apache\r\nHTTP Web server.\r\n\r\nA flaw was found in the way PHP registers global variables during a file\r\nupload request. A remote attacker could submit a carefully crafted\r\nmultipart/form-data POST request that would overwrite the $GLOBALS array,\r\naltering expected script behavior, and possibly leading to the execution of\r\narbitrary PHP commands. Please note that this vulnerability only affects\r\ninstallations which have register_globals enabled in the PHP configuration\r\nfile, which is not a default or recommended option. The Common\r\nVulnerabilities and Exposures project assigned the name CVE-2005-3390 to\r\nthis issue.\r\n\r\nA flaw was found in the PHP parse_str() function. If a PHP script passes\r\nonly one argument to the parse_str() function, and the script can be forced\r\nto abort execution during operation (for example due to the memory_limit\r\nsetting), the register_globals may be enabled even if it is disabled in the\r\nPHP configuration file. This vulnerability only affects installations that\r\nhave PHP scripts using the parse_str function in this way. (CVE-2005-3389)\r\n\r\nA Cross-Site Scripting flaw was found in the phpinfo() function. If a\r\nvictim can be tricked into following a malicious URL to a site with a page\r\ndisplaying the phpinfo() output, it may be possible to inject javascript\r\nor HTML content into the displayed page or steal data such as cookies. \r\nThis vulnerability only affects installations which allow users to view the\r\noutput of the phpinfo() function. As the phpinfo() function outputs a\r\nlarge amount of information about the current state of PHP, it should only\r\nbe used during debugging or if protected by authentication. (CVE-2005-3388)\r\n\r\nA denial of service flaw was found in the way PHP processes EXIF image\r\ndata. It is possible for an attacker to cause PHP to crash by supplying\r\ncarefully crafted EXIF image data. (CVE-2005-3353)\r\n\r\nUsers of PHP should upgrade to these updated packages, which contain\r\nbackported patches that resolve these issues.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2005-November/012393.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-November/012394.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-November/012395.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-November/012400.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-November/012401.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-November/012402.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-November/012410.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-November/012414.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-November/012415.html\n\n**Affected packages:**\nphp\nphp-devel\nphp-domxml\nphp-gd\nphp-imap\nphp-ldap\nphp-mbstring\nphp-mysql\nphp-ncurses\nphp-odbc\nphp-pear\nphp-pgsql\nphp-snmp\nphp-xmlrpc\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2005-831.html", "modified": "2005-11-12T14:59:07", "published": "2005-11-11T01:54:54", "href": "http://lists.centos.org/pipermail/centos-announce/2005-November/012393.html", "id": "CESA-2005:831", "title": "php security update", "type": "centos", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-13T07:01:39", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2005:1110-001\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2005-November/012398.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-November/012399.html\n\n**Affected packages:**\nphp\nphp-bcmath\nphp-dba\nphp-devel\nphp-gd\nphp-imap\nphp-ldap\nphp-mbstring\nphp-mysql\nphp-ncurses\nphp-odbc\nphp-pear\nphp-pgsql\nphp-snmp\nphp-soap\nphp-xml\nphp-xmlrpc\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2005-831.html", "modified": "2005-11-11T03:55:21", "published": "2005-11-11T03:54:29", "href": "http://lists.centos.org/pipermail/centos-announce/2005-November/012398.html", "id": "CESA-2005:1110-001", "title": "php security update", "type": "centos", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-25T07:01:57", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2005:838-01\n\n\nPHP is an HTML-embedded scripting language commonly used with the Apache\r\nHTTP Web server.\r\n\r\nA flaw was found in the way PHP registers global variables during a file\r\nupload request. A remote attacker could submit a carefully crafted\r\nmultipart/form-data POST request that would overwrite the $GLOBALS array,\r\naltering expected script behavior, and possibly leading to the execution of\r\narbitrary PHP commands. Note that this vulnerability only affects\r\ninstallations which have register_globals enabled in the PHP configuration\r\nfile, which is not a default or recommended option. The Common\r\nVulnerabilities and Exposures project assigned the name CVE-2005-3390 to\r\nthis issue.\r\n\r\nA flaw was found in the PHP parse_str() function. If a PHP script passes\r\nonly one argument to the parse_str() function, and the script can be forced\r\nto abort execution during operation (for example due to the memory_limit\r\nsetting), the register_globals may be enabled even if it is disabled in the\r\nPHP configuration file. This vulnerability only affects installations that\r\nhave PHP scripts using the parse_str function in this way. (CVE-2005-3389)\r\n\r\nA Cross-Site Scripting flaw was found in the phpinfo() function. If a\r\nvictim can be tricked into following a malicious URL to a site with a page\r\ndisplaying the phpinfo() output, it may be possible to inject javascript\r\nor HTML content into the displayed page or steal data such as cookies. \r\nThis vulnerability only affects installations which allow users to view the\r\noutput of the phpinfo() function. As the phpinfo() function outputs a\r\nlarge amount of information about the current state of PHP, it should only\r\nbe used during debugging or if protected by authentication. (CVE-2005-3388)\r\n\r\nAdditionally, a bug introduced in the updates to fix CVE-2004-1019 has been\r\ncorrected.\r\n\r\nUsers of PHP should upgrade to these updated packages, which contain\r\nbackported patches that resolve these issues.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2005-November/012392.html\n\n**Affected packages:**\nphp\nphp-devel\nphp-imap\nphp-ldap\nphp-manual\nphp-mysql\nphp-odbc\nphp-pgsql\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/rh21as-errata.html", "modified": "2005-11-10T23:45:48", "published": "2005-11-10T23:45:48", "href": "http://lists.centos.org/pipermail/centos-announce/2005-November/012392.html", "id": "CESA-2005:838-01", "title": "php security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "redhat": [{"lastseen": "2018-12-11T17:44:03", "bulletinFamily": "unix", "description": "PHP is an HTML-embedded scripting language commonly used with the Apache\r\nHTTP Web server.\r\n\r\nA flaw was found in the way PHP registers global variables during a file\r\nupload request. A remote attacker could submit a carefully crafted\r\nmultipart/form-data POST request that would overwrite the $GLOBALS array,\r\naltering expected script behavior, and possibly leading to the execution of\r\narbitrary PHP commands. Please note that this vulnerability only affects\r\ninstallations which have register_globals enabled in the PHP configuration\r\nfile, which is not a default or recommended option. The Common\r\nVulnerabilities and Exposures project assigned the name CVE-2005-3390 to\r\nthis issue.\r\n\r\nA flaw was found in the PHP parse_str() function. If a PHP script passes\r\nonly one argument to the parse_str() function, and the script can be forced\r\nto abort execution during operation (for example due to the memory_limit\r\nsetting), the register_globals may be enabled even if it is disabled in the\r\nPHP configuration file. This vulnerability only affects installations that\r\nhave PHP scripts using the parse_str function in this way. (CVE-2005-3389)\r\n\r\nA Cross-Site Scripting flaw was found in the phpinfo() function. If a\r\nvictim can be tricked into following a malicious URL to a site with a page\r\ndisplaying the phpinfo() output, it may be possible to inject javascript\r\nor HTML content into the displayed page or steal data such as cookies. \r\nThis vulnerability only affects installations which allow users to view the\r\noutput of the phpinfo() function. As the phpinfo() function outputs a\r\nlarge amount of information about the current state of PHP, it should only\r\nbe used during debugging or if protected by authentication. (CVE-2005-3388)\r\n\r\nA denial of service flaw was found in the way PHP processes EXIF image\r\ndata. It is possible for an attacker to cause PHP to crash by supplying\r\ncarefully crafted EXIF image data. (CVE-2005-3353)\r\n\r\nUsers of PHP should upgrade to these updated packages, which contain\r\nbackported patches that resolve these issues.", "modified": "2017-09-08T12:07:16", "published": "2005-11-10T05:00:00", "id": "RHSA-2005:831", "href": "https://access.redhat.com/errata/RHSA-2005:831", "type": "redhat", "title": "(RHSA-2005:831) php security update", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-12-11T17:45:44", "bulletinFamily": "unix", "description": "PHP is an HTML-embedded scripting language commonly used with the Apache\r\nHTTP Web server.\r\n\r\nA flaw was found in the way PHP registers global variables during a file\r\nupload request. A remote attacker could submit a carefully crafted\r\nmultipart/form-data POST request that would overwrite the $GLOBALS array,\r\naltering expected script behavior, and possibly leading to the execution of\r\narbitrary PHP commands. Note that this vulnerability only affects\r\ninstallations which have register_globals enabled in the PHP configuration\r\nfile, which is not a default or recommended option. The Common\r\nVulnerabilities and Exposures project assigned the name CVE-2005-3390 to\r\nthis issue.\r\n\r\nA flaw was found in the PHP parse_str() function. If a PHP script passes\r\nonly one argument to the parse_str() function, and the script can be forced\r\nto abort execution during operation (for example due to the memory_limit\r\nsetting), the register_globals may be enabled even if it is disabled in the\r\nPHP configuration file. This vulnerability only affects installations that\r\nhave PHP scripts using the parse_str function in this way. (CVE-2005-3389)\r\n\r\nA Cross-Site Scripting flaw was found in the phpinfo() function. If a\r\nvictim can be tricked into following a malicious URL to a site with a page\r\ndisplaying the phpinfo() output, it may be possible to inject javascript\r\nor HTML content into the displayed page or steal data such as cookies. \r\nThis vulnerability only affects installations which allow users to view the\r\noutput of the phpinfo() function. As the phpinfo() function outputs a\r\nlarge amount of information about the current state of PHP, it should only\r\nbe used during debugging or if protected by authentication. (CVE-2005-3388)\r\n\r\nAdditionally, a bug introduced in the updates to fix CVE-2004-1019 has been\r\ncorrected.\r\n\r\nUsers of PHP should upgrade to these updated packages, which contain\r\nbackported patches that resolve these issues.", "modified": "2018-03-14T19:26:00", "published": "2005-11-10T05:00:00", "id": "RHSA-2005:838", "href": "https://access.redhat.com/errata/RHSA-2005:838", "type": "redhat", "title": "(RHSA-2005:838) php security update", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2017-07-24T12:50:04", "bulletinFamily": "scanner", "description": "The remote host is missing updates announced in\nadvisory GLSA 200511-08.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=55857", "id": "OPENVAS:55857", "title": "Gentoo Security Advisory GLSA 200511-08 (PHP)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"PHP suffers from multiple issues, resulting in security functions bypass,\nlocal Denial of service, cross-site scripting or PHP variables overwrite.\";\ntag_solution = \"All PHP users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose dev-php/php\n\nAll mod_php users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose dev-php/mod_php\n\nAll php-cgi users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose dev-php/php-cgi\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200511-08\nhttp://bugs.gentoo.org/show_bug.cgi?id=107602\nhttp://bugs.gentoo.org/show_bug.cgi?id=111032\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200511-08.\";\n\n \n\nif(description)\n{\n script_id(55857);\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_cve_id(\"CVE-2005-3054\", \"CVE-2005-3319\", \"CVE-2005-3388\", \"CVE-2005-3389\", \"CVE-2005-3390\", \"CVE-2005-3391\", \"CVE-2005-3392\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Gentoo Security Advisory GLSA 200511-08 (PHP)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"dev-php/php\", unaffected: make_list(\"rge 4.3.11-r4\", \"ge 4.4.0-r4\"), vulnerable: make_list(\"lt 4.4.0-r4\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"dev-php/mod_php\", unaffected: make_list(\"rge 4.3.11-r4\", \"ge 4.4.0-r8\"), vulnerable: make_list(\"lt 4.4.0-r8\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"dev-php/php-cgi\", unaffected: make_list(\"rge 4.3.11-r5\", \"ge 4.4.0-r5\"), vulnerable: make_list(\"lt 4.4.0-r5\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-02T21:10:22", "bulletinFamily": "scanner", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-09-22T00:00:00", "published": "2008-09-04T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=55777", "id": "OPENVAS:55777", "title": "PHP -- multiple vulnerabilities", "type": "openvas", "sourceData": "#\n#VID 6821a2db-4ab7-11da-932d-00055d790c25\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following packages are affected:\n mod_php4-twig\n php4-cgi\n php4-cli\n php4-dtc\n php4-horde\n php4-nms\n php4\n mod_php\n mod_php4\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://secunia.com/advisories/17371/\nhttp://www.vuxml.org/freebsd/6821a2db-4ab7-11da-932d-00055d790c25.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\nif(description)\n{\n script_id(55777);\n script_version(\"$Revision: 4128 $\");\n script_cve_id(\"CVE-2005-2491\", \"CVE-2005-3319\", \"CVE-2005-3353\", \"CVE-2005-3388\",\n \"CVE-2005-3389\", \"CVE-2005-3390\", \"CVE-2005-3391\", \"CVE-2005-3392\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-09-22 07:37:51 +0200 (Thu, 22 Sep 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"PHP -- multiple vulnerabilities\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"mod_php4-twig\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.4.1\")<0) {\n txt += 'Package mod_php4-twig version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"php4-cgi\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.4.1\")<0) {\n txt += 'Package php4-cgi version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"php4-cli\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.4.1\")<0) {\n txt += 'Package php4-cli version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"php4-dtc\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.4.1\")<0) {\n txt += 'Package php4-dtc version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"php4-horde\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.4.1\")<0) {\n txt += 'Package php4-horde version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"php4-nms\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.4.1\")<0) {\n txt += 'Package php4-nms version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"php4\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.4.1\")<0) {\n txt += 'Package php4 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"mod_php\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4\")>=0 && revcomp(a:bver, b:\"4.4.1,1\")<0) {\n txt += 'Package mod_php version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"mod_php4\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4\")>=0 && revcomp(a:bver, b:\"4.4.1,1\")<0) {\n txt += 'Package mod_php4 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:09", "bulletinFamily": "unix", "description": "### Background\n\nPHP is a general-purpose scripting language widely used to develop web-based applications. It can run inside a web server using the mod_php module or the CGI version and also stand-alone in a CLI. \n\n### Description\n\nMultiple vulnerabilities have been found and fixed in PHP: \n\n * a possible $GLOBALS variable overwrite problem through file upload handling, extract() and import_request_variables() (CVE-2005-3390)\n * a local Denial of Service through the use of the session.save_path option (CVE-2005-3319)\n * an issue with trailing slashes in allowed basedirs (CVE-2005-3054)\n * an issue with calling virtual() on Apache 2, allowing to bypass safe_mode and open_basedir restrictions (CVE-2005-3392)\n * a problem when a request was terminated due to memory_limit constraints during certain parse_str() calls (CVE-2005-3389)\n * The curl and gd modules allowed to bypass the safe mode open_basedir restrictions (CVE-2005-3391)\n * a cross-site scripting (XSS) vulnerability in phpinfo() (CVE-2005-3388)\n\n### Impact\n\nAttackers could leverage these issues to exploit applications that are assumed to be secure through the use of proper register_globals, safe_mode or open_basedir parameters. Remote attackers could also conduct cross-site scripting attacks if a page calling phpinfo() was available. Finally, a local attacker could cause a local Denial of Service using malicious session.save_path options. \n\n### Workaround\n\nThere is no known workaround that would solve all issues at this time. \n\n### Resolution\n\nAll PHP users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose dev-php/php\n\nAll mod_php users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose dev-php/mod_php\n\nAll php-cgi users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose dev-php/php-cgi", "modified": "2005-11-13T00:00:00", "published": "2005-11-13T00:00:00", "id": "GLSA-200511-08", "href": "https://security.gentoo.org/glsa/200511-08", "type": "gentoo", "title": "PHP: Multiple vulnerabilities", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "ubuntu": [{"lastseen": "2018-08-31T00:10:13", "bulletinFamily": "unix", "description": "Eric Romang discovered a local Denial of Service vulnerability in the handling of the \u2018session.save_path\u2019 parameter in PHP\u2019s Apache 2.0 module. By setting this parameter to an invalid value in an .htaccess file, a local user could crash the Apache server. (CVE-2005-3319)\n\nA Denial of Service flaw was found in the EXIF module. By sending an image with specially crafted EXIF data to a PHP program that automatically evaluates them (e. g. a web gallery), a remote attacker could cause an infinite recursion in the PHP interpreter, which caused the web server to crash. (CVE-2005-3353)\n\nStefan Esser reported a Cross Site Scripting vulnerability in the phpinfo() function. By tricking a user into retrieving a specially crafted URL to a PHP page that exposes phpinfo(), a remote attacker could inject arbitrary HTML or web script into the output page and possibly steal private data like cookies or session identifiers. (CVE-2005-3388)\n\nStefan Esser discovered a vulnerability of the parse_str() function when it is called with just one argument. By calling such programs with specially crafted parameters, a remote attacker could enable the \u2018register_globals\u2019 option which is normally turned off for security reasons. Once this option is enabled, the remote attacker could exploit other security flaws of PHP programs which are normally protected by \u2018register_globals\u2019 being deactivated. (CVE-2005-3389)\n\nStefan Esser discovered that a remote attacker could overwrite the $GLOBALS array in PHP programs that allow file uploads and run with \u2018register_globals\u2019 enabled. Depending on the particular application, this can lead to unexpected vulnerabilities. (CVE-2005-3390)\n\nThe \u2018gd\u2019 image processing and cURL modules did not properly check processed file names against the \u2018open_basedir\u2019 and \u2018safe_mode\u2019 restrictions, which could be exploited to circumvent these limitations. (CVE-2005-3391)\n\nAnother bypass of the \u2018open_basedir\u2019 and \u2018safe_mode\u2019 restrictions was found in virtual() function. A local attacker could exploit this to circumvent these restrictions with specially crafted PHP INI files when virtual Apache 2.0 hosts are used. (CVE-2005-3392)\n\nThe mb_send_mail() function did not properly check its arguments for invalid embedded line breaks. By setting the \u2018To:\u2019 field of an email to a specially crafted value in a PHP web mail application, a remote attacker could inject arbitrary headers into the sent email. (CVE-2005-3883)", "modified": "2005-12-23T00:00:00", "published": "2005-12-23T00:00:00", "id": "USN-232-1", "href": "https://usn.ubuntu.com/232-1/", "title": "PHP vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
