ID CVE-2012-4388 Type cve Reporter cve@mitre.org Modified 2013-09-12T03:28:00
Description
The sapi_header_op function in main/SAPI.c in PHP 5.4.0RC2 through 5.4.0 does not properly determine a pointer during checks for %0D sequences (aka carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and Google Chrome. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1398.
{"id": "CVE-2012-4388", "bulletinFamily": "NVD", "title": "CVE-2012-4388", "description": "The sapi_header_op function in main/SAPI.c in PHP 5.4.0RC2 through 5.4.0 does not properly determine a pointer during checks for %0D sequences (aka carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and Google Chrome. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1398.", "published": "2012-09-07T22:55:00", "modified": "2013-09-12T03:28:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4388", "reporter": "cve@mitre.org", "references": ["http://security-tracker.debian.org/tracker/CVE-2012-4388", "https://bugs.php.net/bug.php?id=60227", "http://openwall.com/lists/oss-security/2012/09/02/1", "http://openwall.com/lists/oss-security/2012/09/07/3", "http://svn.php.net/viewvc/php/php-src/branches/PHP_5_4/main/SAPI.c?r1=323986&r2=323985&pathrev=323986", "http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00006.html", "http://www.securitytracker.com/id?1027463", "http://openwall.com/lists/oss-security/2012/09/05/15", "http://article.gmane.org/gmane.comp.php.devel/70584", "http://openwall.com/lists/oss-security/2012/08/29/5", "http://www.ubuntu.com/usn/USN-1569-1"], "cvelist": ["CVE-2012-4388"], "type": "cve", "lastseen": "2021-02-02T05:59:54", "edition": 4, "viewCount": 5, "enchantments": {"dependencies": {"references": [{"type": "seebug", "idList": ["SSV:60388"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310841151", "OPENVAS:841151", "OPENVAS:1361412562310802966"]}, {"type": "nessus", "idList": ["PHP_5_4_1.NASL", "UBUNTU_USN-1569-1.NASL"]}, {"type": "ubuntu", "idList": ["USN-1569-1"]}, {"type": "suse", "idList": ["SUSE-SU-2013:1351-1", "SUSE-SU-2013:1315-1"]}], "modified": "2021-02-02T05:59:54", "rev": 2}, "score": {"value": 5.7, "vector": "NONE", "modified": "2021-02-02T05:59:54", "rev": 2}, "vulnersScore": 5.7}, "cpe": ["cpe:/a:php:php:5.4.0"], "affectedSoftware": [{"cpeName": "php:php", "name": "php", "operator": "eq", "version": "5.4.0"}, {"cpeName": "php:php", "name": "php", "operator": "eq", "version": "5.4.0"}], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {}, "cpe23": ["cpe:2.3:a:php:php:5.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.4.0:rc2:*:*:*:*:*:*"], "cwe": ["CWE-20"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:php:php:5.4.0:rc2:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:php:php:5.4.0:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}, "extraReferences": [{"name": "USN-1569-1", "refsource": "UBUNTU", "tags": [], "url": "http://www.ubuntu.com/usn/USN-1569-1"}, {"name": "SUSE-SU-2013:1315", "refsource": "SUSE", "tags": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00006.html"}, {"name": "[internals] 20120203 [PHP-DEV] The case of HTTP response splitting protection in PHP", "refsource": "MLIST", "tags": [], "url": "http://article.gmane.org/gmane.comp.php.devel/70584"}, {"name": "[oss-security] 20120901 Re: php header() header injection detection bypass", "refsource": "MLIST", "tags": [], "url": "http://openwall.com/lists/oss-security/2012/09/02/1"}, {"name": "1027463", "refsource": "SECTRACK", "tags": [], "url": "http://www.securitytracker.com/id?1027463"}, {"name": "[oss-security] 20120905 Re: php header() header injection detection bypass", "refsource": "MLIST", "tags": [], "url": "http://openwall.com/lists/oss-security/2012/09/05/15"}, {"name": "[oss-security] 20120906 Re: Re: php header() header injection detection bypass", "refsource": "MLIST", "tags": [], "url": "http://openwall.com/lists/oss-security/2012/09/07/3"}, {"name": "http://svn.php.net/viewvc/php/php-src/branches/PHP_5_4/main/SAPI.c?r1=323986&r2=323985&pathrev=323986", "refsource": "CONFIRM", "tags": ["Patch", "Exploit"], "url": "http://svn.php.net/viewvc/php/php-src/branches/PHP_5_4/main/SAPI.c?r1=323986&r2=323985&pathrev=323986"}, {"name": "https://bugs.php.net/bug.php?id=60227", "refsource": "MISC", "tags": [], "url": "https://bugs.php.net/bug.php?id=60227"}, {"name": "[oss-security] 20120829 php header() header injection detection bypass", "refsource": "MLIST", "tags": [], "url": "http://openwall.com/lists/oss-security/2012/08/29/5"}, {"name": "http://security-tracker.debian.org/tracker/CVE-2012-4388", "refsource": "CONFIRM", "tags": [], "url": "http://security-tracker.debian.org/tracker/CVE-2012-4388"}]}
{"seebug": [{"lastseen": "2017-11-19T17:49:48", "description": "BUGTRAQ ID: 55527\r\nCVE ID: CVE-2012-4388\r\n\r\nPHP\u662f\u4e00\u79cdHTML\u5185\u5d4c\u5f0f\u7684\u8bed\u8a00\uff0cPHP\u4e0e\u5fae\u8f6f\u7684ASP\u9887\u6709\u51e0\u5206\u76f8\u4f3c\uff0c\u90fd\u662f\u4e00\u79cd\u5728\u670d\u52a1\u5668\u7aef\u6267\u884c\u7684\u5d4c\u5165HTML\u6587\u6863\u7684\u811a\u672c\u8bed\u8a00\uff0c\u8bed\u8a00\u7684\u98ce\u683c\u6709\u7c7b\u4f3c\u4e8eC\u8bed\u8a00\uff0c\u73b0\u5728\u88ab\u5f88\u591a\u7684\u7f51\u7ad9\u7f16\u7a0b\u4eba\u5458\u5e7f\u6cdb\u7684\u8fd0\u7528\u3002\r\n\r\nPHP 5.4.0RC2-5.4.0\u7248\u672c\u7684main/SAPI.c\u5185sapi_header_op\u51fd\u6570\u5728\u68c0\u67e5%0D\u5e8f\u5217\u65f6\u6ca1\u6709\u6b63\u786e\u786e\u5b9a\u6307\u9488\uff0c\u53ef\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u901a\u8fc7\u7279\u5236\u7684URL\u7ed5\u8fc7HTTP\u54cd\u5e94\u5206\u79bb\u4fdd\u62a4\u673a\u5236\uff0c\u8be5URL\u76f8\u5173PHP\u6807\u5934\u51fd\u6570\u548c\u67d0\u4e9b\u6d4f\u89c8\u5668\u76f4\u63a5\u7684\u4e0d\u6070\u5f53\u4ea4\u4e92\u3002\n0\nPHP 5.4.0RC2-5.4.0\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nPHP\r\n---\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\nhttp://www.php.net", "published": "2012-09-18T00:00:00", "type": "seebug", "title": "PHP 5.4.0RC2-5.4.0 'main/SAPI.c' HTTP\u6807\u5934\u6ce8\u5165\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-4388"], "modified": "2012-09-18T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60388", "id": "SSV:60388", "sourceData": "", "sourceHref": "", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "openvas": [{"lastseen": "2019-05-29T18:38:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-1398", "CVE-2012-4388"], "description": "This host is running PHP and is prone to HTTP header injection\n vulnerability.", "modified": "2018-10-12T00:00:00", "published": "2012-09-24T00:00:00", "id": "OPENVAS:1361412562310802966", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802966", "type": "openvas", "title": "PHP 'main/SAPI.c' HTTP Header Injection Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_php_http_header_injection_vuln_win.nasl 11857 2018-10-12 08:25:16Z cfischer $\n#\n# PHP 'main/SAPI.c' HTTP Header Injection Vulnerability\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:php:php\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802966\");\n script_version(\"$Revision: 11857 $\");\n script_cve_id(\"CVE-2012-4388\", \"CVE-2011-1398\");\n script_bugtraq_id(55527, 55297);\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 10:25:16 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-09-24 18:58:41 +0530 (Mon, 24 Sep 2012)\");\n script_name(\"PHP 'main/SAPI.c' HTTP Header Injection Vulnerability\");\n\n script_xref(name:\"URL\", value:\"http://openwall.com/lists/oss-security/2012/09/02/1\");\n script_xref(name:\"URL\", value:\"http://openwall.com/lists/oss-security/2012/09/07/3\");\n script_xref(name:\"URL\", value:\"http://article.gmane.org/gmane.comp.php.devel/70584\");\n script_xref(name:\"URL\", value:\"http://openwall.com/lists/oss-security/2012/09/05/15\");\n script_xref(name:\"URL\", value:\"http://security-tracker.debian.org/tracker/CVE-2012-4388\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2012 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"os_detection.nasl\", \"gb_php_detect.nasl\");\n script_mandatory_keys(\"php/installed\", \"Host/runs_windows\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allows remote attackers to insert arbitrary\n headers, conduct cross-site request-forgery, cross-site scripting,\n HTML-injection, and other attacks.\");\n\n script_tag(name:\"affected\", value:\"PHP version prior to 5.3.11, PHP version 5.4.x through 5.4.0RC2 on Windows\");\n\n script_tag(name:\"insight\", value:\"The sapi_header_op function in main/SAPI.c in PHP does not properly determine\n a pointer during checks for %0D sequences.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to PHP 5.4.1 RC1 or later.\");\n\n script_tag(name:\"summary\", value:\"This host is running PHP and is prone to HTTP header injection\n vulnerability.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://www.php.net/downloads.php\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif( isnull( phpPort = get_app_port( cpe:CPE ) ) ) exit( 0 );\nif( ! phpVer = get_app_version( cpe:CPE, port:phpPort ) ) exit( 0 );\n\n## To check PHP version\nif(version_is_less(version:phpVer, test_version:\"5.3.11\") ||\n version_in_range(version:phpVer, test_version:\"5.4.0\", test_version2:\"5.4.0.rc2\")){\n report = report_fixed_ver(installed_version:phpVer, fixed_version:\"5.3.11/5.4.1 RC1\");\n security_message(data:report, port:phpPort);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:38:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3450", "CVE-2012-2688", "CVE-2011-1398", "CVE-2012-4388"], "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1569-1", "modified": "2019-03-13T00:00:00", "published": "2012-09-22T00:00:00", "id": "OPENVAS:1361412562310841151", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841151", "type": "openvas", "title": "Ubuntu Update for php5 USN-1569-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1569_1.nasl 14132 2019-03-13 09:25:59Z cfischer $\n#\n# Ubuntu Update for php5 USN-1569-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-1569-1/\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.841151\");\n script_version(\"$Revision: 14132 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 10:25:59 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-09-22 11:59:23 +0530 (Sat, 22 Sep 2012)\");\n script_cve_id(\"CVE-2011-1398\", \"CVE-2012-4388\", \"CVE-2012-2688\", \"CVE-2012-3450\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"USN\", value:\"1569-1\");\n script_name(\"Ubuntu Update for php5 USN-1569-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(10\\.04 LTS|12\\.04 LTS|11\\.10|11\\.04|8\\.04 LTS)\");\n script_tag(name:\"summary\", value:\"Ubuntu Update for Linux kernel vulnerabilities USN-1569-1\");\n script_tag(name:\"affected\", value:\"php5 on Ubuntu 12.04 LTS,\n Ubuntu 11.10,\n Ubuntu 11.04,\n Ubuntu 10.04 LTS,\n Ubuntu 8.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"insight\", value:\"It was discovered that PHP incorrectly handled certain character sequences\n when applying HTTP response-splitting protection. A remote attacker could\n create a specially-crafted URL and inject arbitrary headers.\n (CVE-2011-1398, CVE-2012-4388)\n\n It was discovered that PHP incorrectly handled directories with a large\n number of files. This could allow a remote attacker to execute arbitrary\n code with the privileges of the web server, or to perform a denial of\n service. (CVE-2012-2688)\n\n It was discovered that PHP incorrectly parsed certain PDO prepared\n statements. A remote attacker could use this flaw to cause PHP to crash,\n leading to a denial of service. (CVE-2012-3450)\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"php5\", ver:\"5.3.2-1ubuntu4.18\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"php5\", ver:\"5.3.10-1ubuntu3.4\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU11.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"php5\", ver:\"5.3.6-13ubuntu3.9\", rls:\"UBUNTU11.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU11.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"php5\", ver:\"5.3.5-1ubuntu7.11\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU8.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"php5\", ver:\"5.2.4-2ubuntu5.26\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-12-04T11:21:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3450", "CVE-2012-2688", "CVE-2011-1398", "CVE-2012-4388"], "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1569-1", "modified": "2017-12-01T00:00:00", "published": "2012-09-22T00:00:00", "id": "OPENVAS:841151", "href": "http://plugins.openvas.org/nasl.php?oid=841151", "type": "openvas", "title": "Ubuntu Update for php5 USN-1569-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1569_1.nasl 7960 2017-12-01 06:58:16Z santu $\n#\n# Ubuntu Update for php5 USN-1569-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"It was discovered that PHP incorrectly handled certain character sequences\n when applying HTTP response-splitting protection. A remote attacker could\n create a specially-crafted URL and inject arbitrary headers.\n (CVE-2011-1398, CVE-2012-4388)\n\n It was discovered that PHP incorrectly handled directories with a large\n number of files. This could allow a remote attacker to execute arbitrary\n code with the privileges of the web server, or to perform a denial of\n service. (CVE-2012-2688)\n \n It was discovered that PHP incorrectly parsed certain PDO prepared\n statements. A remote attacker could use this flaw to cause PHP to crash,\n leading to a denial of service. (CVE-2012-3450)\";\n\ntag_summary = \"Ubuntu Update for Linux kernel vulnerabilities USN-1569-1\";\ntag_affected = \"php5 on Ubuntu 12.04 LTS ,\n Ubuntu 11.10 ,\n Ubuntu 11.04 ,\n Ubuntu 10.04 LTS ,\n Ubuntu 8.04 LTS\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-1569-1/\");\n script_id(841151);\n script_version(\"$Revision: 7960 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 07:58:16 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-09-22 11:59:23 +0530 (Sat, 22 Sep 2012)\");\n script_cve_id(\"CVE-2011-1398\", \"CVE-2012-4388\", \"CVE-2012-2688\", \"CVE-2012-3450\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"USN\", value: \"1569-1\");\n script_name(\"Ubuntu Update for php5 USN-1569-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"php5\", ver:\"5.3.2-1ubuntu4.18\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"php5\", ver:\"5.3.10-1ubuntu3.4\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU11.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"php5\", ver:\"5.3.6-13ubuntu3.9\", rls:\"UBUNTU11.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU11.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"php5\", ver:\"5.3.5-1ubuntu7.11\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU8.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"php5\", ver:\"5.2.4-2ubuntu5.26\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-01-20T13:25:52", "description": "According to its banner, the version of PHP installed on the remote\nhost is 5.4.x earlier than 5.4.1, and, therefore, potentially affected\nby multiple vulnerabilities :\n\n - The '$_FILES' variable can be corrupted because the\n names of uploaded files are not properly validated.\n (CVE-2012-1172)\n\n - The 'open_basedir' directive is not properly handled by\n the functions 'readline_write_history' and\n 'readline_read_history'.\n\n - It's possible to bypass an HTTP response-splitting\n protection because the 'sapi_header_op()' function in \n main/SAPI.c does not properly determine a pointer during\n checks for encoded carriage return characters. (Bug \n #60227 / CVE-2012-4388)", "edition": 25, "published": "2012-05-02T00:00:00", "title": "PHP 5.4.x < 5.4.1 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-4388", "CVE-2012-1172"], "modified": "2012-05-02T00:00:00", "cpe": ["cpe:/a:php:php"], "id": "PHP_5_4_1.NASL", "href": "https://www.tenable.com/plugins/nessus/58967", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(58967);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2012-1172\", \"CVE-2012-4388\");\n script_bugtraq_id(53403, 55527);\n\n script_name(english:\"PHP 5.4.x < 5.4.1 Multiple Vulnerabilities\");\n script_summary(english:\"Checks version of PHP\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote web server uses a version of PHP that is affected by\nmultiple vulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"According to its banner, the version of PHP installed on the remote\nhost is 5.4.x earlier than 5.4.1, and, therefore, potentially affected\nby multiple vulnerabilities :\n\n - The '$_FILES' variable can be corrupted because the\n names of uploaded files are not properly validated.\n (CVE-2012-1172)\n\n - The 'open_basedir' directive is not properly handled by\n the functions 'readline_write_history' and\n 'readline_read_history'.\n\n - It's possible to bypass an HTTP response-splitting\n protection because the 'sapi_header_op()' function in \n main/SAPI.c does not properly determine a pointer during\n checks for encoded carriage return characters. (Bug \n #60227 / CVE-2012-4388)\"\n );\n # https://nealpoole.com/blog/2011/10/directory-traversal-via-php-multi-file-uploads/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e81d4026\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.php.net/bug.php?id=54374\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.php.net/bug.php?id=60227\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.php.net/archive/2012.php#id2012-04-26-1\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.php.net/ChangeLog-5.php#5.4.1\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to PHP version 5.4.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/04/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/04/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/05/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:php:php\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"php_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/PHP\");\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:80, php:TRUE);\n\nphp = get_php_from_kb(\n port : port,\n exit_on_fail : TRUE\n);\n\nversion = php[\"ver\"];\nsource = php[\"src\"];\n\nbackported = get_kb_item('www/php/'+port+'/'+version+'/backported');\n\nif (report_paranoia < 2 && backported)\n audit(AUDIT_BACKPORT_SERVICE, port, \"PHP \"+version+\" install\");\n\nif (version =~ \"^5\\.4\\.0($|[^0-9])\")\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Version source : '+source +\n '\\n Installed version : '+version+\n '\\n Fixed version : 5.4.1\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n exit(0);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, \"PHP\", port, version);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-03-01T07:24:41", "description": "It was discovered that PHP incorrectly handled certain character\nsequences when applying HTTP response-splitting protection. A remote\nattacker could create a specially crafted URL and inject arbitrary\nheaders. (CVE-2011-1398, CVE-2012-4388)\n\nIt was discovered that PHP incorrectly handled directories with a\nlarge number of files. This could allow a remote attacker to execute\narbitrary code with the privileges of the web server, or to perform a\ndenial of service. (CVE-2012-2688)\n\nIt was discovered that PHP incorrectly parsed certain PDO prepared\nstatements. A remote attacker could use this flaw to cause PHP to\ncrash, leading to a denial of service. (CVE-2012-3450).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "published": "2012-09-18T00:00:00", "title": "Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : php5 vulnerabilities (USN-1569-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3450", "CVE-2012-2688", "CVE-2011-1398", "CVE-2012-4388"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:11.10", "cpe:/o:canonical:ubuntu_linux:11.04", "cpe:/o:canonical:ubuntu_linux:10.04:-:lts", "cpe:/o:canonical:ubuntu_linux:8.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:php5", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts"], "id": "UBUNTU_USN-1569-1.NASL", "href": "https://www.tenable.com/plugins/nessus/62178", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1569-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(62178);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2019/09/19 12:54:28\");\n\n script_cve_id(\"CVE-2011-1398\", \"CVE-2012-2688\", \"CVE-2012-3450\", \"CVE-2012-4388\");\n script_bugtraq_id(54638, 54777, 55297, 55527);\n script_xref(name:\"USN\", value:\"1569-1\");\n\n script_name(english:\"Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : php5 vulnerabilities (USN-1569-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that PHP incorrectly handled certain character\nsequences when applying HTTP response-splitting protection. A remote\nattacker could create a specially crafted URL and inject arbitrary\nheaders. (CVE-2011-1398, CVE-2012-4388)\n\nIt was discovered that PHP incorrectly handled directories with a\nlarge number of files. This could allow a remote attacker to execute\narbitrary code with the privileges of the web server, or to perform a\ndenial of service. (CVE-2012-2688)\n\nIt was discovered that PHP incorrectly parsed certain PDO prepared\nstatements. A remote attacker could use this flaw to cause PHP to\ncrash, leading to a denial of service. (CVE-2012-3450).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1569-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected php5 package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:11.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:11.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:8.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/07/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/09/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/09/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(8\\.04|10\\.04|11\\.04|11\\.10|12\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 8.04 / 10.04 / 11.04 / 11.10 / 12.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"8.04\", pkgname:\"php5\", pkgver:\"5.2.4-2ubuntu5.26\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"php5\", pkgver:\"5.3.2-1ubuntu4.18\")) flag++;\nif (ubuntu_check(osver:\"11.04\", pkgname:\"php5\", pkgver:\"5.3.5-1ubuntu7.11\")) flag++;\nif (ubuntu_check(osver:\"11.10\", pkgname:\"php5\", pkgver:\"5.3.6-13ubuntu3.9\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"php5\", pkgver:\"5.3.10-1ubuntu3.4\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php5\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2020-07-02T11:35:10", "bulletinFamily": "unix", "cvelist": ["CVE-2012-3450", "CVE-2012-2688", "CVE-2011-1398", "CVE-2012-4388"], "description": "It was discovered that PHP incorrectly handled certain character sequences \nwhen applying HTTP response-splitting protection. A remote attacker could \ncreate a specially-crafted URL and inject arbitrary headers. \n(CVE-2011-1398, CVE-2012-4388)\n\nIt was discovered that PHP incorrectly handled directories with a large \nnumber of files. This could allow a remote attacker to execute arbitrary \ncode with the privileges of the web server, or to perform a denial of \nservice. (CVE-2012-2688)\n\nIt was discovered that PHP incorrectly parsed certain PDO prepared \nstatements. A remote attacker could use this flaw to cause PHP to crash, \nleading to a denial of service. (CVE-2012-3450)", "edition": 5, "modified": "2012-09-17T00:00:00", "published": "2012-09-17T00:00:00", "id": "USN-1569-1", "href": "https://ubuntu.com/security/notices/USN-1569-1", "title": "PHP vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2016-09-04T11:42:03", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4113", "CVE-2013-1643", "CVE-2011-1398", "CVE-2013-4635", "CVE-2012-4388", "CVE-2013-1635"], "description": "The following security issues have been fixed in PHP5:\n\n *\n\n CVE-2013-4635: Integer overflow in the SdnToJewish\n function in jewish.c in the Calendar component in PHP\n allowed context-dependent attackers to cause a denial of\n service (application hang) via a large argument to the\n jdtojewish function.\n\n *\n\n CVE-2013-1635: ext/soap/soap.c in PHP did not\n validate the relationship between the soap.wsdl_cache_dir\n directive and the open_basedir directive, which allowed\n remote attackers to bypass intended access restrictions by\n triggering the creation of cached SOAP WSDL files in an\n arbitrary directory.\n\n *\n\n CVE-2013-1643: The SOAP parser in PHP allowed remote\n attackers to read arbitrary files via a SOAP WSDL file\n containing an XML external entity declaration in\n conjunction with an entity reference, related to an XML\n External Entity (XXE) issue in the soap_xmlParseFile and\n soap_xmlParseMemory functions.\n\n *\n\n CVE-2013-4113: ext/xml/xml.c in PHP before 5.3.27\n does not properly consider parsing depth, which allows\n remote attackers to cause a denial of service (heap memory\n corruption) or possibly have unspecified other impact via a\n crafted document that is processed by the\n xml_parse_into_struct function.\n\n *\n\n CVE-2011-1398 / CVE-2012-4388: The sapi_header_op\n function in main/SAPI.c in PHP did not check for %0D\n sequences (aka carriage return characters), which allowed\n remote attackers to bypass an HTTP response-splitting\n protection mechanism via a crafted URL, related to improper\n interaction between the PHP header function and certain\n browsers, as demonstrated by Internet Explorer and Google\n Chrome.\n\n A hardening measure has been implemented without CVE:\n\n * use FilesMatch with 'SetHandler' rather than\n 'AddHandler' [bnc#775852]\n * fixed php bug #43200 (Interface implementation /\n inheritence not possible in abstract classes) [bnc#783239]\n", "edition": 1, "modified": "2013-08-09T22:04:14", "published": "2013-08-09T22:04:14", "id": "SUSE-SU-2013:1315-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00006.html", "type": "suse", "title": "Security update for PHP5 (important)", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T11:52:15", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2311", "CVE-2013-4113", "CVE-2012-2336", "CVE-2011-1466", "CVE-2012-0789", "CVE-2013-1643", "CVE-2012-2335", "CVE-2012-1823", "CVE-2011-4885", "CVE-2012-2688", "CVE-2011-1398", "CVE-2012-0788", "CVE-2012-0830", "CVE-2012-0781", "CVE-2011-0708", "CVE-2013-4635", "CVE-2011-4388", "CVE-2011-3182", "CVE-2012-4388", "CVE-2012-0057", "CVE-2012-1172", "CVE-2011-4566", "CVE-2007-2519", "CVE-2013-1635", "CVE-2011-2202", "CVE-2012-0831", "CVE-2011-1072", "CVE-2011-4153", "CVE-2012-0807", "CVE-2012-3365"], "description": "php5 has been updated to roll up all pending security fixes\n for Long Term Service Pack Support.\n\n The Following security issues have been fixed:\n\n *\n\n CVE-2013-4635: Integer overflow in the SdnToJewish\n function in jewish.c in the Calendar component in PHP\n allowed context-dependent attackers to cause a denial of\n service (application hang) via a large argument to the\n jdtojewish function.\n\n *\n\n CVE-2013-1635: ext/soap/soap.c in PHP did not\n validate the relationship between the soap.wsdl_cache_dir\n directive and the open_basedir directive, which allowed\n remote attackers to bypass intended access restrictions by\n triggering the creation of cached SOAP WSDL files in an\n arbitrary directory.\n\n *\n\n CVE-2013-1643: The SOAP parser in PHP allowed remote\n attackers to read arbitrary files via a SOAP WSDL file\n containing an XML external entity declaration in\n conjunction with an entity reference, related to an XML\n External Entity (XXE) issue in the soap_xmlParseFile and\n soap_xmlParseMemory functions.\n\n *\n\n CVE-2013-4113: ext/xml/xml.c in PHP before 5.3.27\n does not properly consider parsing depth, which allowed\n remote attackers to cause a denial of service (heap memory\n corruption) or possibly have unspecified other impact via a\n crafted document that is processed by the\n xml_parse_into_struct function.\n\n *\n\n CVE-2011-1398 / CVE-2012-4388: The sapi_header_op\n function in main/SAPI.c in PHP did not check for %0D\n sequences (aka carriage return characters), which allowed\n remote attackers to bypass an HTTP response-splitting\n protection mechanism via a crafted URL, related to improper\n interaction between the PHP header function and certain\n browsers, as demonstrated by Internet Explorer and Google\n Chrome.\n\n *\n\n CVE-2012-2688: An unspecified vulnerability in the\n _php_stream_scandir function in the stream implementation\n in PHP had unknown impact and remote attack vectors,\n related to an "overflow."\n\n *\n\n CVE-2012-3365: The SQLite functionality in PHP before\n 5.3.15 allowed remote attackers to bypass the open_basedir\n protection mechanism via unspecified vectors.\n\n *\n\n CVE-2012-1823: sapi/cgi/cgi_main.c in PHP, when\n configured as a CGI script (aka php-cgi), did not properly\n handle query strings that lack an = (equals sign)\n character, which allowed remote attackers to execute\n arbitrary code by placing command-line options in the query\n string, related to lack of skipping a certain php_getopt\n for the 'd' case.\n\n *\n\n CVE-2012-2335: php-wrapper.fcgi did not properly\n handle command-line arguments, which allowed remote\n attackers to bypass a protection mechanism in PHP and\n execute arbitrary code by leveraging improper interaction\n between the PHP sapi/cgi/cgi_main.c component and a query\n string beginning with a +- sequence.\n\n *\n\n CVE-2012-2336: sapi/cgi/cgi_main.c in PHP, when\n configured as a CGI script (aka php-cgi), did not properly\n handle query strings that lack an = (equals sign)\n character, which allowed remote attackers to cause a denial\n of service (resource consumption) by placing command-line\n options in the query string, related to lack of skipping a\n certain php_getopt for the 'T' case. NOTE: this\n vulnerability exists because of an incomplete fix for\n CVE-2012-1823.\n\n *\n\n CVE-2012-2311: sapi/cgi/cgi_main.c in PHP, when\n configured as a CGI script (aka php-cgi), does not properly\n handle query strings that contain a %3D sequence but no =\n (equals sign) character, which allows remote attackers to\n execute arbitrary code by placing command-line options in\n the query string, related to lack of skipping a certain\n php_getopt for the 'd' case. NOTE: this vulnerability\n exists because of an incomplete fix for CVE-2012-1823.\n\n *\n\n CVE-2012-1172: The file-upload implementation in\n rfc1867.c in PHP did not properly handle invalid [ (open\n square bracket) characters in name values, which makes it\n easier for remote attackers to cause a denial of service\n (malformed $_FILES indexes) or conduct directory traversal\n attacks during multi-file uploads by leveraging a script\n that lacks its own filename restrictions.\n\n *\n\n CVE-2012-0830: The php_register_variable_ex function\n in php_variables.c in PHP allowed remote attackers to\n execute arbitrary code via a request containing a large\n number of variables, related to improper handling of array\n variables. NOTE: this vulnerability exists because of an\n incorrect fix for CVE-2011-4885.\n\n *\n\n CVE-2012-0807: Stack-based buffer overflow in the\n suhosin_encrypt_single_cookie function in the transparent\n cookie-encryption feature in the Suhosin extension before\n 0.9.33 for PHP, when suhosin.cookie.encrypt and\n suhosin.multiheader are enabled, might have allowed remote\n attackers to execute arbitrary code via a long string that\n is used in a Set-Cookie HTTP header.\n\n *\n\n CVE-2012-0057: PHP had improper libxslt security\n settings, which allowed remote attackers to create\n arbitrary files via a crafted XSLT stylesheet that uses the\n libxslt output extension.\n\n *\n\n CVE-2012-0831: PHP did not properly perform a\n temporary change to the magic_quotes_gpc directive during\n the importing of environment variables, which made it\n easier for remote attackers to conduct SQL injection\n attacks via a crafted request, related to\n main/php_variables.c, sapi/cgi/cgi_main.c, and\n sapi/fpm/fpm/fpm_main.c.\n\n *\n\n CVE-2011-4153: PHP did not always check the return\n value of the zend_strndup function, which might have\n allowed remote attackers to cause a denial of service (NULL\n pointer dereference and application crash) via crafted\n input to an application that performs strndup operations on\n untrusted string data, as demonstrated by the define\n function in zend_builtin_functions.c, and unspecified\n functions in ext/soap/php_sdl.c, ext/standard/syslog.c,\n ext/standard/browscap.c, ext/oci8/oci8.c,\n ext/com_dotnet/com_typeinfo.c, and\n main/php_open_temporary_file.c.\n\n *\n\n CVE-2012-0781: The tidy_diagnose function in PHP\n might have allowed remote attackers to cause a denial of\n service (NULL pointer dereference and application crash)\n via crafted input to an application that attempts to\n perform Tidy::diagnose operations on invalid objects, a\n different vulnerability than CVE-2011-4153.\n\n *\n\n CVE-2012-0788: The PDORow implementation in PHP did\n not properly interact with the session feature, which\n allowed remote attackers to cause a denial of service\n (application crash) via a crafted application that uses a\n PDO driver for a fetch and then calls the session_start\n function, as demonstrated by a crash of the Apache HTTP\n Server.\n\n *\n\n CVE-2012-0789: Memory leak in the timezone\n functionality in PHP allowed remote attackers to cause a\n denial of service (memory consumption) by triggering many\n strtotime function calls, which were not properly handled\n by the php_date_parse_tzfile cache.\n\n *\n\n CVE-2011-4885: PHP computed hash values for form\n parameters without restricting the ability to trigger hash\n collisions predictably, which allowed remote attackers to\n cause a denial of service (CPU consumption) by sending many\n crafted parameters. We added a max_input_vars directive to\n prevent attacks based on hash collisions.\n\n *\n\n CVE-2011-4566: Integer overflow in the\n exif_process_IFD_TAG function in exif.c in the exif\n extension in PHP allowed remote attackers to read the\n contents of arbitrary memory locations or cause a denial of\n service via a crafted offset_val value in an EXIF header in\n a JPEG file, a different vulnerability than CVE-2011-0708.\n\n *\n\n CVE-2011-3182: PHP did not properly check the return\n values of the malloc, calloc, and realloc library\n functions, which allowed context-dependent attackers to\n cause a denial of service (NULL pointer dereference and\n application crash) or trigger a buffer overflow by\n leveraging the ability to provide an arbitrary value for a\n function argument, related to (1) ext/curl/interface.c, (2)\n ext/date/lib/parse_date.c, (3)\n ext/date/lib/parse_iso_intervals.c, (4)\n ext/date/lib/parse_tz.c, (5) ext/date/lib/timelib.c, (6)\n ext/pdo_odbc/pdo_odbc.c, (7)\n ext/reflection/php_reflection.c, (8) ext/soap/php_sdl.c,\n (9) ext/xmlrpc/libxmlrpc/base64.c, (10) TSRM/tsrm_win32.c,\n and (11) the strtotime function.\n\n *\n\n CVE-2011-1466: Integer overflow in the SdnToJulian\n function in the Calendar extension in PHP allowed\n context-dependent attackers to cause a denial of service\n (application crash) via a large integer in the first\n argument to the cal_from_jd function.\n\n *\n\n CVE-2011-1072: The installer in PEAR allowed local\n users to overwrite arbitrary files via a symlink attack on\n the package.xml file, related to the (1) download_dir, (2)\n cache_dir, (3) tmp_dir, and (4) pear-build-download\n directories, a different vulnerability than CVE-2007-2519.\n\n *\n\n CVE-2011-2202: The rfc1867_post_handler function in\n main/rfc1867.c in PHP did not properly restrict filenames\n in multipart/form-data POST requests, which allowed remote\n attackers to conduct absolute path traversal attacks, and\n possibly create or overwrite arbitrary files, via a crafted\n upload request, related to a "file path injection\n vulnerability."\n\n Bugfixes:\n\n * fixed php bug #43200 (Interface implementation /\n inheritence not possible in abstract classes) [bnc#783239]\n * use FilesMatch with 'SetHandler' rather than\n 'AddHandler' [bnc#775852]\n * fixed unpredictable unpack()/pack() behaviour\n [bnc#753778]\n * memory corruption in parse_ini_string() [bnc#742806]\n * amend README.SUSE to discourage using apache module\n with apache2-worker [bnc#728671]\n * allow uploading files bigger than 2GB for 64bit\n systems [bnc#709549]\n", "edition": 1, "modified": "2013-08-16T21:04:11", "published": "2013-08-16T21:04:11", "id": "SUSE-SU-2013:1351-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00016.html", "title": "Security update for PHP5 (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
