ID 2FBFD455-F2D0-11E2-8A46-000D601460A4 Type freebsd Reporter FreeBSD Modified 2013-05-20T00:00:00
Description
suPHP developer Sebastian Marsching reports:
When the suPHP_PHPPath was set, mod_suphp would use the specified PHP
executable to pretty-print PHP source files (MIME type
x-httpd-php-source or application/x-httpd-php-source).
However, it would not sanitize the environment. Thus a user that was
allowed to use the SetEnv directive in a .htaccess file (AllowOverride
FileInfo) could make PHP load a malicious configuration file (e.g.
loading malicious extensions).
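As the PHP process for highlighting the source file was run with the
privileges of the user Apache HTTPd was running as, a local attacker
could probably execute arbitrary code with the privileges of this user.

Note on this record: the affected package is suphp before 0.7.2 (any FreeBSD release), and the remedy is to update the package. As described above, the issue requires that suPHP_PHPPath is set and that users are allowed to use SetEnv in .htaccess files (AllowOverride FileInfo). The record lists no CVE and its cvss field is 0.0/NONE, so triage that filters on CVE ID or CVSS score will not surface it; the associated Nessus plugin rates the risk as High.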
{"reporter": "FreeBSD", "published": "2013-05-20T00:00:00", "cvelist": [], "title": "suPHP -- Privilege escalation", "objectVersion": "1.2", "type": "freebsd", "hash": "0aa272a445e2927a20dfc2079c357719f44abbdc3f78e1e79de020c07dac4aa9", "href": "https://vuxml.freebsd.org/freebsd/2fbfd455-f2d0-11e2-8a46-000d601460a4.html", "bulletinFamily": "unix", "hashmap": [{"hash": "ffed5d78ad66a15456b6334af6f695a6", "key": "affectedPackage"}, {"hash": "4913a9178621eadcdf191db17915fbcb", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "f0395a742faf6d78bf6e659a742cc945", "key": "description"}, {"hash": "d6514a6d81c2cfa32e00a9c559a701a7", "key": "href"}, {"hash": "57c52b22e8213c98c8a893142a23af28", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "57c52b22e8213c98c8a893142a23af28", "key": "published"}, {"hash": "daadbdc26681332c55b5c73fb048ac4d", "key": "references"}, {"hash": "a3dc630729e463135f4e608954fa6e19", "key": "reporter"}, {"hash": "a4568383841538277dce3d8907219842", "key": "title"}, {"hash": "1527e888767cdce15d200b870b39cfd0", "key": "type"}, {"hash": "cfcd208495d565ef66e7dff9f98764da", "key": "viewCount"}], "history": [], "enchantments": {"score": {"vector": "NONE", "value": 7.2}, "dependencies": {"references": [{"type": "nessus", "idList": ["FREEBSD_PKG_2FBFD455F2D011E28A46000D601460A4.NASL"]}], "modified": "2016-09-26T17:24:28"}, "vulnersScore": 7.2}, "modified": "2013-05-20T00:00:00", "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "0.7.2", "operator": "lt", "packageName": "suphp", "arch": "noarch", "packageFilename": "UNKNOWN"}], "cvss": {"score": 0.0, "vector": "NONE"}, "viewCount": 5, "edition": 1, "description": "\nsuPHP developer Sebastian Marsching reports:\n\nWhen the suPHP_PHPPath was set, mod_suphp would use the specified PHP\n\t executable to pretty-print PHP source files 
(MIME type\n\t x-httpd-php-source or application/x-httpd-php-source).\nHowever, it would not sanitize the environment. Thus a user that was\n\t allowed to use the SetEnv directive in a .htaccess file (AllowOverride\n\t FileInfo) could make PHP load a malicious configuration file (e.g.\n\t loading malicious extensions).\nAs the PHP process for highlighting the source file was run with the\n\t privileges of the user Apache HTTPd was running as, a local attacker\n\t could probably execute arbitrary code with the privileges of this user.\n\n", "references": ["https://lists.marsching.com/pipermail/suphp/2013-May/002552.html"], "id": "2FBFD455-F2D0-11E2-8A46-000D601460A4", "lastseen": "2016-09-26T17:24:28"}
{"nessus": [{"lastseen": "2019-01-16T20:16:59", "bulletinFamily": "scanner", "description": "suPHP developer Sebastian Marsching reports :\n\nWhen the suPHP_PHPPath was set, mod_suphp would use the specified PHP\nexecutable to pretty-print PHP source files (MIME type\nx-httpd-php-source or application/x-httpd-php-source).\n\nHowever, it would not sanitize the environment. Thus a user that was\nallowed to use the SetEnv directive in a .htaccess file (AllowOverride\nFileInfo) could make PHP load a malicious configuration file (e.g.\nloading malicious extensions).\n\nAs the PHP process for highlighting the source file was run with the\nprivileges of the user Apache HTTPd was running as, a local attacker\ncould probably execute arbitrary code with the privileges of this\nuser.", "modified": "2018-12-19T00:00:00", "published": "2013-07-23T00:00:00", "id": "FREEBSD_PKG_2FBFD455F2D011E28A46000D601460A4.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=69008", "title": "FreeBSD : suPHP -- Privilege escalation (2fbfd455-f2d0-11e2-8a46-000d601460a4)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(69008);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/12/19 13:21:18\");\n\n script_name(english:\"FreeBSD : suPHP -- Privilege escalation (2fbfd455-f2d0-11e2-8a46-000d601460a4)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"suPHP developer Sebastian Marsching reports :\n\nWhen the suPHP_PHPPath was set, mod_suphp would use the specified PHP\nexecutable to pretty-print PHP source files (MIME type\nx-httpd-php-source or application/x-httpd-php-source).\n\nHowever, it would not sanitize the environment. 
Thus a user that was\nallowed to use the SetEnv directive in a .htaccess file (AllowOverride\nFileInfo) could make PHP load a malicious configuration file (e.g.\nloading malicious extensions).\n\nAs the PHP process for highlighting the source file was run with the\nprivileges of the user Apache HTTPd was running as, a local attacker\ncould probably execute arbitrary code with the privileges of this\nuser.\"\n );\n # https://lists.marsching.com/pipermail/suphp/2013-May/002552.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.marsching.com/shutdown.html\"\n );\n # https://vuxml.freebsd.org/freebsd/2fbfd455-f2d0-11e2-8a46-000d601460a4.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e894069a\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:suphp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/05/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/07/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"suphp<0.7.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}]}