GLSA-200603-22 : PHP: Format string and XSS vulnerabilities

2006-03-2300:00:00

www.tenable.com

The remote host is affected by the vulnerability described in GLSA-200603-22 (PHP: Format string and XSS vulnerabilities)

Stefan Esser of the Hardened PHP project has reported a few     vulnerabilities found in PHP:
Input passed to the session     ID in the session extension isn't properly sanitised before being     returned to the user via a 'Set-Cookie' HTTP header, which can contain     arbitrary injected data.
A format string error while     processing error messages using the mysqli extension in version 5.1 and     above.

Impact :

By sending a specially crafted request, a remote attacker can     exploit this vulnerability to inject arbitrary HTTP headers, which will     be included in the response sent to the user. The format string     vulnerability may be exploited to execute arbitrary code.

Workaround :

There is no known workaround at this time.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200603-22.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike 
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(21129);
  script_version("1.16");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");

  script_cve_id("CVE-2006-0207", "CVE-2006-0208");
  script_bugtraq_id(16220);
  script_xref(name:"GLSA", value:"200603-22");

  script_name(english:"GLSA-200603-22 : PHP: Format string and XSS vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The remote host is affected by the vulnerability described in GLSA-200603-22
(PHP: Format string and XSS vulnerabilities)

    Stefan Esser of the Hardened PHP project has reported a few
    vulnerabilities found in PHP:
    Input passed to the session
    ID in the session extension isn't properly sanitised before being
    returned to the user via a 'Set-Cookie' HTTP header, which can contain
    arbitrary injected data.
    A format string error while
    processing error messages using the mysqli extension in version 5.1 and
    above.
  
Impact :

    By sending a specially crafted request, a remote attacker can
    exploit this vulnerability to inject arbitrary HTTP headers, which will
    be included in the response sent to the user. The format string
    vulnerability may be exploited to execute arbitrary code.
  
Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.hardened-php.net/advisory_022006.112.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.hardened-php.net/advisory_012006.113.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200603-22"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"All PHP 5.x users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose '>=dev-lang/php-5.1.2'
    All PHP 4.x users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose '>=dev-lang/php-4.4.2'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:php");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/03/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/03/23");
  script_set_attribute(attribute:"vuln_publication_date", value:"2006/01/11");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (qpkg_check(package:"dev-lang/php", unaffected:make_list("ge 5.1.2"), vulnerable:make_list("lt 4.4.2", "rge 5.1.1", "rge 5.0.5", "rge 5.0.4"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "PHP");
}

VendorProductVersionCPE
gentoolinuxphpp-cpe:/a:gentoo:linux:php
gentoolinuxcpe:/o:gentoo:linux

Vendor	Product	Version	CPE
gentoo	linux	php	p-cpe:/a:gentoo:linux:php
gentoo	linux		cpe:/o:gentoo:linux

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0207

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0208

www.hardened-php.net/advisory_012006.113.html

www.hardened-php.net/advisory_022006.112.html

security.gentoo.org/glsa/200603-22

JSON

Related for GENTOO_GLSA-200603-22.NASL