Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusUbuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.UBUNTU_USN-171-1.NASL
HistoryJan 15, 2006 - 12:00 a.m.

Ubuntu 4.10 / 5.04 : php4 vulnerabilities (USN-171-1)

2006-01-1500:00:00
Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
www.tenable.com
25
JSON

CAN-2005-1751 :

The php4-dev package ships a copy of the ‘shtool’ utility in /usr/lib/php4/build/, which provides useful functionality for developers of software packages. Eric Romang discovered that shtool created temporary files in an insecure manner. This could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the shtool program.

CAN-1005-1759 :

The creation of temporary files in shtool was also vulnerable to a race condition which allowed a local user to read the contents of the temporary file. However, this file does not usually contain sensitive information since shtool is usually used for building software packages.

CAN-2005-2498 :

Stefan Esser discovered another remote code execution vulnerability in the XMLRPC module of the PEAR (PHP Extension and Application Repository) extension of PHP. By sending specially crafted XMLRPC requests to an affected web server, a remote attacker could exploit this to execute arbitrary code with the web server’s privileges.

In Ubuntu, the PEAR extension is unsupported (it is contained in the php4-pear package which is part of universe). However, since this is a highly critical vulnerability, that package was fixed anyway.

Please note that many applications contain a copy of the affected XMLRPC code, which must be fixed separately. The following packages may also be affected, but are unsupported in Ubuntu :

  • drupal - wordpress - phpwiki - horde3 - ewiki - egroupware - phpgroupware

    These packages might be fixed by the community later.

    The following common third-party applications might be affected as well, but not packaged for Ubuntu :

  • Serendipity - Postnuke - tikiwiki - phpwebsite

    If you run any affected software, please check whether you are affected and upgrade it as soon as possible to protect your server.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-171-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(20578);
  script_version("1.16");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");

  script_cve_id("CVE-2005-1751", "CVE-2005-1759", "CVE-2005-2498");
  script_xref(name:"USN", value:"171-1");

  script_name(english:"Ubuntu 4.10 / 5.04 : php4 vulnerabilities (USN-171-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Ubuntu host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"CAN-2005-1751 :

The php4-dev package ships a copy of the 'shtool' utility in
/usr/lib/php4/build/, which provides useful functionality for
developers of software packages. Eric Romang discovered that shtool
created temporary files in an insecure manner. This could allow a
symlink attack to create or overwrite arbitrary files with the
privileges of the user invoking the shtool program.

CAN-1005-1759 :

The creation of temporary files in shtool was also vulnerable to a
race condition which allowed a local user to read the contents of the
temporary file. However, this file does not usually contain sensitive
information since shtool is usually used for building software
packages.

CAN-2005-2498 :

Stefan Esser discovered another remote code execution vulnerability in
the XMLRPC module of the PEAR (PHP Extension and Application
Repository) extension of PHP. By sending specially crafted XMLRPC
requests to an affected web server, a remote attacker could exploit
this to execute arbitrary code with the web server's privileges.

In Ubuntu, the PEAR extension is unsupported (it is
contained in the php4-pear package which is part of
universe). However, since this is a highly critical
vulnerability, that package was fixed anyway.

Please note that many applications contain a copy of the
affected XMLRPC code, which must be fixed separately. The
following packages may also be affected, but are unsupported
in Ubuntu :

  - drupal - wordpress - phpwiki - horde3 - ewiki -
    egroupware - phpgroupware

    These packages might be fixed by the community later.

    The following common third-party applications might be
    affected as well, but not packaged for Ubuntu :

  - Serendipity - Postnuke - tikiwiki - phpwebsite

    If you run any affected software, please check whether
    you are affected and upgrade it as soon as possible to
    protect your server.

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libapache-mod-php4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libapache2-mod-php4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-cgi");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-cli");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-curl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-domxml");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-gd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-imap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-ldap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-mcal");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-mhash");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-mysql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-odbc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-pear");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-recode");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-snmp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-sybase");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-universe-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-xslt");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:4.10");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.04");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/08/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! ereg(pattern:"^(4\.10|5\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 4.10 / 5.04", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

flag = 0;

if (ubuntu_check(osver:"4.10", pkgname:"libapache2-mod-php4", pkgver:"4.3.8-3ubuntu7.12")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4", pkgver:"4.3.8-3ubuntu7.12")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4-cgi", pkgver:"4.3.8-3ubuntu7.12")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4-curl", pkgver:"4.3.8-3ubuntu7.12")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4-dev", pkgver:"4.3.8-3ubuntu7.12")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4-domxml", pkgver:"4.3.8-3ubuntu7.12")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4-gd", pkgver:"4.3.8-3ubuntu7.12")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4-ldap", pkgver:"4.3.8-3ubuntu7.12")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4-mcal", pkgver:"4.3.8-3ubuntu7.12")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4-mhash", pkgver:"4.3.8-3ubuntu7.12")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4-mysql", pkgver:"4.3.8-3ubuntu7.12")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4-odbc", pkgver:"4.3.8-3ubuntu7.12")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4-pear", pkgver:"4.3.8-3ubuntu7.12")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4-recode", pkgver:"4.3.8-3ubuntu7.12")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4-snmp", pkgver:"4.3.8-3ubuntu7.12")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4-sybase", pkgver:"4.3.8-3ubuntu7.12")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4-xslt", pkgver:"4.3.8-3ubuntu7.12")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"libapache-mod-php4", pkgver:"4.3.10-10ubuntu3.4")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"libapache2-mod-php4", pkgver:"4.3.10-10ubuntu4.1")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4", pkgver:"4.3.10-10ubuntu4.1")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-cgi", pkgver:"4.3.10-10ubuntu4.1")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-cli", pkgver:"4.3.10-10ubuntu4.1")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-common", pkgver:"4.3.10-10ubuntu4.1")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-curl", pkgver:"4.3.10-10ubuntu3.4")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-dev", pkgver:"4.3.10-10ubuntu4.1")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-domxml", pkgver:"4.3.10-10ubuntu3.4")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-gd", pkgver:"4.3.10-10ubuntu3.4")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-imap", pkgver:"4.3.10-10ubuntu3.4")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-ldap", pkgver:"4.3.10-10ubuntu3.4")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-mcal", pkgver:"4.3.10-10ubuntu3.4")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-mhash", pkgver:"4.3.10-10ubuntu3.4")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-mysql", pkgver:"4.3.10-10ubuntu3.4")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-odbc", pkgver:"4.3.10-10ubuntu3.4")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-pear", pkgver:"4.3.10-10ubuntu3.4")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-recode", pkgver:"4.3.10-10ubuntu3.4")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-snmp", pkgver:"4.3.10-10ubuntu3.4")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-sybase", pkgver:"4.3.10-10ubuntu3.4")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-universe-common", pkgver:"4.3.10-10ubuntu3.4")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-xslt", pkgver:"4.3.10-10ubuntu3.4")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libapache-mod-php4 / libapache2-mod-php4 / php4 / php4-cgi / etc");
}
VendorProductVersionCPE
canonicalubuntu_linuxlibapache-mod-php4p-cpe:/a:canonical:ubuntu_linux:libapache-mod-php4
canonicalubuntu_linuxlibapache2-mod-php4p-cpe:/a:canonical:ubuntu_linux:libapache2-mod-php4
canonicalubuntu_linuxphp4p-cpe:/a:canonical:ubuntu_linux:php4
canonicalubuntu_linuxphp4-cgip-cpe:/a:canonical:ubuntu_linux:php4-cgi
canonicalubuntu_linuxphp4-clip-cpe:/a:canonical:ubuntu_linux:php4-cli
canonicalubuntu_linuxphp4-commonp-cpe:/a:canonical:ubuntu_linux:php4-common
canonicalubuntu_linuxphp4-curlp-cpe:/a:canonical:ubuntu_linux:php4-curl
canonicalubuntu_linuxphp4-devp-cpe:/a:canonical:ubuntu_linux:php4-dev
canonicalubuntu_linuxphp4-domxmlp-cpe:/a:canonical:ubuntu_linux:php4-domxml
canonicalubuntu_linuxphp4-gdp-cpe:/a:canonical:ubuntu_linux:php4-gd
Rows per page:
1-10 of 241

Related

ubuntu 1
nessus 27
openvas 33
cve 4
ubuntucve 3
securityvulns 4
debiancve 2
gentoo 7
osv 3
debian 8
centos 3
redhat 2
freebsd 1
slackware 3
suse 2
ubuntu
ubuntu
PHP4 vulnerabilities
2005-08-21 00:00:00
nessus
nessus
Debian DSA-789-1 : php4 - several vulnerabilities
2005-08-30 00:00:00
GLSA-200506-08 : GNU shtool, ocaml-mysql: Insecure temporary file creation
2005-06-11 00:00:00
FreeBSD : shtool -- insecure temporary file creation (6596bb80-d026-11d9-9aed-000e0c2e438a)
2005-07-13 00:00:00
openvas
openvas
FreeBSD Ports: shtool
2008-09-04 00:00:00
Gentoo Security Advisory GLSA 200506-08 (GNU shtool)
2008-09-24 00:00:00
FreeBSD Ports: shtool
2008-09-04 00:00:00
cve
cve
CVE-2005-1759
2005-06-28 04:00:00
CVE-2005-1751
2005-05-25 04:00:00
CVE-1005-1759
2022-02-26 00:05:59
ubuntucve
ubuntucve
CVE-2005-1751
2005-05-25 00:00:00
CVE-2005-1759
2005-06-28 00:00:00
CVE-2005-2498
2005-08-15 00:00:00
securityvulns
securityvulns
[ GLSA 200506-08 ] GNU shtool, ocaml-mysql: Insecure temporary file creation
2005-06-12 00:00:00
[Full-disclosure] Advisory 15/2005: PHPXMLRPC Remote PHP Code Injection Vulnerability
2005-08-15 00:00:00
[Full-disclosure] Advisory 14/2005: PEAR XML_RPC Remote PHP Code Injection Vulnerability
2005-08-15 00:00:00
debiancve
debiancve
CVE-2005-1759
2005-06-28 04:00:00
CVE-2005-1751
2005-05-25 04:00:00
gentoo
gentoo
GNU shtool, ocaml-mysql: Insecure temporary file creation
2005-06-11 00:00:00
PEAR XML-RPC, phpxmlrpc: New PHP script injection vulnerability
2005-08-24 00:00:00
TikiWiki, eGroupWare: Arbitrary command execution through XML-RPC
2005-08-24 00:00:00
osv
osv
php4 - several
2005-08-29 00:00:00
drupal - missing input sanitising
2005-10-04 00:00:00
phpgroupware - several
2005-09-02 00:00:00
debian
debian
[SECURITY] [DSA 789-1] New PHP 4 packages fix several vulnerabilities
2005-08-29 15:31:06
[SECURITY] [DSA 789-1] New PHP 4 packages fix several vulnerabilities
2005-08-29 15:31:06
[SECURITY] [DSA 842-1] New egroupware packages fix arbitrary code execution
2005-10-04 15:11:05
centos
centos
php security update
2005-08-31 21:06:57
php security update
2005-08-19 18:20:20
php security update
2005-07-07 20:36:04
redhat
redhat
(RHSA-2005:748) php security update
2005-08-19 00:00:00
(RHSA-2005:564) php security update
2005-07-07 00:00:00
freebsd
freebsd
pear-XML_RPC -- remote PHP code injection vulnerability
2005-08-15 00:00:00
slackware
slackware
php5 in Slackware 10.1
2005-09-08 15:55:19
PHP
2005-08-30 15:54:11
slackware-current security updates
2005-09-08 15:55:02
suse
suse
remote code execution in php4, php5
2005-08-30 14:35:22
local command execution, authentication bypass, in apache2
2005-09-12 13:00:50
JSON
Related for UBUNTU_USN-171-1.NASL
ubuntu1nessus27openvas33cve4ubuntucve3securityvulns4debiancve2gentoo7osv3debian8centos3redhat2freebsd1slackware3suse2