PHP php3_mime_split Function POST Request Overflow
2002-02-27T00:00:00
ID: OSVDB:34719 | Type: osvdb | Reporter: Stefan Esser (sesser@hardened-php.net) | Modified: 2002-02-27T00:00:00
Description
Vulnerability Description
A remote overflow exists in PHP. The php3_mime_split function fails to perform proper bounds checking, resulting in a heap overflow. By sending an HTTP POST request that carries specially crafted MIME-encoded (multipart/form-data) content to a PHP script, a remote attacker can cause arbitrary code execution, resulting in a loss of integrity.
Solution Description
Upgrade to version 4.1.2 or higher, which has been reported to fix this vulnerability. An upgrade is required, as there are no known workarounds.
References
Vendor URL: http://www.php.net/
Vendor Specific Advisory URL: http://www.debian.org/security/2002/dsa-115
Vendor Specific Advisory URL: http://rhn.redhat.com/errata/RHSA-2002-035.html
Vendor Specific Advisory URL: http://www.linuxsecurity.com/content/view/103701/109/
Vendor Specific Advisory URL: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2002:017
Vendor Specific Advisory URL: http://www.trustix.net/errata/misc/2002/TSL-2002-0033-mod_phpX.asc.txt
Vendor Specific Advisory URL: http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000468
Related OSVDB ID: 720 (https://vulners.com/osvdb/OSVDB:720)
Other Advisory URL: http://security.e-matters.de/advisories/012002.html
Nessus Plugin ID: 10867 (https://vulners.com/search?query=pluginID:10867)
ISS X-Force ID: 8281
Generic Exploit URL: http://archives.neohapsis.com/archives/bugtraq/2002-03/0040.html
CVE: CVE-2002-0081 (https://vulners.com/cve/CVE-2002-0081)
CIAC Advisory: m-049
CERT: CA-2002-05
Bugtraq ID: 4183

Affected Software
PHP 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.15, 3.0.16, 3.0.17 and 3.0.18 (exact version matches)

Scores
CVSS: 7.5 (AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL)
Vulners score: 7.9 (vector NONE, revised 2017-04-28T13:20:30)

Record Metadata
Bulletin family: software
Published: 2002-02-27T00:00:00
Modified: 2002-02-27T00:00:00
Edition: 1
Record URL: https://vulners.com/osvdb/OSVDB:34719
Last seen: 2017-04-28T13:20:30
View count: 34
Linked records: CVE-2002-0081; OpenVAS OPENVAS:53395, OPENVAS:10867, OPENVAS:136141256231010867; Nessus PHP_SPLIT_MIME.NASL, DEBIAN_DSA-115.NASL, MANDRAKE_MDKSA-2002-017.NASL; OSVDB:720; CERT VU:234971, VU:297363; SUSE-SA:2002:007
{"cve": [{"lastseen": "2021-02-02T05:19:05", "description": "Buffer overflows in (1) php_mime_split in PHP 4.1.0, 4.1.1, and 4.0.6 and earlier, and (2) php3_mime_split in PHP 3.0.x allows remote attackers to execute arbitrary code via a multipart/form-data HTTP POST request when file_uploads is enabled.", "edition": 4, "cvss3": {}, "published": "2002-03-08T05:00:00", "title": "CVE-2002-0081", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2002-0081"], "modified": "2016-10-18T02:15:00", "cpe": ["cpe:/a:php:php:3.0", "cpe:/a:php:php:4.1.0", "cpe:/a:php:php:4.1.1", "cpe:/a:php:php:4.0.6"], "id": "CVE-2002-0081", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0081", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:php:php:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.6:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-2002-0081"], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in php. The php_mime_split function fails to perform proper bounds checking resulting in a heap overflow. 
By using the HTTP POST method to upload a PHP form containing specially crafted MIME-encoded data, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 4.1.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nA remote overflow exists in php. The php_mime_split function fails to perform proper bounds checking resulting in a heap overflow. By using the HTTP POST method to upload a PHP form containing specially crafted MIME-encoded data, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.\n## References:\nVendor URL: http://www.php.net/\n[Vendor Specific Advisory URL](http://www.debian.org/security/2002/dsa-115)\n[Vendor Specific Advisory URL](http://www.linuxsecurity.com/content/view/103701/109/)\n[Vendor Specific Advisory URL](http://www.mandrakesoft.com/security/advisories?name=MDKSA-2002:017)\n[Vendor Specific Advisory URL](http://rhn.redhat.com/errata/RHSA-2002-035.html)\n[Vendor Specific Advisory URL](http://www.trustix.net/errata/misc/2002/TSL-2002-0033-mod_phpX.asc.txt)\n[Vendor Specific Advisory URL](http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000468)\n[Related OSVDB ID: 34719](https://vulners.com/osvdb/OSVDB:34719)\nOther Advisory URL: http://security.e-matters.de/advisories/012002.html\n[Nessus Plugin ID:10867](https://vulners.com/search?query=pluginID:10867)\nISS X-Force ID: 8281\nGeneric Exploit URL: http://archives.neohapsis.com/archives/bugtraq/2002-03/0040.html\n[CVE-2002-0081](https://vulners.com/cve/CVE-2002-0081)\nCIAC Advisory: m-049\nCERT: CA-2002-05\nBugtraq ID: 4183\n", "modified": "2002-02-27T00:00:00", "published": "2002-02-27T00:00:00", "id": "OSVDB:720", "href": "https://vulners.com/osvdb/OSVDB:720", "title": "PHP php_mime_split Function POST Request Overflow", "type": "osvdb", "cvss": {"score": 7.5, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2017-12-08T11:44:10", "bulletinFamily": "scanner", "cvelist": ["CVE-2002-0081"], "description": "The remote host is running a version of PHP earlier\nthan 4.1.2.\n\nThere are several flaws in how PHP handles\nmultipart/form-data POST requests, any one of which can\nallow an attacker to gain remote access to the system.", "modified": "2017-12-07T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:10867", "href": "http://plugins.openvas.org/nasl.php?oid=10867", "type": "openvas", "title": "php POST file uploads", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: php_split_mime.nasl 8023 2017-12-07 08:36:26Z teissa $\n# Description: php POST file uploads\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n# Modified by H D Moore & Renaud Deraison to actually test for the flaw\n#\n# Copyright:\n# Copyright (C) 2002 Thomas Reinke\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"The remote host is running a version of PHP earlier\nthan 4.1.2.\n\nThere are several flaws in how PHP handles\nmultipart/form-data POST requests, any one of which can\nallow an attacker to gain remote access to the system.\";\n\ntag_solution = \"Upgrade to PHP 4.1.2\";\n\nif(description)\n{\n script_id(10867);\n script_version(\"$Revision: 8023 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_bugtraq_id(4183);\n script_cve_id(\"CVE-2002-0081\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n \n name = \"php POST file uploads\";\n\n script_name(name);\n\n \n \n script_category(ACT_DENIAL);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n \n \n script_copyright(\"This script is Copyright (C) 2002 Thomas Reinke\");\n family = \"Web application abuses\";\n script_family(family);\n script_dependencies(\"find_service.nasl\", \"http_version.nasl\", \"webmirror.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = get_http_port(default:80);\n\nif(http_is_dead(port:port))exit(0);\n\nif(get_port_state(port))\n{\n if ( ! 
can_host_php(port:port) ) exit(0);\n\n if(!safe_checks())\n {\n files = get_kb_list(string(\"www/\", port, \"/content/extensions/php*\"));\n \n if(isnull(files))file = \"/default.php\";\n else {\n \tfiles = make_list(files);\n\tfile = files[0];\n\t}\n \n if(is_cgi_installed_ka(item:file, port:port))\n {\n boundary1 = string(\"-OPENVAS!\");\n boundary2 = string(\"--OPENVAS!\");\n clen = \"567\";\n dblq = raw_string(0x22);\n badb = raw_string(0x12);\n\n\n postdata = string(\"POST \", file, \" HTTP/1.1\\r\\n\", \"Host: \", get_host_name(), \"\\r\\n\");\n postdata = string(postdata, \"Referer: http://\", get_host_name(), \"/\", file, \"\\r\\n\");\n postdata = string(postdata, \"Content-type: multipart/form-data; boundary=\", boundary1, \"\\r\\n\");\n postdata = string(postdata, \"Content-Length: \", clen, \"\\r\\n\\r\\n\", boundary2, \"\\r\\n\");\n postdata = string(postdata, \"Content-Disposition: form-data; name=\");\n \n\n\n len = strlen(dblq) + strlen(badb) + strlen(dblq);\n big = crap(clen - len);\n postdata = string(postdata, dblq, badb, dblq, big, dblq);\n \n soc = http_open_socket(port);\n if(!soc)exit(0);\n \n send(socket:soc, data:postdata);\n \n r = http_recv(socket:soc);\n http_close_socket(soc);\n if(http_is_dead(port: port)) { security_message(port); }\n }\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:50:20", "bulletinFamily": "scanner", "cvelist": ["CVE-2002-0081"], "description": "The remote host is missing an update to php3, php4\nannounced via advisory DSA 115-1.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:53395", "href": "http://plugins.openvas.org/nasl.php?oid=53395", "type": "openvas", "title": "Debian Security Advisory DSA 115-1 (php3, php4)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_115_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 115-1\n#\n# Authors:\n# 
Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Stefan Esser, who is also a member of the PHP team, found several\nflaws in the way PHP handles multipart/form-data POST requests (as\ndescribed in RFC1867) known as POST fileuploads. Each of the flaws\ncould allow an attacker to execute arbitrary code on the victim's\nsystem.\n\nFor PHP3 flaws contain a broken boundary check and an arbitrary heap\noverflow. 
For PHP4 they consist of a broken boundary check and a heap\noff by one error.\n\nFor the stable release of Debian these problems are fixed in version\n3.0.18-0potato1.1 of PHP3 and version 4.0.3pl1-0potato3 of PHP4.\n\nFor the unstable and testing release of Debian these problems are\nfixed in version 3.0.18-22 of PHP3 and version 4.1.2-1 of PHP4.\n\nThere is no PHP4 in the stable and unstable distribution for the arm\narchitecture due to a compiler error.\n\nWe recommend that you upgrade your php packages immediately.\";\ntag_summary = \"The remote host is missing an update to php3, php4\nannounced via advisory DSA 115-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20115-1\";\n\nif(description)\n{\n script_id(53395);\n script_cve_id(\"CVE-2002-0081\");\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:24:46 +0100 (Thu, 17 Jan 2008)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Debian Security Advisory DSA 115-1 (php3, php4)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"php3-doc\", ver:\"3.0.18-0potato1.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php4-dev\", ver:\"4.0.3pl1-0potato3\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php3-cgi-gd\", ver:\"3.0.18-0potato1.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php3-cgi-imap\", ver:\"3.0.18-0potato1.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php3-cgi-ldap\", ver:\"3.0.18-0potato1.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php3-cgi-magick\", ver:\"3.0.18-0potato1.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php3-cgi-mhash\", ver:\"3.0.18-0potato1.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php3-cgi-mysql\", ver:\"3.0.18-0potato1.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php3-cgi-pgsql\", ver:\"3.0.18-0potato1.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php3-cgi-snmp\", ver:\"3.0.18-0potato1.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php3-cgi-xml\", ver:\"3.0.18-0potato1.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php3-cgi\", 
ver:\"3.0.18-0potato1.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php3-dev\", ver:\"3.0.18-0potato1.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php3-gd\", ver:\"3.0.18-0potato1.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php3-imap\", ver:\"3.0.18-0potato1.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php3-ldap\", ver:\"3.0.18-0potato1.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php3-magick\", ver:\"3.0.18-0potato1.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php3-mhash\", ver:\"3.0.18-0potato1.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php3-mysql\", ver:\"3.0.18-0potato1.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php3-pgsql\", ver:\"3.0.18-0potato1.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php3-snmp\", ver:\"3.0.18-0potato1.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php3-xml\", ver:\"3.0.18-0potato1.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php3\", ver:\"3.0.18-0potato1.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php4-cgi-gd\", ver:\"4.0.3pl1-0potato3\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php4\", ver:\"4.0.3pl1-0potato3\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php4-cgi-imap\", ver:\"4.0.3pl1-0potato3\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php4-cgi-ldap\", ver:\"4.0.3pl1-0potato3\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php4-cgi-mhash\", ver:\"4.0.3pl1-0potato3\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php4-cgi-mysql\", 
ver:\"4.0.3pl1-0potato3\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php4-cgi-pgsql\", ver:\"4.0.3pl1-0potato3\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php4-cgi-snmp\", ver:\"4.0.3pl1-0potato3\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php4-cgi-xml\", ver:\"4.0.3pl1-0potato3\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php4-cgi\", ver:\"4.0.3pl1-0potato3\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php4-gd\", ver:\"4.0.3pl1-0potato3\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php4-imap\", ver:\"4.0.3pl1-0potato3\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php4-ldap\", ver:\"4.0.3pl1-0potato3\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php4-mhash\", ver:\"4.0.3pl1-0potato3\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php4-mysql\", ver:\"4.0.3pl1-0potato3\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php4-pgsql\", ver:\"4.0.3pl1-0potato3\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php4-snmp\", ver:\"4.0.3pl1-0potato3\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php4-xml\", ver:\"4.0.3pl1-0potato3\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2020-05-08T16:40:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2002-0081"], "description": "The remote host is running a version of PHP earlier\n than 4.1.2.\n\n There are several flaws in how PHP handles multipart/form-data POST requests, any one of\n which can allow an 
attacker to gain remote access to the system.", "modified": "2020-05-06T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231010867", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231010867", "type": "openvas", "title": "php POST file uploads", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# php POST file uploads\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n# Modified by H D Moore & Renaud Deraison to actually test for the flaw\n#\n# Copyright:\n# Copyright (C) 2002 Thomas Reinke\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.10867\");\n script_version(\"2020-05-06T07:10:15+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-06 07:10:15 +0000 (Wed, 06 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_bugtraq_id(4183);\n script_cve_id(\"CVE-2002-0081\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"php POST file uploads\");\n script_category(ACT_DENIAL);\n script_copyright(\"Copyright (C) 2002 Thomas Reinke\");\n script_family(\"Web 
application abuses\");\n script_dependencies(\"find_service.nasl\", \"no404.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_tag(name:\"solution\", value:\"Upgrade to PHP 4.1.2 or later.\");\n\n script_tag(name:\"summary\", value:\"The remote host is running a version of PHP earlier\n than 4.1.2.\n\n There are several flaws in how PHP handles multipart/form-data POST requests, any one of\n which can allow an attacker to gain remote access to the system.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = http_get_port(default:80);\nif(http_is_dead(port:port))exit(0);\nif ( ! http_can_host_php(port:port) ) exit(0);\n\nhost = http_host_name( dont_add_port:TRUE );\nfiles = http_get_kb_file_extensions( port:port, host:host, ext:\"php*\" );\n\nif(isnull(files))\n file = \"/default.php\";\nelse {\n files = make_list(files);\n file = files[0];\n}\n\nif(http_is_cgi_installed_ka(item:file, port:port)){\n\n boundary1 = string(\"-VTTEST!\");\n boundary2 = string(\"--VTTEST!\");\n clen = \"567\";\n dblq = raw_string(0x22);\n badb = raw_string(0x12);\n\n postdata = string(\"POST \", file, \" HTTP/1.1\\r\\n\", \"Host: \", host, \"\\r\\n\");\n postdata = string(postdata, \"Referer: http://\", get_host_name(), \"/\", file, \"\\r\\n\");\n postdata = string(postdata, \"Content-type: multipart/form-data; boundary=\", boundary1, \"\\r\\n\");\n postdata = string(postdata, \"Content-Length: \", clen, \"\\r\\n\\r\\n\", boundary2, \"\\r\\n\");\n postdata = string(postdata, \"Content-Disposition: form-data; name=\");\n\n len = strlen(dblq) + strlen(badb) + strlen(dblq);\n big = crap(clen - len);\n postdata = string(postdata, dblq, badb, dblq, big, dblq);\n\n soc = 
http_open_socket(port);\n if(!soc)exit(0);\n\n send(socket:soc, data:postdata);\n\n r = http_recv(socket:soc);\n http_close_socket(soc);\n if(http_is_dead(port: port)) {\n security_message(port:port);\n }\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "suse": [{"lastseen": "2016-09-04T12:07:45", "bulletinFamily": "unix", "cvelist": ["CVE-2002-0081"], "description": "The e-matters team have found multiple remotely exploitable vulnerabilites in the source code responsible for file upload in the apache modules mod_php and mod_php4 (versions 3 and 4). The weakness can be used to have the webserver execute arbitrary code as supplied by the attacker.", "edition": 1, "modified": "2002-02-28T20:59:29", "published": "2002-02-28T20:59:29", "id": "SUSE-SA:2002:007", "href": "http://lists.opensuse.org/opensuse-security-announce/2002-02/msg00007.html", "title": "remote command execution in mod_php, mod_php4", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cert": [{"lastseen": "2020-09-18T20:44:52", "bulletinFamily": "info", "cvelist": ["CVE-2002-0081"], "description": "### Overview \n\nVulnerabilities in PHP versions 3 and 4 could allow an intruder to execute arbitrary code with the privileges of the web server. \n\n### Description \n\n[PHP](<http://www.php.net>) is a scripting language widely used in web development. PHP can be installed on a variety of web servers, including Apache, IIS, Caudium, Netscape and iPlanet, OmniHTTPd and others. Vulnerabilities in the php_mime_split function may allow an intruder to execute arbitrary code with the privileges of the web server. For additional details, see\n\n<http://security.e-matters.de/advisories/012002.html> \n \nWeb servers that do not have PHP installed are not affected by this vulnerability. 
\n \n--- \n \n### Impact \n\nIntruders can execute arbitrary code with the privileges of the web server, or interrupt normal operations of the web server. \n \n--- \n \n### Solution \n\nUpgrade to PHP version 4.1.2, available from <http://www.php.net/do_download.php?download_file=php-4.1.2.tar.gz>. If upgrading is not possible, apply patches as described at <http://www.php.net/downloads.php>: \n \nFor PHP 4.10/4.11 \n<http://www.php.net/do_download.php?download_file=rfc1867.c.diff-4.1.x.gz> \n \nFor PHP 4.06 \n<http://www.php.net/do_download.php?download_file=rfc1867.c.diff-4.0.6.gz> \n \nFor PHP 3.0 \n<http://www.php.net/do_download.php?download_file=mime.c.diff-3.0.gz> \n \nIf you are using version 4.20-dev, you are not affected by this vulnerability. Quoting from [http://security.e-matters.de/advisories/012002.htm, \"](<http://security.e-matters.de/advisories/012002.html>)_users running PHP 4.2.0-dev from cvs are not vulnerable to any of the described bugs because the fileupload code was completly rewritten for the 4.2.0 branch. \"_ \n \n--- \n \nIf upgrading is not possible or a patch cannot be applied, you can avoid these vulnerabilities by setting `file_uploads = Off` in the php.ini file for version 4.0.3 and above. This will prevent you from using fileuploads, which may not be acceptable for your operation.` ` \n \n--- \n \n### Vendor Information\n\n297363\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. 
Click here to view vendors.**\n\n### Apache Software Foundation __ Affected\n\nUpdated: February 27, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nInformation about this vulnerability is available from <http://www.php.net/>\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nCERT/CC has no additional comments at this time. \n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23297363 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://security.e-matters.de/advisories/012002.html>\n * <http://www.php.net/do_download.php?download_file=rfc1867.c.diff-4.1.x.gz>\n * <http://www.php.net/do_download.php?download_file=rfc1867.c.diff-4.0.6.gz>\n * <http://www.php.net/do_download.php?download_file=mime.c.diff-3.0.gz>\n\n### Acknowledgements\n\nOur thanks to Stefan Esser, upon whose advisory this document is based. \n\nThis document was written by Shawn V. 
Hernan.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2002-0081](<http://web.nvd.nist.gov/vuln/detail/CVE-2002-0081>) \n---|--- \n**Severity Metric:** | 55.08 \n**Date Public:** | 2002-02-27 \n**Date First Published:** | 2002-02-27 \n**Date Last Updated: ** | 2002-02-27 18:13 UTC \n**Document Revision: ** | 9 \n", "modified": "2002-02-27T18:13:00", "published": "2002-02-27T00:00:00", "id": "VU:297363", "href": "https://www.kb.cert.org/vuls/id/297363", "type": "cert", "title": "PHP contains vulnerability in \"php_mime_split\" function allowing arbitrary code execution", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-18T20:44:56", "bulletinFamily": "info", "cvelist": ["CVE-2002-0081", "CVE-2002-0082"], "description": "### Overview \n\nThere is a remotely exploitable buffer overflow in two modules that implement the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocol. This can be used to execute arbitrary code.\n\n### Description \n\nThe [Secure Sockets Layer (SSL)](<http://www.netscape.com/eng/ssl3/>) and [Transport Layer Security (TLS)](<http://www.ietf.org/rfc/rfc2246.txt>) protocols are used to provide a secure connection between a client and server for higher level protocols such as HTTP. Apache_SSL and mod_ssl are two modules for Apache that both call an OpenSSL routine i2d_SSL_SESSION() to help create an SSL/TLS session. This routine converts the SSL/TLS session data into a format that can be stored in the session cache. The [OpenSSL d2i_SSL_SESSION.pod document](<http://www.cise.ufl.edu/depot/doc/openssl/ssl/d2i_SSL_SESSION.pod>) states that the routine should be called to first determine the size of the buffer needed to store the session data. 
Then the appropriately sized buffer should be allocated and finally the routine should be called again to convert the data.\n\nThese two modules fail to follow this procedure, and use a statically defined buffer to store the results of the i2d_SSL_SESSION() routine. By establishing an SSL Session, with a large crafted client certificate signed by a trusted CA, an attacker may be able to execute arbitrary code. If the target server trusts multiple CAs, then the target server's risk of receiving a malicious certificate is increased. \n \nClient certificates are generated when a Certificate Signature Request (CSR) is made of a Certificate Authority (CA). The CA signs the CSR with their server certificate and the resulting certificate is sent back to the client. Since some of the data in the CSR is entered by the person making the request, it is possible to submit a large crafted CSR for signature and have the CA sign it without suspicion. \n \nIt should be noted that for testing purposes mod_ssl ships a static \"snakeoil\" CA server certificate. It is clearly stated that this certificate should not be used for production environments, and steps are given to dynamically generate a server certificate for the CA. If, however, a system uses this static \"snakeoil\" server certificate as their own CA signing certificate, then it is trivial for an attacker to craft and sign their own client side certificate that would be accepted by the victim site as being signed by the trusted CA. 
The MD5 checksum for these static certificates from mod_ssl version 2.8.4 for Apache version 1.3.20 are as follows: \n \nAccording to the timestamps, it appears that most of these test files have not changed since 1998-1999. \n \n--- \n \n### Impact \n\nAn attacker may be able to execute arbitrary code on the system with the privileges of the ssl module. \n \n--- \n \n### Solution \n\nUpgrade to [mod_ssl 2.8.7](<http://www.modssl.org/>) or [Apache_SSL 1.3.22+1.47](<http://www.apache-ssl.org/>), or apply the patch provided by your vendor. \n \n--- \n \n### Vendor Information\n\n234971\n\n**Javascript is disabled. 
Click here to view vendors.**\n\n### Apache-SSL __ Affected\n\nNotified: March 01, 2002 Updated: April 04, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\n<http://www.apache-ssl.org/advisory-20020301.txt>\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nVersions of Apache-SSL prior to 1.3.22+1.47 are vulnerable.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23234971 Feedback>).\n\n### Caldera __ Affected\n\nUpdated: April 02, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nSee <http://www.caldera.com/support/security/advisories/CSSA-2002-011.0.txt>\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23234971 Feedback>).\n\n### Compaq Computer Corporation __ Affected\n\nUpdated: April 02, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\n\\-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1\n\nTITLE: (SSRT0817, SSRT0821) Potential Security Vulnerabilities \nwith Compaq Secure Web Server (PHP and apache/mod_ssl) \n \nPosted at <http://ftp.support.compaq.com/patches/.new/security.shtml> \n \nNOTICE: There are no restrictions for distribution of this Bulletin \nprovided that it remains complete and intact. 
\n \nRELEASE DATE: March 2002 \n \nSOURCE: \nCompaq Computer Corporation \nCompaq Services \nSoftware Security Response Team \n \nX-REFERENCE: CVE Candidate - PHP (CAN-2002-0081), \nApache/mod_ssl (CAN-2002-0082) \n \nPROBLEM SUMMARY: \n \nCompaq was recently notified of two potential vulnerabilities \nthat impact Compaq's distributed Secure Web Server (CSWS) for \nOpenVMS and TRU64 UNIX. \n \n(SSRT0817) PHP \n \nPHP (Hypertext Preprocessor scripting language). PHP does not \nperform proper bounds checking in functions related to \nForm-based File Uploads in HTML to decode MIME encoded files. \nThis potential overflow vulnerability may allow arbitrary code \nto be executed. \n \n \n \n(SSRT0821) Apache/mod_ssl \n \nApache/mod_ssl session cache management routines use an unchecked \nbuffer that could potentially allow an overflow of a session cache \nbuffer. This potential vulnerability may allow arbitrary code to be \nexecuted. \n \nVERSIONS IMPACTED: \n \nIMPACT: \n \nCSWS on OpenVMS V7.1-2 or later: (SSRT0817) PHP - CSWS_PHP V1.0; (SSRT0821) Apache/mod_ssl - CSWS V1.0-1, CSWS V1.1-1, CSWS V1.2 \n \nCSWS on TRU64 UNIX V5.0A or later: (SSRT0817) PHP - CSWS V5.5.2; (SSRT0821) Apache/mod_ssl - CSWS V5.5.2 \n \n \n*NOTE: These reported potential vulnerabilities do not \nhave an impact to the base operating system in the form \nof elevated permissions or privileges. \n \n \nNO IMPACT: \n \nHimalaya Web Products \n \nCompaq Management Software Web Products \n \n \nRESOLUTION: \n \nCompaq has corrected both problems and created patches that are now \navailable for CSWS (Compaq Secure Web Server) for OpenVMS and TRU64 \nUNIX. 
\n \nCSWS for OpenVMS V7.1-2 or later: \n \nA Compaq Secure Web Server security update kit is available for \ndownload at: \n<http://www.openvms.compaq.com/openvms/products/ips/apache/csws_patches.html> \n \n(SSRT0817) PHP \n \nINSTALLED VERSION UPDATE KIT \n \nCSWS_PHP 1.0 CSWS_PHP10_UPDATE V1.0 \n \n \nNOTE: (SSRT0817) PHP - For OpenVMS - if upgrading is not \npossible or a patch cannot be applied immediately, the \npotential PHP overflow vulnerability may be minimized by \nadding the following line to MOD_PHP.CONF file: \nPHP_FLAG file_uploads OFF \nThis will prevent using file uploads, which may not be \nan acceptable short-term solution. \n \n(SSRT0821) Apache/mod_ssl \n \nInstalled Version Update Kit \n \nCSWS V1.2 CSWS12_UPDATE V1.0 \nCSWS V1.1-1 CSWS111_UPDATE V1.0 \nCSWS V1.0-1 CSWS101_UPDATE V1.0 \n \n \n \n \nTRU64 UNIX for V5.0a or later: \n \nA Compaq Secure Web Server security update kit is available for \ndownload at: \n<http://tru64unix.compaq.com/internet/download.htm#sws_v582> \nselect and install the CSWS (Compaq Secure Web Server) kit V5.8.2 \n \n \nInstalled Version Install Updated Server Kit \n \nCSWS V5.5.2 CSWS V5.8.2 \n \n \nAfter completing the update, Compaq strongly recommends that you \nperform an immediate backup of your system disk so that any \nsubsequent restore operations begin with updated software. Otherwise, \nyou must reapply the patch after a future restore operation. Also, if \nat some future time you upgrade your system to a later patch version, \nyou may need to reapply the appropriate patch. \n \n \nSUPPORT: \n \nFor further information, contact Compaq Global Services. 
\n \n \nSUBSCRIBE: \n \nTo subscribe to automatically receive future Security Advisories from \nthe Compaq's Software Security Response Team via electronic mail: \n<http://www.support.compaq.com/patches/mailing-list.shtml> \n \nREPORT: \n \nTo report a potential security vulnerability with any Compaq \nsupported product, send email [mailto:security-ssrt@compaq.com](<mailto:security-ssrt@compaq.com>) \n \nCompaq appreciates your cooperation and patience. We regret \nany inconvenience applying this information may cause. As always, \nCompaq urges you to periodically review your system management and \nsecurity procedures. Compaq will continue to review and enhance the \nsecurity features of its products and work with customers to maintain \nand improve the security and integrity of their systems. \n \n\"Compaq is broadly distributing this Security Advisory to notify all \nusers of Compaq products of the important security information \ncontained in this Advisory. Compaq recommends that all users \ndetermine the applicability of this information to their individual \nsituations and take appropriate action. Compaq does not warrant that \nthis information is necessarily accurate or complete for all user \nsituations and, consequently, Compaq will not be responsible for any \ndamages resulting from user's use or disregard of the information \nprovided in this Advisory.\" \n \nCopyright 2002 Compaq Information Technologies Group, L.P. Compaq \nshall not be liable for technical or editorial errors or omissions \ncontained herein. The information in this document is subject to \nchange without notice. Compaq and the names of Compaq products \nreferenced herein are, either, trademarks and/or service marks or \nregistered trademarks and/or service marks of Compaq Information \nTechnologies Group, L.P. Other product and company names mentioned \nherein may be trademarks and/or service marks of their respective \nowners. 
\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23234971 Feedback>).\n\n### Conectiva __ Affected\n\nUpdated: March 04, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nSee, [http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000464&ckval=en](<http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000464&ckval=en>)\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23234971 Feedback>).\n\n### Debian __ Affected\n\nNotified: March 01, 2002 Updated: March 11, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nSee, <http://www.debian.org/security/2002/dsa-120>\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23234971 Feedback>).\n\n### Engarde __ Affected\n\nUpdated: March 01, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\n\\-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n\n\n+------------------------------------------------------------------------+ \n| EnGarde Secure Linux Security Advisory 
March 01, 2002 | \n| <http://www.engardelinux.org/> ESA-20020301-005 | \n| | \n| Package: apache (mod_ssl) | \n| Summary: mod_ssl's session caching mechanisms contain a potential | \n| buffer overflow | \n+------------------------------------------------------------------------+ \n \nEnGarde Secure Linux is a secure distribution of Linux that features \nimproved access control, host and network intrusion detection, Web \nbased secure remote management, complete e-commerce using AllCommerce, \nand integrated open source security tools. \n \n \nOVERVIEW \n\\- -------- \nThere is a buffer overflow in mod_ssl, part of EnGarde's apache package, \nwhich an attacker may potentially trigger by sending a very long client \ncertificate. \n \n \nDETAIL \n\\- ------ \nmod_ssl is an apache module used to provide SSL functionality using the \nOpenSSL toolkit. Ed Moyle has discovered a buffer overflow in \nmod_ssl's session caching mechanisms using dbm and shared memory. \n \nWe would like to stress that this vulnerability is in mod_ssl, not in \napache. We are issuing an apache update because we include mod_ssl as \npart of our apache package. \n \n \nSOLUTION \n\\- -------- \nAll users should upgrade to the most recent version as outlined in \nthis advisory. \n \nGuardian Digital recently made available the Guardian Digital Secure \nUpdate, a means to proactively keep systems secure and manage \nsystem software. EnGarde users can automatically update their system \nusing the Guardian Digital WebTool secure interface. \n \nIf choosing to manually upgrade this package, updates can be \nobtained from: \n \n<ftp://ftp.engardelinux.org/pub/engarde/stable/updates/> \n<http://ftp.engardelinux.org/pub/engarde/stable/updates/> \n \nBefore upgrading the package, the machine must either: \n \na) be booted into a \"standard\" kernel; or \nb) have LIDS disabled. 
\n \nTo disable LIDS, execute the command: \n \n# /sbin/lidsadm -S -- -LIDS_GLOBAL \n \nTo install the updated package, execute the command: \n \n# rpm -Uvh <filename> \n \nYou must now update the LIDS configuration by executing the command: \n \n# /usr/sbin/config_lids.pl \n \nTo re-enable LIDS (if it was disabled), execute the command: \n \n# /sbin/lidsadm -S -- +LIDS_GLOBAL \n \nTo verify the signatures of the updated packages, execute the command: \n \n# rpm -Kv <filename> \n \n \nUPDATED PACKAGES \n\\- ---------------- \nThese updated packages are for EnGarde Secure Linux 1.0.1 (Finestra). \n \nSource Packages: \n \nSRPMS/apache-1.3.23-1.0.27.src.rpm \nMD5 Sum: 412c8ed8f0151dc023372b70aac0475c \n \nBinary Packages: \n \ni386/apache-1.3.23-1.0.27.i386.rpm \nMD5 Sum: 66b23a6224b1916983c4350e95c35fd6 \n \ni686/apache-1.3.23-1.0.27.i686.rpm \nMD5 Sum: 4dc0650fb82a15aa00927cabcb02b230 \n \n \nREFERENCES \n\\- ---------- \nGuardian Digital's public key: \n<http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY> \n \nCredit for the discovery of this bug goes to: \nEd Moyle <emoyle@scsnet.csc.com> \n \nmod_ssl's Official Web Site: \n<http://www.modssl.org/> \n \nSecurity Contact: security@guardiandigital.com \nEnGarde Advisories: <http://www.engardelinux.org/advisories.html> \n \n\\- -------------------------------------------------------------------------- \n$Id: ESA-20020301-005-apache,v 1.3 2002/03/01 05:24:50 rwm Exp $ \n\\- -------------------------------------------------------------------------- \nAuthor: Ryan W. Maple, <ryan@guardiandigital.com> \nCopyright 2002, Guardian Digital, Inc. 
\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23234971 Feedback>).\n\n### Hewlett Packard __ Affected\n\nNotified: March 01, 2002 Updated: March 27, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nHP Support Information Digests\n\n=============================================================================== \no Security Bulletin Digest Split \n\\------------------------------ \n \nThe security bulletins digest has been split into multiple digests \nbased on the operating system (HP-UX, MPE/iX, and HP Secure OS \nSoftware for Linux). You will continue to receive all security \nbulletin digests unless you choose to update your subscriptions. \n \nTo update your subscriptions, use your browser to access the \nIT Resource Center on the World Wide Web at: \n \n<http://www.itresourcecenter.hp.com/> \n \nUnder the Maintenance and Support Menu, click on the \"more...\" link. \nThen use the 'login' link at the left side of the screen to login \nusing your IT Resource Center User ID and Password. \n \nUnder the notifications section (near the bottom of the page), select \nSupport Information Digests. \n \nTo subscribe or unsubscribe to a specific security bulletin digest, \nselect or unselect the checkbox beside it. Then click the \n\"Update Subscriptions\" button at the bottom of the page. 
\n \no IT Resource Center World Wide Web Service \n\\--------------------------------------------------- \n \nIf you subscribed through the IT Resource Center and would \nlike to be REMOVED from this mailing list, access the \nIT Resource Center on the World Wide Web at: \n \n<http://www.itresourcecenter.hp.com/> \n \nLogin using your IT Resource Center User ID and Password. \nThen select Support Information Digests (located under \nMaintenance and Support). You may then unsubscribe from the \nappropriate digest. \n=============================================================================== \n \n \nDigest Name: daily HP Secure OS Software for Linux security bulletins digest \nCreated: Fri Mar 15 3:00:03 PST 2002 \n \nTable of Contents: \n \nDocument ID Title \n\\--------------- ----------- \nHPSBTL0203-031 Security vulnerability in Apache prior to 1.3.23 \n \nThe documents are listed below. \n\\------------------------------------------------------------------------------- \n \n \nDocument ID: HPSBTL0203-031 \nDate Loaded: 20020314 \nTitle: Security vulnerability in Apache prior to 1.3.23 \n \nTEXT \n \n \n \n \n \n\\--------------------------------------------------------------- \nHEWLETT-PACKARD COMPANY SECURITY BULLETIN: #031 \nOriginally issued: 14 March '02 \n\\--------------------------------------------------------------- \n \nThe information in the following Security Bulletin should be acted \nupon as soon as possible. Hewlett-Packard Company will not be \nliable for any consequences to any customer resulting from said customer's \nfailure to fully implement instructions in this Security Bulletin as \nsoon as possible. \n \n\\--------------------------------------------------------------- \nPROBLEM: Security vulnerability in Apache prior to 1.3.23 and mod_ssl \nprior to 2.8.7. This bulletin addresses the same issues as the \nRed Hat Advisory RHSA-2002-041. 
Please, be aware, that the \nmod_ssl package has been altered for HP Secure OS software \nfor Linux. Please follow instructions provided below. \n \nPLATFORM: Any system running HP Secure OS software for Linux Release 1.0 \n \nDAMAGE: Use of the client certificates could yield unexpected results \nin Apache prior to 1.3.23 and mod_ssl prior to 2.8.7 \n \nSOLUTION: Apply the appropriate patch (see section B below). \n \nMANUAL ACTIONS: None \n \nAVAILABILITY: The patch is available now. \n\\--------------------------------------------------------------- \nA. Background \nHP Secure OS software for Linux Release 1.0 was released \nwith the 1.3.19 version of Apache. Since then, Apache 1.3.23 \nhas been released to correct a number of security related problems. \n \nB. Fixing the problem \nApply patch HPTL_00012. \n \nThe patch is available as follows: - \n \nUse your browser to access the HP IT Resource Center page \nat: \n \n<http://itrc.hp.com> \n \nUse the 'Login' tab at the left side of the screen to login \nusing your ID and password. Use your existing login or the \n\"Register\" button at the left to create a login. Remember to save the \nUser ID assigned to you, and your password. This login provides \naccess to many useful areas of the ITRC. \n \nUnder the \"Maintenance and Support\" section, select \"Individual Patches\". \n \nIn the field at the bottom of the page labeled \"retrieve a specific patch \nby entering the patch name\", enter HPTL_00012. \n \nFor instructions on installing the patch, please see the install text file \nincluded in the patch. \n \nC. To subscribe to automatically receive future NEW HP Security \nBulletins from the HP IT Resource Center via electronic \nmail, do the following: \n \nUse your browser to access the HP IT Resource Center page at: \n \n<http://itrc.hp.com> \n \nUse the 'Login' tab at the left side of the screen to login \nusing your ID and password. 
Use your existing login or the \n\"Register\" button at the left to create a login. Remember to \nsave the User ID assigned to you, and your password. This \nlogin provides access to many useful areas of the ITRC. \n \nIn the left most frame select \"Maintenance and Support\". \n \nUnder the \"Notifications\" section (near the bottom of \nthe page), select \"Support Information Digests\". \n \nTo -subscribe- to future HP Security Bulletins or other \nTechnical Digests, click the check box (in the left column) \nfor the appropriate digest and then click the \"Update \nSubscriptions\" button at the bottom of the page. \n \nor \n \nTo -review- bulletins already released, select the link \n(in the middle column) for the appropriate digest. \n \nD. To report new security vulnerabilities, send email to \n \nsecurity-alert@hp.com \n \nPlease encrypt any exploit information using the \nsecurity-alert PGP key, available from your local key \nserver. You may also get the security-alert PGP key by \nsending a message with a -subject- (not body) of \n'get key' (no quotes) to security-alert@hp.com. \n \nPermission is granted for copying and circulating this \nBulletin to Hewlett-Packard (HP) customers (or the Internet \ncommunity) for the purpose of alerting them to problems, \nif and only if, the Bulletin is not edited or changed in \nany way, is attributed to HP, and provided such reproduction \nand/or distribution is performed for non-commercial purposes. \n \nAny other use of this information is prohibited. HP is not \nliable for any misuse of this information by any third party. 
\n\\--------------------------------------------------------------- \n\\-----End of Document ID: HPSBTL0203-031--------------------------------------\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23234971 Feedback>).\n\n### MandrakeSoft __ Affected\n\nNotified: March 01, 2002 Updated: March 08, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\n\\-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1\n\n________________________________________________________________________ \n \nMandrake Linux Security Update Advisory \n________________________________________________________________________ \n \nPackage name: mod_ssl \nAdvisory ID: MDKSA-2002:020 \nDate: March 7th, 2002 \nAffected versions: 7.1, 7.2, 8.0, 8.1, Corporate Server 1.0.1, \nSingle Network Firewall 7.2 \n________________________________________________________________________ \n \nProblem Description: \n \nEd Moyle discovered a buffer overflow in mod_ssl's session caching \nmechanisms that use shared memory and dbm. This could potentially be \ntriggered by sending a very long client certificate to the server. 
\n________________________________________________________________________ \n \nReferences: \n \n<http://online.securityfocus.com/bid/4189> \n________________________________________________________________________ \n \nUpdated Packages: \n \n________________________________________________________________________ \n \nBug IDs fixed (see <https://qa.mandrakesoft.com> for more information): \n \n________________________________________________________________________ \n \nTo upgrade automatically, use MandrakeUpdate. 
The verification of md5 \nchecksums and GPG signatures is performed automatically for you. \n \nIf you want to upgrade manually, download the updated package from one \nof our FTP server mirrors and upgrade with \"rpm -Fvh *.rpm\". A list of \nFTP mirrors can be obtained from: \n \n<http://www.mandrakesecure.net/en/ftp.php> \n \nPlease verify the update prior to upgrading to ensure the integrity of \nthe downloaded package. You can do this with the command: \n \nrpm --checksig <filename> \n \nAll packages are signed by MandrakeSoft for security. You can obtain \nthe GPG public key of the Mandrake Linux Security Team from: \n \n<https://www.mandrakesecure.net/RPM-GPG-KEYS> \n \nPlease be aware that sometimes it takes the mirrors a few hours to \nupdate. \n \nYou can view other update advisories for Mandrake Linux at: \n \n<http://www.mandrakesecure.net/en/advisories/> \n \nMandrakeSoft has several security-related mailing list services that \nanyone can subscribe to. Information on these lists can be obtained by \nvisiting: \n \n<http://www.mandrakesecure.net/en/mlist.php> \n \nIf you want to report vulnerabilities, please contact \n \nsecurity@linux-mandrake.com \n________________________________________________________________________ \n \nType Bits/KeyID Date User ID \npub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team \n<security@linux-mandrake.com> \n
\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23234971 Feedback>).\n\n### Mod_ssl __ Affected\n\nNotified: February 28, 2002 Updated: March 01, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### 
Addendum\n\nVersions of mod_ssl prior to 2.8.7 for Apache 1.3.23 are vulnerable.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23234971 Feedback>).\n\n### Red Hat __ Affected\n\nNotified: March 01, 2002 Updated: March 06, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nRed Hat Linux 7.0, 7.1, 7.2 as well as Red Hat Secure Web Server 3.2 contain a vulnerable version of mod_ssl. However to exploit the overflow, the server must be configured to require client certificates, and an attacker must obtain a carefully crafted client certificate that has been signed by a Certificate Authority which is trusted by the server. Users who use client certificate authentication would be wise to upgrade or switch to the superior shared memory session cache, shmcb, which is not vulnerable to this issue. Updated mod_ssl packages will be available shortly at the following URL. Users of the Red Hat Network can use the 'up2date' tool to update their systems at the same time.\n\n<http://www.redhat.com/support/errata/RHSA-2002-041.html> \n \nVersion 3.0 and earlier of Red Hat Stronghold contain a vulnerable version of mod_ssl. Red Hat Stronghold is set by default to use the shmcb session cache (also known as c2shm) which is not vulnerable to this issue. Updates to Stronghold will be available shortly. 
\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23234971 Feedback>).\n\n### Trustix __ Affected\n\nUpdated: March 01, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\n\\-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n\n\n\\- -------------------------------------------------------------------------- \nTrustix Secure Linux Security Advisory #2002-0034 \n \nPackage name: apache \nSummary: Security fix and version upgrade \nDate: 2002-02-28 \nAffected versions: TSL 1.5 \n \n\\- -------------------------------------------------------------------------- \n \nProblem description: \nThe mod_ssl module in Apache utilizes OpenSSL for the SSL implementation. \nThe version in the old apache package made use of the underlying OpenSSL \nroutines in a manner which could overflow a buffer within the implementation. \nThis release (mod_ssl-2.8.7-1.3.23) fixes the problem. \n \nAction: \nWe recommend that all systems with this package installed are upgraded. \nPlease note that if you do not need the functionality provided by this \npackage, you may want to remove it from your system. \n \n \nLocation: \nAll TSL updates are available from \n<URI:<http://www.trustix.net/pub/Trustix/updates/>> \n<URI:<ftp://ftp.trustix.net/pub/Trustix/updates/>> \n \n \nAutomatic updates: \nUsers of the SWUP tool can enjoy having updates automatically \ninstalled using 'swup --upgrade'. \n \nGet SWUP from: \n<URI:<ftp://ftp.trustix.net/pub/Trustix/software/swup/>> \n \n \nPublic testing: \nThese packages have been available for public testing for some time. 
\nIf you want to contribute by testing the various packages in the \ntesting tree, please feel free to share your findings on the \ntsl-discuss mailinglist. \nThe testing tree is located at \n<URI:<http://www.trustix.net/pub/Trustix/testing/>> \n<URI:<ftp://ftp.trustix.net/pub/Trustix/testing/>> \n \n \nQuestions? \nCheck out our mailing lists: \n<URI:<http://www.trustix.net/support/>> \n \n \nVerification: \nThis advisory along with all TSL packages are signed with the TSL sign key. \nThis key is available from: \n<URI:<http://www.trustix.net/TSL-GPG-KEY>> \n \nThe advisory itself is available from the errata pages at \n<URI:<http://www.trustix.net/errata/trustix-1.5/>> \nor directly at \n<URI:<http://www.trustix.net/errata/misc/2002/TSL-2002-0034-apache.asc.txt>> \n \n \nMD5sums of the packages: \n\\- -------------------------------------------------------------------------- \nc75115bb82f788f2d673e13faf66254b ./1.5/SRPMS/apache-1.3.23-1tr.src.rpm \n7ea8c94b43b43cdbc2a9b31be96e40b5 ./1.5/RPMS/apache-devel-1.3.23-1tr.i586.rpm \neea37ac2ee6c2611d9434977fa389475 ./1.5/RPMS/apache-1.3.23-1tr.i586.rpm \n\\- -------------------------------------------------------------------------- \n \n \nTrustix Security Team \n \n\\-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.0.6 (GNU/Linux) \nComment: For info see <http://www.gnupg.org> \n \niD8DBQE8fj8XwRTcg4BxxS0RAmMvAJ9NUotASETlF+AZ7NA9bCxX9RScHQCfQa3g \nUKIuLd2Zg8uRINq1N67j48k= \n=3Cg+ \n\\-----END PGP SIGNATURE-----\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23234971 Feedback>).\n\n### Microsoft __ Not Affected\n\nNotified: March 01, 2002 Updated: March 04, 2002 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nWe've checked in 
our implementation of ASN.1 in SSL and we are not affected by this issue.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23234971 Feedback>).\n\n### References \n\n * <http://archives.neohapsis.com/archives/bugtraq/2002-02/0313.html>\n * <http://www.apache-ssl.org/advisory-20020301.txt>\n * <http://www.trustix.net/errata/misc/2002/TSL-2002-0034-apache.asc.txt>\n * <http://www.linuxsecurity.com/advisories/other_advisory-1923.html>\n * <http://www.apacheweek.com/issues/02-03-01.html#security>\n\n### Acknowledgements\n\nEd Moyle discovered and analyzed this vulnerability. 
\n\nThis document was written by Jason Rafail with assistance from Roman Danyliw, Sean Levy, and Jeff Havrilla.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2002-0082](<http://web.nvd.nist.gov/vuln/detail/CVE-2002-0082>) \n---|--- \n**Severity Metric:** | 15.50 \n**Date Public:** | 2002-02-27 \n**Date First Published:** | 2002-03-01 \n**Date Last Updated:** | 2002-04-22 20:44 UTC \n**Document Revision:** | 26 \n", "modified": "2002-04-22T20:44:00", "published": "2002-03-01T00:00:00", "id": "VU:234971", "href": "https://www.kb.cert.org/vuls/id/234971", "type": "cert", "title": "mod_ssl and Apache_SSL modules contain a buffer overflow in the implementation of the OpenSSL \"i2d_SSL_SESSION\" routine", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-07T11:51:16", "description": "Several flaws exist in various versions of PHP in the way it handles\nmultipart/form-data POST requests, which are used for file uploads.\nThe php_mime_split() function could be used by an attacker to execute\narbitrary code on the server. This affects both PHP4 and PHP3. 
The\nauthors have fixed this in PHP 4.1.2 and provided patches for older\nversions of PHP.", "edition": 24, "published": "2004-07-31T00:00:00", "title": "Mandrake Linux Security Advisory : php (MDKSA-2002:017)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2002-0081"], "modified": "2004-07-31T00:00:00", "cpe": ["cpe:/o:mandrakesoft:mandrake_linux:7.2", "p-cpe:/a:mandriva:linux:php-common", "cpe:/o:mandrakesoft:mandrake_linux:8.0", "cpe:/o:mandrakesoft:mandrake_linux:7.1", "cpe:/o:mandrakesoft:mandrake_linux:8.1", "p-cpe:/a:mandriva:linux:php-devel", "p-cpe:/a:mandriva:linux:php"], "id": "MANDRAKE_MDKSA-2002-017.NASL", "href": "https://www.tenable.com/plugins/nessus/13925", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2002:017. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(13925);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2002-0081\");\n script_xref(name:\"MDKSA\", value:\"2002:017\");\n\n script_name(english:\"Mandrake Linux Security Advisory : php (MDKSA-2002:017)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several flaws exist in various versions of PHP in the way it handles\nmultipart/form-data POST requests, which are used for file uploads.\nThe php_mime_split() function could be used by an attacker to execute\narbitrary code on the server. This affects both PHP4 and PHP3. 
The\nauthors have fixed this in PHP 4.1.2 and provided patches for older\nversions of PHP.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://security.e-matters.de/advisories/012002.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php, php-common and / or php-devel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:8.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:8.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2002/02/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n 
exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"php-4.0.6-5.8mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"php-common-4.0.6-5.8mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"php-devel-4.0.6-5.8mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"php-4.0.6-5.7mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"php-common-4.0.6-5.7mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"php-devel-4.0.6-5.7mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"php-4.0.6-5.6mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"php-common-4.0.6-5.6mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"php-devel-4.0.6-5.6mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"php-4.0.6-5.5mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"php-common-4.0.6-5.5mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"php-devel-4.0.6-5.5mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else 
security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-16T03:48:47", "description": "The remote host is running a version of PHP earlier than 4.1.2.\n\nThere are several flaws in how PHP handles multipart/form-data POST\nrequests, any one of which could allow an attacker to gain remote\naccess to the system.", "edition": 17, "published": "2002-02-28T00:00:00", "title": "PHP mime_split Function POST Request Overflow", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2002-0081"], "modified": "2002-02-28T00:00:00", "cpe": ["cpe:/a:php:php"], "id": "PHP_SPLIT_MIME.NASL", "href": "https://www.tenable.com/plugins/nessus/10867", "sourceData": "#\n# This script was written by Thomas Reinke <reinke@securityspace.com>\n#\n# Modified by H D Moore & Renaud Deraison to actually test for the flaw\n#\n# See the Nessus Scripts License for details\n#\n\n# Changes by Tenable:\n# - Revised plugin title (4/23/009)\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(10867);\n script_version(\"1.39\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/12\");\n\n script_cve_id(\"CVE-2002-0081\");\n script_bugtraq_id(4183);\n\n script_name(english:\"PHP mime_split Function POST Request Overflow\");\n script_summary(english:\"Checks for version of PHP\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"Arbitrary code may be run on the remote server.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of PHP earlier than 4.1.2.\n\nThere are several flaws in how PHP handles multipart/form-data POST\nrequests, any one of which could allow an attacker to gain remote\naccess to the system.\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to PHP 4.1.2.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n 
script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2002/02/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2002/02/28\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:php:php\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_copyright(english:\"This script is Copyright (C) 2002-2020 Thomas Reinke\");\n script_family(english:\"Web Servers\");\n\n script_dependencie(\"find_service1.nasl\", \"http_version.nasl\", \"webmirror.nasl\");\n script_require_keys(\"Settings/ParanoidReport\", \"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"backport.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nport = get_http_port(default:80, embedded:TRUE);\nif (! get_port_state(port)) exit(0, \"Port \"+port+\" is closed.\");\nif ( ! can_host_php(port:port) ) exit(0, \"The web server on port \"+port+\" does not support PHP.\");\n\nbanner = get_http_banner(port:port);\nif(!banner)exit(1, \"No HTTP banner on port \"+port+\".\");\nphp = get_php_version(banner:banner);\nif ( ! 
php ) exit(0, \"No PHP banner on port \"+port+\".\");\n\nif(http_is_dead(port:port))exit(1, \"The web server on port \"+port+\" is dead.\");\n\n if(!safe_checks())\n {\n files = get_kb_list(string(\"www/\", port, \"/content/extensions/php*\"));\n\n if(isnull(files))file = \"/default.php\";\n else {\n \tfiles = make_list(files);\n\tfile = files[0];\n\t}\n\n if(is_cgi_installed_ka(item:file, port:port))\n {\n boundary1 = string(\"-NESSUS!\");\n boundary2 = string(\"--NESSUS!\");\n clen = \"567\";\n dblq = raw_string(0x22);\n badb = raw_string(0x12);\n\n\n postdata = string(\"POST \", file, \" HTTP/1.1\\r\\n\", \"Host: \", get_host_name(), \"\\r\\n\");\n postdata = string(postdata, \"Referer: http://\", get_host_name(), \"/\", file, \"\\r\\n\");\n postdata = string(postdata, \"Content-type: multipart/form-data; boundary=\", boundary1, \"\\r\\n\");\n postdata = string(postdata, \"Content-Length: \", clen, \"\\r\\n\\r\\n\", boundary2, \"\\r\\n\");\n postdata = string(postdata, \"Content-Disposition: form-data; name=\");\n\n\n\n len = strlen(dblq) + strlen(badb) + strlen(dblq);\n big = crap(clen - len);\n postdata = string(postdata, dblq, badb, dblq, big, dblq);\n\n soc = http_open_socket(port);\n if(!soc) exit(1, \"TCP connection failed to port \"+port+\".\");\n\n send(socket:soc, data:postdata);\n\n r = http_recv(socket:soc);\n http_close_socket(soc);\n if(http_is_dead(port: port, retry: 3)) { security_hole(port); }\n }\n }\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T09:44:40", "description": "Stefan Esser, who is also a member of the PHP team, found several\nflawsin the way PHP handles multipart/form-data POST requests (as\ndescribed in RFC1867) known as POST fileuploads. Each of the flaws\ncould allow an attacker to execute arbitrary code on the victim's\nsystem.\n\nFor PHP3 flaws contain a broken boundary check and an arbitrary heap\noverflow. 
For PHP4 they consist of a broken boundary check and a heap\noff by one error.\n\nFor the stable release of Debian these problems are fixed in version\n3.0.18-0potato1.1 of PHP3 and version 4.0.3pl1-0potato3 of PHP4.\n\nFor the unstable and testing release of Debian these problems are\nfixed in version 3.0.18-22 of PHP3 and version 4.1.2-1 of PHP4.\n\nThere is no PHP4 in the stable and unstable distribution for the arm\narchitecture due to a compiler error.", "edition": 26, "published": "2004-09-29T00:00:00", "title": "Debian DSA-115-1 : php - broken boundary check and more", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2002-0081"], "modified": "2004-09-29T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:2.2", "p-cpe:/a:debian:debian_linux:php4", "p-cpe:/a:debian:debian_linux:php3"], "id": "DEBIAN_DSA-115.NASL", "href": "https://www.tenable.com/plugins/nessus/14952", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-115. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(14952);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2002-0081\");\n script_bugtraq_id(4183);\n script_xref(name:\"CERT\", value:\"297363\");\n script_xref(name:\"DSA\", value:\"115\");\n\n script_name(english:\"Debian DSA-115-1 : php - broken boundary check and more\");\n script_summary(english:\"Checks dpkg output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Stefan Esser, who is also a member of the PHP team, found several\nflawsin the way PHP handles multipart/form-data POST requests (as\ndescribed in RFC1867) known as POST fileuploads. Each of the flaws\ncould allow an attacker to execute arbitrary code on the victim's\nsystem.\n\nFor PHP3 flaws contain a broken boundary check and an arbitrary heap\noverflow. 
For PHP4 they consist of a broken boundary check and a heap\noff by one error.\n\nFor the stable release of Debian these problems are fixed in version\n3.0.18-0potato1.1 of PHP3 and version 4.0.3pl1-0potato3 of PHP4.\n\nFor the unstable and testing release of Debian these problems are\nfixed in version 3.0.18-22 of PHP3 and version 4.1.2-1 of PHP4.\n\nThere is no PHP4 in the stable and unstable distribution for the arm\narchitecture due to a compiler error.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://security.e-matters.de/advisories/012002.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2002/dsa-115\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the PHP packages immediately.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:2.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2002/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2002/02/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n 
script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"2.2\", prefix:\"php3\", reference:\"3.0.18-0potato1.1\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php3-cgi\", reference:\"3.0.18-0potato1.1\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php3-cgi-gd\", reference:\"3.0.18-0potato1.1\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php3-cgi-imap\", reference:\"3.0.18-0potato1.1\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php3-cgi-ldap\", reference:\"3.0.18-0potato1.1\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php3-cgi-magick\", reference:\"3.0.18-0potato1.1\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php3-cgi-mhash\", reference:\"3.0.18-0potato1.1\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php3-cgi-mysql\", reference:\"3.0.18-0potato1.1\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php3-cgi-pgsql\", reference:\"3.0.18-0potato1.1\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php3-cgi-snmp\", reference:\"3.0.18-0potato1.1\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php3-cgi-xml\", reference:\"3.0.18-0potato1.1\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php3-dev\", reference:\"3.0.18-0potato1.1\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php3-doc\", reference:\"3.0.18-0potato1.1\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php3-gd\", reference:\"3.0.18-0potato1.1\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php3-imap\", reference:\"3.0.18-0potato1.1\")) flag++;\nif (deb_check(release:\"2.2\", 
prefix:\"php3-ldap\", reference:\"3.0.18-0potato1.1\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php3-magick\", reference:\"3.0.18-0potato1.1\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php3-mhash\", reference:\"3.0.18-0potato1.1\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php3-mysql\", reference:\"3.0.18-0potato1.1\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php3-pgsql\", reference:\"3.0.18-0potato1.1\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php3-snmp\", reference:\"3.0.18-0potato1.1\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php3-xml\", reference:\"3.0.18-0potato1.1\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php4\", reference:\"4.0.3pl1-0potato3\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php4-cgi\", reference:\"4.0.3pl1-0potato3\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php4-cgi-gd\", reference:\"4.0.3pl1-0potato3\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php4-cgi-imap\", reference:\"4.0.3pl1-0potato3\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php4-cgi-ldap\", reference:\"4.0.3pl1-0potato3\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php4-cgi-mhash\", reference:\"4.0.3pl1-0potato3\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php4-cgi-mysql\", reference:\"4.0.3pl1-0potato3\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php4-cgi-pgsql\", reference:\"4.0.3pl1-0potato3\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php4-cgi-snmp\", reference:\"4.0.3pl1-0potato3\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php4-cgi-xml\", reference:\"4.0.3pl1-0potato3\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php4-dev\", reference:\"4.0.3pl1-0potato3\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php4-gd\", reference:\"4.0.3pl1-0potato3\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php4-imap\", reference:\"4.0.3pl1-0potato3\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php4-ldap\", 
reference:\"4.0.3pl1-0potato3\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php4-mhash\", reference:\"4.0.3pl1-0potato3\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php4-mysql\", reference:\"4.0.3pl1-0potato3\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php4-pgsql\", reference:\"4.0.3pl1-0potato3\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php4-snmp\", reference:\"4.0.3pl1-0potato3\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"php4-xml\", reference:\"4.0.3pl1-0potato3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}