{"openvas": [{"lastseen": "2019-05-29T18:34:55", "bulletinFamily": "scanner", "description": "This host is installed with PHP and is prone\n to heap buffer overflow vulnerability.", "modified": "2018-10-19T00:00:00", "published": "2017-11-09T00:00:00", "id": "OPENVAS:1361412562310812073", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812073", "title": "PHP 'timelib_meridian' Heap Based Buffer Overflow Vulnerability (Linux)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_php_timelib_meridian_heap_bof_vuln_lin.nasl 11983 2018-10-19 10:04:45Z mmartin $\n#\n# PHP 'timelib_meridian' Heap Based Buffer Overflow Vulnerability (Linux)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:php:php\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812073\");\n script_version(\"$Revision: 11983 $\");\n script_cve_id(\"CVE-2017-16642\");\n script_bugtraq_id(101745);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-19 12:04:45 +0200 (Fri, 19 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-11-09 18:55:09 +0530 (Thu, 09 Nov 2017)\");\n script_name(\"PHP 'timelib_meridian' Heap Based Buffer Overflow Vulnerability (Linux)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with PHP and is prone\n to heap buffer overflow vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to an error in the date\n extension's 'timelib_meridian' handling of 'front of' and 'back of' directives.\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue allow\n attacker to execute arbitrary code with elevated privileges within the context\n of a privileged process.\");\n\n script_tag(name:\"affected\", value:\"PHP versions before 5.6.32, 7.x before 7.0.25,\n and 7.1.x before 7.1.11\");\n\n script_tag(name:\"solution\", value:\"Upgrade to PHP version 5.6.32, 7.0.25, 7.1.11,\n or later.\");\n\n script_xref(name:\"URL\", value:\"http://php.net/ChangeLog-5.php\");\n script_xref(name:\"URL\", value:\"http://php.net/ChangeLog-7.php\");\n script_xref(name:\"URL\", 
value:\"https://bugs.php.net/bug.php?id=75055\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Buffer overflow\");\n script_dependencies(\"gb_php_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"php/installed\", \"Host/runs_unixoide\");\n\n script_xref(name:\"URL\", value:\"http://www.php.net\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(isnull(phpPort = get_app_port(cpe:CPE))) exit(0);\nif(!infos = get_app_version_and_location(cpe:CPE, port:phpPort, exit_no_version:TRUE)) exit(0);\nphpVers = infos['version'];\npath = infos['location'];\n\nif(version_is_less(version:phpVers, test_version:\"5.6.32\")){\n fix = \"5.6.32\";\n}\n\nelse if(version_in_range(version:phpVers, test_version:\"7.0\", test_version2:\"7.0.24\")){\n fix = \"7.0.25\";\n}\n\nelse if(phpVers =~ \"^7\\.1\" && version_is_less(version:phpVers, test_version:\"7.1.11\")){\n fix = \"7.1.11\";\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:phpVers, fixed_version:fix, install_path:path);\n security_message(port:phpPort, data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:34:55", "bulletinFamily": "scanner", "description": "This host is installed with PHP and is prone\n to heap buffer overflow vulnerability.", "modified": "2018-10-19T00:00:00", "published": "2017-11-09T00:00:00", "id": "OPENVAS:1361412562310812072", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812072", "title": "PHP 'timelib_meridian' Heap Based Buffer Overflow Vulnerability (Windows)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: 
gb_php_timelib_meridian_heap_bof_vuln_win.nasl 11983 2018-10-19 10:04:45Z mmartin $\n#\n# PHP 'timelib_meridian' Heap Based Buffer Overflow Vulnerability (Windows)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:php:php\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812072\");\n script_version(\"$Revision: 11983 $\");\n script_cve_id(\"CVE-2017-16642\");\n script_bugtraq_id(101745);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-19 12:04:45 +0200 (Fri, 19 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-11-09 18:44:32 +0530 (Thu, 09 Nov 2017)\");\n script_name(\"PHP 'timelib_meridian' Heap Based Buffer Overflow Vulnerability (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with PHP and is prone\n to heap buffer overflow vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to an error 
in the date\n extension's 'timelib_meridian' handling of 'front of' and 'back of' directives.\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue allow\n attacker to execute arbitrary code with elevated privileges within the context\n of a privileged process.\");\n\n script_tag(name:\"affected\", value:\"PHP versions before 5.6.32, 7.x before 7.0.25,\n and 7.1.x before 7.1.11\");\n\n script_tag(name:\"solution\", value:\"Upgrade to PHP version 5.6.32, 7.0.25, 7.1.11,\n or later.\");\n\n script_xref(name:\"URL\", value:\"http://php.net/ChangeLog-5.php\");\n script_xref(name:\"URL\", value:\"http://php.net/ChangeLog-7.php\");\n script_xref(name:\"URL\", value:\"https://bugs.php.net/bug.php?id=75055\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Buffer overflow\");\n script_dependencies(\"gb_php_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"php/installed\", \"Host/runs_windows\");\n\n script_xref(name:\"URL\", value:\"http://www.php.net\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(isnull(phpPort = get_app_port(cpe:CPE))) exit(0);\nif(!infos = get_app_version_and_location(cpe:CPE, port:phpPort, exit_no_version:TRUE)) exit(0);\nphpVers = infos['version'];\npath = infos['location'];\n\nif(version_is_less(version:phpVers, test_version:\"5.6.32\")){\n fix = \"5.6.32\";\n}\n\nelse if(version_in_range(version:phpVers, test_version:\"7.0\", test_version2:\"7.0.24\")){\n fix = \"7.0.25\";\n}\n\nelse if(phpVers =~ \"^7\\.1\" && version_is_less(version:phpVers, test_version:\"7.1.11\")){\n fix = \"7.1.11\";\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:phpVers, fixed_version:fix, install_path:path);\n security_message(port:phpPort, data:report);\n exit(0);\n}\nexit(0);\n", 
"cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "zdt": [{"lastseen": "2018-04-02T05:22:50", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2012-01-04T00:00:00", "published": "2012-01-04T00:00:00", "id": "1337DAY-ID-17330", "href": "https://0day.today/exploit/description/17330", "type": "zdt", "title": "Typo3 v4.5-4.7 Remote Code Execution (RFI/LFI)", "sourceData": "# Exploit Title: Typo3 v4.5-4.7 - Remote Code Execution (RFI/LFI)\r\n# Date: 4th January 2012\r\n# Author: MaXe\r\n# Software Link: https://typo3.org/download/\r\n# Version: 4.5.0 up to 4.5.8, 4.6.0 and 4.6.1 (+ development releases of\r\n4.7 branch)\r\n \r\n \r\nTypo3 v4.5-4.7 - Remote Code Execution (RFI/LFI)\r\n \r\n \r\nVersions Affected: 4.5.0 up to 4.5.8, 4.6.0 and 4.6.1 (+ development\r\nreleases of 4.7 branch)\r\n \r\nInfo:\r\nTYPO3 is a small to midsize enterprise-class Content Management Framework\r\noffering\r\nthe best of both worlds: out-of-the-box operation with a complete set of\r\nstandard\r\nmodules and a clean and sturdy high-performance architecture accommodating\r\nvirtually\r\nevery kind of custom solution or extension.\r\n \r\nExternal Links:\r\nhttp://typo3.org/\r\n \r\nCredits: Bj\u00f6rn Pedersen and Christian Toffolo who discovered and reported\r\nthe issue and the Security Team member Helmut Hummel for providing the\r\npatch.\r\n(This advisory was rewritten by MaXe @InterN0T to offer a quick overview\r\nof the vulnerability, including the removal of all irrelevant and untrue\r\ndetails.\r\n \r\n \r\n-:: The Advisory ::-\r\nRequirements for any RCE:\r\n- register_globals in the php.ini MUST be enabled (if the exploit fails\r\nagainst a supposed to be vulnerable version, this is why. 
This setting is\r\noften disabled by default.)\r\n \r\nRequirements for RFI:\r\n- allow_url_include has to be enabled (It's often \"off\" by default.)\r\n \r\n \r\nProof of Concept:\r\nBy browsing to a script / page, that uses the following file:\r\ntypo3/sysext/workspaces/Classes/Controller/AbstractController.php (direct\r\naccess may not be allowed)\r\nIt is possible to include PHP code to be executed via the \"BACK_PATH\"\r\nglobal variable. This can be accessed in ways like:\r\nAbstractController.php?BACK_PATH=LFI/RFI%00\r\n \r\nThe vulnerable piece of code: require_once($GLOBALS['BACK_PATH'] .\r\n'template.php');\r\nDemonstrates, that it is necessary to append a null-byte ( %00 ) after the\r\nmaliciously crafted input / URL. (Unless your remote file if applicable, is\r\nnamed something.template.php)\r\n \r\n \r\n-:: Solution ::-\r\n* Update to the latest version of Typo3 OR change the vulnerable piece of\r\ncode to: require_once(PATH_site . TYPO3_mainDir . 'template.php');\r\n \r\n \r\n \r\nReferences:\r\n- http://typo3.org/fileadmin/security-team/bug32571/32571.diff\r\n-\r\nhttps://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2011-004/\r\n-\r\nhttp://news.typo3.org/news/article/important-security-bulletin-pre-announcement-2/\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/17330"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:20", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, mb_send_mail() message headers modification, etc.", "modified": "2005-11-29T00:00:00", "published": "2005-11-29T00:00:00", "id": "SECURITYVULNS:VULN:5487", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:5487", "title": "Web applications security vulnerabilities (PHP, ASP, CGI, Perl, etc)", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": 
"2018-08-31T11:10:14", "bulletinFamily": "software", "description": "\r\nTITLE:\r\nAmpache Snoopy \"_httpsrequest()\" Command Injection Vulnerability\r\n\r\nSECUNIA ADVISORY ID:\r\nSA17779\r\n\r\nVERIFY ADVISORY:\r\nhttp://secunia.com/advisories/17779/\r\n\r\nCRITICAL:\r\nHighly critical\r\n\r\nIMPACT:\r\nSystem access\r\n\r\nWHERE:\r\nFrom remote\r\n\r\nSOFTWARE:\r\nAmpache 3.x\r\nhttp://secunia.com/product/5347/\r\n\r\nDESCRIPTION:\r\nA vulnerability has been reported in Ampache, which can be exploited\r\nby malicious people to compromise a vulnerable system.\r\n\r\nThe vulnerability is caused due to the use of a vulnerable version of\r\nSnoopy.\r\n\r\nFor more information:\r\nSA17330\r\n\r\nSOLUTION:\r\nUpdate to version 3.3.1.5.\r\nhttp://www.ampache.org/download.php\r\n\r\nOTHER REFERENCES:\r\nSA17330:\r\nhttp://secunia.com/advisories/17330/\r\n\r\n----------------------------------------------------------------------\r\n\r\nAbout:\r\nThis Advisory was delivered by Secunia as a free service to help\r\neverybody keeping their systems up to date against the latest\r\nvulnerabilities.\r\n\r\nSubscribe:\r\nhttp://secunia.com/secunia_security_advisories/\r\n\r\nDefinitions: (Criticality, Where etc.)\r\nhttp://secunia.com/about_secunia_advisories/\r\n\r\n\r\nPlease Note:\r\nSecunia recommends that you verify all advisories you receive by\r\nclicking the link.\r\nSecunia NEVER sends attached files with advisories.\r\nSecunia does not advise people to install third party patches, only\r\nuse those supplied by the vendor.\r\n", "modified": "2005-11-29T00:00:00", "published": "2005-11-29T00:00:00", "id": "SECURITYVULNS:DOC:10454", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:10454", "title": "[SA17779] Ampache Snoopy \"_httpsrequest()\" Command Injection Vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}