CVE-2000-0967 - PHP 3.0/4.0 error logging format string vulnerability
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Summary
PHP 3 (before 3.0.17) and PHP 4 (before 4.0.3) do not properly cleanse user-injected format strings in their error-logging code: text taken from the request (for example a file name that could not be opened) reaches the syslog()/vsnprintf()-style logging routines as the format argument instead of as data. A remote attacker who can trigger such an error message while error logging (log_errors) is enabled can place printf conversion directives in the request and execute arbitrary commands on the web server. Installations that do not log errors and warnings are not affected.
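The following C program is an added illustration of the logging defect described in the summary above and in the Mandrake advisory text quoted below; it is not PHP's source code. The function names (php_error_log_vulnerable, php_error_log_fixed, log_sink, has_format_directive) are hypothetical stand-ins for the PHP 3/4 error logger, and the sample request path is constructed. It deliberately uses only the "%%" directive, which is interpreted by the vulnerable path without reading or writing memory, so the difference between the two loggers is visible without running a real %x/%n attack.

```c
/*
 * Added example (not PHP's code): the logging pattern behind CVE-2000-0967.
 * An error message that embeds request data is handed to a printf-style
 * logger as its *format* argument, so '%' sequences in the request are
 * interpreted. The fixed variant passes the message through "%s".
 */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_LINE_MAX 512

/* Stand-in for the error-log sink (syslog()/error_log file). Keeps the last
 * line so callers can inspect what actually got written. */
static char last_log_line[LOG_LINE_MAX];

static void log_sink(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_log_line, sizeof last_log_line, fmt, ap);
    va_end(ap);
}

/* VULNERABLE: the already-built message becomes the format string. */
const char *php_error_log_vulnerable(const char *message)
{
    log_sink(message);            /* attacker-controlled '%' is interpreted */
    return last_log_line;
}

/* FIXED: the message is only ever a %s argument; its '%' bytes stay literal. */
const char *php_error_log_fixed(const char *message)
{
    log_sink("%s", message);
    return last_log_line;
}

/* Builds the kind of message PHP 3/4 logged, here for a failed include
 * whose file name came straight from the request (hypothetical wording). */
int build_error_message(char *out, size_t outlen, const char *user_path)
{
    return snprintf(out, outlen,
                    "PHP Warning: Unable to open '%s' for inclusion", user_path);
}

/* Convenience: build the warning for user_path and log it the vulnerable way. */
const char *log_include_warning_vulnerable(const char *user_path)
{
    char msg[LOG_LINE_MAX];
    build_error_message(msg, sizeof msg, user_path);
    return php_error_log_vulnerable(msg);
}

/* Detection helper: does this string contain a printf conversion (a '%'
 * not escaped as "%%")? Usable as a guard on untrusted data before it
 * reaches any logger, or over access-log URIs when hunting for attempts. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {        /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        return 1;                 /* "%x", "%n", "%08x", lone trailing '%' */
    }
    return 0;
}

int main(void)
{
    /* Constructed request path; the C literal "%%" is two '%' characters. */
    const char *request_path = "/docs/100%%.php";

    printf("vulnerable: %s\n", log_include_warning_vulnerable(request_path));
    /* -> ... '/docs/100%.php' ... : the logger consumed one '%' */

    char msg[LOG_LINE_MAX];
    build_error_message(msg, sizeof msg, request_path);
    printf("fixed:      %s\n", php_error_log_fixed(msg));
    /* -> ... '/docs/100%%.php' ... : bytes logged as received */

    printf("directive in \"%%08x.%%08x.%%n\": %d\n",
           has_format_directive("%08x.%08x.%n"));
    return 0;
}
```

The "%%" case is the safe way to prove the format argument is being interpreted; in the real attack the same position carries "%x" to read stack words and "%n" to write a chosen value to a chosen address, which is what the Exploit-DB entries below turn into command execution. The fix is the same as for any format string bug: never let data occupy the format slot, and treat any '%' in untrusted input that reaches a logger as a finding.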
Exploit-Db

EDB-ID 220: PHP 3.0.16/4.0.2 - Remote Format Overflow Exploit
Description: PHP 3.0.16/4.0.2 Remote Format Overflow Exploit. CVE-2000-0967. Remote exploit for linux platform.
Reporter: Gneisenau
Published: 2000-12-06; modified 2000-12-06; last seen 2016-01-31
Source: https://www.exploit-db.com/download/220/

EDB-ID 20286: PHP 3.0/4.0 Error Logging Format String Vulnerability
Description: PHP 3.0/4.0 Error Logging Format String Vulnerability. CVE-2000-0967. Remote exploit for php platform.
Reporter: anonymous
Published: 2000-10-12; modified 2000-10-12; last seen 2016-02-02
Source: https://www.exploit-db.com/download/20286/
Nessus
Plugin 10535: PHP Error Log Format String Command Injection
NASL family: CGI abuses
NASL id: PHP_LOG.NASL
Description: The version of PHP that is running on the remote host is older than 3.0.17 or 4.0.3. If the option 'log_errors' is set to 'On' in php.ini, then an attacker may execute arbitrary code on this host.
Published: 2000-10-14; modified 2020-06-02; last seen 2020-06-01
Reporter: This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/10535
Code:

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if(description)
{
  script_id(10535);
  script_version ("1.23");
  script_cve_id("CVE-2000-0967");
  script_bugtraq_id(1786);

  script_name(english:"PHP Error Log Format String Command Injection");

  script_set_attribute(attribute:"synopsis", value:
"Arbitrary code might be run on the remote host." );
  script_set_attribute(attribute:"description", value:
"The version of PHP that is running on the remote host is older than 3.0.17 or 4.0.3. If the option 'log_errors' is set to 'On' in php.ini, then an attacker may execute arbitrary code on this host." );
  script_set_attribute(attribute:"solution", value:
"Make sure that 'log_errors' is set to 'Off' in your php.ini, or install the latest version of PHP." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"plugin_publication_date", value: "2000/10/14");
  script_set_attribute(attribute:"vuln_publication_date", value: "2000/10/14");
  script_cvs_date("Date: 2018/07/24 18:56:10");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:php:php");
  script_end_attributes();

  script_summary(english:"Checks for version of PHP");
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.");
  script_family(english:"CGI abuses");
  script_dependencie("find_service1.nasl", "http_version.nasl");
  script_require_ports("Services/www", 80);
  exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80);
banner = get_http_banner(port:port);
if(!banner)exit(0);

# Flag PHP/3.0.0 through 3.0.16 and PHP/4.0.0 through 4.0.2 in the Server header;
# the trailing ([^0-9]|$) keeps e.g. PHP/4.0.10 from matching PHP/4.0.1.
serv = egrep(string:banner, pattern:"^Server:.*$");
if(ereg(pattern:"(.*PHP/3\.0\.((1[0-6])|([0-9]([^0-9]|$))))|(.*PHP/4\.0\.[0-2]([^0-9]|$))", string:serv))
{
  security_warning(port);
}
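The plugin above decides purely from the version string in the HTTP Server header. The C program below is an added example, not Tenable's plugin, that performs the same test as a numeric comparison against the first fixed releases named in the plugin (3.0.17 and 4.0.3) rather than as a regular expression, so it also handles two- and three-digit patch levels and suffixes such as "RC1" without the regex's trailing-character trick. The function names and the sample banners are constructed for this example.

```c
/*
 * Added example (not Tenable's plugin): the version test that
 * PHP_LOG.NASL performs on the HTTP Server header, written as a
 * numeric comparison. Vulnerable: PHP 3.0.x with x < 17 and
 * PHP 4.0.x with x < 3 (the first fixed releases are 3.0.17 and 4.0.3).
 */
#include <stdio.h>
#include <string.h>

enum { PHP_NOT_FOUND = -1, PHP_FIXED = 0, PHP_VULNERABLE = 1 };

/* Extracts "PHP/a.b.c" from a Server header line. Returns 1 on success. */
int parse_php_version(const char *server_header, int *major, int *minor, int *patch)
{
    const char *p = strstr(server_header, "PHP/");
    if (p == NULL)
        return 0;
    /* sscanf stops at the first non-digit, so "PHP/4.0.2RC1" yields 4,0,2
     * and "PHP/4.0.10" yields 4,0,10 rather than a "4.0.1" false positive. */
    return sscanf(p + 4, "%d.%d.%d", major, minor, patch) == 3;
}

/* Compares major.minor.patch against the first fixed release of the same
 * major branch. Branches the advisory does not cover are reported as fixed. */
int php_banner_status(const char *server_header)
{
    int maj, min, pat;
    if (!parse_php_version(server_header, &maj, &min, &pat))
        return PHP_NOT_FOUND;         /* no PHP token: cannot tell from banner */
    if (maj == 3)
        return (min == 0 && pat < 17) ? PHP_VULNERABLE : PHP_FIXED;
    if (maj == 4)
        return (min == 0 && pat < 3) ? PHP_VULNERABLE : PHP_FIXED;
    return PHP_FIXED;
}

int main(void)
{
    /* Constructed sample banners; not taken from any real host. */
    static const char *const banners[] = {
        "Server: Apache/1.3.12 (Unix) PHP/3.0.16",
        "Server: Apache/1.3.12 (Unix) PHP/3.0.17",
        "Server: Apache/1.3.14 (Unix) PHP/4.0.2 mod_ssl/2.7.1",
        "Server: Apache/1.3.14 (Unix) PHP/4.0.2RC1",
        "Server: Apache/1.3.14 (Unix) PHP/4.0.3",
        "Server: Apache/1.3.14 (Unix) PHP/4.0.10",
        "Server: Apache/1.3.14 (Unix)",
    };
    for (size_t i = 0; i < sizeof banners / sizeof banners[0]; i++)
        printf("%-52s -> %2d\n", banners[i], php_banner_status(banners[i]));
    return 0;
}
```

Like the plugin, this is a banner check: a host that hides the PHP token (ServerTokens Prod, or PHP built with expose_php off) yields PHP_NOT_FOUND rather than a verdict, and a distribution package that fixed the bug without changing the version string would be reported as vulnerable. For such hosts the local package check (the Mandrake plugin below, or the vendor errata in the references) is the authoritative test, and confirming that log_errors is off in php.ini tells you whether the bug is reachable at all.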
Plugin 61849: Mandrake Linux Security Advisory : mod_php3 (MDKSA-2000:062)
NASL family: Mandriva Local Security Checks
NASL id: MANDRAKE_MDKSA-2000-062.NASL
Description: PHP version 3, which ships with Linux-Mandrake, is vulnerable to format string attacks due to logging functions that make improper use of the syslog() and vsnprintf() functions. This renders PHP3-enabled servers vulnerable to compromise by remote attackers. This attack is only effective on PHP installations that log errors and warnings; servers that do not are not affected. By default, Linux-Mandrake systems do not have logging enabled.
Published: 2012-09-06; modified 2020-06-02; last seen 2020-06-01
Reporter: This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/61849
Code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandrake Linux Security Advisory MDKSA-2000:062.
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(61849);
  script_version("1.5");
  script_cvs_date("Date: 2019/08/02 13:32:46");

  script_cve_id("CVE-2000-0967");
  script_xref(name:"MDKSA", value:"2000:062");

  script_name(english:"Mandrake Linux Security Advisory : mod_php3 (MDKSA-2000:062)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Mandrake Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"PHP version 3 which ships with Linux-Mandrake are vulnerable to format
string attacks due to logging functions that make improper use of the
syslog() and vsnprintf() functions. This renders PHP3-enabled servers
vulnerable to compromise by remote attackers. This attack is only
effective on PHP installations that log errors and warnings while those
servers that do not are not affected.

By default, Linux-Mandrake systems do not have logging enabled."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mod_php3");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mod_php3-imap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mod_php3-ldap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mod_php3-manual");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mod_php3-mysql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mod_php3-pgsql");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:6.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2000/10/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/06");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

# Fixed packages: mod_php3 3.0.17-1mdk (MDK 6.1, 7.0) and 3.0.17-2mdk (MDK 7.1).
flag = 0;
if (rpm_check(release:"MDK6.1", cpu:"i386", reference:"mod_php3-3.0.17-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK6.1", cpu:"i386", reference:"mod_php3-imap-3.0.17-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK6.1", cpu:"i386", reference:"mod_php3-manual-3.0.17-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK6.1", cpu:"i386", reference:"mod_php3-pgsql-3.0.17-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.0", cpu:"i386", reference:"mod_php3-3.0.17-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.0", cpu:"i386", reference:"mod_php3-imap-3.0.17-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.0", cpu:"i386", reference:"mod_php3-manual-3.0.17-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.0", cpu:"i386", reference:"mod_php3-pgsql-3.0.17-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"mod_php3-3.0.17-2mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"mod_php3-imap-3.0.17-2mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"mod_php3-ldap-3.0.17-2mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"mod_php3-manual-3.0.17-2mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"mod_php3-mysql-3.0.17-2mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"mod_php3-pgsql-3.0.17-2mdk", yank:"mdk")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
References
- ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:75.php.asc
- http://archives.neohapsis.com/archives/bugtraq/2000-10/0204.html
- http://www.atstake.com/research/advisories/2000/a101200-1.txt
- http://www.calderasystems.com/support/security/advisories/CSSA-2000-037.0.txt
- http://www.linux-mandrake.com/en/security/MDKSA-2000-062.php3?dis=7.1
- http://www.redhat.com/support/errata/RHSA-2000-088.html
- http://www.redhat.com/support/errata/RHSA-2000-095.html
- http://www.securityfocus.com/bid/1786
- https://exchange.xforce.ibmcloud.com/vulnerabilities/5359