CVE-2002-0985 - Argument Injection or Modification vulnerability in multiple products

CVSS 0.0 - NONE
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN

Summary

Argument injection vulnerability in the mail function for PHP 4.x to 4.2.2 may allow attackers to bypass safe mode restrictions and modify command line arguments to the MTA (e.g. sendmail) in the 5th argument to mail(), altering MTA behavior and possibly executing commands.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Try All Common Application Switches and Options
    An attacker attempts to invoke all common switches and options in the target application for the purpose of discovering weaknesses in the target. For example, in some applications, adding a --debug switch causes debugging information to be displayed, which can sometimes reveal sensitive processing or configuration information to an attacker. This attack differs from other forms of API abuse in that the attacker is blindly attempting to invoke options in the hope that one of them will work rather than specifically targeting a known option. Nonetheless, even if the attacker is familiar with the published options of a targeted application this attack method may still be fruitful as it might discover unpublicized functionality.
  • Using Meta-characters in E-mail Headers to Inject Malicious Payloads
    This type of attack involves an attacker leveraging meta-characters in email headers to inject improper behavior into email programs. Email software has become increasingly sophisticated and feature-rich. In addition, email applications are ubiquitous and connected directly to the Web making them ideal targets to launch and propagate attacks. As the user demand for new functionality in email applications grows, they become more like browsers with complex rendering and plug in routines. As more email functionality is included and abstracted from the user, this creates opportunities for attackers. Virtually all email applications do not list email header information by default, however the email header contains valuable attacker vectors for the attacker to exploit particularly if the behavior of the email client application is known. Meta-characters are hidden from the user, but can contain scripts, enumerations, probes, and other attacks against the user's system.
  • HTTP Parameter Pollution (HPP)
    An attacker overrides or adds HTTP GET/POST parameters by injecting query string delimiters. Via HPP it may be possible to override existing hardcoded HTTP parameters, modify the application behaviors, access and, potentially exploit, uncontrollable variables, and bypass input validation checkpoints and WAF rules.
  • OS Command Injection
    In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2002-214.NASL
    description: PHP versions up to and including 4.2.2 contain vulnerabilities in the mail() function, allowing local script authors to bypass safe mode restrictions and possibly allowing remote attackers to insert arbitrary mail headers or content. [Updated 13 Jan 2003] Added fixed packages for the Itanium (IA64) architecture. [Updated 06 Feb 2003] Added fixed packages for Advanced Workstation 2.1 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP server. The mail function in PHP 4.x to 4.2.2 may allow local script authors to bypass safe mode restrictions and modify command line arguments to the MTA (such as sendmail) in the 5th argument to mail(), altering MTA behavior and possibly executing arbitrary local commands. The mail function in PHP 4.x to 4.2.2 does not filter ASCII control characters from its arguments, which could allow remote attackers to modify mail message content, including mail headers, and possibly use PHP as a
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 12326
    published: 2004-07-06
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/12326
    title: RHEL 2.1 : php (RHSA-2002:214)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2002:214. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(12326);
      script_version ("1.22");
      script_cvs_date("Date: 2019/10/25 13:36:10");
    
      script_cve_id("CVE-2002-0985", "CVE-2002-0986");
      script_xref(name:"RHSA", value:"2002:214");
    
      script_name(english:"RHEL 2.1 : php (RHSA-2002:214)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "PHP versions up to and including 4.2.2 contain vulnerabilities in the
    mail() function, allowing local script authors to bypass safe mode
    restrictions and possibly allowing remote attackers to insert
    arbitrary mail headers or content.
    
    [Updated 13 Jan 2003] Added fixed packages for the Itanium (IA64)
    architecture.
    
    [Updated 06 Feb 2003] Added fixed packages for Advanced Workstation
    2.1
    
    PHP is an HTML-embedded scripting language commonly used with the
    Apache HTTP server.
    
    The mail function in PHP 4.x to 4.2.2 may allow local script authors
    to bypass safe mode restrictions and modify command line arguments to
    the MTA (such as sendmail) in the 5th argument to mail(), altering MTA
    behavior and possibly executing arbitrary local commands.
    
    The mail function in PHP 4.x to 4.2.2 does not filter ASCII control
    characters from its arguments, which could allow remote attackers to
    modify mail message content, including mail headers, and possibly use
    PHP as a 'spam proxy.'
    
    Script authors should note that all input data should be checked for
    unsafe data by any PHP scripts which call functions such as mail().
    
    Note that this PHP errata, as did RHSA-2002:129, enforces memory
    limits on the size of the PHP process to prevent a badly generated
    script from becoming a possible source for a denial of service attack.
    The default process size is 8Mb, though you can adjust this as you
    deem necessary through the php.ini directive memory_limit. For
    example, to change the process memory limit to 4MB, add the 
    following :
    
    memory_limit 4194304
    
    Important Note: There are special instructions you should follow
    regarding your /etc/php.ini configuration file in the 'Solution'
    section below."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2002-0985"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2002-0986"
      );
      # http://marc.theaimsgroup.com/?l=bugtraq&m=103011916928204
      script_set_attribute(
        attribute:"see_also",
        value:"https://marc.info/?l=bugtraq&m=103011916928204"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2002:214"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-imap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-manual");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-odbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-pgsql");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/09/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2003/02/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2002:214";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-4.1.2-2.1.6")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-devel-4.1.2-2.1.6")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-imap-4.1.2-2.1.6")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-ldap-4.1.2-2.1.6")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-manual-4.1.2-2.1.6")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-mysql-4.1.2-2.1.6")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-odbc-4.1.2-2.1.6")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-pgsql-4.1.2-2.1.6")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php / php-devel / php-imap / php-ldap / php-manual / php-mysql / etc");
      }
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SA_2002_036.NASL
    description: The remote host is missing the patch for the advisory SUSE-SA:2002:036 (mod_php4). PHP is a well known and widely used web programming language. If a PHP script runs in
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 13757
    published: 2004-07-25
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/13757
    title: SUSE-SA:2002:036: mod_php4
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # This plugin text was extracted from SuSE Security Advisory SUSE-SA:2002:036
    #
    
    
    if ( ! defined_func("bn_random") ) exit(0);
    
    include("compat.inc");
    
    if(description)
    {
     script_id(13757);
     script_version ("1.13");
     script_cve_id("CVE-2002-0985");
     
     name["english"] = "SUSE-SA:2002:036: mod_php4";
     
     script_name(english:name["english"]);
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a vendor-supplied security patch" );
     script_set_attribute(attribute:"description", value:
    "The remote host is missing the patch for the advisory SUSE-SA:2002:036 (mod_php4).
    
    
    PHP is a well known and widely used web programming language.
    If a PHP script runs in 'safe mode' several restrictions are applied
    to it including limits on execution of external programs.
    
    An attacker can pass shell meta-characters or sendmail(8) command line
    options via the 5th argument (introduced in version 4.0.5) of the mail()
    function to execute shell commands or control the behavior of sendmail(8).
    
    The CRLF injection vulnerabilities in fopen(), file(), header(), ...
    allow an attacker to bypass ACLs or trigger cross-side scripting.
    
    The mod_php4 package is not installed by default.
    A temporary fix is not known.
    
    Please note, that the following packages were rebuild too:
    - mod_php4-core
    - mod_php4-aolserver
    - mod_php4-devel
    - mod_php4-servlet
    - mod_php4-roxen
    
    Please download the update package for your distribution and verify its
    integrity by the methods listed in section 3) of this announcement.
    Then, install the package using the command 'rpm -Fhv file.rpm' to apply
    the update." );
     script_set_attribute(attribute:"solution", value:
    "http://www.suse.de/security/2002_036_modphp4.html" );
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
    
    
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2004/07/25");
      script_cvs_date("Date: 2019/10/25 13:36:27");
     script_end_attributes();
    
     
     summary["english"] = "Check for the version of the mod_php4 package";
     script_summary(english:summary["english"]);
     
     script_category(ACT_GATHER_INFO);
     
     script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
     family["english"] = "SuSE Local Security Checks";
     script_family(english:family["english"]);
     
     script_dependencies("ssh_get_info.nasl");
     script_require_keys("Host/SuSE/rpm-list");
     exit(0);
    }
    
    include("rpm.inc");
    if ( rpm_check( reference:"mod_php4-4.0.4pl1-135", release:"SUSE7.0") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"mod_php4-4.0.4pl1-142", release:"SUSE7.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"mod_php4-4.0.6-192", release:"SUSE7.2") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"mod_php4-4.0.6-193", release:"SUSE7.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"mod_php4-4.1.0-257", release:"SUSE8.0") )
    {
     security_hole(0);
     exit(0);
    }
    if (rpm_exists(rpm:"mod_php4-", release:"SUSE7.0")
     || rpm_exists(rpm:"mod_php4-", release:"SUSE7.1")
     || rpm_exists(rpm:"mod_php4-", release:"SUSE7.2")
     || rpm_exists(rpm:"mod_php4-", release:"SUSE7.3")
     || rpm_exists(rpm:"mod_php4-", release:"SUSE8.0") )
    {
     set_kb_item(name:"CVE-2002-0985", value:TRUE);
    }
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2003-082.NASL
    description: A vulnerability was discovered in the transparent session ID support in PHP4 prior to version 4.3.2. It did not properly escape user- supplied input prior to inserting it in the generated web page. This could be exploited by an attacker to execute embedded scripts within the context of the generated HTML (CVE-2003-0442). As well, two vulnerabilities had not been patched in the PHP packages included with Mandrake Linux 8.2: The mail() function did not filter ASCII control filters from its arguments, which could allow an attacker to modify the mail message content (CVE-2002-0986). Another vulnerability in the mail() function would allow a remote attacker to bypass safe mode restrictions and modify the command line arguments passed to the MTA in the fifth argument (CVE-2002-0985). All users are encouraged to upgrade to these patched packages. Update : The packages for Mandrake Linux 8.2 and Multi-Network Firewall 8.2, due to improper BuildRequires did not include mail() support. This update corrects that problem.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14064
    published: 2004-07-31
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/14064
    title: Mandrake Linux Security Advisory : php (MDKSA-2003:082-1)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2003:082. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(14064);
      script_version ("1.25");
      script_cvs_date("Date: 2019/08/02 13:32:46");
    
      script_cve_id("CVE-2002-0985", "CVE-2002-0986", "CVE-2003-0442");
      script_xref(name:"MDKSA", value:"2003:082");
      script_xref(name:"MDKSA", value:"2003:082-1");
    
      script_name(english:"Mandrake Linux Security Advisory : php (MDKSA-2003:082-1)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A vulnerability was discovered in the transparent session ID support
    in PHP4 prior to version 4.3.2. It did not properly escape user-
    supplied input prior to inserting it in the generated web page. This
    could be exploited by an attacker to execute embedded scripts within
    the context of the generated HTML (CVE-2003-0442).
    
    As well, two vulnerabilities had not been patched in the PHP packages
    included with Mandrake Linux 8.2: The mail() function did not filter
    ASCII control filters from its arguments, which could allow an
    attacker to modify the mail message content (CVE-2002-0986). Another
    vulnerability in the mail() function would allow a remote attacker to
    bypass safe mode restrictions and modify the command line arguments
    passed to the MTA in the fifth argument (CVE-2002-0985).
    
    All users are encouraged to upgrade to these patched packages.
    
    Update :
    
    The packages for Mandrake Linux 8.2 and Multi-Network Firewall 8.2,
    due to improper BuildRequires did not include mail() support. This
    update corrects that problem."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libphp_common430");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-cgi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-cli");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pear");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php430-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/08/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"php-4.1.2-1.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"php-common-4.1.2-1.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"php-devel-4.1.2-1.2mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"php-4.2.3-4.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"php-common-4.2.3-4.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"php-devel-4.2.3-4.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"php-pear-4.2.3-4.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"libphp_common430-430-11.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"php-cgi-4.3.1-11.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"php-cli-4.3.1-11.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"php430-devel-430-11.1mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-168.NASL
    description: Wojciech Purczynski found out that it is possible for scripts to pass arbitrary text to sendmail as commandline extension when sending a mail through PHP even when safe_mode is turned on. Passing 5th argument should be disabled if PHP is configured in safe_mode, which is the case for newer PHP versions and for the versions below. This does not affect PHP3, though. Wojciech Purczynski also found out that arbitrary ASCII control characters may be injected into string arguments of the mail() function. If mail() arguments are taken from user
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15005
    published: 2004-09-29
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15005
    title: Debian DSA-168-1 : php - bypassing safe_mode, CRLF injection
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-168. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15005);
      script_version("1.26");
      script_cvs_date("Date: 2019/08/02 13:32:17");
    
      script_cve_id("CVE-2002-0985", "CVE-2002-0986", "CVE-2002-1783");
      script_bugtraq_id(5681);
      script_xref(name:"DSA", value:"168");
    
      script_name(english:"Debian DSA-168-1 : php - bypassing safe_mode, CRLF injection");
      script_summary(english:"Checks dpkg output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Wojciech Purczynski found out that it is possible for scripts to pass
    arbitrary text to sendmail as commandline extension when sending a
    mail through PHP even when safe_mode is turned on. Passing 5th
    argument should be disabled if PHP is configured in safe_mode, which
    is the case for newer PHP versions and for the versions below. This
    does not affect PHP3, though.
    
    Wojciech Purczynski also found out that arbitrary ASCII control
    characters may be injected into string arguments of the mail()
    function. If mail() arguments are taken from user's input it may give
    the user ability to alter message content including mail headers.
    
    Ulf Harnhammar discovered that file() and fopen() are vulnerable to
    CRLF injection. An attacker could use it to escape certain
    restrictions and add arbitrary text to alleged HTTP requests that are
    passed through.
    
    However this only happens if something is passed to these functions
    which is neither a valid file name nor a valid url. Any string that
    contains control chars cannot be a valid url. Before you pass a string
    that should be a url to any function you must use urlencode() to
    encode it.
    
    Three problems have been identified in PHP :
    
      - The mail() function can allow arbitrary email headers to
        be specified if a recipient address or subject contains
        CR/LF characters.
      - The mail() function does not properly disable the
        passing of arbitrary command-line options to sendmail
        when running in Safe Mode.
    
      - The fopen() function, when retrieving a URL, can allow
        manipulation of the request for the resource through a
        URL containing CR/LF characters. For example, headers
        could be added to an HTTP request.
    
    These problems have been fixed in version 3.0.18-23.1woody1 for PHP3
    and 4.1.2-5 for PHP4 for the current stable distribution (woody), in
    version 3.0.18-0potato1.2 for PHP3 and 4.0.3pl1-0potato4 for PHP4 in
    the old stable distribution (potato) and in version 3.0.18-23.2 for
    PHP3 and 4.2.3-3 for PHP4 for the unstable distribution (sid)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2002/dsa-168"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the PHP packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:PHP3");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:PHP4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2002/09/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_set_attribute(attribute:"vuln_publication_date", value:"2003/07/30");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"2.2", prefix:"php3", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-cgi", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-cgi-gd", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-cgi-imap", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-cgi-ldap", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-cgi-magick", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-cgi-mhash", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-cgi-mysql", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-cgi-pgsql", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-cgi-snmp", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-cgi-xml", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-dev", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-doc", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-gd", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-imap", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-ldap", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-magick", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-mhash", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-mysql", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-pgsql", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-snmp", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-xml", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php4", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-cgi", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-cgi-gd", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-cgi-imap", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-cgi-ldap", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-cgi-mhash", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-cgi-mysql", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-cgi-pgsql", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-cgi-snmp", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-cgi-xml", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-dev", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-gd", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-imap", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-ldap", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-mhash", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-mysql", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-pgsql", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-snmp", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-xml", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"3.0", prefix:"caudium-php4", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php3", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-cgi", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-cgi-gd", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-cgi-imap", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-cgi-ldap", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-cgi-magick", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-cgi-mhash", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-cgi-mysql", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-cgi-snmp", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-cgi-xml", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-dev", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-doc", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-gd", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-imap", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-ldap", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-magick", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-mhash", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-mysql", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-snmp", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-xml", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php4", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-cgi", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-curl", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-dev", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-domxml", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-gd", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-imap", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-ldap", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-mcal", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-mhash", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-mysql", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-odbc", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-pear", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-recode", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-snmp", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-sybase", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-xslt", reference:"4.1.2-5")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: CGI abuses
    NASL id: PHP_MAIL_FUNC_HEADER_SPOOF.NASL
    description: The remote host is running a version of PHP prior to or equal to 4.2.2. The mail() function does not properly sanitize user input. This allows users to forge email to make it look like it is coming from a source other than the server. Users can exploit this even if SAFE_MODE is enabled.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11444
    published: 2003-03-23
    reporter: (C) 2003-2018 [email protected]
    source: https://www.tenable.com/plugins/nessus/11444
    title: PHP Mail Function Header Spoofing
    code
    # [email protected]
    # http://libpcap.net
    #
    # See the Nessus Scripts License for details
    
    
    include("compat.inc");
    
    if(description)
    {
      script_id(11444);
    
      script_cve_id("CVE-2002-0985", "CVE-2002-0986");
      script_bugtraq_id(5562);
      script_version("1.19");

      script_name(english:"PHP Mail Function Header Spoofing");

      script_set_attribute(attribute:"synopsis", value:
    "A remote web application can be used to forge data." );
      script_set_attribute(attribute:"description", value:
    "The remote host is running a version of PHP prior or equal to 4.2.2.

    The mail() function does not properly sanitize user input.
    This allows users to forge email to make it look like it is
    coming from a different source other than the server.

    Users can exploit this even if SAFE_MODE is enabled." );
      script_set_attribute(attribute:"solution", value:
    "Contact your vendor for the latest PHP release." );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/23");
      script_set_attribute(attribute:"vuln_publication_date", value:"2003/07/30");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
      script_end_attributes();

      summary["english"] = "Checks for version of PHP";
      script_summary(english:summary["english"]);
     
      script_category(ACT_GATHER_INFO);
     
      script_family(english:"CGI abuses");
      script_copyright(english:"(C) 2003-2020 [email protected]");
      if ( ! defined_func("bn_random") )
    	script_dependencie("http_version.nasl");
      else
      	script_dependencie("http_version.nasl", "redhat-RHSA-2002-214.nasl");
      script_require_ports("Services/www", 80);
      exit(0);
    }
    
    #
    # The script code starts here
    #
    
    include("http_func.inc");
    
    if ( get_kb_item("CVE-2002-0985" ) ) exit(0);
    
    port = get_http_port(default:80, embedded:TRUE);
    
    
    if(get_port_state(port)) {
      banner = get_http_banner(port:port);
      if(!banner)exit(0);
    
      if(egrep(pattern:".*PHP/([0-3]\..*|4\.[0-1]\..*|4\.2\.[0-2][^0-9])", string:banner)) {
        security_warning(port);
      }
    }
     
    
  • NASL family: CGI abuses
    NASL id: PHP_4_2_X_MALFORMED_POST.NASL
    description: The remote host is running a version of PHP earlier than 4.2.2. The new POST handling system in PHP 4.2.0 and 4.2.1 has a bug which allows an attacker to disable the remote server or to compromise it.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11050
    published: 2002-07-22
    reporter: This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/11050
    title: PHP < 4.2.x mail Function CRLF Injection

Redhat

advisories
  • rhsa
    id: RHSA-2002:213
  • rhsa
    id: RHSA-2002:214
  • rhsa
    id: RHSA-2002:243
  • rhsa
    id: RHSA-2002:244
  • rhsa
    id: RHSA-2002:248
  • rhsa
    id: RHSA-2003:159