Vulnerabilities > CVE-2002-0986 - Unspecified vulnerability in PHP

CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: PARTIAL
Availability impact: NONE

Summary

The mail function in PHP 4.x to 4.2.2 does not filter ASCII control characters from its arguments, which could allow remote attackers to modify mail message content, including mail headers, and possibly use PHP as a "spam proxy."
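The advisories on this page put the fix in two places: the patched PHP packages, and input checking in every script that calls mail(). The following is an added example of that caller-side check, not code from the CVE record or from any vendor; the wrapper name send_mail_checked and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not part of the CVE record or of any vendor's code.
// CVE-2002-0986 is a header-injection problem: mail() in PHP 4.x to 4.2.2
// passed ASCII control characters through, so CR/LF in a recipient or
// subject became extra header lines. The caller-side guard below rejects
// any control character in a header-bound argument before mail() runs.

/**
 * True if $value may be placed on a mail header line: it contains no
 * ASCII control character (0x00-0x1F, 0x7F), which rules out CR and LF.
 * preg_match() returns 0 for "no match", 1 for a match, false on error;
 * only an explicit 0 is treated as safe.
 */
function is_header_safe(string $value): bool
{
    return preg_match('/[\x00-\x1F\x7F]/', $value) === 0;
}

/**
 * Hypothetical wrapper: validate every header-bound argument and call
 * mail() only when all of them are clean. Returns false without sending
 * otherwise. The message body may legitimately contain newlines; the
 * fifth ($additional_params) argument of mail() is deliberately not
 * exposed, since it reaches the MTA command line (CVE-2002-0985).
 */
function send_mail_checked(string $to, string $subject, string $body, string $from): bool
{
    foreach (['to' => $to, 'subject' => $subject, 'from' => $from] as $name => $value) {
        if (!is_header_safe($value)) {
            error_log("mail() call rejected: control character in '$name' argument");
            return false;
        }
    }
    return mail($to, $subject, $body, "From: $from");
}

// Constructed sample inputs: a clean address and one carrying a CR/LF pair
// followed by an extra header line, as a form field might deliver it.
$samples = [
    'clean'    => 'alice@example.com',
    'injected' => "alice@example.com\r\nX-Injected: yes",
];

foreach ($samples as $label => $value) {
    printf("%-8s -> %s\n", $label, is_header_safe($value) ? 'accepted' : 'rejected');
}
```

The same check applies to any value that ends up in a header through the fourth argument (for example a Reply-To supplied by the user), not only to the recipient and subject.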

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2002-214.NASL
    description: PHP versions up to and including 4.2.2 contain vulnerabilities in the mail() function, allowing local script authors to bypass safe mode restrictions and possibly allowing remote attackers to insert arbitrary mail headers or content. [Updated 13 Jan 2003] Added fixed packages for the Itanium (IA64) architecture. [Updated 06 Feb 2003] Added fixed packages for Advanced Workstation 2.1 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP server. The mail function in PHP 4.x to 4.2.2 may allow local script authors to bypass safe mode restrictions and modify command line arguments to the MTA (such as sendmail) in the 5th argument to mail(), altering MTA behavior and possibly executing arbitrary local commands. The mail function in PHP 4.x to 4.2.2 does not filter ASCII control characters from its arguments, which could allow remote attackers to modify mail message content, including mail headers, and possibly use PHP as a
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 12326
    published: 2004-07-06
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/12326
    title: RHEL 2.1 : php (RHSA-2002:214)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2002:214. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(12326);
      script_version ("1.22");
      script_cvs_date("Date: 2019/10/25 13:36:10");
    
      script_cve_id("CVE-2002-0985", "CVE-2002-0986");
      script_xref(name:"RHSA", value:"2002:214");
    
      script_name(english:"RHEL 2.1 : php (RHSA-2002:214)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "PHP versions up to and including 4.2.2 contain vulnerabilities in the
    mail() function, allowing local script authors to bypass safe mode
    restrictions and possibly allowing remote attackers to insert
    arbitrary mail headers or content.
    
    [Updated 13 Jan 2003] Added fixed packages for the Itanium (IA64)
    architecture.
    
    [Updated 06 Feb 2003] Added fixed packages for Advanced Workstation
    2.1
    
    PHP is an HTML-embedded scripting language commonly used with the
    Apache HTTP server.
    
    The mail function in PHP 4.x to 4.2.2 may allow local script authors
    to bypass safe mode restrictions and modify command line arguments to
    the MTA (such as sendmail) in the 5th argument to mail(), altering MTA
    behavior and possibly executing arbitrary local commands.
    
    The mail function in PHP 4.x to 4.2.2 does not filter ASCII control
    characters from its arguments, which could allow remote attackers to
    modify mail message content, including mail headers, and possibly use
    PHP as a 'spam proxy.'
    
    Script authors should note that all input data should be checked for
    unsafe data by any PHP scripts which call functions such as mail().
    
    Note that this PHP errata, as did RHSA-2002:129, enforces memory
    limits on the size of the PHP process to prevent a badly generated
    script from becoming a possible source for a denial of service attack.
    The default process size is 8Mb, though you can adjust this as you
    deem necessary through the php.ini directive memory_limit. For
    example, to change the process memory limit to 4MB, add the 
    following :
    
    memory_limit 4194304
    
    Important Note: There are special instructions you should follow
    regarding your /etc/php.ini configuration file in the 'Solution'
    section below."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2002-0985"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2002-0986"
      );
      # http://marc.theaimsgroup.com/?l=bugtraq&m=103011916928204
      script_set_attribute(
        attribute:"see_also",
        value:"https://marc.info/?l=bugtraq&m=103011916928204"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2002:214"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-imap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-manual");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-odbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-pgsql");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/09/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2003/02/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2002:214";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-4.1.2-2.1.6")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-devel-4.1.2-2.1.6")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-imap-4.1.2-2.1.6")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-ldap-4.1.2-2.1.6")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-manual-4.1.2-2.1.6")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-mysql-4.1.2-2.1.6")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-odbc-4.1.2-2.1.6")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-pgsql-4.1.2-2.1.6")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php / php-devel / php-imap / php-ldap / php-manual / php-mysql / etc");
      }
    }
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2003-082.NASL
    description: A vulnerability was discovered in the transparent session ID support in PHP4 prior to version 4.3.2. It did not properly escape user-supplied input prior to inserting it in the generated web page. This could be exploited by an attacker to execute embedded scripts within the context of the generated HTML (CVE-2003-0442). As well, two vulnerabilities had not been patched in the PHP packages included with Mandrake Linux 8.2: The mail() function did not filter ASCII control filters from its arguments, which could allow an attacker to modify the mail message content (CVE-2002-0986). Another vulnerability in the mail() function would allow a remote attacker to bypass safe mode restrictions and modify the command line arguments passed to the MTA in the fifth argument (CVE-2002-0985). All users are encouraged to upgrade to these patched packages. Update : The packages for Mandrake Linux 8.2 and Multi-Network Firewall 8.2, due to improper BuildRequires did not include mail() support. This update corrects that problem.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14064
    published: 2004-07-31
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/14064
    title: Mandrake Linux Security Advisory : php (MDKSA-2003:082-1)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2003:082. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(14064);
      script_version ("1.25");
      script_cvs_date("Date: 2019/08/02 13:32:46");
    
      script_cve_id("CVE-2002-0985", "CVE-2002-0986", "CVE-2003-0442");
      script_xref(name:"MDKSA", value:"2003:082");
      script_xref(name:"MDKSA", value:"2003:082-1");
    
      script_name(english:"Mandrake Linux Security Advisory : php (MDKSA-2003:082-1)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A vulnerability was discovered in the transparent session ID support
    in PHP4 prior to version 4.3.2. It did not properly escape user-
    supplied input prior to inserting it in the generated web page. This
    could be exploited by an attacker to execute embedded scripts within
    the context of the generated HTML (CVE-2003-0442).
    
    As well, two vulnerabilities had not been patched in the PHP packages
    included with Mandrake Linux 8.2: The mail() function did not filter
    ASCII control filters from its arguments, which could allow an
    attacker to modify the mail message content (CVE-2002-0986). Another
    vulnerability in the mail() function would allow a remote attacker to
    bypass safe mode restrictions and modify the command line arguments
    passed to the MTA in the fifth argument (CVE-2002-0985).
    
    All users are encouraged to upgrade to these patched packages.
    
    Update :
    
    The packages for Mandrake Linux 8.2 and Multi-Network Firewall 8.2,
    due to improper BuildRequires did not include mail() support. This
    update corrects that problem."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libphp_common430");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-cgi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-cli");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pear");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php430-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/08/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"php-4.1.2-1.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"php-common-4.1.2-1.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"php-devel-4.1.2-1.2mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"php-4.2.3-4.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"php-common-4.2.3-4.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"php-devel-4.2.3-4.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"php-pear-4.2.3-4.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"libphp_common430-430-11.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"php-cgi-4.3.1-11.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"php-cli-4.3.1-11.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"php430-devel-430-11.1mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-168.NASL
    description: Wojciech Purczynski found out that it is possible for scripts to pass arbitrary text to sendmail as commandline extension when sending a mail through PHP even when safe_mode is turned on. Passing 5th argument should be disabled if PHP is configured in safe_mode, which is the case for newer PHP versions and for the versions below. This does not affect PHP3, though. Wojciech Purczynski also found out that arbitrary ASCII control characters may be injected into string arguments of the mail() function. If mail() arguments are taken from user
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15005
    published: 2004-09-29
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15005
    title: Debian DSA-168-1 : php - bypassing safe_mode, CRLF injection
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-168. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15005);
      script_version("1.26");
      script_cvs_date("Date: 2019/08/02 13:32:17");
    
      script_cve_id("CVE-2002-0985", "CVE-2002-0986", "CVE-2002-1783");
      script_bugtraq_id(5681);
      script_xref(name:"DSA", value:"168");
    
      script_name(english:"Debian DSA-168-1 : php - bypassing safe_mode, CRLF injection");
      script_summary(english:"Checks dpkg output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Wojciech Purczynski found out that it is possible for scripts to pass
    arbitrary text to sendmail as commandline extension when sending a
    mail through PHP even when safe_mode is turned on. Passing 5th
    argument should be disabled if PHP is configured in safe_mode, which
    is the case for newer PHP versions and for the versions below. This
    does not affect PHP3, though.
    
    Wojciech Purczynski also found out that arbitrary ASCII control
    characters may be injected into string arguments of the mail()
    function. If mail() arguments are taken from user's input it may give
    the user ability to alter message content including mail headers.
    
    Ulf Harnhammar discovered that file() and fopen() are vulnerable to
    CRLF injection. An attacker could use it to escape certain
    restrictions and add arbitrary text to alleged HTTP requests that are
    passed through.
    
    However this only happens if something is passed to these functions
    which is neither a valid file name nor a valid url. Any string that
    contains control chars cannot be a valid url. Before you pass a string
    that should be a url to any function you must use urlencode() to
    encode it.
    
    Three problems have been identified in PHP :
    
      - The mail() function can allow arbitrary email headers to
        be specified if a recipient address or subject contains
        CR/LF characters.
      - The mail() function does not properly disable the
        passing of arbitrary command-line options to sendmail
        when running in Safe Mode.
    
      - The fopen() function, when retrieving a URL, can allow
        manipulation of the request for the resource through a
        URL containing CR/LF characters. For example, headers
        could be added to an HTTP request.
    
    These problems have been fixed in version 3.0.18-23.1woody1 for PHP3
    and 4.1.2-5 for PHP4 for the current stable distribution (woody), in
    version 3.0.18-0potato1.2 for PHP3 and 4.0.3pl1-0potato4 for PHP4 in
    the old stable distribution (potato) and in version 3.0.18-23.2 for
    PHP3 and 4.2.3-3 for PHP4 for the unstable distribution (sid)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2002/dsa-168"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the PHP packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:PHP3");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:PHP4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2002/09/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_set_attribute(attribute:"vuln_publication_date", value:"2003/07/30");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"2.2", prefix:"php3", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-cgi", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-cgi-gd", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-cgi-imap", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-cgi-ldap", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-cgi-magick", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-cgi-mhash", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-cgi-mysql", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-cgi-pgsql", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-cgi-snmp", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-cgi-xml", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-dev", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-doc", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-gd", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-imap", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-ldap", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-magick", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-mhash", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-mysql", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-pgsql", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-snmp", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php3-xml", reference:"3.0.18-0potato1.2")) flag++;
    if (deb_check(release:"2.2", prefix:"php4", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-cgi", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-cgi-gd", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-cgi-imap", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-cgi-ldap", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-cgi-mhash", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-cgi-mysql", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-cgi-pgsql", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-cgi-snmp", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-cgi-xml", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-dev", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-gd", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-imap", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-ldap", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-mhash", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-mysql", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-pgsql", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-snmp", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"2.2", prefix:"php4-xml", reference:"4.0.3pl1-0potato4")) flag++;
    if (deb_check(release:"3.0", prefix:"caudium-php4", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php3", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-cgi", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-cgi-gd", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-cgi-imap", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-cgi-ldap", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-cgi-magick", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-cgi-mhash", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-cgi-mysql", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-cgi-snmp", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-cgi-xml", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-dev", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-doc", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-gd", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-imap", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-ldap", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-magick", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-mhash", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-mysql", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-snmp", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php3-xml", reference:"3.0.18-23.1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"php4", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-cgi", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-curl", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-dev", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-domxml", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-gd", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-imap", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-ldap", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-mcal", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-mhash", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-mysql", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-odbc", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-pear", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-recode", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-snmp", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-sybase", reference:"4.1.2-5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-xslt", reference:"4.1.2-5")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: CGI abuses
    NASL id: PHP_MAIL_FUNC_HEADER_SPOOF.NASL
    description: The remote host is running a version of PHP prior or equal to 4.2.2. The mail() function does not properly sanitize user input. This allows users to forge email to make it look like it is coming from a different source other than the server. Users can exploit this even if SAFE_MODE is enabled.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11444
    published: 2003-03-23
    reporter: (C) 2003-2018 [email protected]
    source: https://www.tenable.com/plugins/nessus/11444
    title: PHP Mail Function Header Spoofing
    code:
    # [email protected]
    # http://libpcap.net
    #
    # See the Nessus Scripts License for details
    
    
    include("compat.inc");
    
    if(description)
    {
      script_id(11444);
    
      script_cve_id("CVE-2002-0985", "CVE-2002-0986");
      script_bugtraq_id(5562);
      script_version ("1.19");
    
      script_name(english:"PHP Mail Function Header Spoofing");
     
     script_set_attribute(attribute:"synopsis", value:
    "A remote web application can be used to forge data." );
     script_set_attribute(attribute:"description", value:
    "The remote host is running a version of PHP prior or equal to 4.2.2.
    
    The mail() function does not properly sanitize user input.
    This allows users to forge email to make it look like it is
    coming from a different source other than the server.
    
    Users can exploit this even if SAFE_MODE is enabled." );
     script_set_attribute(attribute:"solution", value:
    "Contact your vendor for the latest PHP release." );
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
     script_set_attribute(attribute:"exploit_available", value:"false");
     script_set_attribute(attribute:"plugin_publication_date", value: "2003/03/23");
     script_set_attribute(attribute:"vuln_publication_date", value: "2003/07/30");
     script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_set_attribute(attribute:"cpe",value:"cpe:/a:php:php");
    script_end_attributes();
    
     
      summary["english"] = "Checks for version of PHP";
      script_summary(english:summary["english"]);
     
      script_category(ACT_GATHER_INFO);
     
      script_family(english:"CGI abuses");
      script_copyright(english:"(C) 2003-2020 [email protected]");
      if ( ! defined_func("bn_random") )
    	script_dependencie("http_version.nasl");
      else
      	script_dependencie("http_version.nasl", "redhat-RHSA-2002-214.nasl");
      script_require_ports("Services/www", 80);
      exit(0);
    }
    
    #
    # The script code starts here
    #
    
    include("http_func.inc");
    
    if ( get_kb_item("CVE-2002-0985" ) ) exit(0);
    
    port = get_http_port(default:80, embedded:TRUE);
    
    
    if(get_port_state(port)) {
      banner = get_http_banner(port:port);
      if(!banner)exit(0);
    
      if(egrep(pattern:".*PHP/([0-3]\..*|4\.[0-1]\..*|4\.2\.[0-2][^0-9])", string:banner)) {
        security_warning(port);
      }
    }
     
    
  • NASL family: CGI abuses
    NASL id: PHP_4_2_X_MALFORMED_POST.NASL
    description: The remote host is running a version of PHP earlier than 4.2.2. The new POST handling system in PHP 4.2.0 and 4.2.1 has a bug which allows an attacker to disable the remote server or to compromise it.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11050
    published: 2002-07-22
    reporter: This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/11050
    title: PHP < 4.2.x mail Function CRLF Injection

Redhat

advisories
  • rhsa id: RHSA-2002:213
  • rhsa id: RHSA-2002:214
  • rhsa id: RHSA-2002:243
  • rhsa id: RHSA-2002:244
  • rhsa id: RHSA-2002:248
  • rhsa id: RHSA-2003:159