Vulnerabilities > CVE-2003-0863 - Unspecified vulnerability in PHP 4.3.0/4.3.1/4.3.2

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL

Summary

The php_check_safe_mode_include_dir function in fopen_wrappers.c of PHP 4.3.x returns a success value (0) when the safe_mode_include_dir variable is not specified in configuration, which differs from the previous failure value and may allow remote attackers to exploit file include vulnerabilities in PHP applications.

Vulnerable Configurations

Part Description Count
Application
Php
3

Exploit-Db

description: PHP 4.3.x Undefined Safe_Mode_Include_Dir Safemode Bypass Vulnerability. CVE-2003-0863. Local exploit for php platform
id: EDB-ID:22911
last seen: 2016-02-02
modified: 2003-07-16
published: 2003-07-16
reporter: Michal Krause
source: https://www.exploit-db.com/download/22911/
title: PHP 4.3.x Undefined Safe_Mode_Include_Dir Safemode Bypass Vulnerability

Nessus

  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_SECUPD2005-001.NASL
    description: The remote host is missing Security Update 2005-001. This security update contains a number of fixes for the following programs : - at commands - ColorSync - libxml2 - Mail - PHP - Safari - SquirrelMail These programs have multiple vulnerabilities which may allow a remote attacker to execute arbitrary code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 16251
    published: 2005-01-26
    reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/16251
    title: Mac OS X Multiple Vulnerabilities (Security Update 2005-001)
    code:
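    #
    # (C) Tenable Network Security, Inc.
    #
    # Local check for Apple Security Update 2005-001. The host is reported
    # vulnerable when its Darwin release is one of the two the update targets
    # (the original comment maps Darwin 6.8.x / 7.7.x to Mac OS X 10.2.8 and
    # 10.3.7) and the package list held in the KB contains no
    # SecUpd2005-001 / SecUpdSrvr2005-001 entry.
    
    if ( ! defined_func("bn_random") ) exit(0);
    if ( NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if(description)
    {
     script_id(16251);
     script_version ("1.21");
     script_cve_id("CVE-2005-0125", "CVE-2005-0126", "CVE-2004-0989", "CVE-2005-0127", "CVE-2003-0860",
                   "CVE-2003-0863", "CVE-2004-0594", "CVE-2004-0595", "CVE-2004-1018", "CVE-2004-1019",
                   "CVE-2004-1020", "CVE-2004-1063", "CVE-2004-1064", "CVE-2004-1065", "CVE-2004-1314",
                   "CVE-2004-1036");
     script_bugtraq_id(12367, 12366, 12297, 11857);
    
     script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2005-001)");
     script_summary(english:"Check for Security Update 2005-001");
    
     script_set_attribute( attribute:"synopsis", value:
    "The remote host is missing a Mac OS X update that fixes a security
    issue." );
     # The report text previously began with "he remote host"; the missing
     # leading letter of the description is restored here.
     script_set_attribute(attribute:"description",   value:
    "The remote host is missing Security Update 2005-001. This security
    update contains a number of fixes for the following programs :
    
      - at commands
      - ColorSync
      - libxml2
      - Mail
      - PHP
      - Safari
      - SquirrelMail
    
    These programs have multiple vulnerabilities which may allow a remote
    attacker to execute arbitrary code." );
     script_set_attribute(
       attribute:"see_also",
       value:"http://support.apple.com/kb/TA22859"
     );
     script_set_attribute(
       attribute:"solution",
       value:"Install Security Update 2005-001."
     );
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploited_by_malware", value:"true");
     script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
     script_set_attribute(attribute:"canvas_package", value:'CANVAS');
     script_cwe_id(20);
     script_set_attribute(attribute:"plugin_publication_date", value: "2005/01/26");
     script_set_attribute(attribute:"vuln_publication_date", value: "2003/07/16");
     script_set_attribute(attribute:"patch_publication_date", value: "2005/01/26");
     script_cvs_date("Date: 2018/07/14  1:59:35");
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_family(english:"MacOS X Local Security Checks");
    
     script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
    
     script_dependencies("ssh_get_info.nasl");
     script_require_keys("Host/MacOSX/packages");
     exit(0);
    }
    
    
    # Without a package inventory there is nothing to compare against.
    packages = get_kb_item("Host/MacOSX/packages");
    if ( ! packages ) exit(0);
    
    uname = get_kb_item("Host/uname");
    
    # Initialised explicitly so the final test below never relies on an
    # unset variable when neither Darwin pattern matches.
    non_vuln = 0;
    
    # MacOS X 10.2.8, 10.3.7 only
    if ( egrep(pattern:"Darwin.* (6\.8\.|7\.7\.)", string:uname) )
    {
      # Targeted release: vulnerable unless the update package is recorded.
      if ( ! egrep(pattern:"^SecUpd(Srvr)?2005-001", string:packages) ) security_hole(0);
      else non_vuln = 1;
    }
    # Darwin 6.9, 7.8 and later, or any two-digit major: treated as not
    # affected without consulting the package list.
    else if ( egrep(pattern:"Darwin.* (6\.9|[0-9][0-9]\.|7\.([8-9]\.|[0-9][0-9]\.))", string:uname) ) non_vuln = 1;
    
    # Mark every CVE covered by this update as resolved in the KB so that
    # dependent checks can skip them.
    if ( non_vuln )
    {
     list = make_list("CVE-2005-0125", "CVE-2005-0126", "CVE-2004-0989", "CVE-2005-0127", "CVE-2003-0860", "CVE-2003-0863", "CVE-2004-0594", "CVE-2004-0595", "CVE-2004-1018", "CVE-2004-1019", "CVE-2004-1020", "CVE-2004-1063", "CVE-2004-1064", "CVE-2004-1065", "CVE-2004-1314", "CVE-2004-1036");
     foreach cve (list) set_kb_item(name:cve, value:TRUE);
    }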
    
  • NASL family: CGI abuses
    NASL id: PHP_4_3_X_SAFE_MODE_INCLUDE.NASL
    description: According to its banner, the version of PHP 4.3.x installed on the remote host is prior to 4.3.2. It is, therefore, potentially affected by an information disclosure vulnerability. Due to a flaw in the function php_safe_mode_include_dir(), a local attacker could bypass safe mode and gain unauthorized access to files on the local system.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11807
    published: 2003-07-25
    reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/11807
    title: PHP < 4.3.3 php_check_safe_mode_include_dir Function Safemode Bypass
    code:
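    #
    # (C) Tenable Network Security, Inc.
    #
    # Remote banner check for CVE-2003-0863. PHP 4.3.0 through 4.3.2 are
    # reported; 4.3.3 is the fixed release named in the solution and the
    # report text. The description string is aligned with that: it names
    # 4.3.3 (not 4.3.2) as the cut-off and php_check_safe_mode_include_dir
    # (the function named in the plugin title and the CVE summary).
    
    include("compat.inc");
    
    if (description)
    {
      script_id(11807);
      script_version("1.21");
      script_cvs_date("Date: 2018/07/24 18:56:10");
    
      script_cve_id("CVE-2003-0863");
      script_bugtraq_id(8201);
    
      script_name(english:"PHP < 4.3.3 php_check_safe_mode_include_dir Function Safemode Bypass");
      script_summary(english:"Checks for version of PHP");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"Arbitrary files may be read on the remote host."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "According to its banner, the version of PHP 4.3.x installed on the
    remote host is prior to 4.3.3.   It is, therefore, potentially
    affected by an information disclosure vulnerability.
    
    Due to a flaw in the function php_check_safe_mode_include_dir(), a local
    attacker could bypass safe mode and gain unauthorized access to
    files on the local system."
      );
      script_set_attribute(attribute:"solution", value:
    "Upgrade to PHP 4.3.3 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2003/07/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2003/08/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2003/07/25");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
    
      script_dependencie("php_version.nasl");
      script_require_ports("Services/www", 80);
      script_require_keys("www/PHP");
    
      exit(0);
    }
    
    #
    # The script code starts here
    #
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("audit.inc");
    include("webapp_func.inc");
    
    port = get_http_port(default:80, php:TRUE);
    
    # php_version.nasl populates the KB; exit_on_fail makes a missing
    # PHP banner terminate the check here.
    php = get_php_from_kb(
      port : port,
      exit_on_fail : TRUE
    );
    
    version = php["ver"];
    source = php["src"];
    
    # When the KB flags this install as carrying backported fixes, the banner
    # version alone is not conclusive; unless reporting is paranoid, audit out.
    backported = get_kb_item('www/php/'+port+'/'+version+'/backported');
    
    if (report_paranoia < 2 && backported)
      audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install");
    
    # Affected: 4.3.0, 4.3.1 and 4.3.2. The trailing group requires end of
    # string or a non-digit, so e.g. 4.3.10 does not match. Fixed in 4.3.3.
    if (version =~ "^4\.3\.[0-2]($|[^0-9])")
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Version source     : '+source +
          '\n  Installed version  : '+version+
          '\n  Fixed version      : 4.3.3\n';
        security_warning(port:port, extra:report);
      }
      else security_warning(port);
      exit(0);
    }
    else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);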
    

Statements

contributor: Mark J Cox
last modified: 2008-06-30
organization: Red Hat
statement: Not vulnerable. This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1. The PHP packages in Red Hat Enterprise Linux 3 have contained a backported patch for this issue since release. The issue was fixed upstream in PHP 4.3.3. The PHP packages in Red Hat Enterprise Linux 4 and 5 are based on fixed upstream versions.