CVE-2004-0594 - Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in multiple products
- Attack vector: UNKNOWN
- Attack complexity: UNKNOWN
- Privileges required: UNKNOWN
- Confidentiality impact: UNKNOWN
- Integrity impact: UNKNOWN
- Availability impact: UNKNOWN

Summary
The memory_limit functionality in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, under certain conditions such as when register_globals is enabled, allows remote attackers to execute arbitrary code by triggering a memory_limit abort during execution of the zend_hash_init function and overwriting a HashTable destructor pointer before the initialization of key data structures is complete.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 2 | |
Application | Php | 126 |
OS | 3 | |
OS | 4 | |
OS | 1 | |
Hardware | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging Race Conditions via Symbolic Links: This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to her. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file she will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.
- Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions: This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Exploit-Db
Field | Value |
---|---|
description | PHP <= 4.3.7/ 5.0.0RC3 memory_limit Remote Exploit. CVE-2004-0594. Remote exploit for linux platform |
id | EDB-ID:660 |
last seen | 2016-01-31 |
modified | 2004-11-27 |
published | 2004-11-27 |
reporter | Gyan Chawdhary |
source | https://www.exploit-db.com/download/660/ |
title | PHP <= 4.3.7/ 5.0.0RC3 memory_limit Remote Exploit |
Nessus
Field | Value |
---|---|
NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2004-392.NASL |
description | Updated php packages that fix various security issues are now available. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP server. Stefan Esser discovered a flaw when memory_limit is enabled in versions of PHP 4 before 4.3.8. If a remote attacker could force the PHP interpreter to allocate more memory than the memory_limit setting before script execution begins, then the attacker may be able to supply the contents of a PHP hash table remotely. This hash table could then be used to execute arbitrary code as the |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 13653 |
published | 2004-07-20 |
reporter | This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/13653 |
title | RHEL 3 : php (RHSA-2004:392) |

code

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2004:392. The text
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(13653);
  script_version ("1.29");
  script_cvs_date("Date: 2019/10/25 13:36:10");

  script_cve_id("CVE-2004-0594", "CVE-2004-0595");
  script_xref(name:"RHSA", value:"2004:392");

  script_name(english:"RHEL 3 : php (RHSA-2004:392)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Updated php packages that fix various security issues are now available.

PHP is an HTML-embedded scripting language commonly used with the
Apache HTTP server.

Stefan Esser discovered a flaw when memory_limit is enabled in versions
of PHP 4 before 4.3.8. If a remote attacker could force the PHP
interpreter to allocate more memory than the memory_limit setting
before script execution begins, then the attacker may be able to
supply the contents of a PHP hash table remotely. This hash table
could then be used to execute arbitrary code as the 'apache' user.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2004-0594 to this issue.

This issue has a higher risk when PHP is running on an instance of
Apache which is vulnerable to CVE-2004-0493. For Red Hat Enterprise
Linux 3, this Apache memory exhaustion issue was fixed by a previous
update, RHSA-2004:342. It may also be possible to exploit this issue
if using a non-default PHP configuration with the 'register_defaults'
setting is changed to 'On'. Red Hat does not believe that this flaw is
exploitable in the default configuration of Red Hat Enterprise Linux 3.

Stefan Esser discovered a flaw in the strip_tags function in versions
of PHP before 4.3.8. The strip_tags function is commonly used by PHP
scripts to prevent Cross-Site-Scripting attacks by removing HTML tags
from user-supplied form data. By embedding NUL bytes into form data,
HTML tags can in some cases be passed intact through the strip_tags
function, which may allow a Cross-Site-Scripting attack. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2004-0595 to this issue.

All users of PHP are advised to upgrade to these updated packages,
which contain backported patches that address these issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2004-0594"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2004-0595"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2004:392"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-imap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-ldap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-mysql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-odbc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-pgsql");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3");

  script_set_attribute(attribute:"vuln_publication_date", value:"2004/07/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2004/07/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/20");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 3.x", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
  rhsa = "RHSA-2004:392";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : yum_report
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL3", reference:"php-4.3.2-11.1.ent")) flag++;
  if (rpm_check(release:"RHEL3", reference:"php-imap-4.3.2-11.1.ent")) flag++;
  if (rpm_check(release:"RHEL3", reference:"php-ldap-4.3.2-11.1.ent")) flag++;
  if (rpm_check(release:"RHEL3", reference:"php-mysql-4.3.2-11.1.ent")) flag++;
  if (rpm_check(release:"RHEL3", reference:"php-odbc-4.3.2-11.1.ent")) flag++;
  if (rpm_check(release:"RHEL3", reference:"php-pgsql-4.3.2-11.1.ent")) flag++;

  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php / php-imap / php-ldap / php-mysql / php-odbc / php-pgsql");
  }
}
```
Field | Value |
---|---|
NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-531.NASL |
description | Two vulnerabilities were discovered in php4 : - CAN-2004-0594 The memory_limit functionality in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, under certain conditions such as when register_globals is enabled, allows remote attackers to execute arbitrary code by triggering a memory_limit abort during execution of the zend_hash_init function and overwriting a HashTable destructor pointer before the initialization of key data structures is complete. - CAN-2004-0595 The strip_tags function in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, does not filter null (\0) characters within tag names when restricting input to allowed tags, which allows dangerous tags to be processed by web browsers such as Internet Explorer and Safari, which ignore null characters and facilitate the exploitation of cross-site scripting (XSS) vulnerabilities. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 15368 |
published | 2004-09-29 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/15368 |
title | Debian DSA-531-1 : php4 - several vulnerabilities |

code

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-531. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(15368);
  script_version("1.23");
  script_cvs_date("Date: 2019/08/02 13:32:18");

  script_cve_id("CVE-2004-0594", "CVE-2004-0595");
  script_xref(name:"DSA", value:"531");

  script_name(english:"Debian DSA-531-1 : php4 - several vulnerabilities");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Two vulnerabilities were discovered in php4 :

  - CAN-2004-0594
    The memory_limit functionality in PHP 4.x up to 4.3.7, and
    5.x up to 5.0.0RC3, under certain conditions such as when
    register_globals is enabled, allows remote attackers to
    execute arbitrary code by triggering a memory_limit abort
    during execution of the zend_hash_init function and
    overwriting a HashTable destructor pointer before the
    initialization of key data structures is complete.

  - CAN-2004-0595
    The strip_tags function in PHP 4.x up to 4.3.7, and 5.x
    up to 5.0.0RC3, does not filter null (\0) characters
    within tag names when restricting input to allowed tags,
    which allows dangerous tags to be processed by web
    browsers such as Internet Explorer and Safari, which
    ignore null characters and facilitate the exploitation of
    cross-site scripting (XSS) vulnerabilities."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2004/dsa-531"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"For the current stable distribution (woody), these problems have been
fixed in version 4.1.2-7.

We recommend that you update your php4 package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php4");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2004/07/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (deb_check(release:"3.0", prefix:"caudium-php4", reference:"4.1.2-7")) flag++;
if (deb_check(release:"3.0", prefix:"php4", reference:"4.1.2-7")) flag++;
if (deb_check(release:"3.0", prefix:"php4-cgi", reference:"4.1.2-7")) flag++;
if (deb_check(release:"3.0", prefix:"php4-curl", reference:"4.1.2-7")) flag++;
if (deb_check(release:"3.0", prefix:"php4-dev", reference:"4.1.2-7")) flag++;
if (deb_check(release:"3.0", prefix:"php4-domxml", reference:"4.1.2-7")) flag++;
if (deb_check(release:"3.0", prefix:"php4-gd", reference:"4.1.2-7")) flag++;
if (deb_check(release:"3.0", prefix:"php4-imap", reference:"4.1.2-7")) flag++;
if (deb_check(release:"3.0", prefix:"php4-ldap", reference:"4.1.2-7")) flag++;
if (deb_check(release:"3.0", prefix:"php4-mcal", reference:"4.1.2-7")) flag++;
if (deb_check(release:"3.0", prefix:"php4-mhash", reference:"4.1.2-7")) flag++;
if (deb_check(release:"3.0", prefix:"php4-mysql", reference:"4.1.2-7")) flag++;
if (deb_check(release:"3.0", prefix:"php4-odbc", reference:"4.1.2-7")) flag++;
if (deb_check(release:"3.0", prefix:"php4-pear", reference:"4.1.2-7")) flag++;
if (deb_check(release:"3.0", prefix:"php4-recode", reference:"4.1.2-7")) flag++;
if (deb_check(release:"3.0", prefix:"php4-snmp", reference:"4.1.2-7")) flag++;
if (deb_check(release:"3.0", prefix:"php4-sybase", reference:"4.1.2-7")) flag++;
if (deb_check(release:"3.0", prefix:"php4-xslt", reference:"4.1.2-7")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
Field | Value |
---|---|
NASL family | MacOS X Local Security Checks |
NASL id | MACOSX_SECUPD2005-001.NASL |
description | The remote host is missing Security Update 2005-001. This security update contains a number of fixes for the following programs : - at commands - ColorSync - libxml2 - Mail - PHP - Safari - SquirrelMail These programs have multiple vulnerabilities which may allow a remote attacker to execute arbitrary code. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 16251 |
published | 2005-01-26 |
reporter | This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/16251 |
title | Mac OS X Multiple Vulnerabilities (Security Update 2005-001) |

code

```nasl
#
# (C) Tenable Network Security, Inc.
#

if ( ! defined_func("bn_random") ) exit(0);
if ( NASL_LEVEL < 3000) exit(0);

include("compat.inc");

if(description)
{
  script_id(16251);
  script_version ("1.21");
  script_cve_id("CVE-2005-0125", "CVE-2005-0126", "CVE-2004-0989", "CVE-2005-0127",
                "CVE-2003-0860", "CVE-2003-0863", "CVE-2004-0594", "CVE-2004-0595",
                "CVE-2004-1018", "CVE-2004-1019", "CVE-2004-1020", "CVE-2004-1063",
                "CVE-2004-1064", "CVE-2004-1065", "CVE-2004-1314", "CVE-2004-1036");
  script_bugtraq_id(12367, 12366, 12297, 11857);

  script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2005-001)");
  script_summary(english:"Check for Security Update 2005-001");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote host is missing a Mac OS X update that fixes a security
issue."
  );
  script_set_attribute(attribute:"description", value:
"The remote host is missing Security Update 2005-001. This security
update contains a number of fixes for the following programs :

  - at commands
  - ColorSync
  - libxml2
  - Mail
  - PHP
  - Safari
  - SquirrelMail

These programs have multiple vulnerabilities which may allow a remote
attacker to execute arbitrary code."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.apple.com/kb/TA22859"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Install Security Update 2005-001."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_cwe_id(20);

  script_set_attribute(attribute:"plugin_publication_date", value: "2005/01/26");
  script_set_attribute(attribute:"vuln_publication_date", value: "2003/07/16");
  script_set_attribute(attribute:"patch_publication_date", value: "2005/01/26");
  script_cvs_date("Date: 2018/07/14 1:59:35");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/MacOSX/packages");
  exit(0);
}


packages = get_kb_item("Host/MacOSX/packages");
if ( ! packages ) exit(0);

uname = get_kb_item("Host/uname");
# MacOS X 10.2.8, 10.3.7 only
if ( egrep(pattern:"Darwin.* (6\.8\.|7\.7\.)", string:uname) )
{
  if ( ! egrep(pattern:"^SecUpd(Srvr)?2005-001", string:packages) ) security_hole(0);
  else non_vuln = 1;
}
else if ( egrep(pattern:"Darwin.* (6\.9|[0-9][0-9]\.|7\.([8-9]\.|[0-9][0-9]\.))", string:uname) ) non_vuln = 1;

if ( non_vuln )
{
  list = make_list("CVE-2005-0125", "CVE-2005-0126", "CVE-2004-0989", "CVE-2005-0127",
                   "CVE-2003-0860", "CVE-2003-0863", "CVE-2004-0594", "CVE-2004-0595",
                   "CVE-2004-1018", "CVE-2004-1019", "CVE-2004-1020", "CVE-2004-1063",
                   "CVE-2004-1064", "CVE-2004-1065", "CVE-2004-1314", "CVE-2004-1036");
  foreach cve (list) set_kb_item(name:cve, value:TRUE);
}
```
Field | Value |
---|---|
NASL family | CGI abuses |
NASL id | PHP_STRIP_TAGS_MEMORY_LIMIT_VULN.NASL |
description | According to its banner, the version of PHP 4.3.x installed on the remote host is prior to 4.3.7. It is, therefore, potentially affected by a bug that could allow an attacker to execute arbitrary code on the remote host if the option memory_limit is set. Another bug in the function strip_tags() may allow an attacker to bypass content restrictions when submitting data and may lead to cross-site scripting issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 13650 |
published | 2004-07-15 |
reporter | This script is Copyright (C) 2004-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/13650 |
title | PHP < 4.3.8 Multiple Vulnerabilities |

code

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(13650);
  script_version("1.24");
  script_cvs_date("Date: 2018/07/24 18:56:10");

  script_cve_id("CVE-2004-0594","CVE-2004-0595");
  script_bugtraq_id(10724, 10725);

  script_name(english:"PHP < 4.3.8 Multiple Vulnerabilities");
  script_summary(english:"Checks for version of PHP");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote web server uses a version of PHP that is affected by
multiple vulnerabilities."
  );
  script_set_attribute(
    attribute:"description",
    value:
"According to its banner, the version of PHP 4.3.x installed on the
remote host is prior to 4.3.7. It is, therefore, potentially affected
by a bug that could allow an attacker to execute arbitrary code on the
remote host if the option memory_limit is set.

Another bug in the function strip_tags() may allow an attacker to
bypass content restrictions when submitting data and may lead to
cross-site scripting issues."
  );
  script_set_attribute(attribute:"see_also", value:"http://www.php.net/releases/4_3_8.php");
  script_set_attribute(attribute:"solution", value:
"Upgrade to PHP 4.3.8."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"vuln_publication_date", value:"2004/07/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2004/07/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/15");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:php:php");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");

  script_dependencies("php_version.nasl");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("audit.inc");
include("webapp_func.inc");

port = get_http_port(default:80, php:TRUE);

php = get_php_from_kb(
  port : port,
  exit_on_fail : TRUE
);

version = php["ver"];
source = php["src"];

backported = get_kb_item('www/php/'+port+'/'+version+'/backported');

if (report_paranoia < 2 && backported)
  audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install");

if (version =~ "^4\.3\.[0-7]($|[^0-9])")
{
  set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
  if (report_verbosity > 0)
  {
    report =
      '\n  Version source    : '+source +
      '\n  Installed version : '+version+
      '\n  Fixed version     : 4.3.8\n';
    security_warning(port:port, extra:report);
  }
  else security_warning(port);
  exit(0);
}
else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);
```
Field | Value |
---|---|
NASL family | Slackware Local Security Checks |
NASL id | SLACKWARE_SSA_2004-202-01.NASL |
description | New PHP packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and -current to fix security issues (memory_limit handling and a problem in the strip_tags function). Sites using PHP should upgrade. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 18773 |
published | 2005-07-13 |
reporter | This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/18773 |
title | Slackware 10.0 / 8.1 / 9.0 / 9.1 / current : PHP (SSA:2004-202-01) |

code

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Slackware Security Advisory 2004-202-01. The text
# itself is copyright (C) Slackware Linux, Inc.
#

include("compat.inc");

if (description)
{
  script_id(18773);
  script_version("1.19");
  script_cvs_date("Date: 2019/10/25 13:36:20");

  script_cve_id("CVE-2004-0594", "CVE-2004-0595");
  script_xref(name:"SSA", value:"2004-202-01");

  script_name(english:"Slackware 10.0 / 8.1 / 9.0 / 9.1 / current : PHP (SSA:2004-202-01)");
  script_summary(english:"Checks for updated package in /var/log/packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Slackware host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"New PHP packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and
-current to fix security issues (memory_limit handling and a problem
in the strip_tags function). Sites using PHP should upgrade."
  );
  # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.406480
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?011c10ac"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected php package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:php");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:8.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2004/07/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13");
  script_set_attribute(attribute:"vuln_publication_date", value:"2004/07/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Slackware Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("slackware.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);


flag = 0;
if (slackware_check(osver:"8.1", pkgname:"php", pkgver:"4.3.8", pkgarch:"i386", pkgnum:"1")) flag++;
if (slackware_check(osver:"9.0", pkgname:"php", pkgver:"4.3.8", pkgarch:"i386", pkgnum:"1")) flag++;
if (slackware_check(osver:"9.1", pkgname:"php", pkgver:"4.3.8", pkgarch:"i486", pkgnum:"1")) flag++;
if (slackware_check(osver:"10.0", pkgname:"php", pkgver:"4.3.8", pkgarch:"i486", pkgnum:"1")) flag++;
if (slackware_check(osver:"current", pkgname:"php", pkgver:"4.3.8", pkgarch:"i486", pkgnum:"1")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
Field | Value |
---|---|
NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2004-395.NASL |
description | Updated php packages that fix various security issues are now available. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP server. Stefan Esser discovered a flaw when memory_limit configuration setting is enabled in versions of PHP 4 before 4.3.8. If a remote attacker could force the PHP interpreter to allocate more memory than the memory_limit setting before script execution begins, then the attacker may be able to supply the contents of a PHP hash table remotely. This hash table could then be used to execute arbitrary code as the |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 13652 |
published | 2004-07-19 |
reporter | This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/13652 |
title | RHEL 2.1 : php (RHSA-2004:395) |

code

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2004:395. The text
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(13652);
  script_version ("1.31");
  script_cvs_date("Date: 2019/10/25 13:36:10");

  script_cve_id("CVE-2004-0594", "CVE-2004-0595");
  script_xref(name:"RHSA", value:"2004:395");

  script_name(english:"RHEL 2.1 : php (RHSA-2004:395)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Updated php packages that fix various security issues are now available.

PHP is an HTML-embedded scripting language commonly used with the
Apache HTTP server.

Stefan Esser discovered a flaw when memory_limit configuration setting
is enabled in versions of PHP 4 before 4.3.8. If a remote attacker
could force the PHP interpreter to allocate more memory than the
memory_limit setting before script execution begins, then the attacker
may be able to supply the contents of a PHP hash table remotely. This
hash table could then be used to execute arbitrary code as the
'apache' user. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2004-0594 to this issue.

This issue may be exploitable if using the default PHP configuration
with the 'register_globals' setting of 'On'. The Apache memory
exhaustion bug, fixed in a previous update to Red Hat Enterprise Linux
3, may also allow this PHP issue to be exploited; this Apache bug does
not affect Red Hat Enterprise Linux 2.1.

Stefan Esser discovered a flaw in the strip_tags function in versions
of PHP before 4.3.8. The strip_tags function is commonly used by PHP
scripts to prevent Cross-Site-Scripting attacks by removing HTML tags
from user-supplied form data. By embedding NUL bytes into form data,
HTML tags can in some cases be passed intact through the strip_tags
function, which may allow a Cross-Site-Scripting attack. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2004-0595 to this issue.

All users of PHP are advised to upgrade to these updated packages,
which contain backported patches that address these issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2004-0594"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2004-0595"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2004:395"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-imap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-ldap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-manual");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-mysql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-odbc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-pgsql");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");

  script_set_attribute(attribute:"vuln_publication_date", value:"2004/07/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2004/07/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/19");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
  rhsa = "RHSA-2004:395";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : yum_report
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-4.1.2-2.1.8")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-devel-4.1.2-2.1.8")) flag++;
  if
```
(rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-imap-4.1.2-2.1.8")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-ldap-4.1.2-2.1.8")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-manual-4.1.2-2.1.8")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-mysql-4.1.2-2.1.8")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-odbc-4.1.2-2.1.8")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-pgsql-4.1.2-2.1.8")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php / php-devel / php-imap / php-ldap / php-manual / php-mysql / etc"); } }
NASL family: SuSE Local Security Checks
NASL id: SUSE_SA_2004_021.NASL
description: The remote host is missing the patch for the advisory SUSE-SA:2004:021 (php4/mod_php4). PHP is a well known, widely-used scripting language often used within web server setups. Stefan Esser found a problem with the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 13837
published: 2004-07-25
reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/13837
title: SUSE-SA:2004:021: php4/mod_php4
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# This plugin text was extracted from SuSE Security Advisory SUSE-SA:2004:021
#

if ( ! defined_func("bn_random") ) exit(0);

include("compat.inc");

if(description)
{
  script_id(13837);
  script_version ("1.15");
  script_cve_id("CVE-2004-0594", "CVE-2004-0595");

  name["english"] = "SUSE-SA:2004:021: php4/mod_php4";
  script_name(english:name["english"]);

  script_set_attribute(attribute:"synopsis", value:
"The remote host is missing a vendor-supplied security patch" );
  script_set_attribute(attribute:"description", value:
"The remote host is missing the patch for the advisory SUSE-SA:2004:021 (php4/mod_php4).

PHP is a well known, widely-used scripting language often used within
web server setups.

Stefan Esser found a problem with the 'memory_limit' handling of PHP
which allows remote attackers to execute arbitrary code as the user
running the PHP interpreter. This problem has been fixed.

Additionally a problem within the 'strip_tags' function has been found
and fixed which allowed remote attackers to inject arbitrary tags into
certain web browsers, issuing XSS related attacks.

Since there is no easy workaround except disabling PHP, we recommend an
update for users running the PHP interpreter within the apache web
server.

To be sure the update takes effect you have to restart the apache
process by executing the following command as root:

  /usr/sbin/rcapache restart

or if you use the apache2 package

  /usr/sbin/rcapache2 restart

Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command 'rpm -Fhv file.rpm' to apply
the update." );
  script_set_attribute(attribute:"solution", value:
"http://www.suse.de/security/2004_21_php4.html" );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_publication_date", value: "2004/07/25");
  script_cvs_date("Date: 2019/10/25 13:36:27");
  script_end_attributes();

  summary["english"] = "Check for the version of the php4/mod_php4 package";
  script_summary(english:summary["english"]);

  script_category(ACT_GATHER_INFO);

  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  family["english"] = "SuSE Local Security Checks";
  script_family(english:family["english"]);

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/SuSE/rpm-list");
  exit(0);
}

include("rpm.inc");

if ( rpm_check( reference:"mod_php4-4.1.0-317", release:"SUSE8.0") )
{
  security_warning(0);
  exit(0);
}
if ( rpm_check( reference:"mod_php4-core-4.1.0-317", release:"SUSE8.0") )
{
  security_warning(0);
  exit(0);
}
if ( rpm_check( reference:"mod_php4-servlet-4.1.0-317", release:"SUSE8.0") )
{
  security_warning(0);
  exit(0);
}
if ( rpm_check( reference:"mod_php4-4.2.2-479", release:"SUSE8.1") )
{
  security_warning(0);
  exit(0);
}
if ( rpm_check( reference:"mod_php4-core-4.2.2-479", release:"SUSE8.1") )
{
  security_warning(0);
  exit(0);
}
if ( rpm_check( reference:"mod_php4-servlet-4.2.2-479", release:"SUSE8.1") )
{
  security_warning(0);
  exit(0);
}
if ( rpm_check( reference:"mod_php4-4.3.1-169", release:"SUSE8.2") )
{
  security_warning(0);
  exit(0);
}
if ( rpm_check( reference:"mod_php4-core-4.3.1-169", release:"SUSE8.2") )
{
  security_warning(0);
  exit(0);
}
if ( rpm_check( reference:"mod_php4-4.3.3-177", release:"SUSE9.0") )
{
  security_warning(0);
  exit(0);
}
if ( rpm_check( reference:"mod_php4-core-4.3.3-177", release:"SUSE9.0") )
{
  security_warning(0);
  exit(0);
}
if ( rpm_check( reference:"mod_php4-servlet-4.3.3-177", release:"SUSE9.0") )
{
  security_warning(0);
  exit(0);
}
if ( rpm_check( reference:"php4-4.3.4-43.11", release:"SUSE9.1") )
{
  security_warning(0);
  exit(0);
}
if ( rpm_check( reference:"php4-servlet-4.3.4-43.11", release:"SUSE9.1") )
{
  security_warning(0);
  exit(0);
}
if ( rpm_check( reference:"php4-imap-4.3.4-43.11", release:"SUSE9.1") )
{
  security_warning(0);
  exit(0);
}
if ( rpm_check( reference:"php4-mysql-4.3.4-43.11", release:"SUSE9.1") )
{
  security_warning(0);
  exit(0);
}
if ( rpm_check( reference:"php4-session-4.3.4-43.11", release:"SUSE9.1") )
{
  security_warning(0);
  exit(0);
}
if ( rpm_check( reference:"php4-wddx-4.3.4-43.11", release:"SUSE9.1") )
{
  security_warning(0);
  exit(0);
}
if (rpm_exists(rpm:"php4-", release:"SUSE8.0")
  || rpm_exists(rpm:"php4-", release:"SUSE8.1")
  || rpm_exists(rpm:"php4-", release:"SUSE8.2")
  || rpm_exists(rpm:"php4-", release:"SUSE9.0")
  || rpm_exists(rpm:"php4-", release:"SUSE9.1") )
{
  set_kb_item(name:"CVE-2004-0594", value:TRUE);
  set_kb_item(name:"CVE-2004-0595", value:TRUE);
}
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2004-222.NASL
description: This update includes the latest release of PHP 4, including fixes for security issues in memory limit handling (CVE-2004-0594), and the strip_tags function (CVE-2004-0595). CVE-2004-0595 is not known to be exploitable in the default configuration if using httpd 2.0.50, but can be triggered if the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 13748
published: 2004-07-24
reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/13748
title: Fedora Core 1 : php-4.3.8-1.1 (2004-222)
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2004-222.
#

include("compat.inc");

if (description)
{
  script_id(13748);
  script_version ("1.17");
  script_cvs_date("Date: 2019/08/02 13:32:23");

  script_xref(name:"FEDORA", value:"2004-222");

  script_name(english:"Fedora Core 1 : php-4.3.8-1.1 (2004-222)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora Core host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update includes the latest release of PHP 4, including fixes for
security issues in memory limit handling (CVE-2004-0594), and the
strip_tags function (CVE-2004-0595).

CVE-2004-0595 is not known to be exploitable in the default
configuration if using httpd 2.0.50, but can be triggered if the
'register_globals' setting has been enabled. CVE-2004-0595 can allow a
possible cross-site-scripting attack with some browsers.

The mbstring extension has been moved into the php-mbstring subpackage
in this update to reduce the overall package size.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  # https://lists.fedoraproject.org/pipermail/announce/2004-July/000228.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?0288a8dd"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_attribute(attribute:"risk_factor", value:"High");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-domxml");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-imap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-ldap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-mbstring");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-mysql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-odbc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-pgsql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-snmp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-xmlrpc");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:1");

  script_set_attribute(attribute:"patch_publication_date", value:"2004/07/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/24");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 1.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC1", reference:"php-4.3.8-1.1")) flag++;
if (rpm_check(release:"FC1", reference:"php-debuginfo-4.3.8-1.1")) flag++;
if (rpm_check(release:"FC1", reference:"php-devel-4.3.8-1.1")) flag++;
if (rpm_check(release:"FC1", reference:"php-domxml-4.3.8-1.1")) flag++;
if (rpm_check(release:"FC1", reference:"php-imap-4.3.8-1.1")) flag++;
if (rpm_check(release:"FC1", reference:"php-ldap-4.3.8-1.1")) flag++;
if (rpm_check(release:"FC1", reference:"php-mbstring-4.3.8-1.1")) flag++;
if (rpm_check(release:"FC1", reference:"php-mysql-4.3.8-1.1")) flag++;
if (rpm_check(release:"FC1", reference:"php-odbc-4.3.8-1.1")) flag++;
if (rpm_check(release:"FC1", reference:"php-pgsql-4.3.8-1.1")) flag++;
if (rpm_check(release:"FC1", reference:"php-snmp-4.3.8-1.1")) flag++;
if (rpm_check(release:"FC1", reference:"php-xmlrpc-4.3.8-1.1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php / php-debuginfo / php-devel / php-domxml / php-imap / php-ldap / etc");
}
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2004-223.NASL
description: This update includes the latest release of PHP 4, including fixes for security issues in memory limit handling (CVE-2004-0594), and the strip_tags function (CVE-2004-0595). CVE-2004-0595 is not known to be exploitable in the default configuration if using httpd 2.0.50, but can be triggered if the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 13749
published: 2004-07-24
reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/13749
title: Fedora Core 2 : php-4.3.8-2.1 (2004-223)
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2004-223.
#

include("compat.inc");

if (description)
{
  script_id(13749);
  script_version ("1.20");
  script_cvs_date("Date: 2019/08/02 13:32:23");

  script_xref(name:"FEDORA", value:"2004-223");

  script_name(english:"Fedora Core 2 : php-4.3.8-2.1 (2004-223)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora Core host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update includes the latest release of PHP 4, including fixes for
security issues in memory limit handling (CVE-2004-0594), and the
strip_tags function (CVE-2004-0595).

CVE-2004-0595 is not known to be exploitable in the default
configuration if using httpd 2.0.50, but can be triggered if the
'register_globals' setting has been enabled. CVE-2004-0595 can allow a
possible cross-site-scripting attack with some browsers.

The mbstring extension has been moved into the php-mbstring subpackage
in this update to reduce the overall package size.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  # https://lists.fedoraproject.org/pipermail/announce/2004-July/000229.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?dfe80132"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_attribute(attribute:"risk_factor", value:"High");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-domxml");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-imap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-ldap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-mbstring");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-mysql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-odbc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-pear");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-pgsql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-snmp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-xmlrpc");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:2");

  script_set_attribute(attribute:"patch_publication_date", value:"2004/07/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/24");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^2([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 2.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC2", reference:"php-4.3.8-2.1")) flag++;
if (rpm_check(release:"FC2", reference:"php-debuginfo-4.3.8-2.1")) flag++;
if (rpm_check(release:"FC2", reference:"php-devel-4.3.8-2.1")) flag++;
if (rpm_check(release:"FC2", reference:"php-domxml-4.3.8-2.1")) flag++;
if (rpm_check(release:"FC2", reference:"php-imap-4.3.8-2.1")) flag++;
if (rpm_check(release:"FC2", reference:"php-ldap-4.3.8-2.1")) flag++;
if (rpm_check(release:"FC2", reference:"php-mbstring-4.3.8-2.1")) flag++;
if (rpm_check(release:"FC2", reference:"php-mysql-4.3.8-2.1")) flag++;
if (rpm_check(release:"FC2", reference:"php-odbc-4.3.8-2.1")) flag++;
if (rpm_check(release:"FC2", reference:"php-pear-4.3.8-2.1")) flag++;
if (rpm_check(release:"FC2", reference:"php-pgsql-4.3.8-2.1")) flag++;
if (rpm_check(release:"FC2", reference:"php-snmp-4.3.8-2.1")) flag++;
if (rpm_check(release:"FC2", reference:"php-xmlrpc-4.3.8-2.1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php / php-debuginfo / php-devel / php-domxml / php-imap / php-ldap / etc");
}
NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_DD7AA4F1102F11D98A8A000C41E2CDAD.NASL
description: Stefan Esser of e-matters discovered a condition within PHP that may lead to remote execution of arbitrary code. The memory_limit facility is used to notify functions when memory constraints have been met. Under certain conditions, the entry into this facility is able to interrupt functions such as zend_hash_init() at locations not suitable for interruption. The result would leave these functions in a vulnerable state. An attacker that is able to trigger the memory_limit abort within zend_hash_init() and is additionally able to control the heap before the HashTable itself is allocated, is able to supply his own HashTable destructor pointer. [...] All mentioned places outside of the extensions are quite easy to exploit, because the memory allocation up to those places is deterministic and quite static throughout different PHP versions. [...] Because the exploit itself consists of supplying an arbitrary destructor pointer this bug is exploitable on any platform.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 19143
published: 2005-07-13
reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/19143
title: FreeBSD : php -- memory_limit related vulnerability (dd7aa4f1-102f-11d9-8a8a-000c41e2cdad)
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(19143);
  script_version("1.19");
  script_cvs_date("Date: 2019/08/02 13:32:36");

  script_cve_id("CVE-2004-0594");
  script_bugtraq_id(10725);

  script_name(english:"FreeBSD : php -- memory_limit related vulnerability (dd7aa4f1-102f-11d9-8a8a-000c41e2cdad)");
  script_summary(english:"Checks for updated packages in pkg_info output");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote FreeBSD host is missing one or more security-related
updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Stefan Esser of e-matters discovered a condition within PHP that may
lead to remote execution of arbitrary code.

The memory_limit facility is used to notify functions when memory
constraints have been met. Under certain conditions, the entry into
this facility is able to interrupt functions such as zend_hash_init()
at locations not suitable for interruption. The result would leave
these functions in a vulnerable state.

An attacker that is able to trigger the memory_limit abort within
zend_hash_init() and is additionally able to control the heap before
the HashTable itself is allocated, is able to supply his own HashTable
destructor pointer. [...]

All mentioned places outside of the extensions are quite easy to
exploit, because the memory allocation up to those places is
deterministic and quite static throughout different PHP versions. [...]

Because the exploit itself consists of supplying an arbitrary
destructor pointer this bug is exploitable on any platform."
  );
  # http://marc.theaimsgroup.com/?l=bugtraq&m=108981780109154
  script_set_attribute(
    attribute:"see_also",
    value:"https://marc.info/?l=bugtraq&m=108981780109154"
  );
  # http://security.e-matters.de/advisories/112004.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?83c215d0"
  );
  # https://vuxml.freebsd.org/freebsd/dd7aa4f1-102f-11d9-8a8a-000c41e2cdad.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?9502549c"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:mod_php4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:mod_php4-twig");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:mod_php5");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:php4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:php4-cgi");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:php4-cli");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:php4-dtc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:php4-horde");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:php4-nms");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:php5");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:php5-cgi");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:php5-cli");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2004/07/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2004/09/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}


include("audit.inc");
include("freebsd_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (pkg_test(save_report:TRUE, pkg:"mod_php4-twig<=4.3.7_3")) flag++;
if (pkg_test(save_report:TRUE, pkg:"php4<=4.3.7_3")) flag++;
if (pkg_test(save_report:TRUE, pkg:"php4-cgi<=4.3.7_3")) flag++;
if (pkg_test(save_report:TRUE, pkg:"php4-cli<=4.3.7_3")) flag++;
if (pkg_test(save_report:TRUE, pkg:"php4-dtc<=4.3.7_3")) flag++;
if (pkg_test(save_report:TRUE, pkg:"php4-horde<=4.3.7_3")) flag++;
if (pkg_test(save_report:TRUE, pkg:"php4-nms<=4.3.7_3")) flag++;
if (pkg_test(save_report:TRUE, pkg:"mod_php4<=4.3.7_3,1")) flag++;
if (pkg_test(save_report:TRUE, pkg:"php5<=5.0.0.r3_2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"php5-cgi<=5.0.0.r3_2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"php5-cli<=5.0.0.r3_2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"mod_php5<=5.0.0.r3_2,1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family: Mandriva Local Security Checks
NASL id: MANDRAKE_MDKSA-2004-068.NASL
description: Stefan Esser discovered a remotely exploitable vulnerability in PHP where a remote attacker could trigger a memory_limit request termination in places where an interruption is unsafe. This could be used to execute arbitrary code. As well, Stefan Esser also found a vulnerability in the handling of allowed tags within PHP's strip_tags() function.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 14167
published: 2004-07-31
reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/14167
title: Mandrake Linux Security Advisory : php (MDKSA-2004:068)
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandrake Linux Security Advisory MDKSA-2004:068.
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(14167);
  script_version ("1.21");
  script_cvs_date("Date: 2019/08/02 13:32:47");

  script_cve_id("CVE-2004-0594", "CVE-2004-0595");
  script_xref(name:"MDKSA", value:"2004:068");

  script_name(english:"Mandrake Linux Security Advisory : php (MDKSA-2004:068)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Mandrake Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Stefan Esser discovered a remotely exploitable vulnerability in PHP
where a remote attacker could trigger a memory_limit request
termination in places where an interruption is unsafe. This could be
used to execute arbitrary code. As well, Stefan Esser also found a
vulnerability in the handling of allowed tags within PHP's
strip_tags() function. This could lead to a number of XSS issues on
sites that rely on strip_tags(); however, this only seems to affect
the Internet Explorer and Safari browsers.

The updated packages have been patched to correct the problem and all
users are encouraged to upgrade immediately."
  );
  # http://security.e-matters.de/advisories/112004.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?83c215d0"
  );
  # http://security.e-matters.de/advisories/122004.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?9d4bce03"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64php_common432");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libphp_common430");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libphp_common432");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-cgi");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-cli");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php430-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php432-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.2");

  script_set_attribute(attribute:"patch_publication_date", value:"2004/07/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

flag = 0;
if (rpm_check(release:"MDK10.0", cpu:"amd64", reference:"lib64php_common432-4.3.4-4.1.100mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"libphp_common432-4.3.4-4.1.100mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.0", reference:"php-cgi-4.3.4-4.1.100mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.0", reference:"php-cli-4.3.4-4.1.100mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.0", reference:"php432-devel-4.3.4-4.1.100mdk", yank:"mdk")) flag++;

if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"libphp_common430-430-11.2.91mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"php-cgi-4.3.1-11.2.91mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"php-cli-4.3.1-11.2.91mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"php430-devel-430-11.2.91mdk", yank:"mdk")) flag++;

if (rpm_check(release:"MDK9.2", cpu:"amd64", reference:"lib64php_common432-4.3.3-2.1.92mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.2", cpu:"i386", reference:"libphp_common432-4.3.3-2.1.92mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.2", reference:"php-cgi-4.3.3-2.1.92mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.2", reference:"php-cli-4.3.3-2.1.92mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.2", reference:"php432-devel-4.3.3-2.1.92mdk", yank:"mdk")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-669.NASL
description: Two vulnerabilities have been discovered in php4 which also apply to the version of php3 in the stable Debian distribution. The Common Vulnerabilities and Exposures project identifies the following problems: CAN-2004-0594, the memory_limit functionality allows remote attackers to execute arbitrary code under certain circumstances; CAN-2004-0595, the strip_tags function does not filter null (\0) characters within tag names when restricting input to allowed tags, which allows dangerous tags to be processed by some web browsers and could lead to cross-site scripting (XSS) vulnerabilities.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 16343
published: 2005-02-10
reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/16343
title: Debian DSA-669-1 : php3 - several vulnerabilities
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-669. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(16343);
  script_version("1.21");
  script_cvs_date("Date: 2019/08/02 13:32:18");

  script_cve_id("CVE-2004-0594", "CVE-2004-0595");
  script_xref(name:"DSA", value:"669");

  script_name(english:"Debian DSA-669-1 : php3 - several vulnerabilities");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Two vulnerabilities have been discovered in php4 which also apply to
the version of php3 in the stable Debian distribution.

The Common Vulnerabilities and Exposures project identifies the
following problems :

  - CAN-2004-0594
    The memory_limit functionality allows remote attackers
    to execute arbitrary code under certain circumstances.

  - CAN-2004-0595
    The strip_tags function does not filter null (\0)
    characters within tag names when restricting input to
    allowed tags, which allows dangerous tags to be processed
    by some web browsers which could lead to cross-site
    scripting (XSS) vulnerabilities."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2005/dsa-669"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the php3 packages.

For the stable distribution (woody) these problems have been fixed in
version 3.0.18-23.1woody2."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/02/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/10");
  script_set_attribute(attribute:"vuln_publication_date", value:"2004/07/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (deb_check(release:"3.0", prefix:"php3", reference:"3.0.18-23.1woody2")) flag++;
if (deb_check(release:"3.0", prefix:"php3-cgi", reference:"3.0.18-23.1woody2")) flag++;
if (deb_check(release:"3.0", prefix:"php3-cgi-gd", reference:"3.0.18-23.1woody2")) flag++;
if (deb_check(release:"3.0", prefix:"php3-cgi-imap", reference:"3.0.18-23.1woody2")) flag++;
if (deb_check(release:"3.0", prefix:"php3-cgi-ldap", reference:"3.0.18-23.1woody2")) flag++;
if (deb_check(release:"3.0", prefix:"php3-cgi-magick", reference:"3.0.18-23.1woody2")) flag++;
if (deb_check(release:"3.0", prefix:"php3-cgi-mhash", reference:"3.0.18-23.1woody2")) flag++;
if (deb_check(release:"3.0", prefix:"php3-cgi-mysql", reference:"3.0.18-23.1woody2")) flag++;
if (deb_check(release:"3.0", prefix:"php3-cgi-snmp", reference:"3.0.18-23.1woody2")) flag++;
if (deb_check(release:"3.0", prefix:"php3-cgi-xml", reference:"3.0.18-23.1woody2")) flag++;
if (deb_check(release:"3.0", prefix:"php3-dev", reference:"3.0.18-23.1woody2")) flag++;
if (deb_check(release:"3.0", prefix:"php3-doc", reference:"3.0.18-23.1woody2")) flag++;
if (deb_check(release:"3.0", prefix:"php3-gd", reference:"3.0.18-23.1woody2")) flag++;
if (deb_check(release:"3.0", prefix:"php3-imap", reference:"3.0.18-23.1woody2")) flag++;
if (deb_check(release:"3.0", prefix:"php3-ldap", reference:"3.0.18-23.1woody2")) flag++;
if (deb_check(release:"3.0", prefix:"php3-magick", reference:"3.0.18-23.1woody2")) flag++;
if (deb_check(release:"3.0", prefix:"php3-mhash", reference:"3.0.18-23.1woody2")) flag++;
if (deb_check(release:"3.0", prefix:"php3-mysql", reference:"3.0.18-23.1woody2")) flag++;
if (deb_check(release:"3.0", prefix:"php3-snmp", reference:"3.0.18-23.1woody2")) flag++;
if (deb_check(release:"3.0", prefix:"php3-xml", reference:"3.0.18-23.1woody2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-200407-13.NASL
description: The remote host is affected by the vulnerability described in GLSA-200407-13 (PHP: Multiple security vulnerabilities). Several security vulnerabilities were found and fixed in version 4.3.8 of PHP. The strip_tags() function, used to sanitize user input, could in certain cases allow tags containing \\0 characters (CAN-2004-0595). When memory_limit is used, PHP might unsafely interrupt other functions (CAN-2004-0594). The ftok and itpc functions were missing safe_mode checks. It was possible to bypass open_basedir restrictions using MySQL
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 14546
published: 2004-08-30
reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/14546
title: GLSA-200407-13 : PHP: Multiple security vulnerabilities
Oval
Field | Value |
---|---|
accepted | 2013-04-29T04:09:47.707-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | The memory_limit functionality in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, under certain conditions such as when register_globals is enabled, allows remote attackers to execute arbitrary code by triggering a memory_limit abort during execution of the zend_hash_init function and overwriting a HashTable destructor pointer before the initialization of key data structures is complete. |
family | unix |
id | oval:org.mitre.oval:def:10896 |
status | accepted |
submitted | 2010-07-09T03:56:16-04:00 |
title | The memory_limit functionality in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, under certain conditions such as when register_globals is enabled, allows remote attackers to execute arbitrary code by triggering a memory_limit abort during execution of the zend_hash_init function and overwriting a HashTable destructor pointer before the initialization of key data structures is complete. |
version | 26 |
References
- http://lists.grok.org.uk/pipermail/full-disclosure/2004-July/023908.html
- http://www.debian.org/security/2004/dsa-531
- http://www.debian.org/security/2005/dsa-669
- http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:068
- http://www.redhat.com/support/errata/RHSA-2004-392.html
- http://www.redhat.com/support/errata/RHSA-2004-395.html
- http://www.redhat.com/support/errata/RHSA-2004-405.html
- http://www.novell.com/linux/security/advisories/2004_21_php4.html
- http://www.trustix.org/errata/2004/0039/
- http://www.gentoo.org/security/en/glsa/glsa-200407-13.xml
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000847
- http://www.redhat.com/support/errata/RHSA-2005-816.html
- http://www.securityfocus.com/bid/10725
- http://marc.info/?l=bugtraq&m=109051444105182&w=2
- http://marc.info/?l=bugtraq&m=108981780109154&w=2
- http://marc.info/?l=bugtraq&m=109181600614477&w=2
- http://marc.info/?l=bugtraq&m=108982983426031&w=2
- https://exchange.xforce.ibmcloud.com/vulnerabilities/16693
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10896