Vulnerabilities > CVE-2004-1392 - Unspecified vulnerability in PHP

047910
CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE

Tags: network, low complexity, php, nessus, exploit available

Summary

PHP 4.0 with cURL functions allows remote attackers to bypass the open_basedir setting and read arbitrary files via a file: URL argument to the curl_init function.
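The defect above is that the cURL extension handed a file: URL to libcurl without applying the open_basedir check that PHP's own file functions enforce. The following is an added example, not code from this page or from the PHP project, of the compensating control an application can apply on current PHP: allow-list the URL scheme before curl_init() and tell libcurl itself to speak only HTTP(S), so neither a direct file: URL nor a redirect to one reaches the local filesystem. The helper names is_allowed_url and fetch_remote are hypothetical; the inputs at the bottom are constructed.

```php
<?php
// Added example (not from this page or the PHP project). Application-level
// guard for the bug class in CVE-2004-1392: the cURL extension did not apply
// open_basedir / safe mode to file:// URLs given to curl_init(). Written for
// current PHP (typed parameters, CURLOPT_PROTOCOLS); helper names are hypothetical.

function is_allowed_url(string $url): bool
{
    $parts = parse_url($url);
    // file:///path parses with a scheme but no host; bare paths have neither.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Allow-list schemes before the URL ever reaches libcurl.
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

function fetch_remote(string $url): string
{
    if (!is_allowed_url($url)) {
        throw new InvalidArgumentException("refusing non-HTTP(S) URL: $url");
    }
    $ch = curl_init($url);
    // Second layer: restrict libcurl to HTTP/HTTPS for the initial request and
    // for any redirect target, so a 3xx to file:// (or ftp://, gopher://) fails.
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
        CURLOPT_TIMEOUT         => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("curl failed: $err");
    }
    curl_close($ch);
    return $body;
}

// Constructed inputs: the file: form from the advisory is rejected before
// curl_init() is called; only the HTTPS URL would be passed through.
$samples = [
    'file:///some/local/file',
    'https://example.com/data.json',
    '/some/local/file',
];
foreach ($samples as $u) {
    printf("%-32s allowed=%s\n", $u, is_allowed_url($u) ? 'yes' : 'no');
}
```

The scheme allow-list is the part that matters on the affected builds, where open_basedir gave no protection inside the cURL extension; CURLOPT_PROTOCOLS additionally closes the redirect path on libcurl builds that support it.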

Vulnerable Configurations

Part          Description   Count
Application   Php           14

Exploit-Db

description: PHP 4.x/5 cURL Open_Basedir Restriction Bypass Vulnerability. CVE-2004-1392. Remote exploit for php platform
id: EDB-ID:24711
last seen: 2016-02-02
modified: 2004-10-28
published: 2004-10-28
reporter: FraMe
source: https://www.exploit-db.com/download/24711/
title: PHP 4.x/5 cURL Open_Basedir Restriction Bypass Vulnerability

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2005-405.NASL
    description: Updated PHP packages that fix various security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A bug was found in the way PHP processes IFF and JPEG images. It is possible to cause PHP to consume CPU resources for a short period of time by supplying a carefully crafted IFF or JPEG image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0524 and CVE-2005-0525 to these issues. A buffer overflow bug was also found in the way PHP processes EXIF image headers. It is possible for an attacker to construct an image file in such a way that it could execute arbitrary instructions when processed by PHP. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1042 to this issue. A denial of service bug was found in the way PHP processes EXIF image headers. It is possible for an attacker to cause PHP to enter an infinite loop for a short period of time by supplying a carefully crafted image file to PHP for processing. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1043 to this issue. Several bug fixes are also included in this update : - The security fixes in RHSA-2004-687 to the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18163
    published: 2005-04-29
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/18163
    title: RHEL 3 : PHP (RHSA-2005:405)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2005:405. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(18163);
      script_version ("1.26");
      script_cvs_date("Date: 2019/10/25 13:36:11");
    
      script_cve_id("CVE-2004-1392", "CVE-2005-0524", "CVE-2005-0525", "CVE-2005-1042", "CVE-2005-1043");
      script_xref(name:"RHSA", value:"2005:405");
    
      script_name(english:"RHEL 3 : PHP (RHSA-2005:405)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated PHP packages that fix various security issues are now
    available.
    
    This update has been rated as having moderate security impact by the
    Red Hat Security Response Team.
    
    PHP is an HTML-embedded scripting language commonly used with the
    Apache HTTP Web server.
    
    A bug was found in the way PHP processes IFF and JPEG images. It is
    possible to cause PHP to consume CPU resources for a short period of
    time by supplying a carefully crafted IFF or JPEG image. The Common
    Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
    names CVE-2005-0524 and CVE-2005-0525 to these issues.
    
    A buffer overflow bug was also found in the way PHP processes EXIF
    image headers. It is possible for an attacker to construct an image
    file in such a way that it could execute arbitrary instructions when
    processed by PHP. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the name CVE-2005-1042 to this issue.
    
    A denial of service bug was found in the way PHP processes EXIF image
    headers. It is possible for an attacker to cause PHP to enter an
    infinite loop for a short period of time by supplying a carefully
    crafted image file to PHP for processing. The Common Vulnerabilities
    and Exposures project (cve.mitre.org) has assigned the name
    CVE-2005-1043 to this issue.
    
    Several bug fixes are also included in this update :
    
      - The security fixes in RHSA-2004-687 to the
        'unserializer' code introduced some performance issues.
    
      - In the gd extension, the 'imagecopymerge' function did
        not correctly handle transparency. The original image
        was being obscured in the resultant image.
    
      - In the curl extension, safe mode was not enforced for
        'file:///' URL lookups (CVE-2004-1392).
    
    Users of PHP should upgrade to these updated packages, which contain
    backported fixes for these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-1392"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-0524"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-0525"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-1042"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-1043"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2005:405"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-imap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-odbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-pgsql");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/12/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/04/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/04/29");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 3.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2005:405";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL3", reference:"php-4.3.2-23.ent")) flag++;
      if (rpm_check(release:"RHEL3", reference:"php-devel-4.3.2-23.ent")) flag++;
      if (rpm_check(release:"RHEL3", reference:"php-imap-4.3.2-23.ent")) flag++;
      if (rpm_check(release:"RHEL3", reference:"php-ldap-4.3.2-23.ent")) flag++;
      if (rpm_check(release:"RHEL3", reference:"php-mysql-4.3.2-23.ent")) flag++;
      if (rpm_check(release:"RHEL3", reference:"php-odbc-4.3.2-23.ent")) flag++;
      if (rpm_check(release:"RHEL3", reference:"php-pgsql-4.3.2-23.ent")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php / php-devel / php-imap / php-ldap / php-mysql / php-odbc / etc");
      }
    }
    
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2005-406.NASL
    description: Updated PHP packages that fix various security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A bug was found in the way PHP processes IFF and JPEG images. It is possible to cause PHP to consume CPU resources for a short period of time by supplying a carefully crafted IFF or JPEG image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0524 and CVE-2005-0525 to these issues. A buffer overflow bug was also found in the way PHP processes EXIF image headers. It is possible for an attacker to construct an image file in such a way it could execute arbitrary instructions when processed by PHP. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1042 to this issue. A denial of service bug was found in the way PHP processes EXIF image headers. It is possible for an attacker to cause PHP to enter an infinite loop for a short period of time by supplying a carefully crafted image file to PHP for processing. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1043 to this issue. Several bug fixes are also included in this update : - some performance issues in the unserialize() function have been fixed - the behaviour of the interpreter when handling integer overflow during conversion of a floating variable to an integer has been reverted to match the behaviour used upstream; the integer will now be wrapped rather than truncated - a fix for the virtual() function in the Apache httpd module which would flush the response prematurely - the hard-coded default
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 23981
    published: 2007-01-08
    reporter: This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/23981
    title: CentOS 4 : PHP (CESA-2005:406)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2005-405.NASL
    description: Updated PHP packages that fix various security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A bug was found in the way PHP processes IFF and JPEG images. It is possible to cause PHP to consume CPU resources for a short period of time by supplying a carefully crafted IFF or JPEG image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0524 and CVE-2005-0525 to these issues. A buffer overflow bug was also found in the way PHP processes EXIF image headers. It is possible for an attacker to construct an image file in such a way that it could execute arbitrary instructions when processed by PHP. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1042 to this issue. A denial of service bug was found in the way PHP processes EXIF image headers. It is possible for an attacker to cause PHP to enter an infinite loop for a short period of time by supplying a carefully crafted image file to PHP for processing. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1043 to this issue. Several bug fixes are also included in this update : - The security fixes in RHSA-2004-687 to the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21818
    published: 2006-07-03
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21818
    title: CentOS 3 : PHP (CESA-2005:405)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2005-406.NASL
    description: Updated PHP packages that fix various security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A bug was found in the way PHP processes IFF and JPEG images. It is possible to cause PHP to consume CPU resources for a short period of time by supplying a carefully crafted IFF or JPEG image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0524 and CVE-2005-0525 to these issues. A buffer overflow bug was also found in the way PHP processes EXIF image headers. It is possible for an attacker to construct an image file in such a way it could execute arbitrary instructions when processed by PHP. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1042 to this issue. A denial of service bug was found in the way PHP processes EXIF image headers. It is possible for an attacker to cause PHP to enter an infinite loop for a short period of time by supplying a carefully crafted image file to PHP for processing. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1043 to this issue. Several bug fixes are also included in this update : - some performance issues in the unserialize() function have been fixed - the behaviour of the interpreter when handling integer overflow during conversion of a floating variable to an integer has been reverted to match the behaviour used upstream; the integer will now be wrapped rather than truncated - a fix for the virtual() function in the Apache httpd module which would flush the response prematurely - the hard-coded default
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18198
    published: 2005-05-04
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/18198
    title: RHEL 4 : PHP (RHSA-2005:406)

Oval

accepted: 2013-04-29T04:18:38.998-04:00
class: vulnerability
contributors:
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions:
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 3
    oval: oval:org.mitre.oval:def:11782
  • comment: CentOS Linux 3.x
    oval: oval:org.mitre.oval:def:16651
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 4
    oval: oval:org.mitre.oval:def:11831
  • comment: CentOS Linux 4.x
    oval: oval:org.mitre.oval:def:16636
  • comment: Oracle Linux 4.x
    oval: oval:org.mitre.oval:def:15990
description: PHP 4.0 with cURL functions allows remote attackers to bypass the open_basedir setting and read arbitrary files via a file: URL argument to the curl_init function.
family: unix
id: oval:org.mitre.oval:def:9279
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: PHP 4.0 with cURL functions allows remote attackers to bypass the open_basedir setting and read arbitrary files via a file: URL argument to the curl_init function.
version: 26

Redhat

advisories:
  • rhsa
    id: RHSA-2005:405
  • rhsa
    id: RHSA-2005:406
rpms:
  • php-0:4.3.2-23.ent
  • php-debuginfo-0:4.3.2-23.ent
  • php-devel-0:4.3.2-23.ent
  • php-imap-0:4.3.2-23.ent
  • php-ldap-0:4.3.2-23.ent
  • php-mysql-0:4.3.2-23.ent
  • php-odbc-0:4.3.2-23.ent
  • php-pgsql-0:4.3.2-23.ent
  • php-0:4.3.9-3.6
  • php-debuginfo-0:4.3.9-3.6
  • php-devel-0:4.3.9-3.6
  • php-domxml-0:4.3.9-3.6
  • php-gd-0:4.3.9-3.6
  • php-imap-0:4.3.9-3.6
  • php-ldap-0:4.3.9-3.6
  • php-mbstring-0:4.3.9-3.6
  • php-mysql-0:4.3.9-3.6
  • php-ncurses-0:4.3.9-3.6
  • php-odbc-0:4.3.9-3.6
  • php-pear-0:4.3.9-3.6
  • php-pgsql-0:4.3.9-3.6
  • php-snmp-0:4.3.9-3.6
  • php-xmlrpc-0:4.3.9-3.6

Statements

contributor: Mark J Cox
last modified: 2006-08-30
organization: Red Hat
statement: We do not consider these to be security issues: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1