CVE-2005-1921 - Code Injection vulnerability in multiple products

CVSS 0.0 - NONE
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
Tags: php, gggeek, drupal, tiki, debian, CWE-94, nessus, exploit available, metasploit

Summary

Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as used in products such as (1) WordPress, (2) Serendipity, (3) Drupal, (4) egroupware, (5) MailWatch, (6) TikiWiki, (7) phpWebSite, (8) Ampache, and others, allows remote attackers to execute arbitrary PHP code via an XML file, which is not properly sanitized before being used in an eval statement.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files. When the executable loads a resource (such as an image file or configuration file), the attacker has already modified that file, either to execute malicious code directly or to manipulate the target process (e.g. an application server) into acting on malicious configuration parameters. Since systems increasingly mash up resources from local and remote sources, the likelihood of this attack is high. The attack can be directed at a client system, such as causing a buffer overrun by loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files: the attacker simply appends JavaScript to the end of a legitimate URL for a PDF (http://www.gnucitizen.org/blog/danger-danger-danger/), e.g. http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here. The client assumes it is reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes: the attacker edits a resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE application server, where adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when it is manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user-controlled variables (DEBUG=1, PHP globals, and so forth). An attacker can override environment variables by leveraging user-supplied, untrusted query variables that are used directly on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Exploit-Db

  • description: PHPXMLRPC < 1.1 - Remote Code Execution. CVE-2005-1921. Webapps exploit for PHP platform
    id: EDB-ID:43829
    last seen: 2018-01-24
    modified: 2015-07-02
    published: 2015-07-02
    reporter: Exploit-DB
    source: https://www.exploit-db.com/download/43829/
    title: PHPXMLRPC < 1.1 - Remote Code Execution
  • description: PHP XML-RPC Arbitrary Code Execution. CVE-2005-1921. Webapps exploit for PHP platform
    id: EDB-ID:16882
    last seen: 2016-02-02
    modified: 2010-07-25
    published: 2010-07-25
    reporter: metasploit
    source: https://www.exploit-db.com/download/16882/
    title: PHP XML-RPC Arbitrary Code Execution
  • description: XML-RPC Library <= 1.3.0 (xmlrpc.php) Remote Code Injection Exploit. CVE-2005-1921, CVE-2005-2116. Webapps exploit for PHP platform
    id: EDB-ID:1078
    last seen: 2016-01-31
    modified: 2005-07-01
    published: 2005-07-01
    reporter: ilo--
    source: https://www.exploit-db.com/download/1078/
    title: XML-RPC Library <= 1.3.0 xmlrpc.php Remote Code Injection Exploit

Metasploit

description: This module exploits an arbitrary code execution flaw discovered in many implementations of the PHP XML-RPC module. This flaw is exploitable through a number of PHP web applications, including but not limited to Drupal, Wordpress, Postnuke, and TikiWiki.
id: MSF:EXPLOIT/UNIX/WEBAPP/PHP_XMLRPC_EVAL
last seen: 2020-01-14
modified: 2017-07-24
published: 2007-01-05
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1921
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/php_xmlrpc_eval.rb
title: PHP XML-RPC Arbitrary Code Execution

Nessus

  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SA_2005_049.NASL
    description: The remote host is missing the patch for the advisory SUSE-SA:2005:049 (php4, php5). This update fixes the following security issues in the PHP scripting language. - Bugs in the PEAR::XML_RPC library allowed remote attackers to pass arbitrary PHP code to the eval() function (CVE-2005-1921, CVE-2005-2498). The Pear::XML_RPC library is not used by default in SUSE Linux, but might be used by third-party PHP applications. - An integer overflow bug was found in the PCRE (Perl compatible regular expression) library which could be used by an attacker to potentially execute code. (CVE-2005-2491)
    last seen: 2019-10-28
    modified: 2005-10-05
    plugin id: 19928
    published: 2005-10-05
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/19928
    title: SUSE-SA:2005:049: php4, php5
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # This plugin text was extracted from SuSE Security Advisory SUSE-SA:2005:049
    #
    
    
    if ( ! defined_func("bn_random") ) exit(0);
    
    include("compat.inc");
    
    if(description)
    {
     script_id(19928);
     script_version ("1.8");
     
     name["english"] = "SUSE-SA:2005:049: php4, php5";
     
     script_name(english:name["english"]);
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a vendor-supplied security patch" );
     script_set_attribute(attribute:"description", value:
    "The remote host is missing the patch for the advisory SUSE-SA:2005:049 (php4, php5).
    
    
    This update fixes the following security issues in the PHP scripting
    language.
    
    - Bugs in the PEAR::XML_RPC library allowed remote attackers to pass
    arbitrary PHP code to the eval() function (CVE-2005-1921,
    CVE-2005-2498).
    
    The Pear::XML_RPC library is not used by default in SUSE Linux, but
    might be used by third-party PHP applications.
    
    - A integer overflow bug was found in the PCRE (perl compatible regular
    expression) library which could be used by an attacker to potentially
    execute code. (CVE-2005-2491)" );
     script_set_attribute(attribute:"solution", value:
    "http://www.suse.de/security/advisories/2005_49_php.html" );
     script_set_attribute(attribute:"risk_factor", value:"High" );
    
    
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2005/10/05");
     script_end_attributes();
    
     
     summary["english"] = "Check for the version of the php4, php5 package";
     script_summary(english:summary["english"]);
     
     script_category(ACT_GATHER_INFO);
     
     script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
     family["english"] = "SuSE Local Security Checks";
     script_family(english:family["english"]);
     
     script_dependencies("ssh_get_info.nasl");
     script_require_keys("Host/SuSE/rpm-list");
     exit(0);
    }
    
    include("rpm.inc");
    if ( rpm_check( reference:"apache2-mod_php4-4.3.3-194", release:"SUSE9.0") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"mod_php4-4.3.3-194", release:"SUSE9.0") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"mod_php4-aolserver-4.3.3-194", release:"SUSE9.0") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"mod_php4-core-4.3.3-194", release:"SUSE9.0") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"mod_php4-devel-4.3.3-194", release:"SUSE9.0") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"mod_php4-servlet-4.3.3-194", release:"SUSE9.0") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"apache2-mod_php4-4.3.4-43.41", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"mod_php4-core-4.3.4-43.41", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"mod_php4-servlet-4.3.4-43.41", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-4.3.4-43.41", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-devel-4.3.4-43.41", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-exif-4.3.4-43.41", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-fastcgi-4.3.4-43.41", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-imap-4.3.4-43.41", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-mysql-4.3.4-43.41", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-pear-4.3.4-43.41", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-recode-4.3.4-43.41", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-servlet-4.3.4-43.41", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-session-4.3.4-43.41", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-sysvshm-4.3.4-43.41", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-wddx-4.3.4-43.41", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"apache2-mod_php4-4.3.8-8.12", release:"SUSE9.2") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"mod_php4-servlet-4.3.8-8.12", release:"SUSE9.2") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-4.3.8-8.12", release:"SUSE9.2") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-devel-4.3.8-8.12", release:"SUSE9.2") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-exif-4.3.8-8.12", release:"SUSE9.2") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-fastcgi-4.3.8-8.12", release:"SUSE9.2") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-pear-4.3.8-8.12", release:"SUSE9.2") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-session-4.3.8-8.12", release:"SUSE9.2") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-sysvshm-4.3.8-8.12", release:"SUSE9.2") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"apache2-mod_php4-4.3.10-14.9", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"apache2-mod_php5-5.0.3-14.9", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"mod_php4-servlet-4.3.10-14.9", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-4.3.10-14.9", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-devel-4.3.10-14.9", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-exif-4.3.10-14.9", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-fastcgi-4.3.10-14.9", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-pear-4.3.10-14.9", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-session-4.3.10-14.9", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-sysvshm-4.3.10-14.9", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php5-5.0.3-14.9", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php5-devel-5.0.3-14.9", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php5-exif-5.0.3-14.9", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php5-fastcgi-5.0.3-14.9", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php5-pear-5.0.3-14.9", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php5-sysvmsg-5.0.3-14.9", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php5-sysvshm-5.0.3-14.9", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2005-517.NASL
    description: This update includes the PEAR XML_RPC 1.3.1 package, which fixes a security issue in the XML_RPC server implementation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1921 to this issue. The bundled version of shtool is also updated, to fix some temporary file handling races. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1751 to this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18624
    published: 2005-07-06
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/18624
    title: Fedora Core 3 : php-4.3.11-2.6 (2005-517)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2005-517.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(18624);
      script_version ("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:24");
    
      script_cve_id("CVE-2005-1921");
      script_xref(name:"FEDORA", value:"2005-517");
    
      script_name(english:"Fedora Core 3 : php-4.3.11-2.6 (2005-517)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora Core host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update includes the PEAR XML_RPC 1.3.1 package, which fixes a
    security issue in the XML_RPC server implementation. The Common
    Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
    name CVE-2005-1921 to this issue.
    
    The bundled version of shtool is also updated, to fix some temporary
    file handling races. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the name CVE-2005-1751 to this issue.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # https://lists.fedoraproject.org/pipermail/announce/2005-July/001031.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?55b9a7ea"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'PHP XML-RPC Arbitrary Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-domxml");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-gd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-imap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-mbstring");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-ncurses");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-odbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-pear");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-pgsql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-snmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-xmlrpc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/07/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/06");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 3.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC3", reference:"php-4.3.11-2.6")) flag++;
    if (rpm_check(release:"FC3", reference:"php-debuginfo-4.3.11-2.6")) flag++;
    if (rpm_check(release:"FC3", reference:"php-devel-4.3.11-2.6")) flag++;
    if (rpm_check(release:"FC3", reference:"php-domxml-4.3.11-2.6")) flag++;
    if (rpm_check(release:"FC3", reference:"php-gd-4.3.11-2.6")) flag++;
    if (rpm_check(release:"FC3", reference:"php-imap-4.3.11-2.6")) flag++;
    if (rpm_check(release:"FC3", reference:"php-ldap-4.3.11-2.6")) flag++;
    if (rpm_check(release:"FC3", reference:"php-mbstring-4.3.11-2.6")) flag++;
    if (rpm_check(release:"FC3", reference:"php-mysql-4.3.11-2.6")) flag++;
    if (rpm_check(release:"FC3", reference:"php-ncurses-4.3.11-2.6")) flag++;
    if (rpm_check(release:"FC3", reference:"php-odbc-4.3.11-2.6")) flag++;
    if (rpm_check(release:"FC3", reference:"php-pear-4.3.11-2.6")) flag++;
    if (rpm_check(release:"FC3", reference:"php-pgsql-4.3.11-2.6")) flag++;
    if (rpm_check(release:"FC3", reference:"php-snmp-4.3.11-2.6")) flag++;
    if (rpm_check(release:"FC3", reference:"php-xmlrpc-4.3.11-2.6")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php / php-debuginfo / php-devel / php-domxml / php-gd / php-imap / etc");
    }
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2005-564.NASL
    description: Updated PHP packages that fix two security issues are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A bug was discovered in the PEAR XML-RPC Server package included in PHP. If a PHP script is used which implements an XML-RPC Server using the PEAR XML-RPC package, then it is possible for a remote attacker to construct an XML-RPC request which can cause PHP to execute arbitrary PHP commands as the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18648
    published: 2005-07-08
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/18648
    title: RHEL 3 / 4 : php (RHSA-2005:564)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2005:564. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(18648);
      script_version ("1.27");
      script_cvs_date("Date: 2019/10/25 13:36:11");
    
      script_cve_id("CVE-2005-1751", "CVE-2005-1921");
      script_bugtraq_id(14088);
      script_xref(name:"RHSA", value:"2005:564");
    
      script_name(english:"RHEL 3 / 4 : php (RHSA-2005:564)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated PHP packages that fix two security issues are now available.
    
    This update has been rated as having important security impact by the
    Red Hat Security Response Team.
    
    PHP is an HTML-embedded scripting language commonly used with the
    Apache HTTP Web server.
    
    A bug was discovered in the PEAR XML-RPC Server package included in
    PHP. If a PHP script is used which implements an XML-RPC Server using
    the PEAR XML-RPC package, then it is possible for a remote attacker to
    construct an XML-RPC request which can cause PHP to execute arbitrary
    PHP commands as the 'apache' user. The Common Vulnerabilities and
    Exposures project (cve.mitre.org) has assigned the name CVE-2005-1921
    to this issue.
    
    When using the default SELinux 'targeted' policy on Red Hat Enterprise
    Linux 4, the impact of this issue is reduced since the scripts
    executed by PHP are constrained within the httpd_sys_script_t security
    context.
    
    A race condition in temporary file handling was discovered in the
    shtool script installed by PHP. If a third-party PHP module which uses
    shtool was compiled as root, a local user may be able to modify
    arbitrary files. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the name CVE-2005-1751 to this issue.
    
    Users of PHP should upgrade to these updated packages, which contain
    backported fixes for these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-1751"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-1921"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2005:564"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'PHP XML-RPC Arbitrary Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-domxml");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-gd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-imap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-mbstring");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-ncurses");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-odbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-pear");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-pgsql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-snmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-xmlrpc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/05/25");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/07/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/08");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(3|4)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 3.x / 4.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2005:564";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL3", reference:"php-4.3.2-24.ent")) flag++;
      if (rpm_check(release:"RHEL3", reference:"php-devel-4.3.2-24.ent")) flag++;
      if (rpm_check(release:"RHEL3", reference:"php-imap-4.3.2-24.ent")) flag++;
      if (rpm_check(release:"RHEL3", reference:"php-ldap-4.3.2-24.ent")) flag++;
      if (rpm_check(release:"RHEL3", reference:"php-mysql-4.3.2-24.ent")) flag++;
      if (rpm_check(release:"RHEL3", reference:"php-odbc-4.3.2-24.ent")) flag++;
      if (rpm_check(release:"RHEL3", reference:"php-pgsql-4.3.2-24.ent")) flag++;
    
      if (rpm_check(release:"RHEL4", reference:"php-4.3.9-3.7")) flag++;
      if (rpm_check(release:"RHEL4", reference:"php-devel-4.3.9-3.7")) flag++;
      if (rpm_check(release:"RHEL4", reference:"php-domxml-4.3.9-3.7")) flag++;
      if (rpm_check(release:"RHEL4", reference:"php-gd-4.3.9-3.7")) flag++;
      if (rpm_check(release:"RHEL4", reference:"php-imap-4.3.9-3.7")) flag++;
      if (rpm_check(release:"RHEL4", reference:"php-ldap-4.3.9-3.7")) flag++;
      if (rpm_check(release:"RHEL4", reference:"php-mbstring-4.3.9-3.7")) flag++;
      if (rpm_check(release:"RHEL4", reference:"php-mysql-4.3.9-3.7")) flag++;
      if (rpm_check(release:"RHEL4", reference:"php-ncurses-4.3.9-3.7")) flag++;
      if (rpm_check(release:"RHEL4", reference:"php-odbc-4.3.9-3.7")) flag++;
      if (rpm_check(release:"RHEL4", reference:"php-pear-4.3.9-3.7")) flag++;
      if (rpm_check(release:"RHEL4", reference:"php-pgsql-4.3.9-3.7")) flag++;
      if (rpm_check(release:"RHEL4", reference:"php-snmp-4.3.9-3.7")) flag++;
      if (rpm_check(release:"RHEL4", reference:"php-xmlrpc-4.3.9-3.7")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php / php-devel / php-domxml / php-gd / php-imap / php-ldap / etc");
      }
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-789.NASL
    description: Several security related problems have been found in PHP4, the server-side, HTML-embedded scripting language. The Common Vulnerabilities and Exposures project identifies the following problems: - CAN-2005-1751 Eric Romang discovered insecure temporary files in the shtool utility shipped with PHP that can be exploited by a local attacker to overwrite arbitrary files. Only this vulnerability affects packages in oldstable. - CAN-2005-1921 GulfTech has discovered that PEAR XML_RPC is vulnerable to a remote PHP code execution vulnerability that may allow an attacker to compromise a vulnerable server. - CAN-2005-2498 Stefan Esser discovered another vulnerability in the XML-RPC libraries that allows injection of arbitrary PHP code into eval() statements.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19532
    published: 2005-08-30
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/19532
    title: Debian DSA-789-1 : php4 - several vulnerabilities
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-789. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(19532);
      script_version("1.22");
      script_cvs_date("Date: 2019/08/02 13:32:18");
    
      script_cve_id("CVE-2005-1751", "CVE-2005-1759", "CVE-2005-1921", "CVE-2005-2498");
      script_xref(name:"DSA", value:"789");
    
      script_name(english:"Debian DSA-789-1 : php4 - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several security related problems have been found in PHP4, the
    server-side, HTML-embedded scripting language. The Common
    Vulnerabilities and Exposures project identifies the following
    problems :
    
      - CAN-2005-1751
        Eric Romang discovered insecure temporary files in the
        shtool utility shipped with PHP that can exploited by a
        local attacker to overwrite arbitrary files. Only this
        vulnerability affects packages in oldstable.
    
      - CAN-2005-1921
    
        GulfTech has discovered that PEAR XML_RPC is vulnerable
        to a remote PHP code execution vulnerability that may
        allow an attacker to compromise a vulnerable server.
    
      - CAN-2005-2498
    
        Stefan Esser discovered another vulnerability in the
        XML-RPC libraries that allows injection of arbitrary PHP
        code into eval() statements."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=323366"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2005/dsa-789"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the PHP packages.
    
    For the old stable distribution (woody) these problems have been fixed
    in version 4.1.2-7.woody5.
    
    For the stable distribution (sarge) these problems have been fixed in
    version 4.3.10-16."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'PHP XML-RPC Arbitrary Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/08/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/08/30");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/05/25");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.0", prefix:"caudium-php4", reference:"4.1.2-7.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4", reference:"4.1.2-7.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-cgi", reference:"4.1.2-7.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-curl", reference:"4.1.2-7.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-dev", reference:"4.1.2-7.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-domxml", reference:"4.1.2-7.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-gd", reference:"4.1.2-7.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-imap", reference:"4.1.2-7.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-ldap", reference:"4.1.2-7.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-mcal", reference:"4.1.2-7.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-mhash", reference:"4.1.2-7.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-mysql", reference:"4.1.2-7.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-odbc", reference:"4.1.2-7.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-pear", reference:"4.1.2-7.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-recode", reference:"4.1.2-7.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-snmp", reference:"4.1.2-7.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-sybase", reference:"4.1.2-7.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-xslt", reference:"4.1.2-7.woody5")) flag++;
    if (deb_check(release:"3.1", prefix:"libapache-mod-php4", reference:"4.3.10-16")) flag++;
    if (deb_check(release:"3.1", prefix:"libapache2-mod-php4", reference:"4.3.10-16")) flag++;
    if (deb_check(release:"3.1", prefix:"php4", reference:"4.3.10-16")) flag++;
    if (deb_check(release:"3.1", prefix:"php4-cgi", reference:"4.3.10-16")) flag++;
    if (deb_check(release:"3.1", prefix:"php4-cli", reference:"4.3.10-16")) flag++;
    if (deb_check(release:"3.1", prefix:"php4-common", reference:"4.3.10-16")) flag++;
    if (deb_check(release:"3.1", prefix:"php4-curl", reference:"4.3.10-16")) flag++;
    if (deb_check(release:"3.1", prefix:"php4-dev", reference:"4.3.10-16")) flag++;
    if (deb_check(release:"3.1", prefix:"php4-domxml", reference:"4.3.10-16")) flag++;
    if (deb_check(release:"3.1", prefix:"php4-gd", reference:"4.3.10-16")) flag++;
    if (deb_check(release:"3.1", prefix:"php4-imap", reference:"4.3.10-16")) flag++;
    if (deb_check(release:"3.1", prefix:"php4-ldap", reference:"4.3.10-16")) flag++;
    if (deb_check(release:"3.1", prefix:"php4-mcal", reference:"4.3.10-16")) flag++;
    if (deb_check(release:"3.1", prefix:"php4-mhash", reference:"4.3.10-16")) flag++;
    if (deb_check(release:"3.1", prefix:"php4-mysql", reference:"4.3.10-16")) flag++;
    if (deb_check(release:"3.1", prefix:"php4-odbc", reference:"4.3.10-16")) flag++;
    if (deb_check(release:"3.1", prefix:"php4-pear", reference:"4.3.10-16")) flag++;
    if (deb_check(release:"3.1", prefix:"php4-recode", reference:"4.3.10-16")) flag++;
    if (deb_check(release:"3.1", prefix:"php4-snmp", reference:"4.3.10-16")) flag++;
    if (deb_check(release:"3.1", prefix:"php4-sybase", reference:"4.3.10-16")) flag++;
    if (deb_check(release:"3.1", prefix:"php4-xslt", reference:"4.3.10-16")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: CGI abuses
    NASL id: PHPADSNEW_XMLRPC.NASL
    description: The remote host appears to be running phpAdsNew, an open source ad server written in PHP. The version of phpAdsNew installed on the remote host allows attackers to execute arbitrary PHP code, subject to the privileges of the web server user id, due to a flaw in its bundled XML-RPC library.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20180
    published: 2005-11-11
    reporter: This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/20180
    title: phpAdsNew XML-RPC Library Remote Code Injection
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description) {
      script_id(20180);
      script_version("1.19");
    
      script_cve_id("CVE-2005-1921");
      script_bugtraq_id(14088);
    
      script_name(english:"phpAdsNew XML-RPC Library Remote Code Injection");
      script_summary(english:"Checks for remote code injection vulnerability in phpAdsNew XML-RPC library");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains a PHP script that is prone to arbitrary
    code execution." );
     script_set_attribute(attribute:"description", value:
    "The remote host appears to be running phpAdsNew, an open source ad
    server written in PHP. 
    
    The version of phpAdsNew installed on the remote host allows attackers
    to execute arbitrary PHP code subject to the privileges of the web
    server user id due to a flaw in its bundled XML-RPC library." );
      # http://web.archive.org/web/20101223094048/http://www.gulftech.org/?node=research&article_id=00087-07012005
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e698f657" );
      # http://web.archive.org/web/20060615161153/http://phpadsnew.com/two/nucleus/index.php?itemid=45
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?cadcbe45" );
     script_set_attribute(attribute:"solution", value:
    "Upgrade to phpAdsNew 2.0.5 or later." );
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
     script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
     script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
     script_set_attribute(attribute:"exploit_available", value:"false");
     script_set_attribute(attribute:"metasploit_name", value:'PHP XML-RPC Arbitrary Code Execution');
     script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
     script_set_attribute(attribute:"plugin_publication_date", value: "2005/11/11");
     script_set_attribute(attribute:"vuln_publication_date", value: "2005/06/29");
     script_cvs_date("Date: 2018/07/24 18:56:10");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_set_attribute(attribute:"cpe",value:"cpe:/a:phpadsnew:phpadsnew");
    script_end_attributes();
    
     
      script_category(ACT_ATTACK);
      script_family(english:"CGI abuses");
     
      script_copyright(english:"This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("http_version.nasl");
      script_exclude_keys("Settings/disable_cgi_scanning");
      script_require_ports("Services/www", 80);
      script_require_keys("www/PHP");
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    
    port = get_http_port(default:80);
    if (!can_host_php(port:port)) exit(0);
    
    
    # Loop through directories.
    foreach dir (cgi_dirs()) {
      # Check whether the script exists.
      r = http_send_recv3(method:"GET",item:dir + "/adxmlrpc.php", port:port);
      if (isnull(r)) exit(0);
      res = r[2];
    
      # If it does...
      if ("<methodResponse>" >< res) {
        # Try to exploit the flaw to run phpinfo().
        postdata =
          '<?xml version="1.0"?>' +
          "<methodCall>" +
          "<methodName>system.listMethods</methodName>" +
            "<params>" +
              "<param><value><name>','')); phpinfo();exit;/*</name></value></param>" +
            "</params>" +
          "</methodCall>";
    
        r = http_send_recv3(method:"POST", item: dir + "/adxmlrpc.php", version: 11, port: port,
          add_headers: make_array("Content-Type", "text/xml"),
          data: postdata );
        if (isnull(r)) exit(0);
        res = r[2];
    
        # There's a problem if it looks like the output of phpinfo().
        if ("PHP Version" >< res) {
          security_report_v4(port:port, extra:res, severity:SECURITY_HOLE);
          exit(0);
        }
      }
    }
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200507-08.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200507-08 (phpGroupWare, eGroupWare: PHP script injection vulnerability). The XML-RPC implementations of phpGroupWare and eGroupWare fail to sanitize input sent to the XML-RPC server using the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18666
    published: 2005-07-11
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/18666
    title: GLSA-200507-08 : phpGroupWare, eGroupWare: PHP script injection vulnerability
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200507-08.
    #
    # The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(18666);
      script_version("1.20");
      script_cvs_date("Date: 2019/08/02 13:32:42");
    
      script_cve_id("CVE-2005-1921");
      script_bugtraq_id(14088);
      script_xref(name:"GLSA", value:"200507-08");
    
      script_name(english:"GLSA-200507-08 : phpGroupWare, eGroupWare: PHP script injection vulnerability");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200507-08
    (phpGroupWare, eGroupWare: PHP script injection vulnerability)
    
        The XML-RPC implementations of phpGroupWare and eGroupWare fail to
        sanitize input sent to the XML-RPC server using the 'POST' method.
      
    Impact :
    
        A remote attacker could exploit the XML-RPC vulnerability to
        execute arbitrary PHP script code by sending specially crafted XML data
        to the XML-RPC servers of phpGroupWare or eGroupWare.
      
    Workaround :
    
        There are no known workarounds at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200507-08"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All phpGroupWare users should upgrade to the latest available
        version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=www-app/phpgroupware-0.9.16.006'
        All eGroupWare users should upgrade to the latest available
        version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=www-app/egroupware-1.0.0.008'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'PHP XML-RPC Arbitrary Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:egroupware");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:phpgroupware");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/07/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/11");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/06/29");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"www-apps/egroupware", unaffected:make_list("ge 1.0.0.008"), vulnerable:make_list("lt 1.0.0.008"))) flag++;
    if (qpkg_check(package:"www-apps/phpgroupware", unaffected:make_list("ge 0.9.16.006"), vulnerable:make_list("lt 0.9.16.006"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "phpGroupWare / eGroupWare");
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-745.NASL
    description: Two input validation errors were discovered in drupal and its bundled xmlrpc module. These errors can lead to the execution of arbitrary commands on the web server running drupal. drupal was not included in the old stable distribution (woody).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18655
    published: 2005-07-10
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/18655
    title: Debian DSA-745-1 : drupal - input validation errors
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-745. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(18655);
      script_version("1.24");
      script_cvs_date("Date: 2019/08/02 13:32:18");
    
      script_cve_id("CVE-2005-1921", "CVE-2005-2106");
      script_xref(name:"DSA", value:"745");
    
      script_name(english:"Debian DSA-745-1 : drupal - input validation errors");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Two input validation errors were discovered in drupal and its bundled
    xmlrpc module. These errors can lead to the execution of arbitrary
    commands on the web server running drupal.
    
    drupal was not included in the old stable distribution (woody)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2005/dsa-745"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the drupal package.
    
    For the current stable distribution (sarge), these problems have been
    fixed in version 4.5.3-3."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'PHP XML-RPC Arbitrary Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:drupal");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/07/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/10");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/06/29");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.1", prefix:"drupal", reference:"4.5.3-3")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SA_2005_051.NASL
    description: The remote host is missing the patch for the advisory SUSE-SA:2005:051 (php4,php5). This update fixes the following security issues in the PHP scripting language. - Bugs in the PEAR::XML_RPC library allowed remote attackers to pass arbitrary PHP code to the eval() function (CVE-2005-1921, CVE-2005-2498). The Pear::XML_RPC library is not used by default in SUSE Linux, but might be used by third-party PHP applications. - An integer overflow bug was found in the PCRE (perl compatible regular expression) library which could be used by an attacker to potentially execute code. (CVE-2005-2491) Please note:
    last seen: 2019-10-28
    modified: 2005-10-05
    plugin id: 19930
    published: 2005-10-05
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/19930
    title: SUSE-SA:2005:051: php4,php5
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # This plugin text was extracted from SuSE Security Advisory SUSE-SA:2005:051
    #
    
    
    if ( ! defined_func("bn_random") ) exit(0);
    
    include("compat.inc");
    
    if(description)
    {
     script_id(19930);
     script_version ("1.8");
     
     name["english"] = "SUSE-SA:2005:051: php4,php5";
     
     script_name(english:name["english"]);
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a vendor-supplied security patch" );
     script_set_attribute(attribute:"description", value:
    "The remote host is missing the patch for the advisory SUSE-SA:2005:051 (php4,php5).
    
    
    This update fixes the following security issues in the PHP scripting
    language.
    
    - Bugs in the PEAR::XML_RPC library allowed remote attackers to pass
    arbitrary PHP code to the eval() function (CVE-2005-1921,
    CVE-2005-2498).
    
    The Pear::XML_RPC library is not used by default in SUSE Linux, but
    might be used by third-party PHP applications.
    
    - An integer overflow bug was found in the PCRE (perl compatible regular
    expression) library which could be used by an attacker to potentially
    execute code. (CVE-2005-2491)
    
    Please note:" );
     script_set_attribute(attribute:"solution", value:
    "http://www.suse.de/security/advisories/2005_51_php.html" );
     script_set_attribute(attribute:"risk_factor", value:"High" );
    
    
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2005/10/05");
     script_end_attributes();
    
     
     summary["english"] = "Check for the version of the php4,php5 package";
     script_summary(english:summary["english"]);
     
     script_category(ACT_GATHER_INFO);
     
     script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
     family["english"] = "SuSE Local Security Checks";
     script_family(english:family["english"]);
     
     script_dependencies("ssh_get_info.nasl");
     script_require_keys("Host/SuSE/rpm-list");
     exit(0);
    }
    
    include("rpm.inc");
    if ( rpm_check( reference:"apache2-mod_php4-4.3.3-196", release:"SUSE9.0") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"mod_php4-4.3.3-196", release:"SUSE9.0") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"mod_php4-aolserver-4.3.3-196", release:"SUSE9.0") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"mod_php4-core-4.3.3-196", release:"SUSE9.0") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"mod_php4-devel-4.3.3-196", release:"SUSE9.0") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"mod_php4-servlet-4.3.3-196", release:"SUSE9.0") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"apache2-mod_php4-4.3.4-43.44", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"mod_php4-core-4.3.4-43.44", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"mod_php4-servlet-4.3.4-43.44", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-4.3.4-43.44", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-devel-4.3.4-43.44", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-exif-4.3.4-43.44", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-fastcgi-4.3.4-43.44", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-imap-4.3.4-43.44", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-mysql-4.3.4-43.44", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-pear-4.3.4-43.44", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-recode-4.3.4-43.44", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-servlet-4.3.4-43.44", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-session-4.3.4-43.44", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-sysvshm-4.3.4-43.44", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-wddx-4.3.4-43.44", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"apache2-mod_php4-4.3.8-8.14", release:"SUSE9.2") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"mod_php4-servlet-4.3.8-8.14", release:"SUSE9.2") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-4.3.8-8.14", release:"SUSE9.2") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-devel-4.3.8-8.14", release:"SUSE9.2") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-exif-4.3.8-8.14", release:"SUSE9.2") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-fastcgi-4.3.8-8.14", release:"SUSE9.2") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-pear-4.3.8-8.14", release:"SUSE9.2") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-session-4.3.8-8.14", release:"SUSE9.2") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-sysvshm-4.3.8-8.14", release:"SUSE9.2") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"apache2-mod_php4-4.3.10-14.11", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"apache2-mod_php5-5.0.3-14.11", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"mod_php4-servlet-4.3.10-14.11", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-4.3.10-14.11", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-devel-4.3.10-14.11", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-exif-4.3.10-14.11", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-fastcgi-4.3.10-14.11", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-pear-4.3.10-14.11", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-session-4.3.10-14.11", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-sysvshm-4.3.10-14.11", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php5-5.0.3-14.11", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php5-devel-5.0.3-14.11", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php5-exif-5.0.3-14.11", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php5-fastcgi-5.0.3-14.11", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php5-pear-5.0.3-14.11", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php5-sysvmsg-5.0.3-14.11", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"php5-sysvshm-5.0.3-14.11", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200507-06.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200507-06 (TikiWiki: Arbitrary command execution through XML-RPC). TikiWiki is vulnerable to arbitrary command execution as described in GLSA 200507-01. Impact: A remote attacker could exploit this vulnerability to execute arbitrary PHP code by sending specially crafted XML data. Workaround: There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18647
    published: 2005-07-08
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/18647
    title: GLSA-200507-06 : TikiWiki: Arbitrary command execution through XML-RPC
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200507-06.
    #
    # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(18647);
      script_version("1.21");
      script_cvs_date("Date: 2019/08/02 13:32:42");
    
      script_cve_id("CVE-2005-1921");
      script_bugtraq_id(14088);
      script_xref(name:"GLSA", value:"200507-06");
    
      script_name(english:"GLSA-200507-06 : TikiWiki: Arbitrary command execution through XML-RPC");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200507-06
    (TikiWiki: Arbitrary command execution through XML-RPC)
    
        TikiWiki is vulnerable to arbitrary command execution as described
        in GLSA 200507-01.
      
    Impact :
    
        A remote attacker could exploit this vulnerability to execute
        arbitrary PHP code by sending specially crafted XML data.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      # http://security.gentoo.org/glsa/glsa-200507-01.xml
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200507-01"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200507-06"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All TikiWiki users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=www-apps/tikiwiki-1.8.5-r1'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'PHP XML-RPC Arbitrary Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:tikiwiki");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/07/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/08");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"www-apps/tikiwiki", unaffected:make_list("ge 1.8.5-r1"), vulnerable:make_list("lt 1.8.5-r1"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "TikiWiki");
    }
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200507-02.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200507-02 (WordPress: Multiple vulnerabilities). James Bercegay of the GulfTech Security Research Team discovered that WordPress insufficiently checks data passed to the XML-RPC server. He also discovered that WordPress has several cross-site scripting and full path disclosure vulnerabilities. Impact: An attacker could use the PHP script injection vulnerabilities to execute arbitrary PHP script commands. Furthermore, the cross-site scripting vulnerabilities could be exploited to execute arbitrary script code in a user's browser session in the context of a vulnerable site.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18606
    published: 2005-07-05
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/18606
    title: GLSA-200507-02 : WordPress: Multiple vulnerabilities
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200507-02.
    #
    # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(18606);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:42");
    
      script_cve_id("CVE-2005-1921");
      script_xref(name:"GLSA", value:"200507-02");
    
      script_name(english:"GLSA-200507-02 : WordPress: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200507-02
    (WordPress: Multiple vulnerabilities)
    
        James Bercegay of the GulfTech Security Research Team discovered
        that WordPress insufficiently checks data passed to the XML-RPC server.
        He also discovered that WordPress has several cross-site scripting and
        full path disclosure vulnerabilities.
      
    Impact :
    
        An attacker could use the PHP script injection vulnerabilities to
        execute arbitrary PHP script commands. Furthermore the cross-site
        scripting vulnerabilities could be exploited to execute arbitrary
        script code in a user's browser session in context of a vulnerable
        site.
      
    Workaround :
    
        There are no known workarounds at this time."
      );
      # http://www.gulftech.org/?node=research&article_id=00085-06282005
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?44378fda"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200507-02"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All WordPress users should upgrade to the latest available
        version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=www-apps/wordpress-1.5.1.3'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'PHP XML-RPC Arbitrary Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:wordpress");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/07/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"www-apps/wordpress", unaffected:make_list("ge 1.5.1.3"), vulnerable:make_list("lt 1.5.1.3"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "WordPress");
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-746.NASL
    description: A vulnerability had been identified in the xmlrpc library included with phpgroupware, a web-based application including email, calendar and other groupware functionality. This vulnerability could lead to the execution of arbitrary commands on the server running phpgroupware. The security team is continuing to investigate the version of phpgroupware included with the old stable distribution (woody). At this time we recommend disabling phpgroupware or upgrading to the current stable distribution (sarge).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19195
    published: 2005-07-14
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/19195
    title: Debian DSA-746-1 : phpgroupware - input validation error
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-746. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(19195);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:18");
    
      script_cve_id("CVE-2005-1921");
      script_xref(name:"DSA", value:"746");
    
      script_name(english:"Debian DSA-746-1 : phpgroupware - input validation error");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A vulnerability had been identified in the xmlrpc library included
    with phpgroupware, a web-based application including email, calendar
    and other groupware functionality. This vulnerability could lead to
    the execution of arbitrary commands on the server running
    phpgroupware.
    
    The security team is continuing to investigate the version of
    phpgroupware included with the old stable distribution (woody). At
    this time we recommend disabling phpgroupware or upgrading to the
    current stable distribution (sarge)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2005/dsa-746"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the phpgroupware package.
    
    For the current stable distribution (sarge) this problem has been
    fixed in version 0.9.16.005-3.sarge0."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'PHP XML-RPC Arbitrary Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:phpgroupware");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/07/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/14");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.1", prefix:"phpgroupware", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-addressbook", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-admin", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-bookmarks", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-calendar", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-chat", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-comic", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-core", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-developer-tools", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-dj", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-eldaptir", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-email", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-etemplate", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-felamimail", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-filemanager", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-folders", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-forum", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-ftp", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-fudforum", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-headlines", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-hr", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-img", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-infolog", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-manual", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-messenger", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-news-admin", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-nntp", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-notes", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-phonelog", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-phpbrain", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-phpgwapi", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-phpsysinfo", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-polls", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-preferences", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-projects", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-qmailldap", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-registration", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-setup", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-sitemgr", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-skel", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-soap", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-stocks", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-todo", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-tts", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-wiki", reference:"0.9.16.005-3.sarge0")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-xmlrpc", reference:"0.9.16.005-3.sarge0")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-747.NASL
    description: A vulnerability has been identified in the xmlrpc library included in the egroupware package. This vulnerability could lead to the execution of arbitrary commands on the server running egroupware. The old stable distribution (woody) did not include egroupware.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18662
    published: 2005-07-11
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/18662
    title: Debian DSA-747-1 : egroupware - input validation error
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-747. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(18662);
      script_version("1.21");
      script_cvs_date("Date: 2019/08/02 13:32:18");
    
      script_cve_id("CVE-2005-1921");
      script_xref(name:"DSA", value:"747");
    
      script_name(english:"Debian DSA-747-1 : egroupware - input validation error");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A vulnerability has been identified in the xmlrpc library included in
    the egroupware package. This vulnerability could lead to the execution
    of arbitrary commands on the server running egroupware.
    
    The old stable distribution (woody) did not include egroupware."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2005/dsa-747"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the egroupware package.
    
    For the current stable distribution (sarge), this problem is fixed in
    version 1.0.0.007-2.dfsg-2sarge1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'PHP XML-RPC Arbitrary Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:egroupware");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/07/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/11");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/06/29");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.1", prefix:"egroupware", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-addressbook", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-bookmarks", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-calendar", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-comic", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-core", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-developer-tools", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-email", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-emailadmin", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-etemplate", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-felamimail", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-filemanager", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-forum", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-ftp", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-fudforum", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-headlines", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-infolog", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-jinn", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-ldap", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-manual", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-messenger", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-news-admin", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-phpbrain", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-phpldapadmin", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-phpsysinfo", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-polls", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-projects", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-registration", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-sitemgr", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-stocks", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-tts", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-wiki", reference:"1.0.0.007-2.dfsg-2sarge1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2005-109.NASL
    description: A vulnerability was discovered by GulfTech Security in the PHP XML RPC project. This vulnerability is considered critical and can lead to remote code execution. The vulnerability also exists in the PEAR XMLRPC implementation. Mandriva ships with the PEAR XMLRPC implementation and it has been patched to correct this problem. It is advised that users examine the PHP applications they have installed on their servers for any applications that may come bundled with their own copies of the PEAR system and either patch RPC.php or use the system PEAR (found in /usr/share/pear). Updates have been released for some popular PHP applications such as WordPress and Serendipity, and users are urged to take all precautions to protect their systems from attack and/or defacement by upgrading their applications from the authors of the respective applications.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18597
    published: 2005-07-01
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/18597
    title: Mandrake Linux Security Advisory : php-pear (MDKSA-2005:109)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2005:109. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(18597);
      script_version ("1.19");
      script_cvs_date("Date: 2019/08/02 13:32:47");
    
      script_cve_id("CVE-2005-1921");
      script_xref(name:"MDKSA", value:"2005:109");
    
      script_name(english:"Mandrake Linux Security Advisory : php-pear (MDKSA-2005:109)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Mandrake Linux host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A vulnerability was discovered by GulfTech Security in the PHP XML RPC
    project. This vulnerability is considered critical and can lead to
    remote code execution. The vulnerability also exists in the PEAR
    XMLRPC implementation.
    
    Mandriva ships with the PEAR XMLRPC implementation and it has been
    patched to correct this problem. It is advised that users examine the
    PHP applications they have installed on their servers for any
    applications that may come bundled with their own copies of the PEAR
    system and either patch RPC.php or use the system PEAR (found in
    /usr/share/pear).
    
    Updates have been released for some popular PHP applications such as
    WordPress and Serendipity and users are urged to take all precautions
    to protect their systems from attack and/or defacement by upgrading
    their applications from the authors of the respective applications."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.hardened-php.net/advisory-022005.php"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected php-pear package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'PHP XML-RPC Arbitrary Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pear");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.1");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:mandrakesoft:mandrake_linux:le2005");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/06/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/01");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK10.0", cpu:"amd64", reference:"php-pear-4.3.4-3.1.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", reference:"php-pear-4.3.4-3.1.100mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK10.1", reference:"php-pear-4.3.8-1.1.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"x86_64", reference:"php-pear-4.3.8-1.1.101mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK10.2", reference:"php-pear-4.3.10-3.1.102mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.2", cpu:"x86_64", reference:"php-pear-4.3.10-3.1.102mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2005-564.NASL
    description: Updated PHP packages that fix two security issues are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A bug was discovered in the PEAR XML-RPC Server package included in PHP. If a PHP script is used which implements an XML-RPC Server using the PEAR XML-RPC package, then it is possible for a remote attacker to construct an XML-RPC request which can cause PHP to execute arbitrary PHP commands as the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21841
    published: 2006-07-03
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21841
    title: CentOS 3 / 4 : php (CESA-2005:564)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2005:564 and 
    # CentOS Errata and Security Advisory 2005:564 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(21841);
      script_version("1.21");
      script_cvs_date("Date: 2019/10/25 13:36:02");
    
      script_cve_id("CVE-2005-1751", "CVE-2005-1921");
      script_bugtraq_id(14088);
      script_xref(name:"RHSA", value:"2005:564");
    
      script_name(english:"CentOS 3 / 4 : php (CESA-2005:564)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated PHP packages that fix two security issues are now available.
    
    This update has been rated as having important security impact by the
    Red Hat Security Response Team.
    
    PHP is an HTML-embedded scripting language commonly used with the
    Apache HTTP Web server.
    
    A bug was discovered in the PEAR XML-RPC Server package included in
    PHP. If a PHP script is used which implements an XML-RPC Server using
    the PEAR XML-RPC package, then it is possible for a remote attacker to
    construct an XML-RPC request which can cause PHP to execute arbitrary
    PHP commands as the 'apache' user. The Common Vulnerabilities and
    Exposures project (cve.mitre.org) has assigned the name CVE-2005-1921
    to this issue.
    
    When using the default SELinux 'targeted' policy on Red Hat Enterprise
    Linux 4, the impact of this issue is reduced since the scripts
    executed by PHP are constrained within the httpd_sys_script_t security
    context.
    
    A race condition in temporary file handling was discovered in the
    shtool script installed by PHP. If a third-party PHP module which uses
    shtool was compiled as root, a local user may be able to modify
    arbitrary files. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the name CVE-2005-1751 to this issue.
    
    Users of PHP should upgrade to these updated packages, which contain
    backported fixes for these issues."
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-July/011918.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?1cb95481"
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-July/011919.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?3529b1c9"
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-July/011920.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?fa8edd70"
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-July/011921.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?9e964f24"
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-July/011922.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?4cf76efa"
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-July/011923.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?336c8c23"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected php packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'PHP XML-RPC Arbitrary Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-domxml");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-gd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-imap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-mbstring");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-ncurses");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-odbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-pear");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-pgsql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-snmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-xmlrpc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/05/25");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/07/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/07/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(3|4)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 3.x / 4.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-3", reference:"php-4.3.2-24.ent")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"php-devel-4.3.2-24.ent")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"php-imap-4.3.2-24.ent")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"php-ldap-4.3.2-24.ent")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"php-mysql-4.3.2-24.ent")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"php-odbc-4.3.2-24.ent")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"php-pgsql-4.3.2-24.ent")) flag++;
    
    if (rpm_check(release:"CentOS-4", reference:"php-4.3.9-3.7")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"php-devel-4.3.9-3.7")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"php-domxml-4.3.9-3.7")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"php-gd-4.3.9-3.7")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"php-imap-4.3.9-3.7")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"php-ldap-4.3.9-3.7")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"php-mbstring-4.3.9-3.7")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"php-mysql-4.3.9-3.7")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"php-ncurses-4.3.9-3.7")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"php-odbc-4.3.9-3.7")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"php-pear-4.3.9-3.7")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"php-pgsql-4.3.9-3.7")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"php-snmp-4.3.9-3.7")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"php-xmlrpc-4.3.9-3.7")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php / php-devel / php-domxml / php-gd / php-imap / php-ldap / etc");
    }
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_F241641EF5EA11D9A6DB000D608ED240.NASL
    description: Kuba Zygmunt discovered a flaw in the input validation routines of Drupal
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19359
    published: 2005-08-01
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/19359
    title: FreeBSD : drupal -- PHP code execution vulnerabilities (f241641e-f5ea-11d9-a6db-000d608ed240)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(19359);
      script_version("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:38");
    
      script_cve_id("CVE-2005-1921", "CVE-2005-2106");
    
      script_name(english:"FreeBSD : drupal -- PHP code execution vulnerabilities (f241641e-f5ea-11d9-a6db-000d608ed240)");
      script_summary(english:"Checks for updated package in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote FreeBSD host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Kuba Zygmunt discovered a flaw in the input validation routines of
    Drupal's filter mechanism. An attacker could execute arbitrary PHP
    code on a target site when public comments or postings are allowed."
      );
      # http://drupal.org/files/sa-2005-002/advisory.txt
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.drupal.org/files/sa-2005-002/advisory.txt"
      );
      # https://vuxml.freebsd.org/freebsd/f241641e-f5ea-11d9-a6db-000d608ed240.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?32a4ac65"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'PHP XML-RPC Arbitrary Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:drupal");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/06/29");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/07/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/08/01");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"drupal<4.6.2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200507-15.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200507-15 (PHP: Script injection through XML-RPC) James Bercegay has discovered that the XML-RPC implementation in PHP fails to sanitize input passed in an XML document, which is used in an
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19211
    published: 2005-07-16
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/19211
    title: GLSA-200507-15 : PHP: Script injection through XML-RPC
  • NASL family: Slackware Local Security Checks
    NASL id: SLACKWARE_SSA_2005-192-01.NASL
    description: New PHP packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix a security issue with the PEAR XML_RPC class that allows a remote attacker to run arbitrary PHP code. Sites that make use of this PHP library should upgrade to the new PHP package right away, or may instead upgrade the XML_RPC PEAR class with the following command: pear upgrade XML_RPC
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18805
    published: 2005-07-13
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/18805
    title: Slackware 10.0 / 10.1 / 8.1 / 9.0 / 9.1 / current : PHP (SSA:2005-192-01)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SA_2005_041.NASL
    description: The remote host is missing the patch for the advisory SUSE-SA:2005:041 (php/pear XML::RPC). A bug in the PEAR::XML_RPC library allowed remote attackers to pass arbitrary PHP code to the eval() function. The updated php packages fix the XML::RPC bug; however, several third-party PHP packages include a copy of the problematic XML::RPC code itself and might still be vulnerable after the update. Please check their respective websites to see whether the package is vulnerable. The following projects are known to include the XML::RPC code: - tikiwiki - postnuke - drupal - b2evolution - b2 - phpGroupWare - eGroupware - Serendipity Weblog - phpAdsNew - Max Media Manager This issue is tracked by the Mitre CVE ID CVE-2005-1921. The bug in the SUSE php packages affects SUSE Linux versions from 8.2 up to 9.3, SUSE Linux Enterprise Server 9 and Open Enterprise Server. php4 on SUSE Linux Enterprise Server 8 is not affected, since it was not shipping the XML::RPC extension.
    last seen: 2019-10-28
    modified: 2005-07-20
    plugin id: 19250
    published: 2005-07-20
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/19250
    title: SUSE-SA:2005:041: php/pear XML::RPC
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200507-01.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200507-01 (PEAR XML-RPC, phpxmlrpc: PHP script injection vulnerability) James Bercegay of GulfTech Security Research discovered that the PEAR XML-RPC and phpxmlrpc libraries fail to sanitize input sent using the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18605
    published: 2005-07-05
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/18605
    title: GLSA-200507-01 : PEAR XML-RPC, phpxmlrpc: PHP script injection vulnerability
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200507-07.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200507-07 (phpWebSite: Multiple vulnerabilities) phpWebSite fails to sanitize input sent to the XML-RPC server using the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18656
    published: 2005-07-10
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/18656
    title: GLSA-200507-07 : phpWebSite: Multiple vulnerabilities
  • NASL family: CGI abuses
    NASL id: SERENDIPITY_XMLRPC_CODE_INJECTION.NASL
    description: The version of Serendipity installed on the remote host is prone to remote code execution due to a failure of its bundled XML-RPC library to sanitize user-supplied input to the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18600
    published: 2005-07-01
    reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/18600
    title: Serendipity XML-RPC for PHP Remote Code Injection
  • NASL family: CGI abuses
    NASL id: DRUPAL_XMLRPC.NASL
    description: The version of Drupal running on the remote web server allows attackers to execute arbitrary PHP code due to a flaw in its bundled XML-RPC library.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18640
    published: 2005-07-08
    reporter: This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/18640
    title: Drupal XML-RPC for PHP Remote Code Injection
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2005-518.NASL
    description: This update includes the PEAR XML_RPC 1.3.1 package, which fixes a security issue in the XML_RPC server implementation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1921 to this issue. The bundled version of shtool is also updated, to fix some temporary file handling races. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1751 to this issue. Bug fixes for the dom, ldap, and gd extensions are also included in this update. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18625
    published: 2005-07-06
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/18625
    title: Fedora Core 4 : php-5.0.4-10.3 (2005-518)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_0274A9F1075911DABC080001020EED82.NASL
    description: Postnuke Security Announcements reports the following vulnerabilities : - missing input validation within /modules/Messages/readpmsg.php - possible path disclosure within /user.php - possible path disclosure within /modules/News/article.php - possible remote code injection within /includes/pnMod.php - possible cross-site-scripting in /index.php - remote code injection via xml rpc library
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21379
    published: 2006-05-13
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21379
    title: FreeBSD : postnuke -- multiple vulnerabilities (0274a9f1-0759-11da-bc08-0001020eed82)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_523FAD14EB9D11D9A8BD000CF18BBE54.NASL
    description: GulfTech Security Research Team reports : PEAR XML_RPC is vulnerable to a very high risk php code injection vulnerability due to unsanitized data being passed into an eval() call.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18933
    published: 2005-07-13
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/18933
    title: FreeBSD : pear-XML_RPC -- arbitrary remote code execution (523fad14-eb9d-11d9-a8bd-000cf18bbe54)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-147-1.NASL
    description: A remote code execution vulnerability has been discovered in the XMLRPC module of the PEAR (PHP Extension and Application Repository) extension of PHP. By sending specially crafted XMLRPC requests to an affected web server, a remote attacker could exploit this to execute arbitrary code with the web server
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20541
    published: 2006-01-15
    reporter: Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20541
    title: Ubuntu 4.10 / 5.04 : php4, php4-universe vulnerability (USN-147-1)

Oval

  • accepted: 2013-04-29T04:12:58.707-04:00
    class: vulnerability
    contributors:
    • name: Aharon Chernin
      organization: SCAP.com, LLC
    • name: Dragos Prisaca
      organization: G2, Inc.
    definition_extensions:
    • comment: The operating system installed on the system is Red Hat Enterprise Linux 3
      oval: oval:org.mitre.oval:def:11782
    • comment: CentOS Linux 3.x
      oval: oval:org.mitre.oval:def:16651
    • comment: The operating system installed on the system is Red Hat Enterprise Linux 4
      oval: oval:org.mitre.oval:def:11831
    • comment: CentOS Linux 4.x
      oval: oval:org.mitre.oval:def:16636
    • comment: Oracle Linux 4.x
      oval: oval:org.mitre.oval:def:15990
    description: Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as used in products such as (1) WordPress, (2) Serendipity, (3) Drupal, (4) egroupware, (5) MailWatch, (6) TikiWiki, (7) phpWebSite, (8) Ampache, and others, allows remote attackers to execute arbitrary PHP code via an XML file, which is not properly sanitized before being used in an eval statement.
    family: unix
    id: oval:org.mitre.oval:def:11294
    status: accepted
    submitted: 2010-07-09T03:56:16-04:00
    title: Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as used in products such as (1) WordPress, (2) Serendipity, (3) Drupal, (4) egroupware, (5) MailWatch, (6) TikiWiki, (7) phpWebSite, (8) Ampache, and others, allows remote attackers to execute arbitrary PHP code via an XML file, which is not properly sanitized before being used in an eval statement.
    version: 26
  • accepted: 2005-09-21T01:33:00.000-04:00
    class: vulnerability
    contributors:
    • name: Jay Beale
      organization: Bastille Linux
    description: Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as used in products such as (1) WordPress, (2) Serendipity, (3) Drupal, (4) egroupware, (5) MailWatch, (6) TikiWiki, (7) phpWebSite, (8) Ampache, and others, allows remote attackers to execute arbitrary PHP code via an XML file, which is not properly sanitized before being used in an eval statement.
    family: unix
    id: oval:org.mitre.oval:def:350
    status: accepted
    submitted: 2005-07-19T12:00:00.000-04:00
    title: PEAR XML_RPC PHP Code Execution Vulnerability
    version: 4

Packetstorm

data source: https://packetstormsecurity.com/files/download/82366/php_xmlrpc_eval.rb.txt
id: PACKETSTORM:82366
last seen: 2016-12-05
published: 2009-10-30
reporter: H D Moore
source: https://packetstormsecurity.com/files/82366/PHP-XML-RPC-Arbitrary-Code-Execution.html
title: PHP XML-RPC Arbitrary Code Execution

Redhat

advisories:
rhsa:
id: RHSA-2005:564
rpms:
  • php-0:4.3.2-24.ent
  • php-0:4.3.9-3.7
  • php-debuginfo-0:4.3.2-24.ent
  • php-debuginfo-0:4.3.9-3.7
  • php-devel-0:4.3.2-24.ent
  • php-devel-0:4.3.9-3.7
  • php-domxml-0:4.3.9-3.7
  • php-gd-0:4.3.9-3.7
  • php-imap-0:4.3.2-24.ent
  • php-imap-0:4.3.9-3.7
  • php-ldap-0:4.3.2-24.ent
  • php-ldap-0:4.3.9-3.7
  • php-mbstring-0:4.3.9-3.7
  • php-mysql-0:4.3.2-24.ent
  • php-mysql-0:4.3.9-3.7
  • php-ncurses-0:4.3.9-3.7
  • php-odbc-0:4.3.2-24.ent
  • php-odbc-0:4.3.9-3.7
  • php-pear-0:4.3.9-3.7
  • php-pgsql-0:4.3.2-24.ent
  • php-pgsql-0:4.3.9-3.7
  • php-snmp-0:4.3.9-3.7
  • php-xmlrpc-0:4.3.9-3.7

References