Vulnerabilities > CVE-2005-3319 - Local Denial of Service vulnerability in PHP Apache 2

047910
CVSS 2.1 - LOW
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
local
low complexity
php
nessus
NVD
Published: 2005-10-27
Updated: 2018-10-30

Summary

The apache2handler SAPI (sapi_apache2.c) in the Apache module (mod_php) for PHP 5.x before 5.1.0 final and 4.4 before 4.4.1 final allows attackers to cause a denial of service (segmentation fault) via the session.save_path option in a .htaccess file or VirtualHost.

Vulnerable Configurations

Part Description Count
Application
Php
44

Nessus

  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2006-001.NASL
    descriptionThe remote host is running Apple Mac OS X, but lacks Security Update 2006-001. This security update contains fixes for the following applications : apache_mod_php automount Bom Directory Services iChat IPSec LaunchServices LibSystem loginwindow Mail rsync Safari Syndication
    last seen2020-06-01
    modified2020-06-02
    plugin id20990
    published2006-03-02
    reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20990
    titleMac OS X Multiple Vulnerabilities (Security Update 2006-001)
    code
    #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(20990);
 script_version("1.23");
 script_cvs_date("Date: 2018/07/14  1:59:35");

 script_cve_id("CVE-2005-2713", "CVE-2005-2714", "CVE-2005-3319", "CVE-2005-3353", "CVE-2005-3391",
               "CVE-2005-3392", "CVE-2005-3706", "CVE-2005-3712", "CVE-2005-4217", "CVE-2005-4504",
               "CVE-2006-0383", "CVE-2006-0384", "CVE-2006-0386", "CVE-2006-0387", "CVE-2006-0388",
               "CVE-2006-0389", "CVE-2006-0391", "CVE-2006-0395", "CVE-2006-0848");
 script_bugtraq_id(16736, 16907);

 script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2006-001)");
 script_summary(english:"Check for Security Update 2006-001");

 script_set_attribute(attribute:"synopsis", value:"The remote operating system is missing a vendor-supplied patch.");
 script_set_attribute(attribute:"description", value:
"The remote host is running Apple Mac OS X, but lacks
Security Update 2006-001.

This security update contains fixes for the following
applications :

apache_mod_php
automount
Bom
Directory Services
iChat
IPSec
LaunchServices
LibSystem
loginwindow
Mail
rsync
Safari
Syndication");
 script_set_attribute(attribute:"see_also", value:"http://docs.info.apple.com/article.html?artnum=303382");
 script_set_attribute(attribute:"solution", value:
"Mac OS X 10.4 :
http://www.apple.com/support/downloads/securityupdate2006001macosx1045ppc.html
http://www.apple.com/support/downloads/securityupdate2006001macosx1045intel.html

Mac OS X 10.3 :
http://www.apple.com/support/downloads/securityupdate20060011039client.html
http://www.apple.com/support/downloads/securityupdate20060011039server.html");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'Safari Archive Metadata Command Execution');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

 script_set_attribute(attribute:"vuln_publication_date", value:"2005/12/21");
 script_set_attribute(attribute:"patch_publication_date", value:"2006/03/03");
 script_set_attribute(attribute:"plugin_publication_date", value:"2006/03/02");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
 script_family(english:"MacOS X Local Security Checks");

 script_dependencies("ssh_get_info.nasl");
 script_require_keys("Host/MacOSX/packages");
 exit(0);
}


packages = get_kb_item("Host/MacOSX/packages");
if ( ! packages ) exit(0);


uname = get_kb_item("Host/uname");
if ( egrep(pattern:"Darwin.* (7\.[0-9]\.|8\.[0-5]\.)", string:uname) )
{
  if (!egrep(pattern:"^SecUpd(Srvr)?(2006-00[123467]|2007-003)", string:packages)) security_hole(0);
}
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-232-1.NASL
    descriptionEric Romang discovered a local Denial of Service vulnerability in the handling of the
    last seen2020-06-01
    modified2020-06-02
    plugin id20776
    published2006-01-21
    reporterUbuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20776
    titleUbuntu 4.10 / 5.04 / 5.10 : php4, php5 vulnerabilities (USN-232-1)
    code
    #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-232-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(20776);
  script_version("1.17");
  script_cvs_date("Date: 2019/08/02 13:33:00");

  script_cve_id("CVE-2005-3319", "CVE-2005-3353", "CVE-2005-3388", "CVE-2005-3389", "CVE-2005-3390", "CVE-2005-3391", "CVE-2005-3392", "CVE-2005-3883");
  script_bugtraq_id(15248, 15249, 15250);
  script_xref(name:"USN", value:"232-1");

  script_name(english:"Ubuntu 4.10 / 5.04 / 5.10 : php4, php5 vulnerabilities (USN-232-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Ubuntu host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Eric Romang discovered a local Denial of Service vulnerability in the
handling of the 'session.save_path' parameter in PHP's Apache 2.0
module. By setting this parameter to an invalid value in an .htaccess
file, a local user could crash the Apache server. (CVE-2005-3319)

A Denial of Service flaw was found in the EXIF module. By sending an
image with specially crafted EXIF data to a PHP program that
automatically evaluates them (e. g. a web gallery), a remote attacker
could cause an infinite recursion in the PHP interpreter, which caused
the web server to crash. (CVE-2005-3353)

Stefan Esser reported a Cross Site Scripting vulnerability in the
phpinfo() function. By tricking a user into retrieving a specially
crafted URL to a PHP page that exposes phpinfo(), a remote attacker
could inject arbitrary HTML or web script into the output page and
possibly steal private data like cookies or session identifiers.
(CVE-2005-3388)

Stefan Esser discovered a vulnerability of the parse_str() function
when it is called with just one argument. By calling such programs
with specially crafted parameters, a remote attacker could enable the
'register_globals' option which is normally turned off for security
reasons. Once this option is enabled, the remote attacker could
exploit other security flaws of PHP programs which are normally
protected by 'register_globals' being deactivated. (CVE-2005-3389)

Stefan Esser discovered that a remote attacker could overwrite the
$GLOBALS array in PHP programs that allow file uploads and run with
'register_globals' enabled. Depending on the particular application,
this can lead to unexpected vulnerabilities. (CVE-2005-3390)

The 'gd' image processing and cURL modules did not properly check
processed file names against the 'open_basedir' and 'safe_mode'
restrictions, which could be exploited to circumvent these
limitations. (CVE-2005-3391)

Another bypass of the 'open_basedir' and 'safe_mode' restrictions was
found in virtual() function. A local attacker could exploit this to
circumvent these restrictions with specially crafted PHP INI files
when virtual Apache 2.0 hosts are used. (CVE-2005-3392)

The mb_send_mail() function did not properly check its arguments for
invalid embedded line breaks. By setting the 'To:' field of an email
to a specially crafted value in a PHP web mail application, a remote
attacker could inject arbitrary headers into the sent email.
(CVE-2005-3883).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libapache-mod-php4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libapache2-mod-php4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libapache2-mod-php5");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php-pear");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-cgi");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-cli");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-curl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-domxml");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-gd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-imap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-ldap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-mcal");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-mhash");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-mysql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-odbc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-pear");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-pgsql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-recode");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-snmp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-sybase");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-universe-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php4-xslt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-cgi");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-cli");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-curl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-gd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-ldap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-mhash");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-mysql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-odbc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-pgsql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-recode");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-snmp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-sqlite");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-sybase");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-xmlrpc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-xsl");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:4.10");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.10");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/12/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/21");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/10/02");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! ereg(pattern:"^(4\.10|5\.04|5\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 4.10 / 5.04 / 5.10", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

flag = 0;

if (ubuntu_check(osver:"4.10", pkgname:"libapache2-mod-php4", pkgver:"4.3.8-3ubuntu7.14")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4", pkgver:"4.3.8-3ubuntu7.14")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4-cgi", pkgver:"4.3.8-3ubuntu7.14")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4-curl", pkgver:"4.3.8-3ubuntu7.14")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4-dev", pkgver:"4.3.8-3ubuntu7.14")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4-domxml", pkgver:"4.3.8-3ubuntu7.14")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4-gd", pkgver:"4.3.8-3ubuntu7.14")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4-ldap", pkgver:"4.3.8-3ubuntu7.14")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4-mcal", pkgver:"4.3.8-3ubuntu7.14")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4-mhash", pkgver:"4.3.8-3ubuntu7.14")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4-mysql", pkgver:"4.3.8-3ubuntu7.14")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4-odbc", pkgver:"4.3.8-3ubuntu7.14")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4-pear", pkgver:"4.3.8-3ubuntu7.14")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4-recode", pkgver:"4.3.8-3ubuntu7.14")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4-snmp", pkgver:"4.3.8-3ubuntu7.14")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4-sybase", pkgver:"4.3.8-3ubuntu7.14")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"php4-xslt", pkgver:"4.3.8-3ubuntu7.14")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"libapache-mod-php4", pkgver:"4.3.10-10ubuntu3.6")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"libapache2-mod-php4", pkgver:"4.3.10-10ubuntu4.3")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4", pkgver:"4.3.10-10ubuntu4.3")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-cgi", pkgver:"4.3.10-10ubuntu4.3")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-cli", pkgver:"4.3.10-10ubuntu4.3")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-common", pkgver:"4.3.10-10ubuntu4.3")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-curl", pkgver:"4.3.10-10ubuntu3.6")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-dev", pkgver:"4.3.10-10ubuntu4.3")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-domxml", pkgver:"4.3.10-10ubuntu3.6")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-gd", pkgver:"4.3.10-10ubuntu3.6")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-imap", pkgver:"4.3.10-10ubuntu3.6")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-ldap", pkgver:"4.3.10-10ubuntu3.6")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-mcal", pkgver:"4.3.10-10ubuntu3.6")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-mhash", pkgver:"4.3.10-10ubuntu3.6")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-mysql", pkgver:"4.3.10-10ubuntu3.6")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-odbc", pkgver:"4.3.10-10ubuntu3.6")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-pear", pkgver:"4.3.10-10ubuntu3.6")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-recode", pkgver:"4.3.10-10ubuntu3.6")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-snmp", pkgver:"4.3.10-10ubuntu3.6")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-sybase", pkgver:"4.3.10-10ubuntu3.6")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-universe-common", pkgver:"4.3.10-10ubuntu3.6")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"php4-xslt", pkgver:"4.3.10-10ubuntu3.6")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"libapache-mod-php4", pkgver:"4.4.0-3ubuntu1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"libapache2-mod-php4", pkgver:"4.4.0-3ubuntu1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"libapache2-mod-php5", pkgver:"5.0.5-2ubuntu1.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php-pear", pkgver:"5.0.5-2ubuntu1.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php4", pkgver:"4.4.0-3ubuntu1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php4-cgi", pkgver:"4.4.0-3ubuntu1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php4-cli", pkgver:"4.4.0-3ubuntu1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php4-common", pkgver:"4.4.0-3ubuntu1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php4-curl", pkgver:"4.4.0-3ubuntu1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php4-dev", pkgver:"4.4.0-3ubuntu1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php4-domxml", pkgver:"4.4.0-3ubuntu1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php4-gd", pkgver:"4.4.0-3ubuntu1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php4-ldap", pkgver:"4.4.0-3ubuntu1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php4-mcal", pkgver:"4.4.0-3ubuntu1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php4-mhash", pkgver:"4.4.0-3ubuntu1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php4-mysql", pkgver:"4.4.0-3ubuntu1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php4-odbc", pkgver:"4.4.0-3ubuntu1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php4-pear", pkgver:"4.4.0-3ubuntu1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php4-pgsql", pkgver:"4.4.0-3ubuntu1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php4-recode", pkgver:"4.4.0-3ubuntu1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php4-snmp", pkgver:"4.4.0-3ubuntu1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php4-sybase", pkgver:"4.4.0-3ubuntu1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php4-xslt", pkgver:"4.4.0-3ubuntu1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php5", pkgver:"5.0.5-2ubuntu1.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php5-cgi", pkgver:"5.0.5-2ubuntu1.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php5-cli", pkgver:"5.0.5-2ubuntu1.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php5-common", pkgver:"5.0.5-2ubuntu1.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php5-curl", pkgver:"5.0.5-2ubuntu1.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php5-dev", pkgver:"5.0.5-2ubuntu1.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php5-gd", pkgver:"5.0.5-2ubuntu1.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php5-ldap", pkgver:"5.0.5-2ubuntu1.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php5-mhash", pkgver:"5.0.5-2ubuntu1.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php5-mysql", pkgver:"5.0.5-2ubuntu1.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php5-odbc", pkgver:"5.0.5-2ubuntu1.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php5-pgsql", pkgver:"5.0.5-2ubuntu1.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php5-recode", pkgver:"5.0.5-2ubuntu1.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php5-snmp", pkgver:"5.0.5-2ubuntu1.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php5-sqlite", pkgver:"5.0.5-2ubuntu1.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php5-sybase", pkgver:"5.0.5-2ubuntu1.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php5-xmlrpc", pkgver:"5.0.5-2ubuntu1.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"php5-xsl", pkgver:"5.0.5-2ubuntu1.1")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libapache-mod-php4 / libapache2-mod-php4 / libapache2-mod-php5 / etc");
}
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200511-08.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200511-08 (PHP: Multiple vulnerabilities) Multiple vulnerabilities have been found and fixed in PHP: a possible $GLOBALS variable overwrite problem through file upload handling, extract() and import_request_variables() (CVE-2005-3390) a local Denial of Service through the use of the session.save_path option (CVE-2005-3319) an issue with trailing slashes in allowed basedirs (CVE-2005-3054) an issue with calling virtual() on Apache 2, allowing to bypass safe_mode and open_basedir restrictions (CVE-2005-3392) a problem when a request was terminated due to memory_limit constraints during certain parse_str() calls (CVE-2005-3389) The curl and gd modules allowed to bypass the safe mode open_basedir restrictions (CVE-2005-3391) a cross-site scripting (XSS) vulnerability in phpinfo() (CVE-2005-3388) Impact : Attackers could leverage these issues to exploit applications that are assumed to be secure through the use of proper register_globals, safe_mode or open_basedir parameters. Remote attackers could also conduct cross-site scripting attacks if a page calling phpinfo() was available. Finally, a local attacker could cause a local Denial of Service using malicious session.save_path options. Workaround : There is no known workaround that would solve all issues at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id20195
    published2005-11-15
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20195
    titleGLSA-200511-08 : PHP: Multiple vulnerabilities
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2005-213.NASL
    descriptionA number of vulnerabilities were discovered in PHP : An issue with fopen_wrappers.c would not properly restrict access to other directories when the open_basedir directive included a trailing slash (CVE-2005-3054); this issue does not affect Corporate Server 2.1. An issue with the apache2handler SAPI in mod_php could allow an attacker to cause a Denial of Service via the session.save_path option in an .htaccess file or VirtualHost stanza (CVE-2005-3319); this issue does not affect Corporate Server 2.1. A Denial of Service vulnerability was discovered in the way that PHP processes EXIF image data which could allow an attacker to cause PHP to crash by supplying carefully crafted EXIF image data (CVE-2005-3353). A cross-site scripting vulnerability was discovered in the phpinfo() function which could allow for the injection of JavaScript or HTML content onto a page displaying phpinfo() output, or to steal data such as cookies (CVE-2005-3388). A flaw in the parse_str() function could allow for the enabling of register_globals, even if it was disabled in the PHP configuration file (CVE-2005-3389). A vulnerability in the way that PHP registers global variables during a file upload request could allow a remote attacker to overwrite the $GLOBALS array which could potentially lead the execution of arbitrary PHP commands. This vulnerability only affects systems with register_globals enabled (CVE-2005-3390). The updated packages have been patched to address this issue. Once the new packages have been installed, you will need to restart your Apache server using
    last seen2020-06-01
    modified2020-06-02
    plugin id20445
    published2006-01-15
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20445
    titleMandrake Linux Security Advisory : php (MDKSA-2005:213)
  • NASL familyCGI abuses
    NASL idPHP_5_1_0.NASL
    descriptionAccording to its banner, the version of PHP 5.x installed on the remote host is older than 5.1.0. Such versions may be affected by multiple vulnerabilities : - A cross-site scripting vulnerability exists in phpinfo(). - Multiple safe_mode/open_basedir bypass vulnerabilities exist in ext/curl and ext/gd. - It is possible to overwrite $GLOBALS due to an issue in file upload handling, extract(), and import_request_variables(). - An issue exists when a request is terminated due to memory_limit constraints during certain parse_str() calls, which could lead to register globals being turned on. - An issue exists with trailing slashes in allowed basedirs. - An issue exists with calling virtual() on Apache 2, which allows an attacker to bypass certain configuration directives like safe_mode or open_basedir. - A possible header injection exists in the mb_send_mail() function. - The apache2handler SAPI in the Apache module allows attackers to cause a denial of service.
    last seen2020-06-01
    modified2020-06-02
    plugin id17711
    published2011-11-18
    reporterThis script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/17711
    titlePHP 5.x < 5.1.0 Multiple Vulnerabilities

Statements

contributorJoshua Bressers
lastmodified2008-02-12
organizationRed Hat
statementWe do not class this as a security issue as it only allows local users who have the privileges to create .htaccess files the ability to cause a denial of service. Untrusted users should never be given the ability to create .htaccess files.

References