CVE-2005-3347 - Path Traversal vulnerability in PHPgroupware 0.9.16

CVSS 6.8 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Tags: network, phpgroupware, CWE-22, nessus

Summary

Multiple directory traversal vulnerabilities in index.php in phpSysInfo 2.4 and earlier, as used in phpgroupware 0.9.16 and earlier, and egroupware before 1.0.0.009, allow remote attackers to include arbitrary files via .. (dot dot) sequences in the (1) sensor_program parameter or the (2) _SERVER[HTTP_ACCEPT_LANGUAGE] parameter, which overwrites an internal variable, a variant of CVE-2003-0536. NOTE: due to a typo in an advisory, an issue in osh was inadvertently linked to this identifier; the proper identifier for the osh issue is CVE-2005-3346.
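Added example, not code from this record, from phpSysInfo or from Tenable: a Python detector that runs over constructed access-log lines and flags the request shapes the summary describes, namely .. sequences (plain, percent-encoded or double-encoded) in the sensor_program or lng parameters of index.php, and any GET parameter that names a $_SERVER entry. The log format, addresses and paths are constructed; lng is the parameter the phpSysInfo Nessus check on this page exercises.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Query parameters the advisory and the Nessus check exercise: the language
# selector and the sensor program name. Both should be plain tokens.
WATCHED_PARAMS = {"lng", "sensor_program"}

# ".." bounded by a separator (or the string edge) after normalisation.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
# What a legitimate language code or sensor program name looks like (assumption).
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_-]+$")

# Common Log Format, with the request line split into method, target, version.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def fully_decode(value, max_rounds=3):
    """Percent-decode until stable, so %2e%2e%2f and double-encoded %252e%252e both become '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value):
    """Return None for a plain token, otherwise a short reason why the value is suspicious."""
    decoded = fully_decode(value).replace("\\", "/")
    if TRAVERSAL.search(decoded):
        return "dot-dot traversal"
    if decoded.startswith("/"):
        return "absolute path"
    if not SAFE_TOKEN.match(decoded):
        return "unexpected characters"
    return None


def inspect_target(target):
    """Return (param, decoded value, reason) triples for a request target aimed at index.php."""
    parts = urlsplit(target)
    if not parts.path.endswith("/index.php"):
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        name = fully_decode(name)
        if name.startswith("_SERVER["):
            # A GET parameter named like a $_SERVER entry exists only to overwrite
            # the script's internal variable; flag it regardless of its value.
            hits.append((name, fully_decode(value), "request parameter names a $_SERVER entry"))
        elif name in WATCHED_PARAMS:
            reason = classify(value)
            if reason:
                hits.append((name, fully_decode(value), reason))
    return hits


def scan_log(lines):
    """Run inspect_target over access-log lines; return one finding per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = inspect_target(m.group("target"))
        if hits:
            findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "target": m.group("target"), "params": hits})
    return findings


# Constructed sample log lines (addresses, timestamps and paths are made up).
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Nov/2005:10:01:02 +0000] "GET /phpsysinfo/index.php?lng=en HTTP/1.1" 200 5120',
    '203.0.113.7 - - [16/Nov/2005:10:01:09 +0000] "GET /phpsysinfo/index.php?lng=../system_footer&sensor_program=lmsensors HTTP/1.1" 200 6001',
    '198.51.100.4 - - [16/Nov/2005:10:02:33 +0000] "GET /phpsysinfo/index.php?sensor_program=%2e%2e%2f%2e%2e%2fconfig HTTP/1.1" 200 3300',
    '198.51.100.4 - - [16/Nov/2005:10:02:40 +0000] "GET /phpsysinfo/index.php?_SERVER%5BHTTP_ACCEPT_LANGUAGE%5D=..%252f..%252fconfig HTTP/1.1" 200 3300',
    '192.0.2.9 - - [16/Nov/2005:10:03:00 +0000] "GET /phpsysinfo/images/logo.png HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        for param, value, reason in f["params"]:
            print(f'{f["time"]} {f["ip"]} {param}={value!r}: {reason}')
```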

Vulnerable Configurations

Part         Description    Count
Application  Phpgroupware   1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Relative Path Traversal
    An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
  • Directory Traversal
    An attacker with access to file system resources, either directly or via application logic, will use various file path specification or navigation mechanisms such as ".." in path strings and absolute paths to extend their range of access to inappropriate areas of the file system. The attacker attempts to either explore the file system for recon purposes or access directories and files that are intended to be restricted from their access. Exploring the file system can be achieved through constructing paths presented to directory listing programs, such as "ls" and "dir", or through specially crafted programs that attempt to explore the file system. The attacker engaging in this type of activity is searching for information that can be used later in a more exploitive attack. Access to restricted directories or files can be achieved through modification of path references utilized by system applications.
  • File System Function Injection, Content Based
    An attack of this type exploits the host's trust in executing remote content including binary files. The files are poisoned with a malicious payload (targeting the file systems accessible by the target software) by the attacker and may be passed through standard channels such as via email, and standard web content like PDF and multimedia files. The attacker exploits known vulnerabilities or handling routines in the target processes. Vulnerabilities of this type have been found in a wide variety of commercial applications from Microsoft Office to Adobe Acrobat and Apple Safari web browser. When the attacker knows the standard handling routines and can identify vulnerabilities and entry points they can be exploited by otherwise seemingly normal content. Once the attack is executed, the attackers' program can access relative directories such as C:\Program Files or other standard system directories to launch further attacks. In a worst case scenario, these programs are combined with other propagation logic and work as a virus.
  • Using Slashes and URL Encoding Combined to Bypass Validation Logic
    This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special characters that need special syntax handling in order to be interpreted. Special characters are represented using a percent character followed by two hex digits representing the octet code of the original character (%HEX-CODE). For instance, the US-ASCII space character would be represented as %20. This is often referred to as escaped encoding or percent-encoding. Since the server decodes the URL from the request, it may restrict access to some URL paths by validating and filtering the URL requests it receives. An attacker will try to craft a URL with a sequence of special characters which, once interpreted by the server, will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other formats of encoding such as UTF-8 encoding, Unicode encoding, etc.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

Nessus

  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200511-18.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200511-18 (phpSysInfo: Multiple vulnerabilities) Christopher Kunz from the Hardened-PHP Project discovered that phpSysInfo is vulnerable to local file inclusion, cross-site scripting and a HTTP Response Splitting attacks. Impact : A local attacker may exploit the file inclusion vulnerability by sending malicious requests, causing the execution of arbitrary code with the rights of the user running the web server. A remote attacker could exploit the vulnerability to disclose local file content. Furthermore, the cross-site scripting issues gives a remote attacker the ability to inject and execute malicious script code in the user
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20262
    published: 2005-12-07
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20262
    title: GLSA-200511-18 : phpSysInfo: Multiple vulnerabilities
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200511-18.
    #
    # The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(20262);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:43");
    
      script_cve_id("CVE-2005-3347", "CVE-2005-3348");
      script_xref(name:"GLSA", value:"200511-18");
    
      script_name(english:"GLSA-200511-18 : phpSysInfo: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200511-18
    (phpSysInfo: Multiple vulnerabilities)
    
        Christopher Kunz from the Hardened-PHP Project discovered
        that phpSysInfo is vulnerable to local file inclusion, cross-site
        scripting and a HTTP Response Splitting attacks.
      
    Impact :
    
        A local attacker may exploit the file inclusion vulnerability by
        sending malicious requests, causing the execution of arbitrary code
        with the rights of the user running the web server. A remote attacker
        could exploit the vulnerability to disclose local file content.
        Furthermore, the cross-site scripting issues gives a remote attacker
        the ability to inject and execute malicious script code in the user's
        browser context or to steal cookie-based authentication credentials.
        The HTTP response splitting issue give an attacker the ability to
        perform site hijacking and cache poisoning.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.hardened-php.net/advisory_222005.81.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200511-18"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All phpSysInfo users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=www-apps/phpsysinfo-2.4.1'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_cwe_id(22, 352);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:phpsysinfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/11/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/12/07");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/11/11");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"www-apps/phpsysinfo", unaffected:make_list("ge 2.4.1"), vulnerable:make_list("lt 2.4.1"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "phpSysInfo");
    }
    
  • NASL family: CGI abuses
    NASL id: PHPSYSINFO_241.NASL
    description: The remote host is running phpSysInfo, a PHP application that parses the /proc entries on Linux/Unix systems and displays them in HTML. The installed version of phpSysInfo on the remote host has a design flaw in its globalization layer such that the script
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20215
    published: 2005-11-16
    reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20215
    title: phpSysInfo < 2.4.1 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    
    include("compat.inc");
    
    if (description) {
      script_id(20215);
      script_version("1.20");
    
      script_cve_id(
        "CVE-2003-0536",
        "CVE-2005-0870",
        "CVE-2005-3347",
        "CVE-2005-3348"
     );
      script_bugtraq_id(7286, 15396, 15414);
    
      script_name(english:"phpSysInfo < 2.4.1 Multiple Vulnerabilities");
      script_summary(english:"Checks for multiple vulnerabilities in phpSysInfo < 2.4.1");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains a PHP application that is affected by
    multiple vulnerabilities." );
     script_set_attribute(attribute:"description", value:
    "The remote host is running phpSysInfo, a PHP application that parses
    the /proc entries on Linux/Unix systems and displays them in HTML.
    
    The installed version of phpSysInfo on the remote host has a design
    flaw in its globalization layer such that the script's variables can
    be overwritten independent of PHP's 'register_globals' setting.  By
    exploiting this issue, an attacker may be able to read arbitrary files
    on the remote host and even execute arbitrary PHP code, both subject
    to the privileges of the web server user id.
    
    In addition, the application fails to sanitize user-supplied input
    before using it in dynamically-generated pages, which can be used to
    conduct cross-site scripting and HTTP response splitting attacks." );
     script_set_attribute(attribute:"see_also", value:"http://www.hardened-php.net/advisory_222005.81.html" );
     script_set_attribute(attribute:"solution", value:
    "Upgrade to phpSysInfo 2.4.1 or later." );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(22, 352);
     script_set_attribute(attribute:"plugin_publication_date", value: "2005/11/16");
     script_cvs_date("Date: 2018/07/24 18:56:11");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_set_attribute(attribute:"cpe",value:"cpe:/a:phpsysinfo:phpsysinfo");
      script_set_attribute(attribute:"vuln_publication_date", value:"2003/01/18");
    script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
    
      script_dependencies("http_version.nasl");
      script_exclude_keys("Settings/disable_cgi_scanning");
      script_require_ports("Services/www", 80);
      script_require_keys("www/PHP");
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    
    port = get_http_port(default:80, embedded: 0);
    if (!can_host_php(port:port)) exit(0);
    
    # Loop through directories.
    if (thorough_tests) dirs = list_uniq(make_list("/phpsysinfo", "/phpSysInfo", "/sysinfo", cgi_dirs()));
    else dirs = make_list(cgi_dirs());
    
    foreach dir (dirs) {
      # Try to exploit some of the flaws.
      r = http_send_recv3(method: "GET", port: port,
        item:string(
          dir, "/index.php?",
          # if successful, output will have the footer repeated.
          "lng=../system_footer&",
          # if successful, output will complain about an invalid sensor program.
          "sensor_program=", SCRIPT_NAME));
      if (isnull(r)) exit(0);
      res = r[2];
    
      # There's a problem if we overwrote $sensor_program.
      if (string("<center><b>Error: ", SCRIPT_NAME, " is not currently supported</b></center>") >< res) {
        security_warning(port);
        set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
        exit(0);
      }
    
      # Alternatively, there's a problem if it looks like phpSysInfo and...
      if ("phpSysInfo-" >< res || "Created By: phpSysInfo" >< res) {
        # there are two footers.
        footer = "</html>";
        post_footer = strstr(res, footer);
        if (post_footer) {
          post_footer = post_footer - footer;
          if (strstr(post_footer, footer)) {
            security_warning(port);
            set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
            exit(0);
          }
        }
      }
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-899.NASL
    description: Several vulnerabilities have been discovered in egroupware, a web-based groupware suite. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2005-0870 Maksymilian Arciemowicz discovered several cross site scripting problems in phpsysinfo, which are also present in the imported version in egroupware and of which not all were fixed in DSA 724. - CVE-2005-2600 Alexander Heidenreich discovered a cross-site scripting problem in the tree view of FUD Forum Bulletin Board Software, which is also present in egroupware and allows remote attackers to read private posts via a modified mid parameter. - CVE-2005-3347 Christopher Kunz discovered that local variables get overwritten unconditionally in phpsysinfo, which are also present in egroupware, and are trusted later, which could lead to the inclusion of arbitrary files. - CVE-2005-3348 Christopher Kunz discovered that user-supplied input is used unsanitised in phpsysinfo and imported in egroupware, causing a HTTP Response splitting problem.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22765
    published: 2006-10-14
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22765
    title: Debian DSA-899-1 : egroupware - programming errors
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-899. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(22765);
      script_version("1.19");
      script_cvs_date("Date: 2019/08/02 13:32:19");
    
      script_cve_id("CVE-2005-0870", "CVE-2005-2600", "CVE-2005-3347", "CVE-2005-3348");
      script_xref(name:"DSA", value:"899");
    
      script_name(english:"Debian DSA-899-1 : egroupware - programming errors");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in egroupware, a
    web-based groupware suite. The Common Vulnerabilities and Exposures
    project identifies the following problems :
    
      - CVE-2005-0870
        Maksymilian Arciemowicz discovered several cross site
        scripting problems in phpsysinfo, which are also present
        in the imported version in egroupware and of which not
        all were fixed in DSA 724.
    
      - CVE-2005-2600
        Alexander Heidenreich discovered a cross-site scripting
        problem in the tree view of FUD Forum Bulletin Board
        Software, which is also present in egroupware and allows
        remote attackers to read private posts via a modified
        mid parameter.
    
      - CVE-2005-3347
        Christopher Kunz discovered that local variables get
        overwritten unconditionally in phpsysinfo, which are
        also present in egroupware, and are trusted later, which
        could lead to the inclusion of arbitrary files.
    
      - CVE-2005-3348
        Christopher Kunz discovered that user-supplied input is
        used unsanitised in phpsysinfo and imported in
        egroupware, causing a HTTP Response splitting problem."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=301118"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2005/dsa-899"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the egroupware packages.
    
    The old stable distribution (woody) does not contain egroupware
    packages.
    
    For the stable distribution (sarge) this problem has been fixed in
    version 1.0.0.007-2.dfsg-2sarge4."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_cwe_id(22, 352);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:egroupware");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/11/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/08/11");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.1", prefix:"egroupware", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-addressbook", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-bookmarks", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-calendar", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-comic", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-core", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-developer-tools", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-email", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-emailadmin", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-etemplate", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-felamimail", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-filemanager", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-forum", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-ftp", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-fudforum", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-headlines", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-infolog", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-jinn", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-ldap", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-manual", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-messenger", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-news-admin", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-phpbrain", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-phpldapadmin", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-phpsysinfo", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-polls", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-projects", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-registration", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-sitemgr", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-stocks", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-tts", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"egroupware-wiki", reference:"1.0.0.007-2.dfsg-2sarge4")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-897.NASL
    description: Several vulnerabilities have been discovered in phpsysinfo, a PHP based host information application. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2005-0870 Maksymilian Arciemowicz discovered several cross site scripting problems, of which not all were fixed in DSA 724. - CVE-2005-3347 Christopher Kunz discovered that local variables get overwritten unconditionally and are trusted later, which could lead to the inclusion of arbitrary files. - CVE-2005-3348 Christopher Kunz discovered that user-supplied input is used unsanitised, causing a HTTP Response splitting problem.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22763
    published: 2006-10-14
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22763
    title: Debian DSA-897-1 : phpsysinfo - programming errors
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-897. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(22763);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:19");
    
      script_cve_id("CVE-2005-0870", "CVE-2005-3347", "CVE-2005-3348");
      script_xref(name:"DSA", value:"897");
    
      script_name(english:"Debian DSA-897-1 : phpsysinfo - programming errors");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in phpsysinfo, a PHP
    based host information application. The Common Vulnerabilities and
    Exposures project identifies the following problems :
    
      - CVE-2005-0870
        Maksymilian Arciemowicz discovered several cross site
        scripting problems, of which not all were fixed in DSA
        724.
    
      - CVE-2005-3347
        Christopher Kunz discovered that local variables get
        overwritten unconditionally and are trusted later, which
        could lead to the inclusion of arbitrary files.
    
      - CVE-2005-3348
        Christopher Kunz discovered that user-supplied input is
        used unsanitised, causing a HTTP Response splitting
        problem."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=301118"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2005/dsa-897"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the phpsysinfo package.
    
    For the old stable distribution (woody) these problems have been fixed
    in version 2.0-3woody3.
    
    For the stable distribution (sarge) these problems have been fixed in
    version 2.3-4sarge1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_cwe_id(22, 352);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:phpsysinfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/11/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.0", prefix:"phpsysinfo", reference:"2.0-3woody3")) flag++;
    if (deb_check(release:"3.1", prefix:"phpsysinfo", reference:"2.3-4sarge1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-898.NASL
    description: Several vulnerabilities have been discovered in phpsysinfo, a PHP based host information application that is included in phpgroupware. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2005-0870 Maksymilian Arciemowicz discovered several cross site scripting problems, of which not all were fixed in DSA 724. - CVE-2005-3347 Christopher Kunz discovered that local variables get overwritten unconditionally and are trusted later, which could lead to the inclusion of arbitrary files. - CVE-2005-3348 Christopher Kunz discovered that user-supplied input is used unsanitised, causing a HTTP Response splitting problem.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22764
    published: 2006-10-14
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22764
    title: Debian DSA-898-1 : phpgroupware - programming errors
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-898. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(22764);
      script_version("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:19");
    
      script_cve_id("CVE-2005-0870", "CVE-2005-3347", "CVE-2005-3348");
      script_xref(name:"DSA", value:"898");
    
      script_name(english:"Debian DSA-898-1 : phpgroupware - programming errors");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in phpsysinfo, a PHP
    based host information application that is included in phpgroupware.
    The Common Vulnerabilities and Exposures project identifies the
    following problems :
    
      - CVE-2005-0870
        Maksymilian Arciemowicz discovered several cross site
        scripting problems, of which not all were fixed in DSA
        724.
    
      - CVE-2005-3347
        Christopher Kunz discovered that local variables get
        overwritten unconditionally and are trusted later, which
        could lead to the inclusion of arbitrary files.
    
      - CVE-2005-3348
        Christopher Kunz discovered that user-supplied input is
        used unsanitised, causing a HTTP Response splitting
        problem."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=301118"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2005/dsa-898"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the phpgroupware packages.
    
    For the old stable distribution (woody) these problems have been fixed
    in version 0.9.14-0.RC3.2.woody5.
    
    For the stable distribution (sarge) these problems have been fixed in
    version 0.9.16.005-3.sarge4."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_cwe_id(22, 352);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:phpgroupware");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/11/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/03/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.0", prefix:"phpgroupware", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-addressbook", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-admin", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-api", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-api-doc", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-bookkeeping", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-bookmarks", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-brewer", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-calendar", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-chat", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-chora", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-comic", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-core", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-core-doc", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-developer-tools", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-dj", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-eldaptir", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-email", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-filemanager", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-forum", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-ftp", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-headlines", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-hr", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-img", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-infolog", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-inv", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-manual", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-messenger", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-napster", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-news-admin", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-nntp", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-notes", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-phonelog", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-phpsysinfo", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-phpwebhosting", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-polls", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-preferences", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-projects", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-registration", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-setup", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-skel", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-soap", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-stocks", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-todo", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-tts", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-wap", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-weather", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"phpgroupware-xmlrpc", reference:"0.9.14-0.RC3.2.woody5")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-addressbook", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-admin", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-bookmarks", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-calendar", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-chat", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-comic", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-core", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-developer-tools", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-dj", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-eldaptir", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-email", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-etemplate", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-felamimail", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-filemanager", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-folders", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-forum", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-ftp", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-fudforum", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-headlines", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-hr", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-img", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-infolog", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-manual", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-messenger", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-news-admin", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-nntp", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-notes", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-phonelog", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-phpbrain", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-phpgwapi", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-phpsysinfo", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-polls", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-preferences", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-projects", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-qmailldap", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-registration", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-setup", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-sitemgr", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-skel", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-soap", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-stocks", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-todo", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-tts", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-wiki", reference:"0.9.16.005-3.sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"phpgroupware-xmlrpc", reference:"0.9.16.005-3.sarge4")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
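The mechanism the DSA text describes for CVE-2005-3347 (a local variable that is overwritten unconditionally from request data and later trusted when a file is included) is shown below in a constructed PHP illustration beside a hardened version. This is an added example, not code from phpsysinfo, phpgroupware or the Debian plugin above; the parameter name `lng`, the `lang/` directory and the allow-list of languages are assumptions made for the demo.

```php
<?php
// Added illustration, not phpsysinfo or phpgroupware code: the pattern the
// advisory describes (a local variable overwritten unconditionally from the
// request, then trusted when building an include path) next to a hardened
// version. The parameter name "lng", the "lang/" directory and the allow-list
// are assumptions made for this demo.

declare(strict_types=1);

// Vulnerable shape: the application sets a trusted default, then lets request
// data overwrite it (extract() here; register_globals=On in old PHP had the
// same effect), and later builds an include path from it without any check.
function vulnerable_include_path(array $request): string
{
    $lng = 'en';                      // trusted default chosen by the app
    extract($request);                // $request['lng'] silently replaces $lng
    return 'lang/' . $lng . '.php';   // value that would be handed to include()
}

// Hardened shape: read the parameter explicitly, accept only values from a
// fixed allow-list, and refuse anything that could act as a path component.
function hardened_include_path(array $request): ?string
{
    $allowed = ['en', 'de', 'fr'];    // assumed set of shipped language files
    $lng = (isset($request['lng']) && is_string($request['lng'])) ? $request['lng'] : 'en';
    if (!in_array($lng, $allowed, true)) {
        return null;                  // not on the list: reject the request
    }
    // Defence in depth: the allow-list already excludes separators and "..",
    // but a later edit to the list must not be able to reintroduce traversal.
    if (!preg_match('/\A[a-z]{2}\z/', $lng)) {
        return null;
    }
    return 'lang/' . $lng . '.php';
}

// Demo with a constructed request carrying a traversal sequence: it flows
// straight through the vulnerable version and is rejected by the hardened one.
$request = ['lng' => '../../../../etc/passwd'];
printf("vulnerable: %s\n", vulnerable_include_path($request));
printf("hardened:   %s\n", hardened_include_path($request) ?? 'rejected');
printf("hardened:   %s\n", hardened_include_path(['lng' => 'de']) ?? 'rejected');
```

The fix in the Debian packages above is a version upgrade; the point of the illustration is what to look for when auditing similar PHP code: any `extract()`, `register_globals` dependency or `foreach ($_REQUEST as $k => $v) $$k = $v;` idiom that can clobber a variable later used in `include`, `require` or `fopen` is the same bug class, regardless of whether the input arrives as a query parameter or, as here, as a request header copied into `$_SERVER`.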

Packetstorm

data source: https://packetstormsecurity.com/files/download/41530/advisory_212005.81.txt
id: PACKETSTORM:41530
last seen: 2016-12-05
published: 2005-11-15
reporter: Christopher Kunz
source: https://packetstormsecurity.com/files/41530/Hardened-PHP-Project-Security-Advisory-2005-21.81.html
title: Hardened-PHP Project Security Advisory 2005-21.81