Vulnerabilities > CVE-2006-1014 - Security Bypass vulnerability in PHP

047910
CVSS v2 base score 3.2 - LOW
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
NONE
local
low complexity
php
nessus
exploit available

Summary

Argument injection vulnerability in certain PHP 4.x and 5.x applications, when used with sendmail and when accepting remote input for the additional_parameters argument to the mb_send_mail function, allows context-dependent attackers to read and create arbitrary files by providing extra -C and -X arguments to sendmail. NOTE: it could be argued that this is a class of technology-specific vulnerability, instead of a particular instance; if so, then this should not be included in CVE. This vulnerability affects all versions of PHP from 4.0.x through 5.1.x.

Exploit-Db

description: PHP 4.x/5.0/5.1 mb_send_mail() Function Parameter Restriction Bypass. CVE-2006-1014. Local exploit for php platform
id: EDB-ID:27335
last seen: 2016-02-03
modified: 2006-02-28
published: 2006-02-28
reporter: [email protected]
source: https://www.exploit-db.com/download/27335/
title: PHP 4.x/5.0/5.1 mb_send_mail Function Parameter Restriction Bypass

Nessus

  • NASL family: CGI abuses
    NASL id: PHP_SENDMAIL_ARGUMENT_INJECTION.NASL
    description: According to its banner, the version of PHP installed on the remote host is affected by a flaw that allows an attacker to gain unauthorized privileges. When used with sendmail and when accepting remote input for the additional_parameters argument to the mb_send_mail function, it is possible for context-dependent attackers to read and create arbitrary files.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 17716
    published: 2011-11-18
    reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/17716
    title: PHP mb_send_mail() Function Parameter Security Bypass
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch: runs only when `description` is truthy. It records the
    # plugin's metadata and then exits (exit(0) at the end of the block); nothing
    # in this branch contacts the target.
    if (description)
    {
      script_id(17716);
      script_version("1.6");
      script_cvs_date("Date: 2018/11/15 20:50:18");
    
      # Identifiers a finding from this plugin is tagged with.
      script_cve_id("CVE-2006-1014");
      script_bugtraq_id(16878);
    
      script_name(english:"PHP mb_send_mail() Function Parameter Security Bypass");
      # The summary states the method: the plugin looks at the PHP version only.
      # It does not inspect how any application calls mb_send_mail().
      script_summary(english:"Checks version of PHP");
     
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote web server uses a version of PHP that is affected by a
    security bypass vulnerability."
      );
      # The description ties the issue to two preconditions: sendmail is the mail
      # transport, and the application accepts remote input for the
      # additional_parameters argument of mb_send_mail().
      script_set_attribute(
        attribute:"description",
        value:
    "According to its banner, the version of PHP installed on the remote
    host is affected by a flaw that allows an attacker to gain
    unauthorized privileges.  When used with sendmail and when accepting
    remote input for the additional_parameters argument to the
    mb_send_mail function, it is possible for context-dependent attackers
    to read and create arbitrary files."
      );
    
      script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/426342/100/0/threaded");
      # No fixed release is named. Given the preconditions in the description, the
      # practical follow-up is to review callers of mb_send_mail() and keep
      # untrusted input out of additional_parameters.
      script_set_attribute(attribute:"solution", value:"There is no known solution at this time.");
      # CVSS v2 base vector: local access, low complexity, single authentication,
      # partial confidentiality and integrity impact, no availability impact.
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:P/I:P/A:N");
      # CVSS v2 temporal vector: proof-of-concept exploitability, remediation
      # unavailable, report confidence confirmed.
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:U/RC:C");
      # NOTE(review): exploit_available is "false" while the temporal vector says
      # E:POC; presumably "false" goes with "No exploit is required" -- confirm
      # the field semantics before relying on it for prioritisation.
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/02/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/11/18");
    
      # NOTE(review): plugin_type is "remote" although the base vector is AV:L;
      # presumably this field describes how the plugin gathers its data, not the
      # attack vector -- confirm.
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
      script_end_attributes();
     
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
    
      # Relies on php_version.nasl having run first, and requires both the
      # "www/PHP" and "Settings/PCI_DSS" KB keys. A scan without the PCI DSS
      # setting therefore produces no result from this plugin.
      script_dependencies("php_version.nasl");
      script_require_ports("Services/www", 80);
      script_require_keys("www/PHP", "Settings/PCI_DSS");
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("audit.inc");
    include("webapp_func.inc");
    
    # Only PCI considers this an issue
    # When the Settings/PCI_DSS KB item is absent, control goes to audit(AUDIT_PCI)
    # (presumably ending the run). Outside a PCI scan, the absence of this finding
    # therefore says nothing about the host.
    if (!get_kb_item("Settings/PCI_DSS")) audit(AUDIT_PCI);
    
    # HTTP port to report against; 80 is the default and php:TRUE is passed to the helper.
    port = get_http_port(default:80, php:TRUE);
    
    # PHP details recorded in the KB for this port. exit_on_fail:TRUE is passed, so
    # the helper is expected to stop the script when nothing is recorded.
    php = get_php_from_kb(
      port : port,
      exit_on_fail : TRUE
    );
    
    version = php["ver"];
    source = php["src"];
    
    # nb: unfixed.
    # No version comparison follows: every PHP install that reaches this point is
    # reported, whatever its version. The finding means "PHP was detected". It does
    # not show that any application passes untrusted input to the
    # additional_parameters argument of mb_send_mail().
    if (report_verbosity > 0)
    {
      # Verbose form: include where the version string came from and its value.
      report =
        '\n  Version source     : '+source +
        '\n  Installed version  : '+version + 
        '\n';
      security_note(port:port, extra:report);
    }
    else security_note(port);
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SA_2006_024.NASL
    description: The remote host is missing the patch for the advisory SUSE-SA:2006:024 (php4,php5). This update fixes the following security issues in the scripting languages PHP4 and PHP5: - copy() and tempnam() functions could bypass open_basedir restrictions (CVE-2006-1494) - Cross-Site-Scripting (XSS) bug in phpinfo() (CVE-2006-0996) - mb_send_mail() lacked safe_mode checks (CVE-2006-1014, CVE-2006-1015) - html_entity_decode() could expose memory content (CVE-2006-1490)
    last seen: 2019-10-28
    modified: 2006-05-13
    plugin id: 21369
    published: 2006-05-13
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/21369
    title: SUSE-SA:2006:024: php4,php5
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # This plugin text was extracted from SuSE Security Advisory SUSE-SA:2006:024
    #
    
    
    # Capability gate: leave immediately when the engine does not define bn_random().
    # NOTE(review): presumably a stand-in for a minimum engine version -- confirm.
    if ( ! defined_func("bn_random") ) exit(0);
    
    include("compat.inc");
    
    # Registration branch for the SUSE-SA:2006:024 local check: runs only when
    # `description` is truthy, records the metadata below and exits.
    # NOTE(review): no script_cve_id() call appears in this block. The CVE ids are
    # present only inside the description text, so a lookup by CVE id depends on
    # free-text matching.
    if(description)
    {
     script_id(21369);
     script_version ("1.8");
     
     name["english"] = "SUSE-SA:2006:024: php4,php5";
     
     script_name(english:name["english"]);
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a vendor-supplied security patch" );
     # The description covers four separate issues fixed by one vendor update;
     # the mb_send_mail() safe_mode item is the one tied to CVE-2006-1014.
     script_set_attribute(attribute:"description", value:
    "The remote host is missing the patch for the advisory SUSE-SA:2006:024 (php4,php5).
    
    
    This update fixes the following security issues in the scripting languages
    PHP4 and PHP5:
    
    - copy() and tempnam() functions could bypass open_basedir restrictions (CVE-2006-1494)
    - Cross-Site-Scripting (XSS) bug in phpinfo() (CVE-2006-0996)
    - mb_send_mail() lacked safe_mode checks (CVE-2006-1014, CVE-2006-1015)
    - html_entity_decode() could expose memory content (CVE-2006-1490)" );
     # The solution field holds only the advisory URL (plain http), not
     # remediation steps.
     script_set_attribute(attribute:"solution", value:
    "http://www.suse.de/security/advisories/05-05-2006.html" );
     # One risk factor is set for the whole advisory, not per issue.
     script_set_attribute(attribute:"risk_factor", value:"Medium" );
    
    
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2006/05/13");
     script_end_attributes();
    
     
     summary["english"] = "Check for the version of the php4,php5 package";
     script_summary(english:summary["english"]);
     
     script_category(ACT_GATHER_INFO);
     
     script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
     family["english"] = "SuSE Local Security Checks";
     script_family(english:family["english"]);
     
     # Needs the "Host/SuSE/rpm-list" KB key and lists ssh_get_info.nasl as a
     # dependency. NOTE(review): presumably the package list comes from a
     # credentialed login, so an uncredentialed scan yields no result here -- confirm.
     script_dependencies("ssh_get_info.nasl");
     script_require_keys("Host/SuSE/rpm-list");
     exit(0);
    }
    
    include("rpm.inc");
    # SUSE 10.0 package set. Each test passes one reference build to rpm_check().
    # The first test that returns true raises one security_warning and ends the
    # script, so at most one warning is reported per host and it does not name the
    # package that matched.
    # NOTE(review): rpm_check() is not defined in this listing (presumably it comes
    # from rpm.inc); presumably it is true when the installed package is older than
    # the reference build -- confirm.
    if ( rpm_check( reference:"apache2-mod_php4-4.4.0-6.10", release:"SUSE10.0") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"apache2-mod_php5-5.0.4-9.10", release:"SUSE10.0") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-4.4.0-6.10", release:"SUSE10.0") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-exif-4.4.0-6.10", release:"SUSE10.0") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-fastcgi-4.4.0-6.10", release:"SUSE10.0") )
    {
     security_warning(0);
     exit(0);
    }
    # mbstring is the extension that provides mb_send_mail(), the function behind
    # the safe_mode item in this advisory.
    if ( rpm_check( reference:"php4-mbstring-4.4.0-6.10", release:"SUSE10.0") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-servlet-4.4.0-6.10", release:"SUSE10.0") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-unixODBC-4.4.0-6.10", release:"SUSE10.0") )
    {
     security_warning(0);
     exit(0);
    }
    # PHP 5 packages for the same release use a different reference build.
    if ( rpm_check( reference:"php5-5.0.4-9.10", release:"SUSE10.0") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php5-exif-5.0.4-9.10", release:"SUSE10.0") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php5-fastcgi-5.0.4-9.10", release:"SUSE10.0") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php5-mbstring-5.0.4-9.10", release:"SUSE10.0") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php5-pear-5.0.4-9.10", release:"SUSE10.0") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php5-snmp-5.0.4-9.10", release:"SUSE10.0") )
    {
     security_warning(0);
     exit(0);
    }
    # SUSE 9.1 package set (PHP 4 only, reference build 4.3.4-43.53). As with every
    # test in this script, the first rpm_check() that returns true raises one
    # security_warning and exits, without naming the package that matched.
    # NOTE(review): presumably rpm_check() is true when the installed package is
    # older than the reference build -- confirm against its definition.
    if ( rpm_check( reference:"apache2-mod_php4-4.3.4-43.53", release:"SUSE9.1") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"mod_php4-core-4.3.4-43.53", release:"SUSE9.1") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"mod_php4-servlet-4.3.4-43.53", release:"SUSE9.1") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-4.3.4-43.53", release:"SUSE9.1") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-devel-4.3.4-43.53", release:"SUSE9.1") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-exif-4.3.4-43.53", release:"SUSE9.1") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-fastcgi-4.3.4-43.53", release:"SUSE9.1") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-imap-4.3.4-43.53", release:"SUSE9.1") )
    {
     security_warning(0);
     exit(0);
    }
    # mbstring is the extension that provides mb_send_mail(), the function behind
    # the safe_mode item in this advisory.
    if ( rpm_check( reference:"php4-mbstring-4.3.4-43.53", release:"SUSE9.1") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-mysql-4.3.4-43.53", release:"SUSE9.1") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-pear-4.3.4-43.53", release:"SUSE9.1") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-recode-4.3.4-43.53", release:"SUSE9.1") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-servlet-4.3.4-43.53", release:"SUSE9.1") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-session-4.3.4-43.53", release:"SUSE9.1") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-sysvshm-4.3.4-43.53", release:"SUSE9.1") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-wddx-4.3.4-43.53", release:"SUSE9.1") )
    {
     security_warning(0);
     exit(0);
    }
    # SUSE 9.2 package set (PHP 4 only, reference build 4.3.8-8.23). The first
    # rpm_check() that returns true raises one security_warning and exits, so the
    # report does not say which package triggered it.
    # NOTE(review): presumably rpm_check() is true when the installed package is
    # older than the reference build -- confirm against its definition.
    if ( rpm_check( reference:"apache2-mod_php4-4.3.8-8.23", release:"SUSE9.2") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"mod_php4-servlet-4.3.8-8.23", release:"SUSE9.2") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-4.3.8-8.23", release:"SUSE9.2") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-devel-4.3.8-8.23", release:"SUSE9.2") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-exif-4.3.8-8.23", release:"SUSE9.2") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-fastcgi-4.3.8-8.23", release:"SUSE9.2") )
    {
     security_warning(0);
     exit(0);
    }
    # mbstring is the extension that provides mb_send_mail(), the function behind
    # the safe_mode item in this advisory.
    if ( rpm_check( reference:"php4-mbstring-4.3.8-8.23", release:"SUSE9.2") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-pear-4.3.8-8.23", release:"SUSE9.2") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-session-4.3.8-8.23", release:"SUSE9.2") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-sysvshm-4.3.8-8.23", release:"SUSE9.2") )
    {
     security_warning(0);
     exit(0);
    }
    # SUSE 9.3 package set: PHP 4 packages against reference build 4.3.10-14.20 and
    # PHP 5 packages against 5.0.3-14.20. The first rpm_check() that returns true
    # raises one security_warning and exits. If none matches, the script ends
    # without reporting.
    # NOTE(review): presumably rpm_check() is true when the installed package is
    # older than the reference build -- confirm against its definition.
    if ( rpm_check( reference:"apache2-mod_php4-4.3.10-14.20", release:"SUSE9.3") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"apache2-mod_php5-5.0.3-14.20", release:"SUSE9.3") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"mod_php4-servlet-4.3.10-14.20", release:"SUSE9.3") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-4.3.10-14.20", release:"SUSE9.3") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-devel-4.3.10-14.20", release:"SUSE9.3") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-exif-4.3.10-14.20", release:"SUSE9.3") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-fastcgi-4.3.10-14.20", release:"SUSE9.3") )
    {
     security_warning(0);
     exit(0);
    }
    # mbstring is the extension that provides mb_send_mail(), the function behind
    # the safe_mode item in this advisory.
    if ( rpm_check( reference:"php4-mbstring-4.3.10-14.20", release:"SUSE9.3") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-pear-4.3.10-14.20", release:"SUSE9.3") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-session-4.3.10-14.20", release:"SUSE9.3") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php4-sysvshm-4.3.10-14.20", release:"SUSE9.3") )
    {
     security_warning(0);
     exit(0);
    }
    # PHP 5 packages for the same release.
    if ( rpm_check( reference:"php5-5.0.3-14.20", release:"SUSE9.3") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php5-devel-5.0.3-14.20", release:"SUSE9.3") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php5-exif-5.0.3-14.20", release:"SUSE9.3") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php5-fastcgi-5.0.3-14.20", release:"SUSE9.3") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php5-mbstring-5.0.3-14.20", release:"SUSE9.3") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php5-pear-5.0.3-14.20", release:"SUSE9.3") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php5-sysvmsg-5.0.3-14.20", release:"SUSE9.3") )
    {
     security_warning(0);
     exit(0);
    }
    if ( rpm_check( reference:"php5-sysvshm-5.0.3-14.20", release:"SUSE9.3") )
    {
     security_warning(0);
     exit(0);
    }
    

Statements

contributor: Mark J Cox
lastmodified: 2006-08-30
organization: Red Hat
statement: We do not consider these to be security issues: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1