Vulnerabilities > CVE-2006-1490 - Unspecified vulnerability in PHP

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
php
nessus
exploit available

Summary

PHP before 5.1.3-RC1 might allow remote attackers to obtain portions of memory via crafted binary data sent to a script that processes user input in the html_entity_decode function and sends the encoded results back to the client, aka a "binary safety" issue. NOTE: this issue has been referred to as a "memory leak," but it is an information leak that discloses memory contents.

Exploit-Db

descriptionPHP 4.x/5.x Html_Entity_Decode() Information Disclosure Vulnerability. CVE-2006-1490. Remote exploit for php platform
idEDB-ID:27508
last seen2016-02-03
modified2006-03-29
published2006-03-29
reporterSamuel
sourcehttps://www.exploit-db.com/download/27508/
titlePHP 4.x/5.x Html_Entity_Decode Information Disclosure Vulnerability

Nessus

  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200605-08.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200605-08 (PHP: Multiple vulnerabilities) Several vulnerabilities were discovered on PHP4 and PHP5 by Infigo, Tonu Samuel and Maksymilian Arciemowicz. These included a buffer overflow in the wordwrap() function, restriction bypasses in the copy() and tempname() functions, a cross-site scripting issue in the phpinfo() function, a potential crash in the substr_compare() function and a memory leak in the non-binary-safe html_entity_decode() function. Impact : Remote attackers might be able to exploit these issues in PHP applications making use of the affected functions, potentially resulting in the execution of arbitrary code, Denial of Service, execution of scripted contents in the context of the affected site, security bypass or information leak. Workaround : There is no known workaround at this point.
    last seen2020-06-01
    modified2020-06-02
    plugin id21350
    published2006-05-13
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/21350
    titleGLSA-200605-08 : PHP: Multiple vulnerabilities
  • NASL familyCGI abuses
    NASL idPHP_4_4_3.NASL
    descriptionAccording to its banner, the version of PHP installed on the remote host is older than 4.4.3 / 5.1.4. Such versions may be affected by several issues, including a buffer overflow, heap corruption, and a flaw by which a variable may survive a call to
    last seen2020-06-01
    modified2020-06-02
    plugin id22268
    published2006-08-25
    reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22268
    titlePHP < 4.4.3 / 5.1.4 Multiple Vulnerabilities
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2006-063.NASL
    descriptionA vulnerability was discovered where the html_entity_decode() function would return a chunk of memory with length equal to the string supplied, which could include php code, php ini data, other user data, etc. Note that by default, Corporate 3.0 and Mandriva Linux LE2005 ship with magic_quotes_gpc on which seems to protect against this vulnerability
    last seen2020-06-01
    modified2020-06-02
    plugin id21178
    published2006-04-04
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/21178
    titleMandrake Linux Security Advisory : php (MDKSA-2006:063)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2006-0276.NASL
    descriptionUpdated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. The phpinfo() PHP function did not properly sanitize long strings. An attacker could use this to perform cross-site scripting attacks against sites that have publicly-available PHP scripts that call phpinfo(). (CVE-2006-0996) The html_entity_decode() PHP function was found to not be binary safe. An attacker could use this flaw to disclose a certain part of the memory. In order for this issue to be exploitable the target site would need to have a PHP script which called the
    last seen2020-06-01
    modified2020-06-02
    plugin id21897
    published2006-07-03
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/21897
    titleCentOS 3 / 4 : php (CESA-2006:0276)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2006-289.NASL
    descriptionThis update includes the latest release of PHP 5, version 5.1.4. This release includes fixes for several security issues and many bug fixes. The phpinfo() PHP function did not properly sanitize long strings. An attacker could use this to perform cross-site scripting attacks against sites that have publicly-available PHP scripts that call phpinfo(). (CVE-2006-0996) The html_entity_decode() PHP function was found to not be binary safe. An attacker could use this flaw to disclose a certain part of the memory. In order for this issue to be exploitable the target site would need to have a PHP script which called the
    last seen2020-06-01
    modified2020-06-02
    plugin id24083
    published2007-01-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24083
    titleFedora Core 5 : php-5.1.4-1 (2006-289)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2006-0276.NASL
    descriptionUpdated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. The phpinfo() PHP function did not properly sanitize long strings. An attacker could use this to perform cross-site scripting attacks against sites that have publicly-available PHP scripts that call phpinfo(). (CVE-2006-0996) The html_entity_decode() PHP function was found to not be binary safe. An attacker could use this flaw to disclose a certain part of the memory. In order for this issue to be exploitable the target site would need to have a PHP script which called the
    last seen2020-06-01
    modified2020-06-02
    plugin id21287
    published2006-04-26
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/21287
    titleRHEL 3 / 4 : php (RHSA-2006:0276)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-320-1.NASL
    descriptionThe phpinfo() PHP function did not properly sanitize long strings. A remote attacker could use this to perform cross-site scripting attacks against sites that have publicly-available PHP scripts that call phpinfo(). Please note that it is not recommended to publicly expose phpinfo(). (CVE-2006-0996) An information disclosure has been reported in the html_entity_decode() function. A script which uses this function to process arbitrary user-supplied input could be exploited to expose a random part of memory, which could potentially reveal sensitive data. (CVE-2006-1490) The wordwrap() function did not sufficiently check the validity of the
    last seen2020-06-01
    modified2020-06-02
    plugin id27897
    published2007-11-10
    reporterUbuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/27897
    titleUbuntu 5.04 / 5.10 / 6.06 LTS : php4, php5 vulnerabilities (USN-320-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SA_2006_024.NASL
    descriptionThe remote host is missing the patch for the advisory SUSE-SA:2006:024 (php4,php5). This update fixes the following security issues in the scripting languages PHP4 and PHP5: - copy() and tempnam() functions could bypass open_basedir restrictions (CVE-2006-1494) - Cross-Site-Scripting (XSS) bug in phpinfo() (CVE-2006-0996) - mb_send_mail() lacked safe_mode checks (CVE-2006-1014, CVE-2006-1015) - html_entity_decode() could expose memory content (CVE-2006-1490)
    last seen2019-10-28
    modified2006-05-13
    plugin id21369
    published2006-05-13
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/21369
    titleSUSE-SA:2006:024: php4,php5

Oval

accepted2013-04-29T04:11:22.811-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
    ovaloval:org.mitre.oval:def:11782
  • commentCentOS Linux 3.x
    ovaloval:org.mitre.oval:def:16651
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
    ovaloval:org.mitre.oval:def:11831
  • commentCentOS Linux 4.x
    ovaloval:org.mitre.oval:def:16636
  • commentOracle Linux 4.x
    ovaloval:org.mitre.oval:def:15990
descriptionPHP before 5.1.3-RC1 might allow remote attackers to obtain portions of memory via crafted binary data sent to a script that processes user input in the html_entity_decode function and sends the encoded results back to the client, aka a "binary safety" issue. NOTE: this issue has been referred to as a "memory leak," but it is an information leak that discloses memory contents.
familyunix
idoval:org.mitre.oval:def:11084
statusaccepted
submitted2010-07-09T03:56:16-04:00
titlePHP before 5.1.3-RC1 might allow remote attackers to obtain portions of memory via crafted binary data sent to a script that processes user input in the html_entity_decode function and sends the encoded results back to the client, aka a "binary safety" issue. NOTE: this issue has been referred to as a "memory leak," but it is an information leak that discloses memory contents.
version26

Redhat

advisories
bugzilla
id187510
titleCVE-2006-0996 phpinfo() XSS issue
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 4 is installed
      ovaloval:com.redhat.rhba:tst:20070304025
    • OR
      • AND
        • commentphp-imap is earlier than 0:4.3.9-3.12
          ovaloval:com.redhat.rhsa:tst:20060276001
        • commentphp-imap is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20060276002
      • AND
        • commentphp-pgsql is earlier than 0:4.3.9-3.12
          ovaloval:com.redhat.rhsa:tst:20060276003
        • commentphp-pgsql is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20060276004
      • AND
        • commentphp-xmlrpc is earlier than 0:4.3.9-3.12
          ovaloval:com.redhat.rhsa:tst:20060276005
        • commentphp-xmlrpc is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20060276006
      • AND
        • commentphp-odbc is earlier than 0:4.3.9-3.12
          ovaloval:com.redhat.rhsa:tst:20060276007
        • commentphp-odbc is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20060276008
      • AND
        • commentphp-mysql is earlier than 0:4.3.9-3.12
          ovaloval:com.redhat.rhsa:tst:20060276009
        • commentphp-mysql is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20060276010
      • AND
        • commentphp is earlier than 0:4.3.9-3.12
          ovaloval:com.redhat.rhsa:tst:20060276011
        • commentphp is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20060276012
      • AND
        • commentphp-snmp is earlier than 0:4.3.9-3.12
          ovaloval:com.redhat.rhsa:tst:20060276013
        • commentphp-snmp is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20060276014
      • AND
        • commentphp-ncurses is earlier than 0:4.3.9-3.12
          ovaloval:com.redhat.rhsa:tst:20060276015
        • commentphp-ncurses is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20060276016
      • AND
        • commentphp-pear is earlier than 0:4.3.9-3.12
          ovaloval:com.redhat.rhsa:tst:20060276017
        • commentphp-pear is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20060276018
      • AND
        • commentphp-mbstring is earlier than 0:4.3.9-3.12
          ovaloval:com.redhat.rhsa:tst:20060276019
        • commentphp-mbstring is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20060276020
      • AND
        • commentphp-domxml is earlier than 0:4.3.9-3.12
          ovaloval:com.redhat.rhsa:tst:20060276021
        • commentphp-domxml is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20060276022
      • AND
        • commentphp-ldap is earlier than 0:4.3.9-3.12
          ovaloval:com.redhat.rhsa:tst:20060276023
        • commentphp-ldap is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20060276024
      • AND
        • commentphp-gd is earlier than 0:4.3.9-3.12
          ovaloval:com.redhat.rhsa:tst:20060276025
        • commentphp-gd is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20060276026
      • AND
        • commentphp-devel is earlier than 0:4.3.9-3.12
          ovaloval:com.redhat.rhsa:tst:20060276027
        • commentphp-devel is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20060276028
rhsa
idRHSA-2006:0276
released2006-04-25
severityModerate
titleRHSA-2006:0276: php security update (Moderate)
rpms
  • php-0:4.3.2-30.ent
  • php-0:4.3.9-3.12
  • php-debuginfo-0:4.3.2-30.ent
  • php-debuginfo-0:4.3.9-3.12
  • php-devel-0:4.3.2-30.ent
  • php-devel-0:4.3.9-3.12
  • php-domxml-0:4.3.9-3.12
  • php-gd-0:4.3.9-3.12
  • php-imap-0:4.3.2-30.ent
  • php-imap-0:4.3.9-3.12
  • php-ldap-0:4.3.2-30.ent
  • php-ldap-0:4.3.9-3.12
  • php-mbstring-0:4.3.9-3.12
  • php-mysql-0:4.3.2-30.ent
  • php-mysql-0:4.3.9-3.12
  • php-ncurses-0:4.3.9-3.12
  • php-odbc-0:4.3.2-30.ent
  • php-odbc-0:4.3.9-3.12
  • php-pear-0:4.3.9-3.12
  • php-pgsql-0:4.3.2-30.ent
  • php-pgsql-0:4.3.9-3.12
  • php-snmp-0:4.3.9-3.12
  • php-xmlrpc-0:4.3.9-3.12

Seebug

bulletinFamilyexploit
descriptionApple Mac OS X是一款基于BSD的操作系统。 Apple Mac OS X存在多个安全问题,远程和本地攻击者可以利用漏洞进行恶意代码执行,拒绝服务攻击,特权提升,覆盖文件,获得敏感信息等攻击。 具体问题如下: AirPort-CVE-ID: CVE-2006-5710: AirPort无线驱动不正确处理应答帧,可导致基于堆的溢出。 ATS-CVE-ID: CVE-2006-4396: Apple Type服务不安全建立错误日至可导致任意文件覆盖。 ATS-CVE-ID: CVE-2006-4398: Apple Type服务存在多个缓冲区溢出,可导致以高权限执行任意代码。 ATS-CVE-ID: CVE-2006-4400: 利用特殊的字体文件,可导致任意代码执行。 CFNetwork-CVE-ID: CVE-2006-4401: 通过诱使用户访问恶意ftp URI,可导致任意ftp命令执行。 ClamAV-CVE-ID: CVE-2006-4182: 恶意email消息可导致ClamAV执行任意代码。 Finder-CVE-ID: CVE-2006-4402: 通过浏览共享目录可导致应用程序崩溃或执行任意代码。 ftpd-CVE-ID: CVE-2006-4403: 当ftp访问启用时,未授权用户可判别合法的账户名。 gnuzip-CVE-ID: CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338: gunzip处理压缩文件存在多个问题,可导致应用程序崩溃或执行任意指令。 Installer-CVE-ID: CVE-2006-4404: 当以管理用户安装软件时,系统权限可能被未授权利用。 OpenSSL-CVE-ID: CVE-2006-2937, CVE-2006-2940, CVE-2006-3738, CVE-2006-4339, CVE-2006-4343: OpenSSL存在多个安全问题可导致任意代码执行或者获得敏感信息。 perl-CVE-ID: CVE-2005-3962: 不安全处理字符串,可导致Perl应用程序执行任意代码。 PHP-CVE-ID: CVE-2006-1490, CVE-2006-1990: Php应用程序存在多个问题,可导致拒绝服务或执行任意代码。 PHP-CVE-ID: CVE-2006-5465: PHP的htmlentities()和htmlspecialchars()函数存在缓冲区溢出,可导致任意代码执行。 PPP-CVE-ID: CVE-2006-4406: 在不可信的本地网络上使用PPPoE可导致任意代码执行。 Samba-CVE-ID: CVE-2006-3403: 当Windows共享使用时,远程攻击者可进行拒绝服务攻击。 Security Framework-CVE-ID: CVE-2006-4407: 不安全的传送方法可导致不协商最安全的加密信息。 Security Framework-CVE-ID: CVE-2006-4408: 处理X.509证书时可导致拒绝服务攻击。 Security Framework-CVE-ID: CVE-2006-4409: 当使用http代理时,证书废弃列表不能获得。 Security Framework-CVE-ID: CVE-2006-4410: 部分调用证书错误的被授权。 VPN-CVE-ID: CVE-2006-4411: 恶意本地用户可获得系统特权。 WebKit-CVE-ID: CVE-2006-4412: 通过诱使用户浏览恶意web页执行任意代码。 Apple Mac OS X Server 10.4.8 Apple Mac OS X Server 10.4.7 Apple Mac OS X Server 10.4.6 Apple Mac OS X Server 10.4.5 Apple Mac OS X Server 10.4.4 Apple Mac OS X Server 10.4.3 Apple Mac OS X Server 10.4.2 Apple Mac OS X Server 10.4.1 Apple Mac OS X Server 10.4 Apple Mac OS X Server 10.3.9 Apple Mac OS X Server 10.3.8 Apple Mac OS X Server 10.3.7 Apple Mac OS X Server 10.3.6 Apple Mac OS X Server 10.3.5 Apple Mac OS X Server 10.3.4 Apple Mac OS X Server 10.3.3 Apple Mac OS X Server 10.3.2 Apple Mac OS X Server 10.3.1 Apple Mac OS X Server 10.3 Apple Mac OS X Server 10.2.8 Apple Mac OS X Server 10.2.7 Apple Mac OS X Server 10.2.6 Apple Mac OS X Server 10.2.5 Apple Mac OS X Server 10.2.4 Apple Mac OS X Server 10.2.3 Apple Mac OS X Server 10.2.2 Apple Mac OS X Server 10.2.1 Apple Mac OS X Server 10.2 Apple Mac OS X Server 10.1.5 Apple Mac OS X Server 10.1.4 Apple Mac OS X Server 10.1.3 Apple Mac OS X Server 10.1.2 Apple Mac OS X Server 10.1.1 Apple Mac OS X Server 10.1 Apple Mac OS X Server 10.0 Apple Mac OS X 10.4.8 Apple Mac OS X 10.4.7 Apple Mac OS X 10.4.6 Apple Mac OS X 10.4.5 Apple Mac OS X 10.4.4 Apple Mac OS X 10.4.3 Apple Mac OS X 10.4.2 Apple Mac OS X 10.4.1 Apple Mac OS X 10.4 Apple Mac OS X 10.3.9 Apple Mac OS X 10.3.8 Apple Mac OS X 10.3.7 Apple Mac OS X 10.3.6 Apple Mac OS X 10.3.5 Apple Mac OS X 10.3.4 Apple Mac OS X 10.3.3 Apple Mac OS X 10.3.2 Apple Mac OS X 10.3.1 Apple Mac OS X 10.3 Apple Mac OS X 10.2.8 Apple Mac OS X 10.2.7 Apple Mac OS X 10.2.6 Apple Mac OS X 10.2.5 Apple Mac OS X 10.2.4 Apple Mac OS X 10.2.3 Apple Mac OS X 10.2.2 Apple Mac OS X 10.2.1 Apple Mac OS X 10.2 Apple Mac OS X 10.1.5 Apple Mac OS X 10.1.4 Apple Mac OS X 10.1.3 Apple Mac OS X 10.1.2 Apple Mac OS X 10.1.1 Apple Mac OS X 10.1 Apple Mac OS X 10.1 Apple Mac OS X 10.0.4 Apple Mac OS X 10.0.3 Apple Mac OS X 10.0.2 Apple Mac OS X 10.0.1 Apple Mac OS X 10.0 3 Apple Mac OS X 10.0 <a href="http://docs.info.apple.com/article.html?artnum=304829" target="_blank">http://docs.info.apple.com/article.html?artnum=304829</a>
idSSV:623
last seen2017-11-19
modified2006-11-29
published2006-11-29
reporterRoot
titleApple Mac OS X 2006-007存在多个安全漏洞

References