Vulnerabilities > CVE-2006-1494 - Unspecified vulnerability in PHP

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
php
nessus
exploit available

Summary

Directory traversal vulnerability in file.c in PHP 4.4.2 and 5.1.2 allows local users to bypass open_basedir restrictions allows remote attackers to create files in arbitrary directories via the tempnam function.

Exploit-Db

descriptionPHP 4.x tempnam() Function open_basedir Restriction Bypass. CVE-2006-1494. Remote exploit for php platform
idEDB-ID:27595
last seen2016-02-03
modified2006-04-10
published2006-04-10
reporterMaksymilian Arciemowicz
sourcehttps://www.exploit-db.com/download/27595/
titlePHP 4.x tempnam Function open_basedir Restriction Bypass

Nessus

  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2006-0568.NASL
    descriptionUpdated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A directory traversal vulnerability was found in PHP. Local users could bypass open_basedir restrictions allowing remote attackers to create files in arbitrary directories via the tempnam() function. (CVE-2006-1494) The wordwrap() PHP function did not properly check for integer overflow in the handling of the
    last seen2020-06-01
    modified2020-06-02
    plugin id22037
    published2006-07-13
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22037
    titleCentOS 3 / 4 : php (CESA-2006:0568)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2006-0567.NASL
    descriptionUpdated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 2.1 This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A flaw was found in the zend_hash_del() PHP function. For PHP scripts that rely on the use of the unset() function, a remote attacker could force variable initialization to be bypassed. This would be a security issue particularly for installations that enable the
    last seen2020-06-01
    modified2020-06-02
    plugin id22110
    published2006-07-28
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22110
    titleRHEL 2.1 : php (RHSA-2006:0567)
  • NASL familyCGI abuses
    NASL idPHP_4_4_3.NASL
    descriptionAccording to its banner, the version of PHP installed on the remote host is older than 4.4.3 / 5.1.4. Such versions may be affected by several issues, including a buffer overflow, heap corruption, and a flaw by which a variable may survive a call to
    last seen2020-06-01
    modified2020-06-02
    plugin id22268
    published2006-08-25
    reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22268
    titlePHP < 4.4.3 / 5.1.4 Multiple Vulnerabilities
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2006-0568.NASL
    descriptionUpdated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A directory traversal vulnerability was found in PHP. Local users could bypass open_basedir restrictions allowing remote attackers to create files in arbitrary directories via the tempnam() function. (CVE-2006-1494) The wordwrap() PHP function did not properly check for integer overflow in the handling of the
    last seen2020-06-01
    modified2020-06-02
    plugin id22044
    published2006-07-13
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22044
    titleRHEL 3 / 4 : php (RHSA-2006:0568)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2006-196.NASL
    descriptionThe Hardened-PHP Project discovered buffer overflows in htmlentities/htmlspecialchars internal routines to the PHP Project. The purpose of these functions is to be filled with user input. (The overflow can only be when UTF-8 is used) (CVE-2006-5465) Unspecified vulnerabilities in PHP, probably before 5.2.0, allow local users to bypass open_basedir restrictions and perform unspecified actions via unspecified vectors involving the (1) chdir and (2) tempnam functions. NOTE: the tempnam vector might overlap CVE-2006-1494. (CVE-2006-5706) Updated packages have been patched to correct these issues. Users must restart Apache for the changes to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id24581
    published2007-02-18
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24581
    titleMandrake Linux Security Advisory : php (MDKSA-2006:196)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-320-1.NASL
    descriptionThe phpinfo() PHP function did not properly sanitize long strings. A remote attacker could use this to perform cross-site scripting attacks against sites that have publicly-available PHP scripts that call phpinfo(). Please note that it is not recommended to publicly expose phpinfo(). (CVE-2006-0996) An information disclosure has been reported in the html_entity_decode() function. A script which uses this function to process arbitrary user-supplied input could be exploited to expose a random part of memory, which could potentially reveal sensitive data. (CVE-2006-1490) The wordwrap() function did not sufficiently check the validity of the
    last seen2020-06-01
    modified2020-06-02
    plugin id27897
    published2007-11-10
    reporterUbuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/27897
    titleUbuntu 5.04 / 5.10 / 6.06 LTS : php4, php5 vulnerabilities (USN-320-1)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2006-074.NASL
    descriptionA cross-site scripting (XSS) vulnerability in phpinfo (info.c) in PHP <= 5.1.2 allows remote attackers to inject arbitrary web script or HTML via long array variables, including (1) a large number of dimensions or (2) long values, which prevents HTML tags from being removed. (CVE-2006-0996) Directory traversal vulnerability in file.c in PHP <= 5.1.2 allows local users to bypass open_basedir restrictions and allows remote attackers to create files in arbitrary directories via the tempnam function. (CVE-2006-1494) The copy function in file.c in PHP <= 5.1.2 allows local users to bypass safe mode and read arbitrary files via a source argument containing a compress.zlib:// URI. (CVE-2006-1608) Updated packages have been patched to address these issues. After upgrading these packages, please run
    last seen2020-06-01
    modified2020-06-02
    plugin id21281
    published2006-04-26
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/21281
    titleMandrake Linux Security Advisory : php (MDKSA-2006:074)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SA_2006_024.NASL
    descriptionThe remote host is missing the patch for the advisory SUSE-SA:2006:024 (php4,php5). This update fixes the following security issues in the scripting languages PHP4 and PHP5: - copy() and tempnam() functions could bypass open_basedir restrictions (CVE-2006-1494) - Cross-Site-Scripting (XSS) bug in phpinfo() (CVE-2006-0996) - mb_send_mail() lacked safe_mode checks (CVE-2006-1014, CVE-2006-1015) - html_entity_decode() could expose memory content (CVE-2006-1490)
    last seen2019-10-28
    modified2006-05-13
    plugin id21369
    published2006-05-13
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/21369
    titleSUSE-SA:2006:024: php4,php5

Oval

accepted2013-04-29T04:03:18.320-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
    ovaloval:org.mitre.oval:def:11782
  • commentCentOS Linux 3.x
    ovaloval:org.mitre.oval:def:16651
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
    ovaloval:org.mitre.oval:def:11831
  • commentCentOS Linux 4.x
    ovaloval:org.mitre.oval:def:16636
  • commentOracle Linux 4.x
    ovaloval:org.mitre.oval:def:15990
descriptionDirectory traversal vulnerability in file.c in PHP 4.4.2 and 5.1.2 allows local users to bypass open_basedir restrictions allows remote attackers to create files in arbitrary directories via the tempnam function.
familyunix
idoval:org.mitre.oval:def:10196
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleDirectory traversal vulnerability in file.c in PHP 4.4.2 and 5.1.2 allows local users to bypass open_basedir restrictions allows remote attackers to create files in arbitrary directories via the tempnam function.
version26

Redhat

advisories
  • rhsa
    idRHSA-2006:0549
  • rhsa
    idRHSA-2006:0567
  • rhsa
    idRHSA-2006:0568
rpms
  • php-0:4.3.2-33.ent
  • php-0:4.3.9-3.15
  • php-debuginfo-0:4.3.2-33.ent
  • php-debuginfo-0:4.3.9-3.15
  • php-devel-0:4.3.2-33.ent
  • php-devel-0:4.3.9-3.15
  • php-domxml-0:4.3.9-3.15
  • php-gd-0:4.3.9-3.15
  • php-imap-0:4.3.2-33.ent
  • php-imap-0:4.3.9-3.15
  • php-ldap-0:4.3.2-33.ent
  • php-ldap-0:4.3.9-3.15
  • php-mbstring-0:4.3.9-3.15
  • php-mysql-0:4.3.2-33.ent
  • php-mysql-0:4.3.9-3.15
  • php-ncurses-0:4.3.9-3.15
  • php-odbc-0:4.3.2-33.ent
  • php-odbc-0:4.3.9-3.15
  • php-pear-0:4.3.9-3.15
  • php-pgsql-0:4.3.2-33.ent
  • php-pgsql-0:4.3.9-3.15
  • php-snmp-0:4.3.9-3.15
  • php-xmlrpc-0:4.3.9-3.15

Statements

contributorMark J Cox
lastmodified2006-08-30
organizationRed Hat
statementThis issue did not affect the versions of OpenSSH as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.

References