Vulnerabilities > CVE-2006-4482 - Out-of-bounds Write vulnerability in multiple products
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Multiple heap-based buffer overflows in the (1) str_repeat and (2) wordwrap functions in ext/standard/string.c in PHP before 5.1.5, when used on a 64-bit system, have unspecified impact and attack vectors, a different vulnerability than CVE-2006-1990.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2006-122.NASL description Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function. One instance in gd_io_dp.c does not appear to be corrected in the embedded copy of GD used in php to build the php-gd package. (CVE-2004-0941) Integer overflows were reported in the GD Graphics Library (libgd) 2.0.28, and possibly other versions. These overflows allow remote attackers to cause a denial of service and possibly execute arbitrary code via PNG image files with large image rows values that lead to a heap-based buffer overflow in the gdImageCreateFromPngCtx() function. PHP, as packaged in Mandriva Linux, contains an embedded copy of the GD library, used to build the php-gd package. (CVE-2004-0990) The c-client library 2000, 2001, or 2004 for PHP 3.x, 4.x, and 5.x, when used in applications that accept user-controlled input for the mailbox argument to the imap_open function, allow remote attackers to obtain access to an IMAP stream data structure and conduct unauthorized IMAP actions. (CVE-2006-1017) Integer overflow in the wordwrap function in string.c in might allow context-dependent attackers to execute arbitrary code via certain long arguments that cause a small buffer to be allocated, which triggers a heap-based buffer overflow in a memcpy function call, a different vulnerability than CVE-2002-1396. (CVE-2006-1990) The previous update for this issue did not resolve the issue on 64bit platforms. The cURL library (libcurl) in PHP 4.4.2 and 5.1.4 allows attackers to bypass safe mode and read files via a file:// request containing nul characters. (CVE-2006-2563) Buffer consumption vulnerability in the tempnam function in PHP 5.1.4 and 4.x before 4.4.3 allows local users to bypass restrictions and create PHP files with fixed names in other directories via a pathname argument longer than MAXPATHLEN, which prevents a unique string from being appended to the filename. (CVE-2006-2660) The LZW decoding in the gdImageCreateFromGifPtr function in the Thomas Boutell graphics draw (GD) library (aka libgd) 2.0.33 allows remote attackers to cause a denial of service (CPU consumption) via malformed GIF data that causes an infinite loop. PHP, as packaged in Mandriva Linux, contains an embedded copy of the GD library, used to build the php-gd package. (CVE-2006-2906) The error_log function in PHP allows local users to bypass safe mode and open_basedir restrictions via a last seen 2020-06-01 modified 2020-06-02 plugin id 22053 published 2006-07-17 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/22053 title Mandrake Linux Security Advisory : php (MDKSA-2006:122) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2006:122. # The text itself is copyright (C) Mandriva S.A. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(22053); script_version ("1.18"); script_cvs_date("Date: 2019/08/02 13:32:48"); script_cve_id("CVE-2004-0941", "CVE-2004-0990", "CVE-2006-1017", "CVE-2006-1990", "CVE-2006-1991", "CVE-2006-2563", "CVE-2006-2660", "CVE-2006-2906", "CVE-2006-3011", "CVE-2006-3016", "CVE-2006-3017", "CVE-2006-3018", "CVE-2006-4482", "CVE-2006-4483", "CVE-2006-4486"); script_bugtraq_id(11523); script_xref(name:"MDKSA", value:"2006:122"); script_name(english:"Mandrake Linux Security Advisory : php (MDKSA-2006:122)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandrake Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function. One instance in gd_io_dp.c does not appear to be corrected in the embedded copy of GD used in php to build the php-gd package. (CVE-2004-0941) Integer overflows were reported in the GD Graphics Library (libgd) 2.0.28, and possibly other versions. These overflows allow remote attackers to cause a denial of service and possibly execute arbitrary code via PNG image files with large image rows values that lead to a heap-based buffer overflow in the gdImageCreateFromPngCtx() function. PHP, as packaged in Mandriva Linux, contains an embedded copy of the GD library, used to build the php-gd package. (CVE-2004-0990) The c-client library 2000, 2001, or 2004 for PHP 3.x, 4.x, and 5.x, when used in applications that accept user-controlled input for the mailbox argument to the imap_open function, allow remote attackers to obtain access to an IMAP stream data structure and conduct unauthorized IMAP actions. (CVE-2006-1017) Integer overflow in the wordwrap function in string.c in might allow context-dependent attackers to execute arbitrary code via certain long arguments that cause a small buffer to be allocated, which triggers a heap-based buffer overflow in a memcpy function call, a different vulnerability than CVE-2002-1396. (CVE-2006-1990) The previous update for this issue did not resolve the issue on 64bit platforms. The cURL library (libcurl) in PHP 4.4.2 and 5.1.4 allows attackers to bypass safe mode and read files via a file:// request containing nul characters. (CVE-2006-2563) Buffer consumption vulnerability in the tempnam function in PHP 5.1.4 and 4.x before 4.4.3 allows local users to bypass restrictions and create PHP files with fixed names in other directories via a pathname argument longer than MAXPATHLEN, which prevents a unique string from being appended to the filename. (CVE-2006-2660) The LZW decoding in the gdImageCreateFromGifPtr function in the Thomas Boutell graphics draw (GD) library (aka libgd) 2.0.33 allows remote attackers to cause a denial of service (CPU consumption) via malformed GIF data that causes an infinite loop. PHP, as packaged in Mandriva Linux, contains an embedded copy of the GD library, used to build the php-gd package. (CVE-2006-2906) The error_log function in PHP allows local users to bypass safe mode and open_basedir restrictions via a 'php://' or other scheme in the third argument, which disables safe mode. (CVE-2006-3011) An unspecified vulnerability in session.c in PHP before 5.1.3 has unknown impact and attack vectors, related to 'certain characters in session names', including special characters that are frequently associated with CRLF injection, SQL injection, and cross-site scripting (XSS) vulnerabilities. NOTE: while the nature of the vulnerability is unspecified, it is likely that this is related to a violation of an expectation by PHP applications that the session name is alphanumeric, as implied in the PHP manual for session_name(). (CVE-2006-3016) An unspecified vulnerability in PHP before 5.1.3 can prevent a variable from being unset even when the unset function is called, which might cause the variable's value to be used in security-relevant operations. (CVE-2006-3017) An unspecified vulnerability in the session extension functionality in PHP before 5.1.3 has unkown impact and attack vectors related to heap corruption. (CVE-2006-3018) Multiple heap-based buffer overflows in the (1) str_repeat and (2) wordwrap functions in ext/standard/string.c in PHP before 5.1.5, when used on a 64-bit system, have unspecified impact and attack vectors, a different vulnerability than CVE-2006-1990. (CVE-2006-4482) The cURL extension files (1) ext/curl/interface.c and (2) ext/curl/streams.c in PHP before 5.1.5 permit the CURLOPT_FOLLOWLOCATION option when open_basedir or safe_mode is enabled, which allows attackers to perform unauthorized actions, possibly related to the realpath cache. (CVE-2006-4483) Unspecified vulnerability in PHP before 5.1.6, when running on a 64-bit system, has unknown impact and attack vectors related to the memory_limit restriction. (CVE-2006-4486) The GD related issues (CVE-2004-0941, CVE-2004-0990, CVE-2006-2906) affect only Corporate 3 and Mandrake Network Firewall 2. The php-curl issues (CVE-2006-2563, CVE-2006-4483) affect only Mandriva 2006.0. Updated packages have been patched to address all these issues. Once these packages have been installed, you will need to restart Apache (service httpd restart) in order for the changes to take effect." ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:ND"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64php5_common5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64php_common432"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libphp5_common5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libphp_common432"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-cgi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-cli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-fcgi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-imap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php432-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006"); script_set_attribute(attribute:"cpe", value:"x-cpe:/o:mandrakesoft:mandrake_linux:le2005"); script_set_attribute(attribute:"patch_publication_date", value:"2006/07/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/07/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK10.2", cpu:"x86_64", reference:"lib64php_common432-4.3.10-7.14.102mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.2", cpu:"i386", reference:"libphp_common432-4.3.10-7.14.102mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.2", reference:"php-cgi-4.3.10-7.14.102mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.2", reference:"php-cli-4.3.10-7.14.102mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.2", reference:"php-imap-4.3.10-6.3.102mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.2", reference:"php432-devel-4.3.10-7.14.102mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK2006.0", cpu:"x86_64", reference:"lib64php5_common5-5.0.4-9.12.20060mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"libphp5_common5-5.0.4-9.12.20060mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK2006.0", reference:"php-cgi-5.0.4-9.12.20060mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK2006.0", reference:"php-cli-5.0.4-9.12.20060mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK2006.0", reference:"php-curl-5.0.4-1.3.20060mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK2006.0", reference:"php-devel-5.0.4-9.12.20060mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK2006.0", reference:"php-fcgi-5.0.4-9.12.20060mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK2006.0", reference:"php-imap-5.0.4-2.3.20060mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1206.NASL description Several remote vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2005-3353 Tim Starling discovered that missing input sanitising in the EXIF module could lead to denial of service. - CVE-2006-3017 Stefan Esser discovered a security-critical programming error in the hashtable implementation of the internal Zend engine. - CVE-2006-4482 It was discovered that str_repeat() and wordwrap() functions perform insufficient checks for buffer boundaries on 64 bit systems, which might lead to the execution of arbitrary code. - CVE-2006-5465 Stefan Esser discovered a buffer overflow in the htmlspecialchars() and htmlentities(), which might lead to the execution of arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 23655 published 2006-11-20 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/23655 title Debian DSA-1206-1 : php4 - several vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-1206. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(23655); script_version("1.16"); script_cvs_date("Date: 2019/08/02 13:32:20"); script_cve_id("CVE-2005-3353", "CVE-2006-3017", "CVE-2006-4482", "CVE-2006-5465"); script_xref(name:"DSA", value:"1206"); script_name(english:"Debian DSA-1206-1 : php4 - several vulnerabilities"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Several remote vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2005-3353 Tim Starling discovered that missing input sanitising in the EXIF module could lead to denial of service. - CVE-2006-3017 Stefan Esser discovered a security-critical programming error in the hashtable implementation of the internal Zend engine. - CVE-2006-4482 It was discovered that str_repeat() and wordwrap() functions perform insufficient checks for buffer boundaries on 64 bit systems, which might lead to the execution of arbitrary code. - CVE-2006-5465 Stefan Esser discovered a buffer overflow in the htmlspecialchars() and htmlentities(), which might lead to the execution of arbitrary code." ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-3353" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-3017" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-4482" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-5465" ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2006/dsa-1206" ); script_set_attribute( attribute:"solution", value: "Upgrade the php4 packages. For the stable distribution (sarge) these problems have been fixed in version 4:4.3.10-18. Builds for hppa and m68k will be provided later once they are available." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_cwe_id(119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php4"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1"); script_set_attribute(attribute:"patch_publication_date", value:"2006/11/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/11/20"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/10/02"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.1", prefix:"libapache-mod-php4", reference:"4:4.3.10-18")) flag++; if (deb_check(release:"3.1", prefix:"libapache2-mod-php4", reference:"4:4.3.10-18")) flag++; if (deb_check(release:"3.1", prefix:"php4", reference:"4:4.3.10-18")) flag++; if (deb_check(release:"3.1", prefix:"php4-cgi", reference:"4:4.3.10-18")) flag++; if (deb_check(release:"3.1", prefix:"php4-cli", reference:"4:4.3.10-18")) flag++; if (deb_check(release:"3.1", prefix:"php4-common", reference:"4:4.3.10-18")) flag++; if (deb_check(release:"3.1", prefix:"php4-curl", reference:"4:4.3.10-18")) flag++; if (deb_check(release:"3.1", prefix:"php4-dev", reference:"4:4.3.10-18")) flag++; if (deb_check(release:"3.1", prefix:"php4-domxml", reference:"4:4.3.10-18")) flag++; if (deb_check(release:"3.1", prefix:"php4-gd", reference:"4:4.3.10-18")) flag++; if (deb_check(release:"3.1", prefix:"php4-imap", reference:"4:4.3.10-18")) flag++; if (deb_check(release:"3.1", prefix:"php4-ldap", reference:"4:4.3.10-18")) flag++; if (deb_check(release:"3.1", prefix:"php4-mcal", reference:"4:4.3.10-18")) flag++; if (deb_check(release:"3.1", prefix:"php4-mhash", reference:"4:4.3.10-18")) flag++; if (deb_check(release:"3.1", prefix:"php4-mysql", reference:"4:4.3.10-18")) flag++; if (deb_check(release:"3.1", prefix:"php4-odbc", reference:"4:4.3.10-18")) flag++; if (deb_check(release:"3.1", prefix:"php4-pear", reference:"4:4.3.10-18")) flag++; if (deb_check(release:"3.1", prefix:"php4-recode", reference:"4:4.3.10-18")) flag++; if (deb_check(release:"3.1", prefix:"php4-snmp", reference:"4:4.3.10-18")) flag++; if (deb_check(release:"3.1", prefix:"php4-sybase", reference:"4:4.3.10-18")) flag++; if (deb_check(release:"3.1", prefix:"php4-xslt", reference:"4:4.3.10-18")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family SuSE Local Security Checks NASL id SUSE_SA_2006_052.NASL description The remote host is missing the patch for the advisory SUSE-SA:2006:052 (php4,php5). Various security problems have been fixed in the PHP script language engine and its modules, versions 4 and 5. The PHP4 updated packages were released on September 12, the PHP5 update packages were released on September 20. The following security problems were fixed, with respective Mitre CVE ID: - The CURL module lacked checks for control characters (CVE-2006-2563) - A potential basedir evasion in the CURL module (CVE-2006-4483) - basedir and safemode evasion in the IMAP module (CVE-2006-4481) - str_repeat() contained an integer overflow (CVE-2006-4482) - GIF LZWReadByte overflow in the GD extension (CVE-2006-4484) - ext/wddx contained a buffer overflow - memory_limit() lacked checks for integer overflows - fixed memory overflow in foreach (CVE-2006-4482) - a bug in sscanf() could potentially be exploited to execute arbitrary code (CVE-2006-4020) last seen 2019-10-28 modified 2007-02-18 plugin id 24430 published 2007-02-18 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24430 title SUSE-SA:2006:052: php4,php5 code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # This plugin text was extracted from SuSE Security Advisory SUSE-SA:2006:052 # if ( ! defined_func("bn_random") ) exit(0); include("compat.inc"); if(description) { script_id(24430); script_version ("1.9"); name["english"] = "SUSE-SA:2006:052: php4,php5"; script_name(english:name["english"]); script_set_attribute(attribute:"synopsis", value: "The remote host is missing a vendor-supplied security patch" ); script_set_attribute(attribute:"description", value: "The remote host is missing the patch for the advisory SUSE-SA:2006:052 (php4,php5). Various security problems have been fixed in the PHP script language engine and its modules, versions 4 and 5. The PHP4 updated packages were released on September 12, the PHP5 update packages were released on September 20. The following security problems were fixed, with respective Mitre CVE ID: - The CURL module lacked checks for control characters (CVE-2006-2563) - A potential basedir evasion in the CURL module (CVE-2006-4483) - basedir and safemode evasion in the IMAP module (CVE-2006-4481) - str_repeat() contained an integer overflow (CVE-2006-4482) - GIF LZWReadByte overflow in the GD extension (CVE-2006-4484) - ext/wddx contained a buffer overflow - memory_limit() lacked checks for integer overflows - fixed memory overflow in foreach (CVE-2006-4482) - a bug in sscanf() could potentially be exploited to execute arbitrary code (CVE-2006-4020)" ); script_set_attribute(attribute:"solution", value: "http://www.novell.com/linux/security/advisories/2006_52_php.html" ); script_set_attribute(attribute:"risk_factor", value:"Medium" ); script_set_attribute(attribute:"plugin_publication_date", value: "2007/02/18"); script_end_attributes(); summary["english"] = "Check for the version of the php4,php5 package"; script_summary(english:summary["english"]); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); family["english"] = "SuSE Local Security Checks"; script_family(english:family["english"]); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/SuSE/rpm-list"); exit(0); } include("rpm.inc"); if ( rpm_check( reference:"apache2-mod_php4-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"apache2-mod_php5-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-curl-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-devel-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-exif-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-fastcgi-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-gd-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-imap-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-mbstring-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-pgsql-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-servlet-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-session-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-unixODBC-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-wddx-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-bcmath-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-curl-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-devel-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-dom-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-exif-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-fastcgi-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-ftp-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-gd-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-iconv-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-imap-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-ldap-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-mbstring-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-mysql-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-mysqli-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-pear-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-pgsql-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-soap-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-wddx-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-xmlrpc-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"apache2-mod_php4-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"mod_php4-servlet-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-curl-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-devel-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-exif-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-fastcgi-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-gd-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-imap-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-mbstring-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-pear-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-pgsql-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-session-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-sysvshm-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-wddx-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"apache2-mod_php4-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"apache2-mod_php5-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"mod_php4-servlet-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-curl-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-devel-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-exif-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-fastcgi-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-gd-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-imap-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-mbstring-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-pear-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-pgsql-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-session-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-sysvshm-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-wddx-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-bcmath-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-curl-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-dba-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-devel-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-dom-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-exif-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-fastcgi-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-ftp-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-gd-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-iconv-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-imap-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-ldap-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-mbstring-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-mysql-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-mysqli-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-pear-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-pgsql-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-soap-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-wddx-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-xmlrpc-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); }NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2006-0669.NASL description Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A response-splitting issue was discovered in the PHP session handling. If a remote attacker can force a carefully crafted session identifier to be used, a cross-site-scripting or response-splitting attack could be possible. (CVE-2006-3016) A buffer overflow was discovered in the PHP sscanf() function. If a script used the sscanf() function with positional arguments in the format string, a remote attacker sending a carefully crafted request could execute arbitrary code as the last seen 2020-06-01 modified 2020-06-02 plugin id 22423 published 2006-09-22 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/22423 title CentOS 3 / 4 : php (CESA-2006:0669) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2006-0682.NASL description Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A response-splitting issue was discovered in the PHP session handling. If a remote attacker can force a carefully crafted session identifier to be used, a cross-site-scripting or response-splitting attack could be possible. (CVE-2006-3016) A buffer overflow was discovered found in the PHP sscanf() function. If a script used the sscanf() function with positional arguments in the format string, a remote attacker sending a carefully crafted request could execute arbitrary code as the last seen 2020-06-01 modified 2020-06-02 plugin id 22444 published 2006-09-22 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/22444 title RHEL 2.1 : php (RHSA-2006:0682) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-342-1.NASL description The sscanf() function did not properly check array boundaries. In applications which use sscanf() with argument swapping, a remote attacker could potentially exploit this to crash the affected web application or even execute arbitrary code with the application last seen 2020-06-01 modified 2020-06-02 plugin id 27921 published 2007-11-10 reporter Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/27921 title Ubuntu 5.04 / 5.10 / 6.06 LTS : php4, php5 vulnerabilities (USN-342-1) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_EA09C5DF436211DB81E1000E0C2E438A.NASL description The PHP development team reports : - Added missing safe_mode/open_basedir checks inside the error_log(), file_exists(), imap_open() and imap_reopen() functions. - Fixed overflows inside str_repeat() and wordwrap() functions on 64bit systems. - Fixed possible open_basedir/safe_mode bypass in cURL extension and with realpath cache. - Fixed overflow in GD extension on invalid GIF images. - Fixed a buffer overflow inside sscanf() function. - Fixed an out of bounds read inside stripos() function. - Fixed memory_limit restriction on 64 bit system. last seen 2020-06-01 modified 2020-06-02 plugin id 22343 published 2006-09-14 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/22343 title FreeBSD : php -- multiple vulnerabilities (ea09c5df-4362-11db-81e1-000e0c2e438a) NASL family CGI abuses NASL id PHP_5_1_5.NASL description According to its banner, the version of PHP 5.x installed on the remote host is older than 5.1.5. Such versions may be affected by the following vulnerabilities : - The c-client library 2000, 2001, or 2004 for PHP does not check the safe_mode or open_basedir functions. (CVE-2006-1017) - A buffer overflow exists in the sscanf function. (CVE-2006-4020) - The file_exists and imap_reopen functions do not check for the safe_mode and open_basedir settings, which allows local users to bypass the settings. (CVE-2006-4481) - Multiple heap-based buffer overflows exist in the str_repeat and wordwrap functions in ext/standard/string.c. (CVE-2006-4482) - The cURL extension files permit the CURLOPT_FOLLOWLOCATION option when open_basedir or safe_mode is enabled, which allows attackers to perform unauthorized actions. (CVE-2006-4483) - A buffer overflow vulnerability exists in the LWZReadByte_ function in ext/gd/libgd/gd_gif_in.c in the GD extension. (CVE-2006-4484) - The stripos function is affected by an out-of-bounds read. (CVE-2006-4485) last seen 2020-06-01 modified 2020-06-02 plugin id 17713 published 2011-11-18 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/17713 title PHP 5.1.x < 5.1.5 Multiple Vulnerabilities NASL family Fedora Local Security Checks NASL id FEDORA_2006-1024.NASL description This update includes the latest upstream release of PHP 5.1, version 5.1.6, fixing a number of security vulnerabilities, and other bugs. An integer overflow was discovered in the PHP memory handling routines. If a script can cause memory allocation based on untrusted user data, a remote attacker sending a carefully crafted request could execute arbitrary code as the last seen 2020-06-01 modified 2020-06-02 plugin id 24032 published 2007-01-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24032 title Fedora Core 5 : php-5.1.6-1.1 (2006-1024) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2006-0730.NASL description Updated PHP packages that fix a security issue are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues. These packages also contain a fix for a bug where certain input strings to the metaphone() function could cause memory corruption. From Red Hat Security Advisory 2006:0730 : The Hardened-PHP Project discovered an overflow in the PHP htmlentities() and htmlspecialchars() routines. If a PHP script used the vulnerable functions to parse UTF-8 data, a remote attacker sending a carefully crafted request could trigger the overflow and potentially execute arbitrary code as the last seen 2020-06-01 modified 2020-06-02 plugin id 67421 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/67421 title Oracle Linux 4 : php (ELSA-2006-0730 / ELSA-2006-0669) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2006-0669.NASL description Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A response-splitting issue was discovered in the PHP session handling. If a remote attacker can force a carefully crafted session identifier to be used, a cross-site-scripting or response-splitting attack could be possible. (CVE-2006-3016) A buffer overflow was discovered in the PHP sscanf() function. If a script used the sscanf() function with positional arguments in the format string, a remote attacker sending a carefully crafted request could execute arbitrary code as the last seen 2020-06-01 modified 2020-06-02 plugin id 22443 published 2006-09-22 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/22443 title RHEL 3 / 4 : php (RHSA-2006:0669)
Oval
| accepted | 2013-04-29T04:01:56.180-04:00 | ||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||
| contributors |
| ||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||
| description | Multiple heap-based buffer overflows in the (1) str_repeat and (2) wordwrap functions in ext/standard/string.c in PHP before 5.1.5, when used on a 64-bit system, have unspecified impact and attack vectors, a different vulnerability than CVE-2006-1990. | ||||||||||||||||||||
| family | unix | ||||||||||||||||||||
| id | oval:org.mitre.oval:def:10121 | ||||||||||||||||||||
| status | accepted | ||||||||||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||||||||||
| title | Multiple heap-based buffer overflows in the (1) str_repeat and (2) wordwrap functions in ext/standard/string.c in PHP before 5.1.5, when used on a 64-bit system, have unspecified impact and attack vectors, a different vulnerability than CVE-2006-1990. | ||||||||||||||||||||
| version | 26 |
Redhat
| advisories |
| ||||||||||||
| rpms |
|
References
- http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.445.2.14.2.10&r2=1.445.2.14.2.11
- http://www.php.net/ChangeLog-5.php#5.1.5
- http://www.php.net/release_5_1_5.php
- http://secunia.com/advisories/21546
- http://www.ubuntu.com/usn/usn-342-1
- http://secunia.com/advisories/21768
- http://www.redhat.com/support/errata/RHSA-2006-0669.html
- http://www.redhat.com/support/errata/RHSA-2006-0682.html
- http://www.novell.com/linux/security/advisories/2006_52_php.html
- http://secunia.com/advisories/22004
- http://secunia.com/advisories/22069
- http://securitytracker.com/id?1016984
- https://issues.rpath.com/browse/RPL-683
- http://secunia.com/advisories/22225
- http://support.avaya.com/elmodocs2/security/ASA-2006-221.htm
- http://support.avaya.com/elmodocs2/security/ASA-2006-222.htm
- http://secunia.com/advisories/22440
- http://support.avaya.com/elmodocs2/security/ASA-2006-223.htm
- http://rhn.redhat.com/errata/RHSA-2006-0688.html
- ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc
- http://www.securityfocus.com/bid/19582
- http://secunia.com/advisories/22538
- http://secunia.com/advisories/22487
- http://www.debian.org/security/2006/dsa-1206
- http://secunia.com/advisories/22713
- http://secunia.com/advisories/22039
- http://www.turbolinux.com/security/2006/TLSA-2006-38.txt
- http://www.vupen.com/english/advisories/2006/3318
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10121
- http://www.securityfocus.com/archive/1/447866/100/0/threaded