Vulnerabilities > CVE-2007-1825 - Buffer Overflow vulnerability in PHP Imap_Mail_Compose() Function

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
php
nessus
exploit available

Summary

Buffer overflow in the imap_mail_compose function in PHP 5 before 5.2.1, and PHP 4 before 4.4.5, allows remote attackers to execute arbitrary code via a long boundary string in a type.parameters field. NOTE: as of 20070411, it appears that this issue might be subsumed by CVE-2007-0906.3.

Exploit-Db

descriptionPHP 5.1.6 Imap_Mail_Compose() Function Buffer Overflow Vulnerability. CVE-2007-1825. Remote exploit for php platform
idEDB-ID:29807
last seen2016-02-03
modified2007-03-31
published2007-03-31
reporterStefan Esser
sourcehttps://www.exploit-db.com/download/29807/
titlePHP <= 5.1.6 Imap_Mail_Compose Function Buffer Overflow Vulnerability

Nessus

  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2007-0076.NASL
    descriptionUpdated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A number of buffer overflow flaws were found in the PHP session extension, the str_replace() function, and the imap_mail_compose() function. If very long strings under the control of an attacker are passed to the str_replace() function then an integer overflow could occur in memory allocation. If a script uses the imap_mail_compose() function to create a new MIME message based on an input body from an untrusted source, it could result in a heap overflow. An attacker who is able to access a PHP application affected by any these issues could trigger these flaws and possibly execute arbitrary code as the
    last seen2020-06-01
    modified2020-06-02
    plugin id24673
    published2007-02-21
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/24673
    titleCentOS 3 / 4 : php (CESA-2007:0076)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2007:0076 and 
    # CentOS Errata and Security Advisory 2007:0076 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(24673);
      script_version("1.19");
      script_cvs_date("Date: 2019/10/25 13:36:03");
    
      script_cve_id("CVE-2007-0906", "CVE-2007-0907", "CVE-2007-0908", "CVE-2007-0909", "CVE-2007-0910", "CVE-2007-0988", "CVE-2007-1380", "CVE-2007-1701", "CVE-2007-1825");
      script_bugtraq_id(22496);
      script_xref(name:"RHSA", value:"2007:0076");
    
      script_name(english:"CentOS 3 / 4 : php (CESA-2007:0076)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated PHP packages that fix several security issues are now
    available for Red Hat Enterprise Linux 3 and 4.
    
    This update has been rated as having important security impact by the
    Red Hat Security Response Team.
    
    PHP is an HTML-embedded scripting language commonly used with the
    Apache HTTP Web server.
    
    A number of buffer overflow flaws were found in the PHP session
    extension, the str_replace() function, and the imap_mail_compose()
    function. If very long strings under the control of an attacker are
    passed to the str_replace() function then an integer overflow could
    occur in memory allocation. If a script uses the imap_mail_compose()
    function to create a new MIME message based on an input body from an
    untrusted source, it could result in a heap overflow. An attacker who
    is able to access a PHP application affected by any these issues could
    trigger these flaws and possibly execute arbitrary code as the
    'apache' user. (CVE-2007-0906)
    
    If unserializing untrusted data on 64-bit platforms, the
    zend_hash_init() function can be forced to enter an infinite loop,
    consuming CPU resources for a limited length of time, until the script
    timeout alarm aborts execution of the script. (CVE-2007-0988)
    
    If the wddx extension is used to import WDDX data from an untrusted
    source, certain WDDX input packets may allow a random portion of heap
    memory to be exposed. (CVE-2007-0908)
    
    If the odbc_result_all() function is used to display data from a
    database, and the contents of the database table are under the control
    of an attacker, a format string vulnerability is possible which could
    lead to the execution of arbitrary code. (CVE-2007-0909)
    
    A one byte memory read will always occur before the beginning of a
    buffer, which could be triggered for example by any use of the
    header() function in a script. However it is unlikely that this would
    have any effect. (CVE-2007-0907)
    
    Several flaws in PHP could allows attackers to 'clobber' certain
    super-global variables via unspecified vectors. (CVE-2007-0910)
    
    Users of PHP should upgrade to these updated packages which contain
    backported patches to correct these issues.
    
    Red Hat would like to thank Stefan Esser for his help diagnosing these
    issues."
      );
      # https://lists.centos.org/pipermail/centos-announce/2007-February/013543.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?3940e92c"
      );
      # https://lists.centos.org/pipermail/centos-announce/2007-February/013544.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?f8b50cef"
      );
      # https://lists.centos.org/pipermail/centos-announce/2007-February/013545.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?e5afc62e"
      );
      # https://lists.centos.org/pipermail/centos-announce/2007-February/013546.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?43c21194"
      );
      # https://lists.centos.org/pipermail/centos-announce/2007-February/013558.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?187f0d51"
      );
      # https://lists.centos.org/pipermail/centos-announce/2007-February/013559.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?d8af9a87"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected php packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(20, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-domxml");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-gd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-imap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-mbstring");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-ncurses");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-odbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-pear");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-pgsql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-snmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-xmlrpc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/02/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2007/02/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/21");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(3|4)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 3.x / 4.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-3", reference:"php-4.3.2-39.ent")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"php-devel-4.3.2-39.ent")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"php-imap-4.3.2-39.ent")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"php-ldap-4.3.2-39.ent")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"php-mysql-4.3.2-39.ent")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"php-odbc-4.3.2-39.ent")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"php-pgsql-4.3.2-39.ent")) flag++;
    
    if (rpm_check(release:"CentOS-4", reference:"php-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"php-devel-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"php-domxml-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"php-gd-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"php-imap-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"php-ldap-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"php-mbstring-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"php-mysql-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"php-ncurses-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"php-odbc-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"php-pear-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"php-pgsql-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"php-snmp-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"php-xmlrpc-4.3.9-3.22.3")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php / php-devel / php-domxml / php-gd / php-imap / php-ldap / etc");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2007-0082.NASL
    descriptionUpdated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A number of buffer overflow flaws were found in the PHP session extension; the str_replace() function; and the imap_mail_compose() function. If very long strings were passed to the str_replace() function, an integer overflow could occur in memory allocation. If a script used the imap_mail_compose() function to create a new MIME message based on an input body from an untrusted source, it could result in a heap overflow. An attacker with access to a PHP application affected by any these issues could trigger the flaws and possibly execute arbitrary code as the
    last seen2020-06-01
    modified2020-06-02
    plugin id25317
    published2007-05-25
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/25317
    titleRHEL 5 : php (RHSA-2007:0082)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2007:0082. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(25317);
      script_version ("1.24");
      script_cvs_date("Date: 2019/10/25 13:36:12");
    
      script_cve_id("CVE-2007-0906", "CVE-2007-0907", "CVE-2007-0908", "CVE-2007-0909", "CVE-2007-0910", "CVE-2007-0988", "CVE-2007-1285", "CVE-2007-1380", "CVE-2007-1701", "CVE-2007-1825");
      script_bugtraq_id(22496, 22764);
      script_xref(name:"RHSA", value:"2007:0082");
    
      script_name(english:"RHEL 5 : php (RHSA-2007:0082)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated PHP packages that fix several security issues are now
    available for Red Hat Enterprise Linux 5.
    
    This update has been rated as having important security impact by the
    Red Hat Security Response Team.
    
    PHP is an HTML-embedded scripting language commonly used with the
    Apache HTTP Web server.
    
    A number of buffer overflow flaws were found in the PHP session
    extension; the str_replace() function; and the imap_mail_compose()
    function. If very long strings were passed to the str_replace()
    function, an integer overflow could occur in memory allocation. If a
    script used the imap_mail_compose() function to create a new MIME
    message based on an input body from an untrusted source, it could
    result in a heap overflow. An attacker with access to a PHP
    application affected by any these issues could trigger the flaws and
    possibly execute arbitrary code as the 'apache' user. (CVE-2007-0906)
    
    When unserializing untrusted data on 64-bit platforms, the
    zend_hash_init() function could be forced into an infinite loop,
    consuming CPU resources for a limited time, until the script timeout
    alarm aborted execution of the script. (CVE-2007-0988)
    
    If the wddx extension was used to import WDDX data from an untrusted
    source, certain WDDX input packets could expose a random portion of
    heap memory. (CVE-2007-0908)
    
    If the odbc_result_all() function was used to display data from a
    database, and the database table contents were under an attacker's
    control, a format string vulnerability was possible which could allow
    arbitrary code execution. (CVE-2007-0909)
    
    A one byte memory read always occurs before the beginning of a buffer.
    This could be triggered, for example, by any use of the header()
    function in a script. However it is unlikely that this would have any
    effect. (CVE-2007-0907)
    
    Several flaws in PHP could allow attackers to 'clobber' certain
    super-global variables via unspecified vectors. (CVE-2007-0910)
    
    An input validation bug allowed a remote attacker to trigger a denial
    of service attack by submitting an input variable with a
    deeply-nested-array. (CVE-2007-1285)
    
    Users of PHP should upgrade to these updated packages which contain
    backported patches to correct these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-0906"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-0907"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-0908"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-0909"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-0910"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-0988"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-1285"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-1380"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-1701"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-1825"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2007:0082"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(20, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-bcmath");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-cli");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-dba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-gd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-imap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-mbstring");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-ncurses");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-odbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-pdo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-pgsql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-snmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-soap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-xml");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-xmlrpc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/02/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2007/03/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/05/25");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2007:0082";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-bcmath-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-bcmath-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-bcmath-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-cli-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-cli-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-cli-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-common-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-common-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-common-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-dba-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-dba-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-dba-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-devel-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-devel-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-devel-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-gd-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-gd-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-gd-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-imap-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-imap-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-imap-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-ldap-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-ldap-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-ldap-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-mbstring-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-mbstring-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-mbstring-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-mysql-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-mysql-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-mysql-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-ncurses-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-ncurses-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-ncurses-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-odbc-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-odbc-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-odbc-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-pdo-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-pdo-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-pdo-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-pgsql-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-pgsql-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-pgsql-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-snmp-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-snmp-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-snmp-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-soap-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-soap-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-soap-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-xml-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-xml-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-xml-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-xmlrpc-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-xmlrpc-5.1.6-7.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-xmlrpc-5.1.6-7.el5")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php / php-bcmath / php-cli / php-common / php-dba / php-devel / etc");
      }
    }
    
  • NASL familyCGI abuses
    NASL idPHP_5_2_1.NASL
    descriptionAccording to its banner, the version of PHP installed on the remote host is older than 5.2.1. Such versions may be affected by several issues, including buffer overflows, format string vulnerabilities, arbitrary code execution,
    last seen2020-06-01
    modified2020-06-02
    plugin id24907
    published2007-04-02
    reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24907
    titlePHP < 5.2.1 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(24907);
      script_version("1.27");
      script_cvs_date("Date: 2018/07/24 18:56:10");
    
      script_cve_id(
        "CVE-2006-6383",
        "CVE-2007-0905",
        "CVE-2007-0906",
        "CVE-2007-0907",
        "CVE-2007-0908",
        "CVE-2007-0909",
        "CVE-2007-0910",
        "CVE-2007-0988",
        "CVE-2007-1376",
        "CVE-2007-1380",
        "CVE-2007-1383",
        "CVE-2007-1452",
        "CVE-2007-1453",
        "CVE-2007-1454",
        "CVE-2007-1700",
        "CVE-2007-1701",
        "CVE-2007-1824",
        "CVE-2007-1825",
        "CVE-2007-1835",
        "CVE-2007-1884",
        "CVE-2007-1885",
        "CVE-2007-1886",
        "CVE-2007-1887",
        "CVE-2007-1889",
        "CVE-2007-1890",
        "CVE-2007-4441",
        "CVE-2007-4586"
      );
      script_bugtraq_id(
        21508, 
        22496, 
        22805,
        22806,
        22862,
        22922,
        23119,
        23120,
        23219,
        23233, 
        23234, 
        23235, 
        23236, 
        23237, 
        23238
      );
    
      script_name(english:"PHP < 5.2.1 Multiple Vulnerabilities");
      script_summary(english:"Checks version of PHP");
     
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote web server uses a version of PHP that is affected by
    multiple flaws."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "According to its banner, the version of PHP installed on the remote
    host is older than 5.2.1.  Such versions may be affected by several
    issues, including buffer overflows, format string vulnerabilities,
    arbitrary code execution, 'safe_mode' and 'open_basedir' bypasses, and
    clobbering of super-globals."
      );
      script_set_attribute(attribute:"see_also", value:"http://www.php.net/releases/5_2_1.php");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to PHP version 5.2.1 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(20, 119, 189, 399);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/12/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2007/02/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/04/02");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
      script_end_attributes();
     
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
    
      script_dependencies("php_version.nasl");
      script_require_ports("Services/www", 80);
      script_require_keys("www/PHP");
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("audit.inc");
    include("webapp_func.inc");
    
    port = get_http_port(default:80, php:TRUE);
    
    php = get_php_from_kb(
      port : port,
      exit_on_fail : TRUE
    );
    
    version = php["ver"];
    source = php["src"];
    
    backported = get_kb_item('www/php/'+port+'/'+version+'/backported');
    
    if (report_paranoia < 2 && backported)
      audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install");
    
    if (version =~ "^5\.[01]\." || 
        version =~ "^5\.2\.0($|[^0-9])"
    )
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Version source     : '+source +
          '\n  Installed version  : '+version+
          '\n  Fixed version      : 5.2.1\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
      exit(0);
    }
    else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2007-0081.NASL
    descriptionUpdated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A number of buffer overflow flaws were found in the PHP session extension; the str_replace() function; and the imap_mail_compose() function. If very long strings were passed to the str_replace() function, an integer overflow could occur in memory allocation. If a script used the imap_mail_compose() function to create a new MIME message based on an input body from an untrusted source, it could result in a heap overflow. An attacker with access to a PHP application affected by any these issues could trigger the flaws and possibly execute arbitrary code as the
    last seen2020-06-01
    modified2020-06-02
    plugin id24697
    published2007-02-23
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/24697
    titleRHEL 2.1 : php (RHSA-2007:0081)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2007:0081. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(24697);
      script_version ("1.24");
      script_cvs_date("Date: 2019/10/25 13:36:12");
    
      script_cve_id("CVE-2007-0906", "CVE-2007-0907", "CVE-2007-0908", "CVE-2007-0909", "CVE-2007-0910", "CVE-2007-0988", "CVE-2007-1380", "CVE-2007-1701", "CVE-2007-1825");
      script_bugtraq_id(22496);
      script_xref(name:"RHSA", value:"2007:0081");
    
      script_name(english:"RHEL 2.1 : php (RHSA-2007:0081)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated PHP packages that fix several security issues are now
    available for Red Hat Enterprise Linux 2.1.
    
    This update has been rated as having important security impact by the
    Red Hat Security Response Team.
    
    PHP is an HTML-embedded scripting language commonly used with the
    Apache HTTP Web server.
    
    A number of buffer overflow flaws were found in the PHP session
    extension; the str_replace() function; and the imap_mail_compose()
    function. If very long strings were passed to the str_replace()
    function, an integer overflow could occur in memory allocation. If a
    script used the imap_mail_compose() function to create a new MIME
    message based on an input body from an untrusted source, it could
    result in a heap overflow. An attacker with access to a PHP
    application affected by any these issues could trigger the flaws and
    possibly execute arbitrary code as the 'apache' user. (CVE-2007-0906)
    
    When unserializing untrusted data on 64-bit platforms, the
    zend_hash_init() function could be forced into an infinite loop,
    consuming CPU resources for a limited time, until the script timeout
    alarm aborted execution of the script. (CVE-2007-0988)
    
    If the wddx extension was used to import WDDX data from an untrusted
    source, certain WDDX input packets could expose a random portion of
    heap memory. (CVE-2007-0908)
    
    If the odbc_result_all() function was used to display data from a
    database, and the database table contents were under an attacker's
    control, a format string vulnerability was possible which could allow
    arbitrary code execution. (CVE-2007-0909)
    
    A one byte memory read always occurs before the beginning of a buffer.
    This could be triggered, for example, by any use of the header()
    function in a script. However it is unlikely that this would have any
    effect. (CVE-2007-0907)
    
    Several flaws in PHP could allow attackers to 'clobber' certain
    super-global variables via unspecified vectors. (CVE-2007-0910)
    
    Users of PHP should upgrade to these updated packages which contain
    backported patches to correct these issues.
    
    Red Hat would like to thank Stefan Esser for his help diagnosing these
    issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-0906"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-0907"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-0908"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-0909"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-0910"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-0988"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-1380"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-1701"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-1825"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2007:0081"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(20, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-imap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-manual");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-odbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-pgsql");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/02/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2007/02/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/23");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2007:0081";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-4.1.2-2.14")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-devel-4.1.2-2.14")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-imap-4.1.2-2.14")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-ldap-4.1.2-2.14")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-manual-4.1.2-2.14")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-mysql-4.1.2-2.14")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-odbc-4.1.2-2.14")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"php-pgsql-4.1.2-2.14")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php / php-devel / php-imap / php-ldap / php-manual / php-mysql / etc");
      }
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2007-0076.NASL
    descriptionFrom Red Hat Security Advisory 2007:0076 : Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A number of buffer overflow flaws were found in the PHP session extension, the str_replace() function, and the imap_mail_compose() function. If very long strings under the control of an attacker are passed to the str_replace() function then an integer overflow could occur in memory allocation. If a script uses the imap_mail_compose() function to create a new MIME message based on an input body from an untrusted source, it could result in a heap overflow. An attacker who is able to access a PHP application affected by any these issues could trigger these flaws and possibly execute arbitrary code as the
    last seen2020-06-01
    modified2020-06-02
    plugin id67451
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67451
    titleOracle Linux 3 / 4 : php (ELSA-2007-0076)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2007:0076 and 
    # Oracle Linux Security Advisory ELSA-2007-0076 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(67451);
      script_version("1.10");
      script_cvs_date("Date: 2019/10/25 13:36:06");
    
      script_cve_id("CVE-2007-0906", "CVE-2007-0907", "CVE-2007-0908", "CVE-2007-0909", "CVE-2007-0910", "CVE-2007-0988", "CVE-2007-1380", "CVE-2007-1701", "CVE-2007-1825");
      script_bugtraq_id(22496);
      script_xref(name:"RHSA", value:"2007:0076");
    
      script_name(english:"Oracle Linux 3 / 4 : php (ELSA-2007-0076)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2007:0076 :
    
    Updated PHP packages that fix several security issues are now
    available for Red Hat Enterprise Linux 3 and 4.
    
    This update has been rated as having important security impact by the
    Red Hat Security Response Team.
    
    PHP is an HTML-embedded scripting language commonly used with the
    Apache HTTP Web server.
    
    A number of buffer overflow flaws were found in the PHP session
    extension, the str_replace() function, and the imap_mail_compose()
    function. If very long strings under the control of an attacker are
    passed to the str_replace() function then an integer overflow could
    occur in memory allocation. If a script uses the imap_mail_compose()
    function to create a new MIME message based on an input body from an
    untrusted source, it could result in a heap overflow. An attacker who
    is able to access a PHP application affected by any these issues could
    trigger these flaws and possibly execute arbitrary code as the
    'apache' user. (CVE-2007-0906)
    
    If unserializing untrusted data on 64-bit platforms, the
    zend_hash_init() function can be forced to enter an infinite loop,
    consuming CPU resources for a limited length of time, until the script
    timeout alarm aborts execution of the script. (CVE-2007-0988)
    
    If the wddx extension is used to import WDDX data from an untrusted
    source, certain WDDX input packets may allow a random portion of heap
    memory to be exposed. (CVE-2007-0908)
    
    If the odbc_result_all() function is used to display data from a
    database, and the contents of the database table are under the control
    of an attacker, a format string vulnerability is possible which could
    lead to the execution of arbitrary code. (CVE-2007-0909)
    
    A one byte memory read will always occur before the beginning of a
    buffer, which could be triggered for example by any use of the
    header() function in a script. However it is unlikely that this would
    have any effect. (CVE-2007-0907)
    
    Several flaws in PHP could allows attackers to 'clobber' certain
    super-global variables via unspecified vectors. (CVE-2007-0910)
    
    Users of PHP should upgrade to these updated packages which contain
    backported patches to correct these issues.
    
    Red Hat would like to thank Stefan Esser for his help diagnosing these
    issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2007-February/000052.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2007-March/000098.html"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected php packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(20, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-domxml");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-gd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-imap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-mbstring");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-ncurses");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-odbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-pear");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-pgsql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-snmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-xmlrpc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/02/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2007/02/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(3|4)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 3 / 4", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL3", cpu:"i386", reference:"php-4.3.2-39.ent")) flag++;
    if (rpm_check(release:"EL3", cpu:"x86_64", reference:"php-4.3.2-39.ent")) flag++;
    if (rpm_check(release:"EL3", cpu:"i386", reference:"php-devel-4.3.2-39.ent")) flag++;
    if (rpm_check(release:"EL3", cpu:"x86_64", reference:"php-devel-4.3.2-39.ent")) flag++;
    if (rpm_check(release:"EL3", cpu:"i386", reference:"php-imap-4.3.2-39.ent")) flag++;
    if (rpm_check(release:"EL3", cpu:"x86_64", reference:"php-imap-4.3.2-39.ent")) flag++;
    if (rpm_check(release:"EL3", cpu:"i386", reference:"php-ldap-4.3.2-39.ent")) flag++;
    if (rpm_check(release:"EL3", cpu:"x86_64", reference:"php-ldap-4.3.2-39.ent")) flag++;
    if (rpm_check(release:"EL3", cpu:"i386", reference:"php-mysql-4.3.2-39.ent")) flag++;
    if (rpm_check(release:"EL3", cpu:"x86_64", reference:"php-mysql-4.3.2-39.ent")) flag++;
    if (rpm_check(release:"EL3", cpu:"i386", reference:"php-odbc-4.3.2-39.ent")) flag++;
    if (rpm_check(release:"EL3", cpu:"x86_64", reference:"php-odbc-4.3.2-39.ent")) flag++;
    if (rpm_check(release:"EL3", cpu:"i386", reference:"php-pgsql-4.3.2-39.ent")) flag++;
    if (rpm_check(release:"EL3", cpu:"x86_64", reference:"php-pgsql-4.3.2-39.ent")) flag++;
    
    if (rpm_check(release:"EL4", cpu:"i386", reference:"php-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"EL4", cpu:"x86_64", reference:"php-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"EL4", cpu:"i386", reference:"php-devel-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"EL4", cpu:"x86_64", reference:"php-devel-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"EL4", cpu:"i386", reference:"php-domxml-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"EL4", cpu:"x86_64", reference:"php-domxml-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"EL4", cpu:"i386", reference:"php-gd-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"EL4", cpu:"x86_64", reference:"php-gd-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"EL4", cpu:"i386", reference:"php-imap-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"EL4", cpu:"x86_64", reference:"php-imap-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"EL4", cpu:"i386", reference:"php-ldap-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"EL4", cpu:"x86_64", reference:"php-ldap-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"EL4", cpu:"i386", reference:"php-mbstring-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"EL4", cpu:"x86_64", reference:"php-mbstring-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"EL4", cpu:"i386", reference:"php-mysql-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"EL4", cpu:"x86_64", reference:"php-mysql-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"EL4", cpu:"i386", reference:"php-ncurses-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"EL4", cpu:"x86_64", reference:"php-ncurses-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"EL4", cpu:"i386", reference:"php-odbc-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"EL4", cpu:"x86_64", reference:"php-odbc-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"EL4", cpu:"i386", reference:"php-pear-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"EL4", cpu:"x86_64", reference:"php-pear-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"EL4", cpu:"i386", reference:"php-pgsql-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"EL4", cpu:"x86_64", reference:"php-pgsql-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"EL4", cpu:"i386", reference:"php-snmp-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"EL4", cpu:"x86_64", reference:"php-snmp-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"EL4", cpu:"i386", reference:"php-xmlrpc-4.3.9-3.22.3")) flag++;
    if (rpm_check(release:"EL4", cpu:"x86_64", reference:"php-xmlrpc-4.3.9-3.22.3")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php / php-devel / php-domxml / php-gd / php-imap / php-ldap / etc");
    }
    
  • NASL familyCGI abuses
    NASL idPHP_4_4_5.NASL
    descriptionAccording to its banner, the version of PHP installed on the remote host is older than 4.4.5. Such versions may be affected by several issues, including buffer overflows, format string vulnerabilities, arbitrary code execution,
    last seen2020-06-01
    modified2020-06-02
    plugin id24906
    published2007-04-02
    reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24906
    titlePHP < 4.4.5 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(24906);
      script_version("1.25");
      script_cvs_date("Date: 2018/07/24 18:56:10");
    
      script_cve_id(
        "CVE-2006-4625",
        "CVE-2007-0905",
        "CVE-2007-0906",
        "CVE-2007-0907",
        "CVE-2007-0908",
        "CVE-2007-0909",
        "CVE-2007-0910",
        "CVE-2007-0988",
        "CVE-2007-1286",
        "CVE-2007-1376",
        "CVE-2007-1378",
        "CVE-2007-1379",
        "CVE-2007-1380",
        "CVE-2007-1700",
        "CVE-2007-1701",
        "CVE-2007-1777",
        "CVE-2007-1825",
        "CVE-2007-1835",
        "CVE-2007-1884",
        "CVE-2007-1885",
        "CVE-2007-1886",
        "CVE-2007-1887",
        "CVE-2007-1890"
      );
      script_bugtraq_id(
        22496, 
        22805, 
        22806, 
        22833, 
        22862,
        23119, 
        23120, 
        23169, 
        23219,
        23233, 
        23234, 
        23235,
        23236
      );
    
      script_name(english:"PHP < 4.4.5 Multiple Vulnerabilities");
      script_summary(english:"Checks version of PHP");
     
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote web server uses a version of PHP that is affected by
    multiple flaws."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "According to its banner, the version of PHP installed on the remote
    host is older than 4.4.5.  Such versions may be affected by several
    issues, including buffer overflows, format string vulnerabilities,
    arbitrary code execution, 'safe_mode' and 'open_basedir' bypasses, and
    clobbering of super-globals."
      );
      script_set_attribute(attribute:"see_also", value:"http://www.php.net/releases/4_4_5.php");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to PHP version 4.4.5 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_set_attribute(attribute:"metasploit_name", value:'PHP 4 unserialize() ZVAL Reference Counter Overflow (Cookie)');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_cwe_id(20, 399);
    
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/04/02");
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/02/09");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
    
      script_dependencies("php_version.nasl");
      script_require_ports("Services/www", 80);
      script_require_keys("www/PHP");
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("audit.inc");
    include("webapp_func.inc");
    
    port = get_http_port(default:80, php:TRUE);
    
    php = get_php_from_kb(
      port : port,
      exit_on_fail : TRUE
    );
    
    version = php["ver"];
    source = php["src"];
    
    backported = get_kb_item('www/php/'+port+'/'+version+'/backported');
    
    if (report_paranoia < 2 && backported)
      audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install");
    
    if (version =~ "^3\." ||
        version =~ "^4\.[0-3]\." ||
        version =~ "^4\.4\.[0-4]($|[^0-9])"
    )
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Version source     : '+source +
          '\n  Installed version  : '+version+
          '\n  Fixed version      : 4.4.5\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
      exit(0);
    }
    else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2007-0076.NASL
    descriptionUpdated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A number of buffer overflow flaws were found in the PHP session extension, the str_replace() function, and the imap_mail_compose() function. If very long strings under the control of an attacker are passed to the str_replace() function then an integer overflow could occur in memory allocation. If a script uses the imap_mail_compose() function to create a new MIME message based on an input body from an untrusted source, it could result in a heap overflow. An attacker who is able to access a PHP application affected by any these issues could trigger these flaws and possibly execute arbitrary code as the
    last seen2020-06-01
    modified2020-06-02
    plugin id24677
    published2007-02-21
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/24677
    titleRHEL 3 / 4 : php (RHSA-2007:0076)

Oval

accepted2013-04-29T04:05:08.964-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
    ovaloval:org.mitre.oval:def:11782
  • commentCentOS Linux 3.x
    ovaloval:org.mitre.oval:def:16651
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
    ovaloval:org.mitre.oval:def:11831
  • commentCentOS Linux 4.x
    ovaloval:org.mitre.oval:def:16636
  • commentOracle Linux 4.x
    ovaloval:org.mitre.oval:def:15990
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 5
    ovaloval:org.mitre.oval:def:11414
  • commentThe operating system installed on the system is CentOS Linux 5.x
    ovaloval:org.mitre.oval:def:15802
  • commentOracle Linux 5.x
    ovaloval:org.mitre.oval:def:15459
descriptionBuffer overflow in the imap_mail_compose function in PHP 5 before 5.2.1, and PHP 4 before 4.4.5, allows remote attackers to execute arbitrary code via a long boundary string in a type.parameters field. NOTE: as of 20070411, it appears that this issue might be subsumed by CVE-2007-0906.3.
familyunix
idoval:org.mitre.oval:def:10377
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleBuffer overflow in the imap_mail_compose function in PHP 5 before 5.2.1, and PHP 4 before 4.4.5, allows remote attackers to execute arbitrary code via a long boundary string in a type.parameters field. NOTE: as of 20070411, it appears that this issue might be subsumed by CVE-2007-0906.3.
version27

Redhat

advisories
  • bugzilla
    id228858
    titleCVE-2007-0906 PHP security issues (CVE-2007-0907, CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-0988)
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 4 is installed
        ovaloval:com.redhat.rhba:tst:20070304025
      • OR
        • AND
          • commentphp-ncurses is earlier than 0:4.3.9-3.22.3
            ovaloval:com.redhat.rhsa:tst:20070076001
          • commentphp-ncurses is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276016
        • AND
          • commentphp-mbstring is earlier than 0:4.3.9-3.22.3
            ovaloval:com.redhat.rhsa:tst:20070076003
          • commentphp-mbstring is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276020
        • AND
          • commentphp-pear is earlier than 0:4.3.9-3.22.3
            ovaloval:com.redhat.rhsa:tst:20070076005
          • commentphp-pear is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276018
        • AND
          • commentphp-pgsql is earlier than 0:4.3.9-3.22.3
            ovaloval:com.redhat.rhsa:tst:20070076007
          • commentphp-pgsql is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276004
        • AND
          • commentphp-ldap is earlier than 0:4.3.9-3.22.3
            ovaloval:com.redhat.rhsa:tst:20070076009
          • commentphp-ldap is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276024
        • AND
          • commentphp-devel is earlier than 0:4.3.9-3.22.3
            ovaloval:com.redhat.rhsa:tst:20070076011
          • commentphp-devel is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276028
        • AND
          • commentphp-gd is earlier than 0:4.3.9-3.22.3
            ovaloval:com.redhat.rhsa:tst:20070076013
          • commentphp-gd is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276026
        • AND
          • commentphp-snmp is earlier than 0:4.3.9-3.22.3
            ovaloval:com.redhat.rhsa:tst:20070076015
          • commentphp-snmp is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276014
        • AND
          • commentphp-imap is earlier than 0:4.3.9-3.22.3
            ovaloval:com.redhat.rhsa:tst:20070076017
          • commentphp-imap is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276002
        • AND
          • commentphp-mysql is earlier than 0:4.3.9-3.22.3
            ovaloval:com.redhat.rhsa:tst:20070076019
          • commentphp-mysql is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276010
        • AND
          • commentphp-domxml is earlier than 0:4.3.9-3.22.3
            ovaloval:com.redhat.rhsa:tst:20070076021
          • commentphp-domxml is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276022
        • AND
          • commentphp is earlier than 0:4.3.9-3.22.3
            ovaloval:com.redhat.rhsa:tst:20070076023
          • commentphp is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276012
        • AND
          • commentphp-xmlrpc is earlier than 0:4.3.9-3.22.3
            ovaloval:com.redhat.rhsa:tst:20070076025
          • commentphp-xmlrpc is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276006
        • AND
          • commentphp-odbc is earlier than 0:4.3.9-3.22.3
            ovaloval:com.redhat.rhsa:tst:20070076027
          • commentphp-odbc is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276008
    rhsa
    idRHSA-2007:0076
    released2007-02-19
    severityImportant
    titleRHSA-2007:0076: php security update (Important)
  • bugzilla
    id231597
    titleCVE-2007-1285 PHP Variable Destructor Deep Recursion Stack Overflow
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 5 is installed
        ovaloval:com.redhat.rhba:tst:20070331005
      • OR
        • AND
          • commentphp-snmp is earlier than 0:5.1.6-7.el5
            ovaloval:com.redhat.rhsa:tst:20070082001
          • commentphp-snmp is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082002
        • AND
          • commentphp-imap is earlier than 0:5.1.6-7.el5
            ovaloval:com.redhat.rhsa:tst:20070082003
          • commentphp-imap is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082004
        • AND
          • commentphp-bcmath is earlier than 0:5.1.6-7.el5
            ovaloval:com.redhat.rhsa:tst:20070082005
          • commentphp-bcmath is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082006
        • AND
          • commentphp-xml is earlier than 0:5.1.6-7.el5
            ovaloval:com.redhat.rhsa:tst:20070082007
          • commentphp-xml is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082008
        • AND
          • commentphp-odbc is earlier than 0:5.1.6-7.el5
            ovaloval:com.redhat.rhsa:tst:20070082009
          • commentphp-odbc is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082010
        • AND
          • commentphp-ldap is earlier than 0:5.1.6-7.el5
            ovaloval:com.redhat.rhsa:tst:20070082011
          • commentphp-ldap is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082012
        • AND
          • commentphp-mbstring is earlier than 0:5.1.6-7.el5
            ovaloval:com.redhat.rhsa:tst:20070082013
          • commentphp-mbstring is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082014
        • AND
          • commentphp-ncurses is earlier than 0:5.1.6-7.el5
            ovaloval:com.redhat.rhsa:tst:20070082015
          • commentphp-ncurses is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082016
        • AND
          • commentphp-gd is earlier than 0:5.1.6-7.el5
            ovaloval:com.redhat.rhsa:tst:20070082017
          • commentphp-gd is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082018
        • AND
          • commentphp-devel is earlier than 0:5.1.6-7.el5
            ovaloval:com.redhat.rhsa:tst:20070082019
          • commentphp-devel is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082020
        • AND
          • commentphp is earlier than 0:5.1.6-7.el5
            ovaloval:com.redhat.rhsa:tst:20070082021
          • commentphp is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082022
        • AND
          • commentphp-mysql is earlier than 0:5.1.6-7.el5
            ovaloval:com.redhat.rhsa:tst:20070082023
          • commentphp-mysql is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082024
        • AND
          • commentphp-pdo is earlier than 0:5.1.6-7.el5
            ovaloval:com.redhat.rhsa:tst:20070082025
          • commentphp-pdo is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082026
        • AND
          • commentphp-pgsql is earlier than 0:5.1.6-7.el5
            ovaloval:com.redhat.rhsa:tst:20070082027
          • commentphp-pgsql is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082028
        • AND
          • commentphp-cli is earlier than 0:5.1.6-7.el5
            ovaloval:com.redhat.rhsa:tst:20070082029
          • commentphp-cli is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082030
        • AND
          • commentphp-dba is earlier than 0:5.1.6-7.el5
            ovaloval:com.redhat.rhsa:tst:20070082031
          • commentphp-dba is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082032
        • AND
          • commentphp-soap is earlier than 0:5.1.6-7.el5
            ovaloval:com.redhat.rhsa:tst:20070082033
          • commentphp-soap is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082034
        • AND
          • commentphp-xmlrpc is earlier than 0:5.1.6-7.el5
            ovaloval:com.redhat.rhsa:tst:20070082035
          • commentphp-xmlrpc is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082036
        • AND
          • commentphp-common is earlier than 0:5.1.6-7.el5
            ovaloval:com.redhat.rhsa:tst:20070082037
          • commentphp-common is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082038
    rhsa
    idRHSA-2007:0082
    released2007-03-14
    severityImportant
    titleRHSA-2007:0082: php security update (Important)
rpms
  • php-0:4.3.2-39.ent
  • php-0:4.3.9-3.22.3
  • php-debuginfo-0:4.3.2-39.ent
  • php-debuginfo-0:4.3.9-3.22.3
  • php-devel-0:4.3.2-39.ent
  • php-devel-0:4.3.9-3.22.3
  • php-domxml-0:4.3.9-3.22.3
  • php-gd-0:4.3.9-3.22.3
  • php-imap-0:4.3.2-39.ent
  • php-imap-0:4.3.9-3.22.3
  • php-ldap-0:4.3.2-39.ent
  • php-ldap-0:4.3.9-3.22.3
  • php-mbstring-0:4.3.9-3.22.3
  • php-mysql-0:4.3.2-39.ent
  • php-mysql-0:4.3.9-3.22.3
  • php-ncurses-0:4.3.9-3.22.3
  • php-odbc-0:4.3.2-39.ent
  • php-odbc-0:4.3.9-3.22.3
  • php-pear-0:4.3.9-3.22.3
  • php-pgsql-0:4.3.2-39.ent
  • php-pgsql-0:4.3.9-3.22.3
  • php-snmp-0:4.3.9-3.22.3
  • php-xmlrpc-0:4.3.9-3.22.3
  • php-0:4.1.2-2.14
  • php-devel-0:4.1.2-2.14
  • php-imap-0:4.1.2-2.14
  • php-ldap-0:4.1.2-2.14
  • php-manual-0:4.1.2-2.14
  • php-mysql-0:4.1.2-2.14
  • php-odbc-0:4.1.2-2.14
  • php-pgsql-0:4.1.2-2.14
  • php-0:5.1.6-7.el5
  • php-bcmath-0:5.1.6-7.el5
  • php-cli-0:5.1.6-7.el5
  • php-common-0:5.1.6-7.el5
  • php-dba-0:5.1.6-7.el5
  • php-debuginfo-0:5.1.6-7.el5
  • php-devel-0:5.1.6-7.el5
  • php-gd-0:5.1.6-7.el5
  • php-imap-0:5.1.6-7.el5
  • php-ldap-0:5.1.6-7.el5
  • php-mbstring-0:5.1.6-7.el5
  • php-mysql-0:5.1.6-7.el5
  • php-ncurses-0:5.1.6-7.el5
  • php-odbc-0:5.1.6-7.el5
  • php-pdo-0:5.1.6-7.el5
  • php-pgsql-0:5.1.6-7.el5
  • php-snmp-0:5.1.6-7.el5
  • php-soap-0:5.1.6-7.el5
  • php-xml-0:5.1.6-7.el5
  • php-xmlrpc-0:5.1.6-7.el5
  • php-0:5.1.6-3.el4s1.5
  • php-bcmath-0:5.1.6-3.el4s1.5
  • php-cli-0:5.1.6-3.el4s1.5
  • php-common-0:5.1.6-3.el4s1.5
  • php-dba-0:5.1.6-3.el4s1.5
  • php-debuginfo-0:5.1.6-3.el4s1.5
  • php-devel-0:5.1.6-3.el4s1.5
  • php-gd-0:5.1.6-3.el4s1.5
  • php-imap-0:5.1.6-3.el4s1.5
  • php-ldap-0:5.1.6-3.el4s1.5
  • php-mbstring-0:5.1.6-3.el4s1.5
  • php-mysql-0:5.1.6-3.el4s1.5
  • php-ncurses-0:5.1.6-3.el4s1.5
  • php-odbc-0:5.1.6-3.el4s1.5
  • php-pdo-0:5.1.6-3.el4s1.5
  • php-pgsql-0:5.1.6-3.el4s1.5
  • php-snmp-0:5.1.6-3.el4s1.5
  • php-soap-0:5.1.6-3.el4s1.5
  • php-xml-0:5.1.6-3.el4s1.5
  • php-xmlrpc-0:5.1.6-3.el4s1.5
  • stronghold-php-0:4.1.2-12
  • stronghold-php-devel-0:4.1.2-12
  • stronghold-php-imap-0:4.1.2-12
  • stronghold-php-ldap-0:4.1.2-12
  • stronghold-php-manual-0:4.1.2-12
  • stronghold-php-mysql-0:4.1.2-12
  • stronghold-php-odbc-0:4.1.2-12
  • stronghold-php-pgsql-0:4.1.2-12
  • stronghold-php-snmp-0:4.1.2-12

Statements

contributorMark J Cox
lastmodified2007-04-16
organizationRed Hat
statementThis CVE name is a duplicate as the vulnerability is addressed by CVE-2007-0906.