Vulnerabilities > CVE-2008-2108 - Insufficient Entropy vulnerability in multiple products

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
php
fedoraproject
canonical
debian
CWE-331
critical
nessus

Summary

The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 64-bit systems, performs a multiplication that generates a portion of zero bits during conversion due to insufficient precision, which produces 24 bits of entropy and simplifies brute force attacks against protection mechanisms that use the rand and mt_rand functions.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-628-1.NASL
    descriptionIt was discovered that PHP did not properly check the length of the string parameter to the fnmatch function. An attacker could cause a denial of service in the PHP interpreter if a script passed untrusted input to the fnmatch function. (CVE-2007-4782) Maksymilian Arciemowicz discovered a flaw in the cURL library that allowed safe_mode and open_basedir restrictions to be bypassed. If a PHP application were tricked into processing a bad file:// request, an attacker could read arbitrary files. (CVE-2007-4850) Rasmus Lerdorf discovered that the htmlentities and htmlspecialchars functions did not correctly stop when handling partial multibyte sequences. A remote attacker could exploit this to read certain areas of memory, possibly gaining access to sensitive information. This issue affects Ubuntu 8.04 LTS, and an updated fix is included for Ubuntu 6.06 LTS, 7.04 and 7.10. (CVE-2007-5898) It was discovered that the output_add_rewrite_var function would sometimes leak session id information to forms targeting remote URLs. Malicious remote sites could use this information to gain access to a PHP application user
    last seen2020-06-01
    modified2020-06-02
    plugin id33575
    published2008-07-24
    reporterUbuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33575
    titleUbuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : php5 vulnerabilities (USN-628-1)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200811-05.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200811-05 (PHP: Multiple vulnerabilities) Several vulnerabilitites were found in PHP: PHP ships a vulnerable version of the PCRE library which allows for the circumvention of security restrictions or even for remote code execution in case of an application which accepts user-supplied regular expressions (CVE-2008-0674). Multiple crash issues in several PHP functions have been discovered. Ryan Permeh reported that the init_request_info() function in sapi/cgi/cgi_main.c does not properly consider operator precedence when calculating the length of PATH_TRANSLATED (CVE-2008-0599). An off-by-one error in the metaphone() function may lead to memory corruption. Maksymilian Arciemowicz of SecurityReason Research reported an integer overflow, which is triggerable using printf() and related functions (CVE-2008-1384). Andrei Nigmatulin reported a stack-based buffer overflow in the FastCGI SAPI, which has unknown attack vectors (CVE-2008-2050). Stefan Esser reported that PHP does not correctly handle multibyte characters inside the escapeshellcmd() function, which is used to sanitize user input before its usage in shell commands (CVE-2008-2051). Stefan Esser reported that a short-coming in PHP
    last seen2020-06-01
    modified2020-06-02
    plugin id34787
    published2008-11-17
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/34787
    titleGLSA-200811-05 : PHP: Multiple vulnerabilities
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2008-128.NASL
    descriptionA number of vulnerabilities have been found and corrected in PHP : php-cgi in PHP prior to 5.2.6 does not properly calculate the length of PATH_TRANSLATED, which has unknown impact and attack vectors (CVE-2008-0599). The escapeshellcmd() API function in PHP prior to 5.2.6 has unknown impact and context-dependent attack vectors related to incomplete multibyte characters (CVE-2008-2051). Weaknesses in the GENERATE_SEED macro in PHP prior to 4.4.8 and 5.2.5 were discovered that could produce a zero seed in rare circumstances on 32bit systems and generations a portion of zero bits during conversion due to insufficient precision on 64bit systems (CVE-2008-2107, CVE-2008-2108). The IMAP module in PHP uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) via a long IMAP request (CVE-2008-2829). In addition, the updated packages provide a number of bug fixes. The updated packages have been patched to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id36486
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/36486
    titleMandriva Linux Security Advisory : php (MDVSA-2008:128)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2008-0545.NASL
    descriptionUpdated php packages that fix several security issues and a bug are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. It was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051) The PHP functions htmlentities() and htmlspecialchars() did not properly recognize partial multi-byte sequences. Certain sequences of bytes could be passed through these functions without being correctly HTML-escaped. Depending on the browser being used, an attacker could use this flaw to conduct cross-site scripting attacks. (CVE-2007-5898) A PHP script which used the transparent session ID configuration option, or which used the output_add_rewrite_var() function, could leak session identifiers to external websites. If a page included an HTML form with an ACTION attribute referencing a non-local URL, the user
    last seen2020-06-01
    modified2020-06-02
    plugin id33511
    published2008-07-16
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33511
    titleRHEL 4 : php (RHSA-2008:0545)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2008-0545.NASL
    descriptionUpdated php packages that fix several security issues and a bug are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. It was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051) The PHP functions htmlentities() and htmlspecialchars() did not properly recognize partial multi-byte sequences. Certain sequences of bytes could be passed through these functions without being correctly HTML-escaped. Depending on the browser being used, an attacker could use this flaw to conduct cross-site scripting attacks. (CVE-2007-5898) A PHP script which used the transparent session ID configuration option, or which used the output_add_rewrite_var() function, could leak session identifiers to external websites. If a page included an HTML form with an ACTION attribute referencing a non-local URL, the user
    last seen2020-06-01
    modified2020-06-02
    plugin id43693
    published2010-01-06
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/43693
    titleCentOS 4 : php (CESA-2008:0545)
  • NASL familyCGI abuses
    NASL idPHP_5_2_5.NASL
    descriptionAccording to its banner, the version of PHP installed on the remote host is older than 5.2.5. Such versions may be affected by various issues, including but not limited to several buffer overflows.
    last seen2020-06-01
    modified2020-06-02
    plugin id28181
    published2007-11-12
    reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/28181
    titlePHP < 5.2.5 Multiple Vulnerabilities
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2008-0546.NASL
    descriptionUpdated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. It was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051) The PHP functions htmlentities() and htmlspecialchars() did not properly recognize partial multi-byte sequences. Certain sequences of bytes could be passed through these functions without being correctly HTML-escaped. Depending on the browser being used, an attacker could use this flaw to conduct cross-site scripting attacks. (CVE-2007-5898) A PHP script which used the transparent session ID configuration option, or which used the output_add_rewrite_var() function, could leak session identifiers to external websites. If a page included an HTML form with an ACTION attribute referencing a non-local URL, the user
    last seen2020-06-01
    modified2020-06-02
    plugin id33512
    published2008-07-16
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33512
    titleRHEL 2.1 : php (RHSA-2008:0546)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2008-0545.NASL
    descriptionFrom Red Hat Security Advisory 2008:0545 : Updated php packages that fix several security issues and a bug are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. It was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051) The PHP functions htmlentities() and htmlspecialchars() did not properly recognize partial multi-byte sequences. Certain sequences of bytes could be passed through these functions without being correctly HTML-escaped. Depending on the browser being used, an attacker could use this flaw to conduct cross-site scripting attacks. (CVE-2007-5898) A PHP script which used the transparent session ID configuration option, or which used the output_add_rewrite_var() function, could leak session identifiers to external websites. If a page included an HTML form with an ACTION attribute referencing a non-local URL, the user
    last seen2020-06-01
    modified2020-06-02
    plugin id67712
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67712
    titleOracle Linux 4 : php (ELSA-2008-0545)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20080716_PHP_ON_SL5_X.NASL
    descriptionIt was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051) PHP functions htmlentities() and htmlspecialchars() did not properly recognize partial multi-byte sequences. Certain sequences of bytes could be passed through these functions without being correctly HTML-escaped. Depending on the browser being used, an attacker could use this flaw to conduct cross-site scripting attacks. (CVE-2007-5898) A PHP script which used the transparent session ID configuration option, or which used the output_add_rewrite_var() function, could leak session identifiers to external websites. If a page included an HTML form with an ACTION attribute referencing a non-local URL, the user
    last seen2020-06-01
    modified2020-06-02
    plugin id60445
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60445
    titleScientific Linux Security Update : php on SL5.x i386/x86_64
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2008-126.NASL
    descriptionA number of vulnerabilities have been found and corrected in PHP : PHP 5.2.1 would allow context-dependent attackers to read portions of heap memory by executing certain scripts with a serialized data input string beginning with
    last seen2020-06-01
    modified2020-06-02
    plugin id37584
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/37584
    titleMandriva Linux Security Advisory : php (MDVSA-2008:126)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2008-0544.NASL
    descriptionFrom Red Hat Security Advisory 2008:0544 : Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. It was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051) PHP functions htmlentities() and htmlspecialchars() did not properly recognize partial multi-byte sequences. Certain sequences of bytes could be passed through these functions without being correctly HTML-escaped. Depending on the browser being used, an attacker could use this flaw to conduct cross-site scripting attacks. (CVE-2007-5898) A PHP script which used the transparent session ID configuration option, or which used the output_add_rewrite_var() function, could leak session identifiers to external websites. If a page included an HTML form with an ACTION attribute referencing a non-local URL, the user
    last seen2020-06-01
    modified2020-06-02
    plugin id67711
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67711
    titleOracle Linux 3 / 5 : php (ELSA-2008-0544)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1789.NASL
    descriptionSeveral remote vulnerabilities have been discovered in the PHP 5 hypertext preprocessor. The Common Vulnerabilities and Exposures project identifies the following problems. The following four vulnerabilities have already been fixed in the stable (lenny) version of php5 prior to the release of lenny. This update now addresses them for etch (oldstable) as well : - CVE-2008-2107 / CVE-2008-2108 The GENERATE_SEED macro has several problems that make predicting generated random numbers easier, facilitating attacks against measures that use rand() or mt_rand() as part of a protection. - CVE-2008-5557 A buffer overflow in the mbstring extension allows attackers to execute arbitrary code via a crafted string containing an HTML entity. - CVE-2008-5624 The page_uid and page_gid variables are not correctly set, allowing use of some functionality intended to be restricted to root. - CVE-2008-5658 Directory traversal vulnerability in the ZipArchive::extractTo function allows attackers to write arbitrary files via a ZIP file with a file whose name contains .. (dot dot) sequences. This update also addresses the following three vulnerabilities for both oldstable (etch) and stable (lenny) : - CVE-2008-5814 Cross-site scripting (XSS) vulnerability, when display_errors is enabled, allows remote attackers to inject arbitrary web script or HTML. - CVE-2009-0754 When running on Apache, PHP allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within .htaccess, which causes this setting to be applied to other virtual hosts on the same server. - CVE-2009-1271 The JSON_parser function allows a denial of service (segmentation fault) via a malformed string to the json_decode API function. Furthermore, two updates originally scheduled for the next point update for oldstable are included in the etch package : - Let PHP use the system timezone database instead of the embedded timezone database which is out of date. - From the source tarball, the unused
    last seen2020-06-01
    modified2020-06-02
    plugin id38691
    published2009-05-06
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/38691
    titleDebian DSA-1789-1 : php5 - several vulnerabilities
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2008-0544.NASL
    descriptionUpdated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. It was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051) PHP functions htmlentities() and htmlspecialchars() did not properly recognize partial multi-byte sequences. Certain sequences of bytes could be passed through these functions without being correctly HTML-escaped. Depending on the browser being used, an attacker could use this flaw to conduct cross-site scripting attacks. (CVE-2007-5898) A PHP script which used the transparent session ID configuration option, or which used the output_add_rewrite_var() function, could leak session identifiers to external websites. If a page included an HTML form with an ACTION attribute referencing a non-local URL, the user
    last seen2020-06-01
    modified2020-06-02
    plugin id33510
    published2008-07-16
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33510
    titleRHEL 3 / 5 : php (RHSA-2008:0544)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-3606.NASL
    descriptionThis release updates PHP to the latest upstream version 5.2.6, fixing multiple bugs and security issues. See upstream release notes for further details: http://www.php.net/releases/5_2_6.php It was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051) It was discovered that a PHP script using the transparent session ID configuration option, or using the output_add_rewrite_var() function, could leak session identifiers to external websites. If a page included an HTML form which is posted to a third-party website, the user
    last seen2020-06-01
    modified2020-06-02
    plugin id33231
    published2008-06-24
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33231
    titleFedora 9 : php-5.2.6-2.fc9 (2008-3606)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20080716_PHP_ON_SL4_X.NASL
    descriptionIt was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051) The PHP functions htmlentities() and htmlspecialchars() did not properly recognize partial multi-byte sequences. Certain sequences of bytes could be passed through these functions without being correctly HTML-escaped. Depending on the browser being used, an attacker could use this flaw to conduct cross-site scripting attacks. (CVE-2007-5898) A PHP script which used the transparent session ID configuration option, or which used the output_add_rewrite_var() function, could leak session identifiers to external websites. If a page included an HTML form with an ACTION attribute referencing a non-local URL, the user
    last seen2020-06-01
    modified2020-06-02
    plugin id60444
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60444
    titleScientific Linux Security Update : php on SL4.x i386/x86_64
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-3864.NASL
    descriptionThis release updates PHP to the latest upstream version 5.2.6, fixing multiple bugs and security issues. See upstream release notes for further details: http://www.php.net/releases/5_2_5.php http://www.php.net/releases/5_2_6.php It was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051) PHP functions htmlentities() and htmlspecialchars() did not properly recognize partial multi-byte sequences. Certain sequences of bytes could be passed through these functions without being correctly HTML-escaped. An attacker could use this flaw to conduct cross-site scripting attack against users of such browsers. (CVE-2007-5898) It was discovered that a PHP script using the transparent session ID configuration option, or using the output_add_rewrite_var() function, could leak session identifiers to external websites. If a page included an HTML form which is posted to a third-party website, the user
    last seen2020-06-01
    modified2020-06-02
    plugin id33232
    published2008-06-24
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/33232
    titleFedora 8 : php-5.2.6-2.fc8 (2008-3864)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2008-127.NASL
    descriptionA number of vulnerabilities have been found and corrected in PHP : The htmlentities() and htmlspecialchars() functions in PHP prior to 5.2.5 accepted partial multibyte sequences, which has unknown impact and attack vectors (CVE-2007-5898). The output_add_rewrite_var() function in PHP prior to 5.2.5 rewrites local forms in which the ACTION attribute references a non-local URL, which could allow a remote attacker to obtain potentially sensitive information by reading the requests for this URL (CVE-2007-5899). php-cgi in PHP prior to 5.2.6 does not properly calculate the length of PATH_TRANSLATED, which has unknown impact and attack vectors (CVE-2008-0599). The escapeshellcmd() API function in PHP prior to 5.2.6 has unknown impact and context-dependent attack vectors related to incomplete multibyte characters (CVE-2008-2051). Weaknesses in the GENERATE_SEED macro in PHP prior to 4.4.8 and 5.2.5 were discovered that could produce a zero seed in rare circumstances on 32bit systems and generations a portion of zero bits during conversion due to insufficient precision on 64bit systems (CVE-2008-2107, CVE-2008-2108). The IMAP module in PHP uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) via a long IMAP request (CVE-2008-2829). In addition, this update also corrects an issue with some float to string conversions. The updated packages have been patched to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id38042
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/38042
    titleMandriva Linux Security Advisory : php (MDVSA-2008:127)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2008-0544.NASL
    descriptionUpdated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. It was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051) PHP functions htmlentities() and htmlspecialchars() did not properly recognize partial multi-byte sequences. Certain sequences of bytes could be passed through these functions without being correctly HTML-escaped. Depending on the browser being used, an attacker could use this flaw to conduct cross-site scripting attacks. (CVE-2007-5898) A PHP script which used the transparent session ID configuration option, or which used the output_add_rewrite_var() function, could leak session identifiers to external websites. If a page included an HTML form with an ACTION attribute referencing a non-local URL, the user
    last seen2020-06-01
    modified2020-06-02
    plugin id33524
    published2008-07-17
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33524
    titleCentOS 3 / 5 : php (CESA-2008:0544)
  • NASL familyCGI abuses
    NASL idPHP_4_4_8.NASL
    descriptionAccording to its banner, the version of PHP installed on the remote host is older than 4.4.8. Such versions may be affected by several issues, including integer overflows involving the
    last seen2020-06-01
    modified2020-06-02
    plugin id29833
    published2008-01-03
    reporterThis script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/29833
    titlePHP < 4.4.8 Multiple Vulnerabilities

Oval

accepted2013-04-29T04:09:17.247-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
    ovaloval:org.mitre.oval:def:11782
  • commentCentOS Linux 3.x
    ovaloval:org.mitre.oval:def:16651
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
    ovaloval:org.mitre.oval:def:11831
  • commentCentOS Linux 4.x
    ovaloval:org.mitre.oval:def:16636
  • commentOracle Linux 4.x
    ovaloval:org.mitre.oval:def:15990
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 5
    ovaloval:org.mitre.oval:def:11414
  • commentThe operating system installed on the system is CentOS Linux 5.x
    ovaloval:org.mitre.oval:def:15802
  • commentOracle Linux 5.x
    ovaloval:org.mitre.oval:def:15459
descriptionThe GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 64-bit systems, performs a multiplication that generates a portion of zero bits during conversion due to insufficient precision, which produces 24 bits of entropy and simplifies brute force attacks against protection mechanisms that use the rand and mt_rand functions.
familyunix
idoval:org.mitre.oval:def:10844
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleThe GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 64-bit systems, performs a multiplication that generates a portion of zero bits during conversion due to insufficient precision, which produces 24 bits of entropy and simplifies brute force attacks against protection mechanisms that use the rand and mt_rand functions.
version27

Redhat

advisories
  • bugzilla
    id445685
    titleCVE-2008-2108 PHP weak 64 bit random seed
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 5 is installed
        ovaloval:com.redhat.rhba:tst:20070331005
      • OR
        • AND
          • commentphp-snmp is earlier than 0:5.1.6-20.el5_2.1
            ovaloval:com.redhat.rhsa:tst:20080544001
          • commentphp-snmp is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082002
        • AND
          • commentphp-ncurses is earlier than 0:5.1.6-20.el5_2.1
            ovaloval:com.redhat.rhsa:tst:20080544003
          • commentphp-ncurses is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082016
        • AND
          • commentphp-pdo is earlier than 0:5.1.6-20.el5_2.1
            ovaloval:com.redhat.rhsa:tst:20080544005
          • commentphp-pdo is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082026
        • AND
          • commentphp-mbstring is earlier than 0:5.1.6-20.el5_2.1
            ovaloval:com.redhat.rhsa:tst:20080544007
          • commentphp-mbstring is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082014
        • AND
          • commentphp-ldap is earlier than 0:5.1.6-20.el5_2.1
            ovaloval:com.redhat.rhsa:tst:20080544009
          • commentphp-ldap is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082012
        • AND
          • commentphp-devel is earlier than 0:5.1.6-20.el5_2.1
            ovaloval:com.redhat.rhsa:tst:20080544011
          • commentphp-devel is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082020
        • AND
          • commentphp-odbc is earlier than 0:5.1.6-20.el5_2.1
            ovaloval:com.redhat.rhsa:tst:20080544013
          • commentphp-odbc is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082010
        • AND
          • commentphp-imap is earlier than 0:5.1.6-20.el5_2.1
            ovaloval:com.redhat.rhsa:tst:20080544015
          • commentphp-imap is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082004
        • AND
          • commentphp-gd is earlier than 0:5.1.6-20.el5_2.1
            ovaloval:com.redhat.rhsa:tst:20080544017
          • commentphp-gd is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082018
        • AND
          • commentphp-mysql is earlier than 0:5.1.6-20.el5_2.1
            ovaloval:com.redhat.rhsa:tst:20080544019
          • commentphp-mysql is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082024
        • AND
          • commentphp-pgsql is earlier than 0:5.1.6-20.el5_2.1
            ovaloval:com.redhat.rhsa:tst:20080544021
          • commentphp-pgsql is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082028
        • AND
          • commentphp-bcmath is earlier than 0:5.1.6-20.el5_2.1
            ovaloval:com.redhat.rhsa:tst:20080544023
          • commentphp-bcmath is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082006
        • AND
          • commentphp-dba is earlier than 0:5.1.6-20.el5_2.1
            ovaloval:com.redhat.rhsa:tst:20080544025
          • commentphp-dba is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082032
        • AND
          • commentphp-xmlrpc is earlier than 0:5.1.6-20.el5_2.1
            ovaloval:com.redhat.rhsa:tst:20080544027
          • commentphp-xmlrpc is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082036
        • AND
          • commentphp-common is earlier than 0:5.1.6-20.el5_2.1
            ovaloval:com.redhat.rhsa:tst:20080544029
          • commentphp-common is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082038
        • AND
          • commentphp-soap is earlier than 0:5.1.6-20.el5_2.1
            ovaloval:com.redhat.rhsa:tst:20080544031
          • commentphp-soap is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082034
        • AND
          • commentphp-cli is earlier than 0:5.1.6-20.el5_2.1
            ovaloval:com.redhat.rhsa:tst:20080544033
          • commentphp-cli is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082030
        • AND
          • commentphp-xml is earlier than 0:5.1.6-20.el5_2.1
            ovaloval:com.redhat.rhsa:tst:20080544035
          • commentphp-xml is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082008
        • AND
          • commentphp is earlier than 0:5.1.6-20.el5_2.1
            ovaloval:com.redhat.rhsa:tst:20080544037
          • commentphp is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070082022
    rhsa
    idRHSA-2008:0544
    released2008-07-16
    severityModerate
    titleRHSA-2008:0544: php security update (Moderate)
  • bugzilla
    id445685
    titleCVE-2008-2108 PHP weak 64 bit random seed
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 4 is installed
        ovaloval:com.redhat.rhba:tst:20070304025
      • OR
        • AND
          • commentphp-imap is earlier than 0:4.3.9-3.22.12
            ovaloval:com.redhat.rhsa:tst:20080545001
          • commentphp-imap is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276002
        • AND
          • commentphp-gd is earlier than 0:4.3.9-3.22.12
            ovaloval:com.redhat.rhsa:tst:20080545003
          • commentphp-gd is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276026
        • AND
          • commentphp-odbc is earlier than 0:4.3.9-3.22.12
            ovaloval:com.redhat.rhsa:tst:20080545005
          • commentphp-odbc is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276008
        • AND
          • commentphp-ldap is earlier than 0:4.3.9-3.22.12
            ovaloval:com.redhat.rhsa:tst:20080545007
          • commentphp-ldap is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276024
        • AND
          • commentphp-pear is earlier than 0:4.3.9-3.22.12
            ovaloval:com.redhat.rhsa:tst:20080545009
          • commentphp-pear is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276018
        • AND
          • commentphp-ncurses is earlier than 0:4.3.9-3.22.12
            ovaloval:com.redhat.rhsa:tst:20080545011
          • commentphp-ncurses is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276016
        • AND
          • commentphp-snmp is earlier than 0:4.3.9-3.22.12
            ovaloval:com.redhat.rhsa:tst:20080545013
          • commentphp-snmp is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276014
        • AND
          • commentphp-xmlrpc is earlier than 0:4.3.9-3.22.12
            ovaloval:com.redhat.rhsa:tst:20080545015
          • commentphp-xmlrpc is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276006
        • AND
          • commentphp-devel is earlier than 0:4.3.9-3.22.12
            ovaloval:com.redhat.rhsa:tst:20080545017
          • commentphp-devel is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276028
        • AND
          • commentphp is earlier than 0:4.3.9-3.22.12
            ovaloval:com.redhat.rhsa:tst:20080545019
          • commentphp is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276012
        • AND
          • commentphp-mbstring is earlier than 0:4.3.9-3.22.12
            ovaloval:com.redhat.rhsa:tst:20080545021
          • commentphp-mbstring is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276020
        • AND
          • commentphp-domxml is earlier than 0:4.3.9-3.22.12
            ovaloval:com.redhat.rhsa:tst:20080545023
          • commentphp-domxml is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276022
        • AND
          • commentphp-pgsql is earlier than 0:4.3.9-3.22.12
            ovaloval:com.redhat.rhsa:tst:20080545025
          • commentphp-pgsql is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276004
        • AND
          • commentphp-mysql is earlier than 0:4.3.9-3.22.12
            ovaloval:com.redhat.rhsa:tst:20080545027
          • commentphp-mysql is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276010
    rhsa
    idRHSA-2008:0545
    released2008-07-16
    severityModerate
    titleRHSA-2008:0545: php security and bug fix update (Moderate)
  • rhsa
    idRHSA-2008:0505
  • rhsa
    idRHSA-2008:0546
  • rhsa
    idRHSA-2008:0582
rpms
  • httpd-0:2.2.8-1.el5s2
  • httpd-debuginfo-0:2.2.8-1.el5s2
  • httpd-devel-0:2.2.8-1.el5s2
  • httpd-manual-0:2.2.8-1.el5s2
  • mod_jk-ap20-0:1.2.26-1.el5s2
  • mod_jk-debuginfo-0:1.2.26-1.el5s2
  • mod_perl-0:2.0.4-3.el5s2
  • mod_perl-debuginfo-0:2.0.4-3.el5s2
  • mod_perl-devel-0:2.0.4-3.el5s2
  • mod_ssl-1:2.2.8-1.el5s2
  • mysql-0:5.0.50sp1a-2.el5s2
  • mysql-bench-0:5.0.50sp1a-2.el5s2
  • mysql-cluster-0:5.0.50sp1a-2.el5s2
  • mysql-connector-odbc-0:3.51.24r1071-1.el5s2
  • mysql-connector-odbc-debuginfo-0:3.51.24r1071-1.el5s2
  • mysql-debuginfo-0:5.0.50sp1a-2.el5s2
  • mysql-devel-0:5.0.50sp1a-2.el5s2
  • mysql-jdbc-0:5.0.8-1jpp.1.el5s2
  • mysql-libs-0:5.0.50sp1a-2.el5s2
  • mysql-server-0:5.0.50sp1a-2.el5s2
  • mysql-test-0:5.0.50sp1a-2.el5s2
  • perl-DBD-MySQL-0:4.006-1.el5s2
  • perl-DBD-MySQL-debuginfo-0:4.006-1.el5s2
  • perl-DBI-0:1.604-1.el5s2
  • perl-DBI-debuginfo-0:1.604-1.el5s2
  • php-0:5.2.6-2.el5s2
  • php-bcmath-0:5.2.6-2.el5s2
  • php-cli-0:5.2.6-2.el5s2
  • php-common-0:5.2.6-2.el5s2
  • php-dba-0:5.2.6-2.el5s2
  • php-debuginfo-0:5.2.6-2.el5s2
  • php-devel-0:5.2.6-2.el5s2
  • php-gd-0:5.2.6-2.el5s2
  • php-imap-0:5.2.6-2.el5s2
  • php-ldap-0:5.2.6-2.el5s2
  • php-mbstring-0:5.2.6-2.el5s2
  • php-mysql-0:5.2.6-2.el5s2
  • php-ncurses-0:5.2.6-2.el5s2
  • php-odbc-0:5.2.6-2.el5s2
  • php-pdo-0:5.2.6-2.el5s2
  • php-pgsql-0:5.2.6-2.el5s2
  • php-snmp-0:5.2.6-2.el5s2
  • php-soap-0:5.2.6-2.el5s2
  • php-xml-0:5.2.6-2.el5s2
  • php-xmlrpc-0:5.2.6-2.el5s2
  • postgresql-0:8.2.9-1.el5s2
  • postgresql-contrib-0:8.2.9-1.el5s2
  • postgresql-debuginfo-0:8.2.9-1.el5s2
  • postgresql-devel-0:8.2.9-1.el5s2
  • postgresql-docs-0:8.2.9-1.el5s2
  • postgresql-jdbc-0:8.2.508-1jpp.el5s2
  • postgresql-jdbc-debuginfo-0:8.2.508-1jpp.el5s2
  • postgresql-libs-0:8.2.9-1.el5s2
  • postgresql-odbc-0:08.02.0500-1.el5s2
  • postgresql-odbc-debuginfo-0:08.02.0500-1.el5s2
  • postgresql-plperl-0:8.2.9-1.el5s2
  • postgresql-plpython-0:8.2.9-1.el5s2
  • postgresql-pltcl-0:8.2.9-1.el5s2
  • postgresql-python-0:8.2.9-1.el5s2
  • postgresql-server-0:8.2.9-1.el5s2
  • postgresql-tcl-0:8.2.9-1.el5s2
  • postgresql-test-0:8.2.9-1.el5s2
  • postgresqlclient81-0:8.1.11-1.el5s2
  • postgresqlclient81-debuginfo-0:8.1.11-1.el5s2
  • unixODBC-0:2.2.12-8.el5s2
  • unixODBC-debuginfo-0:2.2.12-8.el5s2
  • unixODBC-devel-0:2.2.12-8.el5s2
  • unixODBC-kde-0:2.2.12-8.el5s2
  • php-0:4.3.2-48.ent
  • php-0:5.1.6-20.el5_2.1
  • php-bcmath-0:5.1.6-20.el5_2.1
  • php-cli-0:5.1.6-20.el5_2.1
  • php-common-0:5.1.6-20.el5_2.1
  • php-dba-0:5.1.6-20.el5_2.1
  • php-debuginfo-0:4.3.2-48.ent
  • php-debuginfo-0:5.1.6-20.el5_2.1
  • php-devel-0:4.3.2-48.ent
  • php-devel-0:5.1.6-20.el5_2.1
  • php-gd-0:5.1.6-20.el5_2.1
  • php-imap-0:4.3.2-48.ent
  • php-imap-0:5.1.6-20.el5_2.1
  • php-ldap-0:4.3.2-48.ent
  • php-ldap-0:5.1.6-20.el5_2.1
  • php-mbstring-0:5.1.6-20.el5_2.1
  • php-mysql-0:4.3.2-48.ent
  • php-mysql-0:5.1.6-20.el5_2.1
  • php-ncurses-0:5.1.6-20.el5_2.1
  • php-odbc-0:4.3.2-48.ent
  • php-odbc-0:5.1.6-20.el5_2.1
  • php-pdo-0:5.1.6-20.el5_2.1
  • php-pgsql-0:4.3.2-48.ent
  • php-pgsql-0:5.1.6-20.el5_2.1
  • php-snmp-0:5.1.6-20.el5_2.1
  • php-soap-0:5.1.6-20.el5_2.1
  • php-xml-0:5.1.6-20.el5_2.1
  • php-xmlrpc-0:5.1.6-20.el5_2.1
  • php-0:4.3.9-3.22.12
  • php-debuginfo-0:4.3.9-3.22.12
  • php-devel-0:4.3.9-3.22.12
  • php-domxml-0:4.3.9-3.22.12
  • php-gd-0:4.3.9-3.22.12
  • php-imap-0:4.3.9-3.22.12
  • php-ldap-0:4.3.9-3.22.12
  • php-mbstring-0:4.3.9-3.22.12
  • php-mysql-0:4.3.9-3.22.12
  • php-ncurses-0:4.3.9-3.22.12
  • php-odbc-0:4.3.9-3.22.12
  • php-pear-0:4.3.9-3.22.12
  • php-pgsql-0:4.3.9-3.22.12
  • php-snmp-0:4.3.9-3.22.12
  • php-xmlrpc-0:4.3.9-3.22.12
  • php-0:4.1.2-2.20
  • php-devel-0:4.1.2-2.20
  • php-imap-0:4.1.2-2.20
  • php-ldap-0:4.1.2-2.20
  • php-manual-0:4.1.2-2.20
  • php-mysql-0:4.1.2-2.20
  • php-odbc-0:4.1.2-2.20
  • php-pgsql-0:4.1.2-2.20
  • php-0:5.1.6-3.el4s1.10
  • php-bcmath-0:5.1.6-3.el4s1.10
  • php-cli-0:5.1.6-3.el4s1.10
  • php-common-0:5.1.6-3.el4s1.10
  • php-dba-0:5.1.6-3.el4s1.10
  • php-debuginfo-0:5.1.6-3.el4s1.10
  • php-devel-0:5.1.6-3.el4s1.10
  • php-gd-0:5.1.6-3.el4s1.10
  • php-imap-0:5.1.6-3.el4s1.10
  • php-ldap-0:5.1.6-3.el4s1.10
  • php-mbstring-0:5.1.6-3.el4s1.10
  • php-mysql-0:5.1.6-3.el4s1.10
  • php-ncurses-0:5.1.6-3.el4s1.10
  • php-odbc-0:5.1.6-3.el4s1.10
  • php-pdo-0:5.1.6-3.el4s1.10
  • php-pgsql-0:5.1.6-3.el4s1.10
  • php-snmp-0:5.1.6-3.el4s1.10
  • php-soap-0:5.1.6-3.el4s1.10
  • php-xml-0:5.1.6-3.el4s1.10
  • php-xmlrpc-0:5.1.6-3.el4s1.10

References