Vulnerabilities > CVE-2008-3658 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in PHP
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
Buffer overflow in the imageloadfont function in ext/gd/gd.c in PHP 4.4.x before 4.4.9 and PHP 5.2 before 5.2.6-r6 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 16 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2009-0338.NASL description From Red Hat Security Advisory 2009:0338 : Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap-based buffer overflow flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 67818 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67818 title Oracle Linux 5 : php (ELSA-2009-0338) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2009:0338 and # Oracle Linux Security Advisory ELSA-2009-0338 respectively. # include("compat.inc"); if (description) { script_id(67818); script_version("1.12"); script_cvs_date("Date: 2019/10/25 13:36:07"); script_cve_id("CVE-2008-3658", "CVE-2008-3660", "CVE-2008-5498", "CVE-2008-5557", "CVE-2008-5814", "CVE-2009-0754"); script_bugtraq_id(30649, 31612, 32948, 33002, 33542); script_xref(name:"RHSA", value:"2009:0338"); script_name(english:"Oracle Linux 5 : php (ELSA-2009-0338)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Oracle Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "From Red Hat Security Advisory 2009:0338 : Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap-based buffer overflow flaw was found in PHP's mbstring extension. A remote attacker able to pass arbitrary input to a PHP script using mbstring conversion functions could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-5557) A flaw was found in the handling of the 'mbstring.func_overload' configuration setting. A value set for one virtual host, or in a user's .htaccess file, was incorrectly applied to other virtual hosts on the same server, causing the handling of multibyte character strings to not work correctly. (CVE-2009-0754) A buffer overflow flaw was found in PHP's imageloadfont function. If a PHP script allowed a remote attacker to load a carefully crafted font file, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-3658) A flaw was found in the way PHP handled certain file extensions when running in FastCGI mode. If the PHP interpreter was being executed via FastCGI, a remote attacker could create a request which would cause the PHP interpreter to crash. (CVE-2008-3660) A memory disclosure flaw was found in the PHP gd extension's imagerotate function. A remote attacker able to pass arbitrary values as the 'background color' argument of the function could, possibly, view portions of the PHP interpreter's memory. (CVE-2008-5498) A cross-site scripting flaw was found in a way PHP reported errors for invalid cookies. If the PHP interpreter had 'display_errors' enabled, a remote attacker able to set a specially crafted cookie on a victim's system could possibly inject arbitrary HTML into an error message generated by PHP. (CVE-2008-5814) All php users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. The httpd web server must be restarted for the changes to take effect." ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2009-April/000949.html" ); script_set_attribute(attribute:"solution", value:"Update the affected php packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(20, 79, 119, 134, 200); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-bcmath"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-cli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-dba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-imap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-mbstring"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-ncurses"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-pdo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-snmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-soap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-xml"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-xmlrpc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:5"); script_set_attribute(attribute:"vuln_publication_date", value:"2008/08/14"); script_set_attribute(attribute:"patch_publication_date", value:"2009/04/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Oracle Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux"); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux"); os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 5", "Oracle Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu); flag = 0; if (rpm_check(release:"EL5", reference:"php-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"EL5", reference:"php-bcmath-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"EL5", reference:"php-cli-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"EL5", reference:"php-common-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"EL5", reference:"php-dba-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"EL5", reference:"php-devel-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"EL5", reference:"php-gd-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"EL5", reference:"php-imap-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"EL5", reference:"php-ldap-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"EL5", reference:"php-mbstring-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"EL5", reference:"php-mysql-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"EL5", reference:"php-ncurses-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"EL5", reference:"php-odbc-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"EL5", reference:"php-pdo-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"EL5", reference:"php-pgsql-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"EL5", reference:"php-snmp-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"EL5", reference:"php-soap-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"EL5", reference:"php-xml-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"EL5", reference:"php-xmlrpc-5.1.6-23.2.el5_3")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php / php-bcmath / php-cli / php-common / php-dba / php-devel / etc"); }NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-022.NASL description A vulnerability in PHP allowed context-dependent attackers to cause a denial of service (crash) via a certain long string in the glob() or fnmatch() functions (CVE-2007-4782). A vulnerability in the cURL library in PHP allowed context-dependent attackers to bypass safe_mode and open_basedir restrictions and read arbitrary files using a special URL request (CVE-2007-4850). An integer overflow in PHP allowed context-dependent attackers to cause a denial of serivce via a special printf() format parameter (CVE-2008-1384). A stack-based buffer overflow in the FastCGI SAPI in PHP has unknown impact and attack vectors (CVE-2008-2050). A buffer overflow in the imageloadfont() function in PHP allowed context-dependent attackers to cause a denial of service (crash) and potentially execute arbitrary code via a crafted font file (CVE-2008-3658). A buffer overflow in the memnstr() function allowed context-dependent attackers to cause a denial of service (crash) and potentially execute arbitrary code via the delimiter argument to the explode() function (CVE-2008-3659). PHP, when used as a FastCGI module, allowed remote attackers to cause a denial of service (crash) via a request with multiple dots preceding the extension (CVE-2008-3660). An array index error in the imageRotate() function in PHP allowed context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument to the function for an indexed image (CVE-2008-5498). The updated packages have been patched to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 36294 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/36294 title Mandriva Linux Security Advisory : php (MDVSA-2009:022) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandriva Linux Security Advisory MDVSA-2009:022. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(36294); script_version ("1.21"); script_cvs_date("Date: 2019/08/02 13:32:51"); script_cve_id( "CVE-2007-4782", "CVE-2007-4850", "CVE-2008-1384", "CVE-2008-2050", "CVE-2008-3658", "CVE-2008-3659", "CVE-2008-3660", "CVE-2008-5498" ); script_bugtraq_id( 26403, 29009, 30649, 31612, 33002 ); script_xref(name:"MDVSA", value:"2009:022"); script_name(english:"Mandriva Linux Security Advisory : php (MDVSA-2009:022)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandriva Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "A vulnerability in PHP allowed context-dependent attackers to cause a denial of service (crash) via a certain long string in the glob() or fnmatch() functions (CVE-2007-4782). A vulnerability in the cURL library in PHP allowed context-dependent attackers to bypass safe_mode and open_basedir restrictions and read arbitrary files using a special URL request (CVE-2007-4850). An integer overflow in PHP allowed context-dependent attackers to cause a denial of serivce via a special printf() format parameter (CVE-2008-1384). A stack-based buffer overflow in the FastCGI SAPI in PHP has unknown impact and attack vectors (CVE-2008-2050). A buffer overflow in the imageloadfont() function in PHP allowed context-dependent attackers to cause a denial of service (crash) and potentially execute arbitrary code via a crafted font file (CVE-2008-3658). A buffer overflow in the memnstr() function allowed context-dependent attackers to cause a denial of service (crash) and potentially execute arbitrary code via the delimiter argument to the explode() function (CVE-2008-3659). PHP, when used as a FastCGI module, allowed remote attackers to cause a denial of service (crash) via a request with multiple dots preceding the extension (CVE-2008-3660). An array index error in the imageRotate() function in PHP allowed context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument to the function for an indexed image (CVE-2008-5498). The updated packages have been patched to correct these issues." ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(20, 94, 119, 189, 200, 264); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64php5_common5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libphp5_common5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-bcmath"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-bz2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-calendar"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-cgi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-cli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-ctype"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-dba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-dbase"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-dom"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-exif"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-fcgi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-filter"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-ftp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-gettext"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-gmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-hash"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-iconv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-imap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-json"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mbstring"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mcrypt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mhash"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mime_magic"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-ming"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mssql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mysqli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-ncurses"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-openssl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pcntl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pdo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pdo_dblib"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pdo_mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pdo_odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pdo_pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pdo_sqlite"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-posix"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pspell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-readline"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-recode"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-session"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-shmop"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-simplexml"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-snmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-soap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-sockets"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-sqlite"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-sysvmsg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-sysvsem"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-sysvshm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-tidy"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-tokenizer"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-wddx"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-xml"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-xmlreader"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-xmlrpc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-xmlwriter"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-xsl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-zlib"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.0"); script_set_attribute(attribute:"patch_publication_date", value:"2009/01/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK2008.0", cpu:"x86_64", reference:"lib64php5_common5-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", cpu:"i386", reference:"libphp5_common5-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-bcmath-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-bz2-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-calendar-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-cgi-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-cli-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-ctype-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-curl-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-dba-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-dbase-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-devel-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-dom-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-exif-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-fcgi-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-filter-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-ftp-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-gd-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-gettext-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-gmp-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-hash-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-iconv-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-imap-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-json-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-ldap-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-mbstring-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-mcrypt-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-mhash-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-mime_magic-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-ming-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-mssql-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-mysql-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-mysqli-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-ncurses-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-odbc-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-openssl-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-pcntl-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-pdo-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-pdo_dblib-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-pdo_mysql-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-pdo_odbc-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-pdo_pgsql-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-pdo_sqlite-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-pgsql-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-posix-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-pspell-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-readline-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-recode-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-session-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-shmop-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-simplexml-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-snmp-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-soap-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-sockets-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-sqlite-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-sysvmsg-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-sysvsem-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-sysvshm-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-tidy-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-tokenizer-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-wddx-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-xml-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-xmlreader-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-xmlrpc-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-xmlwriter-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-xsl-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-zlib-5.2.4-3.3mdv2008.0", yank:"mdv")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2009-0338.NASL description Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap-based buffer overflow flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 43732 published 2010-01-06 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/43732 title CentOS 5 : php (CESA-2009:0338) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2009:0338 and # CentOS Errata and Security Advisory 2009:0338 respectively. # include("compat.inc"); if (description) { script_id(43732); script_version("1.18"); script_cvs_date("Date: 2019/10/25 13:36:04"); script_cve_id("CVE-2008-3658", "CVE-2008-3660", "CVE-2008-5498", "CVE-2008-5557", "CVE-2008-5814", "CVE-2009-0754"); script_bugtraq_id(30649, 31612, 32948, 33002, 33542); script_xref(name:"RHSA", value:"2009:0338"); script_name(english:"CentOS 5 : php (CESA-2009:0338)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote CentOS host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap-based buffer overflow flaw was found in PHP's mbstring extension. A remote attacker able to pass arbitrary input to a PHP script using mbstring conversion functions could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-5557) A flaw was found in the handling of the 'mbstring.func_overload' configuration setting. A value set for one virtual host, or in a user's .htaccess file, was incorrectly applied to other virtual hosts on the same server, causing the handling of multibyte character strings to not work correctly. (CVE-2009-0754) A buffer overflow flaw was found in PHP's imageloadfont function. If a PHP script allowed a remote attacker to load a carefully crafted font file, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-3658) A flaw was found in the way PHP handled certain file extensions when running in FastCGI mode. If the PHP interpreter was being executed via FastCGI, a remote attacker could create a request which would cause the PHP interpreter to crash. (CVE-2008-3660) A memory disclosure flaw was found in the PHP gd extension's imagerotate function. A remote attacker able to pass arbitrary values as the 'background color' argument of the function could, possibly, view portions of the PHP interpreter's memory. (CVE-2008-5498) A cross-site scripting flaw was found in a way PHP reported errors for invalid cookies. If the PHP interpreter had 'display_errors' enabled, a remote attacker able to set a specially crafted cookie on a victim's system could possibly inject arbitrary HTML into an error message generated by PHP. (CVE-2008-5814) All php users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. The httpd web server must be restarted for the changes to take effect." ); # https://lists.centos.org/pipermail/centos-announce/2009-April/015724.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?607ae89b" ); # https://lists.centos.org/pipermail/centos-announce/2009-April/015725.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?6d2cb33c" ); script_set_attribute(attribute:"solution", value:"Update the affected php packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(20, 79, 119, 134, 200); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-bcmath"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-cli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-dba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-imap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-mbstring"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-ncurses"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-pdo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-snmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-soap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-xml"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-xmlrpc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:5"); script_set_attribute(attribute:"vuln_publication_date", value:"2008/08/14"); script_set_attribute(attribute:"patch_publication_date", value:"2009/04/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/01/06"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CentOS Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/CentOS/release"); if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS"); os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS"); os_ver = os_ver[1]; if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 5.x", "CentOS " + os_ver); if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu); flag = 0; if (rpm_check(release:"CentOS-5", reference:"php-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"CentOS-5", reference:"php-bcmath-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"CentOS-5", reference:"php-cli-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"CentOS-5", reference:"php-common-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"CentOS-5", reference:"php-dba-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"CentOS-5", reference:"php-devel-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"CentOS-5", reference:"php-gd-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"CentOS-5", reference:"php-imap-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"CentOS-5", reference:"php-ldap-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"CentOS-5", reference:"php-mbstring-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"CentOS-5", reference:"php-mysql-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"CentOS-5", reference:"php-ncurses-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"CentOS-5", reference:"php-odbc-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"CentOS-5", reference:"php-pdo-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"CentOS-5", reference:"php-pgsql-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"CentOS-5", reference:"php-snmp-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"CentOS-5", reference:"php-soap-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"CentOS-5", reference:"php-xml-5.1.6-23.2.el5_3")) flag++; if (rpm_check(release:"CentOS-5", reference:"php-xmlrpc-5.1.6-23.2.el5_3")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php / php-bcmath / php-cli / php-common / php-dba / php-devel / etc"); }NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200811-05.NASL description The remote host is affected by the vulnerability described in GLSA-200811-05 (PHP: Multiple vulnerabilities) Several vulnerabilitites were found in PHP: PHP ships a vulnerable version of the PCRE library which allows for the circumvention of security restrictions or even for remote code execution in case of an application which accepts user-supplied regular expressions (CVE-2008-0674). Multiple crash issues in several PHP functions have been discovered. Ryan Permeh reported that the init_request_info() function in sapi/cgi/cgi_main.c does not properly consider operator precedence when calculating the length of PATH_TRANSLATED (CVE-2008-0599). An off-by-one error in the metaphone() function may lead to memory corruption. Maksymilian Arciemowicz of SecurityReason Research reported an integer overflow, which is triggerable using printf() and related functions (CVE-2008-1384). Andrei Nigmatulin reported a stack-based buffer overflow in the FastCGI SAPI, which has unknown attack vectors (CVE-2008-2050). Stefan Esser reported that PHP does not correctly handle multibyte characters inside the escapeshellcmd() function, which is used to sanitize user input before its usage in shell commands (CVE-2008-2051). Stefan Esser reported that a short-coming in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 34787 published 2008-11-17 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/34787 title GLSA-200811-05 : PHP: Multiple vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE_APACHE2-MOD_PHP5-5546.NASL description CVE-2008-3658, CVE-2008-3659 and CVE-2008-3660 have been fixed in the php5 update. last seen 2020-06-01 modified 2020-06-02 plugin id 34233 published 2008-09-17 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/34233 title openSUSE 10 Security Update : apache2-mod_php5 (apache2-mod_php5-5546) NASL family SuSE Local Security Checks NASL id SUSE_APACHE2-MOD_PHP5-5580.NASL description This update fixes some overflows in the gd extension and the memnstr() function that could crash php or even cause a buffer overflow. (CVE-2008-3658 / CVE-2008-3659 / CVE-2008-3660) last seen 2020-06-01 modified 2020-06-02 plugin id 41474 published 2009-09-24 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41474 title SuSE 10 Security Update : PHP5 (ZYPP Patch Number 5580) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2009-0338.NASL description Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap-based buffer overflow flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 36098 published 2009-04-07 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/36098 title RHEL 5 : php (RHSA-2009:0338) NASL family CGI abuses NASL id PHP_4_4_9.NASL description According to its banner, the version of PHP installed on the remote host is older than 4.4.9. Such versions may be affected by several security issues : - There are unspecified issues in the bundled PCRE library fixed by version 7.7. - A buffer overflow in the last seen 2020-06-01 modified 2020-06-02 plugin id 33849 published 2008-08-08 reporter This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/33849 title PHP < 4.4.9 Multiple Vulnerabilities NASL family CGI abuses NASL id PHP_5_2_7.NASL description According to its banner, the version of PHP installed on the remote host is prior to 5.2.7. It is, therefore, affected by multiple vulnerabilities : - There is a buffer overflow flaw in the bundled PCRE library that allows a denial of service attack. (CVE-2008-2371) - Multiple directory traversal vulnerabilities exist in functions such as last seen 2020-06-01 modified 2020-06-02 plugin id 35043 published 2008-12-05 reporter This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/35043 title PHP 5 < 5.2.7 Multiple Vulnerabilities NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2009-0337.NASL description From Red Hat Security Advisory 2009:0337 : Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap-based buffer overflow flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 67817 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67817 title Oracle Linux 3 / 4 : php (ELSA-2009-0337) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-021.NASL description A buffer overflow in the imageloadfont() function in PHP allowed context-dependent attackers to cause a denial of service (crash) and potentially execute arbitrary code via a crafted font file (CVE-2008-3658). A buffer overflow in the memnstr() function allowed context-dependent attackers to cause a denial of service (crash) and potentially execute arbitrary code via the delimiter argument to the explode() function (CVE-2008-3659). PHP, when used as a FastCGI module, allowed remote attackers to cause a denial of service (crash) via a request with multiple dots preceding the extension (CVE-2008-3660). An array index error in the imageRotate() function in PHP allowed context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument to the function for an indexed image (CVE-2008-5498). The updated packages have been patched to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 37701 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/37701 title Mandriva Linux Security Advisory : php (MDVSA-2009:021) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_27D01223C45711DDA7210030843D3802.NASL description Secunia reports : Some vulnerabilities have been reported in PHP, where some have an unknown impact and others can potentially be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. An input validation error exists within the last seen 2020-06-01 modified 2020-06-02 plugin id 35051 published 2008-12-08 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/35051 title FreeBSD : php -- multiple vulnerabilities (27d01223-c457-11dd-a721-0030843d3802) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-720-1.NASL description It was discovered that PHP did not properly enforce php_admin_value and php_admin_flag restrictions in the Apache configuration file. A local attacker could create a specially crafted PHP script that would bypass intended security restrictions. This issue only applied to Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2007-5900) It was discovered that PHP did not correctly handle certain malformed font files. If a PHP application were tricked into processing a specially crafted font file, an attacker may be able to cause a denial of service and possibly execute arbitrary code with application privileges. (CVE-2008-3658) It was discovered that PHP did not properly check the delimiter argument to the explode function. If a script passed untrusted input to the explode function, an attacker could cause a denial of service and possibly execute arbitrary code with application privileges. (CVE-2008-3659) It was discovered that PHP, when used as FastCGI module, did not properly sanitize requests. By performing a request with multiple dots preceding the extension, an attacker could cause a denial of service. (CVE-2008-3660) It was discovered that PHP did not properly handle Unicode conversion in the mbstring extension. If a PHP application were tricked into processing a specially crafted string containing an HTML entity, an attacker could execute arbitrary code with application privileges. (CVE-2008-5557) It was discovered that PHP did not properly initialize the page_uid and page_gid global variables for use by the SAPI php_getuid function. An attacker could exploit this issue to bypass safe_mode restrictions. (CVE-2008-5624) It was dicovered that PHP did not properly enforce error_log safe_mode restrictions when set by php_admin_flag in the Apache configuration file. A local attacker could create a specially crafted PHP script that would overwrite arbitrary files. (CVE-2008-5625) It was discovered that PHP contained a flaw in the ZipArchive::extractTo function. If a PHP application were tricked into processing a specially crafted zip file that had filenames containing last seen 2020-06-01 modified 2020-06-02 plugin id 36665 published 2009-04-23 reporter Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/36665 title Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : php5 vulnerabilities (USN-720-1) NASL family Scientific Linux Local Security Checks NASL id SL_20090406_PHP_ON_SL3_X.NASL description A heap-based buffer overflow flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 60561 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60561 title Scientific Linux Security Update : php on SL3.x, SL4.x, SL5.x i386/x86_64 NASL family SuSE Local Security Checks NASL id SUSE_11_0_APACHE2-MOD_PHP5-080820.NASL description CVE-2008-3658, CVE-2008-3659 and CVE-2008-3660 have been fixed in the php5 update. last seen 2020-06-01 modified 2020-06-02 plugin id 39913 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/39913 title openSUSE Security Update : apache2-mod_php5 (apache2-mod_php5-168) NASL family Fedora Local Security Checks NASL id FEDORA_2009-3848.NASL description Update to PHP 5.2.9 A heap-based buffer overflow flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 38957 published 2009-06-01 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/38957 title Fedora 9 : maniadrive-1.2-13.fc9 / php-5.2.9-2.fc9 (2009-3848) NASL family SuSE Local Security Checks NASL id SUSE_APACHE2-MOD_PHP5-5661.NASL description This update fixes some overflows in the gd extension and the memnstr() function that could crash php or even cause a buffer overflow (CVE-2008-3658 / CVE-2008-3659) In addition it fixes a bug in gd support. (bnc#411272) last seen 2020-06-01 modified 2020-06-02 plugin id 34429 published 2008-10-16 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/34429 title SuSE 10 Security Update : PHP5 (ZYPP Patch Number 5661) NASL family Fedora Local Security Checks NASL id FEDORA_2009-3768.NASL description Update to PHP 5.2.9 A heap-based buffer overflow flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 38956 published 2009-06-01 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/38956 title Fedora 10 : maniadrive-1.2-13.fc10 / php-5.2.9-2.fc10 (2009-3768) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2008-339-01.NASL description New php packages are available for Slackware 12.0, 12.1, and -current to fix security issues, as well as make improvements and fix bugs. last seen 2020-06-01 modified 2020-06-02 plugin id 35035 published 2008-12-05 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/35035 title Slackware 12.0 / 12.1 / current : php (SSA:2008-339-01) NASL family MacOS X Local Security Checks NASL id MACOSX_10_5_7.NASL description The remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.7. Mac OS X 10.5.7 contains security fixes for the following products : - Apache - ATS - BIND - CFNetwork - CoreGraphics - Cscope - CUPS - Disk Images - enscript - Flash Player plug-in - Help Viewer - iChat - International Components for Unicode - IPSec - Kerberos - Kernel - Launch Services - libxml - Net-SNMP - Network Time - Networking - OpenSSL - PHP - QuickDraw Manager - ruby - Safari - Spotlight - system_cmds - telnet - Terminal - WebKit - X11 last seen 2020-06-01 modified 2020-06-02 plugin id 38744 published 2009-05-13 reporter This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/38744 title Mac OS X 10.5.x < 10.5.7 Multiple Vulnerabilities NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2009-0337.NASL description Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap-based buffer overflow flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 36089 published 2009-04-07 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/36089 title CentOS 3 / 4 : php (CESA-2009:0337) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2009-0337.NASL description Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap-based buffer overflow flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 36097 published 2009-04-07 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/36097 title RHEL 3 / 4 : php (RHSA-2009:0337) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1647.NASL description Several vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-3658 Buffer overflow in the imageloadfont function allows a denial of service or code execution through a crafted font file. - CVE-2008-3659 Buffer overflow in the memnstr function allows a denial of service or code execution via a crafted delimiter parameter to the explode function. - CVE-2008-3660 Denial of service is possible in the FastCGI module by a remote attacker by making a request with multiple dots before the extension. last seen 2020-06-01 modified 2020-06-02 plugin id 34355 published 2008-10-07 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/34355 title Debian DSA-1647-1 : php5 - several vulnerabilities
Oval
| accepted | 2013-04-29T04:21:38.176-04:00 | ||||||||||||||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||||||||||||||
| contributors |
| ||||||||||||||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||||||||||||||
| description | Buffer overflow in the imageloadfont function in ext/gd/gd.c in PHP 4.4.x before 4.4.9 and PHP 5.2 before 5.2.6-r6 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file. | ||||||||||||||||||||||||||||||||
| family | unix | ||||||||||||||||||||||||||||||||
| id | oval:org.mitre.oval:def:9724 | ||||||||||||||||||||||||||||||||
| status | accepted | ||||||||||||||||||||||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||||||||||||||||||||||
| title | Buffer overflow in the imageloadfont function in ext/gd/gd.c in PHP 4.4.x before 4.4.9 and PHP 5.2 before 5.2.6-r6 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file. | ||||||||||||||||||||||||||||||||
| version | 27 |
Redhat
| advisories |
| ||||
| rpms |
|
Statements
| contributor | Joshua Bressers |
| lastmodified | 2009-04-07 |
| organization | Red Hat |
| statement | This issue has been addressed in the affected versions of PHP packages shipped in Red Hat Enterprise Linux via advisories listed on the following page: https://rhn.redhat.com/errata/CVE-2008-3658.html |
References
- http://bugs.gentoo.org/show_bug.cgi?id=234102
- http://bugs.gentoo.org/show_bug.cgi?id=234102
- http://lists.apple.com/archives/security-announce/2009/May/msg00002.html
- http://lists.apple.com/archives/security-announce/2009/May/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00006.html
- http://marc.info/?l=bugtraq&m=123376588623823&w=2
- http://marc.info/?l=bugtraq&m=123376588623823&w=2
- http://marc.info/?l=bugtraq&m=123376588623823&w=2
- http://marc.info/?l=bugtraq&m=123376588623823&w=2
- http://marc.info/?l=bugtraq&m=125631037611762&w=2
- http://marc.info/?l=bugtraq&m=125631037611762&w=2
- http://marc.info/?l=bugtraq&m=125631037611762&w=2
- http://marc.info/?l=bugtraq&m=125631037611762&w=2
- http://news.php.net/php.cvs/51219
- http://news.php.net/php.cvs/51219
- http://osvdb.org/47484
- http://osvdb.org/47484
- http://secunia.com/advisories/31982
- http://secunia.com/advisories/31982
- http://secunia.com/advisories/32148
- http://secunia.com/advisories/32148
- http://secunia.com/advisories/32316
- http://secunia.com/advisories/32316
- http://secunia.com/advisories/32746
- http://secunia.com/advisories/32746
- http://secunia.com/advisories/32884
- http://secunia.com/advisories/32884
- http://secunia.com/advisories/33797
- http://secunia.com/advisories/33797
- http://secunia.com/advisories/35074
- http://secunia.com/advisories/35074
- http://secunia.com/advisories/35306
- http://secunia.com/advisories/35306
- http://security.gentoo.org/glsa/glsa-200811-05.xml
- http://security.gentoo.org/glsa/glsa-200811-05.xml
- http://support.apple.com/kb/HT3549
- http://support.apple.com/kb/HT3549
- http://wiki.rpath.com/Advisories:rPSA-2009-0035
- http://wiki.rpath.com/Advisories:rPSA-2009-0035
- http://www.debian.org/security/2008/dsa-1647
- http://www.debian.org/security/2008/dsa-1647
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:021
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:021
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:022
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:022
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:023
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:023
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:024
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:024
- http://www.openwall.com/lists/oss-security/2008/08/08/2
- http://www.openwall.com/lists/oss-security/2008/08/08/2
- http://www.openwall.com/lists/oss-security/2008/08/13/8
- http://www.openwall.com/lists/oss-security/2008/08/13/8
- http://www.php.net/archive/2008.php#id2008-08-07-1
- http://www.php.net/archive/2008.php#id2008-08-07-1
- http://www.redhat.com/support/errata/RHSA-2009-0350.html
- http://www.redhat.com/support/errata/RHSA-2009-0350.html
- http://www.securityfocus.com/archive/1/498647/100/0/threaded
- http://www.securityfocus.com/archive/1/498647/100/0/threaded
- http://www.securityfocus.com/archive/1/498647/100/0/threaded
- http://www.securityfocus.com/archive/1/498647/100/0/threaded
- http://www.securityfocus.com/archive/1/501376/100/0/threaded
- http://www.securityfocus.com/archive/1/501376/100/0/threaded
- http://www.securityfocus.com/bid/30649
- http://www.securityfocus.com/bid/30649
- http://www.us-cert.gov/cas/techalerts/TA09-133A.html
- http://www.us-cert.gov/cas/techalerts/TA09-133A.html
- http://www.vupen.com/english/advisories/2008/2336
- http://www.vupen.com/english/advisories/2008/2336
- http://www.vupen.com/english/advisories/2008/3275
- http://www.vupen.com/english/advisories/2008/3275
- http://www.vupen.com/english/advisories/2009/0320
- http://www.vupen.com/english/advisories/2009/0320
- http://www.vupen.com/english/advisories/2009/1297
- http://www.vupen.com/english/advisories/2009/1297
- https://exchange.xforce.ibmcloud.com/vulnerabilities/44401
- https://exchange.xforce.ibmcloud.com/vulnerabilities/44401
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9724
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9724
- https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01451.html
- https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01451.html
- https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01465.html
- https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01465.html