CVE-2008-5557 - Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in PHP

CVSS 10.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: network, low complexity, php, CWE-119, critical, nessus

Summary

Heap-based buffer overflow in ext/mbstring/libmbfl/filters/mbfilter_htmlent.c in the mbstring extension in PHP 4.3.0 through 5.2.6 allows context-dependent attackers to execute arbitrary code via a crafted string containing an HTML entity, which is not properly handled during Unicode conversion, related to the (1) mb_convert_encoding, (2) mb_check_encoding, (3) mb_convert_variables, and (4) mb_parse_str functions.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2009-0338.NASL
    description: From Red Hat Security Advisory 2009:0338 : Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap-based buffer overflow flaw was found in PHP
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 67818
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/67818
    title: Oracle Linux 5 : php (ELSA-2009-0338)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2009:0338 and 
    # Oracle Linux Security Advisory ELSA-2009-0338 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(67818);
      script_version("1.12");
      script_cvs_date("Date: 2019/10/25 13:36:07");
    
      script_cve_id("CVE-2008-3658", "CVE-2008-3660", "CVE-2008-5498", "CVE-2008-5557", "CVE-2008-5814", "CVE-2009-0754");
      script_bugtraq_id(30649, 31612, 32948, 33002, 33542);
      script_xref(name:"RHSA", value:"2009:0338");
    
      script_name(english:"Oracle Linux 5 : php (ELSA-2009-0338)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2009:0338 :
    
    Updated php packages that fix several security issues are now
    available for Red Hat Enterprise Linux 5.
    
    This update has been rated as having moderate security impact by the
    Red Hat Security Response Team.
    
    PHP is an HTML-embedded scripting language commonly used with the
    Apache HTTP Web server.
    
    A heap-based buffer overflow flaw was found in PHP's mbstring
    extension. A remote attacker able to pass arbitrary input to a PHP
    script using mbstring conversion functions could cause the PHP
    interpreter to crash or, possibly, execute arbitrary code.
    (CVE-2008-5557)
    
    A flaw was found in the handling of the 'mbstring.func_overload'
    configuration setting. A value set for one virtual host, or in a
    user's .htaccess file, was incorrectly applied to other virtual hosts
    on the same server, causing the handling of multibyte character
    strings to not work correctly. (CVE-2009-0754)
    
    A buffer overflow flaw was found in PHP's imageloadfont function. If a
    PHP script allowed a remote attacker to load a carefully crafted font
    file, it could cause the PHP interpreter to crash or, possibly,
    execute arbitrary code. (CVE-2008-3658)
    
    A flaw was found in the way PHP handled certain file extensions when
    running in FastCGI mode. If the PHP interpreter was being executed via
    FastCGI, a remote attacker could create a request which would cause
    the PHP interpreter to crash. (CVE-2008-3660)
    
    A memory disclosure flaw was found in the PHP gd extension's
    imagerotate function. A remote attacker able to pass arbitrary values
    as the 'background color' argument of the function could, possibly,
    view portions of the PHP interpreter's memory. (CVE-2008-5498)
    
    A cross-site scripting flaw was found in a way PHP reported errors for
    invalid cookies. If the PHP interpreter had 'display_errors' enabled,
    a remote attacker able to set a specially crafted cookie on a victim's
    system could possibly inject arbitrary HTML into an error message
    generated by PHP. (CVE-2008-5814)
    
    All php users are advised to upgrade to these updated packages, which
    contain backported patches to resolve these issues. The httpd web
    server must be restarted for the changes to take effect."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2009-April/000949.html"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected php packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(20, 79, 119, 134, 200);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-bcmath");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-cli");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-dba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-gd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-imap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-mbstring");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-ncurses");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-odbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-pdo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-pgsql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-snmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-soap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-xml");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php-xmlrpc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/08/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/04/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 5", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL5", reference:"php-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"EL5", reference:"php-bcmath-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"EL5", reference:"php-cli-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"EL5", reference:"php-common-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"EL5", reference:"php-dba-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"EL5", reference:"php-devel-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"EL5", reference:"php-gd-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"EL5", reference:"php-imap-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"EL5", reference:"php-ldap-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"EL5", reference:"php-mbstring-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"EL5", reference:"php-mysql-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"EL5", reference:"php-ncurses-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"EL5", reference:"php-odbc-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"EL5", reference:"php-pdo-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"EL5", reference:"php-pgsql-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"EL5", reference:"php-snmp-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"EL5", reference:"php-soap-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"EL5", reference:"php-xml-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"EL5", reference:"php-xmlrpc-5.1.6-23.2.el5_3")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php / php-bcmath / php-cli / php-common / php-dba / php-devel / etc");
    }
    
  • NASL family: Web Servers
    NASL id: HPSMH_6_0_0_95.NASL
    description: According to its self-reported version number, the HP System Management Homepage install on the remote host is earlier than 6.0.0.96 / 6.0.0-95. Such versions are potentially affected by the following vulnerabilities : - A cross-site scripting (XSS) vulnerability due to a failure to sanitize UTF-7 encoded input. Browsers are only affected if encoding is set to auto-select. (CVE-2008-1468) - An integer overflow in the libxml2 library that can result in a heap overflow. (CVE-2008-4226) - A buffer overflow in the PHP mbstring extension. (CVE-2008-5557) - An unspecified XSS in PHP when
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 46015
    published: 2010-04-27
    reporter: This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/46015
    title: HP System Management Homepage < 6.0.0.96 / 6.0.0-95 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(46015);
      script_version("1.23");
      script_cvs_date("Date: 2018/11/15 20:50:25");
    
      script_cve_id(
        "CVE-2008-1468",
        "CVE-2008-4226",
        "CVE-2008-5557",
        "CVE-2008-5814",
        "CVE-2009-1377",
        "CVE-2009-1378",
        "CVE-2009-1379",
        "CVE-2009-1386",
        "CVE-2009-1387",
        "CVE-2010-1034",
        "CVE-2009-4185"
      );
      script_bugtraq_id(
        28380,
        32326,
        32948,
        35001,
        35138,
        35174,
        35417,
        38081,
        39632
      );
      script_xref(name:"Secunia", value:"38341");
    
      script_name(english:"HP System Management Homepage < 6.0.0.96 / 6.0.0-95 Multiple Vulnerabilities");
      script_summary(english:"Does a banner check");
    
      script_set_attribute(attribute:"synopsis", value:"The remote web server has multiple vulnerabilities.");
      script_set_attribute(
        attribute:"description",
        value:
    "According to its self-reported version number, the HP System
    Management Homepage install on the remote host is earlier than
    6.0.0.96 / 6.0.0-95.  Such versions are potentially affected by the
    following vulnerabilities :
    
      - A cross-site scripting (XSS) vulnerability due to a
        failure to sanitize UTF-7 encoded input.  Browsers are
        only affected if encoding is set to auto-select.
        (CVE-2008-1468)
    
      - An integer overflow in the libxml2 library that can
        result in a heap overflow. (CVE-2008-4226)
    
      - A buffer overflow in the PHP mbstring extension.
        (CVE-2008-5557)
    
      - An unspecified XSS in PHP when 'display_errors' is
        enabled. (CVE-2008-5814)
    
      - Multiple denial of service vulnerabilities in OpenSSL
        DTLS. (CVE-2009-1377, CVE-2009-1378, CVE-2009-1379,
        CVE-2009-1386, CVE-2009-1387)
    
      - A cross-site scripting vulnerability due to a failure
        to sanitize input to the 'servercert' parameter of
        '/proxy/smhu/getuiinfo'.  (CVE-2009-4185)
    
      - An unspecified vulnerability that could allow an
        attacker to access sensitive information, modify data,
        or cause a denial of service. (CVE-2010-1034)"
      );
      # https://web.archive.org/web/20100611001622/http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-15
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?857eff38"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://seclists.org/bugtraq/2010/Apr/205"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://seclists.org/bugtraq/2010/Feb/47"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?2eb58026"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?205d52bb"
      );
      script_set_attribute(
        attribute:"solution",
        value:
    "Upgrade to HP System Management Homepage 6.0.0.96 (Windows) /
    6.0.0-95 (Linux) or later."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(79, 119, 399);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/03/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/11/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/04/27");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:system_management_homepage");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Web Servers");
    
      script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");
    
      script_dependencies("compaq_wbem_detect.nasl");
      script_require_keys("www/hp_smh");
      script_require_ports("Services/www", 2301, 2381);
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("webapp_func.inc");
    
    
    port = get_http_port(default:2381, embedded:TRUE);
    
    
    install = get_install_from_kb(appname:'hp_smh', port:port, exit_on_fail:TRUE);
    dir = install['dir'];
    version = install['ver'];
    prod = get_kb_item_or_exit("www/"+port+"/hp_smh/variant");
    if (version == UNKNOWN_VER)
      exit(1, 'The version of '+prod+' installed at '+build_url(port:port, qs:dir+"/")+' is unknown.');
    
    # nb: 'version' can have non-numeric characters in it so we'll create
    #     an alternate form and make sure that's safe for use in 'ver_compare()'.
    version_alt = ereg_replace(pattern:"[_-]", replace:".", string:version);
    if (!ereg(pattern:"^[0-9][0-9.]+$", string:version_alt))
      exit(1, 'The version of '+prod+' installed at '+build_url(port:port, qs:dir+"/")+' does not look valid ('+version+').');
    
    # technically 6.0.0.95 is the fix for Linux and 6.0.0.96 is the fix for
    # Windows, but there is no way to infer OS from the banner. since there
    # is no 6.0.0.95 publicly released for Windows, this check should be
    # Good Enough
    fixed_version = '6.0.0.95';
    if (ver_compare(ver:version_alt, fix:fixed_version, strict:FALSE) == -1)
    {
      if (report_verbosity > 0)
      {
        source_line = get_kb_item("www/"+port+"/hp_smh/source");
    
        report = '\n  Product           : ' + prod;
        if (!isnull(source_line))
          report += '\n  Version source    : ' + source_line;
        report +=
          '\n  Installed version : ' + version +
          '\n  Fixed version     : 6.0.0.96 (Windows) / 6.0.0-95 (Linux)\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
    
      exit(0);
    }
    else exit(0, prod+" "+version+" is listening on port "+port+" and is not affected.");
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201001-03.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201001-03 (PHP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below and the associated PHP release notes for details. Impact : A context-dependent attacker could execute arbitrary code via a specially crafted string containing an HTML entity when the mbstring extension is enabled. Furthermore a remote attacker could execute arbitrary code via a specially crafted GD graphics file. A remote attacker could also cause a Denial of Service via a malformed string passed to the json_decode() function, via a specially crafted ZIP file passed to the php_zip_make_relative_path() function, via a malformed JPEG image passed to the exif_read_data() function, or via temporary file exhaustion. It is also possible for an attacker to spoof certificates, bypass various safe_mode and open_basedir restrictions when certain criteria are met, perform Cross-site scripting attacks, more easily perform SQL injection attacks, manipulate settings of other virtual hosts on the same server via a malicious .htaccess entry when running on Apache, disclose memory portions, and write arbitrary files via a specially crafted ZIP archive. Some vulnerabilities with unknown impact and attack vectors have been reported as well. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 44892
    published: 2010-02-25
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/44892
    title: GLSA-201001-03 : PHP: Multiple vulnerabilities
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201001-03.
    #
    # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(44892);
      script_version("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:45");
    
      script_cve_id("CVE-2008-5498", "CVE-2008-5514", "CVE-2008-5557", "CVE-2008-5624", "CVE-2008-5625", "CVE-2008-5658", "CVE-2008-5814", "CVE-2008-5844", "CVE-2008-7002", "CVE-2009-0754", "CVE-2009-1271", "CVE-2009-1272", "CVE-2009-2626", "CVE-2009-2687", "CVE-2009-3291", "CVE-2009-3292", "CVE-2009-3293", "CVE-2009-3546", "CVE-2009-3557", "CVE-2009-3558", "CVE-2009-4017", "CVE-2009-4142", "CVE-2009-4143");
      script_bugtraq_id(32625, 32948, 32958, 33002, 33542, 35440, 36449, 36712, 37079, 37390);
      script_xref(name:"GLSA", value:"201001-03");
    
      script_name(english:"GLSA-201001-03 : PHP: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201001-03
    (PHP: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been discovered in PHP. Please review the
        CVE identifiers referenced below and the associated PHP release notes
        for details.
      
    Impact :
    
        A context-dependent attacker could execute arbitrary code via a
        specially crafted string containing an HTML entity when the mbstring
        extension is enabled. Furthermore a remote attacker could execute
        arbitrary code via a specially crafted GD graphics file.
        A remote attacker could also cause a Denial of Service via a malformed
        string passed to the json_decode() function, via a specially crafted
        ZIP file passed to the php_zip_make_relative_path() function, via a
        malformed JPEG image passed to the exif_read_data() function, or via
        temporary file exhaustion. It is also possible for an attacker to spoof
        certificates, bypass various safe_mode and open_basedir restrictions
        when certain criteria are met, perform Cross-site scripting attacks,
        more easily perform SQL injection attacks, manipulate settings of other
        virtual hosts on the same server via a malicious .htaccess entry when
        running on Apache, disclose memory portions, and write arbitrary files
        via a specially crafted ZIP archive. Some vulnerabilities with unknown
        impact and attack vectors have been reported as well.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200911-03"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201001-03"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All PHP users should upgrade to the latest version. As PHP is
        statically linked against a vulnerable version of the c-client library
        when the imap or kolab USE flag is enabled (GLSA 200911-03), users
        should upgrade net-libs/c-client beforehand:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=net-libs/c-client-2007e'
        # emerge --ask --oneshot --verbose '>=dev-lang/php-5.2.12'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(16, 20, 22, 79, 119, 134, 200, 264);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:php");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/01/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/25");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"dev-lang/php", unaffected:make_list("ge 5.2.12"), vulnerable:make_list("lt 5.2.12"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "PHP");
    }
    
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2009-0338.NASL
    description: Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap-based buffer overflow flaw was found in PHP
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 43732
    published: 2010-01-06
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/43732
    title: CentOS 5 : php (CESA-2009:0338)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2009:0338 and 
    # CentOS Errata and Security Advisory 2009:0338 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(43732);
      script_version("1.18");
      script_cvs_date("Date: 2019/10/25 13:36:04");
    
      script_cve_id("CVE-2008-3658", "CVE-2008-3660", "CVE-2008-5498", "CVE-2008-5557", "CVE-2008-5814", "CVE-2009-0754");
      script_bugtraq_id(30649, 31612, 32948, 33002, 33542);
      script_xref(name:"RHSA", value:"2009:0338");
    
      script_name(english:"CentOS 5 : php (CESA-2009:0338)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated php packages that fix several security issues are now
    available for Red Hat Enterprise Linux 5.
    
    This update has been rated as having moderate security impact by the
    Red Hat Security Response Team.
    
    PHP is an HTML-embedded scripting language commonly used with the
    Apache HTTP Web server.
    
    A heap-based buffer overflow flaw was found in PHP's mbstring
    extension. A remote attacker able to pass arbitrary input to a PHP
    script using mbstring conversion functions could cause the PHP
    interpreter to crash or, possibly, execute arbitrary code.
    (CVE-2008-5557)
    
    A flaw was found in the handling of the 'mbstring.func_overload'
    configuration setting. A value set for one virtual host, or in a
    user's .htaccess file, was incorrectly applied to other virtual hosts
    on the same server, causing the handling of multibyte character
    strings to not work correctly. (CVE-2009-0754)
    
    A buffer overflow flaw was found in PHP's imageloadfont function. If a
    PHP script allowed a remote attacker to load a carefully crafted font
    file, it could cause the PHP interpreter to crash or, possibly,
    execute arbitrary code. (CVE-2008-3658)
    
    A flaw was found in the way PHP handled certain file extensions when
    running in FastCGI mode. If the PHP interpreter was being executed via
    FastCGI, a remote attacker could create a request which would cause
    the PHP interpreter to crash. (CVE-2008-3660)
    
    A memory disclosure flaw was found in the PHP gd extension's
    imagerotate function. A remote attacker able to pass arbitrary values
    as the 'background color' argument of the function could, possibly,
    view portions of the PHP interpreter's memory. (CVE-2008-5498)
    
    A cross-site scripting flaw was found in a way PHP reported errors for
    invalid cookies. If the PHP interpreter had 'display_errors' enabled,
    a remote attacker able to set a specially crafted cookie on a victim's
    system could possibly inject arbitrary HTML into an error message
    generated by PHP. (CVE-2008-5814)
    
    All php users are advised to upgrade to these updated packages, which
    contain backported patches to resolve these issues. The httpd web
    server must be restarted for the changes to take effect."
      );
      # https://lists.centos.org/pipermail/centos-announce/2009-April/015724.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?607ae89b"
      );
      # https://lists.centos.org/pipermail/centos-announce/2009-April/015725.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?6d2cb33c"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected php packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(20, 79, 119, 134, 200);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-bcmath");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-cli");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-dba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-gd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-imap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-mbstring");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-ncurses");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-odbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-pdo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-pgsql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-snmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-soap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-xml");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:php-xmlrpc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/08/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/04/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/01/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 5.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-5", reference:"php-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"php-bcmath-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"php-cli-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"php-common-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"php-dba-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"php-devel-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"php-gd-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"php-imap-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"php-ldap-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"php-mbstring-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"php-mysql-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"php-ncurses-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"php-odbc-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"php-pdo-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"php-pgsql-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"php-snmp-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"php-soap-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"php-xml-5.1.6-23.2.el5_3")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"php-xmlrpc-5.1.6-23.2.el5_3")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php / php-bcmath / php-cli / php-common / php-dba / php-devel / etc");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_0_APACHE2-MOD_PHP5-090114.NASL
    description: This update of php5 fixes a directory traversal bug in ZipArchive (CVE-2008-5658) and a buffer overflow in the mbstring extension (CVE-2008-5557).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 39915
    published: 2009-07-21
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/39915
    title: openSUSE Security Update : apache2-mod_php5 (apache2-mod_php5-441)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update apache2-mod_php5-441.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(39915);
      script_version("1.11");
      script_cvs_date("Date: 2019/10/25 13:36:33");
    
      script_cve_id("CVE-2008-5557", "CVE-2008-5658");
    
      script_name(english:"openSUSE Security Update : apache2-mod_php5 (apache2-mod_php5-441)");
      script_summary(english:"Check for the apache2-mod_php5-441 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update of php5 fixes a directory traversal bug in ZipArchive
    (CVE-2008-5658) and a buffer overflow in the mstring extension
    (CVE-2008-5557)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=462499"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=464048"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected apache2-mod_php5 packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_cwe_id(22, 119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-mod_php5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-bcmath");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-bz2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-calendar");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-ctype");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-curl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-dba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-dbase");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-dom");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-exif");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-fastcgi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-ftp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-gd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-gettext");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-gmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-hash");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-iconv");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-imap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-json");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mbstring");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mcrypt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-ncurses");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-odbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-openssl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pcntl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pdo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pear");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pgsql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-posix");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pspell");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-readline");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-shmop");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-snmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-soap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sockets");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sqlite");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-suhosin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sysvmsg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sysvsem");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sysvshm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-tidy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-tokenizer");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-wddx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xmlreader");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xmlrpc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xmlwriter");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xsl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-zip");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-zlib");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/01/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/21");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE11\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.0", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE11.0", reference:"apache2-mod_php5-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-bcmath-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-bz2-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-calendar-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-ctype-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-curl-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-dba-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-dbase-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-devel-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-dom-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-exif-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-fastcgi-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-ftp-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-gd-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-gettext-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-gmp-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-hash-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-iconv-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-imap-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-json-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-ldap-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-mbstring-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-mcrypt-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-mysql-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-ncurses-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-odbc-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-openssl-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-pcntl-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-pdo-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-pear-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-pgsql-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-posix-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-pspell-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-readline-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-shmop-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-snmp-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-soap-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-sockets-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-sqlite-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-suhosin-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-sysvmsg-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-sysvsem-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-sysvshm-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-tidy-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-tokenizer-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-wddx-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-xmlreader-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-xmlrpc-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-xmlwriter-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-xsl-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-zip-5.2.6-0.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"php5-zlib-5.2.6-0.8") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php5");
    }
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_A2074AC6124C11DEA9640030843D3802.NASL
    description: SecurityFocus reports : PHP is prone to a buffer-overflow vulnerability because it fails to perform boundary checks before copying user-supplied data to insufficiently sized memory buffers. The issue affects the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 35939
    published: 2009-03-17
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/35939
    title: FreeBSD : php-mbstring -- php mbstring buffer overflow vulnerability (a2074ac6-124c-11de-a964-0030843d3802)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(35939);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:40");
    
      script_cve_id("CVE-2008-5557");
      script_bugtraq_id(32948);
    
      script_name(english:"FreeBSD : php-mbstring -- php mbstring buffer overflow vulnerability (a2074ac6-124c-11de-a964-0030843d3802)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "SecurityFocus reports :
    
    PHP is prone to a buffer-overflow vulnerability because it fails to
    perform boundary checks before copying user-supplied data to
    insufficiently sized memory buffers. The issue affects the 'mbstring'
    extension included in the standard distribution.
    
    An attacker can exploit this issue to execute arbitrary machine code
    in the context of the affected webserver. Failed exploit attempts will
    likely crash the webserver, denying service to legitimate users."
      );
      # https://vuxml.freebsd.org/freebsd/a2074ac6-124c-11de-a964-0030843d3802.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?cd22ac13"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:php4-mbstring");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:php5-mbstring");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/12/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/03/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/03/17");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"php4-mbstring<4.4.9")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"php5-mbstring<5.2.9")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2009-0338.NASL
    description: Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap-based buffer overflow flaw was found in PHP
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 36098
    published: 2009-04-07
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/36098
    title: RHEL 5 : php (RHSA-2009:0338)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2009:0338. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(36098);
      script_version ("1.26");
      script_cvs_date("Date: 2019/10/25 13:36:14");
    
      script_cve_id("CVE-2008-3658", "CVE-2008-3660", "CVE-2008-5498", "CVE-2008-5557", "CVE-2008-5814", "CVE-2009-0754");
      script_bugtraq_id(30649, 31612, 32948, 33002, 33542);
      script_xref(name:"RHSA", value:"2009:0338");
    
      script_name(english:"RHEL 5 : php (RHSA-2009:0338)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated php packages that fix several security issues are now
    available for Red Hat Enterprise Linux 5.
    
    This update has been rated as having moderate security impact by the
    Red Hat Security Response Team.
    
    PHP is an HTML-embedded scripting language commonly used with the
    Apache HTTP Web server.
    
    A heap-based buffer overflow flaw was found in PHP's mbstring
    extension. A remote attacker able to pass arbitrary input to a PHP
    script using mbstring conversion functions could cause the PHP
    interpreter to crash or, possibly, execute arbitrary code.
    (CVE-2008-5557)
    
    A flaw was found in the handling of the 'mbstring.func_overload'
    configuration setting. A value set for one virtual host, or in a
    user's .htaccess file, was incorrectly applied to other virtual hosts
    on the same server, causing the handling of multibyte character
    strings to not work correctly. (CVE-2009-0754)
    
    A buffer overflow flaw was found in PHP's imageloadfont function. If a
    PHP script allowed a remote attacker to load a carefully crafted font
    file, it could cause the PHP interpreter to crash or, possibly,
    execute arbitrary code. (CVE-2008-3658)
    
    A flaw was found in the way PHP handled certain file extensions when
    running in FastCGI mode. If the PHP interpreter was being executed via
    FastCGI, a remote attacker could create a request which would cause
    the PHP interpreter to crash. (CVE-2008-3660)
    
    A memory disclosure flaw was found in the PHP gd extension's
    imagerotate function. A remote attacker able to pass arbitrary values
    as the 'background color' argument of the function could, possibly,
    view portions of the PHP interpreter's memory. (CVE-2008-5498)
    
    A cross-site scripting flaw was found in a way PHP reported errors for
    invalid cookies. If the PHP interpreter had 'display_errors' enabled,
    a remote attacker able to set a specially crafted cookie on a victim's
    system could possibly inject arbitrary HTML into an error message
    generated by PHP. (CVE-2008-5814)
    
    All php users are advised to upgrade to these updated packages, which
    contain backported patches to resolve these issues. The httpd web
    server must be restarted for the changes to take effect."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2008-3658"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2008-3660"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2008-5498"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2008-5557"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2008-5814"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2009-0754"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2009:0338"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(20, 79, 119, 134, 200);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-bcmath");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-cli");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-dba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-gd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-imap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-mbstring");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-ncurses");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-odbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-pdo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-pgsql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-snmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-soap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-xml");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-xmlrpc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5.3");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/08/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/04/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/07");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2009:0338";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-bcmath-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-bcmath-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-bcmath-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-cli-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-cli-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-cli-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-common-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-common-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-common-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-dba-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-dba-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-dba-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-devel-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-devel-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-devel-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-gd-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-gd-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-gd-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-imap-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-imap-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-imap-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-ldap-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-ldap-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-ldap-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-mbstring-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-mbstring-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-mbstring-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-mysql-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-mysql-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-mysql-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-ncurses-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-ncurses-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-ncurses-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-odbc-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-odbc-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-odbc-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-pdo-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-pdo-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-pdo-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-pgsql-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-pgsql-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-pgsql-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-snmp-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-snmp-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-snmp-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-soap-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-soap-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-soap-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-xml-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-xml-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-xml-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-xmlrpc-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-xmlrpc-5.1.6-23.2.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-xmlrpc-5.1.6-23.2.el5_3")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php / php-bcmath / php-cli / php-common / php-dba / php-devel / etc");
      }
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE9_12382.NASL
    description: Specially crafted strings could trigger a heap-based buffer overflow in the php mbstring extension. Attackers could potentially exploit that to execute arbitrary code. (CVE-2008-5557)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 41287
    published: 2009-09-24
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/41287
    title: SuSE9 Security Update : PHP4 (YOU Patch Number 12382)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(41287);
      script_version("1.7");
      script_cvs_date("Date: 2019/10/25 13:36:33");
    
      script_cve_id("CVE-2008-5557");
    
      script_name(english:"SuSE9 Security Update : PHP4 (YOU Patch Number 12382)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 9 host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Specially crafted strings could trigger a heap-based buffer overflow
    in the php mbstring extension. Attackers could potentially exploit that
    to execute arbitrary code. (CVE-2008-5557)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2008-5557.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply YOU patch number 12382.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/03/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
    if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 9 on the '"+cpu+"' architecture have not been implemented.");
    
    
    flag = 0;
    if (rpm_check(release:"SUSE9", reference:"apache-mod_php4-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"apache2-mod_php4-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"mod_php4-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"mod_php4-apache2-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"mod_php4-core-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"mod_php4-servlet-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-bcmath-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-bz2-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-calendar-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-ctype-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-curl-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-dba-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-dbase-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-devel-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-domxml-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-exif-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-fastcgi-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-filepro-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-ftp-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-gd-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-gettext-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-gmp-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-imap-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-ldap-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-mbstring-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-mcal-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-mcrypt-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-mhash-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-mime_magic-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-mysql-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-pear-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-pgsql-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-qtdom-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-readline-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-recode-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-servlet-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-session-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-shmop-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-snmp-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-sockets-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-sysvsem-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-sysvshm-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-unixODBC-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-wddx-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-xslt-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-yp-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", reference:"php4-zlib-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", cpu:"i586", reference:"php4-iconv-4.3.4-43.91")) flag++;
    if (rpm_check(release:"SUSE9", cpu:"i586", reference:"php4-swf-4.3.4-43.91")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else exit(0, "The host is not affected.");
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_APACHE2-MOD_PHP5-5909.NASL
    description: This update of php5 fixes a directory traversal bug in ZipArchive (CVE-2008-5658) and a buffer overflow in the mbstring extension. (CVE-2008-5557)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 41475
    published: 2009-09-24
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/41475
    title: SuSE 10 Security Update : PHP5 (ZYPP Patch Number 5909)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(41475);
      script_version ("1.11");
      script_cvs_date("Date: 2019/10/25 13:36:36");
    
      script_cve_id("CVE-2008-5557", "CVE-2008-5658");
    
      script_name(english:"SuSE 10 Security Update : PHP5 (ZYPP Patch Number 5909)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 10 host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update of php5 fixes a directory traversal bug in ZipArchive
    (CVE-2008-5658) and a buffer overflow in the mbstring extension.
    (CVE-2008-5557)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2008-5557.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2008-5658.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 5909.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_cwe_id(22, 119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/01/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
    if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");
    
    
    flag = 0;
    if (rpm_check(release:"SLES10", sp:2, reference:"apache2-mod_php5-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-bcmath-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-bz2-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-calendar-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-ctype-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-curl-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-dba-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-dbase-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-devel-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-dom-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-exif-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-fastcgi-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-ftp-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-gd-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-gettext-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-gmp-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-iconv-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-imap-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-json-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-ldap-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-mbstring-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-mcrypt-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-mhash-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-mysql-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-ncurses-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-odbc-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-openssl-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-pcntl-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-pdo-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-pear-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-pgsql-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-posix-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-pspell-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-shmop-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-snmp-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-soap-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-sockets-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-sqlite-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-suhosin-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-sysvmsg-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-sysvsem-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-sysvshm-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-tokenizer-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-wddx-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-xmlreader-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-xmlrpc-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-xsl-5.2.5-9.12")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"php5-zlib-5.2.5-9.12")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else exit(0, "The host is not affected.");
    
  • NASL family: CGI abuses
    NASL id: PHP_5_2_7.NASL
    description: According to its banner, the version of PHP installed on the remote host is prior to 5.2.7. It is, therefore, affected by multiple vulnerabilities : - There is a buffer overflow flaw in the bundled PCRE library that allows a denial of service attack. (CVE-2008-2371) - Multiple directory traversal vulnerabilities exist in functions such as
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 35043
    published: 2008-12-05
    reporter: This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/35043
    title: PHP 5 < 5.2.7 Multiple Vulnerabilities
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_APACHE2-MOD_PHP5-5934.NASL
    description: This update of php5 fixes a directory traversal bug in ZipArchive (CVE-2008-5658) and a buffer overflow in the mbstring extension (CVE-2008-5557).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 35606
    published: 2009-02-06
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/35606
    title: openSUSE 10 Security Update : apache2-mod_php5 (apache2-mod_php5-5934)
  • NASL family: F5 Networks Local Security Checks
    NASL id: F5_BIGIP_SOL9761.NASL
    description: A heap-based buffer overflow in PHP 4.3.0 through 5.2.6 may allow attackers to execute arbitrary code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 78229
    published: 2014-10-10
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/78229
    title: F5 Networks BIG-IP : PHP vulnerability (SOL9761)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_1_APACHE2-MOD_PHP5-090119.NASL
    description: This update of php5 fixes a directory traversal bug in ZipArchive (CVE-2008-5658) and a buffer overflow in the mbstring extension (CVE-2008-5557).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 40186
    published: 2009-07-21
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/40186
    title: openSUSE Security Update : apache2-mod_php5 (apache2-mod_php5-441)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1789.NASL
    description: Several remote vulnerabilities have been discovered in the PHP 5 hypertext preprocessor. The Common Vulnerabilities and Exposures project identifies the following problems. The following four vulnerabilities have already been fixed in the stable (lenny) version of php5 prior to the release of lenny. This update now addresses them for etch (oldstable) as well : - CVE-2008-2107 / CVE-2008-2108 The GENERATE_SEED macro has several problems that make predicting generated random numbers easier, facilitating attacks against measures that use rand() or mt_rand() as part of a protection. - CVE-2008-5557 A buffer overflow in the mbstring extension allows attackers to execute arbitrary code via a crafted string containing an HTML entity. - CVE-2008-5624 The page_uid and page_gid variables are not correctly set, allowing use of some functionality intended to be restricted to root. - CVE-2008-5658 Directory traversal vulnerability in the ZipArchive::extractTo function allows attackers to write arbitrary files via a ZIP file with a file whose name contains .. (dot dot) sequences. This update also addresses the following three vulnerabilities for both oldstable (etch) and stable (lenny) : - CVE-2008-5814 Cross-site scripting (XSS) vulnerability, when display_errors is enabled, allows remote attackers to inject arbitrary web script or HTML. - CVE-2009-0754 When running on Apache, PHP allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within .htaccess, which causes this setting to be applied to other virtual hosts on the same server. - CVE-2009-1271 The JSON_parser function allows a denial of service (segmentation fault) via a malformed string to the json_decode API function. Furthermore, two updates originally scheduled for the next point update for oldstable are included in the etch package : - Let PHP use the system timezone database instead of the embedded timezone database which is out of date. - From the source tarball, the unused
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 38691
    published: 2009-05-06
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/38691
    title: Debian DSA-1789-1 : php5 - several vulnerabilities
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2009-0337.NASL
    description: From Red Hat Security Advisory 2009:0337 : Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap-based buffer overflow flaw was found in PHP
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 67817
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/67817
    title: Oracle Linux 3 / 4 : php (ELSA-2009-0337)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-720-1.NASL
    description: It was discovered that PHP did not properly enforce php_admin_value and php_admin_flag restrictions in the Apache configuration file. A local attacker could create a specially crafted PHP script that would bypass intended security restrictions. This issue only applied to Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2007-5900) It was discovered that PHP did not correctly handle certain malformed font files. If a PHP application were tricked into processing a specially crafted font file, an attacker may be able to cause a denial of service and possibly execute arbitrary code with application privileges. (CVE-2008-3658) It was discovered that PHP did not properly check the delimiter argument to the explode function. If a script passed untrusted input to the explode function, an attacker could cause a denial of service and possibly execute arbitrary code with application privileges. (CVE-2008-3659) It was discovered that PHP, when used as FastCGI module, did not properly sanitize requests. By performing a request with multiple dots preceding the extension, an attacker could cause a denial of service. (CVE-2008-3660) It was discovered that PHP did not properly handle Unicode conversion in the mbstring extension. If a PHP application were tricked into processing a specially crafted string containing an HTML entity, an attacker could execute arbitrary code with application privileges. (CVE-2008-5557) It was discovered that PHP did not properly initialize the page_uid and page_gid global variables for use by the SAPI php_getuid function. An attacker could exploit this issue to bypass safe_mode restrictions. (CVE-2008-5624) It was discovered that PHP did not properly enforce error_log safe_mode restrictions when set by php_admin_flag in the Apache configuration file. A local attacker could create a specially crafted PHP script that would overwrite arbitrary files. (CVE-2008-5625) It was discovered that PHP contained a flaw in the ZipArchive::extractTo function. If a PHP application were tricked into processing a specially crafted zip file that had filenames containing
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 36665
    published: 2009-04-23
    reporter: Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/36665
    title: Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : php5 vulnerabilities (USN-720-1)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20090406_PHP_ON_SL3_X.NASL
    descriptionA heap-based buffer overflow flaw was found in PHP
    last seen2020-06-01
    modified2020-06-02
    plugin id60561
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60561
    titleScientific Linux Security Update : php on SL3.x, SL4.x, SL5.x i386/x86_64
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2009-3848.NASL
    descriptionUpdate to PHP 5.2.9 A heap-based buffer overflow flaw was found in PHP
    last seen2020-06-01
    modified2020-06-02
    plugin id38957
    published2009-06-01
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/38957
    titleFedora 9 : maniadrive-1.2-13.fc9 / php-5.2.9-2.fc9 (2009-3848)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2009-3768.NASL
    descriptionUpdate to PHP 5.2.9 A heap-based buffer overflow flaw was found in PHP
    last seen2020-06-01
    modified2020-06-02
    plugin id38956
    published2009-06-01
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/38956
    titleFedora 10 : maniadrive-1.2-13.fc10 / php-5.2.9-2.fc10 (2009-3768)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_10_5_7.NASL
    descriptionThe remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.7. Mac OS X 10.5.7 contains security fixes for the following products : - Apache - ATS - BIND - CFNetwork - CoreGraphics - Cscope - CUPS - Disk Images - enscript - Flash Player plug-in - Help Viewer - iChat - International Components for Unicode - IPSec - Kerberos - Kernel - Launch Services - libxml - Net-SNMP - Network Time - Networking - OpenSSL - PHP - QuickDraw Manager - ruby - Safari - Spotlight - system_cmds - telnet - Terminal - WebKit - X11
    last seen2020-06-01
    modified2020-06-02
    plugin id38744
    published2009-05-13
    reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/38744
    titleMac OS X 10.5.x < 10.5.7 Multiple Vulnerabilities
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2009-0337.NASL
    descriptionUpdated php packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap-based buffer overflow flaw was found in PHP
    last seen2020-06-01
    modified2020-06-02
    plugin id36089
    published2009-04-07
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/36089
    titleCentOS 3 / 4 : php (CESA-2009:0337)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2009-045.NASL
    descriptionA number of vulnerabilities have been found and corrected in PHP : improve mbfl_filt_conv_html_dec_flush() error handling in ext/mbstring/libmbfl/filters/mbfilter_htmlent.c (CVE-2008-5557). Additionally on Mandriva Linux 2009.0 and up the php-mbstring module is linked against a separate shared libmbfl library that also have been patched to address CVE-2008-5557. Directory traversal vulnerability in the ZipArchive::extractTo function in PHP 5.2.6 and earlier allows context-dependent attackers to write arbitrary files via a ZIP file with a file whose name contains .. (dot dot) sequences. (CVE-2008-5658) make sure the page_uid and page_gid get initialized properly in ext/standard/basic_functions.c. Also, init server_context before processing config variables in sapi/apache/mod_php5.c (CVE-2008-5624). enforce restrictions when merging in dir entry in sapi/apache/mod_php5.c and sapi/apache2handler/apache_config.c (CVE-2008-5625). On 2008.1, 2009.0 and cooker (2009.1) seen on x86_64 and with the latest phpmyadmin 3.1.2 software made apache+php segfault (#26274, #45864). This problem has been addressed by using -O0 for compiler optimization and by using -fno-strict-aliasing. Either the bug is in php and/or in gcc 4.3.2. Preferable just make it work as expected for now. In addition, the updated packages provide a number of bug fixes. The updated packages have been patched to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id36677
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/36677
    titleMandriva Linux Security Advisory : php (MDVSA-2009:045)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2009-0337.NASL
    descriptionUpdated php packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap-based buffer overflow flaw was found in PHP
    last seen2020-06-01
    modified2020-06-02
    plugin id36097
    published2009-04-07
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/36097
    titleRHEL 3 / 4 : php (RHSA-2009:0337)

Oval

accepted2013-04-29T04:04:19.149-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
    ovaloval:org.mitre.oval:def:11782
  • commentCentOS Linux 3.x
    ovaloval:org.mitre.oval:def:16651
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
    ovaloval:org.mitre.oval:def:11831
  • commentCentOS Linux 4.x
    ovaloval:org.mitre.oval:def:16636
  • commentOracle Linux 4.x
    ovaloval:org.mitre.oval:def:15990
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 5
    ovaloval:org.mitre.oval:def:11414
  • commentThe operating system installed on the system is CentOS Linux 5.x
    ovaloval:org.mitre.oval:def:15802
  • commentOracle Linux 5.x
    ovaloval:org.mitre.oval:def:15459
descriptionHeap-based buffer overflow in ext/mbstring/libmbfl/filters/mbfilter_htmlent.c in the mbstring extension in PHP 4.3.0 through 5.2.6 allows context-dependent attackers to execute arbitrary code via a crafted string containing an HTML entity, which is not properly handled during Unicode conversion, related to the (1) mb_convert_encoding, (2) mb_check_encoding, (3) mb_convert_variables, and (4) mb_parse_str functions.
familyunix
idoval:org.mitre.oval:def:10286
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleHeap-based buffer overflow in ext/mbstring/libmbfl/filters/mbfilter_htmlent.c in the mbstring extension in PHP 4.3.0 through 5.2.6 allows context-dependent attackers to execute arbitrary code via a crafted string containing an HTML entity, which is not properly handled during Unicode conversion, related to the (1) mb_convert_encoding, (2) mb_check_encoding, (3) mb_convert_variables, and (4) mb_parse_str functions.
version27

Redhat

advisories
rhsa
idRHSA-2009:0350
rpms
  • php-0:4.3.2-51.ent
  • php-0:4.3.9-3.22.15
  • php-debuginfo-0:4.3.2-51.ent
  • php-debuginfo-0:4.3.9-3.22.15
  • php-devel-0:4.3.2-51.ent
  • php-devel-0:4.3.9-3.22.15
  • php-domxml-0:4.3.9-3.22.15
  • php-gd-0:4.3.9-3.22.15
  • php-imap-0:4.3.2-51.ent
  • php-imap-0:4.3.9-3.22.15
  • php-ldap-0:4.3.2-51.ent
  • php-ldap-0:4.3.9-3.22.15
  • php-mbstring-0:4.3.9-3.22.15
  • php-mysql-0:4.3.2-51.ent
  • php-mysql-0:4.3.9-3.22.15
  • php-ncurses-0:4.3.9-3.22.15
  • php-odbc-0:4.3.2-51.ent
  • php-odbc-0:4.3.9-3.22.15
  • php-pear-0:4.3.9-3.22.15
  • php-pgsql-0:4.3.2-51.ent
  • php-pgsql-0:4.3.9-3.22.15
  • php-snmp-0:4.3.9-3.22.15
  • php-xmlrpc-0:4.3.9-3.22.15
  • php-0:5.1.6-23.2.el5_3
  • php-bcmath-0:5.1.6-23.2.el5_3
  • php-cli-0:5.1.6-23.2.el5_3
  • php-common-0:5.1.6-23.2.el5_3
  • php-dba-0:5.1.6-23.2.el5_3
  • php-debuginfo-0:5.1.6-23.2.el5_3
  • php-devel-0:5.1.6-23.2.el5_3
  • php-gd-0:5.1.6-23.2.el5_3
  • php-imap-0:5.1.6-23.2.el5_3
  • php-ldap-0:5.1.6-23.2.el5_3
  • php-mbstring-0:5.1.6-23.2.el5_3
  • php-mysql-0:5.1.6-23.2.el5_3
  • php-ncurses-0:5.1.6-23.2.el5_3
  • php-odbc-0:5.1.6-23.2.el5_3
  • php-pdo-0:5.1.6-23.2.el5_3
  • php-pgsql-0:5.1.6-23.2.el5_3
  • php-snmp-0:5.1.6-23.2.el5_3
  • php-soap-0:5.1.6-23.2.el5_3
  • php-xml-0:5.1.6-23.2.el5_3
  • php-xmlrpc-0:5.1.6-23.2.el5_3
  • php-0:5.2.6-4.el5s2
  • php-bcmath-0:5.2.6-4.el5s2
  • php-cli-0:5.2.6-4.el5s2
  • php-common-0:5.2.6-4.el5s2
  • php-dba-0:5.2.6-4.el5s2
  • php-debuginfo-0:5.2.6-4.el5s2
  • php-devel-0:5.2.6-4.el5s2
  • php-gd-0:5.2.6-4.el5s2
  • php-imap-0:5.2.6-4.el5s2
  • php-ldap-0:5.2.6-4.el5s2
  • php-mbstring-0:5.2.6-4.el5s2
  • php-mysql-0:5.2.6-4.el5s2
  • php-ncurses-0:5.2.6-4.el5s2
  • php-odbc-0:5.2.6-4.el5s2
  • php-pdo-0:5.2.6-4.el5s2
  • php-pgsql-0:5.2.6-4.el5s2
  • php-snmp-0:5.2.6-4.el5s2
  • php-soap-0:5.2.6-4.el5s2
  • php-xml-0:5.2.6-4.el5s2
  • php-xmlrpc-0:5.2.6-4.el5s2

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 32948 CVE ID: CVE-2008-5557 PHP is a web programming language. The PHP mbstring extension contains an input validation error that remote attackers can exploit to crash the application. The mbstring extension handles multi-byte Unicode strings. A problem exists when decoding certain HTML entities into Unicode strings: because the decoder does not handle error conditions correctly, the bounds check on a heap-allocated buffer can be effectively bypassed. An attacker exploiting the vulnerability can deliver arbitrary data to a specific region of the heap and execute arbitrary instructions with the application's privileges. PHP PHP 5.2.6 PHP PHP 5.2.5 PHP PHP 5.2.4 PHP PHP 5.2.3 PHP PHP 5.2.2 PHP PHP 5.2.1 + Ubuntu Ubuntu Linux 7.04 sparc + Ubuntu Ubuntu Linux 7.04 powerpc + Ubuntu Ubuntu Linux 7.04 i386 + Ubuntu Ubuntu Linux 7.04 amd64 PHP PHP 5.1.6 + Ubuntu Ubuntu Linux 6.10 sparc + Ubuntu Ubuntu Linux 6.10 powerpc + Ubuntu Ubuntu Linux 6.10 i386 + Ubuntu Ubuntu Linux 6.10 amd64 PHP PHP 5.1.5 PHP PHP 5.1.4 PHP PHP 5.1.3 PHP PHP 5.1.3 PHP PHP 5.1.2 + Ubuntu Ubuntu Linux 6.06 LTS sparc + Ubuntu Ubuntu Linux 6.06 LTS powerpc + Ubuntu Ubuntu Linux 6.06 LTS i386 + Ubuntu Ubuntu Linux 6.06 LTS amd64 PHP PHP 5.1.1 PHP PHP 5.1 PHP PHP 5.0.5 PHP PHP 5.0.4 PHP PHP 5.0.3 + Trustix Secure Linux 2.2 PHP PHP 5.0.2 PHP PHP 5.0.1 PHP PHP 5.0 candidate 3 PHP PHP 5.0 candidate 2 PHP PHP 5.0 candidate 1 PHP PHP 5.0 .0 PHP PHP 4.4.9 PHP PHP 4.4.8 PHP PHP 4.4.7 - Slackware Linux 10.2 - Slackware Linux 11.0 - Slackware Linux -current PHP PHP 4.4.6 PHP PHP 4.4.5 PHP PHP 4.4.4 PHP PHP 4.4.3 PHP PHP 4.4.2 PHP PHP 4.4.1 PHP PHP 4.4 .0 PHP PHP 4.3.11 PHP PHP 4.3.10 + Gentoo Linux + RedHat Fedora Core3 + Trustix Secure Enterprise Linux 2.0 + Trustix Secure Linux 2.2 + Trustix Secure Linux 2.1 + Trustix Secure Linux 2.0 + Trustix Secure Linux 1.5 PHP PHP 4.3.9 PHP PHP 4.3.8 + MandrakeSoft Linux Mandrake 10.1 x86_64 + MandrakeSoft Linux Mandrake 10.1 + S.u.S.E. Linux Personal 9.2 + Turbolinux Turbolinux Server 10.0 + Ubuntu Ubuntu Linux 4.1 ppc + Ubuntu Ubuntu Linux 4.1 ia64 + Ubuntu Ubuntu Linux 4.1 ia32 PHP PHP 4.3.7 PHP PHP 4.3.6 PHP PHP 4.3.5 PHP PHP 4.3.4 + MandrakeSoft Corporate Server 3.0 x86_64 + MandrakeSoft Corporate Server 3.0 + MandrakeSoft Linux Mandrake 10.0 AMD64 + MandrakeSoft Linux Mandrake 10.0 + S.u.S.E. Linux Personal 9.1 PHP PHP 4.3.3 + S.u.S.E. Linux Personal 9.0 x86_64 + S.u.S.E. Linux Personal 9.0 + Turbolinux Home + Turbolinux Turbolinux 10 F... + Turbolinux Turbolinux Desktop 10.0 PHP PHP 4.3.2 PHP PHP 4.3.1 + MandrakeSoft Linux Mandrake 9.1 ppc + MandrakeSoft Linux Mandrake 9.1 + OpenPKG OpenPKG Current + S.u.S.E. Linux Personal 8.2 PHP PHP 4.3 PHP PHP 5.2 + Debian Linux 4.0 sparc + Debian Linux 4.0 s/390 + Debian Linux 4.0 powerpc + Debian Linux 4.0 mipsel + Debian Linux 4.0 mips + Debian Linux 4.0 m68k + Debian Linux 4.0 ia-64 + Debian Linux 4.0 ia-32 + Debian Linux 4.0 hppa + Debian Linux 4.0 arm + Debian Linux 4.0 amd64 + Debian Linux 4.0 alpha + Debian Linux 4.0 Upgrade to PHP 5.2.8: http://www.php.net/
idSSV:4590
last seen2017-11-19
modified2008-12-24
published2008-12-24
reporterRoot
titlePHP 'mbstring' Extension Buffer Overflow Vulnerability

References