Vulnerabilities > CVE-2009-4018 - Permissions, Privileges, and Access Controls vulnerability in PHP
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
The proc_open function in ext/standard/proc_open.c in PHP before 5.2.11 and 5.3.x before 5.3.1 does not enforce the (1) safe_mode_allowed_env_vars and (2) safe_mode_protected_env_vars directives, which allows context-dependent attackers to execute programs with an arbitrary environment via the env parameter, as demonstrated by a crafted value of the LD_LIBRARY_PATH environment variable.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Accessing, Modifying or Executing Executable Files An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
- Leverage Executable Code in Non-Executable Files An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
- Blue Boxing This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.
- Restful Privilege Elevation Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
- Target Programs with Elevated Privileges This attack targets programs running with elevated privileges. The attacker would try to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user try to execute its code at the same level as a privileged system call.
Exploit-Db
description | Kolang (proc_open PHP safe mode bypass 4.3.10 - 5.3.0). CVE-2009-4018. Webapps exploit for php platform |
id | EDB-ID:11636 |
last seen | 2016-02-01 |
modified | 2010-03-05 |
published | 2010-03-05 |
reporter | Hamid Ebadi |
source | https://www.exploit-db.com/download/11636/ |
title | Kolang proc_open PHP safe mode bypass 4.3.10 - 5.3.0 |
Nessus
NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-304.NASL description Some vulnerabilities were discovered and corrected in php : PHP 5.2.11, and 5.3.x before 5.3.1, does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive (CVE-2009-4017). The proc_open function in ext/standard/proc_open.c in PHP before 5.2.11 and 5.3.x before 5.3.1 does not enforce the (1) safe_mode_allowed_env_vars and (2) safe_mode_protected_env_vars directives, which allows context-dependent attackers to execute programs with an arbitrary environment via the env parameter, as demonstrated by a crafted value of the LD_LIBRARY_PATH environment variable (CVE-2009-4018). The updated packages have been patched to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 42918 published 2009-11-30 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/42918 title Mandriva Linux Security Advisory : php (MDVSA-2009:304) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandriva Linux Security Advisory MDVSA-2009:304. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(42918); script_version("1.19"); script_cvs_date("Date: 2019/08/02 13:32:52"); script_cve_id("CVE-2009-4017", "CVE-2009-4018", "CVE-2009-4022"); script_bugtraq_id(37079, 37118, 37138); script_xref(name:"MDVSA", value:"2009:304"); script_name(english:"Mandriva Linux Security Advisory : php (MDVSA-2009:304)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandriva Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Some vulnerabilities were discovered and corrected in php : PHP 5.2.11, and 5.3.x before 5.3.1, does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive (CVE-2009-4017). The proc_open function in ext/standard/proc_open.c in PHP before 5.2.11 and 5.3.x before 5.3.1 does not enforce the (1) safe_mode_allowed_env_vars and (2) safe_mode_protected_env_vars directives, which allows context-dependent attackers to execute programs with an arbitrary environment via the env parameter, as demonstrated by a crafted value of the LD_LIBRARY_PATH environment variable (CVE-2009-4018). The updated packages have been patched to correct these issues." ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(264); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64php5_common5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libphp5_common5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-bcmath"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-bz2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-calendar"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-cgi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-cli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-ctype"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-dba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-dbase"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-dom"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-exif"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-fcgi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-filter"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-ftp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-gettext"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-gmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-hash"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-iconv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-imap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-ini"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-json"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mbstring"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mcrypt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mhash"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mime_magic"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-ming"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mssql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mysqli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-ncurses"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-openssl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pcntl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pdo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pdo_dblib"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pdo_mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pdo_odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pdo_pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pdo_sqlite"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-posix"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pspell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-readline"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-recode"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-session"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-shmop"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-snmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-soap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-sockets"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-sqlite"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-sybase"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-sysvmsg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-sysvsem"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-sysvshm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-tidy"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-tokenizer"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-wddx"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-xml"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-xmlreader"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-xmlrpc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-xmlwriter"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-xsl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-zlib"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2009.0"); script_set_attribute(attribute:"patch_publication_date", value:"2009/11/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/11/30"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK2009.0", cpu:"x86_64", reference:"lib64php5_common5-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", cpu:"i386", reference:"libphp5_common5-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-bcmath-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-bz2-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-calendar-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-cgi-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-cli-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-ctype-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-curl-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-dba-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-dbase-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-devel-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-dom-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-exif-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-fcgi-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-filter-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-ftp-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-gd-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-gettext-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-gmp-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-hash-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-iconv-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-imap-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-ini-5.2.6-2.1mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-json-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-ldap-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-mbstring-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-mcrypt-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-mhash-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-mime_magic-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-ming-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-mssql-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-mysql-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-mysqli-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-ncurses-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-odbc-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-openssl-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-pcntl-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-pdo-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-pdo_dblib-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-pdo_mysql-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-pdo_odbc-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-pdo_pgsql-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-pdo_sqlite-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-pgsql-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-posix-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-pspell-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-readline-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-recode-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-session-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-shmop-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-snmp-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-soap-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-sockets-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-sqlite-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-sybase-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-sysvmsg-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-sysvsem-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-sysvshm-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-tidy-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-tokenizer-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-wddx-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-xml-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-xmlreader-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-xmlrpc-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-xmlwriter-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-xsl-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"php-zlib-5.2.6-18.9mdv2009.0", yank:"mdv")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Web Servers NASL id HPSMH_6_2_0_12.NASL description According to its self-reported version number, the HP System Management Homepage install on the remote host is earlier than 6.2. Such versions are reportedly affected by the following vulnerabilities : - Session renegotiations are not handled properly, which could be exploited to insert arbitrary plaintext in a man-in-the-middle attack. (CVE-2009-3555) - An attacker may be able to upload files using a POST request with last seen 2020-06-01 modified 2020-06-02 plugin id 49272 published 2010-09-17 reporter This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/49272 title HP System Management Homepage < 6.2 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(49272); script_version("1.23"); script_cvs_date("Date: 2018/11/15 20:50:25"); script_cve_id( "CVE-2009-3555", "CVE-2009-4017", "CVE-2009-4018", "CVE-2009-4143", "CVE-2010-1586", "CVE-2010-2068", "CVE-2010-3009", "CVE-2010-3011", "CVE-2010-3012", "CVE-2010-3283", "CVE-2010-3284" ); script_bugtraq_id( 36935, 37079, 37138, 37390, 43208, 43269, 43334, 43423, 43462, 43463 ); script_name(english:"HP System Management Homepage < 6.2 Multiple Vulnerabilities"); script_summary(english:"Does a banner check"); script_set_attribute(attribute:"synopsis", value:"The remote web server is affected by multiple vulnerabilities."); script_set_attribute( attribute:"description", value: "According to its self-reported version number, the HP System Management Homepage install on the remote host is earlier than 6.2. Such versions are reportedly affected by the following vulnerabilities : - Session renegotiations are not handled properly, which could be exploited to insert arbitrary plaintext in a man-in-the-middle attack. (CVE-2009-3555) - An attacker may be able to upload files using a POST request with 'multipart/form-data' content even if the target script doesn't actually support file uploads per se. (CVE-2009-4017) - PHP's 'proc_open' function can be abused to bypass 'safe_mode_allowed_env_vars' and 'safe_mode_protected_env_vars' directives. (CVE-2009-4018) - PHP does not properly protect session data as relates to interrupt corruption of '$_SESSION' and the 'session.save_path' directive. (CVE-2009-4143) - The application allows arbitrary URL redirections. (CVE-2010-1586 and CVE-2010-3283) - An information disclosure vulnerability exists in Apache's mod_proxy_ajp, mod_reqtimeout, and mod_proxy_http relating to timeout conditions. Note that this issue only affects SMH on Windows. (CVE-2010-2068) - An as-yet unspecified information disclosure vulnerability may allow an authorized user to gain access to sensitive information, which in turn could be leveraged to obtain root access on Linux installs of SMH. (CVE-2010-3009) - There is an as-yet unspecified HTTP response splitting issue. (CVE-2010-3011) - There is an as-yet unspecified cross-site scripting issue. (CVE-2010-3012) - An as-yet unspecified vulnerability could lead to remote disclosure of sensitive information. (CVE-2010-3284)" ); script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/513684/30/0/threaded"); script_set_attribute( attribute:"see_also", value:"https://www.securityfocus.com/archive/1/513771/30/0/threaded" ); script_set_attribute( attribute:"see_also", value:"https://www.securityfocus.com/archive/1/513840/30/0/threaded" ); script_set_attribute( attribute:"see_also", value:"https://www.securityfocus.com/archive/1/513917/30/0/threaded" ); script_set_attribute( attribute:"see_also", value:"https://www.securityfocus.com/archive/1/513918/30/0/threaded" ); script_set_attribute( attribute:"see_also", value:"https://www.securityfocus.com/archive/1/513920/30/0/threaded" ); script_set_attribute(attribute:"solution", value:"Upgrade to HP System Management Homepage 6.2.0 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(264, 310); script_set_attribute(attribute:"vuln_publication_date", value:"2009/07/23"); script_set_attribute(attribute:"patch_publication_date", value:"2010/08/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/09/17"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:system_management_homepage"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Web Servers"); script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc."); script_dependencies("compaq_wbem_detect.nasl"); script_require_keys("www/hp_smh"); script_require_ports("Services/www", 2301, 2381); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("webapp_func.inc"); port = get_http_port(default:2381, embedded:TRUE); install = get_install_from_kb(appname:'hp_smh', port:port, exit_on_fail:TRUE); dir = install['dir']; version = install['ver']; prod = get_kb_item_or_exit("www/"+port+"/hp_smh/variant"); if (version == UNKNOWN_VER) exit(1, 'The version of '+prod+' installed at '+build_url(port:port, qs:dir+"/")+' is unknown.'); # nb: 'version' can have non-numeric characters in it so we'll create # an alternate form and make sure that's safe for use in 'ver_compare()'. version_alt = ereg_replace(pattern:"[_-]", replace:".", string:version); if (!ereg(pattern:"^[0-9][0-9.]+$", string:version_alt)) exit(1, 'The version of '+prod+' installed at '+build_url(port:port, qs:dir+"/")+' does not look valid ('+version+').'); # NB: while 6.2.0.12 is the fix for Linux and 6.2.0.13 is the fix for # Windows, there is no way to infer OS from the banner. Since # there is no 6.2.0.12 publicly released for Windows, this check # should be "Good Enough". fixed_version = '6.2.0.12'; if (ver_compare(ver:version_alt, fix:fixed_version, strict:FALSE) == -1) { if (report_verbosity > 0) { source_line = get_kb_item("www/"+port+"/hp_smh/source"); report = '\n Product : ' + prod; if (!isnull(source_line)) report += '\n Version source : ' + source_line; report += '\n Installed version : ' + version + '\n Fixed version : ' + fixed_version + '\n'; security_hole(port:port, extra:report); } else security_hole(port); exit(0); } else exit(0, prod+" "+version+" is listening on port "+port+" and is not affected.");
NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-324.NASL description Multiple vulnerabilities was discovered and corrected in php : The dba_replace function in PHP 5.2.6 and 4.x allows context-dependent attackers to cause a denial of service (file truncation) via a key with the NULL byte. NOTE: this might only be a vulnerability in limited circumstances in which the attacker can modify or add database entries but does not have permissions to truncate the file (CVE-2008-7068). The JSON_parser function (ext/json/JSON_parser.c) in PHP 5.2.x before 5.2.9 allows remote attackers to cause a denial of service (segmentation fault) via a malformed string to the json_decode API function (CVE-2009-1271). - Fixed upstream bug #48378 (exif_read_data() segfaults on certain corrupted .jpeg files) (CVE-2009-2687). The php_openssl_apply_verification_policy function in PHP before 5.2.11 does not properly perform certificate validation, which has unknown impact and attack vectors, probably related to an ability to spoof certificates (CVE-2009-3291). Unspecified vulnerability in PHP before 5.2.11 has unknown impact and attack vectors related to missing sanity checks around exif processing. (CVE-2009-3292) Unspecified vulnerability in the imagecolortransparent function in PHP before 5.2.11 has unknown impact and attack vectors related to an incorrect sanity check for the color index. (CVE-2009-3293) The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.0, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third-party information (CVE-2009-3546). The tempnam function in ext/standard/file.c in PHP 5.2.11 and earlier, and 5.3.x before 5.3.1, allows context-dependent attackers to bypass safe_mode restrictions, and create files in group-writable or world-writable directories, via the dir and prefix arguments (CVE-2009-3557). The posix_mkfifo function in ext/posix/posix.c in PHP 5.2.11 and earlier, and 5.3.x before 5.3.1, allows context-dependent attackers to bypass open_basedir restrictions, and create FIFO files, via the pathname and mode arguments, as demonstrated by creating a .htaccess file (CVE-2009-3558). PHP 5.2.11, and 5.3.x before 5.3.1, does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive (CVE-2009-4017). The proc_open function in ext/standard/proc_open.c in PHP before 5.2.11 and 5.3.x before 5.3.1 does not enforce the (1) safe_mode_allowed_env_vars and (2) safe_mode_protected_env_vars directives, which allows context-dependent attackers to execute programs with an arbitrary environment via the env parameter, as demonstrated by a crafted value of the LD_LIBRARY_PATH environment variable (CVE-2009-4018). The dba_replace function in PHP 5.2.6 and 4.x allows context-dependent attackers to cause a denial of service (file truncation) via a key with the NULL byte. NOTE: this might only be a vulnerability in limited circumstances in which the attacker can modify or add database entries but does not have permissions to truncate the file (CVE-2008-7068). The php_openssl_apply_verification_policy function in PHP before 5.2.11 does not properly perform certificate validation, which has unknown impact and attack vectors, probably related to an ability to spoof certificates (CVE-2009-3291). Unspecified vulnerability in PHP before 5.2.11 has unknown impact and attack vectors related to missing sanity checks around exif processing. (CVE-2009-3292) Unspecified vulnerability in the imagecolortransparent function in PHP before 5.2.11 has unknown impact and attack vectors related to an incorrect sanity check for the color index. (CVE-2009-3293). However in Mandriva we don last seen 2020-06-01 modified 2020-06-02 plugin id 43043 published 2009-12-08 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/43043 title Mandriva Linux Security Advisory : php (MDVSA-2009:324) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandriva Linux Security Advisory MDVSA-2009:324. # The text itself is copyright (C) Mandriva S.A. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(43043); script_version("1.19"); script_cvs_date("Date: 2019/08/02 13:32:52"); script_cve_id("CVE-2008-7068", "CVE-2009-1271", "CVE-2009-2687", "CVE-2009-3291", "CVE-2009-3292", "CVE-2009-3293", "CVE-2009-3546", "CVE-2009-3557", "CVE-2009-3558", "CVE-2009-4017", "CVE-2009-4018"); script_bugtraq_id(35440, 36449, 36712, 37079, 37138); script_xref(name:"MDVSA", value:"2009:324"); script_name(english:"Mandriva Linux Security Advisory : php (MDVSA-2009:324)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandriva Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Multiple vulnerabilities was discovered and corrected in php : The dba_replace function in PHP 5.2.6 and 4.x allows context-dependent attackers to cause a denial of service (file truncation) via a key with the NULL byte. NOTE: this might only be a vulnerability in limited circumstances in which the attacker can modify or add database entries but does not have permissions to truncate the file (CVE-2008-7068). The JSON_parser function (ext/json/JSON_parser.c) in PHP 5.2.x before 5.2.9 allows remote attackers to cause a denial of service (segmentation fault) via a malformed string to the json_decode API function (CVE-2009-1271). - Fixed upstream bug #48378 (exif_read_data() segfaults on certain corrupted .jpeg files) (CVE-2009-2687). The php_openssl_apply_verification_policy function in PHP before 5.2.11 does not properly perform certificate validation, which has unknown impact and attack vectors, probably related to an ability to spoof certificates (CVE-2009-3291). Unspecified vulnerability in PHP before 5.2.11 has unknown impact and attack vectors related to missing sanity checks around exif processing. (CVE-2009-3292) Unspecified vulnerability in the imagecolortransparent function in PHP before 5.2.11 has unknown impact and attack vectors related to an incorrect sanity check for the color index. (CVE-2009-3293) The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.0, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third-party information (CVE-2009-3546). The tempnam function in ext/standard/file.c in PHP 5.2.11 and earlier, and 5.3.x before 5.3.1, allows context-dependent attackers to bypass safe_mode restrictions, and create files in group-writable or world-writable directories, via the dir and prefix arguments (CVE-2009-3557). The posix_mkfifo function in ext/posix/posix.c in PHP 5.2.11 and earlier, and 5.3.x before 5.3.1, allows context-dependent attackers to bypass open_basedir restrictions, and create FIFO files, via the pathname and mode arguments, as demonstrated by creating a .htaccess file (CVE-2009-3558). PHP 5.2.11, and 5.3.x before 5.3.1, does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive (CVE-2009-4017). The proc_open function in ext/standard/proc_open.c in PHP before 5.2.11 and 5.3.x before 5.3.1 does not enforce the (1) safe_mode_allowed_env_vars and (2) safe_mode_protected_env_vars directives, which allows context-dependent attackers to execute programs with an arbitrary environment via the env parameter, as demonstrated by a crafted value of the LD_LIBRARY_PATH environment variable (CVE-2009-4018). The dba_replace function in PHP 5.2.6 and 4.x allows context-dependent attackers to cause a denial of service (file truncation) via a key with the NULL byte. NOTE: this might only be a vulnerability in limited circumstances in which the attacker can modify or add database entries but does not have permissions to truncate the file (CVE-2008-7068). The php_openssl_apply_verification_policy function in PHP before 5.2.11 does not properly perform certificate validation, which has unknown impact and attack vectors, probably related to an ability to spoof certificates (CVE-2009-3291). Unspecified vulnerability in PHP before 5.2.11 has unknown impact and attack vectors related to missing sanity checks around exif processing. (CVE-2009-3292) Unspecified vulnerability in the imagecolortransparent function in PHP before 5.2.11 has unknown impact and attack vectors related to an incorrect sanity check for the color index. (CVE-2009-3293). However in Mandriva we don't use the bundled libgd source in php per default, there is a unsupported package in contrib named php-gd-bundled that eventually will get updated to pickup these fixes. The php-suhosin package has been upgraded to 0.9.22 which has better support for apache vhosts. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers This update provides a solution to these vulnerabilities." ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(20, 264); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64php5_common5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libphp5_common5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-bcmath"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-bz2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-calendar"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-cgi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-cli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-ctype"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-dba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-dbase"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-dom"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-exif"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-fcgi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-filter"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-ftp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-gettext"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-gmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-hash"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-iconv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-imap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-ini"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-json"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mbstring"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mcrypt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mhash"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mime_magic"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-ming"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mssql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mysqli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-ncurses"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-openssl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pcntl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pdo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pdo_dblib"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pdo_mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pdo_odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pdo_pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pdo_sqlite"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-posix"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pspell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-readline"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-recode"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-session"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-shmop"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-simplexml"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-snmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-soap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-sockets"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-sqlite"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-suhosin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-sysvmsg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-sysvsem"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-sysvshm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-tidy"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-tokenizer"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-wddx"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-xml"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-xmlreader"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-xmlrpc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-xmlwriter"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-xsl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-zlib"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.0"); script_set_attribute(attribute:"patch_publication_date", value:"2009/12/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/12/08"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK2008.0", cpu:"x86_64", reference:"lib64php5_common5-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", cpu:"i386", reference:"libphp5_common5-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-bcmath-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-bz2-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-calendar-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-cgi-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-cli-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-ctype-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-curl-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-dba-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-dbase-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-devel-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-dom-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-exif-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-fcgi-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-filter-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-ftp-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-gd-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-gettext-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-gmp-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-hash-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-iconv-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-imap-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-ini-5.2.4-1.1mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-json-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-ldap-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-mbstring-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-mcrypt-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-mhash-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-mime_magic-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-ming-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-mssql-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-mysql-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-mysqli-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-ncurses-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-odbc-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-openssl-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-pcntl-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-pdo-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-pdo_dblib-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-pdo_mysql-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-pdo_odbc-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-pdo_pgsql-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-pdo_sqlite-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-pgsql-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-posix-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-pspell-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-readline-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-recode-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-session-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-shmop-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-simplexml-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-snmp-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-soap-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-sockets-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-sqlite-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-suhosin-0.9.22-1.1mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-sysvmsg-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-sysvsem-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-sysvshm-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-tidy-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-tokenizer-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-wddx-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-xml-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-xmlreader-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-xmlrpc-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-xmlwriter-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-xsl-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"php-zlib-5.2.4-3.6mdv2008.0", yank:"mdv")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family CGI abuses NASL id PHP_5_2_11.NASL description According to its banner, the version of PHP installed on the remote host is older than 5.2.11. Such versions may be affected by several security issues : - An unspecified error occurs in certificate validation inside last seen 2020-06-01 modified 2020-06-02 plugin id 41014 published 2009-09-18 reporter This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41014 title PHP < 5.2.11 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(41014); script_version("1.18"); script_cvs_date("Date: 2018/07/24 18:56:10"); script_cve_id( "CVE-2009-3291", "CVE-2009-3292", "CVE-2009-3293", "CVE-2009-3294", "CVE-2009-4018", "CVE-2009-5016" ); script_bugtraq_id(36449, 44889); script_xref(name:"Secunia", value:"36791"); script_name(english:"PHP < 5.2.11 Multiple Vulnerabilities"); script_summary(english:"Checks version of PHP"); script_set_attribute( attribute:"synopsis", value: "The remote web server uses a version of PHP that is affected by multiple flaws." ); script_set_attribute( attribute:"description", value: "According to its banner, the version of PHP installed on the remote host is older than 5.2.11. Such versions may be affected by several security issues : - An unspecified error occurs in certificate validation inside 'php_openssl_apply_verification_policy'. - An unspecified input validation vulnerability affects the color index in 'imagecolortransparent()'. - An unspecified input validation vulnerability affects exif processing. - Calling 'popen()' with an invalid mode can cause a crash under Windows. (Bug #44683) - An integer overflow in 'xml_utf8_decode()' can make it easier to bypass cross-site scripting and SQL injection protection mechanisms using a specially crafted string with a long UTF-8 encoding. (Bug #49687) - 'proc_open()' can bypass 'safe_mode_protected_env_vars'. (Bug #49026)" ); script_set_attribute( attribute:"see_also", value:"http://www.php.net/ChangeLog-5.php#5.2.11" ); script_set_attribute( attribute:"see_also", value:"http://www.php.net/releases/5_2_11.php" ); script_set_attribute( attribute:"see_also", value:"http://news.php.net/php.internals/45597" ); script_set_attribute( attribute:"see_also", value:"http://www.php.net/ChangeLog-5.php#5.2.11" ); script_set_attribute( attribute:"solution", value:"Upgrade to PHP version 5.2.11 or later." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(20, 134, 264); script_set_attribute(attribute:"patch_publication_date", value:"2009/09/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/18"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc."); script_dependencies("php_version.nasl"); script_require_ports("Services/www", 80); script_require_keys("www/PHP"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("audit.inc"); include("webapp_func.inc"); port = get_http_port(default:80, php:TRUE); php = get_php_from_kb( port : port, exit_on_fail : TRUE ); version = php["ver"]; source = php["src"]; backported = get_kb_item('www/php/'+port+'/'+version+'/backported'); if (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install"); if (version =~ "^[0-4]\." || version =~ "^5\.[01]\." || version =~ "^5\.2\.([0-9]|10)($|[^0-9])" ) { if (report_verbosity > 0) { report = '\n Version source : '+source + '\n Installed version : '+version+ '\n Fixed version : 5.2.11\n'; security_hole(port:port, extra:report); } else security_hole(port); exit(0); } else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);
NASL family CGI abuses NASL id PHP_5_3_1.NASL description According to its banner, the version of PHP 5.3 installed on the remote host is older than 5.3.1. Such versions may be affected by several security issues : - Sanity checks are missing in exif processing. - It is possible to bypass the last seen 2020-06-01 modified 2020-06-02 plugin id 42862 published 2009-11-20 reporter This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42862 title PHP 5.3 < 5.3.1 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(42862); script_version("1.21"); script_cvs_date("Date: 2018/11/15 20:50:18"); script_cve_id( "CVE-2009-3557", "CVE-2009-3559", "CVE-2009-4017", "CVE-2009-4018", "CVE-2010-1128" ); script_bugtraq_id(36554, 36555, 37079, 37138); script_xref(name:"Secunia", value:"37412"); script_name(english:"PHP 5.3 < 5.3.1 Multiple Vulnerabilities"); script_summary(english:"Checks version of PHP"); script_set_attribute( attribute:"synopsis", value: "The remote web server uses a version of PHP that is affected by multiple flaws." ); script_set_attribute( attribute:"description", value: "According to its banner, the version of PHP 5.3 installed on the remote host is older than 5.3.1. Such versions may be affected by several security issues : - Sanity checks are missing in exif processing. - It is possible to bypass the 'safe_mode' configuration setting using 'tempnam()'. - It is possible to bypass the 'open_basedir' configuration setting using 'posix_mkfifo()'. - The 'safe_mode_include_dir' configuration setting may be ignored. (Bug #50063) - Calling 'popen()' with an invalid mode can cause a crash under Windows. (Bug #44683) - Provided file uploading is enabled (it is by default), an attacker can upload files using a POST request with 'multipart/form-data' content even if the target script doesn't actually support file uploads per se. By supplying a large number (15,000+) of files, an attacker could cause the web server to stop responding while it processes the file list. - 'proc_open()' can bypass 'safe_mode_protected_env_vars'. (Bug #49026) - An unspecified vulnerability affects the LCG entropy." ); script_set_attribute( attribute:"see_also", value:"https://www.securityfocus.com/archive/1/507982/30/0/threaded" ); script_set_attribute( attribute:"see_also", value:"http://www.php.net/releases/5_3_1.php" ); script_set_attribute( attribute:"see_also", value:"http://www.php.net/ChangeLog-5.php#5.3.1" ); script_set_attribute( attribute:"solution", value:"Upgrade to PHP version 5.3.1 or later." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(264); script_set_attribute(attribute:"patch_publication_date", value:"2009/11/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/11/20"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc."); script_dependencies("php_version.nasl"); script_require_ports("Services/www", 80); script_require_keys("www/PHP"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("audit.inc"); include("webapp_func.inc"); port = get_http_port(default:80, php:TRUE); php = get_php_from_kb( port : port, exit_on_fail : TRUE ); version = php["ver"]; source = php["src"]; backported = get_kb_item('www/php/'+port+'/'+version+'/backported'); if (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install"); if (version =~ "^5\.3\.0($|[^0-9])") { if (report_verbosity > 0) { report = '\n Version source : '+source + '\n Installed version : '+version+ '\n Fixed version : 5.3.1\n'; security_warning(port:port, extra:report); } else security_warning(port); exit(0); } else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);
NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-303.NASL description Some vulnerabilities were discovered and corrected in php-5.2.11 : The tempnam function in ext/standard/file.c in PHP 5.2.11 and earlier, and 5.3.x before 5.3.1, allows context-dependent attackers to bypass safe_mode restrictions, and create files in group-writable or world-writable directories, via the dir and prefix arguments (CVE-2009-3557). The posix_mkfifo function in ext/posix/posix.c in PHP 5.2.11 and earlier, and 5.3.x before 5.3.1, allows context-dependent attackers to bypass open_basedir restrictions, and create FIFO files, via the pathname and mode arguments, as demonstrated by creating a .htaccess file (CVE-2009-3558). PHP 5.2.11, and 5.3.x before 5.3.1, does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive (CVE-2009-4017). The proc_open function in ext/standard/proc_open.c in PHP before 5.2.11 and 5.3.x before 5.3.1 does not enforce the (1) safe_mode_allowed_env_vars and (2) safe_mode_protected_env_vars directives, which allows context-dependent attackers to execute programs with an arbitrary environment via the env parameter, as demonstrated by a crafted value of the LD_LIBRARY_PATH environment variable (CVE-2009-4018). Intermittent segfaults occured on x86_64 with the latest phpmyadmin and with apache (#53735). Additionally, some packages which require so, have been rebuilt and are being provided as updates. last seen 2020-06-01 modified 2020-06-02 plugin id 48159 published 2010-07-30 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/48159 title Mandriva Linux Security Advisory : php (MDVSA-2009:303) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandriva Linux Security Advisory MDVSA-2009:303. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(48159); script_version("1.13"); script_cvs_date("Date: 2019/08/02 13:32:52"); script_cve_id("CVE-2009-3557", "CVE-2009-3558", "CVE-2009-4017", "CVE-2009-4018"); script_bugtraq_id(37079, 37138); script_xref(name:"MDVSA", value:"2009:303"); script_name(english:"Mandriva Linux Security Advisory : php (MDVSA-2009:303)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandriva Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Some vulnerabilities were discovered and corrected in php-5.2.11 : The tempnam function in ext/standard/file.c in PHP 5.2.11 and earlier, and 5.3.x before 5.3.1, allows context-dependent attackers to bypass safe_mode restrictions, and create files in group-writable or world-writable directories, via the dir and prefix arguments (CVE-2009-3557). The posix_mkfifo function in ext/posix/posix.c in PHP 5.2.11 and earlier, and 5.3.x before 5.3.1, allows context-dependent attackers to bypass open_basedir restrictions, and create FIFO files, via the pathname and mode arguments, as demonstrated by creating a .htaccess file (CVE-2009-3558). PHP 5.2.11, and 5.3.x before 5.3.1, does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive (CVE-2009-4017). The proc_open function in ext/standard/proc_open.c in PHP before 5.2.11 and 5.3.x before 5.3.1 does not enforce the (1) safe_mode_allowed_env_vars and (2) safe_mode_protected_env_vars directives, which allows context-dependent attackers to execute programs with an arbitrary environment via the env parameter, as demonstrated by a crafted value of the LD_LIBRARY_PATH environment variable (CVE-2009-4018). Intermittent segfaults occured on x86_64 with the latest phpmyadmin and with apache (#53735). Additionally, some packages which require so, have been rebuilt and are being provided as updates." ); script_set_attribute( attribute:"see_also", value:"https://qa.mandriva.com/53735" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(264); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_php"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64php5_common5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libphp5_common5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-apc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-apc-admin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-bcmath"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-bz2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-calendar"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-cgi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-cli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-ctype"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-dba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-dbase"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-dbx"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-dio"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-dom"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-eaccelerator"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-eaccelerator-admin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-exif"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-fam"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-fcgi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-fileinfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-filepro"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-filter"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-ftp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-gettext"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-gmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-hash"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-iconv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-idn"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-imap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-ini"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-json"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mbstring"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mcal"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mcrypt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mhash"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mime_magic"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-ming"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mssql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mysqli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-ncurses"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-openssl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-optimizer"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pcntl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pdo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pdo_dblib"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pdo_mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pdo_odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pdo_pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pdo_sqlite"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-posix"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pspell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-readline"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-recode"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-sasl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-session"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-shmop"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-snmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-soap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-sockets"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-sqlite"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-ssh2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-suhosin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-sybase"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-sysvmsg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-sysvsem"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-sysvshm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-tclink"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-tidy"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-tokenizer"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-translit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-vld"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-wddx"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-xattr"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-xdebug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-xml"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-xmlreader"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-xmlrpc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-xmlwriter"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-xsl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-zip"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-zlib"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2009.1"); script_set_attribute(attribute:"patch_publication_date", value:"2009/11/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/07/30"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK2009.1", reference:"apache-mod_php-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", cpu:"x86_64", reference:"lib64php5_common5-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", cpu:"i386", reference:"libphp5_common5-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-apc-3.1.3p1-0.1mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-apc-admin-3.1.3p1-0.1mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-bcmath-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-bz2-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-calendar-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-cgi-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-cli-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-ctype-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-curl-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-dba-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-dbase-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-dbx-1.1.0-26.1mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-devel-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-dio-0.0.2-3.1mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-dom-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-eaccelerator-0.9.5.3-8.1mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-eaccelerator-admin-0.9.5.3-8.1mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-exif-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-fam-5.0.1-7.1mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-fcgi-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-fileinfo-1.0.4-15.1mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-filepro-5.1.6-17.1mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-filter-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-ftp-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-gd-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-gettext-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-gmp-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-hash-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-iconv-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-idn-1.2b-15.1mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-imap-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-ini-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-json-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-ldap-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-mbstring-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-mcal-0.6-27.1mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-mcrypt-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-mhash-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-mime_magic-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-ming-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-mssql-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-mysql-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-mysqli-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-ncurses-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-odbc-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-openssl-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-optimizer-0.1-0.alpha1.5.1mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-pcntl-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-pdo-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-pdo_dblib-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-pdo_mysql-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-pdo_odbc-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-pdo_pgsql-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-pdo_sqlite-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-pgsql-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-posix-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-pspell-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-readline-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-recode-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-sasl-0.1.0-25.1mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-session-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-shmop-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-snmp-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-soap-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-sockets-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-sqlite-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-ssh2-0.11.0-2.1mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-suhosin-0.9.29-0.1mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-sybase-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-sysvmsg-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-sysvsem-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-sysvshm-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-tclink-3.4.4-10.1mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-tidy-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-tokenizer-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-translit-0.6.0-7.1mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-vld-0.9.1-8.1mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-wddx-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-xattr-1.1.0-6.1mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-xdebug-2.0.5-0.1mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-xml-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-xmlreader-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-xmlrpc-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-xmlwriter-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-xsl-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-zip-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.1", reference:"php-zlib-5.2.11-0.2mdv2009.1", yank:"mdv")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-862-1.NASL description Maksymilian Arciemowicz discovered that PHP did not properly validate arguments to the dba_replace function. If a script passed untrusted input to the dba_replace function, an attacker could truncate the database. This issue only applied to Ubuntu 6.06 LTS, 8.04 LTS, and 8.10. (CVE-2008-7068) It was discovered that PHP last seen 2020-06-01 modified 2020-06-02 plugin id 42930 published 2009-11-30 reporter Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/42930 title Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : php5 vulnerabilities (USN-862-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-862-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(42930); script_version("1.16"); script_cvs_date("Date: 2019/08/02 13:33:02"); script_cve_id("CVE-2008-7068", "CVE-2009-3291", "CVE-2009-3292", "CVE-2009-3557", "CVE-2009-3558", "CVE-2009-4017", "CVE-2009-4018"); script_bugtraq_id(36449, 37079, 37138); script_xref(name:"USN", value:"862-1"); script_name(english:"Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : php5 vulnerabilities (USN-862-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "Maksymilian Arciemowicz discovered that PHP did not properly validate arguments to the dba_replace function. If a script passed untrusted input to the dba_replace function, an attacker could truncate the database. This issue only applied to Ubuntu 6.06 LTS, 8.04 LTS, and 8.10. (CVE-2008-7068) It was discovered that PHP's php_openssl_apply_verification_policy function did not correctly handle SSL certificates with zero bytes in the Common Name. A remote attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. (CVE-2009-3291) It was discovered that PHP did not properly handle certain malformed images when being parsed by the Exif module. A remote attacker could exploit this flaw and cause the PHP server to crash, resulting in a denial of service. (CVE-2009-3292) Grzegorz Stachowiak discovered that PHP did not properly enforce restrictions in the tempnam function. An attacker could exploit this issue to bypass safe_mode restrictions. (CVE-2009-3557) Grzegorz Stachowiak discovered that PHP did not properly enforce restrictions in the posix_mkfifo function. An attacker could exploit this issue to bypass open_basedir restrictions. (CVE-2009-3558) Bogdan Calin discovered that PHP did not limit the number of temporary files created when handling multipart/form-data POST requests. A remote attacker could exploit this flaw and cause the PHP server to consume all available resources, resulting in a denial of service. (CVE-2009-4017) ATTENTION: This update changes previous PHP behaviour by limiting the number of files in a POST request to 50. This may be increased by adding a 'max_file_uploads' directive to the php.ini configuration file. It was discovered that PHP did not properly enforce restrictions in the proc_open function. An attacker could exploit this issue to bypass safe_mode_protected_env_vars restrictions and possibly execute arbitrary code with application privileges. (CVE-2009-4018). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/862-1/" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(20, 264); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libapache2-mod-php5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libapache2-mod-php5filter"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php-pear"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-cgi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-cli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-gmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-mhash"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-mysqli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-pspell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-recode"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-snmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-sqlite"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-sybase"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-tidy"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-xmlrpc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-xsl"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:9.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:9.10"); script_set_attribute(attribute:"patch_publication_date", value:"2009/11/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/11/30"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! ereg(pattern:"^(6\.06|8\.04|8\.10|9\.04|9\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 6.06 / 8.04 / 8.10 / 9.04 / 9.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"6.06", pkgname:"libapache2-mod-php5", pkgver:"5.1.2-1ubuntu3.17")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"php-pear", pkgver:"5.1.2-1ubuntu3.17")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"php5", pkgver:"5.1.2-1ubuntu3.17")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"php5-cgi", pkgver:"5.1.2-1ubuntu3.17")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"php5-cli", pkgver:"5.1.2-1ubuntu3.17")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"php5-common", pkgver:"5.1.2-1ubuntu3.17")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"php5-curl", pkgver:"5.1.2-1ubuntu3.17")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"php5-dev", pkgver:"5.1.2-1ubuntu3.17")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"php5-gd", pkgver:"5.1.2-1ubuntu3.17")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"php5-ldap", pkgver:"5.1.2-1ubuntu3.17")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"php5-mhash", pkgver:"5.1.2-1ubuntu3.17")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"php5-mysql", pkgver:"5.1.2-1ubuntu3.17")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"php5-mysqli", pkgver:"5.1.2-1ubuntu3.17")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"php5-odbc", pkgver:"5.1.2-1ubuntu3.17")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"php5-pgsql", pkgver:"5.1.2-1ubuntu3.17")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"php5-recode", pkgver:"5.1.2-1ubuntu3.17")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"php5-snmp", pkgver:"5.1.2-1ubuntu3.17")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"php5-sqlite", pkgver:"5.1.2-1ubuntu3.17")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"php5-sybase", pkgver:"5.1.2-1ubuntu3.17")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"php5-xmlrpc", pkgver:"5.1.2-1ubuntu3.17")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"php5-xsl", pkgver:"5.1.2-1ubuntu3.17")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"libapache2-mod-php5", pkgver:"5.2.4-2ubuntu5.9")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"php-pear", pkgver:"5.2.4-2ubuntu5.9")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"php5", pkgver:"5.2.4-2ubuntu5.9")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"php5-cgi", pkgver:"5.2.4-2ubuntu5.9")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"php5-cli", pkgver:"5.2.4-2ubuntu5.9")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"php5-common", pkgver:"5.2.4-2ubuntu5.9")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"php5-curl", pkgver:"5.2.4-2ubuntu5.9")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"php5-dev", pkgver:"5.2.4-2ubuntu5.9")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"php5-gd", pkgver:"5.2.4-2ubuntu5.9")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"php5-gmp", pkgver:"5.2.4-2ubuntu5.9")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"php5-ldap", pkgver:"5.2.4-2ubuntu5.9")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"php5-mhash", pkgver:"5.2.4-2ubuntu5.9")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"php5-mysql", pkgver:"5.2.4-2ubuntu5.9")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"php5-odbc", pkgver:"5.2.4-2ubuntu5.9")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"php5-pgsql", pkgver:"5.2.4-2ubuntu5.9")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"php5-pspell", pkgver:"5.2.4-2ubuntu5.9")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"php5-recode", pkgver:"5.2.4-2ubuntu5.9")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"php5-snmp", pkgver:"5.2.4-2ubuntu5.9")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"php5-sqlite", pkgver:"5.2.4-2ubuntu5.9")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"php5-sybase", pkgver:"5.2.4-2ubuntu5.9")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"php5-tidy", pkgver:"5.2.4-2ubuntu5.9")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"php5-xmlrpc", pkgver:"5.2.4-2ubuntu5.9")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"php5-xsl", pkgver:"5.2.4-2ubuntu5.9")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"libapache2-mod-php5", pkgver:"5.2.6-2ubuntu4.5")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"libapache2-mod-php5filter", pkgver:"5.2.6-2ubuntu4.5")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"php-pear", pkgver:"5.2.6-2ubuntu4.5")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"php5", pkgver:"5.2.6-2ubuntu4.5")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"php5-cgi", pkgver:"5.2.6-2ubuntu4.5")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"php5-cli", pkgver:"5.2.6-2ubuntu4.5")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"php5-common", pkgver:"5.2.6-2ubuntu4.5")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"php5-curl", pkgver:"5.2.6-2ubuntu4.5")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"php5-dbg", pkgver:"5.2.6-2ubuntu4.5")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"php5-dev", pkgver:"5.2.6-2ubuntu4.5")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"php5-gd", pkgver:"5.2.6-2ubuntu4.5")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"php5-gmp", pkgver:"5.2.6-2ubuntu4.5")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"php5-ldap", pkgver:"5.2.6-2ubuntu4.5")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"php5-mhash", pkgver:"5.2.6-2ubuntu4.5")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"php5-mysql", pkgver:"5.2.6-2ubuntu4.5")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"php5-odbc", pkgver:"5.2.6-2ubuntu4.5")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"php5-pgsql", pkgver:"5.2.6-2ubuntu4.5")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"php5-pspell", pkgver:"5.2.6-2ubuntu4.5")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"php5-recode", pkgver:"5.2.6-2ubuntu4.5")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"php5-snmp", pkgver:"5.2.6-2ubuntu4.5")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"php5-sqlite", pkgver:"5.2.6-2ubuntu4.5")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"php5-sybase", pkgver:"5.2.6-2ubuntu4.5")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"php5-tidy", pkgver:"5.2.6-2ubuntu4.5")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"php5-xmlrpc", pkgver:"5.2.6-2ubuntu4.5")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"php5-xsl", pkgver:"5.2.6-2ubuntu4.5")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"libapache2-mod-php5", pkgver:"5.2.6.dfsg.1-3ubuntu4.4")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"libapache2-mod-php5filter", pkgver:"5.2.6.dfsg.1-3ubuntu4.4")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"php-pear", pkgver:"5.2.6.dfsg.1-3ubuntu4.4")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"php5", pkgver:"5.2.6.dfsg.1-3ubuntu4.4")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"php5-cgi", pkgver:"5.2.6.dfsg.1-3ubuntu4.4")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"php5-cli", pkgver:"5.2.6.dfsg.1-3ubuntu4.4")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"php5-common", pkgver:"5.2.6.dfsg.1-3ubuntu4.4")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"php5-curl", pkgver:"5.2.6.dfsg.1-3ubuntu4.4")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"php5-dbg", pkgver:"5.2.6.dfsg.1-3ubuntu4.4")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"php5-dev", pkgver:"5.2.6.dfsg.1-3ubuntu4.4")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"php5-gd", pkgver:"5.2.6.dfsg.1-3ubuntu4.4")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"php5-gmp", pkgver:"5.2.6.dfsg.1-3ubuntu4.4")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"php5-ldap", pkgver:"5.2.6.dfsg.1-3ubuntu4.4")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"php5-mhash", pkgver:"5.2.6.dfsg.1-3ubuntu4.4")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"php5-mysql", pkgver:"5.2.6.dfsg.1-3ubuntu4.4")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"php5-odbc", pkgver:"5.2.6.dfsg.1-3ubuntu4.4")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"php5-pgsql", pkgver:"5.2.6.dfsg.1-3ubuntu4.4")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"php5-pspell", pkgver:"5.2.6.dfsg.1-3ubuntu4.4")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"php5-recode", pkgver:"5.2.6.dfsg.1-3ubuntu4.4")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"php5-snmp", pkgver:"5.2.6.dfsg.1-3ubuntu4.4")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"php5-sqlite", pkgver:"5.2.6.dfsg.1-3ubuntu4.4")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"php5-sybase", pkgver:"5.2.6.dfsg.1-3ubuntu4.4")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"php5-tidy", pkgver:"5.2.6.dfsg.1-3ubuntu4.4")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"php5-xmlrpc", pkgver:"5.2.6.dfsg.1-3ubuntu4.4")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"php5-xsl", pkgver:"5.2.6.dfsg.1-3ubuntu4.4")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"libapache2-mod-php5", pkgver:"5.2.10.dfsg.1-2ubuntu6.3")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"libapache2-mod-php5filter", pkgver:"5.2.10.dfsg.1-2ubuntu6.3")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"php-pear", pkgver:"5.2.10.dfsg.1-2ubuntu6.3")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"php5", pkgver:"5.2.10.dfsg.1-2ubuntu6.3")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"php5-cgi", pkgver:"5.2.10.dfsg.1-2ubuntu6.3")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"php5-cli", pkgver:"5.2.10.dfsg.1-2ubuntu6.3")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"php5-common", pkgver:"5.2.10.dfsg.1-2ubuntu6.3")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"php5-curl", pkgver:"5.2.10.dfsg.1-2ubuntu6.3")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"php5-dbg", pkgver:"5.2.10.dfsg.1-2ubuntu6.3")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"php5-dev", pkgver:"5.2.10.dfsg.1-2ubuntu6.3")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"php5-gd", pkgver:"5.2.10.dfsg.1-2ubuntu6.3")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"php5-gmp", pkgver:"5.2.10.dfsg.1-2ubuntu6.3")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"php5-ldap", pkgver:"5.2.10.dfsg.1-2ubuntu6.3")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"php5-mhash", pkgver:"5.2.10.dfsg.1-2ubuntu6.3")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"php5-mysql", pkgver:"5.2.10.dfsg.1-2ubuntu6.3")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"php5-odbc", pkgver:"5.2.10.dfsg.1-2ubuntu6.3")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"php5-pgsql", pkgver:"5.2.10.dfsg.1-2ubuntu6.3")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"php5-pspell", pkgver:"5.2.10.dfsg.1-2ubuntu6.3")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"php5-recode", pkgver:"5.2.10.dfsg.1-2ubuntu6.3")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"php5-snmp", pkgver:"5.2.10.dfsg.1-2ubuntu6.3")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"php5-sqlite", pkgver:"5.2.10.dfsg.1-2ubuntu6.3")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"php5-sybase", pkgver:"5.2.10.dfsg.1-2ubuntu6.3")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"php5-tidy", pkgver:"5.2.10.dfsg.1-2ubuntu6.3")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"php5-xmlrpc", pkgver:"5.2.10.dfsg.1-2ubuntu6.3")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"php5-xsl", pkgver:"5.2.10.dfsg.1-2ubuntu6.3")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libapache2-mod-php5 / libapache2-mod-php5filter / php-pear / php5 / etc"); }
Oval
accepted | 2015-04-20T04:02:33.759-04:00 | ||||||||||||||||||||
class | vulnerability | ||||||||||||||||||||
contributors |
| ||||||||||||||||||||
description | The proc_open function in ext/standard/proc_open.c in PHP before 5.2.11 and 5.3.x before 5.3.1 does not enforce the (1) safe_mode_allowed_env_vars and (2) safe_mode_protected_env_vars directives, which allows context-dependent attackers to execute programs with an arbitrary environment via the env parameter, as demonstrated by a crafted value of the LD_LIBRARY_PATH environment variable. | ||||||||||||||||||||
family | unix | ||||||||||||||||||||
id | oval:org.mitre.oval:def:7256 | ||||||||||||||||||||
status | accepted | ||||||||||||||||||||
submitted | 2010-10-25T11:50:46.000-05:00 | ||||||||||||||||||||
title | HP-UX Running Apache with PHP, Remote Denial of Service (DoS), Unauthorized Access, Privileged Access, Cross Site Scripting (XSS) | ||||||||||||||||||||
version | 47 |
Seebug
bulletinFamily exploit description No description provided by source. id SSV:19231 last seen 2017-11-19 modified 2010-03-06 published 2010-03-06 reporter Root source https://www.seebug.org/vuldb/ssvid-19231 title Kolang (proc_open PHP safe mode bypass 4.3.10 - 5.3.0) bulletinFamily exploit description BUGTRAQ ID: 37138 CVE ID: CVE-2009-4018 PHP是广泛使用的通用目的脚本语言,特别适合于Web开发,可嵌入到HTML中。 PHP没有执行任何检查便允许传送对proc_open所指定的环境变量,这就忽略了safe_mode_allowed_env_vars和safe_mode_protected_env_vars设置。用户可以绕过safe_mode限制访问Apache UID可访问的任意文件。 PHP 5.3.x 厂商补丁: PHP --- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://svn.php.net/viewvc/?view=revision&revision=286360 id SSV:14994 last seen 2017-11-19 modified 2009-11-30 published 2009-11-30 reporter Root source https://www.seebug.org/vuldb/ssvid-14994 title PHP proc_open()绕过safe_mode_protected_env_var限制漏洞
Statements
contributor | Tomas Hoger |
lastmodified | 2009-11-30 |
organization | Red Hat |
statement | We do not consider safe_mode / open_basedir restriction bypass issues being security sensitive. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php |
References
- http://bugs.php.net/bug.php?id=49026
- http://marc.info/?l=bugtraq&m=127680701405735&w=2
- http://marc.info/?l=oss-security&m=125886770008678&w=2
- http://marc.info/?l=oss-security&m=125897935330618&w=2
- http://secunia.com/advisories/40262
- http://secunia.com/advisories/41480
- http://secunia.com/advisories/41490
- http://svn.php.net/viewvc/?view=revision&revision=286360
- http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/standard/proc_open.c?r1=286360&r2=286359&pathrev=286360
- http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/standard/proc_open.c?r1=286360&r2=286359&pathrev=286360
- http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02512995
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:303
- http://www.openwall.com/lists/oss-security/2009/11/23/15
- http://www.php.net/ChangeLog-5.php
- http://www.securityfocus.com/bid/37138
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7256