CVE-2009-5016 - Numeric Errors vulnerability in PHP

047910
CVSS 6.8 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
network
php
CWE-189
nessus

Summary

Integer overflow in the xml_utf8_decode function in ext/xml/xml.c in PHP before 5.2.11 makes it easier for remote attackers to bypass cross-site scripting (XSS) and SQL injection protection mechanisms via a crafted string that uses overlong UTF-8 encoding, a different vulnerability than CVE-2010-3870.

Vulnerable Configurations

Part         Description  Count
Application  Php          361

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20101129_PHP_ON_SL4_X.NASL
    description: An input validation flaw was discovered in the PHP session serializer. If a PHP script generated session variable names from untrusted user input, a remote attacker could use this flaw to inject an arbitrary variable into the PHP session. (CVE-2010-3065) An information leak flaw was discovered in the PHP var_export() function implementation. If some fatal error occurred during the execution of this function (such as the exhaustion of memory or script execution time limit), part of the function
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 60908
    published: 2012-08-01
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/60908
    title: Scientific Linux Security Update : php on SL4.x, SL5.x i386/x86_64
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text is (C) Scientific Linux.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(60908);
      script_version("1.5");
      script_cvs_date("Date: 2019/10/25 13:36:19");
    
      script_cve_id("CVE-2009-5016", "CVE-2010-0397", "CVE-2010-1128", "CVE-2010-1917", "CVE-2010-2531", "CVE-2010-3065", "CVE-2010-3870");
    
      script_name(english:"Scientific Linux Security Update : php on SL4.x, SL5.x i386/x86_64");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Scientific Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An input validation flaw was discovered in the PHP session serializer.
    If a PHP script generated session variable names from untrusted user
    input, a remote attacker could use this flaw to inject an arbitrary
    variable into the PHP session. (CVE-2010-3065)
    
    An information leak flaw was discovered in the PHP var_export()
    function implementation. If some fatal error occurred during the
    execution of this function (such as the exhaustion of memory or script
    execution time limit), part of the function's output was sent to the
    user as script output, possibly leading to the disclosure of sensitive
    information. (CVE-2010-2531)
    
    A numeric truncation error and an input validation flaw were found in
    the way the PHP utf8_decode() function decoded partial multi-byte
    sequences for some multi-byte encodings, sending them to output
    without them being escaped. An attacker could use these flaws to
    perform a cross-site scripting attack. (CVE-2009-5016, CVE-2010-3870)
    
    It was discovered that the PHP lcg_value() function used insufficient
    entropy to seed the pseudo-random number generator. A remote attacker
    could possibly use this flaw to predict values returned by the
    function, which are used to generate session identifiers by default.
    This update changes the function's implementation to use more entropy
    during seeding. (CVE-2010-1128)
    
    It was discovered that the PHP fnmatch() function did not restrict the
    length of the pattern argument. A remote attacker could use this flaw
    to crash the PHP interpreter where a script used fnmatch() on
    untrusted matching patterns. (CVE-2010-1917)
    
    A NULL pointer dereference flaw was discovered in the PHP XML-RPC
    extension. A malicious XML-RPC client or server could use this flaw to
    crash the PHP interpreter via a specially crafted XML-RPC request.
    (CVE-2010-0397)
    
    After installing the updated packages, the httpd daemon must be
    restarted for the update to take effect."
      );
      # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1011&L=scientific-linux-errata&T=0&P=1564
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?a48d3681"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/11/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Scientific Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"SL4", reference:"php-4.3.9-3.31")) flag++;
    if (rpm_check(release:"SL4", reference:"php-devel-4.3.9-3.31")) flag++;
    if (rpm_check(release:"SL4", reference:"php-domxml-4.3.9-3.31")) flag++;
    if (rpm_check(release:"SL4", reference:"php-gd-4.3.9-3.31")) flag++;
    if (rpm_check(release:"SL4", reference:"php-imap-4.3.9-3.31")) flag++;
    if (rpm_check(release:"SL4", reference:"php-ldap-4.3.9-3.31")) flag++;
    if (rpm_check(release:"SL4", reference:"php-mbstring-4.3.9-3.31")) flag++;
    if (rpm_check(release:"SL4", reference:"php-mysql-4.3.9-3.31")) flag++;
    if (rpm_check(release:"SL4", reference:"php-ncurses-4.3.9-3.31")) flag++;
    if (rpm_check(release:"SL4", reference:"php-odbc-4.3.9-3.31")) flag++;
    if (rpm_check(release:"SL4", reference:"php-pear-4.3.9-3.31")) flag++;
    if (rpm_check(release:"SL4", reference:"php-pgsql-4.3.9-3.31")) flag++;
    if (rpm_check(release:"SL4", reference:"php-snmp-4.3.9-3.31")) flag++;
    if (rpm_check(release:"SL4", reference:"php-xmlrpc-4.3.9-3.31")) flag++;
    
    if (rpm_check(release:"SL5", reference:"php-5.1.6-27.el5_5.3")) flag++;
    if (rpm_check(release:"SL5", reference:"php-bcmath-5.1.6-27.el5_5.3")) flag++;
    if (rpm_check(release:"SL5", reference:"php-cli-5.1.6-27.el5_5.3")) flag++;
    if (rpm_check(release:"SL5", reference:"php-common-5.1.6-27.el5_5.3")) flag++;
    if (rpm_check(release:"SL5", reference:"php-dba-5.1.6-27.el5_5.3")) flag++;
    if (rpm_check(release:"SL5", reference:"php-devel-5.1.6-27.el5_5.3")) flag++;
    if (rpm_check(release:"SL5", reference:"php-gd-5.1.6-27.el5_5.3")) flag++;
    if (rpm_check(release:"SL5", reference:"php-imap-5.1.6-27.el5_5.3")) flag++;
    if (rpm_check(release:"SL5", reference:"php-ldap-5.1.6-27.el5_5.3")) flag++;
    if (rpm_check(release:"SL5", reference:"php-mbstring-5.1.6-27.el5_5.3")) flag++;
    if (rpm_check(release:"SL5", reference:"php-mysql-5.1.6-27.el5_5.3")) flag++;
    if (rpm_check(release:"SL5", reference:"php-ncurses-5.1.6-27.el5_5.3")) flag++;
    if (rpm_check(release:"SL5", reference:"php-odbc-5.1.6-27.el5_5.3")) flag++;
    if (rpm_check(release:"SL5", reference:"php-pdo-5.1.6-27.el5_5.3")) flag++;
    if (rpm_check(release:"SL5", reference:"php-pgsql-5.1.6-27.el5_5.3")) flag++;
    if (rpm_check(release:"SL5", reference:"php-snmp-5.1.6-27.el5_5.3")) flag++;
    if (rpm_check(release:"SL5", reference:"php-soap-5.1.6-27.el5_5.3")) flag++;
    if (rpm_check(release:"SL5", reference:"php-xml-5.1.6-27.el5_5.3")) flag++;
    if (rpm_check(release:"SL5", reference:"php-xmlrpc-5.1.6-27.el5_5.3")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2010-0919.NASL
    description: Updated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. An input validation flaw was discovered in the PHP session serializer. If a PHP script generated session variable names from untrusted user input, a remote attacker could use this flaw to inject an arbitrary variable into the PHP session. (CVE-2010-3065) An information leak flaw was discovered in the PHP var_export() function implementation. If some fatal error occurred during the execution of this function (such as the exhaustion of memory or script execution time limit), part of the function
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 50841
    published: 2010-11-30
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/50841
    title: RHEL 4 / 5 : php (RHSA-2010:0919)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2010:0919. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(50841);
      script_version ("1.20");
      script_cvs_date("Date: 2019/10/25 13:36:15");
    
      script_cve_id("CVE-2009-5016", "CVE-2010-0397", "CVE-2010-1128", "CVE-2010-1917", "CVE-2010-2531", "CVE-2010-3065", "CVE-2010-3870");
      script_bugtraq_id(38430, 38708, 41991, 44605, 44889);
      script_xref(name:"RHSA", value:"2010:0919");
    
      script_name(english:"RHEL 4 / 5 : php (RHSA-2010:0919)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated php packages that fix multiple security issues are now
    available for Red Hat Enterprise Linux 4 and 5.
    
    The Red Hat Security Response Team has rated this update as having
    moderate security impact. Common Vulnerability Scoring System (CVSS)
    base scores, which give detailed severity ratings, are available for
    each vulnerability from the CVE links in the References section.
    
    PHP is an HTML-embedded scripting language commonly used with the
    Apache HTTP Server.
    
    An input validation flaw was discovered in the PHP session serializer.
    If a PHP script generated session variable names from untrusted user
    input, a remote attacker could use this flaw to inject an arbitrary
    variable into the PHP session. (CVE-2010-3065)
    
    An information leak flaw was discovered in the PHP var_export()
    function implementation. If some fatal error occurred during the
    execution of this function (such as the exhaustion of memory or script
    execution time limit), part of the function's output was sent to the
    user as script output, possibly leading to the disclosure of sensitive
    information. (CVE-2010-2531)
    
    A numeric truncation error and an input validation flaw were found in
    the way the PHP utf8_decode() function decoded partial multi-byte
    sequences for some multi-byte encodings, sending them to output
    without them being escaped. An attacker could use these flaws to
    perform a cross-site scripting attack. (CVE-2009-5016, CVE-2010-3870)
    
    It was discovered that the PHP lcg_value() function used insufficient
    entropy to seed the pseudo-random number generator. A remote attacker
    could possibly use this flaw to predict values returned by the
    function, which are used to generate session identifiers by default.
    This update changes the function's implementation to use more entropy
    during seeding. (CVE-2010-1128)
    
    It was discovered that the PHP fnmatch() function did not restrict the
    length of the pattern argument. A remote attacker could use this flaw
    to crash the PHP interpreter where a script used fnmatch() on
    untrusted matching patterns. (CVE-2010-1917)
    
    A NULL pointer dereference flaw was discovered in the PHP XML-RPC
    extension. A malicious XML-RPC client or server could use this flaw to
    crash the PHP interpreter via a specially crafted XML-RPC request.
    (CVE-2010-0397)
    
    All php users should upgrade to these updated packages, which contain
    backported patches to resolve these issues. After installing the
    updated packages, the httpd daemon must be restarted for the update to
    take effect."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2009-5016"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2010-0397"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2010-1128"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2010-1917"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2010-2531"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2010-3065"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2010-3870"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2010:0919"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-bcmath");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-cli");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-dba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-domxml");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-gd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-imap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-mbstring");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-ncurses");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-odbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-pdo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-pear");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-pgsql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-snmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-soap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-xml");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php-xmlrpc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4.8");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/03/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2010/11/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/11/30");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(4|5)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 4.x / 5.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2010:0919";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL4", reference:"php-4.3.9-3.31")) flag++;
    
      if (rpm_check(release:"RHEL4", reference:"php-devel-4.3.9-3.31")) flag++;
    
      if (rpm_check(release:"RHEL4", reference:"php-domxml-4.3.9-3.31")) flag++;
    
      if (rpm_check(release:"RHEL4", reference:"php-gd-4.3.9-3.31")) flag++;
    
      if (rpm_check(release:"RHEL4", reference:"php-imap-4.3.9-3.31")) flag++;
    
      if (rpm_check(release:"RHEL4", reference:"php-ldap-4.3.9-3.31")) flag++;
    
      if (rpm_check(release:"RHEL4", reference:"php-mbstring-4.3.9-3.31")) flag++;
    
      if (rpm_check(release:"RHEL4", reference:"php-mysql-4.3.9-3.31")) flag++;
    
      if (rpm_check(release:"RHEL4", reference:"php-ncurses-4.3.9-3.31")) flag++;
    
      if (rpm_check(release:"RHEL4", reference:"php-odbc-4.3.9-3.31")) flag++;
    
      if (rpm_check(release:"RHEL4", reference:"php-pear-4.3.9-3.31")) flag++;
    
      if (rpm_check(release:"RHEL4", reference:"php-pgsql-4.3.9-3.31")) flag++;
    
      if (rpm_check(release:"RHEL4", reference:"php-snmp-4.3.9-3.31")) flag++;
    
      if (rpm_check(release:"RHEL4", reference:"php-xmlrpc-4.3.9-3.31")) flag++;
    
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-bcmath-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-bcmath-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-bcmath-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-cli-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-cli-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-cli-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-common-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-common-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-common-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-dba-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-dba-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-dba-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-devel-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-devel-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-devel-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-gd-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-gd-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-gd-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-imap-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-imap-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-imap-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-ldap-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-ldap-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-ldap-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-mbstring-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-mbstring-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-mbstring-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-mysql-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-mysql-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-mysql-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-ncurses-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-ncurses-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-ncurses-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-odbc-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-odbc-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-odbc-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-pdo-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-pdo-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-pdo-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-pgsql-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-pgsql-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-pgsql-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-snmp-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-snmp-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-snmp-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-soap-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-soap-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-soap-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-xml-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-xml-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-xml-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"php-xmlrpc-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"php-xmlrpc-5.1.6-27.el5_5.3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"php-xmlrpc-5.1.6-27.el5_5.3")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php / php-bcmath / php-cli / php-common / php-dba / php-devel / etc");
      }
    }
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201110-06.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201110-06 (PHP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details. Impact : A context-dependent attacker could execute arbitrary code, obtain sensitive information from process memory, bypass intended access restrictions, or cause a Denial of Service in various ways. A remote attacker could cause a Denial of Service in various ways, bypass spam detections, or bypass open_basedir restrictions. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 56459
    published: 2011-10-12
    reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/56459
    title: GLSA-201110-06 : PHP: Multiple vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201110-06.
    #
    # The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(56459);
      script_version("1.9");
      script_cvs_date("Date: 2018/07/11 17:09:26");
    
      script_cve_id("CVE-2006-7243", "CVE-2009-5016", "CVE-2010-1128", "CVE-2010-1129", "CVE-2010-1130", "CVE-2010-1860", "CVE-2010-1861", "CVE-2010-1862", "CVE-2010-1864", "CVE-2010-1866", "CVE-2010-1868", "CVE-2010-1914", "CVE-2010-1915", "CVE-2010-1917", "CVE-2010-2093", "CVE-2010-2094", "CVE-2010-2097", "CVE-2010-2100", "CVE-2010-2101", "CVE-2010-2190", "CVE-2010-2191", "CVE-2010-2225", "CVE-2010-2484", "CVE-2010-2531", "CVE-2010-2950", "CVE-2010-3062", "CVE-2010-3063", "CVE-2010-3064", "CVE-2010-3065", "CVE-2010-3436", "CVE-2010-3709", "CVE-2010-3710", "CVE-2010-3870", "CVE-2010-4150", "CVE-2010-4409", "CVE-2010-4645", "CVE-2010-4697", "CVE-2010-4698", "CVE-2010-4699", "CVE-2010-4700", "CVE-2011-0420", "CVE-2011-0421", "CVE-2011-0708", "CVE-2011-0752", "CVE-2011-0753", "CVE-2011-0755", "CVE-2011-1092", "CVE-2011-1148", "CVE-2011-1153", "CVE-2011-1464", "CVE-2011-1466", "CVE-2011-1467", "CVE-2011-1468", "CVE-2011-1469", "CVE-2011-1470", "CVE-2011-1471", "CVE-2011-1657", "CVE-2011-1938", "CVE-2011-2202", "CVE-2011-2483", "CVE-2011-3182", "CVE-2011-3189", "CVE-2011-3267", "CVE-2011-3268");
      script_xref(name:"GLSA", value:"201110-06");
    
      script_name(english:"GLSA-201110-06 : PHP: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201110-06
    (PHP: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been discovered in PHP. Please review the
          CVE identifiers referenced below for details.
      
    Impact :
    
        A context-dependent attacker could execute arbitrary code, obtain
          sensitive information from process memory, bypass intended access
          restrictions, or cause a Denial of Service in various ways.
        A remote attacker could cause a Denial of Service in various ways,
          bypass spam detections, or bypass open_basedir restrictions.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201110-06"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All PHP users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=dev-lang/php-5.3.8'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:php");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2011/10/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/10/12");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"dev-lang/php", unaffected:make_list("ge 5.3.8"), vulnerable:make_list("lt 5.3.8"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "PHP");
    }
    
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20110203_PHP_ON_SL6_X.NASL
    descriptionA flaw was found in the way PHP converted certain floating point values from string representation to a number. If a PHP script evaluated an attacker
    last seen2020-06-01
    modified2020-06-02
    plugin id60949
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60949
    titleScientific Linux Security Update : php on SL6.x i386/x86_64
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2010-18976.NASL
    descriptionSecurity Enhancements and Fixes in PHP 5.3.4 : - Fixed crash in zip extract method (possible CWE-170). - Paths with NULL in them (foo\0bar.txt) are now considered as invalid (CVE-2006-7243). - Fixed a possible double free in imap extension (Identified by Mateusz Kocielski). (CVE-2010-4150). - Fixed NULL pointer dereference in ZipArchive::getArchiveComment. (CVE-2010-3709). - Fixed possible flaw in open_basedir (CVE-2010-3436). - Fixed MOPS-2010-24, fix string validation. (CVE-2010-2950). - Fixed symbolic resolution support when the target is a DFS share. - Fixed bug #52929 (Segfault in filter_var with FILTER_VALIDATE_EMAIL with large amount of data) (CVE-2010-3710). Key Bug Fixes in PHP 5.3.4 include : - Added stat support for zip stream. - Added follow_location (enabled by default) option for the http stream support. - Added a 3rd parameter to get_html_translation_table. It now takes a charset hint, like htmlentities et al. - Implemented FR #52348, added new constant ZEND_MULTIBYTE to detect zend multibyte at runtime. Full upstream Changelog : http://www.php.net/ChangeLog-5.php#5.3.4 This update also provides php-eaccelerator and maniadrive packages rebuilt against updated php. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id51412
    published2011-01-05
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/51412
    titleFedora 14 : maniadrive-1.2-23.fc14 / php-5.3.4-1.fc14.1 / php-eaccelerator-0.9.6.1-3.fc14 (2010-18976)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2010-0919.NASL
    descriptionUpdated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. An input validation flaw was discovered in the PHP session serializer. If a PHP script generated session variable names from untrusted user input, a remote attacker could use this flaw to inject an arbitrary variable into the PHP session. (CVE-2010-3065) An information leak flaw was discovered in the PHP var_export() function implementation. If some fatal error occurred during the execution of this function (such as the exhaustion of memory or script execution time limit), part of the function
    last seen2020-06-01
    modified2020-06-02
    plugin id50862
    published2010-12-02
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/50862
    titleCentOS 4 / 5 : php (CESA-2010:0919)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2010-19011.NASL
    descriptionSecurity Enhancements and Fixes in PHP 5.3.4 : - Fixed crash in zip extract method (possible CWE-170). - Paths with NULL in them (foo\0bar.txt) are now considered as invalid (CVE-2006-7243). - Fixed a possible double free in imap extension (Identified by Mateusz Kocielski). (CVE-2010-4150). - Fixed NULL pointer dereference in ZipArchive::getArchiveComment. (CVE-2010-3709). - Fixed possible flaw in open_basedir (CVE-2010-3436). - Fixed MOPS-2010-24, fix string validation. (CVE-2010-2950). - Fixed symbolic resolution support when the target is a DFS share. - Fixed bug #52929 (Segfault in filter_var with FILTER_VALIDATE_EMAIL with large amount of data) (CVE-2010-3710). Key Bug Fixes in PHP 5.3.4 include : - Added stat support for zip stream. - Added follow_location (enabled by default) option for the http stream support. - Added a 3rd parameter to get_html_translation_table. It now takes a charset hint, like htmlentities et al. - Implemented FR #52348, added new constant ZEND_MULTIBYTE to detect zend multibyte at runtime. Full upstream Changelog : http://www.php.net/ChangeLog-5.php#5.3.4 This update also provides php-eaccelerator and maniadrive packages rebuilt against updated php. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id51413
    published2011-01-05
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/51413
    titleFedora 13 : maniadrive-1.2-23.fc13 / php-5.3.4-1.fc13.1 / php-eaccelerator-0.9.6.1-3.fc13 (2010-19011)
  • NASL familyCGI abuses
    NASL idPHP_5_2_11.NASL
    descriptionAccording to its banner, the version of PHP installed on the remote host is older than 5.2.11. Such versions may be affected by several security issues : - An unspecified error occurs in certificate validation inside
    last seen2020-06-01
    modified2020-06-02
    plugin id41014
    published2009-09-18
    reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/41014
    titlePHP < 5.2.11 Multiple Vulnerabilities
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2011-0195.NASL
    descriptionFrom Red Hat Security Advisory 2011:0195 : Updated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way PHP converted certain floating point values from string representation to a number. If a PHP script evaluated an attacker
    last seen2020-06-01
    modified2020-06-02
    plugin id68191
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/68191
    titleOracle Linux 6 : php (ELSA-2011-0195)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1042-1.NASL
    descriptionIt was discovered that an integer overflow in the XML UTF-8 decoding code could allow an attacker to bypass cross-site scripting (XSS) protections. This issue only affected Ubuntu 6.06 LTS, Ubuntu 8.04 LTS, and Ubuntu 9.10. (CVE-2009-5016) It was discovered that the XML UTF-8 decoding code did not properly handle non-shortest form UTF-8 encoding and ill-formed subsequences in UTF-8 data, which could allow an attacker to bypass cross-site scripting (XSS) protections. (CVE-2010-3870) It was discovered that attackers might be able to bypass open_basedir() restrictions by passing a specially crafted filename. (CVE-2010-3436) Maksymilian Arciemowicz discovered that a NULL pointer dereference in the ZIP archive handling code could allow an attacker to cause a denial of service through a specially crafted ZIP archive. This issue only affected Ubuntu 8.04 LTS, Ubuntu 9.10, Ubuntu 10.04 LTS, and Ubuntu 10.10. (CVE-2010-3709) It was discovered that a stack consumption vulnerability in the filter_var() PHP function when in FILTER_VALIDATE_EMAIL mode, could allow a remote attacker to cause a denial of service. This issue only affected Ubuntu 8.04 LTS, Ubuntu 9.10, Ubuntu 10.04 LTS, and Ubuntu 10.10. (CVE-2010-3710) It was discovered that the mb_strcut function in the Libmbfl library within PHP could allow an attacker to read arbitrary memory within the application process. This issue only affected Ubuntu 10.10. (CVE-2010-4156) Maksymilian Arciemowicz discovered that an integer overflow in the NumberFormatter::getSymbol function could allow an attacker to cause a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 10.10. (CVE-2010-4409) Rick Regan discovered that when handing PHP textual representations of the largest subnormal double-precision floating-point number, the zend_strtod function could go into an infinite loop on 32bit x86 processors, allowing an attacker to cause a denial of service. (CVE-2010-4645). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id51502
    published2011-01-12
    reporterUbuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/51502
    titleUbuntu 6.06 LTS / 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : php5 vulnerabilities (USN-1042-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2011-0195.NASL
    descriptionUpdated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way PHP converted certain floating point values from string representation to a number. If a PHP script evaluated an attacker
    last seen2020-06-01
    modified2020-06-02
    plugin id51866
    published2011-02-04
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/51866
    titleRHEL 6 : php (RHSA-2011:0195)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2010-0919.NASL
    descriptionFrom Red Hat Security Advisory 2010:0919 : Updated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. An input validation flaw was discovered in the PHP session serializer. If a PHP script generated session variable names from untrusted user input, a remote attacker could use this flaw to inject an arbitrary variable into the PHP session. (CVE-2010-3065) An information leak flaw was discovered in the PHP var_export() function implementation. If some fatal error occurred during the execution of this function (such as the exhaustion of memory or script execution time limit), part of the function
    last seen2020-06-01
    modified2020-06-02
    plugin id68150
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/68150
    titleOracle Linux 4 / 5 : php (ELSA-2010-0919)

Red Hat

advisories
  • rhsa
    idRHSA-2010:0919
  • rhsa
    idRHSA-2011:0195
rpms
  • php-0:4.3.9-3.31
  • php-0:5.1.6-27.el5_5.3
  • php-bcmath-0:5.1.6-27.el5_5.3
  • php-cli-0:5.1.6-27.el5_5.3
  • php-common-0:5.1.6-27.el5_5.3
  • php-dba-0:5.1.6-27.el5_5.3
  • php-debuginfo-0:4.3.9-3.31
  • php-debuginfo-0:5.1.6-27.el5_5.3
  • php-devel-0:4.3.9-3.31
  • php-devel-0:5.1.6-27.el5_5.3
  • php-domxml-0:4.3.9-3.31
  • php-gd-0:4.3.9-3.31
  • php-gd-0:5.1.6-27.el5_5.3
  • php-imap-0:4.3.9-3.31
  • php-imap-0:5.1.6-27.el5_5.3
  • php-ldap-0:4.3.9-3.31
  • php-ldap-0:5.1.6-27.el5_5.3
  • php-mbstring-0:4.3.9-3.31
  • php-mbstring-0:5.1.6-27.el5_5.3
  • php-mysql-0:4.3.9-3.31
  • php-mysql-0:5.1.6-27.el5_5.3
  • php-ncurses-0:4.3.9-3.31
  • php-ncurses-0:5.1.6-27.el5_5.3
  • php-odbc-0:4.3.9-3.31
  • php-odbc-0:5.1.6-27.el5_5.3
  • php-pdo-0:5.1.6-27.el5_5.3
  • php-pear-0:4.3.9-3.31
  • php-pgsql-0:4.3.9-3.31
  • php-pgsql-0:5.1.6-27.el5_5.3
  • php-snmp-0:4.3.9-3.31
  • php-snmp-0:5.1.6-27.el5_5.3
  • php-soap-0:5.1.6-27.el5_5.3
  • php-xml-0:5.1.6-27.el5_5.3
  • php-xmlrpc-0:4.3.9-3.31
  • php-xmlrpc-0:5.1.6-27.el5_5.3
  • php-0:5.3.2-6.el6_0.1
  • php-bcmath-0:5.3.2-6.el6_0.1
  • php-cli-0:5.3.2-6.el6_0.1
  • php-common-0:5.3.2-6.el6_0.1
  • php-dba-0:5.3.2-6.el6_0.1
  • php-debuginfo-0:5.3.2-6.el6_0.1
  • php-devel-0:5.3.2-6.el6_0.1
  • php-embedded-0:5.3.2-6.el6_0.1
  • php-enchant-0:5.3.2-6.el6_0.1
  • php-gd-0:5.3.2-6.el6_0.1
  • php-imap-0:5.3.2-6.el6_0.1
  • php-intl-0:5.3.2-6.el6_0.1
  • php-ldap-0:5.3.2-6.el6_0.1
  • php-mbstring-0:5.3.2-6.el6_0.1
  • php-mysql-0:5.3.2-6.el6_0.1
  • php-odbc-0:5.3.2-6.el6_0.1
  • php-pdo-0:5.3.2-6.el6_0.1
  • php-pgsql-0:5.3.2-6.el6_0.1
  • php-process-0:5.3.2-6.el6_0.1
  • php-pspell-0:5.3.2-6.el6_0.1
  • php-recode-0:5.3.2-6.el6_0.1
  • php-snmp-0:5.3.2-6.el6_0.1
  • php-soap-0:5.3.2-6.el6_0.1
  • php-tidy-0:5.3.2-6.el6_0.1
  • php-xml-0:5.3.2-6.el6_0.1
  • php-xmlrpc-0:5.3.2-6.el6_0.1
  • php-zts-0:5.3.2-6.el6_0.1