Vulnerabilities > CVE-2011-3189 - Cryptographic Issues vulnerability in PHP 5.3.7
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
The crypt function in PHP 5.3.7, when the MD5 hash type is used, returns the value of the salt argument instead of the hashed string, which might allow remote attackers to bypass authentication via an arbitrary password, a different vulnerability than CVE-2011-2483.
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Signature Spoofing by Key Recreation An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Nessus
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201110-06.NASL description The remote host is affected by the vulnerability described in GLSA-201110-06 (PHP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details. Impact : A context-dependent attacker could execute arbitrary code, obtain sensitive information from process memory, bypass intended access restrictions, or cause a Denial of Service in various ways. A remote attacker could cause a Denial of Service in various ways, bypass spam detections, or bypass open_basedir restrictions. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 56459 published 2011-10-12 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/56459 title GLSA-201110-06 : PHP: Multiple vulnerabilities code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 201110-06. # # The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(56459); script_version("1.9"); script_cvs_date("Date: 2018/07/11 17:09:26"); script_cve_id("CVE-2006-7243", "CVE-2009-5016", "CVE-2010-1128", "CVE-2010-1129", "CVE-2010-1130", "CVE-2010-1860", "CVE-2010-1861", "CVE-2010-1862", "CVE-2010-1864", "CVE-2010-1866", "CVE-2010-1868", "CVE-2010-1914", "CVE-2010-1915", "CVE-2010-1917", "CVE-2010-2093", "CVE-2010-2094", "CVE-2010-2097", "CVE-2010-2100", "CVE-2010-2101", "CVE-2010-2190", "CVE-2010-2191", "CVE-2010-2225", "CVE-2010-2484", "CVE-2010-2531", "CVE-2010-2950", "CVE-2010-3062", "CVE-2010-3063", "CVE-2010-3064", "CVE-2010-3065", "CVE-2010-3436", "CVE-2010-3709", "CVE-2010-3710", "CVE-2010-3870", "CVE-2010-4150", "CVE-2010-4409", "CVE-2010-4645", "CVE-2010-4697", "CVE-2010-4698", "CVE-2010-4699", "CVE-2010-4700", "CVE-2011-0420", "CVE-2011-0421", "CVE-2011-0708", "CVE-2011-0752", "CVE-2011-0753", "CVE-2011-0755", "CVE-2011-1092", "CVE-2011-1148", "CVE-2011-1153", "CVE-2011-1464", "CVE-2011-1466", "CVE-2011-1467", "CVE-2011-1468", "CVE-2011-1469", "CVE-2011-1470", "CVE-2011-1471", "CVE-2011-1657", "CVE-2011-1938", "CVE-2011-2202", "CVE-2011-2483", "CVE-2011-3182", "CVE-2011-3189", "CVE-2011-3267", "CVE-2011-3268"); script_xref(name:"GLSA", value:"201110-06"); script_name(english:"GLSA-201110-06 : PHP: Multiple vulnerabilities"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-201110-06 (PHP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details. Impact : A context-dependent attacker could execute arbitrary code, obtain sensitive information from process memory, bypass intended access restrictions, or cause a Denial of Service in various ways. A remote attacker could cause a Denial of Service in various ways, bypass spam detections, or bypass open_basedir restrictions. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/201110-06" ); script_set_attribute( attribute:"solution", value: "All PHP users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=dev-lang/php-5.3.8'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:php"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2011/10/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/10/12"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"dev-lang/php", unaffected:make_list("ge 5.3.8"), vulnerable:make_list("lt 5.3.8"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "PHP"); }NASL family Web Servers NASL id HPSMH_7_0_0_24.NASL description According to the web server last seen 2020-06-01 modified 2020-06-02 plugin id 58811 published 2012-04-20 reporter This script is Copyright (C) 2012-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/58811 title HP System Management Homepage < 7.0 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(58811); script_version("1.26"); script_cvs_date("Date: 2018/11/15 20:50:25"); script_cve_id( "CVE-2009-0037", "CVE-2010-0734", "CVE-2010-1452", "CVE-2010-1623", "CVE-2010-2068", "CVE-2010-2791", "CVE-2010-3436", "CVE-2010-4409", "CVE-2010-4645", "CVE-2011-0014", "CVE-2011-0195", "CVE-2011-0419", "CVE-2011-1148", "CVE-2011-1153", "CVE-2011-1464", "CVE-2011-1467", "CVE-2011-1468", "CVE-2011-1470", "CVE-2011-1471", "CVE-2011-1928", "CVE-2011-1938", "CVE-2011-1945", "CVE-2011-2192", "CVE-2011-2202", "CVE-2011-2483", "CVE-2011-3182", "CVE-2011-3189", "CVE-2011-3192", "CVE-2011-3207", "CVE-2011-3210", "CVE-2011-3267", "CVE-2011-3268", "CVE-2011-3348", "CVE-2011-3368", "CVE-2011-3639", "CVE-2011-3846", "CVE-2012-0135", "CVE-2012-1993" ); script_bugtraq_id( 33962, 38162, 40827, 41963, 42102, 43673, 44723, 45119, 45668, 46264, 46843, 46854, 46968, 46969, 46975, 46977, 47668, 47820, 47888, 47929, 47950, 48259, 48434, 49241, 49249, 49303, 49376, 49469, 49471, 49616, 49957, 52974, 53121 ); script_name(english:"HP System Management Homepage < 7.0 Multiple Vulnerabilities"); script_summary(english:"Does a banner check"); script_set_attribute( attribute:"synopsis", value:"The remote web server is affected by multiple vulnerabilities." ); script_set_attribute( attribute:"description", value: "According to the web server's banner, the version of HP System Management Homepage (SMH) hosted on the remote host is earlier than 7.0. As such, it is reportedly affected by the following vulnerabilities : - An error exists in the 'generate-id' function in the bundled libxslt library that can allow disclosure of heap memory addresses. (CVE-2011-0195) - An unspecified input validation error exists and can allow cross-site request forgery attacks. (CVE-2011-3846) - Unspecified errors can allow attackers to carry out denial of service attacks via unspecified vectors. (CVE-2012-0135, CVE-2012-1993) - The bundled version of PHP contains multiple vulnerabilities. (CVE-2010-3436, CVE-2010-4409, CVE-2010-4645, CVE-2011-1148, CVE-2011-1153, CVE-2011-1464, CVE-2011-1467, CVE-2011-1468, CVE-2011-1470, CVE-2011-1471, CVE-2011-1938, CVE-2011-2202, CVE-2011-2483, CVE-2011-3182, CVE-2011-3189, CVE-2011-3267, CVE-2011-3268) - The bundled version of Apache contains multiple vulnerabilities. (CVE-2010-1452, CVE-2010-1623, CVE-2010-2068, CVE-2010-2791, CVE-2011-0419, CVE-2011-1928, CVE-2011-3192, CVE-2011-3348, CVE-2011-3368, CVE-2011-3639) - OpenSSL libraries are contained in several of the bundled components and contain multiple vulnerabilities. (CVE-2011-0014, CVE-2011-1468, CVE-2011-1945, CVE-2011-3207,CVE-2011-3210) - Curl libraries are contained in several of the bundled components and contain multiple vulnerabilities. (CVE-2009-0037, CVE-2010-0734, CVE-2011-2192)" ); script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?106ec533" ); script_set_attribute( attribute:"solution", value:"Upgrade to HP System Management Homepage 7.0 or later." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploithub_sku", value:"EH-14-410"); script_set_attribute(attribute:"exploit_framework_exploithub", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_cwe_id(352); script_set_attribute(attribute:"vuln_publication_date", value:"2012/04/16"); script_set_attribute(attribute:"patch_publication_date", value:"2012/04/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/04/20"); script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:system_management_homepage"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Web Servers"); script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc."); script_dependencies("compaq_wbem_detect.nasl"); script_require_keys("www/hp_smh"); script_require_ports("Services/www", 2301, 2381); exit(0); } include("global_settings.inc"); include("audit.inc"); include("misc_func.inc"); include("http.inc"); include("webapp_func.inc"); port = get_http_port(default:2381, embedded:TRUE); install = get_install_from_kb(appname:'hp_smh', port:port, exit_on_fail:TRUE); dir = install['dir']; version = install['ver']; prod = get_kb_item_or_exit("www/"+port+"/hp_smh/variant"); if (version == UNKNOWN_VER) exit(1, 'The version of '+prod+' installed at '+build_url(port:port, qs:dir+"/")+' is unknown.'); # nb: 'version' can have non-numeric characters in it so we'll create # an alternate form and make sure that's safe for use in 'ver_compare()'. version_alt = ereg_replace(pattern:"[_-]", replace:".", string:version); if (!ereg(pattern:"^[0-9][0-9.]+$", string:version_alt)) exit(1, 'The version of '+prod+' installed at '+build_url(port:port, qs:dir+"/")+' does not look valid ('+version+').'); fixed_version = '7.0.0.24'; if (ver_compare(ver:version_alt, fix:fixed_version, strict:FALSE) == -1) { set_kb_item(name:'www/'+port+'/XSS', value:TRUE); set_kb_item(name:'www/'+port+'/XSRF', value:TRUE); if (report_verbosity > 0) { source_line = get_kb_item("www/"+port+"/hp_smh/source"); report = '\n Product : ' + prod; if (!isnull(source_line)) report += '\n Version source : ' + source_line; report += '\n Installed version : ' + version + '\n Fixed version : ' + fixed_version + '\n'; security_hole(port:port, extra:report); } else security_hole(port); exit(0); } else audit(AUDIT_LISTEN_NOT_VULN, prod, port, version);NASL family MacOS X Local Security Checks NASL id MACOSX_SECUPD2012-001.NASL description The remote host is running a version of Mac OS X 10.6 that does not have Security Update 2012-001 applied. This update contains multiple security-related fixes for the following components : - Apache - ATS - ColorSync - CoreAudio - CoreMedia - CoreText - curl - Data Security - dovecot - filecmds - libresolv - libsecurity - OpenGL - PHP - QuickTime - SquirrelMail - Subversion - Tomcat - X11 last seen 2020-06-01 modified 2020-06-02 plugin id 57798 published 2012-02-02 reporter This script is Copyright (C) 2012-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/57798 title Mac OS X Multiple Vulnerabilities (Security Update 2012-001) (BEAST) NASL family MacOS X Local Security Checks NASL id MACOSX_10_7_3.NASL description The remote host is running a version of Mac OS X 10.7.x that is prior to 10.7.3. The newer version contains multiple security-related fixes for the following components : - Address Book - Apache - ATS - CFNetwork - CoreMedia - CoreText - CoreUI - curl - Data Security - dovecot - filecmds - ImageIO - Internet Sharing - Libinfo - libresolv - libsecurity - OpenGL - PHP - QuickTime - Subversion - Time Machine - WebDAV Sharing - Webmail - X11 last seen 2020-06-01 modified 2020-06-02 plugin id 57797 published 2012-02-02 reporter This script is Copyright (C) 2012-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/57797 title Mac OS X 10.7.x < 10.7.3 Multiple Vulnerabilities (BEAST) NASL family CGI abuses NASL id PHP_5_3_8.NASL description According to its banner, PHP 5.3.7 is installed on the remote host. This version contains a bug in the crypt() function when generating salted MD5 hashes. The function only returns the salt rather than the salt and hash. Any authentication mechanism that uses crypt() could authorize all authentication attempts due to this bug. last seen 2020-06-01 modified 2020-06-02 plugin id 55969 published 2011-08-24 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/55969 title PHP 5.3.7 crypt() MD5 Incorrect Return Value
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 49376 CVE ID: CVE-2011-3189 PHP是一种在电脑上运行的脚本语言,主要用途是在于处理动态网页,包含了命令行运行接口或者产生图形用户界面程序。 PHP在crypt()函数的实现上存在安全漏洞,攻击者可利用此漏洞绕过某些安全限制。 0 PHP PHP 5.3.7 PHP PHP 5.3.6 PHP PHP 5.3.5 厂商补丁: PHP --- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.php.net |
| id | SSV:30077 |
| last seen | 2017-11-19 |
| modified | 2012-02-04 |
| published | 2012-02-04 |
| reporter | Root |
| source | https://www.seebug.org/vuldb/ssvid-30077 |
| title | PHP "crypt()"函数安全限制绕过漏洞 |
References
- http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
- http://osvdb.org/74726
- http://secunia.com/advisories/45678
- http://support.apple.com/kb/HT5130
- http://www.openwall.com/lists/oss-security/2011/08/23/4
- http://www.php.net/archive/2011.php#id2011-08-23-1
- http://www.php.net/ChangeLog-5.php#5.3.8
- https://bugs.gentoo.org/show_bug.cgi?id=380261
- https://bugs.php.net/bug.php?id=55439
- https://exchange.xforce.ibmcloud.com/vulnerabilities/69429