Vulnerabilities > CVE-2011-3379 - Code Injection vulnerability in PHP 5.3.7/5.3.8
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
The is_a function in PHP 5.3.7 and 5.3.8 triggers a call to the __autoload function, which makes it easier for remote attackers to execute arbitrary code by providing a crafted URL and leveraging potentially unsafe behavior in certain PEAR packages and custom autoloaders.
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leverage Executable Code in Non-Executable Files An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
- Manipulating User-Controlled Variables This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
Nessus
NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2011-7.NASL description PHP before 5.3.7 does not properly check the return values of the malloc, calloc, and realloc library functions, which allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) or trigger a buffer overflow by leveraging the ability to provide an arbitrary value for a function argument, related to (1) ext/curl/interface.c, (2) ext/date/lib/parse_date.c, (3) ext/date/lib/parse_iso_intervals.c, (4) ext/date/lib/parse_tz.c, (5) ext/date/lib/timelib.c, (6) ext/pdo_odbc/pdo_odbc.c, (7) ext/reflection/php_reflection.c, (8) ext/soap/php_sdl.c, (9) ext/xmlrpc/libxmlrpc/base64.c, (10) TSRM/tsrm_win32.c, and (11) the strtotime function. The is_a function in PHP 5.3.7 and 5.3.8 triggers a call to the __autoload function, which makes it easier for remote attackers to execute arbitrary code by providing a crafted URL and leveraging potentially unsafe behavior in certain PEAR packages and custom autoloaders. php: changes to is_a() in 5.3.7 may allow arbitrary code execution with certain code A signedness issue was found in the way the PHP crypt() function handled 8-bit characters in passwords when using Blowfish hashing. Up to three characters immediately preceding a non-ASCII character (one with the high bit set) had no effect on the hash result, thus shortening the effective password length. This made brute-force guessing more efficient as several different passwords were hashed to the same value. A signedness issue was found in the way the crypt() function in the PostgreSQL pgcrypto module handled 8-bit characters in passwords when using Blowfish hashing. Up to three characters immediately preceding a non-ASCII character (one with the high bit set) had no effect on the hash result, thus shortening the effective password length. This made brute-force guessing more efficient as several different passwords were hashed to the same value. crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash. A stack-based buffer overflow flaw was found in the way the PHP socket extension handled long AF_UNIX socket addresses. An attacker able to make a PHP script connect to a long AF_UNIX socket address could use this flaw to crash the PHP interpreter. Stack-based buffer overflow in the socket_connect function in ext/sockets/sockets.c in PHP 5.3.3 through 5.3.6 might allow context-dependent attackers to execute arbitrary code via a long pathname for a UNIX socket. The rfc1867_post_handler function in main/rfc1867.c in PHP before 5.3.7 does not properly restrict filenames in multipart/form-data POST requests, which allows remote attackers to conduct absolute path traversal attacks, and possibly create or overwrite arbitrary files, via a crafted upload request, related to a last seen 2020-06-01 modified 2020-06-02 plugin id 78268 published 2014-10-12 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/78268 title Amazon Linux AMI : php (ALAS-2011-7) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Amazon Linux AMI Security Advisory ALAS-2011-7. # include("compat.inc"); if (description) { script_id(78268); script_version("1.5"); script_cvs_date("Date: 2019/07/10 16:04:12"); script_cve_id("CVE-2011-1148", "CVE-2011-1938", "CVE-2011-2202", "CVE-2011-2483", "CVE-2011-3182", "CVE-2011-3379"); script_xref(name:"ALAS", value:"2011-7"); script_name(english:"Amazon Linux AMI : php (ALAS-2011-7)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Amazon Linux AMI host is missing a security update." ); script_set_attribute( attribute:"description", value: "PHP before 5.3.7 does not properly check the return values of the malloc, calloc, and realloc library functions, which allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) or trigger a buffer overflow by leveraging the ability to provide an arbitrary value for a function argument, related to (1) ext/curl/interface.c, (2) ext/date/lib/parse_date.c, (3) ext/date/lib/parse_iso_intervals.c, (4) ext/date/lib/parse_tz.c, (5) ext/date/lib/timelib.c, (6) ext/pdo_odbc/pdo_odbc.c, (7) ext/reflection/php_reflection.c, (8) ext/soap/php_sdl.c, (9) ext/xmlrpc/libxmlrpc/base64.c, (10) TSRM/tsrm_win32.c, and (11) the strtotime function. The is_a function in PHP 5.3.7 and 5.3.8 triggers a call to the __autoload function, which makes it easier for remote attackers to execute arbitrary code by providing a crafted URL and leveraging potentially unsafe behavior in certain PEAR packages and custom autoloaders. php: changes to is_a() in 5.3.7 may allow arbitrary code execution with certain code A signedness issue was found in the way the PHP crypt() function handled 8-bit characters in passwords when using Blowfish hashing. Up to three characters immediately preceding a non-ASCII character (one with the high bit set) had no effect on the hash result, thus shortening the effective password length. This made brute-force guessing more efficient as several different passwords were hashed to the same value. A signedness issue was found in the way the crypt() function in the PostgreSQL pgcrypto module handled 8-bit characters in passwords when using Blowfish hashing. Up to three characters immediately preceding a non-ASCII character (one with the high bit set) had no effect on the hash result, thus shortening the effective password length. This made brute-force guessing more efficient as several different passwords were hashed to the same value. crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash. A stack-based buffer overflow flaw was found in the way the PHP socket extension handled long AF_UNIX socket addresses. An attacker able to make a PHP script connect to a long AF_UNIX socket address could use this flaw to crash the PHP interpreter. Stack-based buffer overflow in the socket_connect function in ext/sockets/sockets.c in PHP 5.3.3 through 5.3.6 might allow context-dependent attackers to execute arbitrary code via a long pathname for a UNIX socket. The rfc1867_post_handler function in main/rfc1867.c in PHP before 5.3.7 does not properly restrict filenames in multipart/form-data POST requests, which allows remote attackers to conduct absolute path traversal attacks, and possibly create or overwrite arbitrary files, via a crafted upload request, related to a 'file path injection vulnerability.' An off-by-one flaw was found in PHP. If an attacker uploaded a file with a specially crafted file name it could cause a PHP script to attempt to write a file to the root (/) directory. By default, PHP runs as the 'apache' user, preventing it from writing to the root directory. The rfc1867_post_handler function in main/rfc1867.c in PHP before 5.3.7 does not properly restrict filenames in multipart/form-data POST requests, which allows remote attackers to conduct absolute path traversal attacks, and possibly create or overwrite arbitrary files, via a crafted upload request, related to a 'file path injection vulnerability.' Use-after-free vulnerability in the substr_replace function in PHP 5.3.6 and earlier allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact by using the same variable for multiple arguments. A use-after-free flaw was found in the PHP substr_replace() function. If a PHP script used the same variable as multiple function arguments, a remote attacker could possibly use this to crash the PHP interpreter or, possibly, execute arbitrary code." ); script_set_attribute( attribute:"see_also", value:"https://alas.aws.amazon.com/ALAS-2011-7.html" ); script_set_attribute( attribute:"solution", value:"Run 'yum update php' to update your system." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-bcmath"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-cli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-dba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-embedded"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-fpm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-imap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-intl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-mbstring"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-mcrypt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-mssql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-pdo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-process"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-pspell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-snmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-soap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-tidy"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-xml"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-xmlrpc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-zts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2011/03/18"); script_set_attribute(attribute:"patch_publication_date", value:"2014/09/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/10/12"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Amazon Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/AmazonLinux/release"); if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux"); os_ver = pregmatch(pattern: "^AL(A|\d)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux"); os_ver = os_ver[1]; if (os_ver != "A") { if (os_ver == 'A') os_ver = 'AMI'; audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver); } if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (rpm_check(release:"ALA", reference:"php-5.3.8-3.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php-bcmath-5.3.8-3.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php-cli-5.3.8-3.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php-common-5.3.8-3.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php-dba-5.3.8-3.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php-debuginfo-5.3.8-3.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php-devel-5.3.8-3.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php-embedded-5.3.8-3.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php-fpm-5.3.8-3.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php-gd-5.3.8-3.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php-imap-5.3.8-3.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php-intl-5.3.8-3.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php-ldap-5.3.8-3.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php-mbstring-5.3.8-3.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php-mcrypt-5.3.8-3.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php-mssql-5.3.8-3.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php-mysql-5.3.8-3.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php-odbc-5.3.8-3.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php-pdo-5.3.8-3.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php-pgsql-5.3.8-3.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php-process-5.3.8-3.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php-pspell-5.3.8-3.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php-snmp-5.3.8-3.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php-soap-5.3.8-3.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php-tidy-5.3.8-3.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php-xml-5.3.8-3.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php-xmlrpc-5.3.8-3.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php-zts-5.3.8-3.19.amzn1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php / php-bcmath / php-cli / php-common / php-dba / php-debuginfo / etc"); }NASL family Fedora Local Security Checks NASL id FEDORA_2011-13472.NASL description - Revert is_a() behavior to php <= 5.3.6 and add a new new option (allow_string) for the new behavior (accept string and raise autoload if needed) - Provides MySQL Native Driver in new php-mysqlnd package. Upstream documentation: http://www.php.net/manual/en/mysqlnd.overview.php This is a drop-in replacement of MySQL Client Library used by php-mysql package. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 56423 published 2011-10-10 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/56423 title Fedora 16 : php-5.3.8-3.fc16 (2011-13472) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2011-13472. # include("compat.inc"); if (description) { script_id(56423); script_version("1.8"); script_cvs_date("Date: 2019/08/02 13:32:34"); script_cve_id("CVE-2011-3379"); script_xref(name:"FEDORA", value:"2011-13472"); script_name(english:"Fedora 16 : php-5.3.8-3.fc16 (2011-13472)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: " - Revert is_a() behavior to php <= 5.3.6 and add a new new option (allow_string) for the new behavior (accept string and raise autoload if needed) - Provides MySQL Native Driver in new php-mysqlnd package. Upstream documentation: http://www.php.net/manual/en/mysqlnd.overview.php This is a drop-in replacement of MySQL Client Library used by php-mysql package. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"http://www.php.net/manual/en/mysqlnd.overview.php" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=741020" ); # https://lists.fedoraproject.org/pipermail/package-announce/2011-October/067480.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?ef3e7e86" ); script_set_attribute(attribute:"solution", value:"Update the affected php package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:16"); script_set_attribute(attribute:"patch_publication_date", value:"2011/09/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/10/10"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^16([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 16.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC16", reference:"php-5.3.8-3.fc16")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php"); }NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2011-166.NASL description A vulnerability has been identified and fixed in php : The is_a function in PHP 5.3.7 and 5.3.8 triggers a call to the __autoload function, which makes it easier for remote attackers to execute arbitrary code by providing a crafted URL and leveraging potentially unsafe behavior in certain PEAR packages and custom autoloaders (CVE-2011-3379). The php-ini-5.3.8 package was missing with the MDVSA-2011:165 advisory and is now being provided, the php-timezonedb package was upgraded to the latest version (2011.14) for 2011. The updated packages have been patched to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 56708 published 2011-11-04 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/56708 title Mandriva Linux Security Advisory : php (MDVSA-2011:166) NASL family Fedora Local Security Checks NASL id FEDORA_2011-13458.NASL description Revert is_a() behavior to php <= 5.3.6 and add a new new option (allow_string) for the new behavior (accept string and raise autoload if needed) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 56422 published 2011-10-10 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/56422 title Fedora 14 : php-5.3.8-3.fc14 (2011-13458) NASL family Web Servers NASL id HPSMH_7_1_1_1.NASL description According to the web server last seen 2020-06-01 modified 2020-06-02 plugin id 59851 published 2012-07-05 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/59851 title HP System Management Homepage < 7.1.1 Multiple Vulnerabilities NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201209-03.NASL description The remote host is affected by the vulnerability described in GLSA-201209-03 (PHP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information, create arbitrary files, conduct directory traversal attacks, bypass protection mechanisms, or perform further attacks with unspecified impact. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 62236 published 2012-09-24 reporter This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/62236 title GLSA-201209-03 : PHP: Multiple vulnerabilities NASL family Fedora Local Security Checks NASL id FEDORA_2011-13446.NASL description Revert is_a() behavior to php <= 5.3.6 and add a new new option (allow_string) for the new behavior (accept string and raise autoload if needed) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 56420 published 2011-10-10 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/56420 title Fedora 15 : php-5.3.8-3.fc15 (2011-13446) NASL family CGI abuses NASL id PHP_5_3_9.NASL description According to its banner, the version of PHP installed on the remote host is older than 5.3.9. As such, it may be affected by the following security issues : - The last seen 2020-06-01 modified 2020-06-02 plugin id 57537 published 2012-01-13 reporter This script is Copyright (C) 2012-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/57537 title PHP < 5.3.9 Multiple Vulnerabilities NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2011-07.NASL description The MITRE CVE database describes these CVEs as : Revert is_a() behavior to php <= 5.3.6 and add a new new option (allow_string) for the new behavior (accept string and raise autoload if needed) Use-after-free vulnerability in the substr_replace function in PHP 5.3.6 and earlier allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact by using the same variable for multiple arguments. Stack-based buffer overflow in the socket_connect function in ext/sockets/sockets.c in PHP 5.3.3 through 5.3.6 might allow context-dependent attackers to execute arbitrary code via a long pathname for a UNIX socket. The rfc1867_post_handler function in main/rfc1867.c in PHP before 5.3.7 does not properly restrict filenames in multipart/form-data POST requests, which allows remote attackers to conduct absolute path traversal attacks, and possibly create or overwrite arbitrary files, via a crafted upload request, related to a last seen 2020-06-01 modified 2020-06-02 plugin id 69566 published 2013-09-04 reporter This script is Copyright (C) 2013-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/69566 title Amazon Linux AMI : php (ALAS-2011-07)
References
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041
- http://securityreason.com/securityalert/8525
- http://svn.php.net/viewvc/?view=revision&revision=317183
- http://www.byte.nl/blog/2011/09/23/security-bug-in-is_a-function-in-php-5-3-7-5-3-8/
- http://www.securityfocus.com/archive/1/519770/30/0/threaded
- https://bugs.php.net/bug.php?id=55475
- https://bugzilla.redhat.com/show_bug.cgi?id=741020