Vulnerabilities > CVE-2014-0185 - Improper Privilege Management vulnerability in PHP

047910
CVSS 7.2 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
low complexity
php
CWE-269
nessus

Summary

sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Restful Privilege Elevation
    Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2014-087.NASL
    descriptionA vulnerability has been discovered and corrected in php : PHP FPM in PHP versions before 5.4.28 and 5.5.12 uses a UNIX domain socket with world-writable permissions by default, which allows any local user to connect to it and execute PHP scripts as the apache user (CVE-2014-0185). The updated php packages have been upgraded to the 5.5.12 version which is not vulnerable to this issue. Additionally, the timezonedb packages has been upgraded to the latest 2014.3 version, the php-suhosin packages has been upgraded to the latest 0.9.35 version which has better support for php-5.5 and the PECL packages which requires so has been rebuilt for php-5.5.12.
    last seen2020-06-01
    modified2020-06-02
    plugin id74029
    published2014-05-16
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/74029
    titleMandriva Linux Security Advisory : php (MDVSA-2014:087)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandriva Linux Security Advisory MDVSA-2014:087. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(74029);
      script_version("1.8");
      script_cvs_date("Date: 2019/08/02 13:32:56");
    
      script_cve_id("CVE-2014-0185");
      script_bugtraq_id(67118);
      script_xref(name:"MDVSA", value:"2014:087");
    
      script_name(english:"Mandriva Linux Security Advisory : php (MDVSA-2014:087)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandriva Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A vulnerability has been discovered and corrected in php :
    
    PHP FPM in PHP versions before 5.4.28 and 5.5.12 uses a UNIX domain
    socket with world-writable permissions by default, which allows any
    local user to connect to it and execute PHP scripts as the apache user
    (CVE-2014-0185).
    
    The updated php packages have been upgraded to the 5.5.12 version
    which is not vulnerable to this issue.
    
    Additionally, the timezonedb packages has been upgraded to the latest
    2014.3 version, the php-suhosin packages has been upgraded to the
    latest 0.9.35 version which has better support for php-5.5 and the
    PECL packages which requires so has been rebuilt for php-5.5.12."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_php");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64php5_common5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-apc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-apc-admin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-bcmath");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-bz2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-calendar");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-cgi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-cli");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-ctype");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-curl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-dba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-dom");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-enchant");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-exif");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-fileinfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-filter");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-fpm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-ftp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-gd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-gettext");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-gmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-hash");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-iconv");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-imap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-ini");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-intl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-json");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mbstring");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mcrypt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mssql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mysqli");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mysqlnd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-odbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-opcache");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-openssl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pcntl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pdo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pdo_dblib");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pdo_mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pdo_odbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pdo_pgsql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pdo_sqlite");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pgsql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-phar");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-posix");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-readline");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-recode");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-session");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-shmop");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-snmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-soap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-sockets");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-sqlite3");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-suhosin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-sybase_ct");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-sysvmsg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-sysvsem");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-sysvshm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-tidy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-timezonedb");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-tokenizer");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-wddx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-xml");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-xmlreader");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-xmlrpc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-xmlwriter");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-xsl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-zip");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-zlib");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:business_server:1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2014/05/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/05/16");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"apache-mod_php-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"lib64php5_common5-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-apc-3.1.15-1.6.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-apc-admin-3.1.15-1.6.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-bcmath-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-bz2-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-calendar-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-cgi-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-cli-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-ctype-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-curl-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-dba-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-devel-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", reference:"php-doc-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-dom-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-enchant-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-exif-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-fileinfo-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-filter-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-fpm-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-ftp-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-gd-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-gettext-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-gmp-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-hash-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-iconv-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-imap-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-ini-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-intl-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-json-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-ldap-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-mbstring-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-mcrypt-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-mssql-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-mysql-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-mysqli-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-mysqlnd-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-odbc-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-opcache-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-openssl-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-pcntl-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-pdo-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-pdo_dblib-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-pdo_mysql-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-pdo_odbc-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-pdo_pgsql-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-pdo_sqlite-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-pgsql-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-phar-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-posix-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-readline-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-recode-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-session-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-shmop-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-snmp-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-soap-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-sockets-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-sqlite3-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-suhosin-0.9.35-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-sybase_ct-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-sysvmsg-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-sysvsem-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-sysvshm-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-tidy-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-timezonedb-2014.3-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-tokenizer-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-wddx-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-xml-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-xmlreader-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-xmlrpc-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-xmlwriter-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-xsl-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-zip-5.5.12-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-zlib-5.5.12-1.mbs1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_10_9_5.NASL
    descriptionThe remote host is running a version of Mac OS X 10.9.x that is prior to version 10.9.5. This update contains several security-related fixes for the following components : - apache_mod_php - Bluetooth - CoreGraphics - Foundation - Intel Graphics Driver - IOAcceleratorFamily - IOHIDFamily - IOKit - Kernel - Libnotify - OpenSSL - QT Media Foundation - ruby Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen2020-06-01
    modified2020-06-02
    plugin id77748
    published2014-09-18
    reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/77748
    titleMac OS X 10.9.x < 10.9.5 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(77748);
      script_version("1.9");
      script_cvs_date("Date: 2018/07/14  1:59:36");
    
      script_cve_id(
        "CVE-2013-7345",
        "CVE-2014-0076",
        "CVE-2014-0185",
        "CVE-2014-0195",
        "CVE-2014-0207",
        "CVE-2014-0221",
        "CVE-2014-0224",
        "CVE-2014-0237",
        "CVE-2014-0238",
        "CVE-2014-1391",
        "CVE-2014-1943",
        "CVE-2014-2270",
        "CVE-2014-2525",
        "CVE-2014-3470",
        "CVE-2014-3478",
        "CVE-2014-3479",
        "CVE-2014-3480",
        "CVE-2014-3487",
        "CVE-2014-3515",
        "CVE-2014-3981",
        "CVE-2014-4049",
        "CVE-2014-4350",
        "CVE-2014-4374",
        "CVE-2014-4376",
        "CVE-2014-4377",
        "CVE-2014-4378",
        "CVE-2014-4379",
        "CVE-2014-4381",
        "CVE-2014-4388",
        "CVE-2014-4389",
        "CVE-2014-4390",
        "CVE-2014-4393",
        "CVE-2014-4394",
        "CVE-2014-4395",
        "CVE-2014-4396",
        "CVE-2014-4397",
        "CVE-2014-4398",
        "CVE-2014-4399",
        "CVE-2014-4400",
        "CVE-2014-4401",
        "CVE-2014-4402",
        "CVE-2014-4403",
        "CVE-2014-4416",
        "CVE-2014-4979"
      );
      script_bugtraq_id(
        65596,
        66002,
        66363,
        66406,
        66478,
        67118,
        67759,
        67765,
        67837,
        67898,
        67899,
        67900,
        67901,
        68007,
        68120,
        68237,
        68238,
        68239,
        68241,
        68243,
        68852,
        69888,
        69891,
        69892,
        69893,
        69894,
        69895,
        69896,
        69897,
        69898,
        69901,
        69903,
        69905,
        69906,
        69907,
        69908,
        69910,
        69915,
        69916,
        69921,
        69925,
        69931,
        69948,
        69950
      );
      script_xref(name:"APPLE-SA", value:"APPLE-SA-2014-09-17-3");
    
      script_name(english:"Mac OS X 10.9.x < 10.9.5 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of Mac OS X.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a Mac OS X update that fixes multiple
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote host is running a version of Mac OS X 10.9.x that is prior
    to version 10.9.5. This update contains several security-related fixes
    for the following components :
    
      - apache_mod_php
      - Bluetooth
      - CoreGraphics
      - Foundation
      - Intel Graphics Driver
      - IOAcceleratorFamily
      - IOHIDFamily
      - IOKit
      - Kernel
      - Libnotify
      - OpenSSL
      - QT Media Foundation
      - ruby
    
    Note that successful exploitation of the most serious issues can
    result in arbitrary code execution.");
      script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/archive/1/533483/30/0/threaded");
      script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT6443");
      script_set_attribute(attribute:"see_also", value:"http://osdir.com/ml/general/2014-09/msg34124.html");
      script_set_attribute(attribute:"solution", value:"Upgrade to Mac OS X 10.9.5 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
    script_set_attribute(attribute:"vuln_publication_date", value:"2011/12/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/09/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/09/18");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
      script_require_ports("Host/MacOSX/Version", "Host/OS");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    os = get_kb_item("Host/MacOSX/Version");
    if (!os)
    {
      os = get_kb_item_or_exit("Host/OS");
      if ("Mac OS X" >!< os) audit(AUDIT_OS_NOT, "Mac OS X");
    
      c = get_kb_item("Host/OS/Confidence");
      if (c <= 70) exit(1, "Can't determine the host's OS with sufficient confidence.");
    }
    if (!os) audit(AUDIT_OS_NOT, "Mac OS X");
    
    
    match = eregmatch(pattern:"Mac OS X ([0-9]+(\.[0-9])+)", string:os);
    if (isnull(match)) exit(1, "Failed to parse the Mac OS X version ('" + os + "').");
    
    version = match[1];
    if (!ereg(pattern:"^10\.9([^0-9]|$)", string:version)) audit(AUDIT_OS_NOT, "Mac OS X 10.9", "Mac OS X "+version);
    
    fixed_version = "10.9.5";
    if (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1)
    {
      if (report_verbosity > 0)
        {
          report = '\n  Installed version : ' + version +
                   '\n  Fixed version     : ' + fixed_version +
                   '\n';
          security_hole(port:0, extra:report);
        }
        else security_hole(0);
        exit(0);
    }
    else exit(0, "The host is not affected as it is running Mac OS X "+version+".");
    
  • NASL familyCGI abuses
    NASL idPHP_5_4_28.NASL
    descriptionAccording to its banner, the version of PHP 5.4.x installed on the remote host is a version prior to 5.4.28. It is, therefore, potentially affected by a permission escalation vulnerability. A flaw exists within the FastCGI Process Manager (FPM) when setting permissions for a Unix socket. This could allow a remote attacker to gain elevated privileges after gaining access to the socket. Note that this plugin has not attempted to exploit this issue, but instead relied only on PHP
    last seen2020-06-01
    modified2020-06-02
    plugin id73862
    published2014-05-05
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/73862
    titlePHP 5.4.x < 5.4.28 FPM Unix Socket Insecure Permission Escalation
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2015-080.NASL
    descriptionMultiple vulnerabilities has been discovered and corrected in php : It was discovered that the file utility contains a flaw in the handling of indirect magic rules in the libmagic library, which leads to an infinite recursion when trying to determine the file type of certain files (CVE-2014-1943). A flaw was found in the way the file utility determined the type of Portable Executable (PE) format files, the executable format used on Windows. A malicious PE file could cause the file utility to crash or, potentially, execute arbitrary code (CVE-2014-2270). The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters (CVE-2013-7345). PHP FPM in PHP versions before 5.4.28 and 5.5.12 uses a UNIX domain socket with world-writable permissions by default, which allows any local user to connect to it and execute PHP scripts as the apache user (CVE-2014-0185). A flaw was found in the way file
    last seen2020-06-01
    modified2020-06-02
    plugin id82333
    published2015-03-30
    reporterThis script is Copyright (C) 2015-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82333
    titleMandriva Linux Security Advisory : php (MDVSA-2015:080)
  • NASL familyCGI abuses
    NASL idPHP_5_6_0.NASL
    descriptionAccording to its banner, the version of PHP installed on the remote host is a development version of 5.6.0. It is, therefore, affected by multiple vulnerabilities. Note that Nessus has not attempted to exploit this issue but has instead relied only on application
    last seen2020-06-01
    modified2020-06-02
    plugin id78556
    published2014-10-17
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/78556
    titlePHP 5.6.0 Multiple Vulnerabilities
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-2943.NASL
    descriptionSeveral vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development : - CVE-2014-0185 The default PHP FPM socket permission has been changed from 0666 to 0660 to mitigate a security vulnerability ( CVE-2014-0185 ) in PHP FPM that allowed any local user to run a PHP code under the active user of FPM process via crafted FastCGI client. The default Debian setup now correctly sets the listen.owner and listen.group to www-data:www-data in default php-fpm.conf. If you have more FPM instances or a webserver not running under www-data user you need to adjust the configuration of FPM pools in /etc/php5/fpm/pool.d/ so the accessing process has rights to access the socket. - CVE-2014-0237 / CVE-2014-0238 Denial of service in the CDF parser of the fileinfo module. - CVE-2014-2270 Denial of service in the fileinfo module.
    last seen2020-03-17
    modified2014-06-03
    plugin id74279
    published2014-06-03
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/74279
    titleDebian DSA-2943-1 : php5 - security update
  • NASL familyCGI abuses
    NASL idPHP_5_5_12.NASL
    descriptionAccording to its banner, the version of PHP 5.5.x installed on the remote host is a version prior to 5.5.12. It is, therefore, potentially affected by a permission escalation vulnerability. A flaw exists within the FastCGI Process Manager (FPM) when setting permissions for a Unix socket. This could allow a remote attacker to gain elevated privileges after gaining access to the socket. Note that this plugin has not attempted to exploit this issue, but instead relied only on PHP
    last seen2020-06-01
    modified2020-06-02
    plugin id73863
    published2014-05-05
    reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/73863
    titlePHP 5.5.x < 5.5.12 FPM Unix Socket Insecure Permission Escalation
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2254-1.NASL
    descriptionChristian Hoffmann discovered that the PHP FastCGI Process Manager (FPM) set incorrect permissions on the UNIX socket. A local attacker could use this issue to possibly elevate their privileges. This issue only affected Ubuntu 12.04 LTS, Ubuntu 13.10, and Ubuntu 14.04 LTS. (CVE-2014-0185) Francisco Alonso discovered that the PHP Fileinfo component incorrectly handled certain CDF documents. A remote attacker could use this issue to cause PHP to hang or crash, resulting in a denial of service. (CVE-2014-0237, CVE-2014-0238) Stefan Esser discovered that PHP incorrectly handled DNS TXT records. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-4049). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id76201
    published2014-06-24
    reporterUbuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/76201
    titleUbuntu 10.04 LTS / 12.04 LTS / 13.10 / 14.04 LTS : php5 vulnerabilities (USN-2254-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2014-5984.NASL
    descriptionNotice: to fix CVE-2014-0185 this version change default php-fpm unix domain socket permission to 660 (instead of 666). Check your configuration if php-fpm use UDS (default configuration use a network socket). Upstream Changelog: 01 May 2014, PHP 5.5.12 Core : - Fixed bug #61019 (Out of memory on command stream_get_contents). (Mike) - Fixed bug #64330 (stream_socket_server() creates wrong Abstract Namespace UNIX sockets). (Mike) - Fixed bug #66182 (exit in stream filter produces segfault). (Mike) - Fixed bug #66736 (fpassthru broken). (Mike) - Fixed bug #67024 (getimagesize should recognize BMP files with negative height). (Gabor Buella) - Fixed bug #67043 (substr_compare broke by previous change) (Tjerk) cURL : - Fixed bug #66562 (curl_exec returns differently than curl_multi_getcontent). (Freek Lijten) Date : - Fixed bug #66721 (__wakeup of DateTime segfaults when invalid object data is supplied). (Boro Sitnikovski) Embed : - Fixed bug #65715 (php5embed.lib isn
    last seen2020-03-17
    modified2014-05-12
    plugin id73956
    published2014-05-12
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/73956
    titleFedora 19 : php-5.5.12-1.fc19 (2014-5984)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2015-636.NASL
    descriptionfroxlor was updated to version 0.9.34 (bnc#846355), fixing bugs and bringing features.
    last seen2020-06-05
    modified2015-10-06
    plugin id86286
    published2015-10-06
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/86286
    titleopenSUSE Security Update : froxlor (openSUSE-2015-636)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2254-2.NASL
    descriptionUSN-2254-1 fixed vulnerabilities in PHP. The fix for CVE-2014-0185 further restricted the permissions on the PHP FastCGI Process Manager (FPM) UNIX socket. This update grants socket access to the www-data user and group so installations and documentation relying on the previous socket permissions will continue to function. Christian Hoffmann discovered that the PHP FastCGI Process Manager (FPM) set incorrect permissions on the UNIX socket. A local attacker could use this issue to possibly elevate their privileges. This issue only affected Ubuntu 12.04 LTS, Ubuntu 13.10, and Ubuntu 14.04 LTS. (CVE-2014-0185) Francisco Alonso discovered that the PHP Fileinfo component incorrectly handled certain CDF documents. A remote attacker could use this issue to cause PHP to hang or crash, resulting in a denial of service. (CVE-2014-0237, CVE-2014-0238) Stefan Esser discovered that PHP incorrectly handled DNS TXT records. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-4049). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id76249
    published2014-06-26
    reporterUbuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/76249
    titleUbuntu 13.10 / 14.04 LTS : php5 updates (USN-2254-2)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2014-5960.NASL
    descriptionNotice: to fix CVE-2014-0185 this version change default php-fpm unix domain socket permission to 660 (instead of 666). Check your configuration if php-fpm use UDS (default configuration use a network socket). Upstream Changelog: 01 May 2014, PHP 5.5.12 Core : - Fixed bug #61019 (Out of memory on command stream_get_contents). (Mike) - Fixed bug #64330 (stream_socket_server() creates wrong Abstract Namespace UNIX sockets). (Mike) - Fixed bug #66182 (exit in stream filter produces segfault). (Mike) - Fixed bug #66736 (fpassthru broken). (Mike) - Fixed bug #67024 (getimagesize should recognize BMP files with negative height). (Gabor Buella) - Fixed bug #67043 (substr_compare broke by previous change) (Tjerk) cURL : - Fixed bug #66562 (curl_exec returns differently than curl_multi_getcontent). (Freek Lijten) Date : - Fixed bug #66721 (__wakeup of DateTime segfaults when invalid object data is supplied). (Boro Sitnikovski) Embed : - Fixed bug #65715 (php5embed.lib isn
    last seen2020-03-17
    modified2014-05-06
    plugin id73880
    published2014-05-06
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/73880
    titleFedora 20 : php-5.5.12-1.fc20 (2014-5960)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2014-419.NASL
    descriptionphp5 was updated to fix several security issues. These issues were fixed : - Performance degradation by too many file_printf calls (CVE-2014-0237) - DoS in Fileinfo component (CVE-2014-0238) - NULL pointer dereference in GD XPM decoder (CVE-2014-2497) - Privilege escalation due to insecure default config (CVE-2014-0185)
    last seen2020-06-05
    modified2014-06-13
    plugin id75385
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/75385
    titleopenSUSE Security Update : php5 (openSUSE-SU-2014:0784-1)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201408-11.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201408-11 (PHP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details. Impact : A context-dependent attacker can cause arbitrary code execution, create a Denial of Service condition, read or write arbitrary files, impersonate other servers, hijack a web session, or have other unspecified impact. Additionally, a local attacker could gain escalated privileges. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id77455
    published2014-08-30
    reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/77455
    titleGLSA-201408-11 : PHP: Multiple vulnerabilities
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2014-160-01.NASL
    descriptionNew php packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id74380
    published2014-06-10
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/74380
    titleSlackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : php (SSA:2014-160-01)