Vulnerabilities > CVE-2016-5385 - Open Redirect vulnerability in multiple products
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Fake the Source of Data An adversary provides data under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or it might be an attempt by the adversary to assume the rights granted to another identity. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.
Nessus
NASL family CGI abuses NASL id PHP_7_0_9.NASL description According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.9. It is, therefore, affected by multiple vulnerabilities : - A man-in-the-middle vulnerability exists, known as last seen 2020-06-01 modified 2020-06-02 plugin id 92556 published 2016-07-26 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92556 title PHP 7.0.x < 7.0.9 Multiple Vulnerabilities (httpoxy) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(92556); script_version("1.11"); script_cvs_date("Date: 2019/11/19"); script_cve_id( "CVE-2016-5385", "CVE-2016-5399", "CVE-2016-6207", "CVE-2016-6289", "CVE-2016-6290", "CVE-2016-6291", "CVE-2016-6292", "CVE-2016-6293", "CVE-2016-6294", "CVE-2016-6295", "CVE-2016-6296", "CVE-2016-6297" ); script_bugtraq_id( 91821, 92051, 92073, 92074, 92078, 92094, 92095, 92097, 92099 ); script_xref(name:"CERT", value:"797896"); script_xref(name:"EDB-ID", value:"40155"); script_name(english:"PHP 7.0.x < 7.0.9 Multiple Vulnerabilities (httpoxy)"); script_summary(english:"Checks the version of PHP."); script_set_attribute(attribute:"synopsis", value: "The version of PHP running on the remote web server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.9. It is, therefore, affected by multiple vulnerabilities : - A man-in-the-middle vulnerability exists, known as 'httpoxy', due to a failure to properly resolve namespace conflicts in accordance with RFC 3875 section 4.1.18. The HTTP_PROXY environment variable is set based on untrusted user data in the 'Proxy' header of HTTP requests. The HTTP_PROXY environment variable is used by some web client libraries to specify a remote proxy server. An unauthenticated, remote attacker can exploit this, via a crafted 'Proxy' header in an HTTP request, to redirect an application's internal HTTP traffic to an arbitrary proxy server where it may be observed or manipulated. (CVE-2016-5385) - An overflow condition exists in the php_bz2iop_read() function within file ext/bz2/bz2.c due to improper handling of error conditions. An unauthenticated, remote attacker can exploit this, via a crafted request, to execute arbitrary code. (CVE-2016-5399) - A flaw exists in the GD Graphics Library (libgd), specifically in the gdImageScaleTwoPass() function within file gd_interpolation.c, due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-6207) - An integer overflow condition exists in the virtual_file_ex() function within file Zend/zend_virtual_cwd.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-6289) - A use-after-free error exists within the file ext/session/session.c when handling 'var_hash' destruction. An unauthenticated, remote attacker can exploit this to deference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-6290) - An out-of-bounds read error exists in the exif_process_IFD_in_MAKERNOTE() function within file ext/exif/exif.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or disclose memory contents. (CVE-2016-6291) - A NULL pointer dereference flaw exists in the exif_process_user_comment() function within file ext/exif/exif.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-6292) - Multiple out-of-bounds read errors exist in the locale_accept_from_http() function within file ext/intl/locale/locale_methods.c. An unauthenticated, remote attacker can exploit these to cause a denial of service condition or disclose memory contents. (CVE-2016-6293, CVE-2016-6294) - A use-after-free error exists within file ext/snmp/snmp.c when handling garbage collection during deserialization of user-supplied input. An unauthenticated, remote attacker can exploit this to deference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-6295) - A heap-based buffer overflow condition exists in the simplestring_addn() function within file simplestring.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-6296) - An integer overflow condition exists in the php_stream_zip_opener() function within file ext/zip/zip_stream.c due to improper validation of user-supplied input when handling zip streams. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-6297) - An out-of-bounds read error exists in the GD Graphics Library (libgd), specifically in the gdImageScaleBilinearPalette() function within file gd_interpolation.c, when handling transparent color. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or disclose memory contents. - A heap-based buffer overflow condition exists in the mdecrypt_generic() function within file ext/mcrypt/mcrypt.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. - A flaw exists in the curl_unescape() function within file ext/curl/interface.c when handling string lengths. An unauthenticated, remote attacker can exploit this to cause heap corruption, resulting in a denial of service condition. - A heap-based buffer overflow condition exists in the mcrypt_generic() function within file ext/mcrypt/mcrypt.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. - A NULL write flaw exists in the GD Graphics Library (libgd) in the gdImageColorTransparent() function due to improper handling of negative transparent colors. A remote attacker can exploit this to disclose memory contents."); script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-7.php#7.0.9"); script_set_attribute(attribute:"see_also", value:"https://httpoxy.org"); script_set_attribute(attribute:"solution", value: "Upgrade to PHP version 7.0.9 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-6296"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/18"); script_set_attribute(attribute:"patch_publication_date", value:"2016/07/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/26"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("php_version.nasl"); script_require_keys("www/PHP"); script_require_ports("Services/www", 80); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("webapp_func.inc"); port = get_http_port(default:80, php:TRUE); php = get_php_from_kb( port : port, exit_on_fail : TRUE ); version = php["ver"]; source = php["src"]; backported = get_kb_item('www/php/'+port+'/'+version+'/backported'); if (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install"); # Check that it is the correct version of PHP if (version =~ "^7(\.0)?$") audit(AUDIT_VER_NOT_GRANULAR, "PHP", port, version); if (version !~ "^7\.0\.") audit(AUDIT_NOT_DETECT, "PHP version 7.0.x", port); if (version =~ "^7\.0\." && ver_compare(ver:version, fix:"7.0.9", strict:FALSE) < 0){ security_report_v4( port : port, extra : '\n Version source : ' + source + '\n Installed version : ' + version + '\n Fixed version : 7.0.9' + '\n', severity:SECURITY_HOLE ); } else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);NASL family Fedora Local Security Checks NASL id FEDORA_2016-4E7DB3D437.NASL description ## 6.2.1 - 2016-07-18 - Address HTTP_PROXY security vulnerability, CVE-2016-5385: https://httpoxy.org/ - Fixing timeout bug with StreamHandler: https://github.com/guzzle/guzzle/pull/1488 - Only read up to `Content-Length` in PHP StreamHandler to avoid timeouts when a server does not honor `Connection: close`. - Ignore URI fragment when sending requests. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-07-29 plugin id 92616 published 2016-07-29 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92616 title Fedora 24 : php-guzzlehttp-guzzle6 (2016-4e7db3d437) (httpoxy) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2016-4e7db3d437. # include("compat.inc"); if (description) { script_id(92616); script_version("2.7"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2016-5385"); script_xref(name:"FEDORA", value:"2016-4e7db3d437"); script_name(english:"Fedora 24 : php-guzzlehttp-guzzle6 (2016-4e7db3d437) (httpoxy)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "## 6.2.1 - 2016-07-18 - Address HTTP_PROXY security vulnerability, CVE-2016-5385: https://httpoxy.org/ - Fixing timeout bug with StreamHandler: https://github.com/guzzle/guzzle/pull/1488 - Only read up to `Content-Length` in PHP StreamHandler to avoid timeouts when a server does not honor `Connection: close`. - Ignore URI fragment when sending requests. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2016-4e7db3d437" ); script_set_attribute( attribute:"solution", value:"Update the affected php-guzzlehttp-guzzle6 package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-guzzlehttp-guzzle6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:24"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/19"); script_set_attribute(attribute:"patch_publication_date", value:"2016/07/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/29"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^24([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 24", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC24", reference:"php-guzzlehttp-guzzle6-6.2.1-1.fc24")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php-guzzlehttp-guzzle6"); }NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2016-728.NASL description A stack consumption vulnerability in GD in PHP allows remote attackers to cause a denial of service via a crafted imagefilltoborder call. (CVE-2015-8874) An integer overflow, leading to a heap-based buffer overflow was found in the imagecreatefromgd2() function of PHP last seen 2020-06-01 modified 2020-06-02 plugin id 92663 published 2016-08-02 reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/92663 title Amazon Linux AMI : php55 / php56 (ALAS-2016-728) (httpoxy) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Amazon Linux AMI Security Advisory ALAS-2016-728. # include("compat.inc"); if (description) { script_id(92663); script_version("2.9"); script_cvs_date("Date: 2018/04/18 15:09:36"); script_cve_id("CVE-2015-8874", "CVE-2016-5385", "CVE-2016-5766", "CVE-2016-5767", "CVE-2016-5768", "CVE-2016-5769", "CVE-2016-5770", "CVE-2016-5771", "CVE-2016-5772", "CVE-2016-5773"); script_xref(name:"ALAS", value:"2016-728"); script_name(english:"Amazon Linux AMI : php55 / php56 (ALAS-2016-728) (httpoxy)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Amazon Linux AMI host is missing a security update." ); script_set_attribute( attribute:"description", value: "A stack consumption vulnerability in GD in PHP allows remote attackers to cause a denial of service via a crafted imagefilltoborder call. (CVE-2015-8874) An integer overflow, leading to a heap-based buffer overflow was found in the imagecreatefromgd2() function of PHP's gd extension. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application, using gd via a specially crafted GD2 image. (CVE-2016-5766) An integer overflow, leading to a heap-based buffer overflow was found in the gdImagePaletteToTrueColor() function of PHP's gd extension. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application, using gd via a specially crafted image buffer. (CVE-2016-5767) A double free flaw was found in the mb_ereg_replace_callback() function of php which is used to perform regex search. This flaw could possibly cause a PHP application to crash. (CVE-2016-5768) The mcrypt_generic() and mdecrypt_generic() functions are prone to integer overflows, resulting in a heap-based overflow. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application. (CVE-2016-5769) A type confusion issue was found in the SPLFileObject fread() function. A remote attacker able to submit a specially crafted input to a PHP application, which uses this function, could use this flaw to execute arbitrary code with the privileges of the user running that PHP application. (CVE-2016-5770) A use-after-free vulnerability that can occur when calling unserialize() on untrusted input was discovered. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application if the application unserializes untrusted input. (CVE-2016-5771 , CVE-2016-5773) A double free can occur in wddx_deserialize() when trying to deserialize malicious XML input from user's request. This flaw could possibly cause a PHP application to crash. (CVE-2016-5772) It was discovered that PHP did not properly protect against the HTTP_PROXY variable name clash. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5385) (Updated on 2016-08-17: CVE-2016-5385 was fixed in this release but was not previously part of this errata)" ); script_set_attribute( attribute:"see_also", value:"https://alas.aws.amazon.com/ALAS-2016-728.html" ); script_set_attribute( attribute:"solution", value: "Run 'yum update php55' to update your system. Run 'yum update php56' to update your system." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-bcmath"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-cli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-dba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-embedded"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-enchant"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-fpm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-gmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-imap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-intl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-mbstring"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-mcrypt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-mssql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-mysqlnd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-opcache"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-pdo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-process"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-pspell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-recode"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-snmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-soap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-tidy"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-xml"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-xmlrpc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-bcmath"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-cli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-dba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-embedded"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-enchant"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-fpm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-gmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-imap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-intl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-mbstring"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-mcrypt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-mssql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-mysqlnd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-opcache"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-pdo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-process"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-pspell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-recode"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-snmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-soap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-tidy"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-xml"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-xmlrpc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2016/08/01"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/02"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc."); script_family(english:"Amazon Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/AmazonLinux/release"); if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux"); os_ver = pregmatch(pattern: "^AL(A|\d)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux"); os_ver = os_ver[1]; if (os_ver != "A") { if (os_ver == 'A') os_ver = 'AMI'; audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver); } if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (rpm_check(release:"ALA", reference:"php55-5.5.38-1.116.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-bcmath-5.5.38-1.116.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-cli-5.5.38-1.116.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-common-5.5.38-1.116.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-dba-5.5.38-1.116.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-debuginfo-5.5.38-1.116.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-devel-5.5.38-1.116.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-embedded-5.5.38-1.116.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-enchant-5.5.38-1.116.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-fpm-5.5.38-1.116.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-gd-5.5.38-1.116.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-gmp-5.5.38-1.116.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-imap-5.5.38-1.116.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-intl-5.5.38-1.116.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-ldap-5.5.38-1.116.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-mbstring-5.5.38-1.116.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-mcrypt-5.5.38-1.116.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-mssql-5.5.38-1.116.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-mysqlnd-5.5.38-1.116.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-odbc-5.5.38-1.116.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-opcache-5.5.38-1.116.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-pdo-5.5.38-1.116.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-pgsql-5.5.38-1.116.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-process-5.5.38-1.116.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-pspell-5.5.38-1.116.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-recode-5.5.38-1.116.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-snmp-5.5.38-1.116.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-soap-5.5.38-1.116.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-tidy-5.5.38-1.116.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-xml-5.5.38-1.116.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-xmlrpc-5.5.38-1.116.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-5.6.24-1.126.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-bcmath-5.6.24-1.126.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-cli-5.6.24-1.126.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-common-5.6.24-1.126.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-dba-5.6.24-1.126.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-dbg-5.6.24-1.126.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-debuginfo-5.6.24-1.126.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-devel-5.6.24-1.126.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-embedded-5.6.24-1.126.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-enchant-5.6.24-1.126.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-fpm-5.6.24-1.126.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-gd-5.6.24-1.126.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-gmp-5.6.24-1.126.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-imap-5.6.24-1.126.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-intl-5.6.24-1.126.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-ldap-5.6.24-1.126.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-mbstring-5.6.24-1.126.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-mcrypt-5.6.24-1.126.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-mssql-5.6.24-1.126.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-mysqlnd-5.6.24-1.126.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-odbc-5.6.24-1.126.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-opcache-5.6.24-1.126.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-pdo-5.6.24-1.126.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-pgsql-5.6.24-1.126.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-process-5.6.24-1.126.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-pspell-5.6.24-1.126.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-recode-5.6.24-1.126.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-snmp-5.6.24-1.126.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-soap-5.6.24-1.126.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-tidy-5.6.24-1.126.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-xml-5.6.24-1.126.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php56-xmlrpc-5.6.24-1.126.amzn1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php55 / php55-bcmath / php55-cli / php55-common / php55-dba / etc"); }NASL family Web Servers NASL id HPSMH_7_6.NASL description According to its banner, the version of HP System Management Homepage (SMH) hosted on the remote web server is prior to 7.6. It is, therefore, affected by the following vulnerabilities : - A heap buffer overflow condition exists in OpenSSL in the EVP_EncodeUpdate() function within file crypto/evp/encode.c that is triggered when handling a large amount of input data. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2105) - A heap buffer overflow condition exists in OpenSSL in the EVP_EncryptUpdate() function within file crypto/evp/evp_enc.c that is triggered when handling a large amount of input data after a previous call occurs to the same function with a partial block. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2106) - Multiple flaws exist OpenSSL in the aesni_cbc_hmac_sha1_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha1.c and the aesni_cbc_hmac_sha256_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha256.c that are triggered when the connection uses an AES-CBC cipher and AES-NI is supported by the server. A man-in-the-middle attacker can exploit these to conduct a padding oracle attack, resulting in the ability to decrypt the network traffic. (CVE-2016-2107) - Multiple unspecified flaws exist in OpenSSL in the d2i BIO functions when reading ASN.1 data from a BIO due to invalid encoding causing a large allocation of memory. An unauthenticated, remote attacker can exploit these to cause a denial of service condition through resource exhaustion. (CVE-2016-2109) - A certificate validation bypass vulnerability exists in cURL and libcurl due to improper validation of TLS certificates. A man-in-the-middle attacker can exploit this, via a spoofed certificate that appears valid, to disclose or manipulate transmitted data. (CVE-2016-3739) - An integer overflow condition exists in PHP in the php_raw_url_encode() function within file ext/standard/url.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to have an unspecified impact. (CVE-2016-4070) - A flaw exists in PHP in the php_snmp_error() function within file ext/snmp/snmp.c that is triggered when handling format string specifiers. An unauthenticated, remote attacker can exploit this, via a crafted SNMP object, to cause a denial of service or to execute arbitrary code. (CVE-2016-4071) - An invalid memory write error exists in PHP when handling the path of phar file names that allows an attacker to have an unspecified impact. (CVE-2016-4072) - A remote code execution vulnerability exists in PHP in phar_object.c due to improper handling of zero-length uncompressed data. An unauthenticated, remote attacker can exploit this, via a specially crafted TAR, ZIP, or PHAR file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-4342) - A remote code execution vulnerability exists in PHP in the phar_make_dirstream() function within file ext/phar/dirstream.c due to improper handling of ././@LongLink files. An unauthenticated, remote attacker can exploit this, via a specially crafted TAR file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-4343) - A cross-site scripting (XSS) vulnerability exists due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user last seen 2020-06-01 modified 2020-06-02 plugin id 94654 published 2016-11-09 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94654 title HP System Management Homepage < 7.6 Multiple Vulnerabilities (HPSBMU03653) (httpoxy) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(94654); script_version("1.12"); script_cvs_date("Date: 2019/11/14"); script_cve_id( "CVE-2016-2105", "CVE-2016-2106", "CVE-2016-2107", "CVE-2016-2109", "CVE-2016-3739", "CVE-2016-4070", "CVE-2016-4071", "CVE-2016-4072", "CVE-2016-4342", "CVE-2016-4343", "CVE-2016-4393", "CVE-2016-4394", "CVE-2016-4395", "CVE-2016-4396", "CVE-2016-4537", "CVE-2016-4538", "CVE-2016-4539", "CVE-2016-4540", "CVE-2016-4541", "CVE-2016-4542", "CVE-2016-4543", "CVE-2016-5385", "CVE-2016-5387", "CVE-2016-5388" ); script_bugtraq_id( 85800, 85801, 85993, 87940, 89154, 89179, 89744, 89757, 89760, 89844, 90172, 90173, 90174, 90726, 91816, 91818, 91821, 93961 ); script_xref(name:"CERT", value:"797896"); script_xref(name:"EDB-ID", value:"39645"); script_xref(name:"EDB-ID", value:"39653"); script_xref(name:"EDB-ID", value:"39768"); script_xref(name:"HP", value:"HPSBMU03653"); script_xref(name:"HP", value:"emr_na-c05320149"); script_xref(name:"HP", value:"PSRT110145"); script_xref(name:"HP", value:"PSRT110263"); script_xref(name:"HP", value:"PSRT110115"); script_xref(name:"HP", value:"PSRT110116"); script_xref(name:"TRA", value:"TRA-2016-32"); script_xref(name:"ZDI", value:"ZDI-16-587"); script_name(english:"HP System Management Homepage < 7.6 Multiple Vulnerabilities (HPSBMU03653) (httpoxy)"); script_summary(english:"Performs a banner check."); script_set_attribute(attribute:"synopsis", value: "The remote web server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its banner, the version of HP System Management Homepage (SMH) hosted on the remote web server is prior to 7.6. It is, therefore, affected by the following vulnerabilities : - A heap buffer overflow condition exists in OpenSSL in the EVP_EncodeUpdate() function within file crypto/evp/encode.c that is triggered when handling a large amount of input data. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2105) - A heap buffer overflow condition exists in OpenSSL in the EVP_EncryptUpdate() function within file crypto/evp/evp_enc.c that is triggered when handling a large amount of input data after a previous call occurs to the same function with a partial block. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2106) - Multiple flaws exist OpenSSL in the aesni_cbc_hmac_sha1_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha1.c and the aesni_cbc_hmac_sha256_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha256.c that are triggered when the connection uses an AES-CBC cipher and AES-NI is supported by the server. A man-in-the-middle attacker can exploit these to conduct a padding oracle attack, resulting in the ability to decrypt the network traffic. (CVE-2016-2107) - Multiple unspecified flaws exist in OpenSSL in the d2i BIO functions when reading ASN.1 data from a BIO due to invalid encoding causing a large allocation of memory. An unauthenticated, remote attacker can exploit these to cause a denial of service condition through resource exhaustion. (CVE-2016-2109) - A certificate validation bypass vulnerability exists in cURL and libcurl due to improper validation of TLS certificates. A man-in-the-middle attacker can exploit this, via a spoofed certificate that appears valid, to disclose or manipulate transmitted data. (CVE-2016-3739) - An integer overflow condition exists in PHP in the php_raw_url_encode() function within file ext/standard/url.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to have an unspecified impact. (CVE-2016-4070) - A flaw exists in PHP in the php_snmp_error() function within file ext/snmp/snmp.c that is triggered when handling format string specifiers. An unauthenticated, remote attacker can exploit this, via a crafted SNMP object, to cause a denial of service or to execute arbitrary code. (CVE-2016-4071) - An invalid memory write error exists in PHP when handling the path of phar file names that allows an attacker to have an unspecified impact. (CVE-2016-4072) - A remote code execution vulnerability exists in PHP in phar_object.c due to improper handling of zero-length uncompressed data. An unauthenticated, remote attacker can exploit this, via a specially crafted TAR, ZIP, or PHAR file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-4342) - A remote code execution vulnerability exists in PHP in the phar_make_dirstream() function within file ext/phar/dirstream.c due to improper handling of ././@LongLink files. An unauthenticated, remote attacker can exploit this, via a specially crafted TAR file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-4343) - A cross-site scripting (XSS) vulnerability exists due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2016-4393) - An unspecified HTTP Strict Transport Security (HSTS) bypass vulnerability exists that allows authenticated, remote attackers to disclose sensitive information. (CVE-2016-4394) - A remote code execution vulnerability exists due to an overflow condition in the mod_smh_config.so library caused by improper validation of user-supplied input when parsing the admin-group parameter supplied to the /proxy/SetSMHData endpoint. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-4395) - A remote code execution vulnerability exists due to an overflow condition in the mod_smh_config.so library caused by improper validation of user-supplied input when parsing the TKN parameter supplied to the /Proxy/SSO endpoint. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-4396) - An out-of-bounds read error exists in PHP in the php_str2num() function in bcmath.c when handling negative scales. An unauthenticated, remote attacker can exploit this, via a crafted call, to cause a denial of service condition or the disclosure of memory contents. (CVE-2016-4537) - A flaw exists in PHP the bcpowmod() function in bcmath.c due to modifying certain data structures without considering whether they are copies of the _zero_, _one_, or _two_ global variables. An unauthenticated, remote attacker can exploit this, via a crafted call, to cause a denial of service condition. (CVE-2016-4538) - A flaw exists in PHP in the xml_parse_into_struct() function in xml.c when handling specially crafted XML contents. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-4539) - Multiple out-of-bounds read errors exist in PHP within file ext/intl/grapheme/grapheme_string.c when handling negative offsets in the zif_grapheme_stripos() and zif_grapheme_strpos() functions. An unauthenticated, remote attacker can exploit these issues to cause a denial of service condition or disclose memory contents. (CVE-2016-4540, CVE-2016-4541) - A flaw exists in PHP in the exif_process_IFD_TAG() function in exif.c due to improper construction of spprintf arguments. An unauthenticated, remote attacker can exploit this, via crafted header data, to cause an out-of-bounds read error, resulting in a denial of service condition or the disclosure of memory contents. (CVE-2016-4542) - A flaw exists in PHP in the exif_process_IFD_in_JPEG() function in exif.c due to improper validation of IFD sizes. An unauthenticated, remote attacker can exploit this, via crafted header data, to cause an out-of-bounds read error, resulting in a denial of service condition or the disclosure of memory contents. (CVE-2016-4543) - A man-in-the-middle vulnerability exists, known as 'httpoxy', in the Apache Tomcat, Apache HTTP Server, and PHP components due to a failure to properly resolve namespace conflicts in accordance with RFC 3875 section 4.1.18. The HTTP_PROXY environment variable is set based on untrusted user data in the 'Proxy' header of HTTP requests. The HTTP_PROXY environment variable is used by some web client libraries to specify a remote proxy server. A remote attacker can exploit this, via a crafted 'Proxy' header in an HTTP request, to redirect an application's internal HTTP traffic to an arbitrary proxy server where it may be observed or manipulated. (CVE-2016-5385, CVE-2016-5387, CVE-2016-5388) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c05320149 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b7e1b347"); script_set_attribute(attribute:"see_also", value:"https://httpoxy.org"); script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2016-32"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-16-587/"); script_set_attribute(attribute:"solution", value: "Upgrade to HP System Management Homepage (SMH) version 7.6 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-4342"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/26"); script_set_attribute(attribute:"patch_publication_date", value:"2016/10/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/09"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:system_management_homepage"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Web Servers"); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("compaq_wbem_detect.nasl", "os_fingerprint.nasl"); script_require_keys("www/hp_smh"); script_require_ports("Services/www", 2301, 2381); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("install_func.inc"); # Only Linux and Windows are affected -- HP-UX is not mentioned os = get_kb_item_or_exit("Host/OS"); if ("Windows" >!< os && "Linux" >!< os) audit(AUDIT_OS_NOT, "Windows or Linux", os); port = get_http_port(default:2381, embedded:TRUE); app = "hp_smh"; get_install_count(app_name:app, exit_if_zero:TRUE); install = get_single_install( app_name : app, port : port, exit_if_unknown_ver : TRUE ); dir = install['dir']; version = install['version']; prod = get_kb_item_or_exit("www/"+port+"/hp_smh/variant"); source_line = get_kb_item("www/"+port+"/hp_smh/source"); if (version == UNKNOWN_VER) audit(AUDIT_UNKNOWN_WEB_APP_VER, prod, build_url(port:port, qs:dir+"/") ); # nb: 'version' can have non-numeric characters in it so we'll create # an alternate form and make sure that's safe for use in 'ver_compare()'. version_alt = ereg_replace(pattern:"[_-]", replace:".", string:version); if (!ereg(pattern:"^[0-9][0-9.]+$", string:version_alt)) audit(AUDIT_VER_FORMAT, version); if (ver_compare(ver:version_alt, fix:"7.6", strict:FALSE) == -1) { report = '\n Product : ' + prod; if (!isnull(source_line)) report += '\n Version source : ' + source_line; report += '\n Installed version : ' + version + '\n Fixed version : 7.6' + '\n'; security_report_v4(severity:SECURITY_HOLE, port:port, extra:report, xss:TRUE); exit(0); } else audit(AUDIT_LISTEN_NOT_VULN, prod, port, version);NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2016-203-02.NASL description New php packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 92499 published 2016-07-22 reporter This script is Copyright (C) 2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/92499 title Slackware 14.0 / 14.1 / 14.2 / current : php (SSA:2016-203-02) (httpoxy) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Slackware Security Advisory 2016-203-02. The text # itself is copyright (C) Slackware Linux, Inc. # include("compat.inc"); if (description) { script_id(92499); script_version("$Revision: 2.3 $"); script_cvs_date("$Date: 2016/10/24 13:46:12 $"); script_cve_id("CVE-2016-5385", "CVE-2016-6207"); script_xref(name:"SSA", value:"2016-203-02"); script_name(english:"Slackware 14.0 / 14.1 / 14.2 / current : php (SSA:2016-203-02) (httpoxy)"); script_summary(english:"Checks for updated package in /var/log/packages"); script_set_attribute( attribute:"synopsis", value:"The remote Slackware host is missing a security update." ); script_set_attribute( attribute:"description", value: "New php packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues." ); # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.425458 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?d89b3856" ); script_set_attribute(attribute:"solution", value:"Update the affected php package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:php"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.2"); script_set_attribute(attribute:"patch_publication_date", value:"2016/07/21"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/22"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016 Tenable Network Security, Inc."); script_family(english:"Slackware Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("slackware.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware"); if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu); flag = 0; if (slackware_check(osver:"14.0", pkgname:"php", pkgver:"5.6.24", pkgarch:"i486", pkgnum:"1_slack14.0")) flag++; if (slackware_check(osver:"14.0", arch:"x86_64", pkgname:"php", pkgver:"5.6.24", pkgarch:"x86_64", pkgnum:"1_slack14.0")) flag++; if (slackware_check(osver:"14.1", pkgname:"php", pkgver:"5.6.24", pkgarch:"i486", pkgnum:"1_slack14.1")) flag++; if (slackware_check(osver:"14.1", arch:"x86_64", pkgname:"php", pkgver:"5.6.24", pkgarch:"x86_64", pkgnum:"1_slack14.1")) flag++; if (slackware_check(osver:"14.2", pkgname:"php", pkgver:"5.6.24", pkgarch:"i586", pkgnum:"1_slack14.2")) flag++; if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"php", pkgver:"5.6.24", pkgarch:"x86_64", pkgnum:"1_slack14.2")) flag++; if (slackware_check(osver:"current", pkgname:"php", pkgver:"5.6.24", pkgarch:"i586", pkgnum:"1")) flag++; if (slackware_check(osver:"current", arch:"x86_64", pkgname:"php", pkgver:"5.6.24", pkgarch:"x86_64", pkgnum:"1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3045-1.NASL description It was discovered that PHP incorrectly handled certain SplMinHeap::compare operations. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-4116) It was discovered that PHP incorrectly handled recursive method calls. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8873) It was discovered that PHP incorrectly validated certain Exception objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8876) It was discovered that PHP header() function performed insufficient filtering for Internet Explorer. A remote attacker could possibly use this issue to perform a XSS attack. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8935) It was discovered that PHP incorrectly handled certain locale operations. An attacker could use this issue to cause PHP to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5093) It was discovered that the PHP php_html_entities() function incorrectly handled certain string lengths. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5094, CVE-2016-5095) It was discovered that the PHP fread() function incorrectly handled certain lengths. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5096) It was discovered that the PHP FastCGI Process Manager (FPM) SAPI incorrectly handled memory in the access logging feature. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly expose sensitive information. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5114) It was discovered that PHP would not protect applications from contents of the HTTP_PROXY environment variable when based on the contents of the Proxy header from HTTP requests. A remote attacker could possibly use this issue in combination with scripts that honour the HTTP_PROXY variable to redirect outgoing HTTP requests. (CVE-2016-5385) Hans Jerry Illikainen discovered that the PHP bzread() function incorrectly performed error handling. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-5399) It was discovered that certain PHP multibyte string functions incorrectly handled memory. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2016-5768) It was discovered that the PHP Mcrypt extension incorrectly handled memory. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5769) It was discovered that the PHP garbage collector incorrectly handled certain objects when unserializing malicious data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue was only addressed in Ubuntu Ubuntu 14.04 LTS. (CVE-2016-5771, CVE-2016-5773) It was discovered that PHP incorrectly handled memory when unserializing malicious xml data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5772) It was discovered that the PHP php_url_parse_ex() function incorrectly handled string termination. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-6288) It was discovered that PHP incorrectly handled path lengths when extracting certain Zip archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6289) It was discovered that PHP incorrectly handled session deserialization. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6290) It was discovered that PHP incorrectly handled exif headers when processing certain JPEG images. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6291, CVE-2016-6292) It was discovered that PHP incorrectly handled certain locale operations. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6294) It was discovered that the PHP garbage collector incorrectly handled certain objects when unserializing SNMP data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-6295) It was discovered that the PHP xmlrpc_encode_request() function incorrectly handled certain lengths. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6296) It was discovered that the PHP php_stream_zip_opener() function incorrectly handled memory. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6297). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 92699 published 2016-08-03 reporter Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92699 title Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : php5, php7.0 vulnerabilities (USN-3045-1) (httpoxy) NASL family CGI abuses NASL id PHP_5_5_38.NASL description According to its banner, the version of PHP running on the remote web server is 5.5.x prior to 5.5.38. It is, therefore, affected by multiple vulnerabilities : - A Segfault condition occurs when accessing nvarchar(max) defined columns. (CVE-2015-8879) - A man-in-the-middle vulnerability exists, known as last seen 2020-06-01 modified 2020-06-02 plugin id 92554 published 2016-07-26 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92554 title PHP 5.5.x < 5.5.38 Multiple Vulnerabilities (httpoxy) NASL family Fedora Local Security Checks NASL id FEDORA_2016-8EB11666AA.NASL description 21 Jul 2016, **PHP 5.6.24** **Core:** - Fixed bug php#71936 (Segmentation fault destroying HTTP_RAW_POST_DATA). (mike dot laspina at gmail dot com, Remi) - Fixed bug php#72496 (Cannot declare public method with signature incompatible with parent private method). (Pedro Magalhães) - Fixed bug php#72138 (Integer Overflow in Length of String-typed ZVAL). (Stas) - Fixed bug php#72513 (Stack-based buffer overflow vulnerability in virtual_file_ex). (loianhtuan at gmail dot com) - Fixed bug php#72562 (Use After Free in unserialize() with Unexpected Session Deserialization). (taoguangchen at icloud dot com) - Fixed bug php#72573 (HTTP_PROXY is improperly trusted by some PHP libraries and applications). (CVE-2016-5385) (Stas) **bz2:** - Fixed bug php#72447 (Type Confusion in php_bz2_filter_create()). (gogil at stealien dot com). - Fixed bug php#72613 (Inadequate error handling in bzread()). (Stas) **EXIF:** - Fixed bug php#50845 (exif_read_data() returns corrupted exif headers). (Bartosz Dziewoński) - Fixed bug php#72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE). (Stas) - Fixed bug #72618 (NULL pointer Dereference in exif_process_user_comment). (Stas) **Intl:** - Fixed bug php#72533 (locale_accept_from_http out-of-bounds access). (Stas) **ODBC:** - Fixed bug php#69975 (PHP segfaults when accessing nvarchar(max) defined columns) **OpenSSL:** - Fixed bug php#71915 (openssl_random_pseudo_bytes is not fork-safe). (Jakub Zelenka) - Fixed bug php#72336 (openssl_pkey_new does not fail for invalid DSA params). (Jakub Zelenka) **SNMP:** - Fixed bug php#72479 (Use After Free Vulnerability in SNMP with GC and unserialize()). (taoguangchen at icloud dot com) **SPL:** - Fixed bug php#55701 (GlobIterator throws LogicException). (Valentin VĂLCIU) **SQLite3:** - Fixed bug php#70628 (Clearing bindings on a SQLite3 statement doesn last seen 2020-06-05 modified 2016-08-01 plugin id 92648 published 2016-08-01 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92648 title Fedora 24 : php (2016-8eb11666aa) (httpoxy) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2016-1613.NASL description An update for php is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix(es) : * It was discovered that PHP did not properly protect against the HTTP_PROXY variable name clash. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5385) Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue. Bug Fix(es) : * Previously, an incorrect logic in the SAPI header callback routine caused that the callback counter was not incremented. Consequently, when a script included a header callback, it could terminate unexpectedly with a segmentation fault. With this update, the callback counter is properly managed, and scripts with a header callback implementation work as expected. (BZ#1346758) last seen 2020-06-01 modified 2020-06-02 plugin id 92941 published 2016-08-12 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92941 title RHEL 7 : php (RHSA-2016:1613) (httpoxy) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2016-1609.NASL description An update for php is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix(es) : * It was discovered that PHP did not properly protect against the HTTP_PROXY variable name clash. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5385) Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 92872 published 2016-08-12 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92872 title CentOS 6 : php (CESA-2016:1609) (httpoxy) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-2941-1.NASL description This update for php7 fixes the following security issues : - CVE-2016-5385: Setting HTTP_PROXY environment variable via Proxy header (httpoxy) (bsc#988486). - CVE-2016-9137: Fixing a Use After Free in unserialize() (bsc#1008029). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-24 modified 2019-01-02 plugin id 119987 published 2019-01-02 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119987 title SUSE SLES12 Security Update : php7 (SUSE-SU-2016:2941-1) (httpoxy) NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-1440.NASL description This update for php7 fixes the following security issues : - CVE-2016-5385: Setting HTTP_PROXY environment variable via Proxy header (httpoxy) (bsc#988486). - CVE-2016-9137: Fixing a Use After Free in unserialize() (bsc#1008029). This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-05 modified 2016-12-13 plugin id 95746 published 2016-12-13 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/95746 title openSUSE Security Update : php7 (openSUSE-2016-1440) (httpoxy) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-749.NASL description CVE-2016-5385 PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application last seen 2020-03-17 modified 2016-12-20 plugin id 96010 published 2016-12-20 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96010 title Debian DLA-749-1 : php5 security update (httpoxy) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3631.NASL description Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development. The vulnerabilities are addressed by upgrading PHP to the new upstream version 5.6.24, which includes additional bug fixes. Please refer to the upstream changelog for more information : last seen 2020-06-01 modified 2020-06-02 plugin id 92573 published 2016-07-27 reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92573 title Debian DSA-3631-1 : php5 - security update (httpoxy) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2016-1613.NASL description An update for php is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix(es) : * It was discovered that PHP did not properly protect against the HTTP_PROXY variable name clash. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5385) Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue. Bug Fix(es) : * Previously, an incorrect logic in the SAPI header callback routine caused that the callback counter was not incremented. Consequently, when a script included a header callback, it could terminate unexpectedly with a segmentation fault. With this update, the callback counter is properly managed, and scripts with a header callback implementation work as expected. (BZ#1346758) last seen 2020-06-01 modified 2020-06-02 plugin id 92952 published 2016-08-15 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92952 title CentOS 7 : php (CESA-2016:1613) (httpoxy) NASL family Fedora Local Security Checks NASL id FEDORA_2016-CD2BD0800F.NASL description 21 Jul 2016, **PHP 5.6.24** **Core:** - Fixed bug php#71936 (Segmentation fault destroying HTTP_RAW_POST_DATA). (mike dot laspina at gmail dot com, Remi) - Fixed bug php#72496 (Cannot declare public method with signature incompatible with parent private method). (Pedro Magalhães) - Fixed bug php#72138 (Integer Overflow in Length of String-typed ZVAL). (Stas) - Fixed bug php#72513 (Stack-based buffer overflow vulnerability in virtual_file_ex). (loianhtuan at gmail dot com) - Fixed bug php#72562 (Use After Free in unserialize() with Unexpected Session Deserialization). (taoguangchen at icloud dot com) - Fixed bug php#72573 (HTTP_PROXY is improperly trusted by some PHP libraries and applications). (CVE-2016-5385) (Stas) **bz2:** - Fixed bug php#72447 (Type Confusion in php_bz2_filter_create()). (gogil at stealien dot com). - Fixed bug php#72613 (Inadequate error handling in bzread()). (Stas) **EXIF:** - Fixed bug php#50845 (exif_read_data() returns corrupted exif headers). (Bartosz Dziewoński) - Fixed bug php#72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE). (Stas) - Fixed bug #72618 (NULL pointer Dereference in exif_process_user_comment). (Stas) **Intl:** - Fixed bug php#72533 (locale_accept_from_http out-of-bounds access). (Stas) **ODBC:** - Fixed bug php#69975 (PHP segfaults when accessing nvarchar(max) defined columns) **OpenSSL:** - Fixed bug php#71915 (openssl_random_pseudo_bytes is not fork-safe). (Jakub Zelenka) - Fixed bug php#72336 (openssl_pkey_new does not fail for invalid DSA params). (Jakub Zelenka) **SNMP:** - Fixed bug php#72479 (Use After Free Vulnerability in SNMP with GC and unserialize()). (taoguangchen at icloud dot com) **SPL:** - Fixed bug php#55701 (GlobIterator throws LogicException). (Valentin VĂLCIU) **SQLite3:** - Fixed bug php#70628 (Clearing bindings on a SQLite3 statement doesn last seen 2020-06-05 modified 2016-08-01 plugin id 92650 published 2016-08-01 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92650 title Fedora 23 : php (2016-cd2bd0800f) (httpoxy) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201611-22.NASL description The remote host is affected by the vulnerability described in GLSA-201611-22 (PHP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details. Impact : An attacker can possibly execute arbitrary code or create a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 95421 published 2016-12-01 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95421 title GLSA-201611-22 : PHP: Multiple vulnerabilities (httpoxy) NASL family CGI abuses NASL id DRUPAL_8_1_7.NASL description The version of Drupal running on the remote web server is 8.x prior to 8.1.7. It is, therefore, affected by a man-in-the-middle vulnerability known as last seen 2020-06-01 modified 2020-06-02 plugin id 92495 published 2016-07-21 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92495 title Drupal 8.x < 8.1.7 PHP HTTP_PROXY Environment Variable Namespace Collision Vulnerability (httpoxy) NASL family Scientific Linux Local Security Checks NASL id SL_20160811_PHP_ON_SL7_X.NASL description Security Fix(es) : - It was discovered that PHP did not properly protect against the HTTP_PROXY variable name clash. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP script to an attacker- controlled proxy via a malicious HTTP request. (CVE-2016-5385) Bug Fix(es) : - Previously, an incorrect logic in the SAPI header callback routine caused that the callback counter was not incremented. Consequently, when a script included a header callback, it could terminate unexpectedly with a segmentation fault. With this update, the callback counter is properly managed, and scripts with a header callback implementation work as expected. last seen 2020-03-18 modified 2016-08-17 plugin id 92997 published 2016-08-17 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92997 title Scientific Linux Security Update : php on SL7.x x86_64 (20160811) (httpoxy) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2016-1613.NASL description From Red Hat Security Advisory 2016:1613 : An update for php is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix(es) : * It was discovered that PHP did not properly protect against the HTTP_PROXY variable name clash. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5385) Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue. Bug Fix(es) : * Previously, an incorrect logic in the SAPI header callback routine caused that the callback counter was not incremented. Consequently, when a script included a header callback, it could terminate unexpectedly with a segmentation fault. With this update, the callback counter is properly managed, and scripts with a header callback implementation work as expected. (BZ#1346758) last seen 2020-06-01 modified 2020-06-02 plugin id 92937 published 2016-08-12 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92937 title Oracle Linux 7 : php (ELSA-2016-1613) (httpoxy) NASL family Fedora Local Security Checks NASL id FEDORA_2016-AEF8A45AFE.NASL description ## 5.3.1 - 2016-07-18 - Address HTTP_PROXY security vulnerability, CVE-2016-5385: https://httpoxy.org/ - Event name fix: https://github.com/guzzle/guzzle/commit/fcae91ff31de41e3 12fe113ec3acbcda31b2622e - Response header case sensitivity fix: https://github.com/guzzle/guzzle/commit/043eeadf20ee40dd c6712faee4d3957a91f2b041 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-07-29 plugin id 92619 published 2016-07-29 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92619 title Fedora 24 : php-guzzlehttp-guzzle (2016-aef8a45afe) (httpoxy) NASL family Scientific Linux Local Security Checks NASL id SL_20160811_PHP_ON_SL6_X.NASL description Security Fix(es) : - It was discovered that PHP did not properly protect against the HTTP_PROXY variable name clash. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP script to an attacker- controlled proxy via a malicious HTTP request. (CVE-2016-5385) last seen 2020-03-18 modified 2016-08-15 plugin id 92965 published 2016-08-15 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92965 title Scientific Linux Security Update : php on SL6.x i386/x86_64 (20160811) (httpoxy) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2016-1609.NASL description From Red Hat Security Advisory 2016:1609 : An update for php is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix(es) : * It was discovered that PHP did not properly protect against the HTTP_PROXY variable name clash. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5385) Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 92936 published 2016-08-12 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92936 title Oracle Linux 6 : php (ELSA-2016-1609) (httpoxy) NASL family Web Servers NASL id HTTP_HTTPOXY.NASL description The web application running on the remote web server is affected by a man-in-the-middle vulnerability known as last seen 2020-06-01 modified 2020-06-02 plugin id 92539 published 2016-07-25 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92539 title HTTP_PROXY Environment Variable Namespace Collision Vulnerability (httpoxy) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_B6402385533B11E6A7BD14DAE9D210B8.NASL description PHP reports : - Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined columns) - Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and unserialize()). - Fixed bug #72512 (gdImageTrueColorToPaletteBody allows arbitrary write/read access). - Fixed bug #72519 (imagegif/output out-of-bounds access). - Fixed bug #72520 (Stack-based buffer overflow vulnerability in php_stream_zip_opener). - Fixed bug #72533 (locale_accept_from_http out-of-bounds access). - Fixed bug #72541 (size_t overflow lead to heap corruption). - Fixed bug #72551, bug #72552 (Incorrect casting from size_t to int lead to heap overflow in mdecrypt_generic). - Fixed bug #72558 (Integer overflow error within _gdContributionsAlloc()). - Fixed bug #72573 (HTTP_PROXY is improperly trusted by some PHP libraries and applications). - Fixed bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE). - Fixed bug #72606 (heap-buffer-overflow (write) simplestring_addn simplestring.c). - Fixed bug #72613 (Inadequate error handling in bzread()). - Fixed bug #72618 (NULL pointer Dereference in exif_process_user_comment). last seen 2020-06-01 modified 2020-06-02 plugin id 92574 published 2016-07-27 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92574 title FreeBSD : php -- multiple vulnerabilities (b6402385-533b-11e6-a7bd-14dae9d210b8) (httpoxy) NASL family Misc. NASL id ORACLE_ENTERPRISE_MANAGER_JUL_2017_CPU.NASL description The version of Oracle Enterprise Manager Grid Control installed on the remote host is missing a security patch. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in the Bouncy Castle Java library due to improper validation of a point within the elliptic curve. An unauthenticated, remote attacker can exploit this to obtain private keys by using a series of specially crafted elliptic curve Diffie-Hellman (ECDH) key exchanges, also known as an last seen 2020-06-01 modified 2020-06-02 plugin id 101837 published 2017-07-20 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101837 title Oracle Enterprise Manager Grid Control Multiple Vulnerabilities (July 2017 CPU) (httpoxy) NASL family CGI abuses NASL id PHP_5_6_24.NASL description According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.24. It is, therefore, affected by multiple vulnerabilities : - A man-in-the-middle vulnerability exists, known as last seen 2020-06-01 modified 2020-06-02 plugin id 92555 published 2016-07-26 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92555 title PHP 5.6.x < 5.6.24 Multiple Vulnerabilities (httpoxy) NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-921.NASL description This update for php5 fixes the following issues : - It is possible to launch a web server with last seen 2020-06-05 modified 2016-08-04 plugin id 92714 published 2016-08-04 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/92714 title openSUSE Security Update : php5 (openSUSE-2016-921) (httpoxy) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2016-1609.NASL description An update for php is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix(es) : * It was discovered that PHP did not properly protect against the HTTP_PROXY variable name clash. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5385) Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 92940 published 2016-08-12 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92940 title RHEL 6 : php (RHSA-2016:1609) (httpoxy) NASL family Fedora Local Security Checks NASL id FEDORA_2016-9C8CF5912C.NASL description ## 6.2.1 - 2016-07-18 - Address HTTP_PROXY security vulnerability, CVE-2016-5385: https://httpoxy.org/ - Fixing timeout bug with StreamHandler: https://github.com/guzzle/guzzle/pull/1488 - Only read up to `Content-Length` in PHP StreamHandler to avoid timeouts when a server does not honor `Connection: close`. - Ignore URI fragment when sending requests. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-07-29 plugin id 92618 published 2016-07-29 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92618 title Fedora 23 : php-guzzlehttp-guzzle6 (2016-9c8cf5912c) (httpoxy) NASL family Fedora Local Security Checks NASL id FEDORA_2016-E2C8F5F95A.NASL description ## 5.3.1 - 2016-07-18 - Address HTTP_PROXY security vulnerability, CVE-2016-5385: https://httpoxy.org/ - Event name fix: https://github.com/guzzle/guzzle/commit/fcae91ff31de41e3 12fe113ec3acbcda31b2622e - Response header case sensitivity fix: https://github.com/guzzle/guzzle/commit/043eeadf20ee40dd c6712faee4d3957a91f2b041 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-07-29 plugin id 92621 published 2016-07-29 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92621 title Fedora 23 : php-guzzlehttp-guzzle (2016-e2c8f5f95a) (httpoxy)
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1353794
- http://www.kb.cert.org/vuls/id/797896
- https://httpoxy.org/
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05333297
- http://lists.opensuse.org/opensuse-updates/2016-08/msg00003.html
- http://www.securityfocus.com/bid/91821
- http://rhn.redhat.com/errata/RHSA-2016-1611.html
- http://rhn.redhat.com/errata/RHSA-2016-1612.html
- http://rhn.redhat.com/errata/RHSA-2016-1613.html
- http://rhn.redhat.com/errata/RHSA-2016-1610.html
- http://rhn.redhat.com/errata/RHSA-2016-1609.html
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
- https://www.drupal.org/SA-CORE-2016-003
- https://github.com/guzzle/guzzle/releases/tag/6.2.1
- https://security.gentoo.org/glsa/201611-22
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us
- http://www.securitytracker.com/id/1036335
- http://www.debian.org/security/2016/dsa-3631
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7RMYXAVNYL2MOBJTFATE73TOVOEZYC5R/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZOIUYZDBWNDDHC6XTOLZYRMRXZWTJCP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXFEIMZPSVGZQQAYIQ7U7DFVX3IBSDLF/