Executive Summary
Summary | |
---|---|
Title | New php4 packages fix privilege escalation |
Informations | |||
---|---|---|---|
Name | DSA-1296 | First vendor Publication | 2007-05-21 |
Vendor | Debian | Last vendor Modification | 2007-05-21 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:H/Au:N/C:N/I:P/A:N) | |||
---|---|---|---|
Cvss Base Score | 2.6 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | High |
Cvss Expoit Score | 4.9 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
It was discovered that the ftp extension of PHP, a server-side, HTML-embedded scripting language performs insufficient input sanitising, which permits an attacker to execute arbitrary FTP commands. This requires the attacker to already have access to the FTP server. For the oldstable distribution (sarge) this problem has been fixed in version 4.3.10-21. For the stable distribution (etch) this problem has been fixed in version 4.4.4-8+etch3. For the unstable distribution (sid) this problem won't be fixed, as php4 will be removed from sid; thus you are strongly advised to migrate to php5 if you prefer to follow the unstable distribution. We recommend that you upgrade your PHP packages. Packages for the Sparc architectures are not yet available, due to problems on the build host. They will be provided later. |
Original Source
Url : http://www.debian.org/security/2007/dsa-1296 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-20 | Improper Input Validation |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:18493 | |||
Oval ID: | oval:org.mitre.oval:def:18493 | ||
Title: | DSA-1296-1 php4 | ||
Description: | It was discovered that the ftp extension of PHP, a server-side, HTML-embedded scripting language performs insufficient input sanitising, which permits an attacker to execute arbitrary FTP commands. This requires the attacker to already have access to the FTP server. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1296-1 CVE-2007-2509 | Version: | 5 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | php4 |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2009-10-10 | Name : SLES9: Security update for PHP4 File : nvt/sles9p5012110.nasl |
2009-04-09 | Name : Mandriva Update for php MDKSA-2007:102 (php) File : nvt/gb_mandriva_MDKSA_2007_102.nasl |
2009-03-23 | Name : Ubuntu Update for php5 vulnerabilities USN-462-1 File : nvt/gb_ubuntu_USN_462_1.nasl |
2009-02-27 | Name : Fedora Update for php FEDORA-2007-503 File : nvt/gb_fedora_2007_503_php_fc6.nasl |
2009-02-27 | Name : Fedora Update for php FEDORA-2007-526 File : nvt/gb_fedora_2007_526_php_fc5.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200705-19 (php) File : nvt/glsa_200705_19.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1295-1 (php5) File : nvt/deb_1295_1.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1296-1 (php4) File : nvt/deb_1296_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
34672 | PHP ftp_putcmd Function CRLF Injection PHP contains a flaw that may allow a remote attacker to manipulate FTP commands. The issue is due to the ftp_putcmd function not properly sanitizing user-supplied input. By passing CRLF (newline) characters to FTP commands, it is possible to manipulate input to inject arbitrary FTP commands. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2014-10-10 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL7859.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2007-0889.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2007-0349.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2007-0348.nasl - Type : ACT_GATHER_INFO |
2013-06-29 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2007-0349.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20070926_php_on_SL3.nasl - Type : ACT_GATHER_INFO |
2007-12-13 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_php5-3754.nasl - Type : ACT_GATHER_INFO |
2007-11-10 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-462-1.nasl - Type : ACT_GATHER_INFO |
2007-10-25 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-0888.nasl - Type : ACT_GATHER_INFO |
2007-10-17 | Name : The remote openSUSE host is missing a security update. File : suse_php5-3753.nasl - Type : ACT_GATHER_INFO |
2007-10-17 | Name : The remote openSUSE host is missing a security update. File : suse_php5-3745.nasl - Type : ACT_GATHER_INFO |
2007-10-03 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2007-0889.nasl - Type : ACT_GATHER_INFO |
2007-09-26 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-0889.nasl - Type : ACT_GATHER_INFO |
2007-05-29 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200705-19.nasl - Type : ACT_GATHER_INFO |
2007-05-25 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-0348.nasl - Type : ACT_GATHER_INFO |
2007-05-25 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1296.nasl - Type : ACT_GATHER_INFO |
2007-05-25 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1295.nasl - Type : ACT_GATHER_INFO |
2007-05-25 | Name : The remote Fedora Core host is missing a security update. File : fedora_2007-526.nasl - Type : ACT_GATHER_INFO |
2007-05-16 | Name : The remote Fedora Core host is missing a security update. File : fedora_2007-503.nasl - Type : ACT_GATHER_INFO |
2007-05-11 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2007-0348.nasl - Type : ACT_GATHER_INFO |
2007-05-11 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2007-102.nasl - Type : ACT_GATHER_INFO |
2007-05-10 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-0349.nasl - Type : ACT_GATHER_INFO |
2007-05-04 | Name : The remote web server uses a version of PHP that is affected by multiple flaws. File : php_4_4_7_or_5_2_2.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:26:38 |
|