Executive Summary

Informations
NameMDVSA-2009:303First vendor Publication2009-11-28
VendorMandrivaLast vendor Modification2009-11-28
Severity (Vendor) N/ARevisionN/A

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score7.5Attack RangeNetwork
Cvss Impact Score6.4Attack ComplexityLow
Cvss Expoit Score10AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

Some vulnerabilities were discovered and corrected in php-5.2.11:

The tempnam function in ext/standard/file.c in PHP 5.2.11 and earlier, and 5.3.x before 5.3.1, allows context-dependent attackers to bypass safe_mode restrictions, and create files in group-writable or world-writable directories, via the dir and prefix arguments (CVE-2009-3557).

The posix_mkfifo function in ext/posix/posix.c in PHP 5.2.11 and earlier, and 5.3.x before 5.3.1, allows context-dependent attackers to bypass open_basedir restrictions, and create FIFO files, via the pathname and mode arguments, as demonstrated by creating a .htaccess file (CVE-2009-3558).

PHP 5.2.11, and 5.3.x before 5.3.1, does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive (CVE-2009-4017).

The proc_open function in ext/standard/proc_open.c in PHP before 5.2.11 and 5.3.x before 5.3.1 does not enforce the (1) safe_mode_allowed_env_vars and (2) safe_mode_protected_env_vars directives, which allows context-dependent attackers to execute programs with an arbitrary environment via the env parameter, as demonstrated by a crafted value of the LD_LIBRARY_PATH environment variable (CVE-2009-4018).

Intermittent segfaults occured on x86_64 with the latest phpmyadmin and with apache (#53735).

Additionally, some packages which require so, have been rebuilt and are being provided as updates.

Original Source

Url : http://www.mandriva.com/security/advisories?name=MDVSA-2009:303

CAPEC : Common Attack Pattern Enumeration & Classification

idName
CAPEC-82Violating Implicit Assumptions Regarding XML Content (aka XML Denial of Servi...
CAPEC-99XML Parser Attack
CAPEC-119Resource Depletion
CAPEC-121Locate and Exploit Test APIs
CAPEC-125Resource Depletion through Flooding
CAPEC-130Resource Depletion through Allocation
CAPEC-147XML Ping of Death
CAPEC-197XEE (XML Entity Expansion)
CAPEC-227Denial of Service through Resource Depletion
CAPEC-228Resource Depletion through DTD Injection in a SOAP Message
CAPEC-229XML Attribute Blowup

CWE : Common Weakness Enumeration

idName
CWE-770Allocation of Resources Without Limits or Throttling
CWE-264Permissions, Privileges, and Access Controls

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:7396
 
Oval ID: oval:org.mitre.oval:def:7396
Title: HP-UX Running Apache with PHP, Remote Denial of Service (DoS), Unauthorized Access, Privileged Access, Cross Site Scripting (XSS)
Description: The tempnam function in ext/standard/file.c in PHP before 5.2.12 and 5.3.x before 5.3.1 allows context-dependent attackers to bypass safe_mode restrictions, and create files in group-writable or world-writable directories, via the dir and prefix arguments.
Family: unix Class: vulnerability
Reference(s): CVE-2009-3557
Version: 6
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6667
 
Oval ID: oval:org.mitre.oval:def:6667
Title: HP-UX Running Apache with PHP, Remote Denial of Service (DoS), Unauthorized Access, Privileged Access, Cross Site Scripting (XSS)
Description: PHP before 5.2.12 and 5.3.x before 5.3.1 does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive.
Family: unix Class: vulnerability
Reference(s): CVE-2009-4017
Version: 6
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:10483
 
Oval ID: oval:org.mitre.oval:def:10483
Title: PHP before 5.2.12 and 5.3.x before 5.3.1 does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive.
Description: PHP before 5.2.12 and 5.3.x before 5.3.1 does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive.
Family: unix Class: vulnerability
Reference(s): CVE-2009-4017
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:7256
 
Oval ID: oval:org.mitre.oval:def:7256
Title: HP-UX Running Apache with PHP, Remote Denial of Service (DoS), Unauthorized Access, Privileged Access, Cross Site Scripting (XSS)
Description: The proc_open function in ext/standard/proc_open.c in PHP before 5.2.11 and 5.3.x before 5.3.1 does not enforce the (1) safe_mode_allowed_env_vars and (2) safe_mode_protected_env_vars directives, which allows context-dependent attackers to execute programs with an arbitrary environment via the env parameter, as demonstrated by a crafted value of the LD_LIBRARY_PATH environment variable.
Family: unix Class: vulnerability
Reference(s): CVE-2009-4018
Version: 6
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13706
 
Oval ID: oval:org.mitre.oval:def:13706
Title: USN-862-1 -- php5 vulnerabilities
Description: Maksymilian Arciemowicz discovered that PHP did not properly validate arguments to the dba_replace function. If a script passed untrusted input to the dba_replace function, an attacker could truncate the database. This issue only applied to Ubuntu 6.06 LTS, 8.04 LTS, and 8.10. It was discovered that PHP�s php_openssl_apply_verification_policy function did not correctly handle SSL certificates with zero bytes in the Common Name. A remote attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. It was discovered that PHP did not properly handle certain malformed images when being parsed by the Exif module. A remote attacker could exploit this flaw and cause the PHP server to crash, resulting in a denial of service. Grzegorz Stachowiak discovered that PHP did not properly enforce restrictions in the tempnam function. An attacker could exploit this issue to bypass safe_mode restrictions. Grzegorz Stachowiak discovered that PHP did not properly enforce restrictions in the posix_mkfifo function. An attacker could exploit this issue to bypass open_basedir restrictions. Bogdan Calin discovered that PHP did not limit the number of temporary files created when handling multipart/form-data POST requests. A remote attacker could exploit this flaw and cause the PHP server to consume all available resources, resulting in a denial of service. ATTENTION: This update changes previous PHP behaviour by limiting the number of files in a POST request to 50. This may be increased by adding a "max_file_uploads" directive to the php.ini configuration file. It was discovered that PHP did not properly enforce restrictions in the proc_open function. An attacker could exploit this issue to bypass safe_mode_protected_env_vars restrictions and possibly execute arbitrary code with application privileges
Family: unix Class: patch
Reference(s): USN-862-1
CVE-2008-7068
CVE-2009-3291
CVE-2009-3292
CVE-2009-3557
CVE-2009-3558
CVE-2009-4017
CVE-2009-4018
Version: 5
Platform(s): Ubuntu 8.04
Ubuntu 8.10
Ubuntu 9.10
Ubuntu 6.06
Ubuntu 9.04
Product(s): php5
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application118

ExploitDB Exploits

idDescription
2010-03-05Kolang (proc_open PHP safe mode bypass 4.3.10 - 5.3.0)

OpenVAS Exploits

DateDescription
2012-06-21Name : PHP version smaller than 5.2.11
File : nvt/nopsec_php_5_2_11.nasl
2012-06-21Name : PHP version smaller than 5.3.1
File : nvt/nopsec_php_5_3_1.nasl
2011-08-09Name : CentOS Update for php CESA-2010:0040 centos5 i386
File : nvt/gb_CESA-2010_0040_php_centos5_i386.nasl
2010-06-23Name : HP-UX Update for Apache with PHP HPSBUX02543
File : nvt/gb_hp_ux_HPSBUX02543.nasl
2010-05-12Name : Mac OS X 10.6.3 Update / Mac OS X Security Update 2010-002
File : nvt/macosx_upd_10_6_3_secupd_2010-002.nasl
2010-03-02Name : Fedora Update for maniadrive FEDORA-2010-0495
File : nvt/gb_fedora_2010_0495_maniadrive_fc11.nasl
2010-03-02Name : Fedora Update for php FEDORA-2010-0495
File : nvt/gb_fedora_2010_0495_php_fc11.nasl
2010-01-19Name : CentOS Update for php CESA-2010:0040 centos3 i386
File : nvt/gb_CESA-2010_0040_php_centos3_i386.nasl
2010-01-19Name : CentOS Update for php CESA-2010:0040 centos3 x86_64
File : nvt/gb_CESA-2010_0040_php_centos3_x86_64.nasl
2010-01-19Name : CentOS Update for php CESA-2010:0040 centos4 i386
File : nvt/gb_CESA-2010_0040_php_centos4_i386.nasl
2010-01-19Name : CentOS Update for php CESA-2010:0040 centos4 x86_64
File : nvt/gb_CESA-2010_0040_php_centos4_x86_64.nasl
2010-01-19Name : RedHat Update for php RHSA-2010:0040-01
File : nvt/gb_RHSA-2010_0040-01_php.nasl
2009-12-30Name : FreeBSD Ports: php5
File : nvt/freebsd_php56.nasl
2009-12-10Name : Mandriva Security Advisory MDVSA-2009:305 (php)
File : nvt/mdksa_2009_305.nasl
2009-12-10Name : Mandriva Security Advisory MDVSA-2009:324 (php)
File : nvt/mdksa_2009_324.nasl
2009-12-04Name : PHP Multiple Vulnerabilities Dec-09
File : nvt/gb_php_mult_vuln_dec09.nasl
2009-12-03Name : Mandriva Security Advisory MDVSA-2009:303 (php)
File : nvt/mdksa_2009_303.nasl
2009-12-03Name : Ubuntu USN-862-1 (php5)
File : nvt/ubuntu_862_1.nasl
0000-00-00Name : Slackware Advisory SSA:2010-024-02 php
File : nvt/esoft_slk_ssa_2010_024_02.nasl

Open Source Vulnerability Database (OSVDB)

idDescription
60451PHP File Upload Crafted multipart/form-data Temporary File Exhaustion Remote DoS
60438PHP ext/standard/proc_open.c proc_open() Function safe_mode_*_env_vars Bypass
60435PHP ext/posix/posix.c posix_mkfifo() Function open_basedir Bypass
60434PHP ext/standard/file.c tempnam() Function safe_mode Bypass

Nessus® Vulnerability Scanner

DateDescription
2013-07-12Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2010-0040.nasl - Type : ACT_GATHER_INFO
2012-08-01Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20100113_php_on_SL3_x.nasl - Type : ACT_GATHER_INFO
2010-10-11Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_apache2-mod_php5-6847.nasl - Type : ACT_GATHER_INFO
2010-09-17Name : The remote web server is affected by multiple vulnerabilities.
File : hpsmh_6_2_0_12.nasl - Type : ACT_GATHER_INFO
2010-07-30Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2009-302.nasl - Type : ACT_GATHER_INFO
2010-07-30Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2009-303.nasl - Type : ACT_GATHER_INFO
2010-07-01Name : The remote Fedora host is missing one or more security updates.
File : fedora_2010-0495.nasl - Type : ACT_GATHER_INFO
2010-03-29Name : The remote host is missing a Mac OS X update that fixes various security issues.
File : macosx_10_6_3.nasl - Type : ACT_GATHER_INFO
2010-03-29Name : The remote host is missing a Mac OS X update that fixes various security issues.
File : macosx_SecUpd2010-002.nasl - Type : ACT_GATHER_INFO
2010-02-25Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201001-03.nasl - Type : ACT_GATHER_INFO
2010-02-23Name : The remote openSUSE host is missing a security update.
File : suse_11_0_apache2-mod_php5-100212.nasl - Type : ACT_GATHER_INFO
2010-02-23Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_apache2-mod_php5-100212.nasl - Type : ACT_GATHER_INFO
2010-02-23Name : The remote openSUSE host is missing a security update.
File : suse_11_2_apache2-mod_php5-100215.nasl - Type : ACT_GATHER_INFO
2010-02-23Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_apache2-mod_php5-6846.nasl - Type : ACT_GATHER_INFO
2010-02-23Name : The remote openSUSE host is missing a security update.
File : suse_11_1_apache2-mod_php5-100212.nasl - Type : ACT_GATHER_INFO
2010-01-25Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2010-024-02.nasl - Type : ACT_GATHER_INFO
2010-01-14Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2010-0040.nasl - Type : ACT_GATHER_INFO
2010-01-14Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2010-0040.nasl - Type : ACT_GATHER_INFO
2009-12-18Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_39a25a63eb5c11deb65000215c6a37bb.nasl - Type : ACT_GATHER_INFO
2009-12-18Name : The remote web server uses a version of PHP that is affected by multiple flaws.
File : php_5_2_12.nasl - Type : ACT_GATHER_INFO
2009-12-08Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2009-324.nasl - Type : ACT_GATHER_INFO
2009-11-30Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2009-304.nasl - Type : ACT_GATHER_INFO
2009-11-30Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-862-1.nasl - Type : ACT_GATHER_INFO
2009-11-20Name : The remote web server uses a version of PHP that is affected by multiple flaws.
File : php_5_3_1.nasl - Type : ACT_GATHER_INFO
2009-10-22Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2009-285.nasl - Type : ACT_GATHER_INFO
2009-09-18Name : The remote web server uses a version of PHP that is affected by multiple flaws.
File : php_5_2_11.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
DateInformations
2014-02-17 11:40:59
  • Multiple Updates