Executive Summary
| Summary | |
|---|---|
| Title | New suphp packages fix local privilege escalation |
| Informations | |||
|---|---|---|---|
| Name | DSA-1550 | First vendor Publication | 2008-04-17 |
| Vendor | Debian | Last vendor Modification | 2008-04-17 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:L/AC:L/Au:S/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 4.3 | Attack Range | Local |
| Cvss Impact Score | 6.4 | Attack Complexity | Low |
| Cvss Expoit Score | 3.1 | Authentication | Requires single instance |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| It was discovered that suphp, an Apache module to run PHP scripts with owner permissions handles symlinks insecurely, which may lead to privilege escalation by local users. For the stable distribution (etch), this problem has been fixed in version 0.6.2-1+etch0. For the unstable distribution (sid), this problem will be fixed soon. We recommend that you upgrade your suphp packages. |
Original Source
| Url : http://www.debian.org/security/2008/dsa-1550 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:20183 | |||
| Oval ID: | oval:org.mitre.oval:def:20183 | ||
| Title: | DSA-1550-1 suphp | ||
| Description: | It was discovered that suphp, an Apache module to run PHP scripts with owner permissions handles symlinks insecurely, which may lead to privilege escalation by local users. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1550-1 CVE-2008-1614 | Version: | 5 |
| Platform(s): | Debian GNU/Linux 4.0 | Product(s): | suphp |
| Definition Synopsis: | |||
| Definition Id: oval:org.mitre.oval:def:8236 | |||
| Oval ID: | oval:org.mitre.oval:def:8236 | ||
| Title: | DSA-1550 suphp -- programming error | ||
| Description: | It was discovered that suphp, an Apache module to run PHP scripts with owner permissions handles symlinks insecurely, which may lead to privilege escalation by local users. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1550 CVE-2008-1614 | Version: | 3 |
| Platform(s): | Debian GNU/Linux 4.0 | Product(s): | suphp |
| Definition Synopsis: | |||
| |||
OpenVAS Exploits
| Date | Description |
|---|---|
| 2009-02-16 | Name : Fedora Update for mod_suphp FEDORA-2008-2815 File : nvt/gb_fedora_2008_2815_mod_suphp_fc7.nasl |
| 2009-02-16 | Name : Fedora Update for mod_suphp FEDORA-2008-2868 File : nvt/gb_fedora_2008_2868_mod_suphp_fc8.nasl |
| 2008-09-04 | Name : FreeBSD Ports: suphp File : nvt/freebsd_suphp.nasl |
| 2008-04-21 | Name : Debian Security Advisory DSA 1550-1 (suphp) File : nvt/deb_1550_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 43994 | suPHP for Apache (mod_suphp) Directory Symlink Local Privilege Escalation |
| 43993 | suPHP for Apache (mod_suphp) Owner Mode Race Condition Symlink Local Privileg... |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2008-04-22 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1550.nasl - Type : ACT_GATHER_INFO |
| 2008-04-11 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_fb67233002db11ddbd060017319806e7.nasl - Type : ACT_GATHER_INFO |
| 2008-04-04 | Name : The remote Fedora host is missing a security update. File : fedora_2008-2815.nasl - Type : ACT_GATHER_INFO |
| 2008-04-04 | Name : The remote Fedora host is missing a security update. File : fedora_2008-2868.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:27:33 |
|
