SSRT100018

APPLE-SA-2010-08-24-1

38708

40551

1023661

http://support.apple.com/kb/HT4312

http://www.php.net/ChangeLog-5.php

http://www.php.net/releases/5_2_13.php

38431

ADV-2010-0479

ADV-2010-1796

The remote host is affected by the vulnerability described in GLSA-201110-06 (PHP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in PHP. Please review the       CVE identifiers referenced below for details.
  Impact :

    A context-dependent attacker could execute arbitrary code, obtain       sensitive information from process memory, bypass intended access       restrictions, or cause a Denial of Service in various ways.
    A remote attacker could cause a Denial of Service in various ways,       bypass spam detections, or bypass open_basedir restrictions.
  Workaround :

    There is no known workaround at this time.

Auke van Slooten discovered that PHP incorrectly handled certain xmlrpc requests. An attacker could exploit this issue to cause the PHP server to crash, resulting in a denial of service. This issue only affected Ubuntu 6.06 LTS, 8.04 LTS, 9.04 and 9.10. (CVE-2010-0397)

It was discovered that the pseudorandom number generator in PHP did not provide the expected entropy. An attacker could exploit this issue to predict values that were intended to be random, such as session cookies. This issue only affected Ubuntu 6.06 LTS, 8.04 LTS, 9.04 and 9.10. (CVE-2010-1128)

It was discovered that PHP did not properly handle directory pathnames that lacked a trailing slash character. An attacker could exploit this issue to bypass safe_mode restrictions. This issue only affected Ubuntu 6.06 LTS, 8.04 LTS, 9.04 and 9.10. (CVE-2010-1129)

Grzegorz Stachowiak discovered that the PHP session extension did not properly handle semicolon characters. An attacker could exploit this issue to bypass safe_mode restrictions. This issue only affected Ubuntu 8.04 LTS, 9.04 and 9.10. (CVE-2010-1130)

Stefan Esser discovered that PHP incorrectly decoded remote HTTP chunked encoding streams. An attacker could exploit this issue to cause the PHP server to crash and possibly execute arbitrary code with application privileges. This issue only affected Ubuntu 10.04 LTS.
(CVE-2010-1866)

Mateusz Kocielski discovered that certain PHP SQLite functions incorrectly handled empty SQL queries. An attacker could exploit this issue to possibly execute arbitrary code with application privileges.
(CVE-2010-1868)

Mateusz Kocielski discovered that PHP incorrectly handled certain arguments to the fnmatch function. An attacker could exploit this flaw and cause the PHP server to consume all available stack memory, resulting in a denial of service. (CVE-2010-1917)

Stefan Esser discovered that PHP incorrectly handled certain strings in the phar extension. An attacker could exploit this flaw to possibly view sensitive information. This issue only affected Ubuntu 10.04 LTS.
(CVE-2010-2094, CVE-2010-2950)

Stefan Esser discovered that PHP incorrectly handled deserialization of SPLObjectStorage objects. A remote attacker could exploit this issue to view sensitive information and possibly execute arbitrary code with application privileges. This issue only affected Ubuntu 8.04 LTS, 9.04, 9.10 and 10.04 LTS. (CVE-2010-2225)

It was discovered that PHP incorrectly filtered error messages when limits for memory, execution time, or recursion were exceeded. A remote attacker could exploit this issue to possibly view sensitive information. (CVE-2010-2531)

Stefan Esser discovered that the PHP session serializer incorrectly handled the PS_UNDEF_MARKER marker. An attacker could exploit this issue to alter arbitrary session variables. (CVE-2010-3065).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is running a version of Mac OS X 10.6 or 10.5 that does not have Security Update 2010-005 applied. 

This security update contains fixes for the following products :

  - ATS
  - CFNetwork
  - ClamAV
  - CoreGraphics
  - libsecurity
  - PHP
  - Samba

Multiple vulnerabilities has been found and corrected in php :

  - Improved LCG entropy. (Rasmus, Samy Kamkar)     (CVE-2010-1128)

    - Fixed safe_mode validation inside tempnam() when the       directory path does not end with a /). (Martin Jansen)       (CVE-2010-1129)

  - Fixed a possible open_basedir/safe_mode bypass in the     session extension identified by Grzegorz Stachowiak.
    (Ilia) (CVE-2010-1130)

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.

The updated packages have been patched to correct these issues.

According to its banner, the version of PHP installed on the remote host is earlier than 5.3.2 / 5.2.13.  Such versions are potentially affected by multiple vulnerabilities : 

  - A safe_mode validation issue inside 'tempnam()' when the directory path does not end with a '/'.

  - A possible open_basedir/safe_mode bypass in the session extension.



According to its banner, the version of PHP installed on the remote host is older than 5.3.2 / 5.2.13.  Such versions may be affected by several security issues :

  - Directory paths not ending with '/' may not be     correctly validated inside 'tempnam()' in     'safe_mode' configuration.

  - It may be possible to bypass the 'open_basedir'/     'safe_mode' configuration restrictions due to an     error in session extensions.

  - An unspecified vulnerability affects the LCG entropy.

ID	Name	Product	Family	Severity
56459	GLSA-201110-06 : PHP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
49306	Ubuntu 6.06 LTS / 8.04 LTS / 9.04 / 9.10 / 10.04 LTS : php5 vulnerabilities (USN-989-1)	Nessus	Ubuntu Local Security Checks	high
48424	Mac OS X Multiple Vulnerabilities (Security Update 2010-005)	Nessus	MacOS X Local Security Checks	high
45029	Mandriva Linux Security Advisory : php (MDVSA-2010:058)	Nessus	Mandriva Local Security Checks	high
801102	PHP < 5.3.2 / 5.2.13 Multiple Vulnerabilities	Log Correlation Engine	Web Servers	medium
5346	PHP < 5.2.13 / 5.3.x < 5.3.2 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
44921	PHP < 5.3.2 / 5.2.13 Multiple Vulnerabilities	Nessus	CGI abuses	medium

CVE-2010-1129

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Tenable Plugins

critical

high

high

high

medium

high

medium