APPLE-SA-2011-10-12-3

APPLE-SA-2011-03-21-1

42729

42812

http://security-tracker.debian.org/tracker/CVE-2010-3436

SSA:2010-357-01

http://support.apple.com/kb/HT4581

http://support.apple.com/kb/HT5002

http://svn.php.net/viewvc/php/php-src/trunk/main/fopen_wrappers.c?r1=303824&r2=303823&pathrev=303824

http://svn.php.net/viewvc?view=revision&revision=303824

MDVSA-2010:218

http://www.php.net/archive/2010.php#id2010-12-10-1

http://www.php.net/ChangeLog-5.php

http://www.php.net/releases/5_2_15.php

http://www.php.net/releases/5_3_4.php

44723

USN-1042-1

ADV-2010-3313

ADV-2011-0077

According to the web server's banner, the version of HP System Management Homepage (SMH) hosted on the remote host is earlier than 7.0.  As such, it is reportedly affected by the following vulnerabilities :

 - An error exists in the 'generate-id' function in the    bundled libxslt library that can allow disclosure of    heap memory addresses. (CVE-2011-0195)

 - An unspecified input validation error exists and can    allow cross-site request forgery attacks. (CVE-2011-3846)

 - Unspecified errors can allow attackers to carry out    denial of service attacks via unspecified vectors.
   (CVE-2012-0135, CVE-2012-1993)

 - The bundled version of PHP contains multiple    vulnerabilities. (CVE-2010-3436, CVE-2010-4409,    CVE-2010-4645, CVE-2011-1148, CVE-2011-1153,    CVE-2011-1464, CVE-2011-1467, CVE-2011-1468,    CVE-2011-1470, CVE-2011-1471, CVE-2011-1938,    CVE-2011-2202, CVE-2011-2483, CVE-2011-3182,    CVE-2011-3189, CVE-2011-3267, CVE-2011-3268)

 - The bundled version of Apache contains multiple    vulnerabilities. (CVE-2010-1452, CVE-2010-1623,    CVE-2010-2068,  CVE-2010-2791, CVE-2011-0419,    CVE-2011-1928, CVE-2011-3192, CVE-2011-3348,    CVE-2011-3368, CVE-2011-3639)

 - OpenSSL libraries are contained in several of the    bundled components and contain multiple vulnerabilities.
   (CVE-2011-0014, CVE-2011-1468, CVE-2011-1945,    CVE-2011-3207,CVE-2011-3210)

 - Curl libraries are contained in several of the bundled    components and contain multiple vulnerabilities.
   (CVE-2009-0037, CVE-2010-0734, CVE-2011-2192)

The remote host is running a version of Mac OS X 10.6 that does not have Security Update 2011-006 applied.  This update contains numerous security-related fixes for the following components :

  - Apache
  - Application Firewall
  - ATS
  - BIND
  - Certificate Trust Policy
  - CFNetwork
  - CoreFoundation
  - CoreMedia
  - File Systems
  - IOGraphics
  - iChat Server
  - Mailman
  - MediaKit
  - PHP
  - postfix
  - python
  - QuickTime
  - Tomcat
  - User Documentation
  - Web Server
  - X11

The remote host is affected by the vulnerability described in GLSA-201110-06 (PHP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in PHP. Please review the       CVE identifiers referenced below for details.
  Impact :

    A context-dependent attacker could execute arbitrary code, obtain       sensitive information from process memory, bypass intended access       restrictions, or cause a Denial of Service in various ways.
    A remote attacker could cause a Denial of Service in various ways,       bypass spam detections, or bypass open_basedir restrictions.
  Workaround :

    There is no known workaround at this time.

The remote host is running a version of Mac OS X 10.5 that does not have Security Update 2011-001 applied. 

This security update contains fixes for the following products :

  - Apache
  - bzip2
  - ClamAV
  - ImageIO
  - Kerberos
  - Libinfo
  - libxml
  - Mailman
  - PHP
  - QuickLook
  - Ruby
  - X11

Versions of Mac OS X 10.6 earlier than 10.6.7 are potentially affected by a security issue.  Mac OS X 10.6.7 contains a security fix for the following products :

  - Airport

  - Apache

  - AppleScript

  - ATS

  - bzip2

  - CarbonCore

  - ClamAV

  - CoreText

  - HFS

  - ImageIO

  - Image RAW

  - Installer

  - Kerberos

  - Kernel

  - Libinfo

  - libxml

  - Mailman

  - PHP

  - QuickLook

  - QuickTime

  - Ruby

  - Samba

  - Subversion

  - Terminal

  - X11
IAVB Reference : 2010-B-0083
STIG Finding Severity : Category II

Versions of Mac OS X 10.6 earlier than 10.6.7 are potentially affected by a security issue.  Mac OS X 10.6.7 contains a security fix for the following products :

  - Airport

  - Apache

  - AppleScript

  - ATS

  - bzip2

  - CarbonCore

  - ClamAV

  - CoreText

  - HFS

  - ImageIO

  - Image RAW

  - Installer

  - Kerberos

  - Kernel

  - Libinfo

  - libxml

  - Mailman

  - PHP

  - QuickLook

  - QuickTime

  - Ruby

  - Samba

  - Subversion

  - Terminal

  - X11

USN-1042-1 fixed vulnerabilities in PHP5. The fix for CVE-2010-3436 introduced a regression in the open_basedir restriction handling code.
This update fixes the problem.

We apologize for the inconvenience.

It was discovered that attackers might be able to bypass open_basedir() restrictions by passing a specially crafted filename.
(CVE-2010-3436).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

MITRE reports :

fopen_wrappers.c in PHP 5.3.x through 5.3.3 might allow remote attackers to bypass open_basedir restrictions via vectors related to the length of a filename.

It was discovered that an integer overflow in the XML UTF-8 decoding code could allow an attacker to bypass cross-site scripting (XSS) protections. This issue only affected Ubuntu 6.06 LTS, Ubuntu 8.04 LTS, and Ubuntu 9.10. (CVE-2009-5016)

It was discovered that the XML UTF-8 decoding code did not properly handle non-shortest form UTF-8 encoding and ill-formed subsequences in UTF-8 data, which could allow an attacker to bypass cross-site scripting (XSS) protections. (CVE-2010-3870)

It was discovered that attackers might be able to bypass open_basedir() restrictions by passing a specially crafted filename.
(CVE-2010-3436)

Maksymilian Arciemowicz discovered that a NULL pointer derefence in the ZIP archive handling code could allow an attacker to cause a denial of service through a specially crafted ZIP archive. This issue only affected Ubuntu 8.04 LTS, Ubuntu 9.10, Ubuntu 10.04 LTS, and Ubuntu 10.10. (CVE-2010-3709)

It was discovered that a stack consumption vulnerability in the filter_var() PHP function when in FILTER_VALIDATE_EMAIL mode, could allow a remote attacker to cause a denial of service. This issue only affected Ubuntu 8.04 LTS, Ubuntu 9.10, Ubuntu 10.04 LTS, and Ubuntu 10.10. (CVE-2010-3710)

It was discovered that the mb_strcut function in the Libmbfl library within PHP could allow an attacker to read arbitrary memory within the application process. This issue only affected Ubuntu 10.10.
(CVE-2010-4156)

Maksymilian Arciemowicz discovered that an integer overflow in the NumberFormatter::getSymbol function could allow an attacker to cause a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 10.10. (CVE-2010-4409)

Rick Regan discovered that when handing PHP textual representations of the largest subnormal double-precision floating-point number, the zend_strtod function could go into an infinite loop on 32bit x86 processors, allowing an attacker to cause a denial of service.
(CVE-2010-4645).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New php packages are available for Slackware 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix security issues.

According to its banner the version of PHP installed on the remote host is earlier than 5.2.15.  Such versions are potentially affected by multiple vulnerabilities :

  - A crash in the zip extract method.

  - A possible double free exists in the IMAP extension. (CVE-2010-4150)

  - An unspecified flaw exists in 'open_basedir'. (CVE-2010-3436)

  - A possible crash could occur in 'mssql_fetch_batch()'.

  - A NULL pointer dereference exists in 'zipArchive::getArchiveComment'. (CVE-2010-3709)

  - A crash exists if anti-aliasing steps are invalid. (Bug 53492)

  - A crash exists in pdo_firebird get_Attribute(). (Bug 53323)

  - A use-after-free vulnerability in the Zend engine when a '__set()', '__get()', or '__unset()' method is called can allow for a denial of service attack. (Bug #52879 / CVE-2010-4697)

  - A stack-based buffer overflow exists in the 'imagepstext()' function in the GD extension. (Bug #53492 / CVE-2010-4698)

  - The extract function does not prevent use of the EXTR_OVERWRITE parameter to overwrite the GLOBALS superglobal array and the 'this' variable, which allows attackers to bypass intended access restrictions. (CVE-2011-0752)

According to its banner, the version of PHP 5.3 installed on the remote host is older than 5.3.4.  Such versions may be affected by several security issues :

  - A crash in the zip extract method.

  - A stack-based buffer overflow in impagepstext()     of the GD extension.

  - An unspecified vulnerability related to     symbolic resolution when using a DFS share.

  - A security bypass vulnerability related     to using pathnames containing NULL bytes.
    (CVE-2006-7243)

  - Multiple format string vulnerabilities.
    (CVE-2010-2094, CVE-2010-2950)

  - An unspecified security bypass vulnerability     in open_basedir(). (CVE-2010-3436)

  - A NULL pointer dereference in     ZipArchive::getArchiveComment. (CVE-2010-3709)

  - Memory corruption in php_filter_validate_email().
    (CVE-2010-3710)

  - An input validation vulnerability in     xml_utf8_decode(). (CVE-2010-3870)

  - A possible double free in the IMAP extension.
    (CVE-2010-4150)

  - An information disclosure vulnerability in     'mb_strcut()'. (CVE-2010-4156)

  - An integer overflow vulnerability in 'getSymbol()'.
    (CVE-2010-4409)

  - A use-after-free vulnerability in the Zend engine when     a '__set()', '__get()', '__isset()' or '__unset()'     method is called can allow for a denial of service     attack. (Bug #52879 / CVE-2010-4697)

  - A stack-based buffer overflow exists in the     'imagepstext()' function in the GD extension. (Bug     #53492 / CVE-2010-4698)

  - The 'iconv_mime_decode_headers()' function in the iconv     extension fails to properly handle encodings that are     not recognized by the iconv and mbstring     implementations. (Bug #52941 / CVE-2010-4699)

  - The 'set_magic_quotes_runtime()' function when the     MySQLi extension is used does not properly interact     with the 'mysqli_fetch_assoc()' function. (Bug #52221 /     CVE-2010-4700)

  - A race condition exists in the PCNTL extension.
    (CVE-2011-0753)

  - The SplFileInfo::getType function in the Standard PHP     Library extension does not properly detect symbolic     links. (CVE-2011-0754)

  - An integer overflow exists in the mt_rand function.
    (CVE-2011-0755)

According to its banner, the version of PHP 5.2 installed on the remote host is older than 5.2.15.  Such versions may be affected by several security issues :
  - A crash in the zip extract method.

  - A possible double free exists in the imap extension.
    (CVE-2010-4150)

  - An unspecified flaw exists in 'open_basedir'.     (CVE-2010-3436)

  - A possible crash could occur in 'mssql_fetch_batch()'.
  - A NULL pointer dereference exists in     'ZipArchive::getArchiveComment'. (CVE-2010-3709)

  - A crash exists if anti-aliasing steps are invalid.
    (Bug #53492)

  - A crash exists in pdo_firebird getAttribute(). (Bug     #53323)

  - A user-after-free vulnerability in the Zend engine when     a '__set()', '__get()', '__isset()' or '__unset()'     method is called can allow for a denial of service     attack. (Bug #52879 / CVE-2010-4697)

  - A stack-based buffer overflow exists in the     'imagepstext()' function in the GD extension. (Bug     #53492 / CVE-2010-4698)     
  - The extract function does not prevent use of the     EXTR_OVERWRITE parameter to overwrite the GLOBALS     superglobal array and the 'this' variable, which     allows attackers to bypass intended access restrictions.
    (CVE-2011-0752)

According to its banner the version of PHP installed on the remote host is 5.3.x earlier than 5.3.4.  Such versions are potentially affected by multiple vulnerabilities :

  - A crash in the zip extract method.

  - A stack buffer overflow in impagepstext() of the GD extension.

  - An unspecified vulnerability related to symbolic resolution when using a DFS share.

  - A security bypass vulnerability related to using pathnames containing NULL bytes. (CVE-2006-7243)

  - Multiple format string vulnerabilities. (CVE-2010-2094, CVE-2010-2950)

  - An unspecified security bypass vulnerability in open_basedir(). (CVE-2010-3436)

  - A NULL pointer dereference in ZipArchive::getArchiveComment. (CVE-2010-3709)

  - Memory corruption in php_filter_validate_email(). (CVE-2010-3710)

  - An input validation vulnerability in xml_utf8_decode(). (CVE-2010-3870)

  - A possible double free in the IMAP extension. (CVE-2010-4150)
  - An information disclosure vulnerability in 'mb_strcut()'. (CVE-2010-4156)

  - An integer overflow vulnerability in 'getSymbol()'. (CVE-2010-4409)

  - A use-after-free vulnerability in the Zend engine when a '__set()', '__get()', '__isset()' or '__unset()' method is called can allow for a denial of service attack. (Bug #52879 / CVE-2010-4697)

  - A stack-based buffer overflow exists in the 'imagepstext()' function in the GD extension. (Bug #53492 / CVE-2010-4698)

  - The 'iconv_mime_decode_headers()' function in the iconv extension fails to properly handle encodings that are not recognized by the iconv and mbstring implementations. (Bug #52941 / CVE-2010-4699)

  - The 'set_magic_quotes_runtime()' function when the MySQLi extension is used does not properly interact with the 'mysqli_fetch_assoc()' function. (Bug #52221 / CVE-2010-4700)

  - A race condition exists in the PCNTL extension. (CVE-2011-0753)

  - The SplFileInfo::getType function in the Standard PHP Library extension does not properly detect symbolic links. (CVE-2011-0754)

  - An integer overflow exists in the mt_rand function. (CVE-2011-0755)

According to its banner the version of PHP installed on the remote host is 5.3.x earlier than 5.3.4.  Such versions are potentially affected by multiple vulnerabilities :

  - A crash in the zip extract method.
  - A stack buffer overflow in impagepstext() of the GD extension.
  - An unspecified vulnerability related to symbolic resolution when using a DFS share.
  - A security bypass vulnerability related to using pathnames containing NULL bytes. (CVE-2006-7243)
  - Multiple format string vulnerabilities. (CVE-2010-2094, CVE-2010-2950)
  - An unspecified security bypass vulnerability in open_basedir(). (CVE-2010-3436)
  - A NULL pointer dereference in ZipArchive::getArchiveComment. (CVE-2010-3709)
  - Memory corruption in php_filter_validate_email(). (CVE-2010-3710)
  - An input validation vulnerability in xml_utf8_decode(). (CVE-2010-3870)
  - A possible double free in the IMAP extension. (CVE-2010-4150)
  - An information disclosure vulnerability in 'mb_strcut()'. (CVE-2010-4156)
  - An integer overflow vulnerability in 'getSymbol()'. (CVE-2010-4409)
  - A use-after-free vulnerability in the Zend engine when a '__set()', '__get()', '__isset()' or '__unset()' method is called can allow for a denial of service attack. (Bug #52879 / CVE-2010-4697)
  - A stack-based buffer overflow exists in the 'imagepstext()' function in the GD extension. (Bug #53492 / CVE-2010-4698)
  - The 'iconv_mime_decode_headers()' function in the iconv extension fails to properly handle encodings that are not recognized by the iconv and mbstring implementations. (Bug #52941 / CVE-2010-4699)
  - The 'set_magic_quotes_runtime()' function when the MySQLi extension is used does not properly interact with the 'mysqli_fetch_assoc()' function. (Bug #52221 / CVE-2010-4700)
  - A race condition exists in the PCNTL extension. (CVE-2011-0753)
  - The SplFileInfo::getType function in the Standard PHP Library extension does not properly detect symbolic links. (CVE-2011-0754)
  - An integer overflow exists in the mt_rand function. (CVE-2011-0755)

Multiple vulnerabilities were discovered and corrected in php :

Stack consumption vulnerability in the filter_var function in PHP 5.2.x through 5.2.14 and 5.3.x through 5.3.3, when FILTER_VALIDATE_EMAIL mode is used, allows remote attackers to cause a denial of service (memory consumption and application crash) via a long e-mail address string (CVE-2010-3710).

A NULL pointer dereference was discovered in ZipArchive::getArchiveComment (CVE-2010-3709).

A possible flaw was discovered in open_basedir (CVE-2010-3436).

Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&amp;products_id=4 90

The updated packages have been patched to correct these issues.

ID	Name	Product	Family	Severity
58811	HP System Management Homepage < 7.0 Multiple Vulnerabilities	Nessus	Web Servers	critical
56481	Mac OS X Multiple Vulnerabilities (Security Update 2011-006)	Nessus	MacOS X Local Security Checks	critical
56459	GLSA-201110-06 : PHP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
52753	Mac OS X Multiple Vulnerabilities (Security Update 2011-001)	Nessus	MacOS X Local Security Checks	high
800796	Mac OS X 10.6 < 10.6.7 Multiple Vulnerabilities	Log Correlation Engine	Operating System Detection	high
5826	Mac OS X 10.6 < 10.6.7 Multiple Vulnerabilities	Nessus Network Monitor	Generic	critical
51525	Ubuntu 6.06 LTS / 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : php5 regression (USN-1042-2)	Nessus	Ubuntu Local Security Checks	medium
51506	FreeBSD : php -- open_basedir bypass (73634294-0fa7-11e0-becc-0022156e8794)	Nessus	FreeBSD Local Security Checks	medium
51502	Ubuntu 6.06 LTS / 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : php5 vulnerabilities (USN-1042-1)	Nessus	Ubuntu Local Security Checks	medium
51371	Slackware 11.0 / 12.0 / 12.1 / 12.2 / 13.0 / 13.1 / current : php (SSA:2010-357-01)	Nessus	Slackware Local Security Checks	medium
801097	PHP 5.2.x < 5.2.15 Multiple Vulnerabilities	Log Correlation Engine	Web Servers	high
51140	PHP 5.3 < 5.3.4 Multiple Vulnerabilities	Nessus	CGI abuses	medium
51139	PHP 5.2 < 5.2.15 Multiple Vulnerabilities	Nessus	CGI abuses	medium
5733	PHP 5.2.x < 5.2.15 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
801074	PHP 5.3 < 5.3.4 Multiple Vulnerabilities	Log Correlation Engine	Web Servers	high
5732	PHP 5.3.x < 5.3.4 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
50429	Mandriva Linux Security Advisory : php (MDVSA-2010:218)	Nessus	Mandriva Local Security Checks	medium

CVE-2010-3436

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins