Ubuntu 4.10 / 5.04 / 5.10 : php4, php5 vulnerabilities (USN-232-1)

Ubuntu Security Notice (C) 2005-2016 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.

Synopsis :

The remote Ubuntu host is missing one or more security-related

Description :

Eric Romang discovered a local Denial of Service vulnerability in the
handling of the 'session.save_path' parameter in PHP's Apache 2.0
module. By setting this parameter to an invalid value in an .htaccess
file, a local user could crash the Apache server. (CVE-2005-3319)

A Denial of Service flaw was found in the EXIF module. By sending an
image with specially crafted EXIF data to a PHP program that
automatically evaluates them (e. g. a web gallery), a remote attacker
could cause an infinite recursion in the PHP interpreter, which caused
the web server to crash. (CVE-2005-3353)

Stefan Esser reported a Cross Site Scripting vulnerability in the
phpinfo() function. By tricking a user into retrieving a specially
crafted URL to a PHP page that exposes phpinfo(), a remote attacker
could inject arbitrary HTML or web script into the output page and
possibly steal private data like cookies or session identifiers.

Stefan Esser discovered a vulnerability of the parse_str() function
when it is called with just one argument. By calling such programs
with specially crafted parameters, a remote attacker could enable the
'register_globals' option which is normally turned off for security
reasons. Once this option is enabled, the remote attacker could
exploit other security flaws of PHP programs which are normally
protected by 'register_globals' being deactivated. (CVE-2005-3389)

Stefan Esser discovered that a remote attacker could overwrite the
$GLOBALS array in PHP programs that allow file uploads and run with
'register_globals' enabled. Depending on the particular application,
this can lead to unexpected vulnerabilities. (CVE-2005-3390)

The 'gd' image processing and cURL modules did not properly check
processed file names against the 'open_basedir' and 'safe_mode'
restrictions, which could be exploited to circumvent these
limitations. (CVE-2005-3391)

Another bypass of the 'open_basedir' and 'safe_mode' restrictions was
found in virtual() function. A local attacker could exploit this to
circumvent these restrictions with specially crafted PHP INI files
when virtual Apache 2.0 hosts are used. (CVE-2005-3392)

The mb_send_mail() function did not properly check its arguments for
invalid embedded line breaks. By setting the 'To:' field of an email
to a specially crafted value in a PHP web mail application, a remote
attacker could inject arbitrary headers into the sent email.

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.5
CVSS Temporal Score : 6.5
Public Exploit Available : true

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 20776 ()

Bugtraq ID: 15248

CVE ID: CVE-2005-3319

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now