
Test ID: 1.3.6.1.4.1.25623.1.0.66320
Category: Mandrake Local Security Checks
Title: Mandriva Security Advisory MDVSA-2009:303 (php)
Summary: Mandriva Security Advisory MDVSA-2009:303 (php)
Description: The remote host is missing an update to php
announced via advisory MDVSA-2009:303.

Some vulnerabilities were discovered and corrected in php-5.2.11:

The tempnam function in ext/standard/file.c in PHP 5.2.11 and
earlier, and 5.3.x before 5.3.1, allows context-dependent attackers
to bypass safe_mode restrictions, and create files in group-writable
or world-writable directories, via the dir and prefix arguments
(CVE-2009-3557).

The posix_mkfifo function in ext/posix/posix.c in PHP 5.2.11 and
earlier, and 5.3.x before 5.3.1, allows context-dependent attackers
to bypass open_basedir restrictions, and create FIFO files, via the
pathname and mode arguments, as demonstrated by creating a .htaccess
file (CVE-2009-3558).

PHP 5.2.11, and 5.3.x before 5.3.1, does not restrict the number
of temporary files created when handling a multipart/form-data POST
request, which allows remote attackers to cause a denial of service
(resource exhaustion), and makes it easier for remote attackers to
exploit local file inclusion vulnerabilities, via multiple requests,
related to lack of support for the max_file_uploads directive
(CVE-2009-4017).

The proc_open function in ext/standard/proc_open.c in PHP
before 5.2.11 and 5.3.x before 5.3.1 does not enforce the (1)
safe_mode_allowed_env_vars and (2) safe_mode_protected_env_vars
directives, which allows context-dependent attackers to execute
programs with an arbitrary environment via the env parameter, as
demonstrated by a crafted value of the LD_LIBRARY_PATH environment
variable (CVE-2009-4018).

Intermittent segfaults occurred on x86_64 with the latest phpmyadmin
and with apache (#53735).

Additionally, some packages that require it have been rebuilt and
are being provided as updates.

Affected: 2009.1

Solution:
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

http://www.securityspace.com/smysecure/catid.html?in=MDVSA-2009:303
Cross-reference: Common Vulnerability Exposure (CVE) ID: CVE-2009-3557
http://www.openwall.com/lists/oss-security/2009/11/20/2
http://www.openwall.com/lists/oss-security/2009/11/20/3
http://www.openwall.com/lists/oss-security/2009/11/20/5
http://news.php.net/php.announce/79
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
HP Security Advisory: HPSBUX02543
http://marc.info/?l=bugtraq&m=127680701405735&w=2
HP Security Advisory: SSRT100152
http://www.mandriva.com/security/advisories?name=MDVSA-2009:302
http://www.mandriva.com/security/advisories?name=MDVSA-2009:285
http://www.mandriva.com/security/advisories?name=MDVSA-2009:303
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:7396
http://secunia.com/advisories/37412
http://secunia.com/advisories/37821
http://secunia.com/advisories/40262
http://securityreason.com/securityalert/6601
http://www.vupen.com/english/advisories/2009/3593
Common Vulnerability Exposure (CVE) ID: CVE-2009-3558
http://securityreason.com/securityalert/6600
Common Vulnerability Exposure (CVE) ID: CVE-2009-4017
Bugtraq: 20091120 PHP "multipart/form-data" denial of service
http://www.securityfocus.com/archive/1/archive/1/507982/100/0/threaded
http://seclists.org/fulldisclosure/2009/Nov/228
http://www.openwall.com/lists/oss-security/2009/11/20/7
http://www.acunetix.com/blog/websecuritynews/php-multipartform-data-denial-of-service/
Debian Security Information: DSA-1940
http://www.debian.org/security/2009/dsa-1940
HP Security Advisory: HPSBMA02568
http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02512995
HP Security Advisory: SSRT100219
http://www.mandriva.com/security/advisories?name=MDVSA-2009:305
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10483
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:6667
http://secunia.com/advisories/37482
http://secunia.com/advisories/41480
http://secunia.com/advisories/41490
XForce ISS Database: php-multipart-formdata-dos(54455)
http://xforce.iss.net/xforce/xfdb/54455
Common Vulnerability Exposure (CVE) ID: CVE-2009-4018
http://marc.info/?l=oss-security&m=125886770008678&w=2
http://marc.info/?l=oss-security&m=125897935330618&w=2
http://www.openwall.com/lists/oss-security/2009/11/23/15
BugTraq ID: 37138
http://www.securityfocus.com/bid/37138
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:7256
Copyright: Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com
