| Test ID: | 1.3.6.1.4.1.25623.1.0.801060 |
| Category: | Web application abuses |
| Title: | PHP Multiple Vulnerabilities Dec-09 |
| Summary: | Check for the version of PHP |
| Description: |
Overview: This host is running PHP and is prone to multiple vulnerabilities.

Vulnerability Insight: Multiple flaws are due to:
- Error in 'proc_open()' function in 'ext/standard/proc_open.c' that does not enforce the 'safe_mode_allowed_env_vars' and 'safe_mode_protected_env_vars' directives, which allows attackers to execute programs with an arbitrary environment via the env parameter.
- Error in 'zend_restore_ini_entry_cb()' function in 'zend_ini.c', which allows attackers to obtain sensitive information.

Impact: Successful exploitation could allow local attackers to bypass certain security restrictions and cause denial of service.

Impact Level: Network

Affected Software/OS:
- PHP version 5.2.10 and prior.
- PHP version 5.3.x before 5.3.1

Fix: Upgrade to PHP version 5.3.1
http://www.php.net/downloads.php

References:
- http://secunia.com/advisories/37482
- http://bugs.php.net/bug.php?id=49026
- http://securityreason.com/achievement_securityalert/65
- http://www.openwall.com/lists/oss-security/2009/11/23/15 |
| Cross-Ref: |
BugTraq ID: 37138
BugTraq ID: 36009

Common Vulnerability Exposure (CVE) ID: CVE-2009-4018
- http://marc.info/?l=oss-security&m=125886770008678&w=2
- http://marc.info/?l=oss-security&m=125897935330618&w=2
- http://www.openwall.com/lists/oss-security/2009/11/23/15
- HP Security Advisory: HPSBUX02543
- http://marc.info/?l=bugtraq&m=127680701405735&w=2
- HP Security Advisory: SSRT100152
- HP Security Advisory: HPSBMA02568
- http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02512995
- HP Security Advisory: SSRT100219
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:303
- http://www.securityfocus.com/bid/37138
- http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:7256
- http://secunia.com/advisories/40262
- http://secunia.com/advisories/41480
- http://secunia.com/advisories/41490

Common Vulnerability Exposure (CVE) ID: CVE-2009-2626
- http://securityreason.com/achievement_securityalert/65
- Debian Security Information: DSA-1940
- http://www.debian.org/security/2009/dsa-1940
- http://www.securityfocus.com/bid/36009
- http://secunia.com/advisories/37482 |
| Copyright | Copyright (C) 2009 Greenbone Networks GmbH |