Multiple cross-site scripting (XSS) vulnerabilities in PHP 4.4.1 and 5.1.1, when display_errors and html_errors are on, allow remote attackers to inject arbitrary web script or HTML via inputs to PHP applications that are not filtered when they are included in the resulting error message.

According to its banner, the version of PHP 5.1.x installed on the remote host is older than 5.1.2.  Such versions may be affected by multiple vulnerabilities :

  - A format string vulnerability exists in the     error-reporting feature of the mysqli extension.
    (CVE-2006-0200)

  - Multiple HTTP response splitting vulnerabilities exist     that would allow remote attackers to inject arbitrary     HTTP headers via a crafted Set-Cookie header.     (CVE-2006-0207)

  - Multiple cross-site scripting vulnerabilities exist when     display_errors and html_errors are on. (CVE-2006-0208)

According to its banner, the version of PHP installed on the remote host is older than 4.4.2.  Such versions are potentially affected by multiple cross-site scripting vulnerabilities when display_errors and html_errors are on.

Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.

The phpinfo() PHP function did not properly sanitize long strings. An attacker could use this to perform cross-site scripting attacks against sites that have publicly-available PHP scripts that call phpinfo(). (CVE-2006-0996)

The html_entity_decode() PHP function was found to not be binary safe.
An attacker could use this flaw to disclose a certain part of the memory. In order for this issue to be exploitable the target site would need to have a PHP script which called the 'html_entity_decode()' function with untrusted input from the user and displayed the result. (CVE-2006-1490)

The error handling output was found to not properly escape HTML output in certain cases. An attacker could use this flaw to perform cross-site scripting attacks against sites where both display_errors and html_errors are enabled. (CVE-2006-0208)

An input validation error was found in the 'mb_send_mail()' function.
An attacker could use this flaw to inject arbitrary headers in a mail sent via a script calling the 'mb_send_mail()' function where the 'To' parameter can be controlled by the attacker. (CVE-2005-3883)

A buffer overflow flaw was discovered in uw-imap, the University of Washington's IMAP Server. php-imap is compiled against the static c-client libraries from imap and therefore needed to be recompiled against the fixed version. This issue only affected Red Hat Enterprise Linux 3. (CVE-2005-2933).

Users of PHP should upgrade to these updated packages, which contain backported patches that resolve these issues.

Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 2.1.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.

The phpinfo() PHP function did not properly sanitize long strings. An attacker could use this to perform cross-site scripting attacks against sites that have publicly-available PHP scripts that call phpinfo(). (CVE-2006-0996)

The error handling output was found to not properly escape HTML output in certain cases. An attacker could use this flaw to perform cross-site scripting attacks against sites where both display_errors and html_errors are enabled. (CVE-2006-0208)

A buffer overflow flaw was discovered in uw-imap, the University of Washington's IMAP Server. php-imap is compiled against the static c-client libraries from imap and therefore needed to be recompiled against the fixed version. (CVE-2005-2933)

The wordwrap() PHP function did not properly check for integer overflow in the handling of the 'break' parameter. An attacker who could control the string passed to the 'break' parameter could cause a heap overflow. (CVE-2006-1990)

Users of PHP should upgrade to these updated packages, which contain backported patches that resolve these issues.

The remote Redhat Enterprise Linux 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2006:0276 advisory.

    PHP is an HTML-embedded scripting language commonly used with the Apache     HTTP Web server.

    The phpinfo() PHP function did not properly sanitize long strings.  An     attacker could use this to perform cross-site scripting attacks against     sites that have publicly-available PHP scripts that call phpinfo().
    (CVE-2006-0996)

    The html_entity_decode() PHP function was found to not be binary safe. An     attacker could use this flaw to disclose a certain part of the memory.  In     order for this issue to be exploitable the target site would need to have a     PHP script which called the html_entity_decode() function with untrusted     input from the user and displayed the result.  (CVE-2006-1490)

    The error handling output was found to not properly escape HTML output in     certain cases.  An attacker could use this flaw to perform cross-site     scripting attacks against sites where both display_errors and html_errors     are enabled.  (CVE-2006-0208)

    An input validation error was found in the mb_send_mail() function.  An     attacker could use this flaw to inject arbitrary headers in a mail sent via     a script calling the mb_send_mail() function where the To parameter can     be controlled by the attacker.  (CVE-2005-3883)

    A buffer overflow flaw was discovered in uw-imap, the University of     Washington's IMAP Server.  php-imap is compiled against the static c-client     libraries from imap and therefore needed to be recompiled against the fixed     version.  This issue only affected Red Hat Enterprise Linux 3.
    (CVE-2005-2933).

    Users of PHP should upgrade to these updated packages, which contain     backported patches that resolve these issues.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-200603-22 (PHP: Format string and XSS vulnerabilities)

    Stefan Esser of the Hardened PHP project has reported a few     vulnerabilities found in PHP:
    Input passed to the session     ID in the session extension isn't properly sanitised before being     returned to the user via a 'Set-Cookie' HTTP header, which can contain     arbitrary injected data.
    A format string error while     processing error messages using the mysqli extension in version 5.1 and     above.
  Impact :

    By sending a specially crafted request, a remote attacker can     exploit this vulnerability to inject arbitrary HTTP headers, which will     be included in the response sent to the user. The format string     vulnerability may be exploited to execute arbitrary code.
  Workaround :

    There is no known workaround at this time.

Stefan Esser discovered that the 'session' module did not sufficiently verify the validity of the user-supplied session ID. A remote attacker could exploit this to insert arbitrary HTTP headers into the response sent by the PHP application, which could lead to HTTP Response Splitting (forging of arbitrary responses on behalf the PHP application) and Cross Site Scripting (XSS) (execution of arbitrary web script code in the client's browser) attacks. (CVE-2006-0207)

PHP applications were also vulnerable to several Cross Site Scripting (XSS) flaws if the options 'display_errors' and 'html_errors' were enabled. Please note that enabling 'html_errors' is not recommended for production systems. (CVE-2006-0208).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple response splitting vulnerabilities in PHP allow remote attackers to inject arbitrary HTTP headers via unknown attack vectors, possibly involving a crafted Set-Cookie header, related to the (1) session extension (aka ext/session) and the (2) header function.
(CVE-2006-0207)

Multiple cross-site scripting (XSS) vulnerabilities in PHP allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors in 'certain error conditions.' (CVE-2006-0208). This issue does not affect Corporate Server 2.1.

Updated packages are patched to address these issues. Users must execute 'service httpd restart' for the new PHP modules to be loaded by Apache.

There is a flaw in the remote UW-IMAP server that allows an authenticated user to execute arbitrary code on the server.  The flaw is in the way that UW-IMAP handles quoted mailbox names.  Specifically, an attacker supplying a long mailbox name which only contained one '"' would be able to overwrite memory and execute arbitrary code.

ID	Name	Product	Family	Severity
17712	PHP 5.1.x < 5.1.2 Multiple Vulnerabilities	Nessus	CGI abuses	high
17709	PHP < 4.4.2 Multiple XSS Vulnerabilities	Nessus	CGI abuses : XSS	low
21897	CentOS 3 / 4 : php (CESA-2006:0276)	Nessus	CentOS Local Security Checks	high
21594	RHEL 2.1 : php (RHSA-2006:0501)	Nessus	Red Hat Local Security Checks	high
21287	RHEL 4 : php (RHSA-2006:0276)	Nessus	Red Hat Local Security Checks	medium
21129	GLSA-200603-22 : PHP: Format string and XSS vulnerabilities	Nessus	Gentoo Local Security Checks	medium
21068	Ubuntu 4.10 / 5.04 / 5.10 : php4, php5 vulnerabilities (USN-261-1)	Nessus	Ubuntu Local Security Checks	medium
20849	Mandrake Linux Security Advisory : php (MDKSA-2006:028)	Nessus	Mandriva Local Security Checks	medium
3251	UW-IMAP Quote String Buffer Overflow	Nessus Network Monitor	IMAP Servers	medium

Detections

Analytics

CVE-2006-0208

medium

Tenable Plugins

high

low

high

high

medium

medium

medium

medium

medium