A flaw was found in the way PHP converted certain floating point values from string representation to a number. If a PHP script evaluated an attacker's input in a numeric context, the PHP interpreter could cause high CPU usage until the script execution time limit is reached. This issue only affected i386 systems.
(CVE-2010-4645)

A stack memory exhaustion flaw was found in the way the PHP filter_var() function validated email addresses. An attacker could use this flaw to crash the PHP interpreter by providing excessively long input to be validated as an email address. (CVE-2010-3710)

A memory disclosure flaw was found in the PHP multi-byte string extension. If the mb_strcut() function was called with a length argument exceeding the input string size, the function could disclose a portion of the PHP interpreter's memory. (CVE-2010-4156)

After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

It was discovered that an integer overflow in the XML UTF-8 decoding code could allow an attacker to bypass cross-site scripting (XSS) protections. This issue only affected Ubuntu 6.06 LTS, Ubuntu 8.04 LTS, and Ubuntu 9.10. (CVE-2009-5016)

It was discovered that the XML UTF-8 decoding code did not properly handle non-shortest form UTF-8 encoding and ill-formed subsequences in UTF-8 data, which could allow an attacker to bypass cross-site scripting (XSS) protections. (CVE-2010-3870)

It was discovered that attackers might be able to bypass open_basedir() restrictions by passing a specially crafted filename.
(CVE-2010-3436)

Maksymilian Arciemowicz discovered that a NULL pointer derefence in the ZIP archive handling code could allow an attacker to cause a denial of service through a specially crafted ZIP archive. This issue only affected Ubuntu 8.04 LTS, Ubuntu 9.10, Ubuntu 10.04 LTS, and Ubuntu 10.10. (CVE-2010-3709)

It was discovered that a stack consumption vulnerability in the filter_var() PHP function when in FILTER_VALIDATE_EMAIL mode, could allow a remote attacker to cause a denial of service. This issue only affected Ubuntu 8.04 LTS, Ubuntu 9.10, Ubuntu 10.04 LTS, and Ubuntu 10.10. (CVE-2010-3710)

It was discovered that the mb_strcut function in the Libmbfl library within PHP could allow an attacker to read arbitrary memory within the application process. This issue only affected Ubuntu 10.10.
(CVE-2010-4156)

Maksymilian Arciemowicz discovered that an integer overflow in the NumberFormatter::getSymbol function could allow an attacker to cause a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 10.10. (CVE-2010-4409)

Rick Regan discovered that when handing PHP textual representations of the largest subnormal double-precision floating-point number, the zend_strtod function could go into an infinite loop on 32bit x86 processors, allowing an attacker to cause a denial of service.
(CVE-2010-4645).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2011-0196 advisory.

    [5.3.3-1.1]
    - add security fixes for CVE-2010-3710, CVE-2010-4156,       CVE-2010-4645 (#670463)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP 5.3 installed on the remote host is older than 5.3.4.  Such versions may be affected by several security issues :

  - A crash in the zip extract method.

  - A stack-based buffer overflow in impagepstext()     of the GD extension.

  - An unspecified vulnerability related to     symbolic resolution when using a DFS share.

  - A security bypass vulnerability related     to using pathnames containing NULL bytes.
    (CVE-2006-7243)

  - Multiple format string vulnerabilities.
    (CVE-2010-2094, CVE-2010-2950)

  - An unspecified security bypass vulnerability     in open_basedir(). (CVE-2010-3436)

  - A NULL pointer dereference in     ZipArchive::getArchiveComment. (CVE-2010-3709)

  - Memory corruption in php_filter_validate_email().
    (CVE-2010-3710)

  - An input validation vulnerability in     xml_utf8_decode(). (CVE-2010-3870)

  - A possible double free in the IMAP extension.
    (CVE-2010-4150)

  - An information disclosure vulnerability in     'mb_strcut()'. (CVE-2010-4156)

  - An integer overflow vulnerability in 'getSymbol()'.
    (CVE-2010-4409)

  - A use-after-free vulnerability in the Zend engine when     a '__set()', '__get()', '__isset()' or '__unset()'     method is called can allow for a denial of service     attack. (Bug #52879 / CVE-2010-4697)

  - A stack-based buffer overflow exists in the     'imagepstext()' function in the GD extension. (Bug     #53492 / CVE-2010-4698)

  - The 'iconv_mime_decode_headers()' function in the iconv     extension fails to properly handle encodings that are     not recognized by the iconv and mbstring     implementations. (Bug #52941 / CVE-2010-4699)

  - The 'set_magic_quotes_runtime()' function when the     MySQLi extension is used does not properly interact     with the 'mysqli_fetch_assoc()' function. (Bug #52221 /     CVE-2010-4700)

  - A race condition exists in the PCNTL extension.
    (CVE-2011-0753)

  - The SplFileInfo::getType function in the Standard PHP     Library extension does not properly detect symbolic     links. (CVE-2011-0754)

  - An integer overflow exists in the mt_rand function.
    (CVE-2011-0755)

Updated php53 packages that fix three security issues are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

A flaw was found in the way PHP converted certain floating point values from string representation to a number. If a PHP script evaluated an attacker's input in a numeric context, the PHP interpreter could cause high CPU usage until the script execution time limit is reached. This issue only affected i386 systems.
(CVE-2010-4645)

A stack memory exhaustion flaw was found in the way the PHP filter_var() function validated email addresses. An attacker could use this flaw to crash the PHP interpreter by providing excessively long input to be validated as an email address. (CVE-2010-3710)

A memory disclosure flaw was found in the PHP multi-byte string extension. If the mb_strcut() function was called with a length argument exceeding the input string size, the function could disclose a portion of the PHP interpreter's memory. (CVE-2010-4156)

All php53 users should upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

Security Enhancements and Fixes in PHP 5.3.4 :

  - Fixed crash in zip extract method (possible CWE-170).

    - Paths with NULL in them (foo\0bar.txt) are now       considered as invalid (CVE-2006-7243).

    - Fixed a possible double free in imap extension       (Identified by Mateusz Kocielski). (CVE-2010-4150).

    - Fixed NULL pointer dereference in       ZipArchive::getArchiveComment. (CVE-2010-3709).

    - Fixed possible flaw in open_basedir (CVE-2010-3436).

    - Fixed MOPS-2010-24, fix string validation.
      (CVE-2010-2950).

    - Fixed symbolic resolution support when the target is a       DFS share.

    - Fixed bug #52929 (Segfault in filter_var with       FILTER_VALIDATE_EMAIL with large amount of data)       (CVE-2010-3710).

Key Bug Fixes in PHP 5.3.4 include :

  - Added stat support for zip stream.

    - Added follow_location (enabled by default) option for       the http stream support.

    - Added a 3rd parameter to get_html_translation_table.
      It now takes a charset hint, like htmlentities et al.

    - Implemented FR #52348, added new constant       ZEND_MULTIBYTE to detect zend multibyte at runtime.

Full upstream Changelog : http://www.php.net/ChangeLog-5.php#5.3.4

This update also provides php-eaccelerator and maniadrive packages rebuild against update php.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A vulnerability was discovered and corrected in libmbfl (php) :

  - Fix bug #53273 (mb_strcut() returns garbage with the     excessive length parameter) (CVE-2010-4156).

The updated packages have been patched to correct these issues.

Update :

The MDVSA-2010:225 advisory used the wrong patch to address the problem, however it did fix the issue. This advisory provides the correct upstream patch.

The remote Redhat Enterprise Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2011:0196 advisory.

  - php: DoS in filter_var() via long email string (CVE-2010-3710)

  - php information disclosure via mb_strcut() (CVE-2010-4156)

  - php: hang on numeric value 2.2250738585072011e-308 with x87 fpu (CVE-2010-4645)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the web server's banner, the version of HP System Management Homepage (SMH) hosted on the remote host is earlier than 6.3.  Such versions are reportedly affected by the following vulnerabilities :

  - An error exists in the function 'fnmatch' in the     bundled version of PHP that can lead to stack     exhaustion. (CVE-2010-1917)

  - An information disclosure vulnerability exists in the     'var_export' function in the bundled version of PHP     that can be triggered when handling certain error     conditions. (CVE-2010-2531)

  - A double free vulnerability in the     'ssl3_get_key_exchange()' function in the third-party     OpenSSL library could be abused to crash the     application. (CVE-2010-2939)

  - A format string vulnerability in the phar extension     in the bundled version of PHP could lead to the     disclosure of memory contents and possibly allow     execution of arbitrary code via a specially crafted     'phar://' URI. (CVE-2010-2950)

  - A NULL pointer dereference in     'ZipArchive::getArchiveComment' included with the     bundled version of PHP can be abused to crash the     application. (CVE-2010-3709)

  - The bundled version of libxml2 may read from invalid     memory locations when processing malformed XPath     expressions, resulting in an application crash.
    (CVE-2010-4008)

  - An error in the 'mb_strcut()' function in the bundled     version of PHP can be exploited by passing a large     'length' parameter to disclose potentially sensitive     information from the heap. (CVE-2010-4156)

  - An as-yet unspecified remote code execution     vulnerability could allow an authenticated user to     execute arbitrary code with system privileges.
    (CVE-2011-1540)

  - An as-yet unspecified, unauthorized access vulnerability     could lead to a complete system compromise.
    (CVE-2011-1541)

According to its banner the version of PHP installed on the remote host is 5.3.x earlier than 5.3.4.  Such versions are potentially affected by multiple vulnerabilities :

  - A crash in the zip extract method.
  - A stack buffer overflow in impagepstext() of the GD extension.
  - An unspecified vulnerability related to symbolic resolution when using a DFS share.
  - A security bypass vulnerability related to using pathnames containing NULL bytes. (CVE-2006-7243)
  - Multiple format string vulnerabilities. (CVE-2010-2094, CVE-2010-2950)
  - An unspecified security bypass vulnerability in open_basedir(). (CVE-2010-3436)
  - A NULL pointer dereference in ZipArchive::getArchiveComment. (CVE-2010-3709)
  - Memory corruption in php_filter_validate_email(). (CVE-2010-3710)
  - An input validation vulnerability in xml_utf8_decode(). (CVE-2010-3870)
  - A possible double free in the IMAP extension. (CVE-2010-4150)
  - An information disclosure vulnerability in 'mb_strcut()'. (CVE-2010-4156)
  - An integer overflow vulnerability in 'getSymbol()'. (CVE-2010-4409)
  - A use-after-free vulnerability in the Zend engine when a '__set()', '__get()', '__isset()' or '__unset()' method is called can allow for a denial of service attack. (Bug #52879 / CVE-2010-4697)
  - A stack-based buffer overflow exists in the 'imagepstext()' function in the GD extension. (Bug #53492 / CVE-2010-4698)
  - The 'iconv_mime_decode_headers()' function in the iconv extension fails to properly handle encodings that are not recognized by the iconv and mbstring implementations. (Bug #52941 / CVE-2010-4699)
  - The 'set_magic_quotes_runtime()' function when the MySQLi extension is used does not properly interact with the 'mysqli_fetch_assoc()' function. (Bug #52221 / CVE-2010-4700)
  - A race condition exists in the PCNTL extension. (CVE-2011-0753)
  - The SplFileInfo::getType function in the Standard PHP Library extension does not properly detect symbolic links. (CVE-2011-0754)
  - An integer overflow exists in the mt_rand function. (CVE-2011-0755)

According to its banner the version of PHP installed on the remote host is 5.3.x earlier than 5.3.4.  Such versions are potentially affected by multiple vulnerabilities :

  - A crash in the zip extract method.

  - A stack buffer overflow in impagepstext() of the GD extension.

  - An unspecified vulnerability related to symbolic resolution when using a DFS share.

  - A security bypass vulnerability related to using pathnames containing NULL bytes. (CVE-2006-7243)

  - Multiple format string vulnerabilities. (CVE-2010-2094, CVE-2010-2950)

  - An unspecified security bypass vulnerability in open_basedir(). (CVE-2010-3436)

  - A NULL pointer dereference in ZipArchive::getArchiveComment. (CVE-2010-3709)

  - Memory corruption in php_filter_validate_email(). (CVE-2010-3710)

  - An input validation vulnerability in xml_utf8_decode(). (CVE-2010-3870)

  - A possible double free in the IMAP extension. (CVE-2010-4150)
  - An information disclosure vulnerability in 'mb_strcut()'. (CVE-2010-4156)

  - An integer overflow vulnerability in 'getSymbol()'. (CVE-2010-4409)

  - A use-after-free vulnerability in the Zend engine when a '__set()', '__get()', '__isset()' or '__unset()' method is called can allow for a denial of service attack. (Bug #52879 / CVE-2010-4697)

  - A stack-based buffer overflow exists in the 'imagepstext()' function in the GD extension. (Bug #53492 / CVE-2010-4698)

  - The 'iconv_mime_decode_headers()' function in the iconv extension fails to properly handle encodings that are not recognized by the iconv and mbstring implementations. (Bug #52941 / CVE-2010-4699)

  - The 'set_magic_quotes_runtime()' function when the MySQLi extension is used does not properly interact with the 'mysqli_fetch_assoc()' function. (Bug #52221 / CVE-2010-4700)

  - A race condition exists in the PCNTL extension. (CVE-2011-0753)

  - The SplFileInfo::getType function in the Standard PHP Library extension does not properly detect symbolic links. (CVE-2011-0754)

  - An integer overflow exists in the mt_rand function. (CVE-2011-0755)

ID	Name	Product	Family	Published	Updated	Severity
60948	Scientific Linux Security Update : php53 on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	8/1/2012	1/14/2021	medium
51502	Ubuntu 6.06 LTS / 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : php5 vulnerabilities (USN-1042-1)	Nessus	Ubuntu Local Security Checks	1/12/2011	9/19/2019	medium
68192	Oracle Linux 5 : php53 (ELSA-2011-0196)	Nessus	Oracle Linux Local Security Checks	7/12/2013	10/22/2024	high
51140	PHP 5.3 < 5.3.4 Multiple Vulnerabilities	Nessus	CGI abuses	12/13/2010	5/31/2024	medium
53416	CentOS 5 : php53 (CESA-2011:0196)	Nessus	CentOS Local Security Checks	4/15/2011	1/4/2021	medium
51413	Fedora 13 : maniadrive-1.2-23.fc13 / php-5.3.4-1.fc13.1 / php-eaccelerator-0.9.6.1-3.fc13 (2010-19011)	Nessus	Fedora Local Security Checks	1/5/2011	1/11/2021	medium
50536	Mandriva Linux Security Advisory : libmbfl (MDVSA-2010:225-1)	Nessus	Mandriva Local Security Checks	11/10/2010	1/6/2021	medium
51412	Fedora 14 : maniadrive-1.2-23.fc14 / php-5.3.4-1.fc14.1 / php-eaccelerator-0.9.6.1-3.fc14 (2010-18976)	Nessus	Fedora Local Security Checks	1/5/2011	1/11/2021	medium
51867	RHEL 5 : php53 (RHSA-2011:0196)	Nessus	Red Hat Local Security Checks	2/4/2011	4/21/2024	high
53532	HP System Management Homepage < 6.3 Multiple Vulnerabilities	Nessus	Web Servers	4/22/2011	4/11/2022	critical
5732	PHP 5.3.x < 5.3.4 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	12/10/2010	3/6/2019	high
801074	PHP 5.3 < 5.3.4 Multiple Vulnerabilities	Log Correlation Engine	Web Servers	12/10/2010		high

Detections

Analytics

Plugins Search

medium

medium

high

medium

medium

medium

medium

medium

high

critical

high

high