
Test ID: 1.3.6.1.4.1.25623.1.0.801060
Category: Web application abuses
Title: PHP 5.2.11, 5.3.x < 5.3.1 Multiple Vulnerabilities (Dec 2009)
Summary: PHP is prone to multiple vulnerabilities.
Description:
Summary:
PHP is prone to multiple vulnerabilities.

Vulnerability Insight:
The following flaws exist:

- CVE-2009-2626: Error in 'zend_restore_ini_entry_cb()' function in 'zend_ini.c', which allows
attackers to obtain sensitive information.

- CVE-2009-4018: Error in 'proc_open()' function in 'ext/standard/proc_open.c' that does not
enforce the 'safe_mode_allowed_env_vars' and 'safe_mode_protected_env_vars' directives, which
allows attackers to execute programs with an arbitrary environment via the env parameter.

Vulnerability Impact:
Successful exploitation could allow local attackers to bypass
certain security restrictions and cause denial of service.

Affected Software/OS:
PHP versions prior to 5.2.11 and 5.3.x prior to 5.3.1.

Solution:
Update to version 5.2.11, 5.3.1 or later.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross Reference:
Common Vulnerability Exposure (CVE) ID: CVE-2009-2626
BugTraq ID: 36009
http://www.securityfocus.com/bid/36009
Debian Security Information: DSA-1940
http://www.debian.org/security/2009/dsa-1940
http://secunia.com/advisories/37482
http://securityreason.com/achievement_securityalert/65
Common Vulnerability Exposure (CVE) ID: CVE-2009-4018
37138
http://www.securityfocus.com/bid/37138
40262
http://secunia.com/advisories/40262
41480
http://secunia.com/advisories/41480
41490
http://secunia.com/advisories/41490
HPSBMA02568
http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02512995
HPSBUX02543
http://marc.info/?l=bugtraq&m=127680701405735&w=2
MDVSA-2009:303
http://www.mandriva.com/security/advisories?name=MDVSA-2009:303
SSRT100152
SSRT100219
[oss-security] 20091122 Re: CVE request: php 5.3.1 update
http://marc.info/?l=oss-security&m=125886770008678&w=2
[oss-security] 20091123 Re: CVE request: php 5.3.1 - proc_open() bypass PHP Bug #49026 [was: Re: CVE request: php 5.3.1 update]
http://marc.info/?l=oss-security&m=125897935330618&w=2
http://www.openwall.com/lists/oss-security/2009/11/23/15
http://bugs.php.net/bug.php?id=49026
http://svn.php.net/viewvc/?view=revision&revision=286360
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/standard/proc_open.c?r1=286360&r2=286359&pathrev=286360
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/standard/proc_open.c?r1=286360&r2=286359&pathrev=286360
http://www.php.net/ChangeLog-5.php
oval:org.mitre.oval:def:7256
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7256
Copyright: Copyright (C) 2009 Greenbone AG





© 1998-2025 E-Soft Inc. All rights reserved.