CVE-2004-0959
CVSS 2.1
Published: 2004-11-03 00:00:00
Last revised: 2016-10-17 22:50:11

[Original] rfc1867.c in PHP before 5.0.2 allows local users to upload files to arbitrary locations via a PHP script with a certain MIME header that causes the "$_FILES" array to be modified.


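[CNNVD] PHP RFC1867 MIME Format Handling Array Error Vulnerability (CNNVD-200411-019)

        
        PHP is a popular web server-side programming language.
        PHP contains a vulnerability in its handling of RFC1867 MIME data; a remote attacker can exploit it to overwrite some memory data.
        Incorrect array parsing in the SAPI_POST_HANDLER_FUNC() function in rfc1867.c can cause elements of the $_FILES array to be overwritten. If a web application trusts the uploaded file name, this allows malicious files to be uploaded to arbitrary directories.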
        

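- CVSS (base score)

CVSS score: 2.1 [LOW]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on the availability of the system]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]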

- CPE (affected platforms and products)

Product and version information (CPE) is not currently available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:10961 rfc1867.c in PHP before 5.0.2 allows local users to upload files to arbitrary locations via a PHP script with a certain MIME header that cau...
*OVAL describes in detail how to detect this vulnerability; more technical details for detecting it can be found in the related OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0959
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0959
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200411-019
(official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0054.html
(UNKNOWN)  VULNWATCH  20040915 Php Vulnerability N. 2
http://marc.info/?l=bugtraq&m=109534848430404&w=2
(UNKNOWN)  BUGTRAQ  20040915 Php Vulnerability N. 2
http://securitytracker.com/id?1011307
(UNKNOWN)  SECTRACK  1011307
http://www.redhat.com/support/errata/RHSA-2004-687.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2004:687
http://xforce.iss.net/xforce/xfdb/17392
(VENDOR_ADVISORY)  XF  php-mime-array-execute-code(17392)
https://bugzilla.fedora.us/show_bug.cgi?id=2344
(UNKNOWN)  FEDORA  FLSA:2344

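- Vulnerability information

PHP RFC1867 MIME Format Handling Array Error Vulnerability
Low severity  Input validation
2004-11-03 00:00:00 2005-10-20 00:00:00
Remote
        
        PHP is a popular web server-side programming language.
        PHP contains a vulnerability in its handling of RFC1867 MIME data; a remote attacker can exploit it to overwrite some memory data.
        Incorrect array parsing in the SAPI_POST_HANDLER_FUNC() function in rfc1867.c can cause elements of the $_FILES array to be overwritten. If a web application trusts the uploaded file name, this allows malicious files to be uploaded to arbitrary directories.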
        

- Advisories and patches

        Vendor patch:
        PHP
        ---
        PHP 4.3.9 and 5.0.2 have fixed this vulnerability; NSFOCUS recommends that users download and use them:
        
        http://www.php.net

- Vulnerability information

12603
PHP rfc1867.c $_FILES Array Crafted MIME Header Arbitrary File Upload
Local Access Required Input Manipulation
Loss of Integrity Upgrade
Vendor Verified

- Vulnerability description

- Timeline

2004-09-15 Unknown
Unknown Unknown

- Solution

Upgrade to version 4.3.9, 5.0.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

PHP Remote Arbitrary Location File Upload Vulnerability
Input Validation Error 11190
Yes No
2004-09-15 12:00:00 2009-07-12 07:06:00
Discovery of this issue is credited to Stefano Di Paola <stefano.dipaola@wisec.it>.

- Affected software versions

SGI ProPack 3.0
RedHat Linux 9.0 i386
RedHat Linux 7.3 i386
Red Hat Fedora Core1
PHP PHP 5.0.1
PHP PHP 5.0 .0
PHP PHP 4.3.8
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
+ S.u.S.E. Linux Personal 9.2
+ Turbolinux Turbolinux Server 10.0
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
PHP PHP 4.3.7
PHP PHP 4.3.6
PHP PHP 4.3.5
PHP PHP 4.3.4
+ MandrakeSoft Corporate Server 3.0 x86_64
+ MandrakeSoft Corporate Server 3.0
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
+ S.u.S.E. Linux Personal 9.1
PHP PHP 4.3.3
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
+ Turbolinux Home
+ Turbolinux Turbolinux 10 F...
+ Turbolinux Turbolinux Desktop 10.0
PHP PHP 4.3.2
PHP PHP 4.3.1
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ OpenPKG OpenPKG Current
+ S.u.S.E. Linux Personal 8.2
PHP PHP 4.3
PHP PHP 4.2.3
+ EnGarde Secure Linux 1.0.1
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 9.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
PHP PHP 4.2.2
+ Gentoo Linux 1.4 _rc1
+ Gentoo Linux 1.2
+ OpenPKG OpenPKG 1.1
+ RedHat Linux 8.0 i386
+ RedHat Linux 8.0
+ S.u.S.E. Linux 8.1
PHP PHP 4.2.1
- FreeBSD FreeBSD 4.6
- FreeBSD FreeBSD 4.5
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.3
+ Slackware Linux 8.1
PHP PHP 4.2 .0
PHP PHP 4.1.2
+ Apple Mac OS X 10.1.5
+ Apple Mac OS X 10.1.4
+ Apple Mac OS X 10.1.3
+ Apple Mac OS X 10.1.2
+ Apple Mac OS X 10.1.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X 10.0.4
+ Apple Mac OS X 10.0.3
+ Apple Mac OS X 10.0.2
+ Apple Mac OS X 10.0.1
+ Apple Mac OS X 10.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ MandrakeSoft Multi Network Firewall 2.0
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
PHP PHP 4.1.1
+ Conectiva Linux 7.0
PHP PHP 4.1 .0
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
PHP PHP 4.0.7
PHP PHP 4.0.6
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ HP Secure OS software for Linux 1.0
- IBM AIX 4.3.3
- IBM AIX 4.3.2
- IBM AIX 4.3.1
- IBM AIX 4.3
- IBM AIX 5.1
+ MandrakeSoft Corporate Server 1.0.1
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.1
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 7.0
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.3
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.2
+ Sun Cobalt RaQ 550
+ Sun LX50
+ Trustix Secure Linux 1.5
PHP PHP 4.0.5
PHP PHP 4.0.4
+ Compaq Compaq Secure Web Server PHP 1.0
+ Conectiva Linux 6.0
+ Guardian Digital Engarde Secure Linux 1.0.1
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 alpha
+ S.u.S.E. Linux 7.0
PHP PHP 4.0.3
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ Sun Cobalt Control Station 4100CS
+ Sun Cobalt Qube3 Japanese 4000WGJ
+ Sun Cobalt Qube3 Japanese w/ Caching and RAID 4100WGJ
+ Sun Cobalt Qube3 Japanese w/Caching 4010WGJ
+ Sun Cobalt RaQ XTR 3500R
+ Sun Cobalt RaQ XTR Japanese 3500R-ja
PHP PHP 4.0.2
PHP PHP 4.0.1
+ Sun Cobalt Qube3 4000WG
+ Sun Cobalt Qube3 w/ Caching and RAID 4100WG
+ Sun Cobalt Qube3 w/Caching 4010WG
+ Sun Cobalt RaQ4 3001R
+ Sun Cobalt RaQ4 Japanese RAID 3100R-ja
+ Sun Cobalt RaQ4 RAID 3100R
PHP PHP 4.0 0
Gentoo Linux 1.4 _rc3
Gentoo Linux 1.4 _rc2
Gentoo Linux 1.4 _rc1
Gentoo Linux 1.4
Gentoo Linux 1.2
Gentoo Linux 1.1 a
Gentoo Linux 0.7
Gentoo Linux 0.5
PHP PHP 5.0.2

- Unaffected software versions

PHP PHP 5.0.2

- Vulnerability discussion

Reportedly PHP is vulnerable to an arbitrary location file upload vulnerability. This issue is due to a failure of the PHP application to properly sanitize user-supplied file name input.

An attacker may exploit this issue to upload files to an arbitrary location on a computer running the affected software. This may facilitate arbitrary server-side script code execution as well as other attacks.

It is reported that this issue only affects PHP versions 4.2.0 and subsequent.

- Exploit

No exploit is required to leverage this issue.

- Solution

The vendor has released an upgrade dealing with this issue.

Gentoo Linux has released an advisory (GLSA 200410-04) and an updated eBuild to address this vulnerability. Gentoo users are advised to run the following commands to apply the updates:
emerge sync

emerge -pv ">=dev-php/php-4.3.9"
emerge ">=dev-php/php-4.3.9"

emerge -pv ">=dev-php/mod_php-4.3.9"
emerge ">=dev-php/mod_php-4.3.9"

emerge -pv ">=dev-php/php-cgi-4.3.9"
emerge ">=dev-php/php-cgi-4.3.9"

Red Hat has released Red Hat Enterprise Linux advisory RHSA-2004:687-05 to address various issues in PHP. Please see the advisory in Web references for more information.

Fedora has released advisories FEDORA-2004-567 and FEDORA-2004-568 to address various PHP issues in Fedora Core 2 and Fedora Core 3. Please see the referenced advisories for more information.

SGI has released advisory 20050101-01-U to address various issues in SGI Advanced Linux Environment 3. This advisory includes updated SGI ProPack 3 Service Pack 3 packages. Please see the referenced advisory for more information.

Fedora has released Fedora Legacy advisory FLSA:2344 to address various issues in Red Hat Linux 7.3, Red Hat Linux 9.0 and Fedora Core 1 for the i386 architecture. Please see the referenced advisory for more information.



- Related references

 

 
