CVE-2005-3388
CVSS4.3
发布时间 :2005-11-01 07:47:00
修订时间 :2016-12-07 22:00:14
NMCOS    

[原文]Cross-site scripting (XSS) vulnerability in the phpinfo function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5 allows remote attackers to inject arbitrary web script or HTML via a crafted URL with a "stacked array assignment."


[CNNVD]PHP phpinfo()跨站脚本漏洞(CNNVD-200511-020)

        PHP是广泛使用的通用目的脚本语言,特别适合于Web开发,可嵌入到HTML中。
        PHP的phpinfo()函数可输出大量的有关PHP当前状态的信息,如PHP版本,服务器信息和环境等。
        由于phpinfo()会向浏览器泄漏很多信息,因此不建议在生产服务器中存在执行phpinfo()的脚本。但实际上很多服务器中都运行有phpinfo()脚本。攻击者可以通过包含有栈数组分配的特制URL向phpinfo()输出中注入HTML代码,导致泄漏域cookies,如会话标识符。

- CVSS (基础分值)

CVSS分值: 4.3 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:php:php:5.0.5PHP PHP 5.0.5
cpe:/a:php:php:5.0.4PHP PHP 5.0.4
cpe:/a:php:php:5.0.3PHP PHP 5.0.3
cpe:/a:php:php:5.0.0:beta2PHP PHP 5.0.0 Beta2
cpe:/a:php:php:5.0.0:beta1PHP PHP 5.0.0 Beta1
cpe:/a:php:php:5.0.0:beta4PHP PHP 5.0.0 Beta4
cpe:/a:php:php:5.0.0:beta3PHP PHP 5.0.0 Beta3
cpe:/a:php:php:4.3.7PHP PHP 4.3.7
cpe:/a:php:php:4.3.8PHP PHP 4.3.8
cpe:/a:php:php:4.3.5PHP PHP 4.3.5
cpe:/a:php:php:4.3.6PHP PHP 4.3.6
cpe:/a:php:php:5.0.2PHP PHP 5.0.2
cpe:/a:php:php:5.0.1PHP PHP 5.0.1
cpe:/a:php:php:4.2::dev
cpe:/a:php:php:4.3
cpe:/a:php:php:5.0.0PHP PHP 5.0.0
cpe:/a:php:php:4.3.9PHP PHP 4.3.9
cpe:/a:php:php:5.0.0:rc2PHP PHP 5.0.0 RC2
cpe:/a:php:php:5.0.0:rc3PHP PHP 5.0.0 RC3
cpe:/a:php:php:4.3.10PHP PHP 4.3.10
cpe:/a:php:php:4.3.11PHP PHP 4.3.11
cpe:/a:php:php:4.0.7:rc3
cpe:/a:php:php:4.0.7:rc2
cpe:/a:php:php:5.0.0:rc1PHP PHP 5.0.0 RC1
cpe:/a:php:php:4.0.7:rc1
cpe:/a:php:php:4.0.2PHP PHP 4.0.2
cpe:/a:php:php:4.1.1PHP PHP 4.1.1
cpe:/a:php:php:4.2.0PHP PHP 4.2.0
cpe:/a:php:php:4.0.3PHP PHP 4.0.3
cpe:/a:php:php:4.1.2PHP PHP 4.1.2
cpe:/a:php:php:4.2.1PHP PHP 4.2.1
cpe:/a:php:php:4.0.0PHP PHP 4.0.0
cpe:/a:php:php:4.0.1PHP PHP 4.0.1
cpe:/a:php:php:4.1.0PHP PHP 4.1.0
cpe:/a:php:php:4.0.1:patch1
cpe:/a:php:php:4.0.1:patch2
cpe:/a:php:php:4.0.3:patch1
cpe:/a:php:php:4.0.6PHP PHP 4.0.6
cpe:/a:php:php:4.3.3PHP PHP 4.3.3
cpe:/a:php:php:4.0.7PHP PHP 4.0.7
cpe:/a:php:php:4.3.4PHP PHP 4.3.4
cpe:/a:php:php:4.0.4PHP PHP 4.0.4
cpe:/a:php:php:4.2.2PHP PHP 4.2.2
cpe:/a:php:php:4.3.1PHP PHP 4.3.1
cpe:/a:php:php:4.4.0PHP PHP 4.4.0
cpe:/a:php:php:4.0.5PHP PHP 4.0.5
cpe:/a:php:php:4.2.3PHP PHP 4.2.3
cpe:/a:php:php:4.3.2PHP PHP 4.3.2

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:10542Cross-site scripting (XSS) vulnerability in the phpinfo function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5 allows remote attackers to injec...
*OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3388
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3388
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200511-020
(官方数据源) CNNVD

- 其它链接及资源

http://itrc.hp.com/service/cki/docDisplay.do?docId=c00786522
(UNKNOWN)  HP  HPSBMA02159
http://rhn.redhat.com/errata/RHSA-2006-0549.html
(UNKNOWN)  REDHAT  RHSA-2006:0549
http://securityreason.com/securityalert/133
(UNKNOWN)  SREASON  133
http://securitytracker.com/id?1015130
(UNKNOWN)  SECTRACK  1015130
http://support.avaya.com/elmodocs2/security/ASA-2006-037.htm
(UNKNOWN)  CONFIRM  http://support.avaya.com/elmodocs2/security/ASA-2006-037.htm
http://www.fedoralegacy.org/updates/FC2/2005-11-28-FLSA_2005_166943__Updated_php_packages_fix_security_issues.html
(UNKNOWN)  FEDORA  FLSA:166943
http://www.gentoo.org/security/en/glsa/glsa-200511-08.xml
(UNKNOWN)  GENTOO  GLSA-200511-08
http://www.hardened-php.net/advisory_182005.77.html
(VENDOR_ADVISORY)  MISC  http://www.hardened-php.net/advisory_182005.77.html
http://www.mandriva.com/security/advisories?name=MDKSA-2005:213
(UNKNOWN)  MANDRIVA  MDKSA-2005:213
http://www.novell.com/linux/security/advisories/2005_27_sr.html
(UNKNOWN)  SUSE  SUSE-SR:2005:027
http://www.openpkg.org/security/OpenPKG-SA-2005.027-php.html
(UNKNOWN)  OPENPKG  OpenPKG-SA-2005.027
http://www.php.net/release_4_4_1.php
(PATCH)  CONFIRM  http://www.php.net/release_4_4_1.php
http://www.redhat.com/support/errata/RHSA-2005-831.html
(UNKNOWN)  REDHAT  RHSA-2005:831
http://www.redhat.com/support/errata/RHSA-2005-838.html
(UNKNOWN)  REDHAT  RHSA-2005:838
http://www.securityfocus.com/archive/1/archive/1/415292
(UNKNOWN)  BUGTRAQ  20051031 Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()
http://www.securityfocus.com/bid/15248
(PATCH)  BID  15248
http://www.turbolinux.com/security/2006/TLSA-2006-38.txt
(UNKNOWN)  TURBO  TLSA-2006-38
http://www.vupen.com/english/advisories/2005/2254
(UNKNOWN)  VUPEN  ADV-2005-2254
http://www.vupen.com/english/advisories/2006/4320
(UNKNOWN)  VUPEN  ADV-2006-4320
https://www.ubuntu.com/usn/usn-232-1/
(UNKNOWN)  UBUNTU  USN-232-1

- 漏洞信息

PHP phpinfo()跨站脚本漏洞
中危 跨站脚本
2005-11-01 00:00:00 2005-11-15 00:00:00
远程  
        PHP是广泛使用的通用目的脚本语言,特别适合于Web开发,可嵌入到HTML中。
        PHP的phpinfo()函数可输出大量的有关PHP当前状态的信息,如PHP版本,服务器信息和环境等。
        由于phpinfo()会向浏览器泄漏很多信息,因此不建议在生产服务器中存在执行phpinfo()的脚本。但实际上很多服务器中都运行有phpinfo()脚本。攻击者可以通过包含有栈数组分配的特制URL向phpinfo()输出中注入HTML代码,导致泄漏域cookies,如会话标识符。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
        http://www.php.net/get/php-4.4.1.tar.gz

- 漏洞信息

20406
PHP phpinfo() Function Stacked Array Assignment XSS
Remote / Network Access Input Manipulation
Loss of Integrity
Vendor Verified

- 漏洞描述

PHP contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate input (i.e. crafted URL with a stacked array assignment) passed to the phpinfo() function. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

- 时间线

2005-10-31 Unknow
Unknow Unknow

- 解决方案

Upgrade to version 4.4.1, 5.1.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

PHP PHPInfo Cross-Site Scripting Vulnerability
Input Validation Error 15248
Yes No
2005-10-31 12:00:00 2006-11-23 05:50:00
Stefan Esser <sesser@hardened-php.net> is credited with the discovery of this vulnerability.

- 受影响的程序版本

Ubuntu Ubuntu Linux 5.10 powerpc
Ubuntu Ubuntu Linux 5.10 i386
Ubuntu Ubuntu Linux 5.10 amd64
Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
Turbolinux Turbolinux Server 10.0 x86
Turbolinux Turbolinux Server 10.0
Turbolinux Turbolinux 10 F...
TurboLinux Personal
TurboLinux Multimedia
Turbolinux Home
Turbolinux Appliance Server Workgroup Edition 1.0
Turbolinux Appliance Server Hosting Edition 1.0
Turbolinux Appliance Server 1.0 Workgroup Edition
Turbolinux Appliance Server 1.0 Hosting Edition
Turbolinux Appliance Server 2.0
Trustix Secure Linux 3.0
Trustix Secure Linux 2.2
Trustix Secure Enterprise Linux 2.0
TransSoft Broker FTP Server 8.0
SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
SGI ProPack 3.0 SP6
S.u.S.E. SuSE Linux Standard Server 8.0
S.u.S.E. SuSE Linux School Server for i386
S.u.S.E. SUSE LINUX Retail Solution 8.0
S.u.S.E. SuSE Linux Openexchange Server 4.0
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 9.0 x86_64
S.u.S.E. Linux Professional 9.0
S.u.S.E. Linux Professional 8.2
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Openexchange Server
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
RedHat Stronghold 4.0
RedHat Linux 9.0 i386
RedHat Linux 7.3 i386
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Desktop 4.0
RedHat Desktop 3.0
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Fedora Core4
Red Hat Fedora Core3
Red Hat Fedora Core2
Red Hat Fedora Core1
Red Hat Enterprise Linux AS 4
Red Hat Enterprise Linux AS 3
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
PHP PHP 4.4 .0
PHP PHP 4.3.11
PHP PHP 4.3.10
PHP PHP 4.3.9
PHP PHP 4.3.8
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
+ S.u.S.E. Linux Personal 9.2
+ Turbolinux Turbolinux Server 10.0
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
PHP PHP 4.3.7
PHP PHP 4.3.6
PHP PHP 4.3.5
PHP PHP 4.3.4
+ MandrakeSoft Corporate Server 3.0 x86_64
+ MandrakeSoft Corporate Server 3.0
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
+ S.u.S.E. Linux Personal 9.1
PHP PHP 4.3.3
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
+ Turbolinux Home
+ Turbolinux Turbolinux 10 F...
+ Turbolinux Turbolinux Desktop 10.0
PHP PHP 4.3.2
PHP PHP 4.3.1
PHP PHP 4.3
PHP PHP 4.2.3
PHP PHP 4.2.2
PHP PHP 4.2.1
- FreeBSD FreeBSD 4.6
- FreeBSD FreeBSD 4.5
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.3
+ Slackware Linux 8.1
PHP PHP 4.2 .0
PHP PHP 4.2 -dev
PHP PHP 4.1.2
PHP PHP 4.1.1
PHP PHP 4.1 .0
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
PHP PHP 4.0.7 RC3
PHP PHP 4.0.7 RC2
PHP PHP 4.0.7 RC1
PHP PHP 4.0.7
PHP PHP 4.0.6
PHP PHP 4.0.5
PHP PHP 4.0.4
PHP PHP 4.0.3 pl1
+ S.u.S.E. Linux 6.4 ppc
+ S.u.S.E. Linux 6.4 i386
+ S.u.S.E. Linux 6.4 alpha
+ S.u.S.E. Linux 6.4
PHP PHP 4.0.3
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ Sun Cobalt Control Station 4100CS
+ Sun Cobalt Qube3 Japanese 4000WGJ
+ Sun Cobalt Qube3 Japanese w/ Caching and RAID 4100WGJ
+ Sun Cobalt Qube3 Japanese w/Caching 4010WGJ
+ Sun Cobalt RaQ XTR 3500R
+ Sun Cobalt RaQ XTR Japanese 3500R-ja
PHP PHP 4.0.2
PHP PHP 4.0.1 pl2
PHP PHP 4.0.1 pl1
PHP PHP 4.0.1
+ Sun Cobalt Qube3 4000WG
+ Sun Cobalt Qube3 w/ Caching and RAID 4100WG
+ Sun Cobalt Qube3 w/Caching 4010WG
+ Sun Cobalt RaQ4 3001R
+ Sun Cobalt RaQ4 Japanese RAID 3100R-ja
+ Sun Cobalt RaQ4 RAID 3100R
PHP PHP 4.0 0
OpenPKG OpenPKG 2.5
OpenPKG OpenPKG 2.4
OpenPKG OpenPKG 2.3
OpenPKG OpenPKG Current
Mandriva Linux Mandrake 2006.0 x86_64
Mandriva Linux Mandrake 2006.0
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
MandrakeSoft Multi Network Firewall 2.0
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
MandrakeSoft Corporate Server 2.1 x86_64
MandrakeSoft Corporate Server 2.1
HP System Management Homepage 2.1.4
HP System Management Homepage 2.1.3 .132
HP System Management Homepage 2.1.3
HP System Management Homepage 2.1.2
HP System Management Homepage 2.1.1
HP System Management Homepage 2.1
HP System Management Homepage 2.0.2
HP System Management Homepage 2.0.1
HP System Management Homepage 2.0
Gentoo Linux
Avaya Messaging Storage Server
Avaya Message Networking
Avaya Intuity LX
ScriptSolutions PerlDiver 2.32
PHP PHP 5.1
PHP PHP 4.4.1
HP System Management Homepage 2.1.5

- 不受影响的程序版本

ScriptSolutions PerlDiver 2.32
PHP PHP 5.1
PHP PHP 4.4.1
HP System Management Homepage 2.1.5

- 漏洞讨论

PHP is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

- 漏洞利用

No exploit is required.

The following proof-of-concept URI is available:

http://www.example.com/phpinfo.php?GLOBALS[test]=<script>alert(document.cookie);</script>

- 解决方案

Please see the referenced advisories for more information.

NOTE: The vendor has addressed this issue in PHP versions 4.4.1 and 5.1.


HP System Management Homepage 2.0.1

HP System Management Homepage 2.0.2

HP System Management Homepage 2.1

HP System Management Homepage 2.1.1

HP System Management Homepage 2.1.2

HP System Management Homepage 2.1.3 .132

HP System Management Homepage 2.1.4

PHP PHP 4.0 0

PHP PHP 4.0.1

PHP PHP 4.0.1 pl2

PHP PHP 4.0.2

PHP PHP 4.0.3 pl1

PHP PHP 4.0.3

PHP PHP 4.0.5

PHP PHP 4.0.7 RC1

PHP PHP 4.0.7 RC2

PHP PHP 4.0.7

PHP PHP 4.1 .0

PHP PHP 4.2 -dev

PHP PHP 4.2.1

PHP PHP 4.3

PHP PHP 4.3.2

PHP PHP 4.3.3

PHP PHP 4.3.4

PHP PHP 4.3.5

PHP PHP 4.3.6

PHP PHP 4.3.8

PHP PHP 4.3.9

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站