CVE-2005-3389
CVSS 5.0
Published: 2005-11-01 07:47:00
Revised: 2013-07-05 00:54:07
NMCOS    

[Original] The parse_str function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when called with only one parameter, allows remote attackers to enable the register_globals directive via inputs that cause a request to be terminated due to the memory_limit setting, which causes PHP to set an internal flag that enables register_globals and allows attackers to exploit vulnerabilities in PHP applications that would otherwise be protected.


[CNNVD] PHP parse_str() function register_globals activation vulnerability (CNNVD-200511-019)

        PHP is a widely used general-purpose scripting language that is especially suited to Web development and can be embedded in HTML.
        PHP's parse_str() function has a vulnerability in the way it handles its parameters; an attacker can use it to enable register_globals and then go on to exploit vulnerabilities in other PHP scripts.
        If parse_str() is called with only one parameter, it parses the supplied string as if it were a query string sent via the URL. A remote attacker can send a large number of request variables during the parse_str() call so that memory_limit is exceeded and the request is terminated. If request shutdown runs while parse_str() is executing, the register_globals flag remains on for the rest of the lifetime of the affected web server process.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/a:php:php:4.3.3  PHP PHP 4.3.3
cpe:/a:php:php:5.0.0:rc1  PHP PHP 5.0.0 RC1
cpe:/a:php:php:4.0.1:patch1
cpe:/a:php:php:5.0.0:beta3  PHP PHP 5.0.0 Beta3
cpe:/a:php:php:4.0.1  PHP PHP 4.0.1
cpe:/a:php:php:4.0.3:patch1
cpe:/a:php:php:5.0.0:beta2  PHP PHP 5.0.0 Beta2
cpe:/a:php:php:5.0.5  PHP PHP 5.0.5
cpe:/a:php:php:5.0.0:rc3  PHP PHP 5.0.0 RC3
cpe:/a:php:php:4.3.10  PHP PHP 4.3.10
cpe:/a:php:php:4.3.1  PHP PHP 4.3.1
cpe:/a:php:php:4.0.0  PHP PHP 4.0.0
cpe:/a:php:php:4.0.7:rc2
cpe:/a:php:php:4.3.7  PHP PHP 4.3.7
cpe:/a:php:php:5.0.0  PHP PHP 5.0.0
cpe:/a:php:php:4.2.0  PHP PHP 4.2.0
cpe:/a:php:php:5.0.1  PHP PHP 5.0.1
cpe:/a:php:php:4.2.2  PHP PHP 4.2.2
cpe:/a:php:php:4.0.7:rc3
cpe:/a:php:php:5.0.2  PHP PHP 5.0.2
cpe:/a:php:php:4.2.1  PHP PHP 4.2.1
cpe:/a:php:php:4.0.2  PHP PHP 4.0.2
cpe:/a:php:php:4.0.6  PHP PHP 4.0.6
cpe:/a:php:php:4.1.2  PHP PHP 4.1.2
cpe:/a:php:php:5.0.3  PHP PHP 5.0.3
cpe:/a:php:php:4.1.1  PHP PHP 4.1.1
cpe:/a:php:php:4.0.5  PHP PHP 4.0.5
cpe:/a:php:php:4.0.7  PHP PHP 4.0.7
cpe:/a:php:php:4.3.11  PHP PHP 4.3.11
cpe:/a:php:php:4.2::dev
cpe:/a:php:php:4.3.6  PHP PHP 4.3.6
cpe:/a:php:php:5.0.0:beta1  PHP PHP 5.0.0 Beta1
cpe:/a:php:php:4.0.1:patch2
cpe:/a:php:php:4.3
cpe:/a:php:php:4.0.4  PHP PHP 4.0.4
cpe:/a:php:php:4.0.7:rc1
cpe:/a:php:php:5.0.4  PHP PHP 5.0.4
cpe:/a:php:php:5.0.0:rc2  PHP PHP 5.0.0 RC2
cpe:/a:php:php:4.3.4  PHP PHP 4.3.4
cpe:/a:php:php:5.0.0:beta4  PHP PHP 5.0.0 Beta4
cpe:/a:php:php:4.3.8  PHP PHP 4.3.8
cpe:/a:php:php:4.1.0  PHP PHP 4.1.0
cpe:/a:php:php:4.4.0  PHP PHP 4.4.0
cpe:/a:php:php:4.3.9  PHP PHP 4.3.9
cpe:/a:php:php:4.0.3  PHP PHP 4.0.3
cpe:/a:php:php:4.3.5  PHP PHP 4.3.5
cpe:/a:php:php:4.2.3  PHP PHP 4.2.3
cpe:/a:php:php:4.3.2  PHP PHP 4.3.2

- OVAL (technical details for detection)

oval:org.mitre.oval:def:11481  The parse_str function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when called with only one parameter, allows remote attackers to enable th...
*OVAL describes the method for detecting this vulnerability in detail; see the related OVAL definition for more technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3389
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3389
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200511-019
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/15249
(PATCH)  BID  15249
http://www.php.net/release_4_4_1.php
(PATCH)  CONFIRM  http://www.php.net/release_4_4_1.php
http://secunia.com/advisories/17371
(VENDOR_ADVISORY)  SECUNIA  17371
http://www.vupen.com/english/advisories/2006/4320
(VENDOR_ADVISORY)  VUPEN  ADV-2006-4320
http://www.vupen.com/english/advisories/2005/2254
(VENDOR_ADVISORY)  VUPEN  ADV-2005-2254
http://www.ubuntulinux.org/usn/usn-232-1/document_view
(UNKNOWN)  UBUNTU  USN-232-1
http://www.turbolinux.com/security/2006/TLSA-2006-38.txt
(UNKNOWN)  TURBO  TLSA-2006-38
http://www.securityfocus.com/archive/1/archive/1/419504/100/0/threaded
(UNKNOWN)  SUSE  SUSE-SA:2005:069
http://www.securityfocus.com/archive/1/415291
(UNKNOWN)  BUGTRAQ  20051031 Advisory 19/2005: PHP register_globals Activation Vulnerability in parse_str()
http://www.redhat.com/support/errata/RHSA-2005-838.html
(UNKNOWN)  REDHAT  RHSA-2005:838
http://www.redhat.com/support/errata/RHSA-2005-831.html
(UNKNOWN)  REDHAT  RHSA-2005:831
http://www.openpkg.org/security/OpenPKG-SA-2005.027-php.html
(UNKNOWN)  OPENPKG  OpenPKG-SA-2005.027
http://www.novell.com/linux/security/advisories/2005_27_sr.html
(UNKNOWN)  SUSE  SUSE-SR:2005:027
http://www.mandriva.com/security/advisories?name=MDKSA-2005:213
(UNKNOWN)  MANDRIVA  MDKSA-2005:213
http://www.hardened-php.net/advisory_192005.78.html
(VENDOR_ADVISORY)  MISC  http://www.hardened-php.net/advisory_192005.78.html
http://www.gentoo.org/security/en/glsa/glsa-200511-08.xml
(UNKNOWN)  GENTOO  GLSA-200511-08
http://www.fedoralegacy.org/updates/FC2/2005-11-28-FLSA_2005_166943__Updated_php_packages_fix_security_issues.html
(UNKNOWN)  FEDORA  FLSA:166943
http://support.avaya.com/elmodocs2/security/ASA-2006-037.htm
(UNKNOWN)  CONFIRM  http://support.avaya.com/elmodocs2/security/ASA-2006-037.htm
http://securitytracker.com/id?1015131
(UNKNOWN)  SECTRACK  1015131
http://securityreason.com/securityalert/134
(UNKNOWN)  SREASON  134
http://secunia.com/advisories/22691
(VENDOR_ADVISORY)  SECUNIA  22691
http://secunia.com/advisories/21252
(VENDOR_ADVISORY)  SECUNIA  21252
http://secunia.com/advisories/18669
(VENDOR_ADVISORY)  SECUNIA  18669
http://secunia.com/advisories/18198
(VENDOR_ADVISORY)  SECUNIA  18198
http://secunia.com/advisories/18054
(VENDOR_ADVISORY)  SECUNIA  18054
http://secunia.com/advisories/17559
(VENDOR_ADVISORY)  SECUNIA  17559
http://secunia.com/advisories/17557
(VENDOR_ADVISORY)  SECUNIA  17557
http://secunia.com/advisories/17531
(VENDOR_ADVISORY)  SECUNIA  17531
http://secunia.com/advisories/17510
(VENDOR_ADVISORY)  SECUNIA  17510
http://secunia.com/advisories/17490
(VENDOR_ADVISORY)  SECUNIA  17490
http://rhn.redhat.com/errata/RHSA-2006-0549.html
(UNKNOWN)  REDHAT  RHSA-2006:0549
http://itrc.hp.com/service/cki/docDisplay.do?docId=c00786522
(UNKNOWN)  HP  SSRT061238
http://itrc.hp.com/service/cki/docDisplay.do?docId=c00786522
(UNKNOWN)  HP  HPSBMA02159

- Vulnerability information

PHP parse_str() function register_globals activation vulnerability
Medium  Other
2005-11-01 00:00:00 2006-06-12 00:00:00
Remote

- Announcements and patches

        The vendor has released an upgrade to fix this security issue; download it from the vendor's site:
        http://www.php.net/get/php-4.4.1.tar.gz

- Vulnerability information

20407
PHP parse_str() memory_limit Request Termination register_globals Manipulation

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-10-31 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

PHP Parse_Str Register_Globals Activation Weakness
Failure to Handle Exceptional Conditions 15249
Yes No
2005-10-31 12:00:00 2006-11-23 05:50:00
Stefan Esser <sesser@hardened-php.net> of the Hardened-PHP Project discovered this issue.

- Affected program versions

Ubuntu Ubuntu Linux 5.10 powerpc
Ubuntu Ubuntu Linux 5.10 i386
Ubuntu Ubuntu Linux 5.10 amd64
Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
Turbolinux Turbolinux Server 10.0 x86
Turbolinux Turbolinux Server 10.0
Turbolinux Turbolinux 10 F...
TurboLinux Personal
TurboLinux Multimedia
Turbolinux Home
Turbolinux Appliance Server Workgroup Edition 1.0
Turbolinux Appliance Server Hosting Edition 1.0
Turbolinux Appliance Server 1.0 Workgroup Edition
Turbolinux Appliance Server 1.0 Hosting Edition
Turbolinux Appliance Server 2.0
Trustix Secure Linux 3.0
Trustix Secure Linux 2.2
Trustix Secure Enterprise Linux 2.0
TransSoft Broker FTP Server 8.0
SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
SGI ProPack 3.0 SP6
S.u.S.E. UnitedLinux 1.0
S.u.S.E. SuSE Linux Standard Server 8.0
S.u.S.E. SuSE Linux School Server for i386
S.u.S.E. SUSE LINUX Retail Solution 8.0
S.u.S.E. SuSE Linux Openexchange Server 4.0
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 9.0 x86_64
S.u.S.E. Linux Professional 9.0
S.u.S.E. Linux Professional 8.2
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Openexchange Server
S.u.S.E. Linux Enterprise Server for S/390 9.0
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
RedHat Stronghold 4.0
RedHat Linux 9.0 i386
RedHat Linux 7.3 i386
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Desktop 4.0
RedHat Desktop 3.0
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Fedora Core4
Red Hat Fedora Core3
Red Hat Fedora Core2
Red Hat Fedora Core1
Red Hat Enterprise Linux AS 4
Red Hat Enterprise Linux AS 3
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
PHP PHP 5.0.5
PHP PHP 5.0.4
PHP PHP 5.0.3
PHP PHP 5.0.2
PHP PHP 5.0.1
PHP PHP 5.0 candidate 3
PHP PHP 5.0 candidate 2
PHP PHP 5.0 candidate 1
PHP PHP 5.0 .0
PHP PHP 4.4 .0
PHP PHP 4.3.11
PHP PHP 4.3.10
PHP PHP 4.3.9
PHP PHP 4.3.8
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
+ S.u.S.E. Linux Personal 9.2
+ Turbolinux Turbolinux Server 10.0
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
PHP PHP 4.3.7
PHP PHP 4.3.6
PHP PHP 4.3.5
PHP PHP 4.3.4
PHP PHP 4.3.3
PHP PHP 4.3.2
PHP PHP 4.3.1
PHP PHP 4.3
PHP PHP 4.2.3
PHP PHP 4.2.2
PHP PHP 4.2.1
- FreeBSD FreeBSD 4.6
- FreeBSD FreeBSD 4.5
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.3
+ Slackware Linux 8.1
PHP PHP 4.2 .0
PHP PHP 4.2 -dev
PHP PHP 4.1.2
PHP PHP 4.1.1
PHP PHP 4.1 .0
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
PHP PHP 4.0.7 RC3
PHP PHP 4.0.7 RC2
PHP PHP 4.0.7 RC1
PHP PHP 4.0.7
PHP PHP 4.0.6
PHP PHP 4.0.5
PHP PHP 4.0.4
PHP PHP 4.0.3 pl1
+ S.u.S.E. Linux 6.4 ppc
+ S.u.S.E. Linux 6.4 i386
+ S.u.S.E. Linux 6.4 alpha
+ S.u.S.E. Linux 6.4
PHP PHP 4.0.3
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ Sun Cobalt Control Station 4100CS
+ Sun Cobalt Qube3 Japanese 4000WGJ
+ Sun Cobalt Qube3 Japanese w/ Caching and RAID 4100WGJ
+ Sun Cobalt Qube3 Japanese w/Caching 4010WGJ
+ Sun Cobalt RaQ XTR 3500R
+ Sun Cobalt RaQ XTR Japanese 3500R-ja
PHP PHP 4.0.2
PHP PHP 4.0.1 pl2
PHP PHP 4.0.1 pl1
PHP PHP 4.0.1
+ Sun Cobalt Qube3 4000WG
+ Sun Cobalt Qube3 w/ Caching and RAID 4100WG
+ Sun Cobalt Qube3 w/Caching 4010WG
+ Sun Cobalt RaQ4 3001R
+ Sun Cobalt RaQ4 Japanese RAID 3100R-ja
+ Sun Cobalt RaQ4 RAID 3100R
PHP PHP 4.0 0
PHP PHP 3.0.18
PHP PHP 3.0.17
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 alpha
+ S.u.S.E. Linux 7.0
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
PHP PHP 3.0.16
PHP PHP 3.0.15
PHP PHP 3.0.14
PHP PHP 3.0.13
PHP PHP 3.0.12
PHP PHP 3.0.11
PHP PHP 3.0.10
PHP PHP 3.0.9
PHP PHP 3.0.8
PHP PHP 3.0.7
PHP PHP 3.0.6
PHP PHP 3.0.5
PHP PHP 3.0.4
PHP PHP 3.0.3
PHP PHP 3.0.2
PHP PHP 3.0.1
PHP PHP 3.0 0
PHP PHP 3.0 .16
PHP PHP 3.0 .13
PHP PHP 3.0 .12
PHP PHP 3.0 .11
PHP PHP 3.0 .10
OpenPKG OpenPKG 2.5
OpenPKG OpenPKG 2.4
OpenPKG OpenPKG 2.3
OpenPKG OpenPKG Current
Mandriva Linux Mandrake 2006.0 x86_64
Mandriva Linux Mandrake 2006.0
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
MandrakeSoft Multi Network Firewall 2.0
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
MandrakeSoft Corporate Server 2.1 x86_64
MandrakeSoft Corporate Server 2.1
HP System Management Homepage 2.1.4
HP System Management Homepage 2.1.3 .132
HP System Management Homepage 2.1.3
HP System Management Homepage 2.1.2
HP System Management Homepage 2.1.1
HP System Management Homepage 2.1
HP System Management Homepage 2.0.2
HP System Management Homepage 2.0.1
HP System Management Homepage 2.0
Gentoo Linux
Avaya Messaging Storage Server
Avaya Message Networking
Avaya Intuity LX
PHP PHP 5.1
PHP PHP 4.4.1
HP System Management Homepage 2.1.5

- Unaffected program versions

PHP PHP 5.1
PHP PHP 4.4.1
HP System Management Homepage 2.1.5

- Vulnerability discussion

PHP is prone to a weakness that allows attackers to re-enable the 'register_globals' directive. This issue is due to the application's failure to handle a memory-limit exception.

The 'register_globals' directive will remain enabled for the rest of the lifetime of the affected process. If PHP is being run as an Apache module, then the process handling the malicious request will have 'register_globals' enabled for the duration of the process's life. If PHP is being run as a CGI process, this issue is not likely exploitable.

By exploiting this issue, remote attackers may be able to enable 'register_globals'. This may allow attackers to further exploit latent vulnerabilities in PHP scripts.

- Exploit

An exploit is not required.

- Solution

Please see the referenced advisories for more information.

NOTE: The vendor has addressed this issue in PHP versions 4.4.1 and 5.1.


HP System Management Homepage 2.0.2
HP System Management Homepage 2.1
HP System Management Homepage 2.1.1
HP System Management Homepage 2.1.2
HP System Management Homepage 2.1.4
PHP PHP 3.0 0
PHP PHP 3.0 .10
PHP PHP 3.0 .12
PHP PHP 3.0.11
PHP PHP 3.0.17
PHP PHP 3.0.2
PHP PHP 3.0.3
PHP PHP 3.0.4
PHP PHP 3.0.5
PHP PHP 3.0.9
PHP PHP 4.0 0
PHP PHP 4.0.1
PHP PHP 4.0.1 pl2
PHP PHP 4.0.2
PHP PHP 4.0.3 pl1
PHP PHP 4.0.3
PHP PHP 4.0.5
PHP PHP 4.0.7 RC1
PHP PHP 4.0.7 RC2
PHP PHP 4.1 .0
PHP PHP 4.2.1
PHP PHP 4.3
PHP PHP 4.3.2
PHP PHP 4.3.5
PHP PHP 4.3.6
PHP PHP 4.3.8
PHP PHP 4.3.9
PHP PHP 5.0 .0
PHP PHP 5.0.1
PHP PHP 5.0.2
PHP PHP 5.0.4
