CVE-2005-3390
CVSS 7.5
Published: 2005-11-01 07:47:00
Last revised: 2016-12-07 22:00:16

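[Original] The RFC1867 file upload feature in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when register_globals is enabled, allows remote attackers to modify the GLOBALS array and bypass security protections of PHP applications via a multipart/form-data POST request with a "GLOBALS" fileupload field.


[CNNVD] PHP File Upload $GLOBALS Variable Overwrite Vulnerability (CNNVD-200511-006)

        PHP is a widely used general-purpose scripting language that is especially suited to web development and can be embedded in HTML.
        PHP has a flaw in its protection of global variables: an attacker can overwrite the $GLOBALS array by sending a POST request that contains a file upload field named GLOBALS, which may lead to remote execution of PHP code. PHP 4.3.11 added code to prevent the $GLOBALS array from being overwritten when register_globals is turned on, but this protection is flawed. The added code only covers the globalization of GET, POST and COOKIE variables, and overlooks the fact that the RFC 1867 file upload code in PHP also registers global variables.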

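- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)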

cpe:/a:php:php:5.0.3  PHP PHP 5.0.3
cpe:/a:php:php:5.0.4  PHP PHP 5.0.4
cpe:/a:php:php:5.0.5  PHP PHP 5.0.5
cpe:/a:php:php:5.0.0  PHP PHP 5.0.0
cpe:/a:php:php:3.0  PHP PHP 3.0
cpe:/a:php:php:5.0.1  PHP PHP 5.0.1
cpe:/a:php:php:5.0.2  PHP PHP 5.0.2
cpe:/a:php:php:4.1.0  PHP PHP 4.1.0
cpe:/a:php:php:4.1.2  PHP PHP 4.1.2
cpe:/a:php:php:4.1.1  PHP PHP 4.1.1
cpe:/a:php:php:4.3.2  PHP PHP 4.3.2
cpe:/a:php:php:4.3.1  PHP PHP 4.3.1
cpe:/a:php:php:4.3.4  PHP PHP 4.3.4
cpe:/a:php:php:4.3.3  PHP PHP 4.3.3
cpe:/a:php:php:5.0:rc1
cpe:/a:php:php:5.0:rc2
cpe:/a:php:php:5.0:rc3
cpe:/a:php:php:4.2::dev
cpe:/a:php:php:4.0.1:patch2
cpe:/a:php:php:3.0.10  PHP PHP 3.0.10
cpe:/a:php:php:3.0.8  PHP PHP 3.0.8
cpe:/a:php:php:4.0.7:rc3
cpe:/a:php:php:3.0.11  PHP PHP 3.0.11
cpe:/a:php:php:3.0.7  PHP PHP 3.0.7
cpe:/a:php:php:3.0.12  PHP PHP 3.0.12
cpe:/a:php:php:3.0.6  PHP PHP 3.0.6
cpe:/a:php:php:4.0.7:rc1
cpe:/a:php:php:3.0.13  PHP PHP 3.0.13
cpe:/a:php:php:3.0.5  PHP PHP 3.0.5
cpe:/a:php:php:4.0.7:rc2
cpe:/a:php:php:3.0.14  PHP PHP 3.0.14
cpe:/a:php:php:3.0.4  PHP PHP 3.0.4
cpe:/a:php:php:3.0.15  PHP PHP 3.0.15
cpe:/a:php:php:3.0.3  PHP PHP 3.0.3
cpe:/a:php:php:3.0.16  PHP PHP 3.0.16
cpe:/a:php:php:3.0.2  PHP PHP 3.0.2
cpe:/a:php:php:3.0.1  PHP PHP 3.0.1
cpe:/a:php:php:3.0.17  PHP PHP 3.0.17
cpe:/a:php:php:4.3.6  PHP PHP 4.3.6
cpe:/a:php:php:4.3.5  PHP PHP 4.3.5
cpe:/a:php:php:4.3.8  PHP PHP 4.3.8
cpe:/a:php:php:4.3.7  PHP PHP 4.3.7
cpe:/a:php:php:4.3.9  PHP PHP 4.3.9
cpe:/a:php:php:4.0.1  PHP PHP 4.0.1
cpe:/a:php:php:4.0.0  PHP PHP 4.0.0
cpe:/a:php:php:4.0.3  PHP PHP 4.0.3
cpe:/a:php:php:4.2.1  PHP PHP 4.2.1
cpe:/a:php:php:4.0.2  PHP PHP 4.0.2
cpe:/a:php:php:4.2.0  PHP PHP 4.2.0
cpe:/a:php:php:4.0.5  PHP PHP 4.0.5
cpe:/a:php:php:4.2.3  PHP PHP 4.2.3
cpe:/a:php:php:4.0.4  PHP PHP 4.0.4
cpe:/a:php:php:4.2.2  PHP PHP 4.2.2
cpe:/a:php:php:4.4.0  PHP PHP 4.4.0
cpe:/a:php:php:4.0.7  PHP PHP 4.0.7
cpe:/a:php:php:4.0.6  PHP PHP 4.0.6
cpe:/a:php:php:4.0.3:patch1
cpe:/a:php:php:4.0.1:patch1
cpe:/a:php:php:4.3
cpe:/a:php:php:3.0.18  PHP PHP 3.0.18
cpe:/a:php:php:3.0.9  PHP PHP 3.0.9
cpe:/a:php:php:4.3.11  PHP PHP 4.3.11
cpe:/a:php:php:4.3.10  PHP PHP 4.3.10

- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:10537  The RFC1867 file upload feature in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when register_globals is enabled, allows remote attackers to mod...
*OVAL describes in detail how to detect this vulnerability; further technical details on detecting it can be found in the related OVAL definition.

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3390
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3390
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200511-006
(Official data source) CNNVD

- Other Links and Resources

http://itrc.hp.com/service/cki/docDisplay.do?docId=c00786522
(UNKNOWN)  HP  HPSBMA02159
http://rhn.redhat.com/errata/RHSA-2006-0549.html
(UNKNOWN)  REDHAT  RHSA-2006:0549
http://securityreason.com/securityalert/132
(UNKNOWN)  SREASON  132
http://securitytracker.com/id?1015129
(UNKNOWN)  SECTRACK  1015129
http://support.avaya.com/elmodocs2/security/ASA-2006-037.htm
(UNKNOWN)  CONFIRM  http://support.avaya.com/elmodocs2/security/ASA-2006-037.htm
http://www.fedoralegacy.org/updates/FC2/2005-11-28-FLSA_2005_166943__Updated_php_packages_fix_security_issues.html
(UNKNOWN)  FEDORA  FLSA:166943
http://www.gentoo.org/security/en/glsa/glsa-200511-08.xml
(UNKNOWN)  GENTOO  GLSA-200511-08
http://www.hardened-php.net/advisory_202005.79.html
(VENDOR_ADVISORY)  MISC  http://www.hardened-php.net/advisory_202005.79.html
http://www.hardened-php.net/globals-problem
(UNKNOWN)  MISC  http://www.hardened-php.net/globals-problem
http://www.mandriva.com/security/advisories?name=MDKSA-2005:213
(UNKNOWN)  MANDRIVA  MDKSA-2005:213
http://www.novell.com/linux/security/advisories/2005_27_sr.html
(UNKNOWN)  SUSE  SUSE-SR:2005:027
http://www.openpkg.org/security/OpenPKG-SA-2005.027-php.html
(UNKNOWN)  OPENPKG  OpenPKG-SA-2005.027
http://www.php.net/release_4_4_1.php
(PATCH)  CONFIRM  http://www.php.net/release_4_4_1.php
http://www.redhat.com/support/errata/RHSA-2005-831.html
(UNKNOWN)  REDHAT  RHSA-2005:831
http://www.redhat.com/support/errata/RHSA-2005-838.html
(UNKNOWN)  REDHAT  RHSA-2005:838
http://www.securityfocus.com/archive/1/archive/1/415290/30/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20051031 Advisory 20/2005: PHP File-Upload $GLOBALS Overwrite Vulnerability
http://www.securityfocus.com/archive/1/archive/1/419504/100/0/threaded
(UNKNOWN)  SUSE  SUSE-SA:2005:069
http://www.securityfocus.com/bid/15250
(PATCH)  BID  15250
http://www.vupen.com/english/advisories/2005/2254
(UNKNOWN)  VUPEN  ADV-2005-2254
http://www.vupen.com/english/advisories/2006/4320
(UNKNOWN)  VUPEN  ADV-2006-4320
https://www.ubuntu.com/usn/usn-232-1/
(UNKNOWN)  UBUNTU  USN-232-1

- Vulnerability Information

PHP File Upload $GLOBALS Variable Overwrite Vulnerability
High risk  Design error
2005-11-01 00:00:00 2005-11-15 00:00:00
Remote

- Advisories and Patches

        The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:
        PHP Upgrade php-4.4.1.tar.gz
        http://www.php.net/get/php-4.4.1.tar.gz

- Vulnerability Information

20408
PHP File-Upload $GLOBALS Array Overwrite
Remote / Network Access Input Manipulation
Loss of Integrity
Vendor Verified

- Vulnerability Description

- Timeline

2005-10-31 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- Related References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

PHP File Upload GLOBAL Variable Overwrite Vulnerability
Design Error 15250
Yes No
2005-10-31 12:00:00 2006-11-02 10:52:00
Stefan Esser <sesser@hardened-php.net> of the Hardened-PHP Project discovered this issue.

- Affected Software Versions

Ubuntu Ubuntu Linux 5.10 powerpc
Ubuntu Ubuntu Linux 5.10 i386
Ubuntu Ubuntu Linux 5.10 amd64
Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
Turbolinux Turbolinux Workstation 8.0
Turbolinux Turbolinux Workstation 7.0
Turbolinux Turbolinux Server 10.0
Turbolinux Turbolinux Server 8.0
Turbolinux Turbolinux Server 7.0
Turbolinux Appliance Server Workgroup Edition 1.0
Turbolinux Appliance Server Hosting Edition 1.0
Turbolinux Appliance Server 1.0 Workgroup Edition
Turbolinux Appliance Server 1.0 Hosting Edition
Trustix Secure Linux 3.0
Trustix Secure Linux 2.2
Trustix Secure Enterprise Linux 2.0
SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
SGI ProPack 3.0 SP6
S.u.S.E. UnitedLinux 1.0
S.u.S.E. SuSE Linux Standard Server 8.0
S.u.S.E. SuSE Linux School Server for i386
S.u.S.E. SUSE LINUX Retail Solution 8.0
S.u.S.E. SuSE Linux Openexchange Server 4.0
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 9.0 x86_64
S.u.S.E. Linux Professional 9.0
S.u.S.E. Linux Professional 8.2
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Openexchange Server
S.u.S.E. Linux Enterprise Server for S/390 9.0
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
RedHat Stronghold 4.0
RedHat Linux 9.0 i386
RedHat Linux 7.3 i386
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Desktop 4.0
RedHat Desktop 3.0
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Fedora Core4
Red Hat Fedora Core3
Red Hat Fedora Core2
Red Hat Fedora Core1
Red Hat Enterprise Linux AS 4
Red Hat Enterprise Linux AS 3
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
PHP PHP 5.0.5
PHP PHP 5.0.4
PHP PHP 5.0.3
PHP PHP 5.0.2
PHP PHP 5.0.1
PHP PHP 5.0 candidate 3
PHP PHP 5.0 candidate 2
PHP PHP 5.0 candidate 1
PHP PHP 5.0 .0
PHP PHP 4.4 .0
PHP PHP 4.3.11
PHP PHP 4.3.10
PHP PHP 4.3.9
PHP PHP 4.3.8
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
+ S.u.S.E. Linux Personal 9.2
+ Turbolinux Turbolinux Server 10.0
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
PHP PHP 4.3.7
PHP PHP 4.3.6
PHP PHP 4.3.5
PHP PHP 4.3.4
PHP PHP 4.3.3
PHP PHP 4.3.2
PHP PHP 4.3.1
PHP PHP 4.3
PHP PHP 4.2.3
PHP PHP 4.2.2
PHP PHP 4.2.1
- FreeBSD FreeBSD 4.6
- FreeBSD FreeBSD 4.5
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.3
+ Slackware Linux 8.1
PHP PHP 4.2 .0
PHP PHP 4.2 -dev
PHP PHP 4.1.2
PHP PHP 4.1.1
PHP PHP 4.1 .0
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
PHP PHP 4.0.7 RC3
PHP PHP 4.0.7 RC2
PHP PHP 4.0.7 RC1
PHP PHP 4.0.7
PHP PHP 4.0.6
PHP PHP 4.0.5
PHP PHP 4.0.4
PHP PHP 4.0.3 pl1
+ S.u.S.E. Linux 6.4 ppc
+ S.u.S.E. Linux 6.4 i386
+ S.u.S.E. Linux 6.4 alpha
+ S.u.S.E. Linux 6.4
PHP PHP 4.0.3
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ Sun Cobalt Control Station 4100CS
+ Sun Cobalt Qube3 Japanese 4000WGJ
+ Sun Cobalt Qube3 Japanese w/ Caching and RAID 4100WGJ
+ Sun Cobalt Qube3 Japanese w/Caching 4010WGJ
+ Sun Cobalt RaQ XTR 3500R
+ Sun Cobalt RaQ XTR Japanese 3500R-ja
PHP PHP 4.0.2
PHP PHP 4.0.1 pl2
PHP PHP 4.0.1 pl1
PHP PHP 4.0.1
+ Sun Cobalt Qube3 4000WG
+ Sun Cobalt Qube3 w/ Caching and RAID 4100WG
+ Sun Cobalt Qube3 w/Caching 4010WG
+ Sun Cobalt RaQ4 3001R
+ Sun Cobalt RaQ4 Japanese RAID 3100R-ja
+ Sun Cobalt RaQ4 RAID 3100R
PHP PHP 4.0 0
PHP PHP 3.0.18
PHP PHP 3.0.17
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 alpha
+ S.u.S.E. Linux 7.0
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
PHP PHP 3.0.16
PHP PHP 3.0.15
PHP PHP 3.0.14
PHP PHP 3.0.13
PHP PHP 3.0.12
PHP PHP 3.0.11
PHP PHP 3.0.10
PHP PHP 3.0.9
PHP PHP 3.0.8
PHP PHP 3.0.7
PHP PHP 3.0.6
PHP PHP 3.0.5
PHP PHP 3.0.4
PHP PHP 3.0.3
PHP PHP 3.0.2
PHP PHP 3.0.1
PHP PHP 3.0 0
PHP PHP 3.0 .16
PHP PHP 3.0 .13
PHP PHP 3.0 .12
PHP PHP 3.0 .11
PHP PHP 3.0 .10
OpenPKG OpenPKG 2.5
OpenPKG OpenPKG 2.4
OpenPKG OpenPKG 2.3
OpenPKG OpenPKG Current
Mandriva Linux Mandrake 2006.0 x86_64
Mandriva Linux Mandrake 2006.0
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
MandrakeSoft Multi Network Firewall 2.0
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
MandrakeSoft Corporate Server 2.1 x86_64
MandrakeSoft Corporate Server 2.1
HP System Management Homepage 2.1.4
HP System Management Homepage 2.1.3 .132
HP System Management Homepage 2.1.3
HP System Management Homepage 2.1.2
HP System Management Homepage 2.1.1
HP System Management Homepage 2.1
HP System Management Homepage 2.0.2
HP System Management Homepage 2.0.1
HP System Management Homepage 2.0
Gentoo Linux
e107 e107 website system 0.7.5
Avaya Messaging Storage Server
Avaya Message Networking
Avaya Intuity LX

- Unaffected Software Versions

PHP PHP 5.1
PHP PHP 4.4.1
HP System Management Homepage 2.1.5

- Vulnerability Discussion

PHP is prone to a vulnerability that allows attackers to overwrite the GLOBAL variable via HTTP POST requests.

By exploiting this issue, remote attackers may be able to overwrite the GLOBAL variable. This may allow attackers to further exploit latent vulnerabilities in PHP scripts.

- Exploit

An exploit released for the e107 PHP CMS demonstrates this vulnerability.

Note, however, that an exploit is not required to take advantage of this vulnerability.

- Solution

Please see the referenced advisories for more information.

NOTE: The vendor has addressed this issue in PHP versions 4.4.1 and 5.1.

