CVE-2005-3390
CVSS 7.5
Published: 2005-11-01 07:47:00
Last modified: 2011-03-07 21:26:27

[Original] The RFC1867 file upload feature in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when register_globals is enabled, allows remote attackers to modify the GLOBALS array and bypass security protections of PHP applications via a multipart/form-data POST request with a "GLOBALS" fileupload field.


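[CNNVD] PHP File Upload $GLOBALS Variable Overwrite Vulnerability (CNNVD-200511-006)

        PHP is a widely used general-purpose scripting language that is especially suited to web development and can be embedded in HTML.
        PHP has a flaw in its protection of global variables: an attacker can overwrite the $GLOBALS array by sending a POST request that contains a file upload field named GLOBALS, which may lead to remote execution of PHP code. PHP 4.3.11 added code to prevent the $GLOBALS array from being overwritten when register_globals is turned on, but this protection has a gap. The added code only covers the globalization of GET, POST and COOKIE variables, and overlooks the fact that the rfc1867 file upload code in PHP also registers global variables.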

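- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause reduced performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]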

- CPE (Affected Platforms and Products)

cpe:/a:php:php:3.0.17 PHP PHP 3.0.17
cpe:/a:php:php:3.0.13 PHP PHP 3.0.13
cpe:/a:php:php:4.0.1 PHP PHP 4.0.1
cpe:/a:php:php:5.0.5 PHP PHP 5.0.5
cpe:/a:php:php:4.3.1 PHP PHP 4.3.1
cpe:/a:php:php:4.3.10 PHP PHP 4.3.10
cpe:/a:php:php:4.0.0 PHP PHP 4.0.0
cpe:/a:php:php:4.3.7 PHP PHP 4.3.7
cpe:/a:php:php:3.0.1 PHP PHP 3.0.1
cpe:/a:php:php:4.2.0 PHP PHP 4.2.0
cpe:/a:php:php:5.0.1 PHP PHP 5.0.1
cpe:/a:php:php:3.0.14 PHP PHP 3.0.14
cpe:/a:php:php:4.2.2 PHP PHP 4.2.2
cpe:/a:php:php:5.0:rc1
cpe:/a:php:php:4.0.7:rc3
cpe:/a:php:php:4.0.2 PHP PHP 4.0.2
cpe:/a:php:php:4.0.6 PHP PHP 4.0.6
cpe:/a:php:php:5.0:rc3
cpe:/a:php:php:4.1.2 PHP PHP 4.1.2
cpe:/a:php:php:4.0.5 PHP PHP 4.0.5
cpe:/a:php:php:4.2::dev
cpe:/a:php:php:4.3.6 PHP PHP 4.3.6
cpe:/a:php:php:4.0.1:patch2
cpe:/a:php:php:4.3
cpe:/a:php:php:4.0.4 PHP PHP 4.0.4
cpe:/a:php:php:3.0.15 PHP PHP 3.0.15
cpe:/a:php:php:5.0.4 PHP PHP 5.0.4
cpe:/a:php:php:4.3.4 PHP PHP 4.3.4
cpe:/a:php:php:3.0.9 PHP PHP 3.0.9
cpe:/a:php:php:4.0.3 PHP PHP 4.0.3
cpe:/a:php:php:5.0:rc2
cpe:/a:php:php:4.3.2 PHP PHP 4.3.2
cpe:/a:php:php:4.3.3 PHP PHP 4.3.3
cpe:/a:php:php:3.0.16 PHP PHP 3.0.16
cpe:/a:php:php:4.0.1:patch1
cpe:/a:php:php:3.0.2 PHP PHP 3.0.2
cpe:/a:php:php:4.0.3:patch1
cpe:/a:php:php:3.0.5 PHP PHP 3.0.5
cpe:/a:php:php:3.0.7 PHP PHP 3.0.7
cpe:/a:php:php:4.0.7:rc2
cpe:/a:php:php:5.0.0 PHP PHP 5.0.0
cpe:/a:php:php:5.0.2 PHP PHP 5.0.2
cpe:/a:php:php:4.2.1 PHP PHP 4.2.1
cpe:/a:php:php:5.0.3 PHP PHP 5.0.3
cpe:/a:php:php:3.0.11 PHP PHP 3.0.11
cpe:/a:php:php:4.1.1 PHP PHP 4.1.1
cpe:/a:php:php:3.0.6 PHP PHP 3.0.6
cpe:/a:php:php:4.0.7 PHP PHP 4.0.7
cpe:/a:php:php:3.0.10 PHP PHP 3.0.10
cpe:/a:php:php:3.0.12 PHP PHP 3.0.12
cpe:/a:php:php:4.3.11 PHP PHP 4.3.11
cpe:/a:php:php:4.0.7:rc1
cpe:/a:php:php:3.0.8 PHP PHP 3.0.8
cpe:/a:php:php:3.0.18 PHP PHP 3.0.18
cpe:/a:php:php:4.3.8 PHP PHP 4.3.8
cpe:/a:php:php:3.0.3 PHP PHP 3.0.3
cpe:/a:php:php:4.1.0 PHP PHP 4.1.0
cpe:/a:php:php:3.0 PHP PHP 3.0
cpe:/a:php:php:4.4.0 PHP PHP 4.4.0
cpe:/a:php:php:4.3.9 PHP PHP 4.3.9
cpe:/a:php:php:3.0.4 PHP PHP 3.0.4
cpe:/a:php:php:4.3.5 PHP PHP 4.3.5
cpe:/a:php:php:4.2.3 PHP PHP 4.2.3

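- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:10537 The RFC1867 file upload feature in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when register_globals is enabled, allows remote attackers to mod...
* OVAL describes in detail how to detect this vulnerability; further technical details on detecting it can be found in the related OVAL definition.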

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3390
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3390
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200511-006
(Official data source) CNNVD

- Other Links and Resources

http://www.securityfocus.com/bid/15250
(PATCH)  BID  15250
http://www.php.net/release_4_4_1.php
(PATCH)  CONFIRM  http://www.php.net/release_4_4_1.php
http://secunia.com/advisories/17371
(VENDOR_ADVISORY)  SECUNIA  17371
http://www.vupen.com/english/advisories/2006/4320
(UNKNOWN)  VUPEN  ADV-2006-4320
http://www.vupen.com/english/advisories/2005/2254
(UNKNOWN)  VUPEN  ADV-2005-2254
http://www.securityfocus.com/archive/1/archive/1/415290/30/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20051031 Advisory 20/2005: PHP File-Upload $GLOBALS Overwrite Vulnerability
http://www.hardened-php.net/globals-problem
(UNKNOWN)  MISC  http://www.hardened-php.net/globals-problem
http://www.hardened-php.net/advisory_202005.79.html
(VENDOR_ADVISORY)  MISC  http://www.hardened-php.net/advisory_202005.79.html
http://itrc.hp.com/service/cki/docDisplay.do?docId=c00786522
(UNKNOWN)  HP  HPSBMA02159
http://www.ubuntulinux.org/usn/usn-232-1/document_view
(UNKNOWN)  UBUNTU  USN-232-1
http://www.securityfocus.com/archive/1/archive/1/419504/100/0/threaded
(UNKNOWN)  SUSE  SUSE-SA:2005:069
http://www.redhat.com/support/errata/RHSA-2005-838.html
(UNKNOWN)  REDHAT  RHSA-2005:838
http://www.redhat.com/support/errata/RHSA-2005-831.html
(UNKNOWN)  REDHAT  RHSA-2005:831
http://www.openpkg.org/security/OpenPKG-SA-2005.027-php.html
(UNKNOWN)  OPENPKG  OpenPKG-SA-2005.027
http://www.novell.com/linux/security/advisories/2005_27_sr.html
(UNKNOWN)  SUSE  SUSE-SR:2005:027
http://www.mandriva.com/security/advisories?name=MDKSA-2005:213
(UNKNOWN)  MANDRIVA  MDKSA-2005:213
http://www.gentoo.org/security/en/glsa/glsa-200511-08.xml
(UNKNOWN)  GENTOO  GLSA-200511-08
http://www.fedoralegacy.org/updates/FC2/2005-11-28-FLSA_2005_166943__Updated_php_packages_fix_security_issues.html
(UNKNOWN)  FEDORA  FLSA:166943
http://support.avaya.com/elmodocs2/security/ASA-2006-037.htm
(UNKNOWN)  CONFIRM  http://support.avaya.com/elmodocs2/security/ASA-2006-037.htm
http://securitytracker.com/id?1015129
(UNKNOWN)  SECTRACK  1015129
http://securityreason.com/securityalert/132
(UNKNOWN)  SREASON  132
http://secunia.com/advisories/22691
(UNKNOWN)  SECUNIA  22691
http://secunia.com/advisories/21252
(UNKNOWN)  SECUNIA  21252
http://secunia.com/advisories/18669
(UNKNOWN)  SECUNIA  18669
http://secunia.com/advisories/18198
(UNKNOWN)  SECUNIA  18198
http://secunia.com/advisories/18054
(UNKNOWN)  SECUNIA  18054
http://secunia.com/advisories/17559
(UNKNOWN)  SECUNIA  17559
http://secunia.com/advisories/17557
(UNKNOWN)  SECUNIA  17557
http://secunia.com/advisories/17531
(UNKNOWN)  SECUNIA  17531
http://secunia.com/advisories/17510
(UNKNOWN)  SECUNIA  17510
http://secunia.com/advisories/17490
(UNKNOWN)  SECUNIA  17490
http://rhn.redhat.com/errata/RHSA-2006-0549.html
(UNKNOWN)  REDHAT  RHSA-2006:0549
http://itrc.hp.com/service/cki/docDisplay.do?docId=c00786522
(UNKNOWN)  HP  SSRT061238

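- Vulnerability Information

PHP File Upload $GLOBALS Variable Overwrite Vulnerability
High risk  Design error
2005-11-01 00:00:00 2005-11-15 00:00:00
Remote
        PHP is a widely used general-purpose scripting language that is especially suited to web development and can be embedded in HTML.
        PHP has a flaw in its protection of global variables: an attacker can overwrite the $GLOBALS array by sending a POST request that contains a file upload field named GLOBALS, which may lead to remote execution of PHP code. PHP 4.3.11 added code to prevent the $GLOBALS array from being overwritten when register_globals is turned on, but this protection has a gap. The added code only covers the globalization of GET, POST and COOKIE variables, and overlooks the fact that the rfc1867 file upload code in PHP also registers global variables.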

- Advisories and Patches

        The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:
        PHP Upgrade php-4.4.1.tar.gz
        http://www.php.net/get/php-4.4.1.tar.gz

- Vulnerability Information

20408
PHP File-Upload $GLOBALS Array Overwrite
Remote / Network Access Input Manipulation
Loss of Integrity
Vendor Verified

- Vulnerability Description

- Timeline

2005-10-31 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- Related References

- Vulnerability Credit

Unknown or Incomplete

- Vulnerability Information

PHP File Upload GLOBAL Variable Overwrite Vulnerability
Design Error 15250
Yes No
2005-10-31 12:00:00 2006-11-02 10:52:00
Stefan Esser <sesser@hardened-php.net> of the Hardened-PHP Project discovered this issue.

- Affected Software Versions

Ubuntu Ubuntu Linux 5.10 powerpc
Ubuntu Ubuntu Linux 5.10 i386
Ubuntu Ubuntu Linux 5.10 amd64
Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
Turbolinux Turbolinux Workstation 8.0
Turbolinux Turbolinux Workstation 7.0
Turbolinux Turbolinux Server 10.0
Turbolinux Turbolinux Server 8.0
Turbolinux Turbolinux Server 7.0
Turbolinux Appliance Server Workgroup Edition 1.0
Turbolinux Appliance Server Hosting Edition 1.0
Turbolinux Appliance Server 1.0 Workgroup Edition
Turbolinux Appliance Server 1.0 Hosting Edition
Trustix Secure Linux 3.0
Trustix Secure Linux 2.2
Trustix Secure Enterprise Linux 2.0
SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
SGI ProPack 3.0 SP6
S.u.S.E. UnitedLinux 1.0
S.u.S.E. SuSE Linux Standard Server 8.0
S.u.S.E. SuSE Linux School Server for i386
S.u.S.E. SUSE LINUX Retail Solution 8.0
S.u.S.E. SuSE Linux Openexchange Server 4.0
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 9.0 x86_64
S.u.S.E. Linux Professional 9.0
S.u.S.E. Linux Professional 8.2
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Openexchange Server
S.u.S.E. Linux Enterprise Server for S/390 9.0
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
RedHat Stronghold 4.0
RedHat Linux 9.0 i386
RedHat Linux 7.3 i386
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Desktop 4.0
RedHat Desktop 3.0
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Fedora Core4
Red Hat Fedora Core3
Red Hat Fedora Core2
Red Hat Fedora Core1
Red Hat Enterprise Linux AS 4
Red Hat Enterprise Linux AS 3
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
PHP PHP 5.0.5
PHP PHP 5.0.4
PHP PHP 5.0.3
PHP PHP 5.0.2
PHP PHP 5.0.1
PHP PHP 5.0 candidate 3
PHP PHP 5.0 candidate 2
PHP PHP 5.0 candidate 1
PHP PHP 5.0 .0
PHP PHP 4.4 .0
PHP PHP 4.3.11
PHP PHP 4.3.10
PHP PHP 4.3.9
PHP PHP 4.3.8
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
+ S.u.S.E. Linux Personal 9.2
+ Turbolinux Turbolinux Server 10.0
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
PHP PHP 4.3.7
PHP PHP 4.3.6
PHP PHP 4.3.5
PHP PHP 4.3.4
PHP PHP 4.3.3
PHP PHP 4.3.2
PHP PHP 4.3.1
PHP PHP 4.3
PHP PHP 4.2.3
PHP PHP 4.2.2
PHP PHP 4.2.1
- FreeBSD FreeBSD 4.6
- FreeBSD FreeBSD 4.5
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.3
+ Slackware Linux 8.1
PHP PHP 4.2 .0
PHP PHP 4.2 -dev
PHP PHP 4.1.2
PHP PHP 4.1.1
PHP PHP 4.1 .0
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
PHP PHP 4.0.7 RC3
PHP PHP 4.0.7 RC2
PHP PHP 4.0.7 RC1
PHP PHP 4.0.7
PHP PHP 4.0.6
PHP PHP 4.0.5
PHP PHP 4.0.4
PHP PHP 4.0.3 pl1
+ S.u.S.E. Linux 6.4 ppc
+ S.u.S.E. Linux 6.4 i386
+ S.u.S.E. Linux 6.4 alpha
+ S.u.S.E. Linux 6.4
PHP PHP 4.0.3
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ Sun Cobalt Control Station 4100CS
+ Sun Cobalt Qube3 Japanese 4000WGJ
+ Sun Cobalt Qube3 Japanese w/ Caching and RAID 4100WGJ
+ Sun Cobalt Qube3 Japanese w/Caching 4010WGJ
+ Sun Cobalt RaQ XTR 3500R
+ Sun Cobalt RaQ XTR Japanese 3500R-ja
PHP PHP 4.0.2
PHP PHP 4.0.1 pl2
PHP PHP 4.0.1 pl1
PHP PHP 4.0.1
+ Sun Cobalt Qube3 4000WG
+ Sun Cobalt Qube3 w/ Caching and RAID 4100WG
+ Sun Cobalt Qube3 w/Caching 4010WG
+ Sun Cobalt RaQ4 3001R
+ Sun Cobalt RaQ4 Japanese RAID 3100R-ja
+ Sun Cobalt RaQ4 RAID 3100R
PHP PHP 4.0 0
PHP PHP 3.0.18
PHP PHP 3.0.17
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 alpha
+ S.u.S.E. Linux 7.0
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
PHP PHP 3.0.16
PHP PHP 3.0.15
PHP PHP 3.0.14
PHP PHP 3.0.13
PHP PHP 3.0.12
PHP PHP 3.0.11
PHP PHP 3.0.10
PHP PHP 3.0.9
PHP PHP 3.0.8
PHP PHP 3.0.7
PHP PHP 3.0.6
PHP PHP 3.0.5
PHP PHP 3.0.4
PHP PHP 3.0.3
PHP PHP 3.0.2
PHP PHP 3.0.1
PHP PHP 3.0 0
PHP PHP 3.0 .16
PHP PHP 3.0 .13
PHP PHP 3.0 .12
PHP PHP 3.0 .11
PHP PHP 3.0 .10
OpenPKG OpenPKG 2.5
OpenPKG OpenPKG 2.4
OpenPKG OpenPKG 2.3
OpenPKG OpenPKG Current
Mandriva Linux Mandrake 2006.0 x86_64
Mandriva Linux Mandrake 2006.0
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
MandrakeSoft Multi Network Firewall 2.0
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
MandrakeSoft Corporate Server 2.1 x86_64
MandrakeSoft Corporate Server 2.1
HP System Management Homepage 2.1.4
HP System Management Homepage 2.1.3 .132
HP System Management Homepage 2.1.3
HP System Management Homepage 2.1.2
HP System Management Homepage 2.1.1
HP System Management Homepage 2.1
HP System Management Homepage 2.0.2
HP System Management Homepage 2.0.1
HP System Management Homepage 2.0
Gentoo Linux
e107 e107 website system 0.7.5
Avaya Messaging Storage Server
Avaya Message Networking
Avaya Intuity LX
PHP PHP 5.1
PHP PHP 4.4.1
HP System Management Homepage 2.1.5

- Unaffected Software Versions

PHP PHP 5.1
PHP PHP 4.4.1
HP System Management Homepage 2.1.5

- Vulnerability Discussion

PHP is prone to a vulnerability that allows attackers to overwrite the GLOBAL variable via HTTP POST requests.

By exploiting this issue, remote attackers may be able to overwrite the GLOBAL variable. This may allow attackers to further exploit latent vulnerabilities in PHP scripts.

- Exploit

An exploit released for the e107 PHP CMS demonstrates this vulnerability.

Note, however, that an exploit is not required to take advantage of this vulnerability.

- Solution

Please see the referenced advisories for more information.

NOTE: The vendor has addressed this issue in PHP versions 4.4.1 and 5.1.


HP System Management Homepage 2.0.2

HP System Management Homepage 2.1

HP System Management Homepage 2.1.1

HP System Management Homepage 2.1.2

HP System Management Homepage 2.1.4

PHP PHP 3.0 0

PHP PHP 3.0 .10

PHP PHP 3.0 .12

PHP PHP 3.0.11

PHP PHP 3.0.17

PHP PHP 3.0.2

PHP PHP 3.0.3

PHP PHP 3.0.4

PHP PHP 3.0.5

PHP PHP 3.0.9

PHP PHP 4.0 0

PHP PHP 4.0.1

PHP PHP 4.0.1 pl2

PHP PHP 4.0.2

PHP PHP 4.0.3 pl1

PHP PHP 4.0.3

PHP PHP 4.0.5

PHP PHP 4.0.7 RC1

PHP PHP 4.0.7 RC2

PHP PHP 4.1 .0

PHP PHP 4.2.1

PHP PHP 4.3

PHP PHP 4.3.2

PHP PHP 4.3.5

PHP PHP 4.3.6

PHP PHP 4.3.8

PHP PHP 4.3.9

PHP PHP 5.0 .0

PHP PHP 5.0.1

PHP PHP 5.0.2

PHP PHP 5.0.4

- Related References

 

 
