Miembros de
Boletines de Vulnerabilidades |
Denegación de servicio en mod_php para Apache2 |
|
Clasificación de la vulnerabilidad |
|
| Propiedad | Valor |
| Nivel de Confianza | Oficial |
| Impacto | Denegación de Servicio |
| Dificultad | Experto |
| Requerimientos del atacante | Acceso remoto sin cuenta a un servicio exotico |
Información sobre el sistema |
|
| Propiedad | Valor |
| Fabricante afectado | GNU/Linux |
| Software afectado |
mod_php PHP 5.x < 5.1.0 mod_php PHP 4.4 < 4.4.1 |
Descripción |
|
|
Se ha descubierto una vulnerabilidad en PHP 4.4 versión anterior a 4.4.1 y PHP 5.x versión anterior a 5.1.0. La vulnerabilidad reside en la función "sapi_apache2.c" del módulo para Apache2 mod_php que tiene un error al manejar la opción "session.save_path" de un fichero ".htaccess". Un atacante remoto podría causar una denegación de servicio, para que esto ocurra es necesario que la opción "safe_mode" de "php.ini" esté activada. |
|
Solución |
|
|
Actualización de software Mandriva Mandrakelinux 10.1 X86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/RPMS/libphp_common432-4.3.8-3.6.101mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/RPMS/php432-devel-4.3.8-3.6.101mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/RPMS/php-cgi-4.3.8-3.6.101mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/RPMS/php-cli-4.3.8-3.6.101mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/SRPMS/php-4.3.8-3.6.101mdk.src.rpm X86_64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/RPMS/lib64php_common432-4.3.8-3.6.101mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/RPMS/php432-devel-4.3.8-3.6.101mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/RPMS/php-cgi-4.3.8-3.6.101mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/RPMS/php-cli-4.3.8-3.6.101mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/SRPMS/php-4.3.8-3.6.101mdk.src.rpm Corporate Server 2.1 X86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/RPMS/php-4.2.3-4.6.C21mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/RPMS/php-common-4.2.3-4.6.C21mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/RPMS/php-devel-4.2.3-4.6.C21mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/RPMS/php-pear-4.2.3-4.6.C21mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/SRPMS/php-4.2.3-4.6.C21mdk.src.rpm X86_64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/RPMS/php-4.2.3-4.6.C21mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/RPMS/php-common-4.2.3-4.6.C21mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/RPMS/php-devel-4.2.3-4.6.C21mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/RPMS/php-pear-4.2.3-4.6.C21mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/SRPMS/php-4.2.3-4.6.C21mdk.src.rpm Corporate Server 3.0 X86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/libphp_common432-4.3.4-4.8.C30mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/php432-devel-4.3.4-4.8.C30mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/php-cgi-4.3.4-4.8.C30mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/php-cli-4.3.4-4.8.C30mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/SRPMS/php-4.3.4-4.8.C30mdk.src.rpm X86_64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/lib64php_common432-4.3.4-4.8.C30mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/php432-devel-4.3.4-4.8.C30mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/php-cgi-4.3.4-4.8.C30mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/php-cli-4.3.4-4.8.C30mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/SRPMS/php-4.3.4-4.8.C30mdk.src.rpm Multi Network Firewall 2.0 X86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/mnf/2.0/RPMS/libphp_common432-4.3.4-4.8.M20mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/mnf/2.0/RPMS/php432-devel-4.3.4-4.8.M20mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/mnf/2.0/RPMS/php-cgi-4.3.4-4.8.M20mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/mnf/2.0/RPMS/php-cli-4.3.4-4.8.M20mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/mnf/2.0/SRPMS/php-4.3.4-4.8.M20mdk.src.rpm Mandrivalinux LE2005 X86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.2/RPMS/libphp_common432-4.3.10-7.4.102mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.2/RPMS/php432-devel-4.3.10-7.4.102mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.2/RPMS/php-cgi-4.3.10-7.4.102mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.2/RPMS/php-cli-4.3.10-7.4.102mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.2/SRPMS/php-4.3.10-7.4.102mdk.src.rpm X86_64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.2/RPMS/lib64php_common432-4.3.10-7.4.102mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.2/RPMS/php432-devel-4.3.10-7.4.102mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.2/RPMS/php-cgi-4.3.10-7.4.102mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.2/RPMS/php-cli-4.3.10-7.4.102mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.2/SRPMS/php-4.3.10-7.4.102mdk.src.rpm Mandrivalinux 2006 X86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/libphp5_common5-5.0.4-9.1.20060mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/php-cgi-5.0.4-9.1.20060mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/php-cli-5.0.4-9.1.20060mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/php-devel-5.0.4-9.1.20060mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/php-exif-5.0.4-1.1.20060mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/php-fcgi-5.0.4-9.1.20060mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/SRPMS/php-5.0.4-9.1.20060mdk.src.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/SRPMS/php-exif-5.0.4-1.1.20060mdk.src.rpm X86_64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/lib64php5_common5-5.0.4-9.1.20060mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/php-cgi-5.0.4-9.1.20060mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/php-cli-5.0.4-9.1.20060mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/php-devel-5.0.4-9.1.20060mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/php-exif-5.0.4-1.1.20060mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/php-fcgi-5.0.4-9.1.20060mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/SRPMS/php-5.0.4-9.1.20060mdk.src.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/SRPMS/php-exif-5.0.4-1.1.20060mdk.src.rpm Apple Mac OS X 10.3.9 Client http://www.apple.com/support/downloads/securityupdate20060011039client.html Mac OS X 10.3.9 Server http://www.apple.com/support/downloads/securityupdate20060011039server.html Mac OS X 10.4.5 (PPC) http://www.apple.com/support/downloads/securityupdate2006001macosx1045ppc.html Mac OS X 10.4.5 Client (Intel) http://www.apple.com/support/downloads/securityupdate2006001macosx1045clientintel.html Hewlett-Packard (HPSBMA02159) HP System Management Homepage / Linux (x86) / patch 2.1.5-146 http://h18023.www1.hp.com/support/files/server/us/download/24193.html HP System Management Homepage / Linux (AMD64/EM64T) / patch 2.1.5-146 http://h18023.www1.hp.com/support/files/server/us/download/24172.html HP System Management Homepage / Windows / patch 2.1.5-146 http://h18007.www1.hp.com/support/files/server/us/download/23883.html |
|
Identificadores estándar |
|
| Propiedad | Valor |
| CVE | CVE-2005-3319 |
| BID |
15177 16907 |
Recursos adicionales |
|
|
Mandriva Security Advisory (MDKSA-2005:213) http://www.mandriva.com/security/advisories?name=MDKSA-2005:213 Apple Security Update (2006-001) http://docs.info.apple.com/article.html?artnum=303382 HP SECURITY BULLETIN (HPSBMA02159) http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=c00786522 |
|
Histórico de versiones |
||
| Versión | Comentario | Fecha |
| 1.0 | Aviso emitido | 2005-11-21 |
| 1.1 | Aviso emitido por Apple (2006-001) | 2006-03-06 |
| 1.2 | Aviso emitido por HP (HPSBMA02159) | 2006-11-02 |