ID CVE-2009-0754
Summary PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within .htaccess, which causes this setting to be applied to other virtual hosts on the same server.
References
Vulnerable Configurations
  • cpe:2.3:a:php:php:4.4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:5.1.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:apache:*:*:*:*:*:*:*:*
CVSS
Base: 2.1 (as of 03-10-2018 - 21:58)
Impact:
Exploitability:
CWE CWE-134
CAPEC
  • String Format Overflow in syslog()
    This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
  • Format String Injection
    An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting characters. For example, in certain functions of the C programming language such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack.
Access
  • Vector LOCAL
  • Complexity LOW
  • Authentication NONE
Impact
  • Confidentiality NONE
  • Integrity PARTIAL
  • Availability NONE
cvss-vector via4 AV:L/AC:L/Au:N/C:N/I:P/A:N
oval via4
accepted 2013-04-29T04:10:56.367-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within .htaccess, which causes this setting to be applied to other virtual hosts on the same server.
family unix
id oval:org.mitre.oval:def:11035
status accepted
submitted 2010-07-09T03:56:16-04:00
title PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within .htaccess, which causes this setting to be applied to other virtual hosts on the same server.
version 30
redhat via4
advisories
  • bugzilla
    id 479272
    title CVE-2009-0754 PHP mbstring.func_overload web server denial of service
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 4 is installed
        oval oval:com.redhat.rhba:tst:20070304025
      • OR
        • AND
          • comment php is earlier than 0:4.3.9-3.22.15
            oval oval:com.redhat.rhsa:tst:20090337001
          • comment php is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060276002
        • AND
          • comment php-devel is earlier than 0:4.3.9-3.22.15
            oval oval:com.redhat.rhsa:tst:20090337003
          • comment php-devel is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060276004
        • AND
          • comment php-domxml is earlier than 0:4.3.9-3.22.15
            oval oval:com.redhat.rhsa:tst:20090337005
          • comment php-domxml is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060276006
        • AND
          • comment php-gd is earlier than 0:4.3.9-3.22.15
            oval oval:com.redhat.rhsa:tst:20090337007
          • comment php-gd is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060276008
        • AND
          • comment php-imap is earlier than 0:4.3.9-3.22.15
            oval oval:com.redhat.rhsa:tst:20090337009
          • comment php-imap is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060276010
        • AND
          • comment php-ldap is earlier than 0:4.3.9-3.22.15
            oval oval:com.redhat.rhsa:tst:20090337011
          • comment php-ldap is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060276012
        • AND
          • comment php-mbstring is earlier than 0:4.3.9-3.22.15
            oval oval:com.redhat.rhsa:tst:20090337013
          • comment php-mbstring is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060276014
        • AND
          • comment php-mysql is earlier than 0:4.3.9-3.22.15
            oval oval:com.redhat.rhsa:tst:20090337015
          • comment php-mysql is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060276016
        • AND
          • comment php-ncurses is earlier than 0:4.3.9-3.22.15
            oval oval:com.redhat.rhsa:tst:20090337017
          • comment php-ncurses is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060276018
        • AND
          • comment php-odbc is earlier than 0:4.3.9-3.22.15
            oval oval:com.redhat.rhsa:tst:20090337019
          • comment php-odbc is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060276020
        • AND
          • comment php-pear is earlier than 0:4.3.9-3.22.15
            oval oval:com.redhat.rhsa:tst:20090337021
          • comment php-pear is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060276022
        • AND
          • comment php-pgsql is earlier than 0:4.3.9-3.22.15
            oval oval:com.redhat.rhsa:tst:20090337023
          • comment php-pgsql is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060276024
        • AND
          • comment php-snmp is earlier than 0:4.3.9-3.22.15
            oval oval:com.redhat.rhsa:tst:20090337025
          • comment php-snmp is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060276026
        • AND
          • comment php-xmlrpc is earlier than 0:4.3.9-3.22.15
            oval oval:com.redhat.rhsa:tst:20090337027
          • comment php-xmlrpc is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060276028
    rhsa
    id RHSA-2009:0337
    released 2009-04-06
    severity Moderate
    title RHSA-2009:0337: php security update (Moderate)
  • bugzilla
    id 480167
    title CVE-2008-5814 php: XSS via PHP error messages
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 5 is installed
        oval oval:com.redhat.rhba:tst:20070331005
      • OR
        • AND
          • comment php is earlier than 0:5.1.6-23.2.el5_3
            oval oval:com.redhat.rhsa:tst:20090338001
          • comment php is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070082002
        • AND
          • comment php-bcmath is earlier than 0:5.1.6-23.2.el5_3
            oval oval:com.redhat.rhsa:tst:20090338003
          • comment php-bcmath is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070082004
        • AND
          • comment php-cli is earlier than 0:5.1.6-23.2.el5_3
            oval oval:com.redhat.rhsa:tst:20090338005
          • comment php-cli is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070082006
        • AND
          • comment php-common is earlier than 0:5.1.6-23.2.el5_3
            oval oval:com.redhat.rhsa:tst:20090338007
          • comment php-common is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070082008
        • AND
          • comment php-dba is earlier than 0:5.1.6-23.2.el5_3
            oval oval:com.redhat.rhsa:tst:20090338009
          • comment php-dba is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070082010
        • AND
          • comment php-devel is earlier than 0:5.1.6-23.2.el5_3
            oval oval:com.redhat.rhsa:tst:20090338011
          • comment php-devel is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070082012
        • AND
          • comment php-gd is earlier than 0:5.1.6-23.2.el5_3
            oval oval:com.redhat.rhsa:tst:20090338013
          • comment php-gd is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070082014
        • AND
          • comment php-imap is earlier than 0:5.1.6-23.2.el5_3
            oval oval:com.redhat.rhsa:tst:20090338015
          • comment php-imap is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070082016
        • AND
          • comment php-ldap is earlier than 0:5.1.6-23.2.el5_3
            oval oval:com.redhat.rhsa:tst:20090338017
          • comment php-ldap is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070082018
        • AND
          • comment php-mbstring is earlier than 0:5.1.6-23.2.el5_3
            oval oval:com.redhat.rhsa:tst:20090338019
          • comment php-mbstring is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070082020
        • AND
          • comment php-mysql is earlier than 0:5.1.6-23.2.el5_3
            oval oval:com.redhat.rhsa:tst:20090338021
          • comment php-mysql is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070082022
        • AND
          • comment php-ncurses is earlier than 0:5.1.6-23.2.el5_3
            oval oval:com.redhat.rhsa:tst:20090338023
          • comment php-ncurses is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070082024
        • AND
          • comment php-odbc is earlier than 0:5.1.6-23.2.el5_3
            oval oval:com.redhat.rhsa:tst:20090338025
          • comment php-odbc is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070082026
        • AND
          • comment php-pdo is earlier than 0:5.1.6-23.2.el5_3
            oval oval:com.redhat.rhsa:tst:20090338027
          • comment php-pdo is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070082028
        • AND
          • comment php-pgsql is earlier than 0:5.1.6-23.2.el5_3
            oval oval:com.redhat.rhsa:tst:20090338029
          • comment php-pgsql is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070082030
        • AND
          • comment php-snmp is earlier than 0:5.1.6-23.2.el5_3
            oval oval:com.redhat.rhsa:tst:20090338031
          • comment php-snmp is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070082032
        • AND
          • comment php-soap is earlier than 0:5.1.6-23.2.el5_3
            oval oval:com.redhat.rhsa:tst:20090338033
          • comment php-soap is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070082034
        • AND
          • comment php-xml is earlier than 0:5.1.6-23.2.el5_3
            oval oval:com.redhat.rhsa:tst:20090338035
          • comment php-xml is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070082036
        • AND
          • comment php-xmlrpc is earlier than 0:5.1.6-23.2.el5_3
            oval oval:com.redhat.rhsa:tst:20090338037
          • comment php-xmlrpc is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070082038
    rhsa
    id RHSA-2009:0338
    released 2009-04-06
    severity Moderate
    title RHSA-2009:0338: php security update (Moderate)
  • rhsa
    id RHSA-2009:0350
rpms
  • php-0:4.3.2-51.ent
  • php-0:4.3.9-3.22.15
  • php-debuginfo-0:4.3.2-51.ent
  • php-debuginfo-0:4.3.9-3.22.15
  • php-devel-0:4.3.2-51.ent
  • php-devel-0:4.3.9-3.22.15
  • php-domxml-0:4.3.9-3.22.15
  • php-gd-0:4.3.9-3.22.15
  • php-imap-0:4.3.2-51.ent
  • php-imap-0:4.3.9-3.22.15
  • php-ldap-0:4.3.2-51.ent
  • php-ldap-0:4.3.9-3.22.15
  • php-mbstring-0:4.3.9-3.22.15
  • php-mysql-0:4.3.2-51.ent
  • php-mysql-0:4.3.9-3.22.15
  • php-ncurses-0:4.3.9-3.22.15
  • php-odbc-0:4.3.2-51.ent
  • php-odbc-0:4.3.9-3.22.15
  • php-pear-0:4.3.9-3.22.15
  • php-pgsql-0:4.3.2-51.ent
  • php-pgsql-0:4.3.9-3.22.15
  • php-snmp-0:4.3.9-3.22.15
  • php-xmlrpc-0:4.3.9-3.22.15
  • php-0:5.1.6-23.2.el5_3
  • php-bcmath-0:5.1.6-23.2.el5_3
  • php-cli-0:5.1.6-23.2.el5_3
  • php-common-0:5.1.6-23.2.el5_3
  • php-dba-0:5.1.6-23.2.el5_3
  • php-debuginfo-0:5.1.6-23.2.el5_3
  • php-gd-0:5.1.6-23.2.el5_3
  • php-imap-0:5.1.6-23.2.el5_3
  • php-ldap-0:5.1.6-23.2.el5_3
  • php-mbstring-0:5.1.6-23.2.el5_3
  • php-mysql-0:5.1.6-23.2.el5_3
  • php-ncurses-0:5.1.6-23.2.el5_3
  • php-odbc-0:5.1.6-23.2.el5_3
  • php-pdo-0:5.1.6-23.2.el5_3
  • php-pgsql-0:5.1.6-23.2.el5_3
  • php-snmp-0:5.1.6-23.2.el5_3
  • php-soap-0:5.1.6-23.2.el5_3
  • php-xml-0:5.1.6-23.2.el5_3
  • php-xmlrpc-0:5.1.6-23.2.el5_3
  • php-0:5.2.6-4.el5s2
  • php-bcmath-0:5.2.6-4.el5s2
  • php-cli-0:5.2.6-4.el5s2
  • php-common-0:5.2.6-4.el5s2
  • php-dba-0:5.2.6-4.el5s2
  • php-debuginfo-0:5.2.6-4.el5s2
  • php-devel-0:5.2.6-4.el5s2
  • php-gd-0:5.2.6-4.el5s2
  • php-imap-0:5.2.6-4.el5s2
  • php-ldap-0:5.2.6-4.el5s2
  • php-mbstring-0:5.2.6-4.el5s2
  • php-mysql-0:5.2.6-4.el5s2
  • php-ncurses-0:5.2.6-4.el5s2
  • php-odbc-0:5.2.6-4.el5s2
  • php-pdo-0:5.2.6-4.el5s2
  • php-pgsql-0:5.2.6-4.el5s2
  • php-snmp-0:5.2.6-4.el5s2
  • php-soap-0:5.2.6-4.el5s2
  • php-xml-0:5.2.6-4.el5s2
  • php-xmlrpc-0:5.2.6-4.el5s2
refmap via4
confirm http://bugs.php.net/bug.php?id=27421
debian DSA-1789
fedora
  • FEDORA-2009-3768
  • FEDORA-2009-3848
mlist
  • [oss-security] 20090130 CVE Request - php (PHP BZ#27421)
  • [oss-security] 20090203 Re: CVE Request - php (PHP BZ#27421)
  • [oss-security] 20090225 Re: CVE Request - php (PHP BZ#27421)
sectrack 1021979
secunia
  • 34642
  • 34830
  • 35003
  • 35007
  • 35306
suse SUSE-SR:2009:008
ubuntu USN-761-1
Last major update 03-10-2018 - 21:58
Published 03-03-2009 - 16:30
Last modified 03-10-2018 - 21:58