Vulnerability Details
PHP PHPInfo phpinfo (info.c) Cross-Site Scripting Vulnerability
- CNNVD ID: CNNVD-200604-117
- Severity: Low
- CVE ID: CVE-2006-0996
- Vulnerability type: Cross-site scripting
- Published: 2006-04-10
- Threat type: Remote
- Updated: 2006-04-10
- Vendor: php
- Vulnerability source: This issue was dis...
Vulnerability Summary
Cross-site scripting (XSS) vulnerability in phpinfo (info.c) in PHP 5.1.2 and 4.4.2. It allows remote attackers to inject arbitrary web script or HTML via long array variables, namely arrays with (1) a large number of values or (2) long values; such input prevents the HTML tags from being removed.
Vulnerability Advisory
The vendor has released upgrade patches to fix this security issue. Patch download links:
S.u.S.E. Linux Professional 10.0
SuSE apache2-mod_php4-4.4.0-6.10.i586.rpm
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/apache2-mod_php4-4.4.0-6.10.i586.rpm
SuSE apache2-mod_php4-4.4.0-6.10.ppc.rpm
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/apache2-mod_php4-4.4.0-6.10.ppc.rpm
SuSE apache2-mod_php4-4.4.0-6.10.x86_64.rpm
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/apache2-mod_php4-4.4.0-6.10.x86_64.rpm
SuSE apache2-mod_php5-5.0.4-9.10.ppc.rpm
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/apache2-mod_php5-5.0.4-9.10.ppc.rpm
SuSE apache2-mod_php5-5.0.4-9.10.x86_64.rpm
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/apache2-mod_php5-5.0.4-9.10.x86_64.rpm
SuSE php4-32bit-4.4.0-6.10.x86_64.rpm
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-32bit-4.4.0-6.10.x86_64.rpm
SuSE php4-4.4.0-6.10.i586.rpm
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-4.4.0-6.10.i586.rpm
SuSE php4-4.4.0-6.10.ppc.rpm
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-4.4.0-6.10.ppc.rpm
SuSE php4-4.4.0-6.10.x86_64.rpm
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-4.4.0-6.10.x86_64.rpm
SuSE php4-exif-4.4.0-6.10.i586.rpm
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-exif-4.4.0-6.10.i586.rpm
SuSE php4-exif-4.4.0-6.10.ppc.rpm
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-exif-4.4.0-6.10.ppc.rpm
SuSE php4-exif-4.4.0-6.10.x86_64.rpm
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-exif-4.4.0-6.10.x86_64.rpm
SuSE php4-fastcgi-4.4.0-6.10.i586.rpm
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-fastcgi-4.4.0-6.10.i586.rpm
SuSE php4-fastcgi-4.4.0-6.10.ppc.rpm
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-fastcgi-4.4.0-6.10.ppc.rpm
SuSE php4-fastcgi-4.4.0-6.10.x86_64.rpm
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-fastcgi-4.4.0-6.10.x86_64.rpm
SuSE php4-mbstring-4.4.0-6.10.i586.rpm
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-mbstring-4.4.0-6.10.i586.rpm
SuSE php4-mbstring-4.4.0-6.10.ppc.rpm
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-mbstring-4.4.0-6.10.ppc.rpm
SuSE php4-mbstring-4.4.0-6.10.x86_64.rpm
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-mbstring-4.4.0-6.10.x86_64.rpm
SuSE php4-servlet-4.4.0-6.10.i586.rpm
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-servlet-4.4.0-6.10.i586.rpm
SuSE php4-servlet-4.4.0-6.10.x86_64.rpm
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-servlet-4.4.0-6.10.x86_64.rpm
SuSE php4-unixODBC-4.4.0-6.10.i586.rpm
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php4-unixODBC-4.4.0-6.10.i586.rpm
SuSE php4-unixODBC-4.4.0-6.10.ppc.rpm
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php4-unixODBC-4.4.0-6.10.ppc.rpm
SuSE php4-unixODBC-4.4.0-6.10.x86_64.rpm
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php4-unixODBC-4.4.0-6.10.x86_64.rpm
SuSE php5-5.0.4-9.10.i586.rpm
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-5.0.4-9.10.i586.rpm
SuSE php5-5.0.4-9.10.ppc.rpm
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-5.0.4-9.10.ppc.rpm
SuSE php5-5.0.4-9.10.x86_64.rpm
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/php5-5.0.4-9.10.x86_64.rpm
SuSE php5-exif-5.0.4-9.10.i586.rpm
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/php5-exif-5.0.4-9.10.i586.rpm
SuSE php5-exif-5.0.4-9.10.ppc.rpm
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/php5-exif-5.0.4-9
References
Source: MLIST
Name: [php-cvs] 20060330 cvs: php-src /ext/standard info.c
Link: http://marc.theaimsgroup.com/?l=php-cvs&m=114374620416389&w=2
Source: cvs.php.net
Link: http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/info.c?r1=1.260&r2=1.261
Source: XF
Name: php-phpinfo-long-array-xss(25702)
Link: http://xforce.iss.net/xforce/xfdb/25702
Source: UBUNTU
Name: USN-320-1
Link: http://www.ubuntu.com/usn/usn-320-1
Source: BID
Name: 17362
Link: http://www.securityfocus.com/bid/17362
Source: REDHAT
Name: RHSA-2006:0501
Link: http://www.redhat.com/support/errata/RHSA-2006-0501.HTML
Source: www.php.net
Link: http://www.php.net/ChangeLog-4.php#4.4.3
Source: OSVDB
Name: 24484
Link: http://www.osvdb.org/24484
Source: SUSE
Name: SUSE-SA:2006:024
Link: http://www.novell.com/linux/security/advisories/05-05-2006.HTML
Source: MANDRIVA
Name: MDKSA-2006:074
Link: http://www.mandriva.com/security/advisories?name=MDKSA-2006:074
Source: VUPEN
Name: ADV-2006-2685
Link: http://www.frsirt.com/english/advisories/2006/2685
Source: VUPEN
Name: ADV-2006-1290
Link: http://www.frsirt.com/english/advisories/2006/1290
Source: support.avaya.com
Link: http://support.avaya.com/elmodocs2/security/ASA-2006-160.htm
Source: support.avaya.com
Link: http://support.avaya.com/elmodocs2/security/ASA-2006-129.htm
Source: SECTRACK
Name: 1015879
Link: http://securitytracker.com/id?1015879
Source: SREASON
Name: 675
Link: http://securityreason.com/securityalert/675
Source: SREASONRES
Name: 20060408 phpinfo() Cross Site Scripting PHP 5.1.2 and 4.4.2
Link: http://securityreason.com/achievement_securityalert/34
Source: GENTOO
Name: GLSA-200605-08
Link: http://security.gentoo.org/glsa/glsa-200605-08.xml
Source: SECUNIA
Name: 21564
Link: http://secunia.com/advisories/21564
Source: SECUNIA
Name: 21252
Link: http://secunia.com/advisories/21252
Source: SECUNIA
Name: 21125
Link: http://secunia.com/advisories/21125
Source: SECUNIA
Name: 20951
Link: http://secunia.com/advisories/20951
Source: SECUNIA
Name: 20222
Link: http://secunia.com/advisories/20222
Source: SECUNIA
Name: 20210
Link: http://secunia.com/advisories/20210
Source: SECUNIA
Name: 20052
Link: http://secunia.com/advisories/20052
Source: SECUNIA
Name: 19979
Link: http://secunia.com/advisories/19979
Source: SECUNIA
Name: 19832
Link: http://secunia.com/advisories/19832
Source: SECUNIA
Name: 19775
Link: http://secunia.com/advisories/19775
Source: SECUNIA
Name: 19599
Link: http://secunia.com/advisories/19599
Source: REDHAT
Name: RHSA-2006:0549
Link: http://rhn.redhat.com/errata/RHSA-2006-0549.HTML
Source: REDHAT
Name: RHSA-2006:0276
Link: http://rhn.redhat.com/errata/RHSA-2006-0276.HTML
Source: MANDRIVA
Name: MDKSA-2006:074
Link: http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:074
Source: cvs.php.net
Link: http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/info.c
Source: SGI
Name: 20060501-01-U
Link: ftp://patches.sgi.com/support/free/security/advisories/20060501-01-U.asc
Affected Entities
- Php Php:4.4.2
- Php Php:5.1.2
Patch
None available