ID CVE-2005-1751
Summary Race condition in shtool 2.0.1 and earlier allows local users to create or modify arbitrary files via a symlink attack on the .shtool.$$ temporary file, a different vulnerability than CVE-2005-1759.
References
Vulnerable Configurations
  • cpe:2.3:a:shtool:shtool:2.0.1
CVSS
Base: 3.7 (as of 25-05-2005 - 16:35)
Impact:
Exploitability:
Access
  Vector LOCAL
  Complexity HIGH
  Authentication NONE
Impact
  Confidentiality PARTIAL
  Integrity PARTIAL
  Availability PARTIAL
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-789.NASL
    description Several security related problems have been found in PHP4, the server-side, HTML-embedded scripting language. The Common Vulnerabilities and Exposures project identifies the following problems: - CAN-2005-1751 Eric Romang discovered insecure temporary files in the shtool utility shipped with PHP that can be exploited by a local attacker to overwrite arbitrary files. Only this vulnerability affects packages in oldstable. - CAN-2005-1921 GulfTech has discovered that PEAR XML_RPC is vulnerable to a remote PHP code execution vulnerability that may allow an attacker to compromise a vulnerable server. - CAN-2005-2498 Stefan Esser discovered another vulnerability in the XML-RPC libraries that allows injection of arbitrary PHP code into eval() statements.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 19532
    published 2005-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=19532
    title Debian DSA-789-1 : php4 - several vulnerabilities
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_6596BB80D02611D99AED000E0C2E438A.NASL
    description A Zataz advisory reports that shtool contains a security flaw which could allow a malicious local user to create or overwrite the contents of arbitrary files. The attacker could fool a user into executing the arbitrary file possibly executing arbitrary code.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 18964
    published 2005-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18964
    title FreeBSD : shtool -- insecure temporary file creation (6596bb80-d026-11d9-9aed-000e0c2e438a)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2005-564.NASL
    description Updated PHP packages that fix two security issues are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A bug was discovered in the PEAR XML-RPC Server package included in PHP. If a PHP script is used which implements an XML-RPC Server using the PEAR XML-RPC package, then it is possible for a remote attacker to construct an XML-RPC request which can cause PHP to execute arbitrary PHP commands as the 'apache' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1921 to this issue. When using the default SELinux 'targeted' policy on Red Hat Enterprise Linux 4, the impact of this issue is reduced since the scripts executed by PHP are constrained within the httpd_sys_script_t security context. A race condition in temporary file handling was discovered in the shtool script installed by PHP. If a third-party PHP module which uses shtool was compiled as root, a local user may be able to modify arbitrary files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1751 to this issue. Users of PHP should upgrade to these updated packages, which contain backported fixes for these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 21841
    published 2006-07-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21841
    title CentOS 3 / 4 : php (CESA-2005:564)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-171-1.NASL
    description CAN-2005-1751 : The php4-dev package ships a copy of the 'shtool' utility in /usr/lib/php4/build/, which provides useful functionality for developers of software packages. Eric Romang discovered that shtool created temporary files in an insecure manner. This could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the shtool program. CAN-2005-1759 : The creation of temporary files in shtool was also vulnerable to a race condition which allowed a local user to read the contents of the temporary file. However, this file does not usually contain sensitive information since shtool is usually used for building software packages. CAN-2005-2498 : Stefan Esser discovered another remote code execution vulnerability in the XMLRPC module of the PEAR (PHP Extension and Application Repository) extension of PHP. By sending specially crafted XMLRPC requests to an affected web server, a remote attacker could exploit this to execute arbitrary code with the web server's privileges. In Ubuntu, the PEAR extension is unsupported (it is contained in the php4-pear package which is part of universe). However, since this is a highly critical vulnerability, that package was fixed anyway. Please note that many applications contain a copy of the affected XMLRPC code, which must be fixed separately. The following packages may also be affected, but are unsupported in Ubuntu : - drupal - wordpress - phpwiki - horde3 - ewiki - egroupware - phpgroupware These packages might be fixed by the community later. The following common third-party applications might be affected as well, but not packaged for Ubuntu : - Serendipity - Postnuke - tikiwiki - phpwebsite If you run any affected software, please check whether you are affected and upgrade it as soon as possible to protect your server. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-05-27
    plugin id 20578
    published 2006-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20578
    title Ubuntu 4.10 / 5.04 : php4 vulnerabilities (USN-171-1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200506-08.NASL
    description The remote host is affected by the vulnerability described in GLSA-200506-08 (GNU shtool, ocaml-mysql: Insecure temporary file creation) Eric Romang has discovered that GNU shtool insecurely creates temporary files with predictable filenames (CAN-2005-1751). On closer inspection, Gentoo Security discovered that the shtool temporary file, once created, was being reused insecurely (CAN-2005-1759). Impact : A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When a GNU shtool script is executed, this would result in the file being overwritten with the rights of the user running the script, which could be the root user. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 18465
    published 2005-06-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18465
    title GLSA-200506-08 : GNU shtool, ocaml-mysql: Insecure temporary file creation
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-564.NASL
    description Updated PHP packages that fix two security issues are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A bug was discovered in the PEAR XML-RPC Server package included in PHP. If a PHP script is used which implements an XML-RPC Server using the PEAR XML-RPC package, then it is possible for a remote attacker to construct an XML-RPC request which can cause PHP to execute arbitrary PHP commands as the 'apache' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1921 to this issue. When using the default SELinux 'targeted' policy on Red Hat Enterprise Linux 4, the impact of this issue is reduced since the scripts executed by PHP are constrained within the httpd_sys_script_t security context. A race condition in temporary file handling was discovered in the shtool script installed by PHP. If a third-party PHP module which uses shtool was compiled as root, a local user may be able to modify arbitrary files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1751 to this issue. Users of PHP should upgrade to these updated packages, which contain backported fixes for these issues.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 18648
    published 2005-07-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18648
    title RHEL 3 / 4 : php (RHSA-2005:564)
oval via4
  • accepted 2005-09-21T01:33:00.000-04:00
    class vulnerability
    contributors
    • name Jay Beale
      organization Bastille Linux
    description Race condition in shtool 2.0.1 and earlier allows local users to create or modify arbitrary files via a symlink attack on the .shtool.$$ temporary file, a different vulnerability than CVE-2005-1759.
    family unix
    id oval:org.mitre.oval:def:345
    status accepted
    submitted 2005-07-19T12:00:00.000-04:00
    title shtool Race Condition
    version 4
  • accepted 2013-04-29T04:20:56.852-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 3
      oval oval:org.mitre.oval:def:11782
    • comment CentOS Linux 3.x
      oval oval:org.mitre.oval:def:16651
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    description Race condition in shtool 2.0.1 and earlier allows local users to create or modify arbitrary files via a symlink attack on the .shtool.$$ temporary file, a different vulnerability than CVE-2005-1759.
    family unix
    id oval:org.mitre.oval:def:9639
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title Race condition in shtool 2.0.1 and earlier allows local users to create or modify arbitrary files via a symlink attack on the .shtool.$$ temporary file, a different vulnerability than CVE-2005-1759.
    version 23
redhat via4
  • advisories
    rhsa id RHSA-2005:564
refmap via4
bid 13767
debian DSA-789
gentoo GLSA-200506-08
misc
openpkg OpenPKG-SA-2005.011
sectrack 1014059
secunia
  • 15496
  • 15668
vulnwatch 20050525 shtool insecure temporary file creation
statements via4
contributor Mark J Cox
lastmodified 2006-09-19
organization Red Hat
statement Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=158995 The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/
Last major update 17-10-2016 - 23:22
Published 25-05-2005 - 00:00
Last modified 02-05-2018 - 21:29