ID CVE-2006-5465
Summary Buffer overflow in PHP before 5.2.0 allows remote attackers to execute arbitrary code via crafted UTF-8 inputs to the (1) htmlentities or (2) htmlspecialchars functions.
References
Vulnerable Configurations
  • PHP 5.0 RC1
    cpe:2.3:a:php:php:5.0:rc1
  • PHP 5.0 RC2
    cpe:2.3:a:php:php:5.0:rc2
  • PHP 5.0 RC3
    cpe:2.3:a:php:php:5.0:rc3
  • PHP 5.0.0
    cpe:2.3:a:php:php:5.0.0
  • PHP 5.0.1
    cpe:2.3:a:php:php:5.0.1
  • PHP 5.0.2
    cpe:2.3:a:php:php:5.0.2
  • PHP 5.0.3
    cpe:2.3:a:php:php:5.0.3
  • PHP 5.0.4
    cpe:2.3:a:php:php:5.0.4
  • PHP 5.0.5
    cpe:2.3:a:php:php:5.0.5
  • PHP 5.1.0
    cpe:2.3:a:php:php:5.1.0
  • PHP 5.1.1
    cpe:2.3:a:php:php:5.1.1
  • PHP 5.1.2
    cpe:2.3:a:php:php:5.1.2
  • PHP 5.1.3
    cpe:2.3:a:php:php:5.1.3
  • PHP 5.1.4
    cpe:2.3:a:php:php:5.1.4
  • PHP 5.1.5
    cpe:2.3:a:php:php:5.1.5
  • PHP 5.1.6
    cpe:2.3:a:php:php:5.1.6
CVSS
Base: 7.5 (as of 07-11-2006 - 09:43)
Impact:
Exploitability:
Access: Vector NETWORK / Complexity LOW / Authentication NONE
Impact: Confidentiality PARTIAL / Integrity PARTIAL / Availability PARTIAL
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_APACHE2-MOD_PHP5-2238.NASL
    description This update fixes the following security problems in the PHP scripting language : - CVE-2006-5465: Various buffer overflows in htmlentities/htmlspecialchars internal routines could be used to crash the PHP interpreter or potentially execute code, depending on the PHP application used. - A missing open_basedir check inside chdir() function was added. - A tempnam() openbasedir bypass was fixed. - A possible buffer overflow in stream_socket_client() when using 'bindto' + IPv6 was fixed. - Do not build php5 with --enable-sigchld.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27148
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27148
    title openSUSE 10 Security Update : apache2-mod_php5 (apache2-mod_php5-2238)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2006-0730.NASL
    description Updated PHP packages that fix a security issue are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues. These packages also contain a fix for a bug where certain input strings to the metaphone() function could cause memory corruption. From Red Hat Security Advisory 2006:0730 : The Hardened-PHP Project discovered an overflow in the PHP htmlentities() and htmlspecialchars() routines. If a PHP script used the vulnerable functions to parse UTF-8 data, a remote attacker sending a carefully crafted request could trigger the overflow and potentially execute arbitrary code as the 'apache' user. (CVE-2006-5465) From Red Hat Security Advisory 2006:0669 : A response-splitting issue was discovered in the PHP session handling. If a remote attacker can force a carefully crafted session identifier to be used, a cross-site-scripting or response-splitting attack could be possible. (CVE-2006-3016) A buffer overflow was discovered in the PHP sscanf() function. If a script used the sscanf() function with positional arguments in the format string, a remote attacker sending a carefully crafted request could execute arbitrary code as the 'apache' user. (CVE-2006-4020) An integer overflow was discovered in the PHP wordwrap() and str_repeat() functions. If a script running on a 64-bit server used either of these functions on untrusted user data, a remote attacker sending a carefully crafted request might be able to cause a heap overflow. (CVE-2006-4482) A buffer overflow was discovered in the PHP gd extension. If a script was set up to process GIF images from untrusted sources using the gd extension, a remote attacker could cause a heap overflow. (CVE-2006-4484) An integer overflow was discovered in the PHP memory allocation handling. On 64-bit platforms, the 'memory_limit' setting was not enforced correctly, which could allow a denial of service attack by a remote user. (CVE-2006-4486)
    last seen 2019-02-21
    modified 2018-08-13
    plugin id 67421
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67421
    title Oracle Linux 4 : php (ELSA-2006-0730 / ELSA-2006-0669)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-375-1.NASL
    description Stefan Esser discovered two buffer overflows in the htmlentities() and htmlspecialchars() functions. By supplying specially crafted input to PHP applications which process that input with these functions, a remote attacker could potentially exploit this to execute arbitrary code with the privileges of the application. (CVE-2006-5465) This update also fixes bugs in the chdir() and tempnam() functions, which did not perform proper open_basedir checks. This could allow local scripts to bypass intended restrictions. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 27956
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27956
    title Ubuntu 5.10 / 6.06 LTS / 6.10 : php5 vulnerability (USN-375-1)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2006-0730.NASL
    description Updated PHP packages that fix a security issue are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. The Hardened-PHP Project discovered an overflow in the PHP htmlentities() and htmlspecialchars() routines. If a PHP script used the vulnerable functions to parse UTF-8 data, a remote attacker sending a carefully crafted request could trigger the overflow and potentially execute arbitrary code as the 'apache' user. (CVE-2006-5465) Users of PHP should upgrade to these updated packages which contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 37281
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=37281
    title CentOS 3 / 4 : php (CESA-2006:0730)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-196.NASL
    description The Hardened-PHP Project discovered buffer overflows in the htmlentities/htmlspecialchars internal routines and reported them to the PHP Project. The purpose of these functions is to be filled with user input. (The overflow can only occur when UTF-8 is used.) (CVE-2006-5465) Unspecified vulnerabilities in PHP, probably before 5.2.0, allow local users to bypass open_basedir restrictions and perform unspecified actions via unspecified vectors involving the (1) chdir and (2) tempnam functions. NOTE: the tempnam vector might overlap CVE-2006-1494. (CVE-2006-5706) Updated packages have been patched to correct these issues. Users must restart Apache for the changes to take effect.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 24581
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24581
    title Mandrake Linux Security Advisory : php (MDKSA-2006:196)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_APACHE2-MOD_PHP5-2236.NASL
    description This update fixes the following security problems in the PHP scripting language : - Various buffer overflows in htmlentities/htmlspecialchars internal routines could be used to crash the PHP interpreter or potentially execute code, depending on the PHP application used. (CVE-2006-5465) - A missing open_basedir check inside chdir() function was added. - A tempnam() openbasedir bypass was fixed. - A possible buffer overflow in stream_socket_client() when using 'bindto' + IPv6 was fixed. - Do not build php5 with --enable-sigchld.
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 29376
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29376
    title SuSE 10 Security Update : PHP (ZYPP Patch Number 2236)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1206.NASL
    description Several remote vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2005-3353 Tim Starling discovered that missing input sanitising in the EXIF module could lead to denial of service. - CVE-2006-3017 Stefan Esser discovered a security-critical programming error in the hashtable implementation of the internal Zend engine. - CVE-2006-4482 It was discovered that the str_repeat() and wordwrap() functions perform insufficient checks for buffer boundaries on 64 bit systems, which might lead to the execution of arbitrary code. - CVE-2006-5465 Stefan Esser discovered a buffer overflow in the htmlspecialchars() and htmlentities() functions, which might lead to the execution of arbitrary code.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 23655
    published 2006-11-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23655
    title Debian DSA-1206-1 : php4 - several vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0730.NASL
    description Updated PHP packages that fix a security issue are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. The Hardened-PHP Project discovered an overflow in the PHP htmlentities() and htmlspecialchars() routines. If a PHP script used the vulnerable functions to parse UTF-8 data, a remote attacker sending a carefully crafted request could trigger the overflow and potentially execute arbitrary code as the 'apache' user. (CVE-2006-5465) Users of PHP should upgrade to these updated packages which contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 23631
    published 2006-11-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23631
    title RHEL 2.1 / 3 / 4 : php (RHSA-2006:0730)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2006-307-01.NASL
    description New php packages are available for Slackware 10.2 and 11.0 to fix security issues.
    last seen 2019-02-21
    modified 2014-07-01
    plugin id 23653
    published 2006-11-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23653
    title Slackware 10.2 / 11.0 : php (SSA:2006-307-01)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200703-21.NASL
    description The remote host is affected by the vulnerability described in GLSA-200703-21 (PHP: Multiple vulnerabilities) Several vulnerabilities were found in PHP by the Hardened-PHP Project and other researchers. These vulnerabilities include a heap-based buffer overflow in htmlentities() and htmlspecialchars() if called with UTF-8 parameters, and an off-by-one error in str_ireplace(). Other vulnerabilities were also found in the PHP4 branch, including possible overflows, stack corruptions and a format string vulnerability in the *print() functions on 64 bit systems. Impact : Remote attackers might be able to exploit these issues in PHP applications making use of the affected functions, potentially resulting in the execution of arbitrary code, Denial of Service, execution of scripted contents in the context of the affected site, security bypass or information leak. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 24887
    published 2007-03-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24887
    title GLSA-200703-21 : PHP: Multiple vulnerabilities
  • NASL family CGI abuses
    NASL id PHP_5_2_0.NASL
    description According to its banner, the version of PHP 5.x installed on the remote host is older than 5.2. Such versions may be affected by several buffer overflows. To exploit these issues, an attacker would need the ability to upload an arbitrary PHP script on the remote server or to manipulate several variables processed by some PHP functions such as 'htmlentities().'
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 31649
    published 2008-03-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31649
    title PHP 5.x < 5.2 Multiple Vulnerabilities
oval via4
accepted 2013-04-29T04:03:53.576-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description Buffer overflow in PHP before 5.2.0 allows remote attackers to execute arbitrary code via crafted UTF-8 inputs to the (1) htmlentities or (2) htmlspecialchars functions.
family unix
id oval:org.mitre.oval:def:10240
status accepted
submitted 2010-07-09T03:56:16-04:00
title Buffer overflow in PHP before 5.2.0 allows remote attackers to execute arbitrary code via crafted UTF-8 inputs to the (1) htmlentities or (2) htmlspecialchars functions.
version 23
redhat via4
advisories
  • bugzilla
    id 213543
    title CVE-2006-5465 PHP buffer overflow
    oval
    OR
    • AND
      • comment Red Hat Enterprise Linux 3 is installed
        oval oval:com.redhat.rhba:tst:20070026001
      • OR
        • AND
          • comment php is earlier than 0:4.3.2-37.ent
            oval oval:com.redhat.rhsa:tst:20060730002
          • comment php is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060730003
        • AND
          • comment php-devel is earlier than 0:4.3.2-37.ent
            oval oval:com.redhat.rhsa:tst:20060730006
          • comment php-devel is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060730007
        • AND
          • comment php-imap is earlier than 0:4.3.2-37.ent
            oval oval:com.redhat.rhsa:tst:20060730008
          • comment php-imap is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060730009
        • AND
          • comment php-ldap is earlier than 0:4.3.2-37.ent
            oval oval:com.redhat.rhsa:tst:20060730014
          • comment php-ldap is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060730015
        • AND
          • comment php-mysql is earlier than 0:4.3.2-37.ent
            oval oval:com.redhat.rhsa:tst:20060730004
          • comment php-mysql is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060730005
        • AND
          • comment php-odbc is earlier than 0:4.3.2-37.ent
            oval oval:com.redhat.rhsa:tst:20060730012
          • comment php-odbc is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060730013
        • AND
          • comment php-pgsql is earlier than 0:4.3.2-37.ent
            oval oval:com.redhat.rhsa:tst:20060730010
          • comment php-pgsql is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060730011
    • AND
      • comment Red Hat Enterprise Linux 4 is installed
        oval oval:com.redhat.rhba:tst:20070304001
      • OR
        • AND
          • comment php is earlier than 0:4.3.9-3.22
            oval oval:com.redhat.rhsa:tst:20060730017
          • comment php is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060730003
        • AND
          • comment php-devel is earlier than 0:4.3.9-3.22
            oval oval:com.redhat.rhsa:tst:20060730033
          • comment php-devel is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060730007
        • AND
          • comment php-domxml is earlier than 0:4.3.9-3.22
            oval oval:com.redhat.rhsa:tst:20060730020
          • comment php-domxml is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060730021
        • AND
          • comment php-gd is earlier than 0:4.3.9-3.22
            oval oval:com.redhat.rhsa:tst:20060730031
          • comment php-gd is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060730032
        • AND
          • comment php-imap is earlier than 0:4.3.9-3.22
            oval oval:com.redhat.rhsa:tst:20060730036
          • comment php-imap is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060730009
        • AND
          • comment php-ldap is earlier than 0:4.3.9-3.22
            oval oval:com.redhat.rhsa:tst:20060730028
          • comment php-ldap is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060730015
        • AND
          • comment php-mbstring is earlier than 0:4.3.9-3.22
            oval oval:com.redhat.rhsa:tst:20060730024
          • comment php-mbstring is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060730025
        • AND
          • comment php-mysql is earlier than 0:4.3.9-3.22
            oval oval:com.redhat.rhsa:tst:20060730029
          • comment php-mysql is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060730005
        • AND
          • comment php-ncurses is earlier than 0:4.3.9-3.22
            oval oval:com.redhat.rhsa:tst:20060730026
          • comment php-ncurses is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060730027
        • AND
          • comment php-odbc is earlier than 0:4.3.9-3.22
            oval oval:com.redhat.rhsa:tst:20060730037
          • comment php-odbc is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060730013
        • AND
          • comment php-pear is earlier than 0:4.3.9-3.22
            oval oval:com.redhat.rhsa:tst:20060730034
          • comment php-pear is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060730035
        • AND
          • comment php-pgsql is earlier than 0:4.3.9-3.22
            oval oval:com.redhat.rhsa:tst:20060730030
          • comment php-pgsql is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060730011
        • AND
          • comment php-snmp is earlier than 0:4.3.9-3.22
            oval oval:com.redhat.rhsa:tst:20060730022
          • comment php-snmp is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060730023
        • AND
          • comment php-xmlrpc is earlier than 0:4.3.9-3.22
            oval oval:com.redhat.rhsa:tst:20060730018
          • comment php-xmlrpc is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060730019
    rhsa
    id RHSA-2006:0730
    released 2006-11-06
    severity Important
    title RHSA-2006:0730: php security update (Important)
  • rhsa
    id RHSA-2006:0731
  • rhsa
    id RHSA-2006:0736
rpms
  • php-0:4.3.2-37.ent
  • php-devel-0:4.3.2-37.ent
  • php-imap-0:4.3.2-37.ent
  • php-ldap-0:4.3.2-37.ent
  • php-mysql-0:4.3.2-37.ent
  • php-odbc-0:4.3.2-37.ent
  • php-pgsql-0:4.3.2-37.ent
  • php-0:4.3.9-3.22
  • php-devel-0:4.3.9-3.22
  • php-domxml-0:4.3.9-3.22
  • php-gd-0:4.3.9-3.22
  • php-imap-0:4.3.9-3.22
  • php-ldap-0:4.3.9-3.22
  • php-mbstring-0:4.3.9-3.22
  • php-mysql-0:4.3.9-3.22
  • php-ncurses-0:4.3.9-3.22
  • php-odbc-0:4.3.9-3.22
  • php-pear-0:4.3.9-3.22
  • php-pgsql-0:4.3.9-3.22
  • php-snmp-0:4.3.9-3.22
  • php-xmlrpc-0:4.3.9-3.22
refmap via4
apple APPLE-SA-2006-11-28
bid 20879
bugtraq
  • 20061102 Advisory 13/2006: PHP HTML Entity Encoder Heap Overflow Vulnerability
  • 20061109 rPSA-2006-0205-1 php php-mysql php-pgsql
  • 20061129 SYM06-023, Symantec NetBackup PureDisk: PHP update to Address Reported Security Vulnerability
cert TA06-333A
cisco
  • 20070425 Cisco Applied Intelligence Response: Identifying and Mitigating Exploitation of the PHP HTML Entity Encoder Heap Overflow Vulnerability in Multiple Web-Based Management Interfaces
  • 20070425 PHP HTML Entity Encoder Heap Overflow Vulnerability in Multiple Web-Based Management Interfaces
confirm
debian DSA-1206
gentoo GLSA-200703-21
mandriva MDKSA-2006:196
misc http://www.hardened-php.net/advisory_132006.138.html
openpkg OpenPKG-SA-2006.028
sectrack
  • 1017152
  • 1017296
secunia
  • 22653
  • 22685
  • 22688
  • 22693
  • 22713
  • 22753
  • 22759
  • 22779
  • 22881
  • 22929
  • 23139
  • 23155
  • 23247
  • 24606
  • 25047
sgi 20061101-01-P
suse SUSE-SA:2006:067
trustix 2006-0061
turbo TLSA-2006-38
ubuntu USN-375-1
vupen
  • ADV-2006-4317
  • ADV-2006-4749
  • ADV-2006-4750
  • ADV-2007-1546
xf php-htmlentities-bo(29971)
statements via4
contributor Mark J Cox
lastmodified 2007-03-14
organization Red Hat
statement Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Last major update 07-03-2011 - 21:43
Published 03-11-2006 - 19:07
Last modified 30-10-2018 - 12:25