Category Archives: My CVE’s

CVE-2005-3319 PHP mod_php apache2handler SAPI Crafted .htaccess DoS

Timeline :

Vulnerability discovered by Eric Romang
Public release of the vulnerability the 2005-10-24
Exploit provided the 2005-10-24

PoC provided by :

Eric Romang

Reference(s) :

CVE-2005-3319
GLSA 200511-08
OSVDB-20491

Affected version(s) :

PHP versions 4.0.x to 4.4.0 and versions 5.0.0 to 5.0.5

Tested on Gentoo 2005.0 with :

PHP 4.3.11

Description :

The apache2handler SAPI (sapi_apache2.c) in the Apache module (mod_php) contains a flaw that may allow a local denial of service. The issue is triggered when a malicious user places a specially crafted .htaccess file in a root directory while safe mode is active. This will cause a segmentation fault, resulting in loss of availability for the service.

Commands :

Simply put a .htaccess file on the root directory of your website with this content :
php_value session.save_path /var/www/somewherehowexist

CVE-2005-2995 Bacula Insecure Temporary Files Creations

Timeline :

Vulnerabilities discovered by Eric Romang the 2005-09-06
Vendor notified the 2005-09-19
Coordinated vulnerabilities disclosure the 2005-09-20

Reference(s) :

CVE-2005-2995
OSVDB-19514

Affected version(s) :

bacula equal or under version 1.36.3

Description :

Bacula contains flaws that may allow a malicious local user to create or overwrite arbitrary files on the system.

The issue is due to scripts/mtx-changer.in creating temporary files in /tmp insecurely. It is possible for a user to use a symlink style attack to manipulate arbitrary files, resulting in a loss of integrity.

The issue is due to /autoconf/randpass creating temporary files in /tmp insecurely. It is possible for a user to use a symlink style attack to manipulate arbitrary files, resulting in a loss of integrity.

The issue is due to /rescue/linux/getdiskinfo creating temporary files in /tmp insecurely. It is possible for a user to use a symlink style attack to manipulate arbitrary files, resulting in a loss of integrity.

CVE-2005-2809 SILC Server and Toolkit silcd.c Symlink Arbitrary File Overwrite

Timeline :

Vulnerability discovered by Eric Romang the 2005-05-31
Vendor notified the 2005-06-15
Vulnerability disclosure the 2005-09-01

Reference(s) :

CVE-2005-2809
OSVDB-19121

Affected version(s) :

silc-server before or equal to 1.0
silc-toolkit before or equal to 0.9.12-r3

Description :

SILC Server and Toolkit contains a flaw that may allow a malicious local user to overwrite arbitrary files on the system. The issue is due to the program creating temporary files insecurely. It is possible for a user to use a symlink style attack to manipulate arbitrary files, resulting in a loss of integrity.