PHP 5.4.x < 5.4.40 / 5.5.x < 5.5.24 / 5.6.x < 5.6.8 Multiple Vulnerabilities

Critical | Nessus Network Monitor Plugin ID 8784

Synopsis

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

Description

Versions of PHP 5.4.x earlier than 5.4.40, 5.5.x earlier than 5.5.24, or 5.6.x earlier than 5.6.8 are exposed to the following issues:

- An out-of-bounds read overflow error exists in the function 'GetCode_()' in file 'gd_gif_in.c' that allows denial of service attacks or disclosure of memory contents. (CVE-2014-9709)
- A use-after-free error exists in the OPcache extension in the '_zend_shared_memdup()' function within the file 'zend_shared_alloc.c'. A remote attacker can exploit this to cause a denial of service or possibly have other unspecified impact. (CVE-2015-1351)
- The function 'build_tablename()' in file 'pgsql.c' in the PostgreSQL extension does not properly validate token extraction for table names. A remote attacker, using a crafted name, can exploit this to cause a NULL pointer dereference, leading to a denial of service. (CVE-2015-1352)
- A use-after-free error exists in the function 'phar_rename_archive()' in file 'phar_object.c'. A remote attacker, by attempting to rename a phar archive to an already existing file name, can exploit this to cause a denial of service. (CVE-2015-2301)
- A buffer read overflow error exists in the Phar component due to user-supplied input not being validated properly when handling phar parsing during 'unserialize()' function calls. An attacker can exploit this to execute arbitrary code or cause a denial of service. (CVE-2015-2783)
- A buffer overflow flaw exists in the 'phar_set_inode()' function in file 'phar_internal.h' when handling archive files, such as tar, zip, or phar files. A remote attacker can exploit this to execute arbitrary code or cause a denial of service. (CVE-2015-3329)
- A flaw exists in the Apache2handler SAPI component, when handling pipelined HTTP requests, that a remote attacker can exploit to execute arbitrary code. (CVE-2015-3330)
- An information disclosure vulnerability exists because of a type confusion error. Specifically, this issue occurs when the 'unserialize()' function is used with SoapFault object's '__toString()' function. An attacker can exploit this issue to leak arbitrary memory blocks.
- A flaw exists in the 'phar_parse_metadata()' function in 'ext/phar/phar.c'. The issue is triggered as user-supplied input is not properly validated when parsing a specially crafted TAR file. This may allow a remote attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2015-3307)
- A type confusion flaw exists in the '__toString()' method in 'incomplete_class.c' that may allow a context-dependent attacker to leak arbitrary memory blocks or potentially cause a denial of service. (CVE-2015-4602)
- Multiple unspecified issues exist in '/soap/php_http.c' and '/soap/php_encoding.c'. This may allow an attacker to have an unspecified impact. (CVE-2015-4601)
- A denial of service vulnerability affects Fine Free File, a common component used in PHP known as 'file'. Specifically, this issue affects the source file 'libmagic/softmagic.c' because it fails to properly handle offsets that exceed 'bytecnt' or vice versa. (CVE-2015-4605)

Solution

Apply the vendor patch or upgrade to PHP version 5.6.8 or later. If 5.6.x cannot be installed, 5.4.40 and 5.5.24 are also patched for these vulnerabilities.
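As an added example (not part of the Nessus plugin or its code), the affected-version logic from the Description and Solution above expressed as a Python check over a server banner; the fixed-version table and the sample banners are constructed here. Distribution builds such as Debian and Ubuntu backport fixes without raising the version number, so a banner match on a vendor build is a lead to confirm, not a finding.

```python
import re

# Patched release per affected branch, as stated in the advisory
# (constructed lookup table keyed on (major, minor)).
FIXED_IN = {(5, 4): (5, 4, 40), (5, 5): (5, 5, 24), (5, 6): (5, 6, 8)}

# First dotted triple plus any vendor suffix, e.g. "5.5.9-1ubuntu4.14".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([-+~][\w.+~]*)?")
# Prefer a version that follows "PHP/" so that a banner such as
# "Apache/2.4.7 (Ubuntu) PHP/5.5.9" is not read as PHP 2.4.7.
_PHP_RE = re.compile(r"PHP[/ ]" + _VERSION_RE.pattern)


def parse_version(banner):
    """Return ((major, minor, patch), vendor_suffix) or None if no version is present."""
    m = _PHP_RE.search(banner) or _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.group(1, 2, 3)), (m.group(4) or "")


def assess(banner):
    """Classify a PHP banner against the advisory's affected ranges.

    'affected' is True/False, or None when no version could be parsed.
    'fixed_in' is the branch's patched release, or None for branches this
    advisory does not cover. 'vendor_build' is True when a distro suffix is
    present, meaning the fix may have been backported and the result needs
    confirming against the package changelog."""
    parsed = parse_version(banner)
    if parsed is None:
        return {"affected": None, "fixed_in": None, "vendor_build": False}
    version, suffix = parsed
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return {"affected": False, "fixed_in": None, "vendor_build": bool(suffix)}
    return {
        "affected": version < fixed,
        "fixed_in": ".".join(map(str, fixed)),
        "vendor_build": bool(suffix),
    }


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    for b in ("X-Powered-By: PHP/5.5.9-1ubuntu4.14", "Apache/2.4.7 (Ubuntu) PHP/5.6.7",
              "PHP/5.4.40", "PHP/7.0.0", "Server: nginx"):
        print(b, "->", assess(b))
```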

See Also

http://php.net/ChangeLog-5.php#5.6.8

http://seclists.org/fulldisclosure/2015/Apr/104

http://php.net/ChangeLog-5.php#5.5.24

http://php.net/ChangeLog-5.php#5.4.40

Plugin Details

Severity: Critical

ID: 8784

Family: Web Servers

Published: 6/18/2015

Updated: 3/6/2019

Nessus ID: 83033, 83034, 83035

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:php:php

Patch Publication Date: 4/16/2015

Vulnerability Publication Date: 4/14/2015

Reference Information

CVE: CVE-2014-9709, CVE-2015-1351, CVE-2015-1352, CVE-2015-2301, CVE-2015-2783, CVE-2015-3307, CVE-2015-3329, CVE-2015-3330, CVE-2015-3411, CVE-2015-3412, CVE-2015-4600, CVE-2015-4601, CVE-2015-4602, CVE-2015-4603, CVE-2015-4604, CVE-2015-4605

BID: 71929, 73037, 73306, 74239, 74240, 74413, 75246, 75249, 75250, 75255, 71932, 74204, 74703, 75233, 74417