PHP 5.6.x < 5.6.27 / 7.0.x < 7.0.12 Multiple Vulnerabilities

critical Nessus Network Monitor Plugin ID 9706

Synopsis

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

Description

Versions of PHP 5.6.x prior to 5.6.27 and 7.0.x prior to 7.0.12 are vulnerable to the following issues:

- A NULL pointer dereference flaw exists in the 'SimpleXMLElement::asXML()' function in 'ext/simplexml/simplexml.c'. This may allow a remote attacker to crash a process utilizing the language.
- An overflow condition exists in the 'php_ereg_replace()' function in 'ext/ereg/ereg.c'. The issue is triggered as certain input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, crashing a process utilizing the language or potentially allowing the execution of arbitrary code.
- A flaw exists in the 'openssl_random_pseudo_bytes()' function in 'ext/openssl/openssl.c' that is triggered when handling strings larger than 2GB. This may allow a remote attacker to crash a process utilizing the language.
- A flaw exists in the 'openssl_encrypt()' function in 'ext/openssl/openssl.c' that is triggered when handling strings larger than 2GB. This may allow a remote attacker to crash a process utilizing the language.
- An integer overflow flaw exists in the 'imap_8bit()' function in 'ext/imap/php_imap.c'. The issue is triggered as certain input is not properly validated. This may allow a remote attacker to corrupt memory and crash a process utilizing the language or potentially execute arbitrary code.
- A flaw exists in the '_bc_new_num_ex()' function in 'ext/bcmath/libbcmath/src/init.c' that is triggered during the handling of values passed via the 'scale' parameter. This may allow a remote attacker to crash a process utilizing the language.
- A flaw exists in the 'php_resolve_path()' function in 'main/fopen_wrappers.c' that is triggered during the handling of negative size values passed via the 'filename' parameter. This may allow a remote attacker to crash a process utilizing the language.
- A flaw exists in the 'dom_document_save_html()' function in 'ext/dom/document.c' that is due to missing NULL checks. This may allow a remote attacker to crash a process utilizing the language.
- A use-after-free error exists in the 'unserialize()' function. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code.
- An integer overflow flaw exists in the 'mb_encode_*()' function in 'ext/mbstring/mbstring.c'. The issue is triggered as the length of encoded data is not properly validated. This may allow a remote attacker to corrupt memory and crash a process utilizing the language or potentially execute arbitrary code.
- A NULL pointer dereference flaw exists in the 'CachingIterator()' method in 'ext/spl/spl_iterators.c' that is triggered during the handling of string conversion. This may allow a remote attacker to crash a process utilizing the language.
- An integer overflow condition exists in the 'number_format()' function in 'ext/standard/math.c'. The issue is triggered when handling 'decimals' and 'dec_point' parameters with values that are equal or close to 0x7fffffff. This may allow a remote attacker to cause a heap-based buffer overflow, crashing a process utilizing the language or potentially allowing the execution of arbitrary code.
- An overflow condition exists in the 'ResourceBundle::create' and 'ResourceBundle::getLocales' methods and their respective functions in 'ext/intl/resourcebundle/resourcebundle_class.c'. The issue is triggered as certain input is not properly validated when passed via the 'bundlename' parameter. This may allow a remote attacker to cause a stack-based buffer overflow, crashing a process utilizing the language or potentially allowing the execution of arbitrary code.
- An integer overflow condition exists in the 'php_pcre_replace_impl()' function in 'ext/pcre/php_pcre.c'. The issue is triggered as certain input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, crashing a process utilizing the language or potentially allowing the execution of arbitrary code.
- A flaw exists in the 'php_date_interval_initialize_from_hash()' function in 'ext/date/php_date.c' that is triggered when unserializing DateInterval objects. This may allow a remote attacker to have an unspecified impact.
- An unspecified flaw exists in the 'SplObjectStorage::unserialize()' method in 'ext/spl/spl_observer.c' that is triggered as it allows the use of non-objects as keys. This may allow a remote attacker to have an unspecified impact.
- A NULL pointer dereference flaw exists in the 'php_wddx_serialize_object()' function in 'ext/wddx/wddx.c' that is triggered during the creation of PDORow objects. This may allow a remote attacker to crash a process utilizing the language.

Solution

Upgrade to PHP version 7.0.12 or later. If 7.x cannot be obtained, 5.6.27 has also been patched for these vulnerabilities.
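A branch-aware version check that implements the fixed-version logic stated above, added here as an example; it is not the Nessus plugin's own code. It assumes the PHP version is read either from `php -v` output or from a bare version string such as the one `phpversion()` returns, and the `php -v` sample embedded below is constructed for the example.

```python
import re
from typing import Optional, Tuple

# First fixed release per affected branch, as given in the advisory.
FIXED_VERSIONS = {
    (5, 6): (5, 6, 27),
    (7, 0): (7, 0, 12),
}

# Matches the first line of `php -v`, e.g. "PHP 5.6.26 (cli) (built: ...)".
PHP_V_LINE = re.compile(r"^PHP\s+(\d+\.\d+\.\d+\S*)", re.MULTILINE)

# Constructed sample of `php -v` output for a vulnerable build (not real scan data).
SAMPLE_PHP_V = (
    "PHP 5.6.26 (cli) (built: Sep 15 2016 11:06:17)\n"
    "Copyright (c) 1997-2016 The PHP Group\n"
    "Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies\n"
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from a PHP version string.

    Vendor suffixes such as '5.6.26-1ubuntu4' or '7.0.11RC1' are ignored,
    so only the upstream release number is compared.
    """
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised PHP version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version falls in an affected branch below its fixed release.

    Branches the advisory does not cover (e.g. 7.1.x) return False here,
    which means "not covered by this advisory", not "known safe".
    """
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return False
    return (major, minor, patch) < fixed


def version_from_php_v(output: str) -> Optional[str]:
    """Pull the version token out of `php -v` output, or None if absent."""
    m = PHP_V_LINE.search(output)
    return m.group(1) if m else None


def check_php_v_output(output: str) -> str:
    """Classify a `php -v` capture as 'affected', 'not affected' or 'unknown'."""
    version = version_from_php_v(output)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not affected"


if __name__ == "__main__":
    print(check_php_v_output(SAMPLE_PHP_V))
```

Because the check compares the upstream release number only, it will report a distribution build that backported the fixes (a package still labelled 5.6.26 but patched by the vendor) as affected; a version-only check of this kind is a triage signal, not proof, and should be confirmed against the vendor's changelog before being treated as a finding.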

See Also

http://php.net/ChangeLog-5.php#5.6.27

http://php.net/ChangeLog-7.php#7.0.12

Plugin Details

Severity: Critical

ID: 9706

Family: Web Servers

Published: 9/21/2016

Updated: 3/6/2019

Risk Information

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:php:php

Patch Publication Date: 10/13/2016

Vulnerability Publication Date: 10/11/2016