The php_pgsql_meta_data function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not validate token extraction for table names, which might allow remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted name. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1352.

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2015-1186 advisory.

  - ext/phar/phar.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers     to obtain sensitive information from process memory or cause a denial of service (buffer over-read and     application crash) via a crafted length value in conjunction with crafted serialized data in a phar     archive, related to the phar_parse_metadata and phar_parse_pharfile functions. (CVE-2015-2783)

  - The phar_parse_metadata function in ext/phar/phar.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x     before 5.6.8 allows remote attackers to cause a denial of service (heap metadata corruption) or possibly     have unspecified other impact via a crafted tar archive. (CVE-2015-3307)

  - Multiple stack-based buffer overflows in the phar_set_inode function in phar_internal.h in PHP before     5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allow remote attackers to execute arbitrary code via a     crafted length value in a (1) tar, (2) phar, or (3) ZIP archive. (CVE-2015-3329)

  - The php_handler function in sapi/apache2handler/sapi_apache2.c in PHP before 5.4.40, 5.5.x before 5.5.24,     and 5.6.x before 5.6.8, when the Apache HTTP Server 2.4.x is used, allows remote attackers to cause a     denial of service (application crash) or possibly execute arbitrary code via pipelined HTTP requests that     result in a deconfigured interpreter. (CVE-2015-3330)

  - PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00     sequences, which might allow remote attackers to read or write to arbitrary files via crafted input to an     application that calls (1) a DOMDocument load method, (2) the xmlwriter_open_uri function, (3) the     finfo_file function, or (4) the hash_hmac_file function, as demonstrated by a filename\0.xml attack that     bypasses an intended configuration in which client users may read only .xml files. (CVE-2015-3411)

  - PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00     sequences, which might allow remote attackers to read arbitrary files via crafted input to an application     that calls the stream_resolve_include_path function in ext/standard/streamsfuncs.c, as demonstrated by a     filename\0.extension attack that bypasses an intended configuration in which client users may read files     with only one specific extension. (CVE-2015-3412)

  - The phar_parse_tarfile function in ext/phar/tar.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x     before 5.6.9 does not verify that the first character of a filename is different from the \0 character,     which allows remote attackers to cause a denial of service (integer underflow and memory corruption) via a     crafted entry in a tar archive. (CVE-2015-4021)

  - Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.41, 5.5.x before 5.5.25,     and 5.6.x before 5.6.9 allows remote FTP servers to execute arbitrary code via a long reply to a LIST     command, leading to a heap-based buffer overflow. (CVE-2015-4022)

  - Algorithmic complexity vulnerability in the multipart_buffer_headers function in main/rfc1867.c in PHP     before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows remote attackers to cause a denial of     service (CPU consumption) via crafted form data that triggers an improper order-of-growth outcome.
    (CVE-2015-4024)

  - PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a     \x00 character in certain situations, which allows remote attackers to bypass intended extension     restrictions and access files or directories with unexpected names via a crafted argument to (1)     set_include_path, (2) tempnam, (3) rmdir, or (4) readlink. NOTE: this vulnerability exists because of an     incomplete fix for CVE-2006-7243. (CVE-2015-4025)

  - The pcntl_exec implementation in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates     a pathname upon encountering a \x00 character, which might allow remote attackers to bypass intended     extension restrictions and execute files with unexpected names via a crafted first argument. NOTE: this     vulnerability exists because of an incomplete fix for CVE-2006-7243. (CVE-2015-4026)

  - PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not ensure that pathnames lack %00     sequences, which might allow remote attackers to read or write to arbitrary files via crafted input to an     application that calls (1) a DOMDocument save method or (2) the GD imagepsloadfont function, as     demonstrated by a filename\0.html attack that bypasses an intended configuration in which client users may     write to only .html files. (CVE-2015-4598)

  - The __PHP_Incomplete_Class function in ext/standard/incomplete_class.c in PHP before 5.4.40, 5.5.x before     5.5.24, and 5.6.x before 5.6.8 allows remote attackers to cause a denial of service (application crash) or     possibly execute arbitrary code via an unexpected data type, related to a type confusion issue.
    (CVE-2015-4602)

  - The exception::getTraceAsString function in Zend/zend_exceptions.c in PHP before 5.4.40, 5.5.x before     5.5.24, and 5.6.x before 5.6.8 allows remote attackers to execute arbitrary code via an unexpected data     type, related to a type confusion issue. (CVE-2015-4603)

  - The mget function in softmagic.c in file 5.x, as used in the Fileinfo component in PHP before 5.4.40,     5.5.x before 5.5.24, and 5.6.x before 5.6.8, does not properly maintain a certain pointer relationship,     which allows remote attackers to cause a denial of service (application crash) or possibly execute     arbitrary code via a crafted string that is mishandled by a Python script text executable rule.
    (CVE-2015-4604)

  - The mcopy function in softmagic.c in file 5.x, as used in the Fileinfo component in PHP before 5.4.40,     5.5.x before 5.5.24, and 5.6.x before 5.6.8, does not properly restrict a certain offset value, which     allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary     code via a crafted string that is mishandled by a Python script text executable rule. (CVE-2015-4605)

  - Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.42, 5.5.x before 5.5.26,     and 5.6.x before 5.6.10 allows remote FTP servers to execute arbitrary code via a long reply to a LIST     command, leading to a heap-based buffer overflow. NOTE: this vulnerability exists because of an incomplete     fix for CVE-2015-4022. (CVE-2015-4643)

  - The php_pgsql_meta_data function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP before 5.4.42,     5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not validate token extraction for table names, which     might allow remote attackers to cause a denial of service (NULL pointer dereference and application crash)     via a crafted name. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1352.
    (CVE-2015-4644)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2015-1219 advisory.

  - The phar_parse_tarfile function in ext/phar/tar.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x     before 5.6.9 does not verify that the first character of a filename is different from the \0 character,     which allows remote attackers to cause a denial of service (integer underflow and memory corruption) via a     crafted entry in a tar archive. (CVE-2015-4021)

  - Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.41, 5.5.x before 5.5.25,     and 5.6.x before 5.6.9 allows remote FTP servers to execute arbitrary code via a long reply to a LIST     command, leading to a heap-based buffer overflow. (CVE-2015-4022)

  - Algorithmic complexity vulnerability in the multipart_buffer_headers function in main/rfc1867.c in PHP     before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows remote attackers to cause a denial of     service (CPU consumption) via crafted form data that triggers an improper order-of-growth outcome.
    (CVE-2015-4024)

  - PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a     \x00 character in certain situations, which allows remote attackers to bypass intended extension     restrictions and access files or directories with unexpected names via a crafted argument to (1)     set_include_path, (2) tempnam, (3) rmdir, or (4) readlink. NOTE: this vulnerability exists because of an     incomplete fix for CVE-2006-7243. (CVE-2015-4025)

  - The pcntl_exec implementation in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates     a pathname upon encountering a \x00 character, which might allow remote attackers to bypass intended     extension restrictions and execute files with unexpected names via a crafted first argument. NOTE: this     vulnerability exists because of an incomplete fix for CVE-2006-7243. (CVE-2015-4026)

  - PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not ensure that pathnames lack %00     sequences, which might allow remote attackers to read or write to arbitrary files via crafted input to an     application that calls (1) a DOMDocument save method or (2) the GD imagepsloadfont function, as     demonstrated by a filename\0.html attack that bypasses an intended configuration in which client users may     write to only .html files. (CVE-2015-4598)

  - Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.42, 5.5.x before 5.5.26,     and 5.6.x before 5.6.10 allows remote FTP servers to execute arbitrary code via a long reply to a LIST     command, leading to a heap-based buffer overflow. NOTE: this vulnerability exists because of an incomplete     fix for CVE-2015-4022. (CVE-2015-4643)

  - The php_pgsql_meta_data function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP before 5.4.42,     5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not validate token extraction for table names, which     might allow remote attackers to cause a denial of service (NULL pointer dereference and application crash)     via a crafted name. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1352.
    (CVE-2015-4644)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP 5.6.x running on the remote web server is prior to 5.6.10. It is, therefore, affected by multiple vulnerabilities :

 - Multiple heap buffer overflow conditions exist in the bundled Perl-Compatible Regular Expression (PCRE) library due to improper validation of user-supplied input to the compile_branch() and pcre_compile2() functions. A remote attacker can exploit these conditions to cause a heap-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-2325, CVE-2015-2326)

 - A denial of service vulnerability exists in the bundled SQLite component due to improper handling of quotes in collation sequence names. A remote attacker can exploit this to cause uninitialized memory access, resulting in denial of service condition. (CVE-2015-3414)

 - A denial of service vulnerability exists in the bundled SQLite component due to an improper implementation of comparison operators in the sqlite3VdbeExec() function in vdbe.c. A remote attacker can exploit this to cause an invalid free operation, resulting in a denial of service condition. (CVE-2015-3415)

 - A denial of service vulnerability exists in the bundled SQLite component due to improper handling of precision and width values during floating-point conversions in the sqlite3VXPrintf() function in printf.c. A remote attacker can exploit this to cause a stack-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-3416)

 - A security bypass vulnerability exists due to a failure in multiple extensions to check for NULL bytes in a path when processing or reading a file. A remote attacker can exploit this, by combining the '\\0' character with a safe file extension, to bypass access restrictions. (CVE-2015-4598)

 - An arbitrary command injection vulnerability exists due to a flaw in the php_escape_shell_arg() function in exec.c. A remote attacker can exploit this, via the escapeshellarg() PHP method, to inject arbitrary operating system commands. (CVE-2015-4642)

 - A heap buffer overflow condition exists in the ftp_genlist() function in ftp.c. due to improper validation of user-supplied input. A remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-4643) - A denial of service vulnerability exists due to a NULL pointer dereference flaw in the build_tablename() function in pgsql.c. An authenticated, remote attacker can exploit this to cause an application crash. (CVE-2015-4644)

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

This security update of PHP fixes the following issues :

Security issues fixed :

  - CVE-2015-4024 [bnc#931421]: Fixed multipart/form-data     remote DOS Vulnerability.

  - CVE-2015-4026 [bnc#931776]: pcntl_exec() did not check     path validity.

  - CVE-2015-4022 [bnc#931772]: Fixed and overflow in     ftp_genlist() that resulted in a heap overflow.

  - CVE-2015-4021 [bnc#931769]: Fixed memory corruption in     phar_parse_tarfile when entry filename starts with NULL.

  - CVE-2015-4148 [bnc#933227]: Fixed SoapClient's     do_soap_call() type confusion after unserialize()     information disclosure.

  - CVE-2015-4602 [bnc#935224]: Fixed an incomplete Class     unserialization type confusion.

  - CVE-2015-4599, CVE-2015-4600, CVE-2015-4601     [bnc#935226]: Fixed type confusion issues in     unserialize() with various SOAP methods.

  - CVE-2015-4603 [bnc#935234]: Fixed     exception::getTraceAsString type confusion issue after     unserialize.

  - CVE-2015-4644 [bnc#935274]: Fixed a crash in     php_pgsql_meta_data.

  - CVE-2015-4643 [bnc#935275]: Fixed an integer overflow in     ftp_genlist() that could result in a heap overflow.

  - CVE-2015-3411, CVE-2015-3412, CVE-2015-4598     [bnc#935227], [bnc#935232]: Added missing null byte     checks for paths in various PHP extensions.

Bugs fixed :

  - configure php-fpm with --localstatedir=/var [bnc#927147]

  - fix timezone map [bnc#919080]

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its self-reported version number, the remote pfSense install is prior to 2.2.3. It is, therefore, affected by multiple vulnerabilities as stated in the referenced vendor advisories.

The remote host is affected by the vulnerability described in GLSA-201606-10 (PHP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in PHP. Please review the       CVE identifiers referenced below for details.
  Impact :

    An attacker can possibly execute arbitrary code or create a Denial of       Service condition.
  Workaround :

    There is no known workaround at this time.

- CVE-2015-3307 The phar_parse_metadata function in     ext/phar/phar.c in PHP before 5.4.40, 5.5.x before     5.5.24, and 5.6.x before 5.6.8 allows remote attackers     to cause a denial of service (heap metadata corruption)     or possibly have unspecified other impact via a crafted     tar archive.

  - CVE-2015-3411 + CVE-2015-3412 Fixed bug #69353 (Missing     null byte checks for paths in various PHP extensions)

  - CVE-2015-4021 The phar_parse_tarfile function in     ext/phar/tar.c in PHP before 5.4.41, 5.5.x before     5.5.25, and 5.6.x before 5.6.9 does not verify that the     first character of a filename is different from the \0     character, which allows remote attackers to cause a     denial of service (integer underflow and memory     corruption) via a crafted entry in a tar archive.

  - CVE-2015-4022 Integer overflow in the ftp_genlist     function in ext/ftp/ftp.c in PHP before 5.4.41, 5.5.x     before 5.5.25, and 5.6.x before 5.6.9 allows remote FTP     servers to execute arbitrary code via a long reply to a     LIST command, leading to a heap-based buffer overflow.

  - CVE-2015-4025 PHP before 5.4.41, 5.5.x before 5.5.25,     and 5.6.x before 5.6.9 truncates a pathname upon     encountering a \x00 character in certain situations,     which allows remote attackers to bypass intended     extension restrictions and access files or directories     with unexpected names via a crafted argument to (1)     set_include_path, (2) tempnam, (3) rmdir, or (4)     readlink. NOTE: this vulnerability exists because of an     incomplete fix for CVE-2006-7243.

  - CVE-2015-4026 The pcntl_exec implementation in PHP     before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before     5.6.9 truncates a pathname upon encountering a \x00     character, which might allow remote attackers to bypass     intended extension restrictions and execute files with     unexpected names via a crafted first argument. NOTE:
    this vulnerability exists because of an incomplete fix     for CVE-2006-7243.

  - CVE-2015-4147 The SoapClient::__call method in     ext/soap/soap.c in PHP before 5.4.39, 5.5.x before     5.5.23, and 5.6.x before 5.6.7 does not verify that
    __default_headers is an array, which allows remote     attackers to execute arbitrary code by providing crafted     serialized data with an unexpected data type, related to     a 'type confusion' issue.

  - CVE-2015-4148 The do_soap_call function in     ext/soap/soap.c in PHP before 5.4.39, 5.5.x before     5.5.23, and 5.6.x before 5.6.7 does not verify that the     uri property is a string, which allows remote attackers     to obtain sensitive information by providing crafted     serialized data with an int data type, related to a     'type confusion' issue.

  - CVE-2015-4598 Incorrect handling of paths with NULs

  - CVE-2015-4599 Type confusion vulnerability in     exception::getTraceAsString

  - CVE-2015-4600 + CVE-2015-4601 Added type checks

  - CVE-2015-4602 Type Confusion Infoleak Vulnerability in     unserialize() with SoapFault

  - CVE-2015-4604 + CVE-2015-4605 denial of service when     processing a crafted file with Fileinfo (already fixed     in CVE-2015-temp-68819.patch)

  - CVE-2015-4643 Improved fix for bug #69545 (Integer     overflow in ftp_genlist() resulting in heap overflow)

  - CVE-2015-4644 Fixed bug #69667 (segfault in     php_pgsql_meta_data)

  - CVE-2015-5589 Segfault in Phar::convertToData on invalid     file

  - CVE-2015-5590 Buffer overflow and stack smashing error     in phar_fix_filepath

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities have been discovered in the PHP language :

  - CVE-2015-4598     thoger at redhat dot com discovered that paths     containing a NUL character were improperly handled, thus     allowing an attacker to manipulate unexpected files on     the server.

  - CVE-2015-4643     Max Spelsberg discovered an integer overflow flaw     leading to a heap-based buffer overflow in PHP's FTP     extension, when parsing listings in FTP server     responses. This could lead to a a crash or execution of     arbitrary code.

  - CVE-2015-4644     A denial of service through a crash could be caused by a     segfault in the php_pgsql_meta_data function.

  - CVE-2015-5589     kwrnel at hotmail dot com discovered that PHP could     crash when processing an invalid phar file, thus leading     to a denial of service.

  - CVE-2015-5590     jared at enhancesoft dot com discovered a buffer     overflow in the phar_fix_filepath function, that could     causes a crash or execution of arbitrary code.

  - Additionally, several other vulnerabilites were fixed :

    sean dot heelan at gmail dot com discovered a problem in     the unserialization of some items, that could lead to     arbitrary code execution.

  stewie at mail dot ru discovered that the phar extension improperly   handled zip archives with relative paths, which would allow an   attacker to overwrite files outside of the destination directory.

  taoguangchen at icloud dot com discovered several use-after-free   vulnerabilities that could lead to arbitrary code execution.

The PHP script interpreter was updated to fix various security issues :

CVE-2015-4602 [bnc#935224]: Fixed an incomplete Class unserialization type confusion.

CVE-2015-4599, CVE-2015-4600, CVE-2015-4601 [bnc#935226]: Fixed type confusion issues in unserialize() with various SOAP methods.

CVE-2015-4603 [bnc#935234]: Fixed exception::getTraceAsString type confusion issue after unserialize.

CVE-2015-4644 [bnc#935274]: Fixed a crash in php_pgsql_meta_data.

CVE-2015-4643 [bnc#935275]: Fixed an integer overflow in ftp_genlist() that could result in a heap overflow.

CVE-2015-3411, CVE-2015-3412, CVE-2015-4598 [bnc#935227], [bnc#935232]: Added missing null byte checks for paths in various PHP extensions.

CVE-2015-4148 [bnc#933227]: Fixed a SoapClient's do_soap_call() type confusion after unserialize() information disclosure.

Also the following bug were fixed :

fix a segmentation fault in odbc_fetch_array [bnc#935074]

fix timezone map [bnc#919080]

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New php packages are available for Slackware 14.0, 14.1, and -current to fix security issues.

Upstream reports that several bugs have been fixed as well as several security issues into some bundled libraries (CVE-2015-3414 , CVE-2015-3415 , CVE-2015-3416 , CVE-2015-2325 and CVE-2015-2326). All PHP 5.6 users are encouraged to upgrade to this version. Please see the upstream release notes for full details.

Upstream reports that several bugs have been fixed as well as several security issues into some bundled libraries (CVE-2015-3414 , CVE-2015-3415 , CVE-2015-3416 , CVE-2015-2325 and CVE-2015-2326). All PHP 5.5 users are encouraged to upgrade to this version. Please see the upstream release notes for full details.

Upstream reports that six security-related issues in PHP were fixed in this release, as well as several security issues in bundled sqlite library (CVE-2015-3414 , CVE-2015-3415 , CVE-2015-3416). All PHP 5.4 users are encouraged to upgrade to this version. Please see the upstream release notes for full details.

Neal Poole and Tomas Hoger discovered that PHP incorrectly handled NULL bytes in file paths. A remote attacker could possibly use this issue to bypass intended restrictions and create or obtain access to sensitive files. (CVE-2015-3411, CVE-2015-3412, CVE-2015-4025, CVE-2015-4026, CVE-2015-4598)

Emmanuel Law discovered that the PHP phar extension incorrectly handled filenames starting with a NULL byte. A remote attacker could use this issue with a crafted tar archive to cause a denial of service. (CVE-2015-4021)

Max Spelsberg discovered that PHP incorrectly handled the LIST command when connecting to remote FTP servers. A malicious FTP server could possibly use this issue to execute arbitrary code. (CVE-2015-4022, CVE-2015-4643)

Shusheng Liu discovered that PHP incorrectly handled certain malformed form data. A remote attacker could use this issue with crafted form data to cause CPU consumption, leading to a denial of service.
(CVE-2015-4024)

Andrea Palazzo discovered that the PHP Soap client incorrectly validated data types. A remote attacker could use this issue with crafted serialized data to possibly execute arbitrary code.
(CVE-2015-4147)

Andrea Palazzo discovered that the PHP Soap client incorrectly validated that the uri property is a string. A remote attacker could use this issue with crafted serialized data to possibly obtain sensitive information. (CVE-2015-4148)

Taoguang Chen discovered that PHP incorrectly validated data types in multiple locations. A remote attacker could possibly use these issues to obtain sensitive information or cause a denial of service.
(CVE-2015-4599, CVE-2015-4600, CVE-2015-4601, CVE-2015-4602, CVE-2015-4603)

It was discovered that the PHP Fileinfo component incorrectly handled certain files. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. This issue only affected Ubuntu 15.04. (CVE-2015-4604, CVE-2015-4605)

It was discovered that PHP incorrectly handled table names in php_pgsql_meta_data. A local attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2015-4644).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The PHP script interpreter was updated to receive various security fixes :

  - CVE-2015-4602 [bnc#935224]: Fixed an incomplete Class     unserialization type confusion.

  - CVE-2015-4599, CVE-2015-4600, CVE-2015-4601     [bnc#935226]: Fixed type confusion issues in     unserialize() with various SOAP methods.

  - CVE-2015-4603 [bnc#935234]: Fixed     exception::getTraceAsString type confusion issue after     unserialize.

  - CVE-2015-4644 [bnc#935274]: Fixed a crash in     php_pgsql_meta_data.

  - CVE-2015-4643 [bnc#935275]: Fixed an integer overflow in     ftp_genlist() that could result in a heap overflow.

  - CVE-2015-3411, CVE-2015-3412, CVE-2015-4598     [bnc#935227], [bnc#935232]: Added missing null byte     checks for paths in various PHP extensions.

According to its banner, the version of PHP 5.6.x running on the remote web server is prior to 5.6.10. It is, therefore, affected by multiple vulnerabilities :

  - Multiple heap buffer overflow conditions exist in the     bundled Perl-Compatible Regular Expression (PCRE)     library due to improper validation of user-supplied     input to the compile_branch() and pcre_compile2()     functions. A remote attacker can exploit these     conditions to cause a heap-based buffer overflow,     resulting in a denial of service condition or the     execution of arbitrary code. (CVE-2015-2325,     CVE-2015-2326)

  - A denial of service vulnerability exists in the bundled     SQLite component due to improper handling of quotes     in collation sequence names. A remote attacker can     exploit this to cause uninitialized memory access,     resulting in denial of service condition.
    (CVE-2015-3414)

  - A denial of service vulnerability exists in the bundled     SQLite component due to an improper implementation of     comparison operators in the sqlite3VdbeExec() function     in vdbe.c. A remote attacker can exploit this to cause     an invalid free operation, resulting in a denial of     service condition. (CVE-2015-3415)

  - A denial of service vulnerability exists in the bundled     SQLite component due to improper handling of precision     and width values during floating-point conversions in     the sqlite3VXPrintf() function in printf.c. A remote     attacker can exploit this to cause a stack-based buffer     overflow, resulting in a denial of service condition or     the execution of arbitrary code. (CVE-2015-3416)

  - A security bypass vulnerability exists due to a failure     in multiple extensions to check for NULL bytes in a path     when processing or reading a file. A remote attacker can     exploit this, by combining the '\0' character with a     safe file extension, to bypass access restrictions.
    (CVE-2015-4598)

  - An arbitrary command injection vulnerability exists due     to a flaw in the php_escape_shell_arg() function in     exec.c. A remote attacker can exploit this, via the     escapeshellarg() PHP method, to inject arbitrary     operating system commands. (CVE-2015-4642)

  - A heap buffer overflow condition exists in the     ftp_genlist() function in ftp.c. due to improper     validation of user-supplied input. A remote attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code. (CVE-2015-4643)     
  - A denial of service vulnerability exists due to a NULL     pointer dereference flaw in the build_tablename()     function in pgsql.c. An authenticated, remote attacker     can exploit this to cause an application crash.
    (CVE-2015-4644)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP 5.5.x running on the remote web server is prior to 5.5.26. It is, therefore, affected by multiple vulnerabilities :    

  - Multiple heap buffer overflow conditions exist in the     bundled Perl-Compatible Regular Expression (PCRE)     library due to improper validation of user-supplied     input to the compile_branch() and pcre_compile2()     functions. A remote attacker can exploit these     conditions to cause a heap-based buffer overflow,     resulting in a denial of service condition or the     execution of arbitrary code. (CVE-2015-2325,     CVE-2015-2326)

  - A denial of service vulnerability exists in the bundled     SQLite component due to improper handling of quotes     in collation sequence names. A remote attacker can     exploit this to cause uninitialized memory access,     resulting in denial of service condition.
    (CVE-2015-3414)

  - A denial of service vulnerability exists in the bundled     SQLite component due to an improper implementation of     comparison operators in the sqlite3VdbeExec() function     in vdbe.c. A remote attacker can exploit this to cause     an invalid free operation, resulting in a denial of     service condition. (CVE-2015-3415)

  - A denial of service vulnerability exists in the bundled     SQLite component due to improper handling of precision     and width values during floating-point conversions in     the sqlite3VXPrintf() function in printf.c. A remote     attacker can exploit this to cause a stack-based buffer     overflow, resulting in a denial of service condition or     the execution of arbitrary code. (CVE-2015-3416)

  - A security bypass vulnerability exists due to a failure     in multiple extensions to check for NULL bytes in a path     when processing or reading a file. A remote attacker can     exploit this, by combining the '\0' character with a     safe file extension, to bypass access restrictions.
    (CVE-2015-4598)

  - An arbitrary command injection vulnerability exists due     to a flaw in the php_escape_shell_arg() function in     exec.c. A remote attacker can exploit this, via the     escapeshellarg() PHP method, to inject arbitrary     operating system commands. (CVE-2015-4642)

  - A heap buffer overflow condition exists in the     ftp_genlist() function in ftp.c. due to improper     validation of user-supplied input. A remote attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code. (CVE-2015-4643)     
  - A denial of service vulnerability exists due to a NULL     pointer dereference flaw in the build_tablename()     function in pgsql.c. An authenticated, remote attacker     can exploit this to cause an application crash.
    (CVE-2015-4644)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP 5.4.x running on the remote web server is prior to 5.4.42. It is, therefore, affected by multiple vulnerabilities :

  - Multiple heap buffer overflow conditions exist in the     bundled Perl-Compatible Regular Expression (PCRE)     library due to improper validation of user-supplied     input to the compile_branch() and pcre_compile2()     functions. A remote attacker can exploit these     conditions to cause a heap-based buffer overflow,     resulting in a denial of service condition or the     execution of arbitrary code. (CVE-2015-2325,     CVE-2015-2326)

  - A denial of service vulnerability exists in the bundled     SQLite component due to improper handling of quotes     in collation sequence names. A remote attacker can     exploit this to cause uninitialized memory access,     resulting in denial of service condition.
    (CVE-2015-3414)

  - A denial of service vulnerability exists in the bundled     SQLite component due to an improper implementation of     comparison operators in the sqlite3VdbeExec() function     in vdbe.c. A remote attacker can exploit this to cause     an invalid free operation, resulting in a denial of     service condition. (CVE-2015-3415)

  - A denial of service vulnerability exists in the bundled     SQLite component due to improper handling of precision     and width values during floating-point conversions in     the sqlite3VXPrintf() function in printf.c. A remote     attacker can exploit this to cause a stack-based buffer     overflow, resulting in a denial of service condition or     the execution of arbitrary code. (CVE-2015-3416)

  - A security bypass vulnerability exists due to a failure     in multiple extensions to check for NULL bytes in a path     when processing or reading a file. A remote attacker can     exploit this, by combining the '\0' character with a     safe file extension, to bypass access restrictions.
    (CVE-2015-4598)

  - An arbitrary command injection vulnerability exists due     to a flaw in the php_escape_shell_arg() function in     exec.c. A remote attacker can exploit this, via the     escapeshellarg() PHP method, to inject arbitrary     operating system commands. (CVE-2015-4642)

  - A heap buffer overflow condition exists in the     ftp_genlist() function in ftp.c. due to improper     validation of user-supplied input. A remote attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code. (CVE-2015-4643)     
  - A denial of service vulnerability exists due to a NULL     pointer dereference flaw in the build_tablename()     function in pgsql.c. An authenticated, remote attacker     can exploit this to cause an application crash.
    (CVE-2015-4644)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The PHP project reports :

DOM and GD :

- Fixed bug #69719 (Incorrect handling of paths with NULs).

FTP :

- Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (CVE-2015-4643)

Postgres :

- Fixed bug #69667 (segfault in php_pgsql_meta_data). (CVE-2015-4644)

Versions of PHP 5.5.x prior to 5.5.26, or 5.6.x prior to 5.6.10 are exposed to the following vulnerabilities :

 - Multiple heap buffer overflow conditions exist in the bundled Perl-Compatible Regular Expression (PCRE) library due to improper validation of user-supplied input to the 'compile_branch()' and 'pcre_compile2()' functions. A remote attacker can exploit these conditions to cause a heap-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-2325, CVE-2015-2326)
 - A denial of service vulnerability exists in the bundled SQLite component due to improper handling of quotes in collation sequence names. A remote attacker can exploit this to cause uninitialized memory access, resulting in denial of service condition. (CVE-2015-3414)
 - A denial of service vulnerability exists in the bundled SQLite component due to an improper implementation of comparison operators in the 'sqlite3VdbeExec()' function in 'vdbe.c'. A remote attacker can exploit this to cause an invalid free operation, resulting in a denial of service condition. (CVE-2015-3415)
 - A denial of service vulnerability exists in the bundled SQLite component due to improper handling of precision and width values during floating-point conversions in the 'sqlite3VXPrintf()' function in 'printf.c'. A remote attacker can exploit this to cause a stack-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-3416)
 - A security bypass vulnerability exists due to a failure in multiple extensions to check for NULL bytes in a path when processing or reading a file. A remote attacker can exploit this, by combining the '\0' character with a safe file extension, to bypass access restrictions. (CVE-2015-4598)
 - An arbitrary command injection vulnerability exists due to a flaw in the 'php_escape_shell_arg()' function in 'exec.c'. A remote attacker can exploit this, via the 'escapeshellarg()' PHP method, to inject arbitrary operating system commands. (CVE-2015-4642)
 - A heap buffer overflow condition exists in the 'ftp_genlist()' function in 'ftp.c'. due to improper validation of user-supplied input. A remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-4643)
 - A denial of service vulnerability exists due to a NULL pointer dereference flaw in the 'build_tablename()' function in 'pgsql.c'. An authenticated, remote attacker can exploit this to cause an application crash. (CVE-2015-4644)

ID	Name	Product	Family	Severity
181083	Oracle Linux 7 : php55-php (ELSA-2015-1186)	Nessus	Oracle Linux Local Security Checks	critical
181016	Oracle Linux 6 / 7 : php54-php (ELSA-2015-1219)	Nessus	Oracle Linux Local Security Checks	critical
98802	PHP 5.6.x < 5.6.10 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
119968	SUSE SLES12 Security Update : php5 (SUSE-SU-2015:1253-1)	Nessus	SuSE Local Security Checks	critical
106495	pfSense < 2.2.3 Multiple Vulnerabilities (SA-15_07) (Logjam)	Nessus	Firewalls	critical
93161	SUSE SLES11 Security Update : php53 (SUSE-SU-2016:1638-1) (BACKRONYM)	Nessus	SuSE Local Security Checks	critical
91704	GLSA-201606-10 : PHP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
85808	Debian DLA-307-1 : php5 security update	Nessus	Debian Local Security Checks	critical
85664	Debian DSA-3344-1 : php5 - security update	Nessus	Debian Local Security Checks	critical
84897	SUSE SLES11 Security Update : PHP (SUSE-SU-2015:1265-1)	Nessus	SuSE Local Security Checks	critical
84830	Slackware 14.0 / 14.1 / current : php (SSA:2015-198-02) (BACKRONYM)	Nessus	Slackware Local Security Checks	critical
84625	Amazon Linux AMI : php56 (ALAS-2015-563)	Nessus	Amazon Linux Local Security Checks	critical
84624	Amazon Linux AMI : php55 (ALAS-2015-562)	Nessus	Amazon Linux Local Security Checks	critical
84623	Amazon Linux AMI : php54 (ALAS-2015-561)	Nessus	Amazon Linux Local Security Checks	critical
84563	Ubuntu 14.04 LTS : PHP vulnerabilities (USN-2658-1)	Nessus	Ubuntu Local Security Checks	critical
84557	openSUSE Security Update : php5 (openSUSE-2015-471)	Nessus	SuSE Local Security Checks	critical
84364	PHP 5.6.x < 5.6.10 Multiple Vulnerabilities	Nessus	CGI abuses	critical
84363	PHP 5.5.x < 5.5.26 Multiple Vulnerabilities	Nessus	CGI abuses	critical
84362	PHP 5.4.x < 5.4.42 Multiple Vulnerabilities	Nessus	CGI abuses	critical
84326	FreeBSD : php5 -- multiple vulnerabilities (cdff0af2-1492-11e5-a1cf-002590263bf5)	Nessus	FreeBSD Local Security Checks	critical
8787	PHP 5.5.x < 5.5.26 / 5.6.x < 5.6.10 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	medium

Detections

Analytics

CVE-2015-4644

high

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

medium