openSUSE-SU-2016:1357

http://php.net/ChangeLog-5.php

http://php.net/ChangeLog-7.php

RHSA-2016:2750

[oss-security] 20160428 [CVE Requests] PHP issues

89179

https://bugs.php.net/bug.php?id=71331

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722

According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Zend/zend_exceptions.c in PHP, possibly 5.x before     5.6.28 and 7.x before 7.0.13, allows remote attackers     to cause a denial of service (infinite loop) via a     crafted Exception object in serialized data, a related     issue to CVE-2015-8876.(CVE-2016-7478)

  - ext/spl/spl_array.c in PHP before 5.6.26 and 7.x before     7.0.11 proceeds with SplArray unserialization without     validating a return value and data type, which allows     remote attackers to cause a denial of service or     possibly have unspecified other impact via crafted     serialized data.(CVE-2016-7417)

  - ext/phar/phar_object.c in PHP before 5.5.32, 5.6.x     before 5.6.18, and 7.x before 7.0.3 mishandles     zero-length uncompressed data, which allows remote     attackers to cause a denial of service (heap memory     corruption) or possibly have unspecified other impact     via a crafted (1) TAR, (2) ZIP, or (3) PHAR     archive.(CVE-2016-4342)

  - The php_wddx_process_data function in ext/wddx/wddx.c     in PHP before 5.6.25 and 7.x before 7.0.10 allows     remote attackers to cause a denial of service     (segmentation fault) or possibly have unspecified other     impact via an invalid ISO 8601 time value, as     demonstrated by a wddx_deserialize call that mishandles     a dateTime element in a wddxPacket XML     document.(CVE-2016-7129)

  - Integer signedness error in the simplestring_addn     function in simplestring.c in xmlrpc-epi through     0.54.2, as used in PHP before 5.5.38, 5.6.x before     5.6.24, and 7.x before 7.0.9, allows remote attackers     to cause a denial of service (heap-based buffer     overflow) or possibly have unspecified other impact via     a long first argument to the PHP xmlrpc_encode_request     function.(CVE-2016-6296)

  - ext/snmp/snmp.c in PHP before 5.5.38, 5.6.x before     5.6.24, and 7.x before 7.0.9 improperly interacts with     the unserialize implementation and garbage collection,     which allows remote attackers to cause a denial of     service (use-after-free and application crash) or     possibly have unspecified other impact via crafted     serialized data, a related issue to     CVE-2016-5773.(CVE-2016-6295)

  - ext/session/session.c in PHP before 5.5.38, 5.6.x     before 5.6.24, and 7.x before 7.0.9 does not properly     maintain a certain hash data structure, which allows     remote attackers to cause a denial of service     (use-after-free) or possibly have unspecified other     impact via vectors related to session     deserialization.(CVE-2016-6290)

  - Integer overflow in the php_stream_zip_opener function     in ext/zip/zip_stream.c in PHP before 5.5.38, 5.6.x     before 5.6.24, and 7.x before 7.0.9 allows remote     attackers to cause a denial of service (stack-based     buffer overflow) or possibly have unspecified other     impact via a crafted zip:// URL.(CVE-2016-6297)

  - The phar_make_dirstream function in     ext/phar/dirstream.c in PHP before 5.6.18 and 7.x     before 7.0.3 mishandles zero-size ././@LongLink files,     which allows remote attackers to cause a denial of     service (uninitialized pointer dereference) or possibly     have unspecified other impact via a crafted TAR     archive.(CVE-2016-4343)

  - ext/intl/msgformat/msgformat_format.c in PHP before     5.6.26 and 7.x before 7.0.11 does not properly restrict     the locale length provided to the Locale class in the     ICU library, which allows remote attackers to cause a     denial of service (application crash) or possibly have     unspecified other impact via a     MessageFormatter::formatMessage call with a long first     argument.(CVE-2016-7416)

  - ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before     7.0.10 allows remote attackers to cause a denial of     service (NULL pointer dereference and application     crash) or possibly have unspecified other impact via a     malformed wddxPacket XML document that is mishandled in     a wddx_deserialize call, as demonstrated by a tag that     lacks a < (less than) character.(CVE-2016-7131)

  - ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before     7.0.10 allows remote attackers to cause a denial of     service (NULL pointer dereference and application     crash) or possibly have unspecified other impact via an     invalid wddxPacket XML document that is mishandled in a     wddx_deserialize call, as demonstrated by a stray     element inside a boolean element, leading to incorrect     pop processing.(CVE-2016-7132)

  - The php_wddx_pop_element function in ext/wddx/wddx.c in     PHP before 5.6.25 and 7.x before 7.0.10 allows remote     attackers to cause a denial of service (NULL pointer     dereference and application crash) or possibly have     unspecified other impact via an invalid base64 binary     value, as demonstrated by a wddx_deserialize call that     mishandles a binary element in a wddxPacket XML     document.( CVE-2016-7130)

  - The imagegammacorrect function in ext/gd/gd.c in PHP     before 5.6.25 and 7.x before 7.0.10 does not properly     validate gamma values, which allows remote attackers to     cause a denial of service (out-of-bounds write) or     possibly have unspecified other impact by providing     different signs for the second and third     arguments.(CVE-2016-7127)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of HP System Management Homepage (SMH) hosted on the remote web server is prior to 7.6. It is, therefore, affected by the following vulnerabilities :

  - A heap buffer overflow condition exists in OpenSSL in     the EVP_EncodeUpdate() function within file     crypto/evp/encode.c that is triggered when handling     a large amount of input data. An unauthenticated, remote     attacker can exploit this to cause a denial of service     condition. (CVE-2016-2105)

  - A heap buffer overflow condition exists in OpenSSL in     the EVP_EncryptUpdate() function within file     crypto/evp/evp_enc.c that is triggered when handling a     large amount of input data after a previous call occurs     to the same function with a partial block. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2016-2106)

  - Multiple flaws exist OpenSSL in the     aesni_cbc_hmac_sha1_cipher() function in file     crypto/evp/e_aes_cbc_hmac_sha1.c and the     aesni_cbc_hmac_sha256_cipher() function in file     crypto/evp/e_aes_cbc_hmac_sha256.c that are triggered     when the connection uses an AES-CBC cipher and AES-NI     is supported by the server. A man-in-the-middle attacker     can exploit these to conduct a padding oracle attack,     resulting in the ability to decrypt the network traffic.
    (CVE-2016-2107)

  - Multiple unspecified flaws exist in OpenSSL in the d2i     BIO functions when reading ASN.1 data from a BIO due to     invalid encoding causing a large allocation of memory.
    An unauthenticated, remote attacker can exploit these to     cause a denial of service condition through resource     exhaustion. (CVE-2016-2109)

  - A certificate validation bypass vulnerability exists in     cURL and libcurl due to improper validation of TLS     certificates. A man-in-the-middle attacker can exploit     this, via a spoofed certificate that appears valid, to     disclose or manipulate transmitted data. (CVE-2016-3739)

  - An integer overflow condition exists in PHP in the     php_raw_url_encode() function within file     ext/standard/url.c due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to have an unspecified impact.
    (CVE-2016-4070)     
  - A flaw exists in PHP in the php_snmp_error() function     within file ext/snmp/snmp.c that is triggered when     handling format string specifiers. An unauthenticated,     remote attacker can exploit this, via a crafted SNMP     object, to cause a denial of service or to execute     arbitrary code. (CVE-2016-4071)

  - An invalid memory write error exists in PHP when     handling the path of phar file names that allows an     attacker to have an unspecified impact. (CVE-2016-4072)

  - A remote code execution vulnerability exists in PHP in     phar_object.c due to improper handling of zero-length     uncompressed data. An unauthenticated, remote attacker     can exploit this, via a specially crafted TAR, ZIP, or     PHAR file, to cause a denial of service condition or the     execution of arbitrary code. (CVE-2016-4342)

  - A remote code execution vulnerability exists in PHP in     the phar_make_dirstream() function within file     ext/phar/dirstream.c due to improper handling of     ././@LongLink files. An unauthenticated, remote attacker     can exploit this, via a specially crafted TAR file, to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-4343)

  - A cross-site scripting (XSS) vulnerability exists due to     improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit this, via a     specially crafted request, to execute arbitrary script     code in a user's browser session. (CVE-2016-4393)

  - An unspecified HTTP Strict Transport Security (HSTS)     bypass vulnerability exists that allows authenticated,     remote attackers to disclose sensitive information.
    (CVE-2016-4394)

  - A remote code execution vulnerability exists due to an     overflow condition in the mod_smh_config.so library     caused by improper validation of user-supplied input     when parsing the admin-group parameter supplied to the     /proxy/SetSMHData endpoint. An unauthenticated, remote     attacker can exploit this, via a specially crafted     request, to cause a denial of service condition or the     execution of arbitrary code. (CVE-2016-4395)

  - A remote code execution vulnerability exists due to an     overflow condition in the mod_smh_config.so library     caused by improper validation of user-supplied input     when parsing the TKN parameter supplied to the     /Proxy/SSO endpoint. An unauthenticated, remote     attacker can exploit this, via a specially crafted     request, to cause a denial of service condition or the     execution of arbitrary code. (CVE-2016-4396)

  - An out-of-bounds read error exists in PHP in the     php_str2num() function in bcmath.c when handling     negative scales. An unauthenticated, remote attacker can     exploit this, via a crafted call, to cause a denial of     service condition or the disclosure of memory contents.
    (CVE-2016-4537)

  - A flaw exists in PHP the bcpowmod() function in bcmath.c     due to modifying certain data structures without     considering whether they are copies of the _zero_,
    _one_, or _two_ global variables. An unauthenticated,     remote attacker can exploit this, via a crafted call, to     cause a denial of service condition. (CVE-2016-4538)

  - A flaw exists in PHP in the xml_parse_into_struct()     function in xml.c when handling specially crafted XML     contents. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition.
    (CVE-2016-4539)

  - Multiple out-of-bounds read errors exist in PHP within     file ext/intl/grapheme/grapheme_string.c when handling     negative offsets in the zif_grapheme_stripos() and     zif_grapheme_strpos() functions. An unauthenticated,     remote attacker can exploit these issues to cause a     denial of service condition or disclose memory contents.
    (CVE-2016-4540, CVE-2016-4541)

  - A flaw exists in PHP in the exif_process_IFD_TAG()     function in exif.c due to improper construction of     spprintf arguments. An unauthenticated, remote attacker     can exploit this, via crafted header data, to cause an     out-of-bounds read error, resulting in a denial of     service condition or the disclosure of memory contents.
    (CVE-2016-4542)

  - A flaw exists in PHP in the exif_process_IFD_in_JPEG()     function in exif.c due to improper validation of IFD     sizes. An unauthenticated, remote attacker can exploit     this, via crafted header data, to cause an out-of-bounds     read error, resulting in a denial of service condition     or the disclosure of memory contents. (CVE-2016-4543)

  - A man-in-the-middle vulnerability exists, known as     'httpoxy', in the Apache Tomcat, Apache HTTP Server, and     PHP components due to a failure to properly resolve     namespace conflicts in accordance with RFC 3875 section     4.1.18. The HTTP_PROXY environment variable is set based     on untrusted user data in the 'Proxy' header of HTTP     requests. The HTTP_PROXY environment variable is used by     some web client libraries to specify a remote proxy     server. A remote attacker can exploit this, via a     crafted 'Proxy' header in an HTTP request, to redirect     an application's internal HTTP traffic to an arbitrary     proxy server where it may be observed or manipulated.
    (CVE-2016-5385, CVE-2016-5387, CVE-2016-5388)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The following security-related issues were resolved :

Out-of-bounds read in imagescale (CVE-2013-7456)

Integer underflow causing arbitrary null write in fread/gzread (CVE-2016-5096)

The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files, which allows remote attackers to cause a denial of service (uninitialized pointer dereference) or possibly have unspecified other impact via a crafted TAR archive. (CVE-2016-4343)

Integer overflow in php_html_entities() (CVE-2016-5094)

Integer overflow in php_filter_full_special_chars() (CVE-2016-5095)

Out-of-bounds heap read in get_icu_value_internal (CVE-2016-5093)

(Updated 2016-06-15: CVE-2016-5095 was fixed in this version, but was not previously listed in this errata.)

According to its banner, the version of PHP running on the remote web server is 5.5.x prior to 5.5.36. It is, therefore, affected by multiple vulnerabilities :

  - An out-of-bounds read error exists in the
    _gdContributionsCalc() function within file     ext/gd/libgd/gd_interpolation.c. An unauthenticated,     remote attacker can exploit this to disclose sensitive     information or crash the process linked against the     library. (CVE-2013-7456)

  - An uninitialized pointer flaw exists in the     phar_make_dirstream() function within file     ext/phar/dirstream.c due to improper handling of     ././@LongLink files. An unauthenticated, remote attacker     can exploit this, via a specially crafted TAR file, to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-4343)

  - An out-of-bounds read error exists in the     get_icu_value_internal() function within file     ext/intl/locale/locale_methods.c due to improper     handling of user-supplied input. An unauthenticated,     remote attacker can exploit this to disclose sensitive     information or crash the process linked against the     library. (CVE-2016-5093)

  - An integer overflow condition exists in the     php_html_entities() and php_filter_full_special_chars()     functions within file ext/standard/html.c due to     improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit this to     have an unspecified impact. (CVE-2016-5094)

  - An integer underflow condition exists in file     ext/standard/file.c due to improper validation of     user-supplied input. An unauthenticated, remote     attacker can exploit this to cause a NULL write,     resulting in crashing the process linked against the     library. (CVE-2016-5096)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

- CVE-2015-8865 The file_check_mem function in funcs.c in     file before 5.23, as used in the Fileinfo component in     PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before     7.0.5, mishandles continuation-level jumps, which allows     context-dependent attackers to cause a denial of service     (buffer overflow and application crash) or possibly     execute arbitrary code via a crafted magic file.

  - CVE-2015-8866 libxml_disable_entity_loader setting is     shared between threads ext/libxml/libxml.c in PHP before     5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used,     does not isolate each thread from     libxml_disable_entity_loader changes in other threads,     which allows remote attackers to conduct XML External     Entity (XXE) and XML Entity Expansion (XEE) attacks via     a crafted XML document, a related issue to     CVE-2015-5161.

  - CVE-2015-8878 main/php_open_temporary_file.c in PHP     before 5.5.28 and 5.6.x before 5.6.12 does not ensure     thread safety, which allows remote attackers to cause a     denial of service (race condition and heap memory     corruption) by leveraging an application that performs     many temporary-file accesses.

  - CVE-2015-8879 The odbc_bindcols function in     ext/odbc/php_odbc.c in PHP before 5.6.12 mishandles     driver behavior for SQL_WVARCHAR columns, which allows     remote attackers to cause a denial of service     (application crash) in opportunistic circumstances by     leveraging use of the odbc_fetch_array function to     access a certain type of Microsoft SQL Server table.

  - CVE-2016-4070 Integer overflow in the php_raw_url_encode     function in ext/standard/url.c in PHP before 5.5.34,     5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote     attackers to cause a denial of service (application     crash) via a long string to the rawurlencode function.

  - CVE-2016-4071 Format string vulnerability in the     php_snmp_error function in ext/snmp/snmp.c in PHP before     5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows     remote attackers to execute arbitrary code via format     string specifiers in an SNMP::get call.

  - CVE-2016-4072 The Phar extension in PHP before 5.5.34,     5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote     attackers to execute arbitrary code via a crafted     filename, as demonstrated by mishandling of \0     characters by the phar_analyze_path function in     ext/phar/phar.c.

  - CVE-2016-4073 Multiple integer overflows in the     mbfl_strcut function in     ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before     5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow     remote attackers to cause a denial of service     (application crash) or possibly execute arbitrary code     via a crafted mb_strcut call.

  - CVE-2016-4343 The phar_make_dirstream function in     ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before     7.0.3 mishandles zero-size ././@LongLink files, which     allows remote attackers to cause a denial of service     (uninitialized pointer dereference) or possibly have     unspecified other impact via a crafted TAR archive.

  - CVE-2016-4537 The bcpowmod function in     ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before     5.6.21, and 7.x before 7.0.6 accepts a negative integer     for the scale argument, which allows remote attackers to     cause a denial of service or possibly have unspecified     other impact via a crafted call.

  - CVE-2016-4539 The xml_parse_into_struct function in     ext/xml/xml.c in PHP before 5.5.35, 5.6.x before 5.6.21,     and 7.x before 7.0.6 allows remote attackers to cause a     denial of service (buffer under-read and segmentation     fault) or possibly have unspecified other impact via     crafted XML data in the second argument, leading to a     parser level of zero.

  - CVE-2016-4540

  - CVE-2016-4541 The grapheme_strpos function in     ext/intl/grapheme/grapheme_string.c in before 5.5.35,     5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote     attackers to cause a denial of service (out-of-bounds     read) or possibly have unspecified other impact via a     negative offset.

  - CVE-2016-4542

  - CVE-2016-4543

  - CVE-2016-4544 The exif_process_* function in     ext/exif/exif.c in PHP before 5.5.35, 5.6.x before     5.6.21, and 7.x before 7.0.6 does not validate IFD     sizes, which allows remote attackers to cause a denial     of service (out-of-bounds read) or possibly have     unspecified other impact via crafted header data.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The PHP Group reports :

- Core :

- Fixed bug #72114 (Integer underflow / arbitrary null write in fread/gzread). (CVE-2016-5096) (PHP 5.5/5.6 only)

- Fixed bug #72135 (Integer Overflow in php_html_entities).
(CVE-2016-5094) (PHP 5.5/5.6 only)

- GD :

- Fixed bug #72227 (imagescale out-of-bounds read). (CVE-2013-7456)

- Intl :

- Fixed bug #72241 (get_icu_value_internal out-of-bounds read).
(CVE-2016-5093)

- Phar :

- Fixed bug #71331 (Uninitialized pointer in phar_make_dirstream()).
(CVE-2016-4343) (PHP 5.5 only)

It was discovered that the PHP Fileinfo component incorrectly handled certain magic files. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2015-8865)

Hans Jerry Illikainen discovered that the PHP Zip extension incorrectly handled certain malformed Zip archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-3078)

It was discovered that PHP incorrectly handled invalid indexes in the SplDoublyLinkedList class. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS.
(CVE-2016-3132)

It was discovered that the PHP rawurlencode() function incorrectly handled large strings. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-4070)

It was discovered that the PHP php_snmp_error() function incorrectly handled string formatting. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS.
(CVE-2016-4071)

It was discovered that the PHP phar extension incorrectly handled certain filenames in archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS.
(CVE-2016-4072)

It was discovered that the PHP mb_strcut() function incorrectly handled string formatting. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS.
(CVE-2016-4073)

It was discovered that the PHP phar extension incorrectly handled certain archive files. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2016-4342, CVE-2016-4343)

It was discovered that the PHP bcpowmod() function incorrectly handled memory. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2016-4537, CVE-2016-4538)

It was discovered that the PHP XML parser incorrectly handled certain malformed XML data. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-4539)

It was discovered that certain PHP grapheme functions incorrectly handled negative offsets. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service.
(CVE-2016-4540, CVE-2016-4541)

It was discovered that PHP incorrectly handled certain malformed EXIF tags. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2016-4542, CVE-2016-4543, CVE-2016-4544).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for libqt5-qtbase fixes the following issues :

  - boo#865241: disable RC4 based ciphers which are now     considered insecure

The following non-security bugs were fixed :

  - boo#957006: dolphin freeze when opening a folder     containing symlinks to special files

According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.3. It is, therefore, affected by multiple vulnerabilities :

  - The Perl-Compatible Regular Expressions (PCRE) library     is affected by multiple vulnerabilities related to the     handling of regular expressions, subroutine calls, and     binary files. A remote attacker can exploit these to     cause a denial of service, obtain sensitive information,     or have other unspecified impact. (CVE-2015-8383,     CVE-2015-8386, CVE-2015-8387, CVE-2015-8389,     CVE-2015-8390, CVE-2015-8391, CVE-2015-8393,     CVE-2015-8394)

  - A flaw exists in file ext/standard/exec.c in the     escapeshellcmd() and escapeshellarg() functions due to     the program truncating NULL bytes in strings. A remote     attacker can exploit this to bypass restrictions.

  - A flaw exists in file ext/standard/streamsfuncs.c in the     stream_get_meta_data() function due to a failure to     restrict writing user-supplied data to fields not     already set. A remote attacker can exploit this to     falsify the output of the function, resulting in the     insertion of malicious metadata.

  - A type confusion error exists in file ext/wddx/wddx.c in     the php_wddx_pop_element() function when deserializing     WDDX packets. A remote attacker can exploit this to have     an unspecified impact.

  - A flaw exists in file ext/phar/phar_object.c in the     PharFileInfo::getContent() method due to the use of     uninitialized memory causing improper validation of     user-supplied input. A remote attacker can exploit this     to corrupt memory, resulting in a denial of service or     the execution of arbitrary code.

  - A NULL pointer dereference flaw exists in file     ext/phar/tar.c in the phar_tar_setupmetadata() function     when parsing metadata from a crafted TAR file. A remote     attacker can exploit this to cause a denial of service.

  - An integer overflow condition exists in file     ext/standard/iptc.c in the iptcembed() function due to     improper validation of user-supplied input. A remote     attacker can exploit this to cause a heap-based buffer     overflow, resulting in a denial of service or the     execution of arbitrary code.

  - An overflow condition exists in file ext/phar/tar.c in     the phar_parse_tarfile() function due to improper     validation of user-supplied input when decompressing     TAR files. A remote attacker can exploit this to cause     a stack-based buffer overflow, resulting in a denial of     service or the execution of arbitrary code.
    (CVE-2016-2554)

  - An uninitialized pointer flaw exists in the     phar_make_dirstream() function within file     ext/phar/dirstream.c due to improper handling of     ././@LongLink files. An unauthenticated, remote attacker     can exploit this, via a specially crafted TAR file, to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-4343)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.18. It is, therefore, affected by multiple vulnerabilities :

  - The Perl-Compatible Regular Expressions (PCRE) library     is affected by multiple vulnerabilities related to the     handling of regular expressions, subroutine calls, and     binary files. A remote attacker can exploit these to     cause a denial of service, obtain sensitive information,     or have other unspecified impact. (CVE-2015-8383,     CVE-2015-8386, CVE-2015-8387, CVE-2015-8389,     CVE-2015-8390, CVE-2015-8391, CVE-2015-8393,     CVE-2015-8394)

  - A flaw exists in file ext/standard/exec.c in the     escapeshellcmd() and escapeshellarg() functions due to     the program truncating NULL bytes in strings. A remote     attacker can exploit this to bypass restrictions.

  - A flaw exists in file ext/standard/streamsfuncs.c in the     stream_get_meta_data() function due to a failure to     restrict writing user-supplied data to fields not     already set. A remote attacker can exploit this to     falsify the output of the function, resulting in the     insertion of malicious metadata.

  - A type confusion error exists in file ext/wddx/wddx.c in     the php_wddx_pop_element() function when deserializing     WDDX packets. A remote attacker can exploit this to have     an unspecified impact.

  - A flaw exists in file ext/phar/phar_object.c in the     PharFileInfo::getContent() method due to the use of     uninitialized memory causing improper validation of     user-supplied input. A remote attacker can exploit this     to corrupt memory, resulting in a denial of service or     the execution of arbitrary code.

  - A NULL pointer dereference flaw exists in file     ext/phar/tar.c in the phar_tar_setupmetadata() function     when parsing metadata from a crafted TAR file. A remote     attacker can exploit this to cause a denial of service.

  - An integer overflow condition exists in file     ext/standard/iptc.c in the iptcembed() function due to     improper validation of user-supplied input. A remote     attacker can exploit this to cause a heap-based buffer     overflow, resulting in a denial of service or the     execution of arbitrary code.

  - An overflow condition exists in file ext/phar/tar.c in     the phar_parse_tarfile() function due to improper     validation of user-supplied input when decompressing     TAR files. A remote attacker can exploit this to cause     a stack-based buffer overflow, resulting in a denial of     service or the execution of arbitrary code.
    (CVE-2016-2554)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
99915	EulerOS 2.0 SP2 : php (EulerOS-SA-2017-1068)	Nessus	Huawei Local Security Checks	high
99914	EulerOS 2.0 SP1 : php (EulerOS-SA-2017-1067)	Nessus	Huawei Local Security Checks	high
94654	HP System Management Homepage < 7.6 Multiple Vulnerabilities (HPSBMU03653) (httpoxy)	Nessus	Web Servers	high
91466	Amazon Linux AMI : php55 (ALAS-2016-707)	Nessus	Amazon Linux Local Security Checks	high
91441	PHP 5.5.x < 5.5.36 Multiple Vulnerabilities	Nessus	CGI abuses	high
91397	Debian DLA-499-1 : php5 security update	Nessus	Debian Local Security Checks	high
91373	FreeBSD : php -- multiple vulnerabilities (6b110175-246d-11e6-8dd3-002590263bf5)	Nessus	FreeBSD Local Security Checks	high
91320	Ubuntu 12.04 LTS / 14.04 LTS / 15.10 / 16.04 LTS : php5, php7.0 vulnerabilities (USN-2984-1)	Nessus	Ubuntu Local Security Checks	high
89093	openSUSE Security Update : libqt5-qtbase (openSUSE-2016-613)	Nessus	SuSE Local Security Checks	high
88695	PHP 7.0.x < 7.0.3 Multiple Vulnerabilities	Nessus	CGI abuses	critical
88694	PHP 5.6.x < 5.6.18 Multiple Vulnerabilities	Nessus	CGI abuses	critical

CVE-2016-4343

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins