http://php.net/ChangeLog-7.php

[oss-security] 20160428 [CVE Requests] PHP issues

https://bugs.php.net/bug.php?id=71637

According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.4. It is, therefore, affected by multiple vulnerabilities :

 - A type confusion error exists in file ext/soap/php_http.c in the make_http_soap_request() function when handling cookie data. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-3185)

 - Multiple integer overflow conditions exist in file ext/xml/xml.c in the xml_utf8_encode functions due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these to cause a heap-based buffer overflow, resulting in a denial of service or the execution of arbitrary code. (CVE-2016-4344)

 - An integer overflow condition exists in the php_filter_encode_url() function due to improper validation of user-supplied input. A remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service or th execution of arbitrary code. (CVE-2016-4345)

 - An overflow condition exists in the xml_utf8_encode functions due to improper validation of user-supplied input. A remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2016-4346)

 - A flaw exists when handling the third call while running function.forward-static-call.php. An unauthenticated, remote attacker can exploit this to cause a denial of service by crashing the interpreter.

 - An integer overflow condition exists in file ext/standard/string.c in the php_implode() function due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service or the execution of arbitrary code.

 - An integer overflow condition exists in file ext/standard/string.c in the zend_string_alloc() function due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to execute arbitrary code.

 - A stack corruption issue exists when handling certain Magento2 commands that allows an unauthenticated, remote attacker to cause a denial of service.

 - A flaw exists in file sapi/cli/php_cli_server.c due to the built-in HTTP server not properly restricting file requests. An unauthenticated, remote attacker can exploit this to access arbitrary files.

 - A use-after-free error exists in Zend Opcache when updating cached directory names that have been cached in the current working directory. An unauthenticated, remote attacker can exploit this to deference already freed memory, resulting in the execution of arbitrary code.

 - A NULL pointer dereference flaw exists in file ext/zip/php_zip.c in the Zip::ExtractTo() method that allows an unauthenticated, remote attacker to cause a denial of service.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The specific version of PHP that the system is running is reportedly affected by the following vulnerabilities:

- PHP contains an integer overflow condition in the php_filter_encode_url() function in ext/filter/sanitizing_filters.c. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-4345)

- PHP contains an integer overflow condition in ext/standard/string.c. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-4346)

Versions of PHP 5.5.x prior to 5.5.37, or 5.6.x prior to 5.6.23, or 7.0.x prior to 7.0.8 are vulnerable to the following issues :

 - PHP 'ext/mysqlnd/mysqlnd.c' contains a flaw that is due to the program failing to properly enforce the requirement of an SSL/TLS connection when the '--ssl client' option is used. This may allow a MitM (Man-in-the-Middle) attacker to downgrade the connection to plain HTTP when expected to be HTTPS. (CVE-2015-8838)
 - An integer overflow condition exists in the 'getFromIndex()'' and 'getFromName()' methods of 'ZipArchive'. The issue is triggered as user-supplied input is not properly validated when handling a specially crafted ZIP file. This may allow an attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-3078)
 - An XXE (Xml eXternal Entity) injection and expansion flaw affects the 'libxml_disable_entity_loader()' function in the source file 'ext/libxml/libxml.c' in PHP-FPM that is triggered during the parsing of XML data. The issue is due to an incorrectly configured XML parser accepting XML external entities from an untrusted source. By sending specially crafted XML data, a remote attacker can gain access to sensitive information or cause a denial of service. (CVE-2015-8866)
 - An integer overflow condition exists in the 'php_filter_encode_url()' function in 'ext/filter/sanitizing_filters.c'. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-4345)
 - An integer overflow condition exists in 'ext/standard/string.c'. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-4346)
 - The program contains an out-of-bounds read flaw in 'ext/intl/grapheme/grapheme_string.c' that is triggered when handling negative offsets in 'zif_grapheme_stripos'. This may allow a remote attacker to crash a process utilizing the language or potentially disclose memory contents. (CVE-2016-4540, CVE-2016-4541)
 - An out-of-bounds read flaw exists in the 'php_str2num()' function in 'ext/bcmath/bcmath.c' that is triggered when accepting negative scales. This may allow a remote attacker to crash a process utilizing the language or potentially disclose memory contents. (CVE-2016-4537, CVE-2016-4538)
 - An out-of-bounds read flaw exists in the 'exif_read_data()' function in 'ext/exif/exif.c' that is triggered when handling exif headers. This may allow a remote attacker to crash a process utilizing the language or potentially disclose memory contents. (CVE-2016-4542, CVE-2016-4543, CVE-2016-4544)
 - A flaw in the 'xml_parse_into_struct()' function in 'ext/xml/xml.c' is triggered during the handling of a specially crafted XML content. This may allow a remote attacker to cause a denial of service. (CVE-2016-4539)
 - A double-free flaw exists in the 'php_formatted_print()' function in 'ext/standard/formatted_print.c'. This may allow an attacker to have an unspecified impact. (CVE-2015-8880)
 - A flaw exists in 'main/php_open_temporary_file.c' that is triggered as thread safety is not ensured during the handling of temporary directories. This may allow a remote attacker to cause a denial of service. (CVE-2015-8878)
 - An integer overflow flaw exists in the 'php_html_entities()' and 'php_filter_full_special_chars()' functions in 'ext/standard/html.c' that is triggered as input is not properly validated. This may allow a remote attacker to have an unspecified impact. No further details have been provided. (CVE-2016-5094, CVE-2016-5095)
 - An integer underflow issue exists in 'ext/standard/file.c' that is triggered as input is not properly validated. This may allow a remote attacker to cause a NULL write and cause a process linked against PHP to crash. (CVE-2016-5096)
 - An out-of-bounds read flaw exists in the '_gdContributionsCalc()' function in 'ext/gd/libgd/gd_interpolation.c'. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2013-7456)
 - An out-of-bounds read flaw exists in the 'get_icu_value_internal()' function within 'ext/intl/locale/locale_methods.c' that is triggered when handling user-supplied input. This may allow a remote attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-5093)
 - A flaw exists that allows a cross-site scripting (XSS) attack. This flaw exists because the 'header()' function does not filter input passed via HTTP headers before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (CVE-2015-8935)
 - A use-after-free error exists in the garbage collection algorithm in 'ext/zip/php_zip.c'. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-5773)
 - An integer overflow condition exists in the 'json_decode()' and 'json_utf8_to_utf16()' functions in 'ext/standard/php_smart_str.h'. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, causing a denial of service in a process linked against PHP or potentially allowing the execution of arbitrary code.
 - An out-of-bounds read flaw exists within the 'pass2_no_dither()' function inside 'ext/gd/libgd/gd_topal.c' that may allow a remote attacker to crash a process utilizing PHP or potentially disclose memory contents.
 - An integer overflow condition exists in 'ext/standard/string.c'. The issue is triggered as user-supplied input is not properly validated when handling string lengths. This may allow a remote attacker to have an unspecified impact.
 - A double-free flaw exists within the '_php_mb_regex_ereg_replace_exec()' function inside 'ext/mbstring/php_mbregex.c' that is triggered when handling a failed callback execution. This may allow a remote attacker to potentially execute arbitrary code. (CVE-2016-5768)
 - An integer overflow condition exists in 'ext/spl/spl_directory.c'. The issue is triggered by an 'int/size_t' confusion issue. This may allow a remote attacker to have an unspecified impact. (CVE-2016-5770)
 - An integer overflow condition exists in 'ext/mcrypt/mcrypt.c'. The issue is triggered as user-supplied input is not properly validated when handling data values. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service in a process linked against PHP or potentially allowing the execution of arbitrary code. (CVE-2016-5769)
 - An integer overflow condition exists within the 'nl2br()' function inside 'ext/standard/string.c'. The issue is triggered as user-supplied input is not properly validated when handling new_length values. This may allow a remote attacker to have an unspecified impact.
 - An integer overflow condition exists within multiple functions in 'ext/standard/string.c'. The issue is triggered as user-supplied input is not properly validated when handling string values. This may allow a remote attacker to have an unspecified impact.
 - A double-free flaw within the 'php_wddx_process_data()' function inside 'ext/wddx/wddx.c' that is triggered during the handling of specially crafted XML content. This may allow a remote attacker to potentially execute arbitrary code. (CVE-2016-5772)
 - An integer overflow condition exists witin the 'gdImagePaletteToTrueColor()' function inside 'ext/gd/libgd/gd.c'. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service in a process linked against PHP or potentially allowing the execution of arbitrary code. (CVE-2016-5767)
 - An invalid free flaw exists within the 'phar_extract_file()' function inside 'ext/phar/phar_object.c'. This may allow a remote attacker to have an unspecified impact. (CVE-2016-4473)
 - An integer overflow condition exists within the '_gd2GetHeader()' function inside 'ext/gd/libgd/gd_gd2.c'. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service in a process linked against PHP or potentially allowing the execution of arbitrary code. (CVE-2016-5766)
 - A use-after-free error exists within the garbage collection algorithm inside 'ext/spl/spl_array.c'. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-5771)

According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.4. It is, therefore, affected by multiple vulnerabilities :

  - A type confusion error exists in file     ext/soap/php_http.c in the make_http_soap_request()     function when handling cookie data. An unauthenticated,     remote attacker can exploit this to execute arbitrary     code. (CVE-2016-3185)

  - Multiple integer overflow conditions exist in file     ext/xml/xml.c in the xml_utf8_encode functions due to     improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit these to     cause a heap-based buffer overflow, resulting in a     denial of service or the execution of arbitrary code.
    (CVE-2016-4344)

  - An integer overflow condition exists in the     php_filter_encode_url() function due to improper     validation of user-supplied input. A remote attacker can     exploit this to cause a heap-based buffer overflow,     resulting in a denial of service or th execution of     arbitrary code. (CVE-2016-4345)

  - An overflow condition exists in the xml_utf8_encode     functions due to improper validation of user-supplied     input. A remote attacker can exploit this to cause a     heap-based buffer overflow, resulting in a denial of     service condition or the execution of arbitrary code.
    (CVE-2016-4346)

  - A flaw exists when handling the third call while running     function.forward-static-call.php. An unauthenticated,     remote attacker can exploit this to cause a denial of     service by crashing the interpreter.

  - An integer overflow condition exists in file     ext/standard/string.c in the php_implode() function due     to improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit this to     cause a heap-based buffer overflow, resulting in a     denial of service or the execution of arbitrary code.

  - An integer overflow condition exists in file     ext/standard/string.c in the zend_string_alloc()     function due to improper validation of user-supplied     input. An unauthenticated, remote attacker can exploit     this to execute arbitrary code.

  - A stack corruption issue exists when handling certain     Magento2 commands that allows an unauthenticated,     remote attacker to cause a denial of service.

  - A flaw exists in file sapi/cli/php_cli_server.c due to     the built-in HTTP server not properly restricting file     requests. An unauthenticated, remote attacker can     exploit this to access arbitrary files.

  - A use-after-free error exists in Zend Opcache when     updating cached directory names that have been cached in     the current working directory. An unauthenticated,     remote attacker can exploit this to deference already     freed memory, resulting in the execution of arbitrary     code.

  - A NULL pointer dereference flaw exists in file     ext/zip/php_zip.c in the Zip::ExtractTo() method that     allows an unauthenticated, remote attacker to cause     a denial of service.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
98850	PHP 7.0.x < 7.0.4 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	high
802029	PHP 7.0.x < 7.0.4 Multiple Vulnerabilities	Log Correlation Engine	Web Servers	critical
9393	PHP 5.5.x < 5.5.37 / 5.6.x < 5.6.23 / 7.0.x < 7.0.8 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
90009	PHP 7.0.x < 7.0.4 Multiple Vulnerabilities	Nessus	CGI abuses	high

CVE-2016-4345

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins