SynopsisThe remote web server uses a version of PHP that is affected by multiple vulnerabilities.
DescriptionAccording to its banner the version of PHP installed on the remote host is earlier than 5.3.3 / 5.2.14. Such version are potentially affected by multiple vulnerabilities :
- An information disclosure vulnerability in var_export() when a fatal error occurs.
- A resource destruction issue in shm_put_var().
- A possible information leak because of an interruption of XOR operator.
- A memory corruption issue caused by an unexpected call-time pass by reference and the following memory clobbering through callbacks.
- A memory corruption issue in ArrayObject::uasort().
- A memory corruption issue in parse_str().
- A memory corruption issue in pack().
- A memory corruption issue in substr_replace().
- A memory corruption issue in addcslashes().
- A stack exhaustion issue in fnmatch().
- A buffer overflow vulnerability in the dechunking filter.
- An arbitrary memory access issue in the sqlite extension.
- A string format validation issue in the phar extension.
- An unspecified issue relating to the handling of session variable serialization on certain prefix characters.
- A NULL pointer dereference issue when processing invalid XML-RPC requests.
- An unserialization issue in SplObjectStorage.
- Buffer overflow vulnerabilities in mysqlnd_list_fields and mysqlnd_change_user.
- Buffer overflows when handling error packets in mysqlnd.
SolutionUpgrade to PHP version 5.2.14, 5.3.3, or later.