PHP < 4.4.9 Multiple Vulnerabilities
High Nessus Plugin ID 33849
SynopsisThe remote web server uses a version of PHP that is affected by multiple issues.
DescriptionAccording to its banner, the version of PHP installed on the remote host is older than 4.4.9. Such versions may be affected by several security issues :
- There are unspecified issues in the bundled PCRE library fixed by version 7.7.
- A buffer overflow in the 'imageloadfont()' function in 'ext/gd/gd.c' can be triggered when a specially crafted font is given. (CVE-2008-3658)
- A buffer overflow exists in the internal 'memnstr()' function, which is exposed to userspace as 'explode()'.
- A denial of service vulnerability exists when a filename contains 2 dots. (CVE-2008-3660)
- An 'open_basedir' handling issue in the curl extension.
- 'mbstring.func_overload' set in '.htaccess' becomes global. (CVE-2009-0754)
Note that the release announcement states this will be the last release for the PHP 4.4 series.
SolutionUpgrade to PHP version 4.4.9 or later.