PHP 5.3 < 5.3.6 Multiple Vulnerabilities

High Nessus Plugin ID 52717

Synopsis

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP 5.3.x installed on the remote host is older than 5.3.6.

- A NULL pointer can be dereferenced in the function '_zip_name_locate()' when processing empty archives and can lead to application crashes or code execution.
Exploitation requires the 'ZIPARCHIVE::FL_UNCHANGED' setting to be in use. (CVE-2011-0421)

- A variable casting error exists in the Exif extention, which can allow denial of service attacks when handling crafted 'Image File Directory' (IFD) header values in the PHP function 'exif_read_data()'. Exploitation requires a 64bit system and a config setting 'memory_limit' above 4GB or unlimited. (CVE-2011-0708)

- An integer overflow vulnerability exists in the implementation of the PHP function 'shmop_read()' and can allow arbitrary code execution. (CVE-2011-1092)

- Errors exist in the file 'phar/phar_object.c' in which calls to 'zend_throw_exception_ex()' pass data as a string format parameter. This can lead to memory corruption when handling PHP archives (phar).
(CVE-2011-1153)

- A buffer overflow error exists in the C function 'xbuf_format_converter' when the PHP configuration value for 'precision' is set to a large value and can lead to application crashes. (CVE-2011-1464)

- An integer overflow error exists in the C function 'SdnToJulian()' in the Calendar extension and can lead to application crashes. (CVE-2011-1466)

- An unspecified error exists in the implementation of the PHP function 'numfmt_set_symbol()' and PHP method 'NumberFormatter::setSymbol()' in the Intl extension.
This error can lead to application crashes.
(CVE-2011-1467)

- Multiple memory leaks exist in the OpenSSL extension in the PHP functions 'openssl_encrypt' and 'openssl_decrypt'. (CVE-2011-1468)

- An unspecified error exists in the Streams component when accessing FTP URLs with an HTTP proxy.
(CVE-2011-1469)

- An integer signedness error and an unspecified error exist in the Zip extension and can lead to denial of service via certain ziparchive streams. (CVE-2011-1470, CVE-2011-1471)

- An unspecified error exists in the security enforcement regarding the parsing of the fastcgi protocol with the 'FastCGI Process Manager' (FPM) SAPI.

Solution

Upgrade to PHP 5.3.6 or later.

See Also

https://bugs.php.net/bug.php?id=54193

https://bugs.php.net/bug.php?id=54055

https://bugs.php.net/bug.php?id=53885

https://bugs.php.net/bug.php?id=53574

https://bugs.php.net/bug.php?id=53512

https://bugs.php.net/bug.php?id=54060

https://bugs.php.net/bug.php?id=54061

https://bugs.php.net/bug.php?id=54092

https://bugs.php.net/bug.php?id=53579

https://bugs.php.net/bug.php?id=49072

https://www.openwall.com/lists/oss-security/2011/02/14/1

http://www.php.net/releases/5_3_6.php

http://www.rooibo.com/2011/03/12/integer-overflow-en-php-2/

Plugin Details

Severity: High

ID: 52717

File Name: php_5_3_6.nasl

Version: 1.13

Type: remote

Family: CGI abuses

Published: 2011/03/18

Updated: 2018/11/15

Dependencies: 48243

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:php:php

Required KB Items: www/PHP

Exploit Available: false

Exploit Ease: No exploit is required

Patch Publication Date: 2011/03/17

Vulnerability Publication Date: 2011/02/14

Reference Information

CVE: CVE-2011-0421, CVE-2011-0708, CVE-2011-1092, CVE-2011-1153, CVE-2011-1464, CVE-2011-1466, CVE-2011-1467, CVE-2011-1468, CVE-2011-1469, CVE-2011-1470

BID: 46354, 46365, 46786, 46854

EDB-ID: 16261

Secunia: 43328