Synopsis
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP 5.5.x in use on the remote web server is prior to 5.5.15. It is, therefore, affected by the following vulnerabilities:
- A use-after-free error exists in the file 'ext/spl/spl_dllist.c' related to the Standard PHP Library (SPL). Using a specially crafted iterator, an attacker could cause a denial of service condition or other unspecified impacts. (CVE-2014-4670)
- A use-after-free error exists in the file 'ext/spl/spl_array.c' related to the Standard PHP Library (SPL). This could allow an attacker, using 'ArrayObjects' or 'ArrayIterator', to cause a denial of service condition or other unspecified impacts.
- The function 'sapi_cli_server_send_headers' in the file 'sapi/cli/php_cli_server.c' contains an error that does not properly handle an empty 'header' parameter and could allow denial of service attacks. Note that this issue affects only the built-in command line development server.
Note that Nessus has not attempted to exploit these issues, but has instead relied only on the application's self-reported version number.
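When triaging this finding, the banner-only version check described in the note above can be reproduced as follows. This is an added example, not Nessus plugin code: the function name, status labels and sample banners are constructed, and it assumes the version appears as a PHP/x.y.z token in a Server or X-Powered-By header value. Versions with a distribution suffix are returned as "verify", on the assumption that a packager may have backported fixes without changing the upstream version number.

```python
import re

FIXED_PATCH = 15  # advisory: PHP 5.5.x prior to 5.5.15 is affected

# Matches "PHP/5.5.14", "PHP/5.5.9-1ubuntu4.29", "PHP/5.5.15RC1"
PHP_TOKEN = re.compile(r"PHP/(\d+)\.(\d+)\.(\d+)([^\s,;()]*)")
PRERELEASE = re.compile(r"-?(rc|alpha|beta|dev)", re.IGNORECASE)


def classify_banner(header_value):
    """Classify one Server / X-Powered-By header value.

    Returns (status, version) where status is one of:
      no-php-version  no PHP/x.y.z token in the banner
      out-of-scope    PHP is present but not on the 5.5.x branch
      affected        5.5.x below 5.5.15 with no packaging suffix
      verify          banner alone cannot decide (distro build or pre-release)
      fixed           5.5.15 or later
    """
    m = PHP_TOKEN.search(header_value)
    if m is None:
        return ("no-php-version", None)
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    suffix = m.group(4)
    version = "%d.%d.%d%s" % (major, minor, patch, suffix)
    if (major, minor) != (5, 5):
        return ("out-of-scope", version)
    prerelease = PRERELEASE.match(suffix) is not None
    if patch > FIXED_PATCH:
        return ("fixed", version)
    if patch == FIXED_PATCH:
        # A release candidate of 5.5.15 is not the final 5.5.15 release.
        return ("verify" if prerelease else "fixed", version)
    if suffix and not prerelease:
        # e.g. "-1ubuntu4.29": check the package changelog for the CVE.
        return ("verify", version)
    return ("affected", version)


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    samples = [
        "PHP/5.5.14",
        "Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.29 OpenSSL/1.0.1f",
        "PHP/5.5.15",
        "nginx",
    ]
    for banner in samples:
        print(classify_banner(banner), "<-", banner)
```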
Solution
Upgrade to PHP version 5.5.15 or later.