PHP 5.4.x < 5.4.43 Multiple Vulnerabilities (BACKRONYM)
Critical Nessus Plugin ID 84671
SynopsisThe remote web server uses a version of PHP that is affected by multiple vulnerabilities.
DescriptionAccording to its banner, the version of PHP 5.4.x running on the remote web server is prior to 5.4.43. It is, therefore, affected by multiple vulnerabilities :
- A security feature bypass vulnerability, known as 'BACKRONYM', exists due to a failure to properly enforce the requirement of an SSL/TLS connection when the --ssl client option is used. A man-in-the-middle attacker can exploit this flaw to coerce the client to downgrade to an unencrypted connection, allowing the attacker to disclose data from the database or manipulate database queries. (CVE-2015-3152)
- A flaw in the phar_convert_to_other function in ext/phar/phar_object.c could allow a remote attacker to cause a denial of service. (CVE-2015-5589)
- A Stack-based buffer overflow in the phar_fix_filepath function in ext/phar/phar.c could allow a remote attacker to cause a denial of service. (CVE-2015-5590)
- A flaw exists in the PHP Connector/C component due to a failure to properly enforce the requirement of an SSL/TLS connection when the --ssl client option is used.
A man-in-the-middle attacker can exploit this to downgrade the connection to plain HTTP when HTTPS is expected. (CVE-2015-8838)
- An unspecified flaw exists in the phar_convert_to_other() function in phar_object.c during the conversion of invalid TAR files. An attacker can exploit this flaw to crash a PHP application, resulting in a denial of service condition.
- A flaw exists in the parse_ini_file() and parse_ini_string() functions due to improper handling of strings that contain a line feed followed by an escape character. An attacker can exploit this to crash a PHP application, resulting in a denial of service condition.
- A user-after-free error exists in the object_custom() function in var_unserializer.c due to improper validation of user-supplied input. A remote attacker can exploit this to dereference already freed memory, potentially resulting in the execution of arbitrary code.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
SolutionUpgrade to PHP version 5.4.43 or later.