PHP 5.5.x < 5.5.27 Multiple Vulnerabilities (BACKRONYM)

Medium Nessus Plugin ID 84672

Synopsis

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP 5.5.x running on the remote web server is prior to 5.5.27. It is, therefore, affected by multiple vulnerabilities :

- A security feature bypass vulnerability, known as 'BACKRONYM', exists due to a failure to properly enforce the requirement of an SSL/TLS connection when the --ssl client option is used. A man-in-the-middle attacker can exploit this flaw to coerce the client to downgrade to an unencrypted connection, allowing the attacker to disclose data from the database or manipulate database queries. (CVE-2015-3152)

- A flaw exists in the PHP Connector/C component due to a failure to properly enforce the requirement of an SSL/TLS connection when the --ssl client option is used.
A man-in-the-middle attacker can exploit this to downgrade the connection to plain HTTP when HTTPS is expected. (CVE-2015-8838)

- An unspecified flaw exists in the phar_convert_to_other() function in phar_object.c during the conversion of invalid TAR files. An attacker can exploit this flaw to crash a PHP application, resulting in a denial of service condition. (VulnDB 124239)

- The '!' character is not treated as a special character when delayed variable substitution is enabled. The functions escapeshellcmd() and escapeshellarg() are unable to properly sanitize arguments containing '!'.
An attacker can exploit this to execute arbitrary commands. (VulnDB 124412)

- A double-free flaw exists in zend_vm_execute.h due to improper handling of certain code. An attacker can exploit this flaw to crash a PHP application, resulting in a denial of service condition. (VulnDB 124413)

- A flaw exists in the parse_ini_file() and parse_ini_string() functions due to improper handling of strings that contain a line feed followed by an escape character. An attacker can exploit this to crash a PHP application, resulting in a denial of service condition.
(VulnDB 124414)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to PHP version 5.5.27 or later.

See Also

http://php.net/ChangeLog-5.php#5.5.27

http://backronym.fail/

Plugin Details

Severity: Medium

ID: 84672

File Name: php_5_5_27.nasl

Version: 1.15

Type: remote

Family: CGI abuses

Published: 2015/07/10

Modified: 2018/09/17

Dependencies: 48243

Risk Information

Risk Factor: Medium

CVSS Score Source: CVE-2015-8838

CVSS v2.0

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:php:php

Required KB Items: www/PHP

Exploit Available: false

Exploit Ease: No exploit is required

Patch Publication Date: 2015/07/10

Vulnerability Publication Date: 2013/12/03

Reference Information

CVE: CVE-2015-3152, CVE-2015-8838

BID: 74398