PHP 7.0.x < 7.0.10 Multiple Vulnerabilities

critical Nessus Plugin ID 93078

Synopsis

The version of PHP running on the remote web server is affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.10. It is, therefore, affected by multiple vulnerabilities :

- An unspecified flaw exists in the object_common2() function in var_unserializer.c that occurs when handling objects during deserialization. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-7124)

- An unspecified flaw exists in session.c that occurs when handling session names. An unauthenticated, remote attacker can exploit this to inject arbitrary data into sessions. (CVE-2016-7125)

- An integer truncation flaw exists in the select_colors() function in gd_topal.c that is triggered when handling the number of colors. An unauthenticated, remote attacker can exploit to cause a heap-based buffer overflow, resulting in the execution of arbitrary code.
(CVE-2016-7126)

- An indexing flaw exists in the imagegammacorrect() function in gd.c that occurs when handling negative gamma values. An unauthenticated, remote attacker can exploit this to write a NULL to an arbitrary memory location, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2016-7127)

- A flaw exists in the exif_process_IFD_in_TIFF() function in exif.c that occurs when handling TIFF image content.
An unauthenticated, remote attacker can exploit this to disclose memory contents. (CVE-2016-7128)

- A flaw exists in the php_wddx_process_data() function in wddx.c that occurs when deserializing invalid dateTime values. An unauthenticated, remote attacker can exploit this to cause a denial of service condition.
(CVE-2016-7129)

- A NULL pointer dereference flaw exists in the php_wddx_pop_element() function in wddx.c that is triggered during the handling of Base64 binary values.
An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-7130)

- A NULL pointer dereference flaw exists in the php_wddx_deserialize_ex() function in wddx.c that occurs during the handling of invalid XML content. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-7131)

- An unspecified NULL pointer dereference flaw exists in the php_wddx_pop_element() function in wddx.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-7132)

- An integer overflow condition exists in the zend_mm_realloc_heap() function in zend_alloc.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a buffer overflow, resulting in a denial of service condition or the execution of arbitrary code.
(CVE-2016-7133)

- An overflow condition exists in the curl_escape() function in interface.c due to improper handling of overly long strings. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2016-7134)

Solution

Upgrade to PHP version 7.0.10 or later.

See Also

http://php.net/ChangeLog-7.php#7.0.10

Plugin Details

Severity: Critical

ID: 93078

File Name: php_7_0_10.nasl

Version: 1.13

Type: remote

Family: CGI abuses

Published: 8/23/2016

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2016-7134

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:php:php

Required KB Items: www/PHP

Exploit Ease: No known exploits are available

Patch Publication Date: 8/18/2016

Vulnerability Publication Date: 8/3/2016

Reference Information

CVE: CVE-2016-7124, CVE-2016-7125, CVE-2016-7126, CVE-2016-7127, CVE-2016-7128, CVE-2016-7129, CVE-2016-7130, CVE-2016-7131, CVE-2016-7132, CVE-2016-7133, CVE-2016-7134

BID: 92552, 92564, 92755, 92756, 92757, 92758, 92764, 92765, 92766, 92767, 92768