According to its banner, the version of PHP running on the remote web server is 7.1.x prior to 7.1.1. It is, therefore, affected by the following vulnerabilities :

  - A use-after-free error exists that is triggered when     handling unserialized object properties. An     unauthenticated, remote attacker can exploit this, via a     specially crafted request, to execute arbitrary code.
    (CVE-2016-7479)

  - An integer overflow condition exists in the
    _zend_hash_init() function in zend_hash.c due to     improper validation of unserialized objects. An     unauthenticated, remote attacker can exploit this to     execute arbitrary code. (CVE-2017-5340)

  - A floating pointer exception flaw exists in the     exif_convert_any_to_int() function in exif.c that is     triggered when handling TIFF and JPEG image tags. An     unauthenticated, remote attacker can exploit this to     cause a crash, resulting in a denial of service     condition. (CVE-2016-10158)

  - An out-of-bounds read error exists in the     finish_nested_data() function in var_unserializer.c due     to improper validation of unserialized data. An     unauthenticated, remote attacker can exploit this to     cause a crash, resulting in a denial of service     condition or the disclosure of memory contents.
    (CVE-2016-10161)

  - A NULL pointer dereference flaw exists in the     php_wddx_pop_element() function in wddx.c due to     improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit this to     cause a crash, resulting in a denial of service     condition. (CVE-2016-10162)

  - An signed integer overflow condition exists in gd_io.c     due to improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit this to     have an unspecified impact.

  - A denial of service vulnerability exists in the bundled     GD Graphics Library (LibGD) in the     gdImageCreateFromGd2Ctx() function in gd_gd2.c due to     improper validation of images. An unauthenticated,     remote attacker can exploit this, via a specially     crafted image, to crash the process. (CVE-2016-10167)

   - An integer overflow condition exists in the gd_io.c      script of the GD Graphics Library (libgd). An      unauthenticated, remote attacker can exploit this to      cause a denial of service condition or the execution of      arbitrary code. (CVE-2016-10168)

  - An out-of-bounds read error exists in the     phar_parse_pharfile() function in phar.c due to improper     parsing of phar archives. An unauthenticated, remote     attacker can exploit this to cause a crash, resulting in     a denial of service condition. (CVE-2017-11147)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

PHP 7.1.x < 7.1.1 Multiple Vulnerabilities

critical Nessus Plugin ID 96801

Version 1.14