PHP 5.4.x < 5.4.40 / 5.5.x < 5.5.24 / 5.6.x < 5.6.8 Multiple Vulnerabilities
High Nessus Network Monitor Plugin ID 8784
SynopsisThe remote web server uses a version of PHP that is affected by multiple vulnerabilities.
DescriptionVersions of PHP 5.4.x earlier than 5.4.40, 5.5.x earlier than 5.5.24, or 5.6.x earlier than 5.6.8 are exposed to the following issues :
- An out-of-bounds read overflow error exists in the function 'GetCode_()' in file 'gd_gif_in.c' that allows denial of service attacks or disclosure of memory contents. (CVE-2014-9709)
- A use-after-free error exists in the OPcache extension in the '_zend_shared_memdup()' function within the file 'zend_shared_alloc.c'. A remote attacker can exploit this to cause a denial of service or possibly have other unspecified impact. (CVE-2015-1351)
- The function 'build_tablename()' in file 'pgsql.c' in the PostgreSQL extension does not properly validate token extraction for table names. A remote attacker, using a crafted name, can exploit this to cause a NULL pointer deference, leading to a denial of service. (CVE-2015-1352)
- A use-after-free error exists in the function 'phar_rename_archive()' in file 'phar_object.c'. A remote attacker, by attempting to rename a phar archive to an already existing file name, can exploit this to cause a denial of service. (CVE-2015-2301)
- A buffer read overflow error exists in the Phar component due to user-supplied input not being validated properly when handling phar parsing during 'unserialize()' function calls. An attacker can exploit this to execute arbitrary code or cause a denial of service. (CVE-2015-2783)
- A buffer overflow flaw exists in the 'phar_set_inode()' function in file 'phar_internal.h' when handling archive files, such as tar, zip, or phar files. A remote attacker can exploit this to execute arbitrary code or cause a denial of service. (CVE-2015-3329)
- A flaw exists in the Apache2handler SAPI component, when handling pipelined HTTP requests, that a remote attacker can exploit to execute arbitrary code. (CVE-2015-3330)
- An information disclosure vulnerability exists because of a type confusion error. Specifically, this issue occurs when the 'unserialize()' function is used with SoapFault object's '__toString()' function. An attacker can exploit this issue to leak arbitrary memory blocks.
- A flaw exists in the 'phar_parse_metadata()' function in 'ext/phar/phar.c'. The issue is triggered as user-supplied input is not properly validated when parsing a specially crafted TAR file. This may allow a remote attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2015-3307)
- A type confusion flaw exists in the '__toString()' method in 'incomplete_class.c' that may allow a context-dependent attacker to leak arbitrary memory blocks or potentially cause a denial of service. (CVE-2015-4602)
- Multiple unspecified issues exist in '/soap/php_http.c' and '/soap/php_encoding.c'. This may allow an attacker to have an unspecified impact. (CVE-2015-4601)
- A denial of service vulnerability affects Fine Free File, a common component used in PHP known as 'file'. Specifically, this issue affects the source file 'libmagic/softmagic.c' because it fails to properly handle offsets that exceed 'bytecnt' or vice versa. (CVE-2015-4605)
SolutionApply the vendor patch or upgrade to PHP version 5.6.8 or later. If 5.6.x cannot be installed, 5.4.40 and 5.5.24 are also patched for these vulnerabilities.