PHP 5.6.10 < 5.6.11 Multiple Vulnerabilities (BACKRONYM)

High Nessus Network Monitor Plugin ID 8954

Synopsis

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP 5.6.x running on the remote web server is prior to 5.6.11. It is, therefore, affected by multiple vulnerabilities.
- A security feature bypass vulnerability, known as 'BACKRONYM', exists due to a failure to properly enforce the requirement of an SSL/TLS connection when the --ssl client option is used. A man-in-the-middle attacker can exploit this flaw to coerce the client to downgrade to an unencrypted connection, allowing the attacker to disclose data from the database or manipulate database queries. (CVE-2015-3152)
- A flaw in the phar_convert_to_other function in ext/phar/phar_object.c could allow a remote attacker to cause a denial of service. (CVE-2015-5589)
- A Stack-based buffer overflow in the phar_fix_filepath function in ext/phar/phar.c could allow a remote attacker to cause a denial of service. (CVE-2015-5590)
- A flaw exists in the PHP Connector/C component due to a failure to properly enforce the requirement of an SSL/TLS connection when the --ssl client option is used.
- A man-in-the-middle attacker can exploit this to downgrade the connection to plain HTTP when HTTPS is expected. (CVE-2015-8838)
- A use-after-free error exists in the spl_recursive_it_move_forward_ex() function. An attacker can exploit this to dereference already freed memory, potentially allowing the execution of arbitrary code.
- A use-after-free error exists in the sqlite3SafetyCheckSickOrOk() function. An attacker can exploit this to dereference already freed memory, potentially allowing the execution of arbitrary code.
- The '!' character is not treated as a special character when delayed variable substitution is enabled. The functions escapeshellcmd() and escapeshellarg() are unable to properly sanitize arguments containing '!'.
- An attacker can exploit this to execute arbitrary commands.
- A double-free flaw exists in zend_vm_execute.h due to improper handling of certain code. An attacker can exploit this flaw to crash a PHP application, resulting in a denial of service condition.

Solution

Upgrade to PHP version 5.6.11 or later.

See Also

http://www.php.net/ChangeLog-5.php#5.6.11

https://bugs.php.net/bug.php?id=69970

http://www.securityweek.com/backronym-other-vulnerabilities-patched-php

Plugin Details

Severity: High

ID: 8954

Family: Web Servers

Published: 2015/10/07

Updated: 2019/03/06

Dependencies: 8682

Nessus ID: 84673

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 9.3

Temporal Score: 7.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 8.1

Temporal Score: 7.3

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:php:php

Patch Publication Date: 2015/07/10

Vulnerability Publication Date: 2015/06/30

Reference Information

CVE: CVE-2015-3152, CVE-2015-5589, CVE-2015-5590, CVE-2015-8838