PHP 5.3.x < 5.3.14 / 5.4.x < 5.4.4 Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 9097


The remote web server uses a version of PHP that is affected by multiple vulnerabilities.


Versions of PHP 5.3.x prior to 5.3.14, or 5.4.x prior to 5.4.4 are affected by the following vulnerabilities :

- An integer overflow error exists in the function 'phar_parse_tarfile' in the file 'ext/phar/tar.c'. This error can lead to a heap-based buffer overflow when handling a maliciously crafted TAR file. Arbitrary code execution is possible due to this error. (CVE-2012-2386)
- A weakness exists in the 'crypt' function related to the DES implementation that can allow brute-force attacks. (CVE-2012-2143)
- Several design errors exist involving the incorrect parsing of PHP PDO prepared statements could lead to disclosure of sensitive information or denial of service. (CVE-2012-3450)
- A variable initialization error exists in the file 'ext/openssl/openssl.c' that can allow process memory contents to be disclosed when input data is of length zero. (CVE-2012-6113)


Apply the vendor patch or upgrade to PHP version 5.4.4 or later. If 5.4.x cannot be installed, 5.3.14 is also patched for these vulnerabilities.

See Also

Plugin Details

Severity: High

ID: 9097

Family: Web Servers

Published: 2/25/2016

Updated: 3/6/2019

Nessus ID: 59529, 59530

Risk Information


Risk Factor: Medium

Score: 6.7


Risk Factor: High

Base Score: 8.5

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C


Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:X

Vulnerability Information

CPE: cpe:/a:php:php

Patch Publication Date: 6/14/2012

Vulnerability Publication Date: 4/21/2011

Reference Information

CVE: CVE-2012-2143, CVE-2012-2386, CVE-2012-3450, CVE-2012-6113

BID: 53729, 47545, 54777, 57462