PHP 5.5.x < 5.5.34 / 5.6.x < 5.6.20 / 7.0.x < 7.0.5 Multiple Vulnerabilities

Critical Nessus Network Monitor Plugin ID 9171

Synopsis

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

Description

PHP versions 5.5.x prior to 5.5.34, 5.6.x prior to 5.6.20, and 7.0.x prior to 7.0.5 are vulnerable to the following issues:

- A format string flaw exists in the 'php_snmp_error()' function in 'ext/snmp/snmp.c'. The issue is triggered because format string specifiers (e.g. %s and %x) are not properly used. With a specially crafted SNMP object, a remote attacker can cause a denial of service or potentially execute arbitrary code. (OSVDB 136483)
- An invalid memory write is triggered when handling the path of phar filenames. This may allow a remote attacker to have an unspecified impact. (OSVDB 136484)
- A flaw exists in the 'mbfl_strcut()' function in 'ext/mbstring/libmbfl/mbfl/mbfilter.c'. This issue is triggered when handling negative sz values. This may allow a remote attacker to cause a crash. (OSVDB 136485)
- An integer overflow condition exists in the 'php_raw_url_encode()' function in 'ext/standard/url.c'. The issue is triggered because user-supplied input is not properly validated. This may allow a remote attacker to have an unspecified impact. (OSVDB 136486)

Solution

Upgrade to PHP version 7.0.5 or later. If 7.x cannot be obtained, 5.6.20 and 5.5.34 are also patched for these vulnerabilities.
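
A banner triage check for the fixed releases listed above, as an added example that is not part of the plugin or the original page. The function names, status labels and sample banners are assumptions made here. A packaging suffix on an old version number is reported separately, because distribution builds can carry backported fixes without changing the upstream version.

```python
import re

# Fixed release per affected branch, taken from the advisory text above.
FIXED = {(5, 5): 34, (5, 6): 20, (7, 0): 5}

# PHP token as it appears in Server / X-Powered-By header values,
# e.g. "PHP/5.6.19" or "PHP/5.6.19-0+deb8u1" (optional packaging suffix).
PHP_TOKEN = re.compile(r"PHP/(\d+)\.(\d+)\.(\d+)([-+~][^\s,;)]*)?")


def classify(header_value):
    """Return (status, version) for one header value (hypothetical helper).

    status is one of: 'vulnerable', 'verify-backport', 'patched',
    'out-of-scope' (branch not listed by this advisory), 'no-php-version'.
    """
    m = PHP_TOKEN.search(header_value)
    if not m:
        return ("no-php-version", None)
    major, minor, patch = (int(g) for g in m.groups()[:3])
    version = f"{major}.{minor}.{patch}"
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return ("out-of-scope", version)
    if patch >= fixed_patch:
        return ("patched", version)
    # Old upstream number plus a packaging suffix: confirm against the
    # vendor changelog before treating the host as vulnerable.
    if m.group(4):
        return ("verify-backport", version)
    return ("vulnerable", version)


# Constructed sample header values, not captured traffic.
SAMPLES = [
    "PHP/5.5.33",
    "Apache/2.4.10 (Debian) PHP/5.6.19-0+deb8u1",
    "PHP/7.0.5",
    "PHP/5.4.45",
    "Apache/2.4.18 (Ubuntu)",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        status, version = classify(banner)
        print(f"{status:16} {version or '-':8} {banner}")
```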

See Also

http://www.php.net/ChangeLog-5.php#5.5.34

http://www.php.net/ChangeLog-5.php#5.6.20

http://www.php.net/ChangeLog-7.php#7.0.5

Plugin Details

Severity: Critical

ID: 9171

Family: Web Servers

Published: 2016/04/08

Modified: 2016/04/08

Dependencies: 8682, 9243

Risk Information

Risk Factor: Critical

CVSSv2

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSSv3

Base Score: 9.8

Temporal Score: 9.3

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:php:php

Patch Publication Date: 2016/03/31

Vulnerability Publication Date: 2016/03/29