PHP 5.6.x < 5.6.26 / 7.0.x < 7.0.11 Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 9580
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

Description

Versions of PHP 5.6.x prior to 5.6.26 and 7.0.x prior to 7.0.11 are vulnerable to the following issues :

- An overflow condition exists in the 'msgfmt_format_message()' function in 'common/locid.cpp' that is triggered when handling local strings. This may allow a remote attacker to cause a stack-based buffer overflow, resulting in a crash or potentially allowing the execution of arbitrary code.
- An overflow condition exists in the 'php_mysqlnd_rowp_read_text_protocol_aux()' function in 'ext/mysqlnd/mysqlnd_wireprotocol.c' that is triggered when handling the BIT field. This may allow a context-dependent or Man-in-the-Middle (MitM) attacker to cause a heap-based buffer overflow, resulting in a crash or potentially allowing the execution of arbitrary code.
- A use-after-free error exists in the 'wddx_stack_destroy()' function in 'ext/wddx/wddx.c' that is triggered when deserializing 'recordset' elements. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code.
- An out-of-bounds access flaw exists in the 'phar_parse_zipfile()' function in 'ext/phar/zip.c' that is triggered when handling the uncompressed file size. This may allow a remote attacker to have an unspecified impact.
- A flaw exists in the 'spl_array_get_dimension_ptr_ptr()' function in 'ext/spl/spl_array.c' that is triggered as types are not properly checked during the unserialization of 'SplArray'. This may allow a remote attacker to cause a crash or potentially have a more severe, unspecified impact.
- An out-of-bounds access flaw exists in the 'phar_parse_tarfile()' function in 'ext/phar/tar.c' that is triggered during the verification of signatures. This may allow a remote attacker to have an unspecified impact.
- A flaw is triggered as certain input is not properly validated when destroying deserialized objects. This may allow a remote attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code.
- An out-of-bounds read flaw exists in the 'php_wddx_push_element()' function in 'ext/wddx/wddx.c' that may allow a remote attacker to cause a crash or potentially disclose memory contents.
- An integer overflow flaw exists in the 'fgetcsv()' function. The issue is triggered as certain input is not properly validated when handling CSV field lengths. This may allow a remote attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code.
- An integer overflow flaw exists in the 'wordwrap()' function in 'ext/standard/string.c'. The issue is triggered as certain input is not properly validated. This may allow a remote attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code.
- An integer overflow flaw exists in the 'fgets()' function in 'ext/standard/file.c'. The issue is triggered as certain input is not properly validated. This may allow a remote attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code.
- An integer overflow condition exists in the 'xml_utf8_encode()' function in 'ext/xml/xml.c'. The issue is triggered as certain input is not properly validated. This may allow a remote attacker to have an unspecified impact.
- A flaw exists in the 'exif_process_IFD_in_TIFF()' function in 'ext/exif/exif.c' that is triggered during the handling of uninitialized thumbnail data. This may allow a remote attacker to disclose the contents of memory.

Solution

Upgrade to PHP version 7.0.11 or later. If 7.x cannot be obtained, 5.6.26 has also been patched for these vulnerabilities.

See Also

http://www.php.net/ChangeLog-5.php#5.6.26

http://www.php.net/ChangeLog-7.php#7.0.11

Plugin Details

Severity: High

ID: 9580

Family: Web Servers

Published: 9/26/2016

Updated: 3/6/2019

Dependencies: 8682, 9243

Nessus ID: 93656

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:2.3:a:php:php:*:*:*:*:*:*:*:*

Patch Publication Date: 9/13/2016

Vulnerability Publication Date: 9/13/2016

Reference Information

CVE: CVE-2016-7411, CVE-2016-7412, CVE-2016-7413, CVE-2016-7414, CVE-2016-7416, CVE-2016-7417, CVE-2016-7418, CVE-2016-7415

BID: 93005, 93006, 93004, 93008, 93007, 93011, 93009