PHP 5.6.x < 5.6.26 / 7.0.x < 7.0.11 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 9580

Synopsis

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

Description

Versions of PHP 5.6.x prior to 5.6.26 and 7.0.x prior to 7.0.11 are vulnerable to the following issues :

- An overflow condition exists in the 'msgfmt_format_message()' function in 'common/locid.cpp' that is triggered when handling local strings. This may allow a remote attacker to cause a stack-based buffer overflow, resulting in a crash or potentially allowing the execution of arbitrary code. (OSVDB 144259)
- An overflow condition exists in the 'php_mysqlnd_rowp_read_text_protocol_aux()' function in 'ext/mysqlnd/mysqlnd_wireprotocol.c' that is triggered when handling the BIT field. This may allow a context-dependent or Man-in-the-Middle (MitM) attacker to cause a heap-based buffer overflow, resulting in a crash or potentially allowing the execution of arbitrary code. (OSVDB 144260)
- A use-after-free error exists in the 'wddx_stack_destroy()' function in 'ext/wddx/wddx.c' that is triggered when deserializing 'recordset' elements. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code. (OSVDB 144261)
- An out-of-bounds access flaw exists in the 'phar_parse_zipfile()' function in 'ext/phar/zip.c' that is triggered when handling the uncompressed file size. This may allow a remote attacker to have an unspecified impact. (OSVDB 144262)
- A flaw exists in the 'spl_array_get_dimension_ptr_ptr()' function in 'ext/spl/spl_array.c' that is triggered as types are not properly checked during the unserialization of 'SplArray'. This may allow a remote attacker to cause a crash or potentially have a more severe, unspecified impact. (OSVDB 144263)
- An out-of-bounds access flaw exists in the 'phar_parse_tarfile()' function in 'ext/phar/tar.c' that is triggered during the verification of signatures. This may allow a remote attacker to have an unspecified impact. (OSVDB 144264)
- A flaw is triggered as certain input is not properly validated when destroying deserialized objects. This may allow a remote attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (OSVDB 144268)
- An out-of-bounds read flaw exists in the 'php_wddx_push_element()' function in 'ext/wddx/wddx.c' that may allow a remote attacker to cause a crash or potentially disclose memory contents. (OSVDB 144269)
- An integer overflow flaw exists in the 'fgetcsv()' function. The issue is triggered as certain input is not properly validated when handling CSV field lengths. This may allow a remote attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (OSVDB 144270)
- An integer overflow flaw exists in the 'wordwrap()' function in 'ext/standard/string.c'. The issue is triggered as certain input is not properly validated. This may allow a remote attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (OSVDB 144271)
- An integer overflow flaw exists in the 'fgets()' function in 'ext/standard/file.c'. The issue is triggered as certain input is not properly validated. This may allow a remote attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (OSVDB 144273)
- An integer overflow condition exists in the 'xml_utf8_encode()' function in 'ext/xml/xml.c'. The issue is triggered as certain input is not properly validated. This may allow a remote attacker to have an unspecified impact. (OSVDB 144275)
- A flaw exists in the 'exif_process_IFD_in_TIFF()' function in 'ext/exif/exif.c' that is triggered during the handling of uninitialized thumbnail data. This may allow a remote attacker to disclose the contents of memory. (OSVDB 144287)

Solution

Upgrade to PHP version 7.0.11 or later. If 7.x cannot be obtained, 5.6.26 has also been patched for these vulnerabilities.

See Also

http://www.php.net/ChangeLog-5.php#5.6.26

http://www.php.net/ChangeLog-7.php#7.0.11

Plugin Details

Severity: High

ID: 9580

Family: Web Servers

Published: 2016/09/26

Modified: 2016/09/26

Dependencies: 8682, 9243

Nessus ID: 93656

Risk Information

Risk Factor: High

CVSSv2

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSSv3

Base Score: 7.3

Temporal Score: 6.9

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:php:php

Patch Publication Date: 2016/09/13

Vulnerability Publication Date: 2016/09/13

Reference Information

CVE: CVE-2016-7411, CVE-2016-7412, CVE-2016-7413, CVE-2016-7414, CVE-2016-7415, CVE-2016-7416, CVE-2016-7417, CVE-2016-7418

BID: 93004, 93005, 93006, 93007, 93008, 93009, 93011