According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.23 or 7.1.x prior to 7.1.9, therefore, affected by a heap user after free vulnerability when unserializing invalid array size.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.23. It is, therefore, affected by a heap-based buffer overflow condition exists in the ext/standard/var_unserializer.re script due to improper use of the hash API for key deletion. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-201709-21 (PHP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in PHP. Please review the       referenced CVE identifiers for details.
  Impact :

    A remote attacker could execute arbitrary code with the privileges of       the process or cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

Several vulnerabilities were found in PHP, a widely-used open source general purpose scripting language :

  - CVE-2017-11144     Denial of service in openssl extension due to incorrect     return value check of OpenSSL sealing function

  - CVE-2017-11145     Out-of-bounds read in wddx_deserialize()

  - CVE-2017-11628     Buffer overflow in PHP INI parsing API

  - CVE-2017-12932 / CVE-2017-12934     Use-after-frees during unserialisation

  - CVE-2017-12933     Buffer overread in finish_nested_data()

  - CVE-2017-16642     Out-of-bounds read in timelib_meridian()

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:2519 advisory.

    PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

    The following packages have been upgraded to a later upstream version: rh-php71-php (7.1.30). (BZ#1631672)

    Security Fix(es):

    * gd: Unsigned integer underflow _gdContributionsAlloc() (CVE-2016-10166)

    * php: Out of bounds access in php_pcre.c:php_pcre_replace_impl() (CVE-2017-9118)

    * php: Integer overflow in mysqli_api.c:mysqli_real_escape_string() (CVE-2017-9120)

    * php: Heap use after free in ext/standard/var_unserializer.re (CVE-2017-12932)

    * php: Reflected XSS in .phar 404 page (CVE-2018-5712)

    * php: Stack-based buffer under-read in php_stream_url_wrap_http_ex() in http_fopen_wrapper.c when parsing     HTTP response (CVE-2018-7584)

    * php: Infinite loop in ext/iconv/iconv.c when using stream filter with convert.incov on invalid sequence     leads to denial-of-service (CVE-2018-10546)

    * php: Reflected XSS vulnerability on PHAR 403 and 404 error pages (CVE-2018-10547)

    * php: NULL pointer dereference due to mishandling of ldap_get_dn return value allows DoS via malicious     LDAP server reply (CVE-2018-10548)

    * php: Mishandled http_header_value in an atoi() call in http_fopen_wrapper.c (CVE-2018-14884)

    * php: Cross-site scripting (XSS) flaw in Apache2 component via body of 'Transfer-Encoding: chunked'     request (CVE-2018-17082)

    * gd: Heap based buffer overflow in gdImageColorMatch() in gd_color_match.c (CVE-2019-6977)

    * php: Invalid memory access in function xmlrpc_decode() (CVE-2019-9020)

    * php: File rename across filesystems may allow unwanted access during processing (CVE-2019-9637)

    * php: Uninitialized read in exif_process_IFD_in_MAKERNOTE (CVE-2019-9638)

    * php: Uninitialized read in exif_process_IFD_in_MAKERNOTE (CVE-2019-9639)

    * php: Invalid read in exif_process_SOFn() (CVE-2019-9640)

    * php: Out-of-bounds read due to integer overflow in iconv_mime_decode_headers() (CVE-2019-11039)

    * php: Buffer over-read in exif_read_data() (CVE-2019-11040)

    * php: Out-of-bound read in timelib_meridian() (CVE-2017-16642)

    * gd: Infinite loop in gdImageCreateFromGifCtx() in gd_gif_in.c (CVE-2018-5711)

    * php: Dumpable FPM child processes allow bypassing opcache access controls (CVE-2018-10545)

    * php: Out-of-bounds read in ext/exif/exif.c:exif_read_data() when reading crafted JPEG data     (CVE-2018-10549)

    * php: exif: Buffer over-read in exif_process_IFD_in_MAKERNOTE() (CVE-2018-14851)

    * php: Buffer over-read in PHAR reading functions (CVE-2018-20783)

    * php: Heap-based buffer over-read in PHAR reading functions (CVE-2019-9021)

    * php: memcpy with negative length via crafted DNS response (CVE-2019-9022)

    * php: Heap-based buffer over-read in mbstring regular expression functions (CVE-2019-9023)

    * php: Out-of-bounds read in base64_decode_xmlrpc in ext/xmlrpc/libxmlrpc/base64.c (CVE-2019-9024)

    * php: Heap buffer overflow in function exif_process_IFD_TAG() (CVE-2019-11034)

    * php: Heap buffer overflow in function exif_iif_add_value() (CVE-2019-11035)

    * php: Buffer over-read in exif_process_IFD_TAG() leading to information disclosure (CVE-2019-11036)

    * gd: Information disclosure in gdImageCreateFromXbm() (CVE-2019-11038)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP running on the remote web server is 7.1.x prior to 7.1.9. It is, therefore, affected by a heap-based buffer overflow condition exists in the ext/standard/var_unserializer.re script due to improper use of the hash API for key deletion. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:1296 advisory.

    PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

    The following packages have been upgraded to a later upstream version: rh-php70-php (7.0.27). (BZ#1518843)

    Security Fix(es):

    * php: Heap overflow in mysqlnd when not receiving UNSIGNED_FLAG in BIT field (CVE-2016-7412)

    * php: Use after free in wddx_deserialize (CVE-2016-7413)

    * php: Out of bounds heap read when verifying signature of zip phar in phar_parse_zipfile (CVE-2016-7414)

    * php: Stack based buffer overflow in msgfmt_format_message (CVE-2016-7416)

    * php: Missing type check when unserializing SplArray (CVE-2016-7417)

    * php: Null pointer dereference in php_wddx_push_element (CVE-2016-7418)

    * php: Use-after-free vulnerability when resizing the 'properties' hash table of a serialized object     (CVE-2016-7479)

    * php: Invalid read when wddx decodes empty boolean element (CVE-2016-9935)

    * php: Use After Free in unserialize() (CVE-2016-9936)

    * php: Wrong calculation in exif_convert_any_to_int function (CVE-2016-10158)

    * php: Integer overflow in phar_parse_pharfile (CVE-2016-10159)

    * php: Off-by-one error in phar_parse_pharfile when loading crafted phar archive (CVE-2016-10160)

    * php: Out-of-bounds heap read on unserialize in finish_nested_data() (CVE-2016-10161)

    * php: Null pointer dereference when unserializing PHP object (CVE-2016-10162)

    * gd: DoS vulnerability in gdImageCreateFromGd2Ctx() (CVE-2016-10167)

    * gd: Integer overflow in gd_io.c (CVE-2016-10168)

    * php: Use of uninitialized memory in unserialize() (CVE-2017-5340)

    * php: Buffer over-read from unitialized data in gdImageCreateFromGifCtx function (CVE-2017-7890)

    * oniguruma: Out-of-bounds stack read in match_at() during regular expression searching (CVE-2017-9224)

    * oniguruma: Heap buffer overflow in next_state_val() during regular expression compilation     (CVE-2017-9226)

    * oniguruma: Out-of-bounds stack read in mbc_enc_len() during regular expression searching (CVE-2017-9227)

    * oniguruma: Out-of-bounds heap write in bitset_set_range() (CVE-2017-9228)

    * oniguruma: Invalid pointer dereference in left_adjust_char_head() (CVE-2017-9229)

    * php: Incorrect WDDX deserialization of boolean parameters leads to DoS (CVE-2017-11143)

    * php: Incorrect return value check of OpenSSL sealing function leads to crash (CVE-2017-11144)

    * php: Out-of-bounds read in phar_parse_pharfile (CVE-2017-11147)

    * php: Stack-based buffer over-read in msgfmt_parse_message function (CVE-2017-11362)

    * php: Stack based 1-byte buffer over-write in zend_ini_do_op() function Zend/zend_ini_parser.c     (CVE-2017-11628)

    * php: heap use after free in ext/standard/var_unserializer.re (CVE-2017-12932)

    * php: heap use after free in ext/standard/var_unserializer.re (CVE-2017-12934)

    * php: reflected XSS in .phar 404 page (CVE-2018-5712)

    * php, gd: Stack overflow in gdImageFillToBorder on truecolor images (CVE-2016-9933)

    * php: NULL Pointer Dereference in WDDX Packet Deserialization with PDORow (CVE-2016-9934)

    * php: wddx_deserialize() heap out-of-bound read via php_parse_date() (CVE-2017-11145)

    * php: buffer over-read in finish_nested_data function (CVE-2017-12933)

    * php: Out-of-bound read in timelib_meridian() (CVE-2017-16642)

    * php: Denial of Service (DoS) via infinite loop in libgd gdImageCreateFromGifCtx function in     ext/gd/libgd/gd_gif_in.c (CVE-2018-5711)

    For more details about the security issue(s), including the impact, a CVSS score, and other related     information, refer to the CVE page(s) listed in the References section.

    Additional Changes:

    For details, see the Red Hat Software Collections 3.1 Release Notes linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This update for php7 fixes several issues.

These security issues were fixed :

  - CVE-2017-12932: Prevent heap use after free while     unserializing untrusted data, related to improper use of     the hash API for key deletion in a situation with an     invalid array size. Exploitation of this issue could     have had an unspecified impact on the integrity of PHP     (bsc#1054432).

  - CVE-2017-12934: Prevent heap use after free while     unserializing untrusted data, related to the     zval_get_type function in Zend/zend_types.h.
    Exploitation of this issue could have had an unspecified     impact on the integrity of PHP (bsc#1054408).

  - CVE-2017-12933: The finish_nested_data function in     ext/standard/var_unserializer.re was prone to a buffer     over-read while unserializing untrusted data.
    Exploitation of this issue could have had an unspecified     impact on the integrity of PHP (bsc#1054430)

These non-security issues were fixed :

  - bsc#1057104: php7-devel now requires php7-pear

  - bsc#1057845: Fixed namespace encapsulation of imported     classes/functions/constants

This update was imported from the SUSE:SLE-12:Update update project.

This update for php7 fixes several issues. These security issues were fixed :

  - CVE-2017-12932: Prevent heap use after free while     unserializing untrusted data, related to improper use of     the hash API for key deletion in a situation with an     invalid array size. Exploitation of this issue could     have had an unspecified impact on the integrity of PHP     (bsc#1054432).

  - CVE-2017-12934: Prevent heap use after free while     unserializing untrusted data, related to the     zval_get_type function in Zend/zend_types.h.
    Exploitation of this issue could have had an unspecified     impact on the integrity of PHP (bsc#1054408).

  - CVE-2017-12933: The finish_nested_data function in     ext/standard/var_unserializer.re was prone to a buffer     over-read while unserializing untrusted data.
    Exploitation of this issue could have had an unspecified     impact on the integrity of PHP (bsc#1054430)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Published	Updated	Severity
98877	PHP 7.1.x < 7.1.9 Heap User After Free Vulnerability	Web App Scanning	Component Vulnerability	1/31/2019	3/14/2023	critical
98876	PHP 7.0.x < 7.0.23 Heap User After Free Vulnerability	Web App Scanning	Component Vulnerability	1/31/2019	3/14/2023	critical
122544	PHP 7.2.x < 7.2.0 Heap-based Buffer Overflow Vulnerability	Nessus	CGI abuses	3/1/2019	5/26/2025	critical
103449	GLSA-201709-21 : PHP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	9/25/2017	1/11/2021	critical
105663	Debian DSA-4080-1 : php7.0 - security update	Nessus	Debian Local Security Checks	1/9/2018	4/5/2019	critical
194152	RHEL 7 : rh-php71-php (RHSA-2019:2519)	Nessus	Red Hat Local Security Checks	4/28/2024	11/6/2024	critical
122543	PHP 7.1.x < 7.1.9 Heap-based Buffer Overflow Vulnerability	Nessus	CGI abuses	3/1/2019	5/26/2025	critical
122539	PHP 7.0.x < 7.0.23 Heap-based Buffer Overflow Vulnerability	Nessus	CGI abuses	3/1/2019	5/26/2025	critical
194027	RHEL 6 / 7 : rh-php70-php (RHSA-2018:1296)	Nessus	Red Hat Local Security Checks	4/27/2024	4/15/2025	critical
103286	openSUSE Security Update : php7 (openSUSE-2017-1061)	Nessus	SuSE Local Security Checks	9/18/2017	1/19/2021	critical
120006	SUSE SLES12 Security Update : php7 (SUSE-SU-2017:2468-1)	Nessus	SuSE Local Security Checks	1/2/2019	7/11/2024	critical

Detections

Analytics

Plugins Search

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical