PHP 5.6.x < 5.6.14 Multiple Vulnerabilities
Severity: High | Web Application Scanning Plugin ID 98806
Synopsis
PHP 5.6.x < 5.6.14 Multiple Vulnerabilities
Description
According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.14. It is, therefore, affected by multiple vulnerabilities:
- A NULL pointer dereference flaw exists in the phar_get_fp_offset() function in ext/phar/util.c that is triggered when pointing to a non-existent file. An unauthenticated, remote attacker can exploit this to cause a denial of service condition.
- An uninitialized pointer flaw exists in the phar_make_dirstream() function in ext/phar/dirstream.c that is triggered when handling a zip entry filename that is a single forward slash. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or to disclose
Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to PHP version 5.6.14 or later.
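The plugin's check is purely banner-based, as the note above says. The following is an added example (not Tenable's plugin code) that reproduces that logic in Python: it extracts the advertised PHP version from constructed X-Powered-By / Server header values and flags any 5.6.x build below 5.6.14. Because it trusts the self-reported version, a distribution build that backported the fix but still advertises an older number (e.g. a constructed "PHP/5.6.9-1ubuntu4") is still flagged, which is exactly the limitation the plugin description points out.

```python
import re

# Affected range from the advisory: any 5.6.x build before 5.6.14.
BRANCH = (5, 6)
FIXED_VERSION = (5, 6, 14)

# Matches "PHP/5.6.9", "PHP/5.6.12-4", "PHP/7.0.0" etc. in a header value.
_BANNER_RE = re.compile(r"PHP/(\d+)\.(\d+)\.(\d+)")


def parse_php_version(header_value):
    """Return (major, minor, patch) from a banner such as 'PHP/5.6.9' or
    'Apache/2.4.7 (Ubuntu) PHP/5.6.12-4'. Returns None when no PHP version
    is advertised (for example when expose_php is Off)."""
    m = _BANNER_RE.search(header_value)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_affected(header_value):
    """True when the banner claims a 5.6.x release older than 5.6.14.
    Other branches (5.5.x, 7.x) are outside the scope of this check."""
    version = parse_php_version(header_value)
    if version is None or version[:2] != BRANCH:
        return False
    return version < FIXED_VERSION


def check_headers(headers):
    """Look at the headers a PHP host typically advertises itself in and
    return (affected, version) for the first one carrying a PHP banner."""
    for name in ("X-Powered-By", "Server"):
        value = headers.get(name, "")
        version = parse_php_version(value)
        if version is not None:
            return is_affected(value), version
    return False, None


# Constructed sample response headers, not captured from a real host.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.7 (Ubuntu)",
    "X-Powered-By": "PHP/5.6.9",
}

if __name__ == "__main__":
    print(check_headers(SAMPLE_HEADERS))  # (True, (5, 6, 9))
```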