PHP 7.0.x < 7.0.12 Multiple Vulnerabilities

critical Web App Scanning Plugin ID 98836

Synopsis

PHP 7.0.x < 7.0.12 Multiple Vulnerabilities

Description

According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.12. It is, therefore, affected by multiple vulnerabilities:

- A NULL pointer dereference flaw exists in the SimpleXMLElement::asXML() function within file ext/simplexml/simplexml.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition.

- A flaw exists in the openssl_random_pseudo_bytes() function within file ext/openssl/openssl.c when handling strings larger than 2GB. An unauthenticated, remote attacker can exploit this to cause a denial of service condition.

- A flaw exists in the openssl_encrypt() function within file ext/openssl/openssl.c when handling strings larger than 2GB. An unauthenticated, remote attacker can exploit this to cause a denial of service condition.

- A flaw exists in the _bc_new_num_ex() function within file ext/bcmath/libbcmath/src/init.c when handling values passed via the 'scale' parameter. An unauthenticated, remote attacker can exploit this to cause a denial of service condition.

- A flaw exists in the php_resolve_path() function within file main/fopen_wrappers.c when handling negative size values passed via the 'filename' parameter. An unauthenticated, remote attacker can exploit this to cause a denial of service condition.

- A flaw exists in the dom_document_save_html() function within file ext/dom/document.c due to missing NULL checks. An unauthenticated, remote attacker can exploit this to cause a denial of service condition.

- A use-after-free error exists in the unserialize() function that allows an unauthenticated, remote attacker to dereference already freed memory, resulting in the execution of arbitrary code.

- An integer overflow condition exists in the number_format() function within file ext/standard/math.c when handling 'decimals' and 'dec_point' parameter values equal or close to 0x7fffffff. An unauthenticated, remote attacker can exploit this to cause a heap buffer overflow, resulting in a denial of service condition or the execution of arbitrary code.

- A stack-based overflow condition exists in the ResourceBundle::create and ResourceBundle::getLocales methods and their respective functions within file ext/intl/resourcebundle/resourcebundle_class.c due to improper validation of input passed via the 'bundlename' parameter. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code.

- An integer overflow condition exists in the php_pcre_replace_impl() function within file ext/pcre/php_pcre.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code.

- A flaw exists in the php_date_interval_initialize_from_hash() function within file ext/date/php_date.c when deserializing DateInterval objects. An unauthenticated, remote attacker can exploit this to cause an unspecified impact.

- An unspecified flaw exists in the SplObjectStorage::unserialize() function within file ext/spl/spl_observer.c due to allowing the use of non-objects as keys. An unauthenticated, remote attacker can exploit this to cause an unspecified impact.

Note that this software is reportedly affected by other vulnerabilities as well that have not yet been fixed in version 7.0.13.
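An added example, not Tenable's plugin code, of the banner-based check this plugin describes: it extracts a PHP version from a Server or X-Powered-By response header and flags 7.0.x releases below 7.0.12. The header names and sample values are assumptions constructed for illustration.

```python
import re

# Version range this plugin flags: PHP 7.0.x with a patch level below 12.
AFFECTED_MAJOR_MINOR = (7, 0)
FIXED_PATCH = 12

# Matches banners such as "PHP/7.0.11" or "Apache/2.4 PHP/7.0.12-1ubuntu".
_BANNER_RE = re.compile(r"PHP/(\d+)\.(\d+)\.(\d+)")


def parse_php_version(header_value):
    """Return (major, minor, patch) from a header value advertising PHP,
    or None when no PHP version is present. Distro suffixes such as
    '-1ubuntu' are ignored; only the numeric triple is read."""
    match = _BANNER_RE.search(header_value)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def is_affected(header_value):
    """True when the banner advertises 7.0.x with x < 12."""
    version = parse_php_version(header_value)
    if version is None:
        return False
    return version[:2] == AFFECTED_MAJOR_MINOR and version[2] < FIXED_PATCH


def triage(headers):
    """Given a dict of response headers (constructed sample input, not a
    real capture), return (header name, value, affected) for every header
    that carries a PHP banner, so the caller sees which header fired."""
    findings = []
    for name, value in headers.items():
        if parse_php_version(value) is not None:
            findings.append((name, value, is_affected(value)))
    return findings


if __name__ == "__main__":
    # Constructed sample headers for a quick local run.
    sample = {"Server": "Apache/2.4.25 (Debian)", "X-Powered-By": "PHP/7.0.11"}
    for name, value, affected in triage(sample):
        print(f"{name}: {value} -> {'AFFECTED' if affected else 'ok'}")
```

As with the plugin itself, this is a banner check only: a suppressed banner (expose_php=Off) produces no finding, and a distribution that backports fixes without bumping the patch number will still be flagged, so confirm against the installed package before acting.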

Solution

Upgrade to PHP version 7.0.12 or later.

See Also

http://php.net/ChangeLog-7.php#7.0.12

Plugin Details

Severity: Critical

ID: 98836

Type: remote

Published: 1/9/2019

Updated: 3/14/2023

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Critical

Score: 9.0

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Score Source: Tenable

Vulnerability Information

CPE: cpe:2.3:a:php:php:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/13/2016

Vulnerability Publication Date: 10/11/2016

Reference Information