PHP 7.0.x < 7.0.15 Multiple Vulnerabilities

critical Web Application Scanning Plugin ID 98839
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

PHP 7.0.x < 7.0.15 Multiple Vulnerabilities

Description

According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.15. It is, therefore, affected by the following vulnerabilities :

- A remote code execution vulnerability exists due to a use-after-free error in the unserialize() function that is triggered when using DateInterval input. An unauthenticated, remote attacker can exploit this to dereference already freed memory, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-2787)

- A use-after-free error exists that is triggered when handling unserialized object properties. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary code. (CVE-2016-7479)

- An integer overflow condition exists in the _zend_hash_init() function in zend_hash.c due to improper validation of unserialized objects. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-5340)

- A floating pointer exception flaw exists in the exif_convert_any_to_int() function in exif.c that is triggered when handling TIFF and JPEG image tags. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition. (CVE-2016-10158)

- An integer overflow condition exists in the phar_parse_pharfile() function in phar.c due to improper validation when handling phar archives. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition. (CVE-2016-10159)

- An off-by-one overflow condition exists in the phar_parse_pharfile() function in phar.c due to improper parsing of phar archives. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition. (CVE-2016-10160)

- An out-of-bounds read error exists in the finish_nested_data() function in var_unserializer.c due to improper validation of unserialized data. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition or the disclosure of memory contents. (CVE-2016-10161)

- A NULL pointer dereference flaw exists in the php_wddx_pop_element() function in wddx.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition. (CVE-2016-10162)

- An signed integer overflow condition exists in gd_io.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to have an unspecified impact.

- A type confusion flaw exists that is triggered during the deserialization of specially crafted GMP objects. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition.

- A type confusion error exists that is triggered when deserializing ZVAL objects. An unauthenticated, remote attacker can exploit this to execute arbitrary code.

- An out-of-bounds read error exists in the phar_parse_pharfile() function in phar.c due to improper parsing of phar archives. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition.

- A denial of service vulnerability exists in the bundled GD Graphics Library (LibGD) in the gdImageCreateFromGd2Ctx() function in gd_gd2.c due to improper validation of images. An unauthenticated, remote attacker can exploit this, via a specially crafted image, to crash the process.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to PHP version 7.0.15 or later.

See Also

http://php.net/ChangeLog-7.php#7.0.15

Plugin Details

Severity: Critical

ID: 98839

Type: remote

Published: 1/9/2019

Updated: 9/7/2021

Scan Template: api, scan, pci

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:2.3:a:php:php:*:*:*:*:*:*:*:*

Exploit Ease: No known exploits are available

Patch Publication Date: 3/30/2015

Vulnerability Publication Date: 3/30/2015

Reference Information

CVE: CVE-2015-2787, CVE-2016-7479, CVE-2017-5340, CVE-2016-10158, CVE-2016-10159, CVE-2016-10160, CVE-2016-10161, CVE-2016-10162, CVE-2016-10168, CVE-2017-11147, CVE-2016-10167, CVE-2016-10168