PHP 7.1.x < 7.1.7 Multiple Vulnerabilities

Critical Web Application Scanning Plugin ID 98864

Synopsis

PHP 7.1.x < 7.1.7 Multiple Vulnerabilities

Description

According to its banner, the version of PHP running on the remote web server is 7.1.x prior to 7.1.7. It is, therefore, affected by the following vulnerabilities :

- An out-of-bounds read error exists in the GD Graphics Library (LibGD) in the gdImageCreateFromGifCtx() function within file gd_gif_in.c when handling a specially crafted GIF file. An unauthenticated, remote attacker can exploit this to disclose sensitive memory contents or crash a process linked
to the library. (CVE-2017-7890)

- An out-of-bounds read error exists in Oniguruma in the match_at() function within file regexec.c. An unauthenticated, remote attacker can exploit this to disclose sensitive memory contents or crash a process linked to the library. (CVE-2017-9224)

- An out-of-bounds write error exists in Oniguruma in the next_state_val() function during regular expression compilation. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-9226)

- An out-of-bounds read error exists in Oniguruma in the mbc_enc_len() function within file utf8.c. An unauthenticated, remote attacker can exploit this to disclose memory contents or crash a process linked to the library. (CVE-2017-9227)

- An out-of-bounds write error exists in Oniguruma in the bitset_set_range() function during regular expression compilation. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-9228)

- An invalid pointer deference flaw exists in Oniguruma in the left_adjust_char_head() function within file regexec.c during regular expression compilation. An unauthenticated, remote attacker can exploit this to crash a process linked to the library, resulting in a denial of service condition. (
CVE-2017-9229)

- A flaw exists in OpenSSL in the EVP_SealInit() function within file crypto/evp/p_seal.c due to returning an undocumented value of '-1'. An unauthenticated, remote attacker can exploit this to cause an unspecified impact. (CVE-2017-11144)

- An out-of-bounds read error exists in PHP in the php_parse_date() function within file ext/date/lib/parse_date.c. An unauthenticated, remote attacker can exploit this to disclose memory contents or cause a denial of service condition. (CVE-2017-11145)

- A use-after-free error exists in PHP in the zval_get_type() function within file ext/standard/var_unserializer.c. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-12934)

- An out-of-bounds read error exists in PHP in the finish_nested_data() function within file ext/standard/var_unserializer.re. An unauthenticated, remote attacker can exploit this to disclose memory contents or cause a denial of service condition. (CVE-2017-12933)

- An off-by-one overflow condition exists in PHP in the INI parsing API, specifically in the zend_ini_do_op() function within file Zend/zend_ini_parser.y, due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition
or the execution of arbitrary code. (CVE-2017-11628)

- A stack-based buffer overflow condition exists in PHP in the msgfmt_parse_message() function due to improper validation of user-supplied input when parsing locale. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-
2017-11362)

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to PHP version 7.1.7 or later.

See Also

http://php.net/ChangeLog-7.php#7.1.7

Plugin Details

Severity: Critical

ID: 98864

Type: remote

Published: 2019/01/09

Updated: 2019/04/10

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3.0

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:2.3:a:php:php:*:*:*:*:*:*:*:*

Exploit Available: true

Patch Publication Date: 2017/07/06

Vulnerability Publication Date: 2017/05/17

Reference Information

CVE: CVE-2017-7890, CVE-2017-9224, CVE-2017-9226, CVE-2017-9227, CVE-2017-9228, CVE-2017-9229, CVE-2017-11144, CVE-2017-11145, CVE-2017-11362, CVE-2017-11628, CVE-2017-12933, CVE-2017-12934

BID: 99492, 99501