
PHP 5.x < 5.2.7 Multiple Vulnerabilities



The remote web server uses a version of PHP that is affected by multiple flaws.


According to its banner, the version of PHP 5.x installed on the remote host is older than 5.2.7. Such versions may be affected by several security issues:

- Missing initialization of 'BG(page_uid)' and 'BG(page_gid)' when PHP is used as an Apache module may allow for bypassing security restrictions due to SAPI 'php_getuid()' overloading.

- Incorrect 'php_value' order for Apache configuration may allow bypassing PHP's 'safe_mode' setting.

- File truncation can occur when calling 'dba_replace()' with an invalid argument.

- The 'ZipArchive::extractTo()' method in the ZipArchive extension fails to filter directory traversal sequences from file names.

- There is a buffer overflow in the bundled PCRE library, fixed in version 7.8. (CVE-2008-2371)

- A buffer overflow in the 'imageloadfont()' function in 'ext/gd/gd.c' can be triggered when a specially crafted font is given. (CVE-2008-3658)

- There is a buffer overflow in PHP's internal function 'memnstr()', which is exposed to userspace as 'explode()'. (CVE-2008-3659)

- When used as a FastCGI module, PHP segfaults when opening a file whose name contains two dots (e.g., 'file..php'). (CVE-2008-3660)

- Multiple directory traversal vulnerabilities in functions such as 'posix_access()', 'chdir()', and 'ftok()' may allow a remote attacker to bypass 'safe_mode' restrictions. (CVE-2008-2665 and CVE-2008-2666)

- A buffer overflow may be triggered when processing long message headers in 'php_imap.c' due to use of an obsolete API call. (CVE-2008-2829)

- A buffer overflow exists in the 'date_from_ISO8601' function within the file 'xmlrpc.c' because user-supplied input is improperly validated. This can be exploited by a remote attacker to cause a denial of service or to execute arbitrary code. (CVE-2014-8626)


Upgrade to version 5.2.7 or higher.
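
Because this finding rests on the version banner alone, the following added example (not the scanner's own plugin code) shows how a defender can triage HTTP response headers against the 5.2.7 threshold. The header names checked, the verdict labels and the sample banners are assumptions made for the illustration; builds with a vendor suffix are marked for review because distributions may backport fixes without changing the upstream version number.

```python
import re

FIXED = (5, 2, 7)  # first unaffected 5.x release, per the advisory
# PHP product token in a Server / X-Powered-By value, e.g. "PHP/5.2.6" or
# "PHP/5.2.4-2ubuntu5.27"; group 4 captures any trailing build suffix.
PHP_TOKEN = re.compile(r"\bPHP/(\d+)\.(\d+)\.(\d+)([^\s,;)]*)", re.I)
PRERELEASE = re.compile(r"-?(rc|dev|alpha|beta)", re.I)
RANK = {"no-banner": 0, "not-affected": 1, "review": 2, "affected": 3}


def php_tokens(headers):
    """Yield ((major, minor, patch), suffix) for each PHP banner token."""
    for name, value in headers.items():
        if name.lower() in ("server", "x-powered-by"):
            for m in PHP_TOKEN.finditer(value):
                yield tuple(int(g) for g in m.groups()[:3]), m.group(4)


def classify(version, suffix):
    """Map one banner token to a verdict for this finding only."""
    pre = bool(PRERELEASE.match(suffix))
    if version[0] != 5:
        return "not-affected"          # other branches are out of scope here
    if version < FIXED:
        # A vendor suffix may mean backported fixes; the banner cannot tell.
        return "affected" if (not suffix or pre) else "review"
    if version == FIXED and pre:
        return "review"                # pre-release of the fixed version
    return "not-affected"


def assess(headers):
    """Return the most severe verdict across all PHP tokens in a response."""
    worst = "no-banner"
    for version, suffix in php_tokens(headers):
        verdict = classify(version, suffix)
        if RANK[verdict] > RANK[worst]:
            worst = verdict
    return worst


# Constructed sample responses (not captured from any real host).
SAMPLES = [
    {"Server": "Apache/2.2.8 (Unix) PHP/5.2.6"},
    {"Server": "Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.27 with Suhosin-Patch"},
    {"X-Powered-By": "PHP/5.2.7RC1"},
    {"Server": "nginx", "X-Powered-By": "PHP/5.2.17"},
]
if __name__ == "__main__":
    for h in SAMPLES:
        print(assess(h), h)
```

A "review" verdict should be resolved against the installed package version and the vendor's changelog rather than the banner.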