
PHP < 5.2.14 / 5.3.x < 5.3.3 Multiple Vulnerabilities

High

Synopsis

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

Description

Versions of PHP prior to 5.2.14, or 5.3.x prior to 5.3.3, are affected by the following vulnerabilities:

- An information disclosure vulnerability in 'var_export()' when a fatal error occurs.
- A resource destruction issue in 'shm_put_var()'.
- A possible information leak caused by interruption of the XOR operator.
- A memory corruption issue caused by an unexpected call-time pass-by-reference and subsequent memory clobbering through callbacks.
- A memory corruption issue in 'ArrayObject::uasort()'.
- A memory corruption issue in 'parse_str()'.
- A memory corruption issue in 'pack()'.
- A memory corruption issue in 'substr_replace()'.
- A memory corruption issue in 'addcslashes()'.
- A stack exhaustion issue in 'fnmatch()'.
- A buffer overflow vulnerability in the dechunking filter.
- An arbitrary memory access issue in the sqlite extension.
- A string format validation issue in the phar extension.
- An unspecified issue in the handling of session variable serialization for certain prefix characters.
- A NULL pointer dereference when processing invalid XML-RPC requests.
- An unserialization issue in 'SplObjectStorage'.
- Buffer overflow vulnerabilities in 'mysqlnd_list_fields' and 'mysqlnd_change_user'.
- Buffer overflows when handling error packets in mysqlnd.
- A flaw in the 'sqlite_single_query()' and 'sqlite_array_query()' functions in the 'ext/sqlite/sqlite.c' source file. Specifically, the 'rres' resource is not properly initialized before use, which can trigger a double-free condition when an empty query reaches the 'real_result_dtor()' function.

Solution

Upgrade to PHP version 5.2.14, 5.3.3, or later.
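The affected range above (any version below 5.2.14, or a 5.3.x release below 5.3.3) is the kind of rule a version-based check applies to a PHP banner such as an 'X-Powered-By' or 'Server' header. The following is an added example, not code from this page or from the scanner vendor: it parses the version out of a banner and decides whether it falls in the affected range, treating pre-releases of the fixed versions (for example 5.3.3RC2) as still affected. The host names and banner strings are constructed sample data, and the function names are my own.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed versions named in the Solution section.
FIXED_52 = (5, 2, 14)   # fix for the 5.2 branch and everything older
FIXED_53 = (5, 3, 3)    # fix for the 5.3 branch

# Only match a version that is explicitly labelled as PHP: a bare "2.2.15"
# in "Server: Apache/2.2.15 (CentOS) PHP/5.3.2" belongs to Apache, not PHP.
# The optional trailing group captures a pre-release tag (RC1, alpha2, beta,
# dev); a distro suffix such as "-1ubuntu9" is deliberately not captured.
_PHP_VERSION_RE = re.compile(
    r"PHP/(\d+)\.(\d+)\.(\d+)(?:-?(rc\d*|alpha\d*|beta\d*|dev))?", re.IGNORECASE
)

Version = Tuple[int, int, int, Optional[str]]


def parse_php_version(banner: str) -> Optional[Version]:
    """Return (major, minor, patch, prerelease) from a banner, or None if no PHP version is present."""
    m = _PHP_VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch, m.group(4))


def _older_than_fix(ver: Version, fix: Tuple[int, int, int]) -> bool:
    """True if ver predates the fixed release; a pre-release of the fix itself still counts as older."""
    core = ver[:3]
    if core < fix:
        return True
    return core == fix and ver[3] is not None


def is_affected(banner: str) -> Optional[bool]:
    """Apply the advisory's range: < 5.2.14, or 5.3.x < 5.3.3. None means no PHP version could be read."""
    ver = parse_php_version(banner)
    if ver is None:
        return None
    major, minor = ver[0], ver[1]
    if major == 5 and minor == 3:
        return _older_than_fix(ver, FIXED_53)
    if (major, minor) < (5, 3):          # 5.2.x and every older branch
        return _older_than_fix(ver, FIXED_52)
    return False                          # 5.4 and later are outside the advisory


# Constructed sample banners (hypothetical hosts, not real scan output).
SAMPLE_BANNERS = {
    "web01": "X-Powered-By: PHP/5.2.13",
    "web02": "Server: Apache/2.2.15 (CentOS) PHP/5.3.2",
    "web03": "X-Powered-By: PHP/5.3.3RC2",
    "web04": "X-Powered-By: PHP/5.3.3-1ubuntu9",
    "web05": "X-Powered-By: PHP/5.2.14",
    "web06": "Server: nginx/0.8.54",
}


def triage(banners: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Map each host to True (affected), False (not affected) or None (version unknown)."""
    return {host: is_affected(banner) for host, banner in banners.items()}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_BANNERS).items():
        label = {True: "AFFECTED", False: "not affected", None: "no PHP version in banner"}[verdict]
        print(f"{host}: {label}")
```

Two caveats apply to any banner-based check like this one. Distributions such as Debian and Red Hat backport security fixes without changing the version string, so a "5.3.2" banner on a patched distro package is a false positive until confirmed against the package changelog. Conversely, 'expose_php = Off' removes the header entirely (the "None" case above), which is a reason to confirm the installed version on the host rather than treat a missing banner as safe.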