
PHP 5.6.x < 5.6.30 Multiple Vulnerabilities

High

Synopsis

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

Description

Versions of PHP 5.6.x prior to 5.6.30 are affected by multiple vulnerabilities:

- An out-of-bounds read flaw exists in the 'phar_parse_pharfile()' function in 'ext/phar/phar.c' that is triggered when handling phar archives. This may allow a remote attacker to cause a denial of service. (OSVDB 149621)
- A floating point exception flaw exists in the 'exif_convert_any_to_int()' function in 'ext/exif/exif.c' that is triggered when handling TIFF and JPEG image tags. This may allow a remote attacker to cause a crash. (OSVDB 149623)
- An off-by-one overflow condition exists in the 'phar_parse_pharfile()' function in 'ext/phar/phar.c' that is triggered when parsing phar archives. This may allow a remote attacker to cause a limited buffer overflow, resulting in a crash. (OSVDB 149629)
- An out-of-bounds read flaw exists in the 'finish_nested_data()' function in 'ext/standard/var_unserializer.c' that is triggered when handling unserialized data. This may allow a remote attacker to crash a process built with the language or potentially disclose memory contents. (OSVDB 149665)
- An integer overflow condition exists in the 'phar_parse_pharfile()' function in 'ext/phar/phar.c'. The issue is triggered as certain input is not properly validated when handling phar archives. This may allow a context-dependent attacker to crash a process built with the language. (OSVDB 149666)

Solution

Upgrade to PHP version 5.6.30 or later.
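
A banner-based check for the affected range stated above (5.6.x prior to 5.6.30), as an added example that is not part of the original advisory or of any scanner's own code. The function name, result labels and sample banners are constructed for illustration.

```python
import re

# Affected range taken from the advisory: PHP 5.6.x prior to 5.6.30.
FIXED = (5, 6, 30)

# Matches "PHP/5.6.29", "PHP 5.6.29 (cli)", "PHP/5.6.29-0+deb8u1", etc.
_BANNER = re.compile(r"PHP[/ ](\d+)\.(\d+)\.(\d+)([^\s,;)]*)", re.IGNORECASE)


def classify(banner):
    """Return 'affected', 'out-of-range', 'verify-package' or 'unknown'."""
    m = _BANNER.search(banner)
    if not m:
        return "unknown"          # no PHP version exposed (e.g. expose_php = Off)
    # Compare as integer tuples: a string compare would rank "5.6.9" above "5.6.30".
    version = tuple(int(part) for part in m.group(1, 2, 3))
    suffix = m.group(4)
    if version[:2] != FIXED[:2] or version >= FIXED:
        return "out-of-range"     # not in the 5.6.x < 5.6.30 range of this advisory
    if suffix:
        # Assumption: a vendor suffix marks a distribution build, which may carry
        # backported fixes, so confirm against the package changelog instead.
        return "verify-package"
    return "affected"


# Constructed sample banners (HTTP response headers and `php -v` output).
SAMPLES = [
    "X-Powered-By: PHP/5.6.29",
    "X-Powered-By: PHP/5.6.9",
    "PHP 5.6.30 (cli) (built: Jan 19 2017 00:00:00)",
    "Server: Apache/2.4.10 (Debian) PHP/5.6.29-0+deb8u1",
    "X-Powered-By: PHP/7.0.15",
    "Server: nginx",
]


def triage(banners):
    """Map each banner to its classification, preserving input order."""
    return [(banner, classify(banner)) for banner in banners]


if __name__ == "__main__":
    for banner, verdict in triage(SAMPLES):
        print(f"{verdict:15} {banner}")
```

A result of 'unknown' only means the banner did not expose a version; check the installed PHP build directly on the host in that case.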