Vulnerabilities > CVE-2014-9425

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
php
apple
nessus

Summary

Double free vulnerability in the zend_ts_hash_graceful_destroy function in zend_ts_hash.c in the Zend Engine in PHP through 5.5.20 and 5.6.x through 5.6.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.

Vulnerable Configurations

Part Description Count
Application
Php
708
OS
Apple
94

Nessus

  • NASL familyCGI abuses
    NASL idPHP_5_6_5.NASL
    descriptionAccording to its banner, the version of PHP 5.6.x installed on the remote host is prior to 5.6.5. It is, therefore, affected by multiple vulnerabilities: - A double free vulnerability in the zend_ts_hash_graceful_destroy function in zend_ts_hash.c in the Zend Engine could allow a remote attacker to cause a denial of service. (CVE-2014-9425) - An out-of-bounds read flaw in file
    last seen2020-06-01
    modified2020-06-02
    plugin id81082
    published2015-01-29
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81082
    titlePHP 5.6.x < 5.6.5 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(81082);
      script_version("1.18");
      script_cvs_date("Date: 2019/03/27 13:17:50");
    
      script_cve_id(
        "CVE-2014-9425",
        "CVE-2014-9427",
        "CVE-2014-9652",
        "CVE-2014-9709",
        "CVE-2015-0231",
        "CVE-2015-0232"
      );
      script_bugtraq_id(
        71800,
        71833,
        72505,
        72539,
        72541,
        73306
      );
    
      script_name(english:"PHP 5.6.x < 5.6.5 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of PHP.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server uses a version of PHP that is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its banner, the version of PHP 5.6.x installed on the
    remote host is prior to 5.6.5. It is, therefore, affected by multiple
    vulnerabilities:
    
      - A double free vulnerability in the
        zend_ts_hash_graceful_destroy function in
        zend_ts_hash.c in the Zend Engine could allow a remote
        attacker to cause a denial of service. (CVE-2014-9425)
    
      - An out-of-bounds read flaw in file 'cgi_main.c' exists
        when nmap is used to process an invalid file that begins
        with a hash character (#) but lacks a newline character.
        A remote attacker, using a specially crafted PHP file,
        can exploit this vulnerability to disclose memory
        contents, cause a denial of service, or possibly execute
        code. (CVE-2014-9427)
    
      - The mconvert function in softmagic.c does not properly
        handle a certain string-length field during a copy of a
        truncated version of a Pascal string, which could allow
        a remote attacker to cause a denial of service.
        (CVE-2014-9652)
    
      - An out-of-bounds read issue exists in the GetCode_()
        function in 'gd_gif_in.c'. This allows a remote attacker
        to disclose memory contents. (CVE-2014-9709)
    
      - A use-after-free memory error exists in the
        process_nested_data() function in 'var_unserializer.re'
        due to improper handling of duplicate numerical keys
        within the serialized properties of an object. A remote
        attacker, using a crafted unserialize method call, can
        exploit this vulnerability to execute arbitrary code.
        (CVE-2015-0231)
    
      - A flaw exists in the exif_process_unicode() function in
        'exif.c' that allows freeing an uninitialized pointer. A
        remote attacker, using specially crafted EXIF data in a
        JPEG image, can exploit this to cause a denial of
        service or to execute arbitrary code. (CVE-2015-0232)
    
    Note that Nessus has not attempted to exploit these issues but has
    instead relied only on the application's self-reported version number.");
      script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-5.php#5.6.5");
      script_set_attribute(attribute:"see_also", value:"https://bugs.php.net/bug.php?id=68618");
      script_set_attribute(attribute:"see_also", value:"https://bugs.php.net/bug.php?id=68710");
      script_set_attribute(attribute:"see_also", value:"https://bugs.php.net/bug.php?id=68799");
      script_set_attribute(attribute:"solution", value:"Upgrade to PHP version 5.6.5 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-0231");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/12/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/01/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/29");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("php_version.nasl");
      script_require_keys("www/PHP");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("webapp_func.inc");
    
    port = get_http_port(default:80, php:TRUE);
    
    php = get_php_from_kb(
      port : port,
      exit_on_fail : TRUE
    );
    
    version = php["ver"];
    source = php["src"];
    
    backported = get_kb_item('www/php/'+port+'/'+version+'/backported');
    
    if (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install");
    
    # Check that it is the correct version of PHP
    if (version =~ "^5(\.6)?$") audit(AUDIT_VER_NOT_GRANULAR, "PHP", port, version);
    if (version !~ "^5\.6\.") audit(AUDIT_NOT_DETECT, "PHP version 5.6.x", port);
    
    if (version =~ "^5\.6\.[0-4]$")
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Version source    : '+source +
          '\n  Installed version : '+version +
          '\n  Fixed version     : 5.6.5' +
          '\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
      exit(0);
    }
    else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2015-1218.NASL
    descriptionFrom Red Hat Security Advisory 2015:1218 : Updated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. (CVE-2015-4024) An uninitialized pointer use flaw was found in PHP
    last seen2020-06-01
    modified2020-06-02
    plugin id84659
    published2015-07-13
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84659
    titleOracle Linux 6 : php (ELSA-2015-1218)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20150709_PHP_ON_SL6_X.NASL
    descriptionA flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. (CVE-2015-4024) An uninitialized pointer use flaw was found in PHP
    last seen2020-03-18
    modified2015-07-13
    plugin id84661
    published2015-07-13
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84661
    titleScientific Linux Security Update : php on SL6.x i386/x86_64 (20150709)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_10_11.NASL
    descriptionThe remote host is running a version of Mac OS X that is 10.6.8 or later but prior to 10.11. It is, therefore, affected by multiple vulnerabilities in the following components : - Address Book - AirScan - apache_mod_php - Apple Online Store Kit - AppleEvents - Audio - bash - Certificate Trust Policy - CFNetwork Cookies - CFNetwork FTPProtocol - CFNetwork HTTPProtocol - CFNetwork Proxies - CFNetwork SSL - CoreCrypto - CoreText - Dev Tools - Disk Images - dyld - EFI - Finder - Game Center - Heimdal - ICU - Install Framework Legacy - Intel Graphics Driver - IOAudioFamily - IOGraphics - IOHIDFamily - IOStorageFamily - Kernel - libc - libpthread - libxpc - Login Window - lukemftpd - Mail - Multipeer Connectivity - NetworkExtension - Notes - OpenSSH - OpenSSL - procmail - remote_cmds - removefile - Ruby - Safari - Safari Downloads - Safari Extensions - Safari Safe Browsing - Security - SMB - SQLite - Telephony - Terminal - tidy - Time Machine - WebKit - WebKit CSS - WebKit JavaScript Bindings - WebKit Page Loading - WebKit Plug-ins Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen2020-06-01
    modified2020-06-02
    plugin id86270
    published2015-10-05
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/86270
    titleMac OS X < 10.11 Multiple Vulnerabilities (GHOST)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2015-080.NASL
    descriptionMultiple vulnerabilities has been discovered and corrected in php : It was discovered that the file utility contains a flaw in the handling of indirect magic rules in the libmagic library, which leads to an infinite recursion when trying to determine the file type of certain files (CVE-2014-1943). A flaw was found in the way the file utility determined the type of Portable Executable (PE) format files, the executable format used on Windows. A malicious PE file could cause the file utility to crash or, potentially, execute arbitrary code (CVE-2014-2270). The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters (CVE-2013-7345). PHP FPM in PHP versions before 5.4.28 and 5.5.12 uses a UNIX domain socket with world-writable permissions by default, which allows any local user to connect to it and execute PHP scripts as the apache user (CVE-2014-0185). A flaw was found in the way file
    last seen2020-06-01
    modified2020-06-02
    plugin id82333
    published2015-03-30
    reporterThis script is Copyright (C) 2015-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82333
    titleMandriva Linux Security Advisory : php (MDVSA-2015:080)
  • NASL familyCGI abuses
    NASL idPHP_5_5_21.NASL
    descriptionAccording to its banner, the version of PHP 5.5.x installed on the remote host is prior to 5.5.21. It is, therefore, affected by multiple vulnerabilities: - A double free vulnerability in the zend_ts_hash_graceful_destroy function in zend_ts_hash.c in the Zend Engine could allow a remote attacker to cause a denial of service. (CVE-2014-9425) - An out-of-bounds read flaw in file
    last seen2020-06-01
    modified2020-06-02
    plugin id81081
    published2015-01-29
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81081
    titlePHP 5.5.x < 5.5.21 Multiple Vulnerabilities
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201503-03.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201503-03 (PHP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details. Impact : A remote attacker can leverage these vulnerabilities to execute arbitrary code or cause Denial of Service. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id81688
    published2015-03-09
    reporterThis script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81688
    titleGLSA-201503-03 : PHP: Multiple vulnerabilities
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-1218.NASL
    descriptionUpdated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. (CVE-2015-4024) An uninitialized pointer use flaw was found in PHP
    last seen2020-06-01
    modified2020-06-02
    plugin id84660
    published2015-07-13
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84660
    titleRHEL 6 : php (RHSA-2015:1218)
  • NASL familyJunos Local Security Checks
    NASL idJUNIPER_JSA10804.NASL
    descriptionAccording to its self-reported version number and configuration, the remote Juniper Junos device is affected by multiple vulnerabilities in the included PHP version : - An unspecified flaw exists in the SQLite extension that allows an unauthenticated, remote attacker to bypass the
    last seen2020-06-01
    modified2020-06-02
    plugin id102079
    published2017-07-31
    reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/102079
    titleJuniper Junos PHP multiple vulnerabilities (JSA10804)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2015-1218.NASL
    descriptionUpdated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. (CVE-2015-4024) An uninitialized pointer use flaw was found in PHP
    last seen2020-06-01
    modified2020-06-02
    plugin id84648
    published2015-07-13
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84648
    titleCentOS 6 : php (CESA-2015:1218)

Redhat

advisories
rhsa
idRHSA-2015:1218
rpms
  • php-0:5.3.3-46.el6_6
  • php-bcmath-0:5.3.3-46.el6_6
  • php-cli-0:5.3.3-46.el6_6
  • php-common-0:5.3.3-46.el6_6
  • php-dba-0:5.3.3-46.el6_6
  • php-debuginfo-0:5.3.3-46.el6_6
  • php-devel-0:5.3.3-46.el6_6
  • php-embedded-0:5.3.3-46.el6_6
  • php-enchant-0:5.3.3-46.el6_6
  • php-fpm-0:5.3.3-46.el6_6
  • php-gd-0:5.3.3-46.el6_6
  • php-imap-0:5.3.3-46.el6_6
  • php-intl-0:5.3.3-46.el6_6
  • php-ldap-0:5.3.3-46.el6_6
  • php-mbstring-0:5.3.3-46.el6_6
  • php-mysql-0:5.3.3-46.el6_6
  • php-odbc-0:5.3.3-46.el6_6
  • php-pdo-0:5.3.3-46.el6_6
  • php-pgsql-0:5.3.3-46.el6_6
  • php-process-0:5.3.3-46.el6_6
  • php-pspell-0:5.3.3-46.el6_6
  • php-recode-0:5.3.3-46.el6_6
  • php-snmp-0:5.3.3-46.el6_6
  • php-soap-0:5.3.3-46.el6_6
  • php-tidy-0:5.3.3-46.el6_6
  • php-xml-0:5.3.3-46.el6_6
  • php-xmlrpc-0:5.3.3-46.el6_6
  • php-zts-0:5.3.3-46.el6_6