Vulnerabilities > CVE-2015-2783 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in PHP

047910
CVSS 5.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
PARTIAL

Summary

ext/phar/phar.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (buffer over-read and application crash) via a crafted length value in conjunction with crafted serialized data in a phar archive, related to the phar_parse_metadata and phar_parse_pharfile functions.

Vulnerable Configurations

Part Description Count
Application
Php
651
OS
Redhat
8
OS
Apple
92

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_1E232A0CEB5711E4B5954061861086C1.NASL
    descriptionThe PHP project reports : The PHP development team announces the immediate availability of PHP 5.4.40. 14 security-related bugs were fixed in this release, including CVE-2014-9709, CVE-2015-2301, CVE-2015-2783, CVE-2015-1352. All PHP 5.4 users are encouraged to upgrade to this version. The PHP development team announces the immediate availability of PHP 5.5.24. Several bugs have been fixed, some of them being security related, like CVE-2015-1351 and CVE-2015-1352. All PHP 5.5 users are encouraged to upgrade to this version. The PHP development team announces the immediate availability of PHP 5.6.8. Several bugs have been fixed, some of them being security related, like CVE-2015-1351 and CVE-2015-1352. All PHP 5.6 users are encouraged to upgrade to this version.
    last seen2020-06-01
    modified2020-06-02
    plugin id83080
    published2015-04-27
    reporterThis script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83080
    titleFreeBSD : Several vulnerabilities found in PHP (1e232a0c-eb57-11e4-b595-4061861086c1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(83080);
      script_version("2.9");
      script_cvs_date("Date: 2018/11/10 11:49:44");
    
      script_cve_id("CVE-2014-9709", "CVE-2015-1351", "CVE-2015-1352", "CVE-2015-2301", "CVE-2015-2783");
    
      script_name(english:"FreeBSD : Several vulnerabilities found in PHP (1e232a0c-eb57-11e4-b595-4061861086c1)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The PHP project reports :
    
    The PHP development team announces the immediate availability of PHP
    5.4.40. 14 security-related bugs were fixed in this release, including
    CVE-2014-9709, CVE-2015-2301, CVE-2015-2783, CVE-2015-1352. All PHP
    5.4 users are encouraged to upgrade to this version.
    
    The PHP development team announces the immediate availability of PHP
    5.5.24. Several bugs have been fixed, some of them being security
    related, like CVE-2015-1351 and CVE-2015-1352. All PHP 5.5 users are
    encouraged to upgrade to this version.
    
    The PHP development team announces the immediate availability of PHP
    5.6.8. Several bugs have been fixed, some of them being security
    related, like CVE-2015-1351 and CVE-2015-1352. All PHP 5.6 users are
    encouraged to upgrade to this version."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://php.net/archive/2015.php#id2015-04-16-2"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=199585"
      );
      # https://vuxml.freebsd.org/freebsd/1e232a0c-eb57-11e4-b595-4061861086c1.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?4e748b42"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:php5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:php55");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:php56");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/04/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/27");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"php5<5.4.40")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"php55<5.5.24")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"php56<5.6.8")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2015-111-10.NASL
    descriptionNew php packages are available for Slackware 14.0, 14.1, and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id82923
    published2015-04-22
    reporterThis script is Copyright (C) 2015-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82923
    titleSlackware 14.0 / 14.1 / current : php (SSA:2015-111-10)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201606-10.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201606-10 (PHP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details. Impact : An attacker can possibly execute arbitrary code or create a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id91704
    published2016-06-20
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91704
    titleGLSA-201606-10 : PHP: Multiple vulnerabilities
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2015-509.NASL
    descriptionA buffer overflow vulnerability was found in PHP
    last seen2020-06-01
    modified2020-06-02
    plugin id82856
    published2015-04-20
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82856
    titleAmazon Linux AMI : php54 (ALAS-2015-509)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2015-1218.NASL
    descriptionFrom Red Hat Security Advisory 2015:1218 : Updated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. (CVE-2015-4024) An uninitialized pointer use flaw was found in PHP
    last seen2020-06-01
    modified2020-06-02
    plugin id84659
    published2015-07-13
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84659
    titleOracle Linux 6 : php (ELSA-2015-1218)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2015-1135.NASL
    descriptionFrom Red Hat Security Advisory 2015:1135 : Updated php packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way the PHP module for the Apache httpd web server handled pipelined requests. A remote attacker could use this flaw to trigger the execution of a PHP script in a deinitialized interpreter, causing it to crash or, possibly, execute arbitrary code. (CVE-2015-3330) A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. (CVE-2015-4024) An uninitialized pointer use flaw was found in PHP
    last seen2020-06-01
    modified2020-06-02
    plugin id84351
    published2015-06-24
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84351
    titleOracle Linux 7 : php (ELSA-2015-1135)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20150709_PHP_ON_SL6_X.NASL
    descriptionA flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. (CVE-2015-4024) An uninitialized pointer use flaw was found in PHP
    last seen2020-03-18
    modified2015-07-13
    plugin id84661
    published2015-07-13
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84661
    titleScientific Linux Security Update : php on SL6.x i386/x86_64 (20150709)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-6407.NASL
    description16 Apr 2015, **PHP 5.6.8** Core : - Fixed bug #66609 (php crashes with __get() and ++ operator in some cases). (Dmitry, Laruence) - Fixed bug #68021 (get_browser() browser_name_regex returns non-utf-8 characters). (Tjerk) - Fixed bug #68917 (parse_url fails on some partial urls). (Wei Dai) - Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options). (Anatol Belski) - Additional fix for bug #69152 (Type confusion vulnerability in exception::getTraceAsString). (Stas) - Fixed bug #69210 (serialize function return corrupted data when sleep has non-string values). (Juan Basso) - Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in __call/... arg passing). (Nikita) - Fixed bug #69221 (Segmentation fault when using a generator in combination with an Iterator). (Nikita) - Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability). (Stas) - Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions). (Stas) Apache2handler : - Fixed bug #69218 (potential remote code execution with apache 2.4 apache2handler). (Gerrit Venema) cURL : - Implemented FR#69278 (HTTP2 support). (Masaki Kagaya) - Fixed bug #68739 (Missing break / control flow). (Laruence) - Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER). (Laruence) Date : - Fixed bug #69336 (Issues with
    last seen2020-06-05
    modified2015-04-24
    plugin id83044
    published2015-04-24
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83044
    titleFedora 21 : php-5.6.8-1.fc21 (2015-6407)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_10_11.NASL
    descriptionThe remote host is running a version of Mac OS X that is 10.6.8 or later but prior to 10.11. It is, therefore, affected by multiple vulnerabilities in the following components : - Address Book - AirScan - apache_mod_php - Apple Online Store Kit - AppleEvents - Audio - bash - Certificate Trust Policy - CFNetwork Cookies - CFNetwork FTPProtocol - CFNetwork HTTPProtocol - CFNetwork Proxies - CFNetwork SSL - CoreCrypto - CoreText - Dev Tools - Disk Images - dyld - EFI - Finder - Game Center - Heimdal - ICU - Install Framework Legacy - Intel Graphics Driver - IOAudioFamily - IOGraphics - IOHIDFamily - IOStorageFamily - Kernel - libc - libpthread - libxpc - Login Window - lukemftpd - Mail - Multipeer Connectivity - NetworkExtension - Notes - OpenSSH - OpenSSL - procmail - remote_cmds - removefile - Ruby - Safari - Safari Downloads - Safari Extensions - Safari Safe Browsing - Security - SMB - SQLite - Telephony - Terminal - tidy - Time Machine - WebKit - WebKit CSS - WebKit JavaScript Bindings - WebKit Page Loading - WebKit Plug-ins Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen2020-06-01
    modified2020-06-02
    plugin id86270
    published2015-10-05
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/86270
    titleMac OS X < 10.11 Multiple Vulnerabilities (GHOST)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-6399.NASL
    description16 Apr 2015, **PHP 5.5.24** Apache2handler : - Fixed bug #69218 (potential remote code execution with apache 2.4 apache2handler). (Gerrit Venema) Core : - Fixed bug #66609 (php crashes with __get() and ++ operator in some cases). (Dmitry, Laruence) - Fixed bug #67626 (User exceptions not properly handled in streams). (Julian) - Fixed bug #68021 (get_browser() browser_name_regex returns non-utf-8 characters). (Tjerk) - Fixed bug #68917 (parse_url fails on some partial urls). (Wei Dai) - Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options). (Anatol Belski) - Additional fix for bug #69152 (Type confusion vulnerability in exception::getTraceAsString). (Stas) - Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in __call/... arg passing). (Nikita) - Fixed bug #69221 (Segmentation fault when using a generator in combination with an Iterator). (Nikita) - Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability). (Stas) - Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions). (Stas) Curl : - Implemented FR#69278 (HTTP2 support). (Masaki Kagaya) - Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER). (Laruence) Date : - Export date_get_immutable_ce so that it can be used by extensions. (Derick Rethans) - Fixed bug #69336 (Issues with
    last seen2020-06-05
    modified2015-04-28
    plugin id83093
    published2015-04-28
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83093
    titleFedora 20 : php-5.5.24-1.fc20 (2015-6399)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-1135.NASL
    descriptionUpdated php packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way the PHP module for the Apache httpd web server handled pipelined requests. A remote attacker could use this flaw to trigger the execution of a PHP script in a deinitialized interpreter, causing it to crash or, possibly, execute arbitrary code. (CVE-2015-3330) A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. (CVE-2015-4024) An uninitialized pointer use flaw was found in PHP
    last seen2020-06-01
    modified2020-06-02
    plugin id84355
    published2015-06-24
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84355
    titleRHEL 7 : php (RHSA-2015:1135)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2015-1135.NASL
    descriptionUpdated php packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way the PHP module for the Apache httpd web server handled pipelined requests. A remote attacker could use this flaw to trigger the execution of a PHP script in a deinitialized interpreter, causing it to crash or, possibly, execute arbitrary code. (CVE-2015-3330) A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. (CVE-2015-4024) An uninitialized pointer use flaw was found in PHP
    last seen2020-06-01
    modified2020-06-02
    plugin id84345
    published2015-06-24
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84345
    titleCentOS 7 : php (CESA-2015:1135)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-1638-1.NASL
    descriptionThis update for php53 to version 5.3.17 fixes the following issues : These security issues were fixed : - CVE-2016-5093: get_icu_value_internal out-of-bounds read (bnc#982010). - CVE-2016-5094: Don
    last seen2020-06-01
    modified2020-06-02
    plugin id93161
    published2016-08-29
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93161
    titleSUSE SLES11 Security Update : php53 (SUSE-SU-2016:1638-1) (BACKRONYM)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-0868-1.NASL
    descriptionPHP was updated to fix ten security issues. The following vulnerabilities were fixed : - CVE-2014-9709: A specially crafted GIF file could cause a buffer read overflow in php-gd (bnc#923946) - CVE-2015-2301: Memory was use after it was freed in PHAR (bnc#922022) - CVE-2015-2305: heap overflow vulnerability in regcomp.c (bnc#922452) - CVE-2014-9705: heap buffer overflow in Enchant (bnc#922451) - CVE-2015-2787: use-after-free vulnerability in the process_nested_data function (bnc#924972) - unserialize SoapClient type confusion (bnc#925109) - CVE-2015-2348: move_uploaded_file truncates a pathNAME upon encountering a x00 character (bnc#924970) - CVE-2015-3330: Specially crafted PHAR files could, when executed under Apache httpd 2.4 (apache2handler), allow arbitrary code execution (bnc#928506) - CVE-2015-3329: Specially crafted PHAR data could lead to disclosure of sensitive information due to a buffer overflow (bnc#928506) - CVE-2015-2783: Specially crafted PHAR data could lead to disclosure of sensitive information due to a buffer over-read (bnc#928511) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-24
    modified2019-01-02
    plugin id119964
    published2019-01-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119964
    titleSUSE SLES12 Security Update : php5 (SUSE-SU-2015:0868-1)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2015-209.NASL
    descriptionUpdated php packages fix security vulnerabilities : Buffer Over-read in unserialize when parsing Phar (CVE-2015-2783). Buffer Overflow when parsing tar/zip/phar in phar_set_inode (CVE-2015-3329). Potential remote code execution with apache 2.4 apache2handler (CVE-2015-3330). PHP has been updated to version 5.5.24, which fixes these issues and other bugs. Additionally the timezonedb packages has been upgraded to the latest version and the PECL packages which requires so has been rebuilt for php-5.5.24.
    last seen2020-06-01
    modified2020-06-02
    plugin id83101
    published2015-04-28
    reporterThis script is Copyright (C) 2015-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/83101
    titleMandriva Linux Security Advisory : php (MDVSA-2015:209)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_10_10_5.NASL
    descriptionThe remote host is running a version of Mac OS X 10.10.x that is prior to 10.10.5. It is, therefore, affected by multiple vulnerabilities in the following components : - apache - apache_mod_php - Apple ID OD Plug-in - AppleGraphicsControl - Bluetooth - bootp - CloudKit - CoreMedia Playback - CoreText - curl - Data Detectors Engine - Date & Time pref pane - Dictionary Application - DiskImages - dyld - FontParser - groff - ImageIO - Install Framework Legacy - IOFireWireFamily - IOGraphics - IOHIDFamily - Kernel - Libc - Libinfo - libpthread - libxml2 - libxpc - mail_cmds - Notification Center OSX - ntfs - OpenSSH - OpenSSL - perl - PostgreSQL - python - QL Office - Quartz Composer Framework - Quick Look - QuickTime 7 - SceneKit - Security - SMBClient - Speech UI - sudo - tcpdump - Text Formats - udf Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen2020-06-01
    modified2020-06-02
    plugin id85408
    published2015-08-17
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/85408
    titleMac OS X 10.10.x < 10.10.5 Multiple Vulnerabilities
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2572-1.NASL
    descriptionIt was discovered that PHP incorrectly handled cleanup when used with Apache 2.4. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-3330) It was discovered that PHP incorrectly handled opening tar, zip or phar archives through the PHAR extension. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-3329) It was discovered that PHP incorrectly handled regular expressions. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-2305) Paulos Yibelo discovered that PHP incorrectly handled moving files when a pathname contained a null character. A remote attacker could use this issue to possibly bypass filename restrictions. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-2348) It was discovered that PHP incorrectly handled unserializing PHAR files. A remote attacker could use this issue to cause PHP to possibly expose sensitive information. (CVE-2015-2783) Taoguang Chen discovered that PHP incorrectly handled unserializing certain objects. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-2787). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id82911
    published2015-04-21
    reporterUbuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/82911
    titleUbuntu 10.04 LTS / 12.04 LTS / 14.04 LTS / 14.10 : php5 vulnerabilities (USN-2572-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-1218.NASL
    descriptionUpdated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. (CVE-2015-4024) An uninitialized pointer use flaw was found in PHP
    last seen2020-06-01
    modified2020-06-02
    plugin id84660
    published2015-07-13
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84660
    titleRHEL 6 : php (RHSA-2015:1218)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-212.NASL
    descriptionCVE-2014-9705 Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries. CVE-2015-0232 The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free and application crash) via crafted EXIF data in a JPEG image. CVE-2015-2301 Use-after-free vulnerability in the phar_rename_archive function in phar_object.c in PHP before 5.5.22 and 5.6.x before 5.6.6 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an attempted renaming of a Phar archive to the name of an existing file. CVE-2015-2331 Integer overflow in the _zip_cdir_new function in zip_dirent.c in libzip 0.11.2 and earlier, as used in the ZIP extension in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a ZIP archive that contains many entries, leading to a heap-based buffer overflow. CVE-2015-2783 Buffer Over-read in unserialize when parsing Phar CVE-2015-2787 Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages use of the unset function within an __wakeup function, a related issue to CVE-2015-0231. CVE-2015-3329 Buffer Overflow when parsing tar/zip/phar in phar_set_inode) CVE-2015-3330 PHP potential remote code execution with apache 2.4 apache2handler CVE-2015-temp-68819 denial of service when processing a crafted file with Fileinfo NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2015-04-30
    plugin id83144
    published2015-04-30
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/83144
    titleDebian DLA-212-1 : php5 security update
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2015-006.NASL
    descriptionThe remote host is running a version of Mac OS X 10.8.5 or 10.9.5 that is missing Security Update 2015-006. It is, therefore, affected by multiple vulnerabilities in the following components : - apache - apache_mod_php - CoreText - FontParser - Libinfo - libxml2 - OpenSSL - perl - PostgreSQL - QL Office - Quartz Composer Framework - QuickTime 7 - SceneKit Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen2020-06-01
    modified2020-06-02
    plugin id85409
    published2015-08-17
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85409
    titleMac OS X Multiple Vulnerabilities (Security Update 2015-006)
  • NASL familyCGI abuses
    NASL idPHP_5_4_40.NASL
    descriptionAccording to its banner, the version of PHP 5.4.x running on the remote web server is prior to 5.4.40. It is, therefore, affected by multiple vulnerabilities : - An out-of-bounds read error exists in the GetCode_() function within file gd_gif_in.c that allows an unauthenticated, remote attacker to cause a denial of service condition or the disclosure of memory contents. (CVE-2014-9709) - A NULL pointer dereference flaw exists in the build_tablename() function within file pgsql.c in the PostgreSQL extension due to a failure to validate token extraction for table names. An authenticated, remote attacker can exploit this, via a crafted name, to cause a denial of service condition. (CVE-2015-1352) - A use-after-free error exists in the phar_rename_archive() function within file phar_object.c. An unauthenticated, remote attacker can exploit this, by attempting to rename a phar archive to an already existing file name, to cause a denial of service condition. (CVE-2015-2301) - An out-of-bounds read error exists in the Phar component due to improper validation of user-supplied input when handling phar parsing during unserialize() function calls. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the disclosure of memory contents. (CVE-2015-2783) - A memory corruption issue exists in the phar_parse_metadata() function in file ext/phar/phar.c due to improper validation of user-supplied input when parsing a specially crafted TAR archive. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-3307) - Multiple stack-based buffer overflow conditions exist in the phar_set_inode() function in file phar_internal.h when handling archive files, such as tar, zip, or phar files. An unauthenticated, remote attacker can exploit these to cause a denial of service condition or the execution or arbitrary code. (CVE-2015-3329) - A flaw exists in the Apache2handler SAPI component when handling pipelined HTTP requests that allows an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-3330) - A flaw exists in multiple functions due to a failure to check for NULL byte (%00) sequences in a path when processing or reading a file. An unauthenticated, remote attacker can exploit this, via specially crafted input to an application calling those functions, to bypass intended restrictions and disclose potentially sensitive information. (CVE-2015-3411, CVE-2015-3412) - A type confusion error exists in multiple functions within file ext/soap/soap.c that is triggered when calling unserialize(). An unauthenticated, remote attacker can exploit this to disclose memory contents, cause a denial of service condition, or execute arbitrary code. (CVE-2015-4599, CVE-2015-4600) - Multiple type confusion errors exist within files ext/soap/php_encoding.c, ext/soap/php_http.c, and ext/soap/soap.c that allow an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-4601) - A type confusion error exists in the __PHP_Incomplete_Class() function within file ext/standard/incomplete_class.c that allows an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-4602) - A type confusion error exists in the exception::getTraceAsString() function within file Zend/zend_exceptions.c that allows a remote attacker to execute arbitrary code. (CVE-2015-4603) - A denial of service vulnerability exists due to a flaw in the bundled libmagic library, specifically in the mget() function within file softmagic.c. The function fails to maintain a certain pointer relationship. An unauthenticated, remote attacker can exploit this, via a crafted string, to crash the application. (CVE-2015-4604) - A denial of service vulnerability exists due to a flaw in the bundled libmagic library, specifically in the mcopy() function within file softmagic.c. The function fails to properly handle an offset that exceeds
    last seen2020-06-01
    modified2020-06-02
    plugin id83033
    published2015-04-23
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83033
    titlePHP 5.4.x < 5.4.40 Multiple Vulnerabilities
  • NASL familyCGI abuses
    NASL idPHP_5_6_8.NASL
    descriptionAccording to its banner, the version of PHP 5.6.x running on the remote web server is prior to 5.6.8. It is, therefore, affected by multiple vulnerabilities : - An unspecified use-after-free error exists in the _zend_shared_memdup() function within file ext/opcache/zend_shared_alloc.c that allows an unauthenticated, remote attacker to have an unspecified impact. (CVE-2015-1351) - A NULL pointer dereference flaw exists in the build_tablename() function within file pgsql.c in the PostgreSQL extension due to a failure to validate token extraction for table names. An authenticated, remote attacker can exploit this, via a crafted name, to cause a denial of service condition. (CVE-2015-1352) - An out-of-bounds read error exists in the Phar component due to improper validation of user-supplied input when handling phar parsing during unserialize() function calls. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the disclosure of memory contents. (CVE-2015-2783) - A memory corruption issue exists in the phar_parse_metadata() function in file ext/phar/phar.c due to improper validation of user-supplied input when parsing a specially crafted TAR archive. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-3307) - Multiple stack-based buffer overflow conditions exist in the phar_set_inode() function in file phar_internal.h when handling archive files, such as tar, zip, or phar files. An unauthenticated, remote attacker can exploit these to cause a denial of service condition or the execution or arbitrary code. (CVE-2015-3329) - A flaw exists in the Apache2handler SAPI component when handling pipelined HTTP requests that allows an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-3330) - A flaw exists in multiple functions due to a failure to check for NULL byte (%00) sequences in a path when processing or reading a file. An unauthenticated, remote attacker can exploit this, via specially crafted input to an application calling those functions, to bypass intended restrictions and disclose potentially sensitive information. (CVE-2015-3411, CVE-2015-3412) - A type confusion error exists in multiple functions within file ext/soap/soap.c that is triggered when calling unserialize(). An unauthenticated, remote attacker can exploit this to disclose memory contents, cause a denial of service condition, or execute arbitrary code. (CVE-2015-4599, CVE-2015-4600) - Multiple type confusion errors exist within files ext/soap/php_encoding.c, ext/soap/php_http.c, and ext/soap/soap.c that allow an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-4601) - A type confusion error exists in the __PHP_Incomplete_Class() function within file ext/standard/incomplete_class.c that allows an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-4602) - A type confusion error exists in the exception::getTraceAsString() function within file Zend/zend_exceptions.c that allows a remote attacker to execute arbitrary code. (CVE-2015-4603) - A denial of service vulnerability exists due to a flaw in the bundled libmagic library, specifically in the mget() function within file softmagic.c. The function fails to maintain a certain pointer relationship. An unauthenticated, remote attacker can exploit this, via a crafted string, to crash the application. (CVE-2015-4604) - A denial of service vulnerability exists due to a flaw in the bundled libmagic library, specifically in the mcopy() function within file softmagic.c. The function fails to properly handle an offset that exceeds
    last seen2020-06-01
    modified2020-06-02
    plugin id83035
    published2015-04-23
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83035
    titlePHP 5.6.x < 5.6.8 Multiple Vulnerabilities
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20150623_PHP_ON_SL7_X.NASL
    descriptionA flaw was found in the way the PHP module for the Apache httpd web server handled pipelined requests. A remote attacker could use this flaw to trigger the execution of a PHP script in a deinitialized interpreter, causing it to crash or, possibly, execute arbitrary code. (CVE-2015-3330) A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. (CVE-2015-4024) An uninitialized pointer use flaw was found in PHP
    last seen2020-03-18
    modified2015-06-25
    plugin id84394
    published2015-06-25
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84394
    titleScientific Linux Security Update : php on SL7.x x86_64 (20150623)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2015-352.NASL
    descriptionPHP was updated to fix three security issues. The following vulnerabilities were fixed : - CVE-2015-3330: Specially crafted PHAR files could, when executed under Apache httpd 2.4 (apache2handler), allow arbitrary code execution (bnc#928506) - CVE-2015-3329: Specially crafted PHAR data could lead to disclosure of sensitive information due to a buffer overflow (bnc#928506) - CVE-2015-2783: Specially crafted PHAR data could lead to disclosure of sensitive information due to a buffer over-read (bnc#928511) On openSUSE 13.2, the following bug was fixed : - boo#927147: php5-fpm did not start correctly
    last seen2020-06-05
    modified2015-05-13
    plugin id83391
    published2015-05-13
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/83391
    titleopenSUSE Security Update : php5 (openSUSE-2015-352)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-6195.NASL
    description16 Apr 2015, **PHP 5.6.8** Core : - Fixed bug #66609 (php crashes with __get() and ++ operator in some cases). (Dmitry, Laruence) - Fixed bug #68021 (get_browser() browser_name_regex returns non-utf-8 characters). (Tjerk) - Fixed bug #68917 (parse_url fails on some partial urls). (Wei Dai) - Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options). (Anatol Belski) - Additional fix for bug #69152 (Type confusion vulnerability in exception::getTraceAsString). (Stas) - Fixed bug #69210 (serialize function return corrupted data when sleep has non-string values). (Juan Basso) - Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in __call/... arg passing). (Nikita) - Fixed bug #69221 (Segmentation fault when using a generator in combination with an Iterator). (Nikita) - Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability). (Stas) - Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions). (Stas) Apache2handler : - Fixed bug #69218 (potential remote code execution with apache 2.4 apache2handler). (Gerrit Venema) cURL : - Implemented FR#69278 (HTTP2 support). (Masaki Kagaya) - Fixed bug #68739 (Missing break / control flow). (Laruence) - Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER). (Laruence) Date : - Fixed bug #69336 (Issues with
    last seen2020-06-05
    modified2015-04-23
    plugin id83018
    published2015-04-23
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83018
    titleFedora 22 : php-5.6.8-1.fc22 (2015-6195)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3280.NASL
    descriptionMultiple vulnerabilities have been discovered in PHP : - CVE-2015-4025 / CVE-2015-4026 Multiple function didn
    last seen2020-06-01
    modified2020-06-02
    plugin id84025
    published2015-06-09
    reporterThis script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84025
    titleDebian DSA-3280-1 : php5 - security update
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-1018-1.NASL
    descriptionPHP 5.3 was updated to fix multiple security issues : bnc#931776: pcntl_exec() does not check path validity (CVE-2015-4026) bnc#931772: overflow in ftp_genlist() resulting in heap overflow (CVE-2015-4022) bnc#931769: memory corruption in phar_parse_tarfile when entry filename starts with NULL (CVE-2015-4021) bnc#931421: multipart/form-data remote denial-of-service vulnerability (CVE-2015-4024) bnc#928511: buffer over-read in unserialize when parsing Phar (CVE-2015-2783) bnc#928506: buffer over flow when parsing tar/zip/phar in phar_set_inode() (CVE-2015-3329) bnc#925109: SoapClient
    last seen2020-06-01
    modified2020-06-02
    plugin id84082
    published2015-06-10
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84082
    titleSUSE SLES11 Security Update : php53 (SUSE-SU-2015:1018-1)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2015-1218.NASL
    descriptionUpdated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. (CVE-2015-4024) An uninitialized pointer use flaw was found in PHP
    last seen2020-06-01
    modified2020-06-02
    plugin id84648
    published2015-07-13
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84648
    titleCentOS 6 : php (CESA-2015:1218)
  • NASL familyCGI abuses
    NASL idPHP_5_5_24.NASL
    descriptionAccording to its banner, the version of PHP 5.5.x running on the remote web server is prior to 5.5.24. It is, therefore, affected by multiple vulnerabilities : - An unspecified use-after-free error exists in the _zend_shared_memdup() function within file ext/opcache/zend_shared_alloc.c that allows an unauthenticated, remote attacker to have an unspecified impact. (CVE-2015-1351) - A NULL pointer dereference flaw exists in the build_tablename() function within file pgsql.c in the PostgreSQL extension due to a failure to validate token extraction for table names. An authenticated, remote attacker can exploit this, via a crafted name, to cause a denial of service condition. (CVE-2015-1352) - An out-of-bounds read error exists in the Phar component due to improper validation of user-supplied input when handling phar parsing during unserialize() function calls. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the disclosure of memory contents. (CVE-2015-2783) - A memory corruption issue exists in the phar_parse_metadata() function in file ext/phar/phar.c due to improper validation of user-supplied input when parsing a specially crafted TAR archive. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-3307) - Multiple stack-based buffer overflow conditions exist in the phar_set_inode() function in file phar_internal.h when handling archive files, such as tar, zip, or phar files. An unauthenticated, remote attacker can exploit these to cause a denial of service condition or the execution or arbitrary code. (CVE-2015-3329) - A flaw exists in the Apache2handler SAPI component when handling pipelined HTTP requests that allows an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-3330) - A flaw exists in multiple functions due to a failure to check for NULL byte (%00) sequences in a path when processing or reading a file. An unauthenticated, remote attacker can exploit this, via specially crafted input to an application calling those functions, to bypass intended restrictions and disclose potentially sensitive information. (CVE-2015-3411, CVE-2015-3412) - A type confusion error exists in multiple functions within file ext/soap/soap.c that is triggered when calling unserialize(). An unauthenticated, remote attacker can exploit this to disclose memory contents, cause a denial of service condition, or execute arbitrary code. (CVE-2015-4599, CVE-2015-4600) - Multiple type confusion errors exist within files ext/soap/php_encoding.c, ext/soap/php_http.c, and ext/soap/soap.c that allow an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-4601) - A type confusion error exists in the __PHP_Incomplete_Class() function within file ext/standard/incomplete_class.c that allows an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-4602) - A type confusion error exists in the exception::getTraceAsString() function within file Zend/zend_exceptions.c that allows a remote attacker to execute arbitrary code. (CVE-2015-4603) - A denial of service vulnerability exists due to a flaw in the bundled libmagic library, specifically in the mget() function within file softmagic.c. The function fails to maintain a certain pointer relationship. An unauthenticated, remote attacker can exploit this, via a crafted string, to crash the application. (CVE-2015-4604) - A denial of service vulnerability exists due to a flaw in the bundled libmagic library, specifically in the mcopy() function within file softmagic.c. The function fails to properly handle an offset that exceeds
    last seen2020-06-01
    modified2020-06-02
    plugin id83034
    published2015-04-23
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83034
    titlePHP 5.5.x < 5.5.24 Multiple Vulnerabilities
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1543.NASL
    descriptionAccording to the versions of the php packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - A flaws was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.(CVE-2014-8142) - It was found that certain PHP functions did not properly handle file names containing a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions.(CVE-2015-4026) - A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.(CVE-2015-6834) - It was found that certain PHP functions did not properly handle file names containing a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions.(CVE-2015-4025) - An integer overflow flaw was found in the way custom objects were unserialized. Specially crafted input processed by the unserialize() function could cause a PHP application to crash.(CVE-2014-3669) - It was found that PHP move_uploaded_file() function did not properly handle file names with a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions.(CVE-2015-2348) - An integer overflow flaw leading to a heap-based buffer overflow was found in the way PHP
    last seen2020-06-01
    modified2020-06-02
    plugin id124996
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124996
    titleEulerOS Virtualization 3.0.1.0 : php (EulerOS-SA-2019-1543)

Redhat

advisories
  • rhsa
    idRHSA-2015:1066
  • rhsa
    idRHSA-2015:1135
  • rhsa
    idRHSA-2015:1186
  • rhsa
    idRHSA-2015:1187
  • rhsa
    idRHSA-2015:1218
rpms
  • php54-0:2.0-1.el6
  • php54-0:2.0-1.el7
  • php54-php-0:5.4.40-1.el6
  • php54-php-0:5.4.40-1.el7
  • php54-php-bcmath-0:5.4.40-1.el6
  • php54-php-bcmath-0:5.4.40-1.el7
  • php54-php-cli-0:5.4.40-1.el6
  • php54-php-cli-0:5.4.40-1.el7
  • php54-php-common-0:5.4.40-1.el6
  • php54-php-common-0:5.4.40-1.el7
  • php54-php-dba-0:5.4.40-1.el6
  • php54-php-dba-0:5.4.40-1.el7
  • php54-php-debuginfo-0:5.4.40-1.el6
  • php54-php-debuginfo-0:5.4.40-1.el7
  • php54-php-devel-0:5.4.40-1.el6
  • php54-php-devel-0:5.4.40-1.el7
  • php54-php-enchant-0:5.4.40-1.el6
  • php54-php-enchant-0:5.4.40-1.el7
  • php54-php-fpm-0:5.4.40-1.el6
  • php54-php-fpm-0:5.4.40-1.el7
  • php54-php-gd-0:5.4.40-1.el6
  • php54-php-gd-0:5.4.40-1.el7
  • php54-php-imap-0:5.4.40-1.el6
  • php54-php-intl-0:5.4.40-1.el6
  • php54-php-intl-0:5.4.40-1.el7
  • php54-php-ldap-0:5.4.40-1.el6
  • php54-php-ldap-0:5.4.40-1.el7
  • php54-php-mbstring-0:5.4.40-1.el6
  • php54-php-mbstring-0:5.4.40-1.el7
  • php54-php-mysqlnd-0:5.4.40-1.el6
  • php54-php-mysqlnd-0:5.4.40-1.el7
  • php54-php-odbc-0:5.4.40-1.el6
  • php54-php-odbc-0:5.4.40-1.el7
  • php54-php-pdo-0:5.4.40-1.el6
  • php54-php-pdo-0:5.4.40-1.el7
  • php54-php-pecl-zendopcache-0:7.0.4-3.el6
  • php54-php-pecl-zendopcache-0:7.0.4-3.el7
  • php54-php-pecl-zendopcache-debuginfo-0:7.0.4-3.el6
  • php54-php-pecl-zendopcache-debuginfo-0:7.0.4-3.el7
  • php54-php-pgsql-0:5.4.40-1.el6
  • php54-php-pgsql-0:5.4.40-1.el7
  • php54-php-process-0:5.4.40-1.el6
  • php54-php-process-0:5.4.40-1.el7
  • php54-php-pspell-0:5.4.40-1.el6
  • php54-php-pspell-0:5.4.40-1.el7
  • php54-php-recode-0:5.4.40-1.el6
  • php54-php-recode-0:5.4.40-1.el7
  • php54-php-snmp-0:5.4.40-1.el6
  • php54-php-snmp-0:5.4.40-1.el7
  • php54-php-soap-0:5.4.40-1.el6
  • php54-php-soap-0:5.4.40-1.el7
  • php54-php-tidy-0:5.4.40-1.el6
  • php54-php-xml-0:5.4.40-1.el6
  • php54-php-xml-0:5.4.40-1.el7
  • php54-php-xmlrpc-0:5.4.40-1.el6
  • php54-php-xmlrpc-0:5.4.40-1.el7
  • php54-runtime-0:2.0-1.el6
  • php54-runtime-0:2.0-1.el7
  • php54-scldevel-0:2.0-1.el6
  • php54-scldevel-0:2.0-1.el7
  • php-0:5.4.16-36.ael7b_1
  • php-0:5.4.16-36.el7_1
  • php-bcmath-0:5.4.16-36.ael7b_1
  • php-bcmath-0:5.4.16-36.el7_1
  • php-cli-0:5.4.16-36.ael7b_1
  • php-cli-0:5.4.16-36.el7_1
  • php-common-0:5.4.16-36.ael7b_1
  • php-common-0:5.4.16-36.el7_1
  • php-dba-0:5.4.16-36.ael7b_1
  • php-dba-0:5.4.16-36.el7_1
  • php-debuginfo-0:5.4.16-36.ael7b_1
  • php-debuginfo-0:5.4.16-36.el7_1
  • php-devel-0:5.4.16-36.ael7b_1
  • php-devel-0:5.4.16-36.el7_1
  • php-embedded-0:5.4.16-36.ael7b_1
  • php-embedded-0:5.4.16-36.el7_1
  • php-enchant-0:5.4.16-36.ael7b_1
  • php-enchant-0:5.4.16-36.el7_1
  • php-fpm-0:5.4.16-36.ael7b_1
  • php-fpm-0:5.4.16-36.el7_1
  • php-gd-0:5.4.16-36.ael7b_1
  • php-gd-0:5.4.16-36.el7_1
  • php-intl-0:5.4.16-36.ael7b_1
  • php-intl-0:5.4.16-36.el7_1
  • php-ldap-0:5.4.16-36.ael7b_1
  • php-ldap-0:5.4.16-36.el7_1
  • php-mbstring-0:5.4.16-36.ael7b_1
  • php-mbstring-0:5.4.16-36.el7_1
  • php-mysql-0:5.4.16-36.ael7b_1
  • php-mysql-0:5.4.16-36.el7_1
  • php-mysqlnd-0:5.4.16-36.ael7b_1
  • php-mysqlnd-0:5.4.16-36.el7_1
  • php-odbc-0:5.4.16-36.ael7b_1
  • php-odbc-0:5.4.16-36.el7_1
  • php-pdo-0:5.4.16-36.ael7b_1
  • php-pdo-0:5.4.16-36.el7_1
  • php-pgsql-0:5.4.16-36.ael7b_1
  • php-pgsql-0:5.4.16-36.el7_1
  • php-process-0:5.4.16-36.ael7b_1
  • php-process-0:5.4.16-36.el7_1
  • php-pspell-0:5.4.16-36.ael7b_1
  • php-pspell-0:5.4.16-36.el7_1
  • php-recode-0:5.4.16-36.ael7b_1
  • php-recode-0:5.4.16-36.el7_1
  • php-snmp-0:5.4.16-36.ael7b_1
  • php-snmp-0:5.4.16-36.el7_1
  • php-soap-0:5.4.16-36.ael7b_1
  • php-soap-0:5.4.16-36.el7_1
  • php-xml-0:5.4.16-36.ael7b_1
  • php-xml-0:5.4.16-36.el7_1
  • php-xmlrpc-0:5.4.16-36.ael7b_1
  • php-xmlrpc-0:5.4.16-36.el7_1
  • php55-php-0:5.5.21-4.el6
  • php55-php-0:5.5.21-4.el7
  • php55-php-bcmath-0:5.5.21-4.el6
  • php55-php-bcmath-0:5.5.21-4.el7
  • php55-php-cli-0:5.5.21-4.el6
  • php55-php-cli-0:5.5.21-4.el7
  • php55-php-common-0:5.5.21-4.el6
  • php55-php-common-0:5.5.21-4.el7
  • php55-php-dba-0:5.5.21-4.el6
  • php55-php-dba-0:5.5.21-4.el7
  • php55-php-debuginfo-0:5.5.21-4.el6
  • php55-php-debuginfo-0:5.5.21-4.el7
  • php55-php-devel-0:5.5.21-4.el6
  • php55-php-devel-0:5.5.21-4.el7
  • php55-php-enchant-0:5.5.21-4.el6
  • php55-php-enchant-0:5.5.21-4.el7
  • php55-php-fpm-0:5.5.21-4.el6
  • php55-php-fpm-0:5.5.21-4.el7
  • php55-php-gd-0:5.5.21-4.el6
  • php55-php-gd-0:5.5.21-4.el7
  • php55-php-gmp-0:5.5.21-4.el6
  • php55-php-gmp-0:5.5.21-4.el7
  • php55-php-imap-0:5.5.21-4.el6
  • php55-php-intl-0:5.5.21-4.el6
  • php55-php-intl-0:5.5.21-4.el7
  • php55-php-ldap-0:5.5.21-4.el6
  • php55-php-ldap-0:5.5.21-4.el7
  • php55-php-mbstring-0:5.5.21-4.el6
  • php55-php-mbstring-0:5.5.21-4.el7
  • php55-php-mysqlnd-0:5.5.21-4.el6
  • php55-php-mysqlnd-0:5.5.21-4.el7
  • php55-php-odbc-0:5.5.21-4.el6
  • php55-php-odbc-0:5.5.21-4.el7
  • php55-php-opcache-0:5.5.21-4.el6
  • php55-php-opcache-0:5.5.21-4.el7
  • php55-php-pdo-0:5.5.21-4.el6
  • php55-php-pdo-0:5.5.21-4.el7
  • php55-php-pgsql-0:5.5.21-4.el6
  • php55-php-pgsql-0:5.5.21-4.el7
  • php55-php-process-0:5.5.21-4.el6
  • php55-php-process-0:5.5.21-4.el7
  • php55-php-pspell-0:5.5.21-4.el6
  • php55-php-pspell-0:5.5.21-4.el7
  • php55-php-recode-0:5.5.21-4.el6
  • php55-php-recode-0:5.5.21-4.el7
  • php55-php-snmp-0:5.5.21-4.el6
  • php55-php-snmp-0:5.5.21-4.el7
  • php55-php-soap-0:5.5.21-4.el6
  • php55-php-soap-0:5.5.21-4.el7
  • php55-php-tidy-0:5.5.21-4.el6
  • php55-php-xml-0:5.5.21-4.el6
  • php55-php-xml-0:5.5.21-4.el7
  • php55-php-xmlrpc-0:5.5.21-4.el6
  • php55-php-xmlrpc-0:5.5.21-4.el7
  • rh-php56-php-0:5.6.5-7.el6
  • rh-php56-php-0:5.6.5-7.el7
  • rh-php56-php-bcmath-0:5.6.5-7.el6
  • rh-php56-php-bcmath-0:5.6.5-7.el7
  • rh-php56-php-cli-0:5.6.5-7.el6
  • rh-php56-php-cli-0:5.6.5-7.el7
  • rh-php56-php-common-0:5.6.5-7.el6
  • rh-php56-php-common-0:5.6.5-7.el7
  • rh-php56-php-dba-0:5.6.5-7.el6
  • rh-php56-php-dba-0:5.6.5-7.el7
  • rh-php56-php-dbg-0:5.6.5-7.el6
  • rh-php56-php-dbg-0:5.6.5-7.el7
  • rh-php56-php-debuginfo-0:5.6.5-7.el6
  • rh-php56-php-debuginfo-0:5.6.5-7.el7
  • rh-php56-php-devel-0:5.6.5-7.el6
  • rh-php56-php-devel-0:5.6.5-7.el7
  • rh-php56-php-embedded-0:5.6.5-7.el6
  • rh-php56-php-embedded-0:5.6.5-7.el7
  • rh-php56-php-enchant-0:5.6.5-7.el6
  • rh-php56-php-enchant-0:5.6.5-7.el7
  • rh-php56-php-fpm-0:5.6.5-7.el6
  • rh-php56-php-fpm-0:5.6.5-7.el7
  • rh-php56-php-gd-0:5.6.5-7.el6
  • rh-php56-php-gd-0:5.6.5-7.el7
  • rh-php56-php-gmp-0:5.6.5-7.el6
  • rh-php56-php-gmp-0:5.6.5-7.el7
  • rh-php56-php-imap-0:5.6.5-7.el6
  • rh-php56-php-intl-0:5.6.5-7.el6
  • rh-php56-php-intl-0:5.6.5-7.el7
  • rh-php56-php-ldap-0:5.6.5-7.el6
  • rh-php56-php-ldap-0:5.6.5-7.el7
  • rh-php56-php-mbstring-0:5.6.5-7.el6
  • rh-php56-php-mbstring-0:5.6.5-7.el7
  • rh-php56-php-mysqlnd-0:5.6.5-7.el6
  • rh-php56-php-mysqlnd-0:5.6.5-7.el7
  • rh-php56-php-odbc-0:5.6.5-7.el6
  • rh-php56-php-odbc-0:5.6.5-7.el7
  • rh-php56-php-opcache-0:5.6.5-7.el6
  • rh-php56-php-opcache-0:5.6.5-7.el7
  • rh-php56-php-pdo-0:5.6.5-7.el6
  • rh-php56-php-pdo-0:5.6.5-7.el7
  • rh-php56-php-pgsql-0:5.6.5-7.el6
  • rh-php56-php-pgsql-0:5.6.5-7.el7
  • rh-php56-php-process-0:5.6.5-7.el6
  • rh-php56-php-process-0:5.6.5-7.el7
  • rh-php56-php-pspell-0:5.6.5-7.el6
  • rh-php56-php-pspell-0:5.6.5-7.el7
  • rh-php56-php-recode-0:5.6.5-7.el6
  • rh-php56-php-recode-0:5.6.5-7.el7
  • rh-php56-php-snmp-0:5.6.5-7.el6
  • rh-php56-php-snmp-0:5.6.5-7.el7
  • rh-php56-php-soap-0:5.6.5-7.el6
  • rh-php56-php-soap-0:5.6.5-7.el7
  • rh-php56-php-tidy-0:5.6.5-7.el6
  • rh-php56-php-xml-0:5.6.5-7.el6
  • rh-php56-php-xml-0:5.6.5-7.el7
  • rh-php56-php-xmlrpc-0:5.6.5-7.el6
  • rh-php56-php-xmlrpc-0:5.6.5-7.el7
  • php-0:5.3.3-46.el6_6
  • php-bcmath-0:5.3.3-46.el6_6
  • php-cli-0:5.3.3-46.el6_6
  • php-common-0:5.3.3-46.el6_6
  • php-dba-0:5.3.3-46.el6_6
  • php-debuginfo-0:5.3.3-46.el6_6
  • php-devel-0:5.3.3-46.el6_6
  • php-embedded-0:5.3.3-46.el6_6
  • php-enchant-0:5.3.3-46.el6_6
  • php-fpm-0:5.3.3-46.el6_6
  • php-gd-0:5.3.3-46.el6_6
  • php-imap-0:5.3.3-46.el6_6
  • php-intl-0:5.3.3-46.el6_6
  • php-ldap-0:5.3.3-46.el6_6
  • php-mbstring-0:5.3.3-46.el6_6
  • php-mysql-0:5.3.3-46.el6_6
  • php-odbc-0:5.3.3-46.el6_6
  • php-pdo-0:5.3.3-46.el6_6
  • php-pgsql-0:5.3.3-46.el6_6
  • php-process-0:5.3.3-46.el6_6
  • php-pspell-0:5.3.3-46.el6_6
  • php-recode-0:5.3.3-46.el6_6
  • php-snmp-0:5.3.3-46.el6_6
  • php-soap-0:5.3.3-46.el6_6
  • php-tidy-0:5.3.3-46.el6_6
  • php-xml-0:5.3.3-46.el6_6
  • php-xmlrpc-0:5.3.3-46.el6_6
  • php-zts-0:5.3.3-46.el6_6