Vulnerabilities > CVE-2015-2787 - Remote Code Execution vulnerability in PHP
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages use of the unset function within an __wakeup function, a related issue to CVE-2015-0231. <a href="http://cwe.mitre.org/data/definitions/416.html">CWE-416: Use After Free</a>
Vulnerable Configurations
Nessus
NASL family CGI abuses NASL id PHP_5_6_7.NASL description According to its banner, the version of PHP 5.6.x installed on the remote host is prior to 5.6.7. It is, therefore, affected by multiple vulnerabilities : - A use-after-free error exists related to function last seen 2020-06-01 modified 2020-06-02 plugin id 82027 published 2015-03-24 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/82027 title PHP 5.6.x < 5.6.7 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(82027); script_version("1.15"); script_cvs_date("Date: 2019/11/22"); script_cve_id( "CVE-2015-0231", "CVE-2015-2305", "CVE-2015-2331", "CVE-2015-2348", "CVE-2015-2787", "CVE-2015-4147", "CVE-2015-4148" ); script_bugtraq_id( 72539, 73182, 73357, 73381, 73383, 73385, 73431, 73434, 75103 ); script_name(english:"PHP 5.6.x < 5.6.7 Multiple Vulnerabilities"); script_summary(english:"Checks the version of PHP."); script_set_attribute(attribute:"synopsis", value: "The remote web server uses a version of PHP that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its banner, the version of PHP 5.6.x installed on the remote host is prior to 5.6.7. It is, therefore, affected by multiple vulnerabilities : - A use-after-free error exists related to function 'unserialize', which can allow a remote attacker to execute arbitrary code. Note that this issue is due to an incomplete fix for CVE-2014-8142. (CVE-2015-0231) - An integer overflow error exists in function 'regcomp' in the Henry Spencer regex library, due to improper validation of user-supplied input. An attacker can exploit this to cause a denial of service or to execute arbitrary code. (CVE-2015-2305) - An integer overflow error exists in the '_zip_cdir_new' function, due to improper validation of user-supplied input. An attacker, using a crafted ZIP archive, can exploit this to cause a denial of service or to execute arbitrary code. (CVE-2015-2331) - A filter bypass vulnerability exists due to a flaw in the move_uploaded_file() function in which pathnames are truncated when a NULL byte is encountered. This allows a remote attacker, via a crafted second argument, to bypass intended extension restrictions and create files with unexpected names. (CVE-2015-2348) - A user-after-free error exists in the process_nested_data() function. This allows a remote attacker, via a crafted unserialize call, to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2015-2787) - A type confusion vulnerability in the SoapClient's __call() function in ext/soap/soap.c could allow a remote attacker to execute arbitrary code by providing crafted serialized data with an unexpected data type (CVE-2015-4147, CVE-2015-4148) Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-5.php#5.6.7"); script_set_attribute(attribute:"see_also", value:"https://bugs.php.net/bug.php?id=69207"); script_set_attribute(attribute:"see_also", value:"https://bugs.php.net/bug.php?id=68976"); script_set_attribute(attribute:"solution", value: "Upgrade to PHP version 5.6.7 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-4147"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/12/18"); script_set_attribute(attribute:"patch_publication_date", value:"2015/03/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/24"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("php_version.nasl"); script_require_keys("www/PHP"); script_require_ports("Services/www", 80); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("webapp_func.inc"); port = get_http_port(default:80, php:TRUE); php = get_php_from_kb( port : port, exit_on_fail : TRUE ); version = php["ver"]; source = php["src"]; backported = get_kb_item('www/php/'+port+'/'+version+'/backported'); if (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install"); # Check that it is the correct version of PHP if (version =~ "^5(\.6)?$") audit(AUDIT_VER_NOT_GRANULAR, "PHP", port, version); if (version !~ "^5\.6\.") audit(AUDIT_NOT_DETECT, "PHP version 5.6.x", port); if (version =~ "^5\.6\.[0-6]($|[^0-9])") { if (report_verbosity > 0) { report = '\n Version source : '+source + '\n Installed version : '+version + '\n Fixed version : 5.6.7' + '\n'; security_hole(port:port, extra:report); } else security_hole(port); exit(0); } else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201606-10.NASL description The remote host is affected by the vulnerability described in GLSA-201606-10 (PHP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details. Impact : An attacker can possibly execute arbitrary code or create a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 91704 published 2016-06-20 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/91704 title GLSA-201606-10 : PHP: Multiple vulnerabilities code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 201606-10. # # The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(91704); script_version("2.3"); script_cvs_date("Date: 2019/04/11 17:23:06"); script_cve_id("CVE-2013-6501", "CVE-2014-9705", "CVE-2014-9709", "CVE-2015-0231", "CVE-2015-0273", "CVE-2015-1351", "CVE-2015-1352", "CVE-2015-2301", "CVE-2015-2348", "CVE-2015-2783", "CVE-2015-2787", "CVE-2015-3329", "CVE-2015-3330", "CVE-2015-4021", "CVE-2015-4022", "CVE-2015-4025", "CVE-2015-4026", "CVE-2015-4147", "CVE-2015-4148", "CVE-2015-4642", "CVE-2015-4643", "CVE-2015-4644", "CVE-2015-6831", "CVE-2015-6832", "CVE-2015-6833", "CVE-2015-6834", "CVE-2015-6835", "CVE-2015-6836", "CVE-2015-6837", "CVE-2015-6838", "CVE-2015-7803", "CVE-2015-7804"); script_xref(name:"GLSA", value:"201606-10"); script_name(english:"GLSA-201606-10 : PHP: Multiple vulnerabilities"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-201606-10 (PHP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details. Impact : An attacker can possibly execute arbitrary code or create a Denial of Service condition. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/201606-10" ); script_set_attribute( attribute:"solution", value: "All PHP 5.4 users should upgrade to the latest 5.5 stable branch, as PHP 5.4 is now masked in Portage: # emerge --sync # emerge --ask --oneshot --verbose '>=dev=lang/php-5.5.33' All PHP 5.5 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=dev=lang/php-5.5.33' All PHP 5.6 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=dev=lang/php-5.6.19'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:php"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2016/06/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/06/20"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"dev-lang/php", unaffected:make_list("ge 5.6.19", "rge 5.5.33", "rge 5.5.34", "rge 5.5.35", "rge 5.5.36", "rge 5.5.37", "rge 5.5.38"), vulnerable:make_list("lt 5.6.19"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "PHP"); }NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2015-1218.NASL description From Red Hat Security Advisory 2015:1218 : Updated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. (CVE-2015-4024) An uninitialized pointer use flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 84659 published 2015-07-13 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84659 title Oracle Linux 6 : php (ELSA-2015-1218) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2015-1135.NASL description From Red Hat Security Advisory 2015:1135 : Updated php packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way the PHP module for the Apache httpd web server handled pipelined requests. A remote attacker could use this flaw to trigger the execution of a PHP script in a deinitialized interpreter, causing it to crash or, possibly, execute arbitrary code. (CVE-2015-3330) A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. (CVE-2015-4024) An uninitialized pointer use flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 84351 published 2015-06-24 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84351 title Oracle Linux 7 : php (ELSA-2015-1135) NASL family Scientific Linux Local Security Checks NASL id SL_20150709_PHP_ON_SL6_X.NASL description A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. (CVE-2015-4024) An uninitialized pointer use flaw was found in PHP last seen 2020-03-18 modified 2015-07-13 plugin id 84661 published 2015-07-13 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84661 title Scientific Linux Security Update : php on SL6.x i386/x86_64 (20150709) NASL family MacOS X Local Security Checks NASL id MACOSX_10_11.NASL description The remote host is running a version of Mac OS X that is 10.6.8 or later but prior to 10.11. It is, therefore, affected by multiple vulnerabilities in the following components : - Address Book - AirScan - apache_mod_php - Apple Online Store Kit - AppleEvents - Audio - bash - Certificate Trust Policy - CFNetwork Cookies - CFNetwork FTPProtocol - CFNetwork HTTPProtocol - CFNetwork Proxies - CFNetwork SSL - CoreCrypto - CoreText - Dev Tools - Disk Images - dyld - EFI - Finder - Game Center - Heimdal - ICU - Install Framework Legacy - Intel Graphics Driver - IOAudioFamily - IOGraphics - IOHIDFamily - IOStorageFamily - Kernel - libc - libpthread - libxpc - Login Window - lukemftpd - Mail - Multipeer Connectivity - NetworkExtension - Notes - OpenSSH - OpenSSL - procmail - remote_cmds - removefile - Ruby - Safari - Safari Downloads - Safari Extensions - Safari Safe Browsing - Security - SMB - SQLite - Telephony - Terminal - tidy - Time Machine - WebKit - WebKit CSS - WebKit JavaScript Bindings - WebKit Page Loading - WebKit Plug-ins Note that successful exploitation of the most serious issues can result in arbitrary code execution. last seen 2020-06-01 modified 2020-06-02 plugin id 86270 published 2015-10-05 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/86270 title Mac OS X < 10.11 Multiple Vulnerabilities (GHOST) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2015-1135.NASL description Updated php packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way the PHP module for the Apache httpd web server handled pipelined requests. A remote attacker could use this flaw to trigger the execution of a PHP script in a deinitialized interpreter, causing it to crash or, possibly, execute arbitrary code. (CVE-2015-3330) A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. (CVE-2015-4024) An uninitialized pointer use flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 84355 published 2015-06-24 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84355 title RHEL 7 : php (RHSA-2015:1135) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2015-1135.NASL description Updated php packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way the PHP module for the Apache httpd web server handled pipelined requests. A remote attacker could use this flaw to trigger the execution of a PHP script in a deinitialized interpreter, causing it to crash or, possibly, execute arbitrary code. (CVE-2015-3330) A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. (CVE-2015-4024) An uninitialized pointer use flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 84345 published 2015-06-24 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84345 title CentOS 7 : php (CESA-2015:1135) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-1638-1.NASL description This update for php53 to version 5.3.17 fixes the following issues : These security issues were fixed : - CVE-2016-5093: get_icu_value_internal out-of-bounds read (bnc#982010). - CVE-2016-5094: Don last seen 2020-06-01 modified 2020-06-02 plugin id 93161 published 2016-08-29 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93161 title SUSE SLES11 Security Update : php53 (SUSE-SU-2016:1638-1) (BACKRONYM) NASL family Web Servers NASL id HPSMH_7_5.NASL description According to the web server last seen 2020-06-01 modified 2020-06-02 plugin id 84923 published 2015-07-22 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/84923 title HP System Management Homepage 7.3.x / 7.4.x < 7.5.0 Multiple Vulnerabilities (FREAK) NASL family SuSE Local Security Checks NASL id OPENSUSE-2015-295.NASL description PHP was updated to fix three security issues. The following vulnerabilities were fixed : - use-after-free vulnerability in the process_nested_data function (CVE-2015-2787 bnc#924972) - unserialize SoapClient type confusion (bnc#925109) - move_uploaded_file truncates a pathNAME upon encountering a x00 character (CVE-2015-2348 bnc#924970) last seen 2020-06-05 modified 2015-04-09 plugin id 82653 published 2015-04-09 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82653 title openSUSE Security Update : php5 (openSUSE-2015-295) NASL family SuSE Local Security Checks NASL id SUSE_SU-2015-0868-1.NASL description PHP was updated to fix ten security issues. The following vulnerabilities were fixed : - CVE-2014-9709: A specially crafted GIF file could cause a buffer read overflow in php-gd (bnc#923946) - CVE-2015-2301: Memory was use after it was freed in PHAR (bnc#922022) - CVE-2015-2305: heap overflow vulnerability in regcomp.c (bnc#922452) - CVE-2014-9705: heap buffer overflow in Enchant (bnc#922451) - CVE-2015-2787: use-after-free vulnerability in the process_nested_data function (bnc#924972) - unserialize SoapClient type confusion (bnc#925109) - CVE-2015-2348: move_uploaded_file truncates a pathNAME upon encountering a x00 character (bnc#924970) - CVE-2015-3330: Specially crafted PHAR files could, when executed under Apache httpd 2.4 (apache2handler), allow arbitrary code execution (bnc#928506) - CVE-2015-3329: Specially crafted PHAR data could lead to disclosure of sensitive information due to a buffer overflow (bnc#928506) - CVE-2015-2783: Specially crafted PHAR data could lead to disclosure of sensitive information due to a buffer over-read (bnc#928511) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-24 modified 2019-01-02 plugin id 119964 published 2019-01-02 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119964 title SUSE SLES12 Security Update : php5 (SUSE-SU-2015:0868-1) NASL family MacOS X Local Security Checks NASL id MACOSX_10_10_5.NASL description The remote host is running a version of Mac OS X 10.10.x that is prior to 10.10.5. It is, therefore, affected by multiple vulnerabilities in the following components : - apache - apache_mod_php - Apple ID OD Plug-in - AppleGraphicsControl - Bluetooth - bootp - CloudKit - CoreMedia Playback - CoreText - curl - Data Detectors Engine - Date & Time pref pane - Dictionary Application - DiskImages - dyld - FontParser - groff - ImageIO - Install Framework Legacy - IOFireWireFamily - IOGraphics - IOHIDFamily - Kernel - Libc - Libinfo - libpthread - libxml2 - libxpc - mail_cmds - Notification Center OSX - ntfs - OpenSSH - OpenSSL - perl - PostgreSQL - python - QL Office - Quartz Composer Framework - Quick Look - QuickTime 7 - SceneKit - Security - SMBClient - Speech UI - sudo - tcpdump - Text Formats - udf Note that successful exploitation of the most serious issues can result in arbitrary code execution. last seen 2020-06-01 modified 2020-06-02 plugin id 85408 published 2015-08-17 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/85408 title Mac OS X 10.10.x < 10.10.5 Multiple Vulnerabilities NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2572-1.NASL description It was discovered that PHP incorrectly handled cleanup when used with Apache 2.4. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-3330) It was discovered that PHP incorrectly handled opening tar, zip or phar archives through the PHAR extension. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-3329) It was discovered that PHP incorrectly handled regular expressions. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-2305) Paulos Yibelo discovered that PHP incorrectly handled moving files when a pathname contained a null character. A remote attacker could use this issue to possibly bypass filename restrictions. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-2348) It was discovered that PHP incorrectly handled unserializing PHAR files. A remote attacker could use this issue to cause PHP to possibly expose sensitive information. (CVE-2015-2783) Taoguang Chen discovered that PHP incorrectly handled unserializing certain objects. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-2787). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 82911 published 2015-04-21 reporter Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/82911 title Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS / 14.10 : php5 vulnerabilities (USN-2572-1) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2015-1218.NASL description Updated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. (CVE-2015-4024) An uninitialized pointer use flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 84660 published 2015-07-13 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84660 title RHEL 6 : php (RHSA-2015:1218) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-212.NASL description CVE-2014-9705 Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries. CVE-2015-0232 The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free and application crash) via crafted EXIF data in a JPEG image. CVE-2015-2301 Use-after-free vulnerability in the phar_rename_archive function in phar_object.c in PHP before 5.5.22 and 5.6.x before 5.6.6 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an attempted renaming of a Phar archive to the name of an existing file. CVE-2015-2331 Integer overflow in the _zip_cdir_new function in zip_dirent.c in libzip 0.11.2 and earlier, as used in the ZIP extension in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a ZIP archive that contains many entries, leading to a heap-based buffer overflow. CVE-2015-2783 Buffer Over-read in unserialize when parsing Phar CVE-2015-2787 Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages use of the unset function within an __wakeup function, a related issue to CVE-2015-0231. CVE-2015-3329 Buffer Overflow when parsing tar/zip/phar in phar_set_inode) CVE-2015-3330 PHP potential remote code execution with apache 2.4 apache2handler CVE-2015-temp-68819 denial of service when processing a crafted file with Fileinfo NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2015-04-30 plugin id 83144 published 2015-04-30 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83144 title Debian DLA-212-1 : php5 security update NASL family MacOS X Local Security Checks NASL id MACOSX_SECUPD2015-006.NASL description The remote host is running a version of Mac OS X 10.8.5 or 10.9.5 that is missing Security Update 2015-006. It is, therefore, affected by multiple vulnerabilities in the following components : - apache - apache_mod_php - CoreText - FontParser - Libinfo - libxml2 - OpenSSL - perl - PostgreSQL - QL Office - Quartz Composer Framework - QuickTime 7 - SceneKit Note that successful exploitation of the most serious issues can result in arbitrary code execution. last seen 2020-06-01 modified 2020-06-02 plugin id 85409 published 2015-08-17 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85409 title Mac OS X Multiple Vulnerabilities (Security Update 2015-006) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3198.NASL description Multiple vulnerabilities have been discovered in the PHP language : - CVE-2015-2301 Use-after-free in the phar extension. - CVE-2015-2331 Emmanuel Law discovered an integer overflow in the processing of ZIP archives, resulting in denial of service or potentially the execution of arbitrary code. last seen 2020-03-17 modified 2015-03-23 plugin id 81982 published 2015-03-23 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/81982 title Debian DSA-3198-1 : php5 - security update NASL family CGI abuses NASL id PHP_5_5_23.NASL description According to its banner, the version of PHP 5.5.x installed on the remote host is prior to 5.5.23. It is, therefore, affected by multiple vulnerabilities : - A use-after-free error exists related to function last seen 2020-06-01 modified 2020-06-02 plugin id 82026 published 2015-03-24 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/82026 title PHP 5.5.x < 5.5.23 Multiple Vulnerabilities NASL family Scientific Linux Local Security Checks NASL id SL_20150623_PHP_ON_SL7_X.NASL description A flaw was found in the way the PHP module for the Apache httpd web server handled pipelined requests. A remote attacker could use this flaw to trigger the execution of a PHP script in a deinitialized interpreter, causing it to crash or, possibly, execute arbitrary code. (CVE-2015-3330) A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. (CVE-2015-4024) An uninitialized pointer use flaw was found in PHP last seen 2020-03-18 modified 2015-06-25 plugin id 84394 published 2015-06-25 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84394 title Scientific Linux Security Update : php on SL7.x x86_64 (20150623) NASL family SuSE Local Security Checks NASL id SUSE_SU-2015-1018-1.NASL description PHP 5.3 was updated to fix multiple security issues : bnc#931776: pcntl_exec() does not check path validity (CVE-2015-4026) bnc#931772: overflow in ftp_genlist() resulting in heap overflow (CVE-2015-4022) bnc#931769: memory corruption in phar_parse_tarfile when entry filename starts with NULL (CVE-2015-4021) bnc#931421: multipart/form-data remote denial-of-service vulnerability (CVE-2015-4024) bnc#928511: buffer over-read in unserialize when parsing Phar (CVE-2015-2783) bnc#928506: buffer over flow when parsing tar/zip/phar in phar_set_inode() (CVE-2015-3329) bnc#925109: SoapClient last seen 2020-06-01 modified 2020-06-02 plugin id 84082 published 2015-06-10 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84082 title SUSE SLES11 Security Update : php53 (SUSE-SU-2015:1018-1) NASL family CGI abuses NASL id PHP_7_0_15.NASL description According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.15. It is, therefore, affected by the following vulnerabilities : - A remote code execution vulnerability exists due to a use-after-free error in the unserialize() function that is triggered when using DateInterval input. An unauthenticated, remote attacker can exploit this to dereference already freed memory, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-2787) - A use-after-free error exists that is triggered when handling unserialized object properties. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary code. (CVE-2016-7479) - An integer overflow condition exists in the _zend_hash_init() function in zend_hash.c due to improper validation of unserialized objects. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-5340) - A floating pointer exception flaw exists in the exif_convert_any_to_int() function in exif.c that is triggered when handling TIFF and JPEG image tags. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition. (CVE-2016-10158) - An integer overflow condition exists in the phar_parse_pharfile() function in phar.c due to improper validation when handling phar archives. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition. (CVE-2016-10159) - An off-by-one overflow condition exists in the phar_parse_pharfile() function in phar.c due to improper parsing of phar archives. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition. (CVE-2016-10160) - An out-of-bounds read error exists in the finish_nested_data() function in var_unserializer.c due to improper validation of unserialized data. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition or the disclosure of memory contents. (CVE-2016-10161) - A NULL pointer dereference flaw exists in the php_wddx_pop_element() function in wddx.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition. (CVE-2016-10162) - An signed integer overflow condition exists in gd_io.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to have an unspecified impact. - A type confusion flaw exists that is triggered during the deserialization of specially crafted GMP objects. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition. - A type confusion error exists that is triggered when deserializing ZVAL objects. An unauthenticated, remote attacker can exploit this to execute arbitrary code. - A denial of service vulnerability exists in the bundled GD Graphics Library (LibGD) in the gdImageCreateFromGd2Ctx() function in gd_gd2.c due to improper validation of images. An unauthenticated, remote attacker can exploit this, via a specially crafted image, to crash the process. (CVE-2016-10167) - An integer overflow condition exists in the gd_io.c script of the GD Graphics Library (libgd). An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-10168) - An out-of-bounds read error exists in the phar_parse_pharfile() function in phar.c due to improper parsing of phar archives. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition. (CVE-2017-11147) Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-04-30 modified 2017-01-26 plugin id 96800 published 2017-01-26 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96800 title PHP 7.0.x < 7.0.15 Multiple Vulnerabilities NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2015-1218.NASL description Updated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. (CVE-2015-4024) An uninitialized pointer use flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 84648 published 2015-07-13 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84648 title CentOS 6 : php (CESA-2015:1218) NASL family CGI abuses NASL id PHP_5_4_39.NASL description According to its banner, the version of PHP 5.4.x installed on the remote host is prior to 5.4.39. It is, therefore, affected by multiple vulnerabilities : - A use-after-free error exists related to function last seen 2020-06-01 modified 2020-06-02 plugin id 82025 published 2015-03-24 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/82025 title PHP 5.4.x < 5.4.39 Multiple Vulnerabilities NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1543.NASL description According to the versions of the php packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - A flaws was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.(CVE-2014-8142) - It was found that certain PHP functions did not properly handle file names containing a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions.(CVE-2015-4026) - A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.(CVE-2015-6834) - It was found that certain PHP functions did not properly handle file names containing a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions.(CVE-2015-4025) - An integer overflow flaw was found in the way custom objects were unserialized. Specially crafted input processed by the unserialize() function could cause a PHP application to crash.(CVE-2014-3669) - It was found that PHP move_uploaded_file() function did not properly handle file names with a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions.(CVE-2015-2348) - An integer overflow flaw leading to a heap-based buffer overflow was found in the way PHP last seen 2020-06-01 modified 2020-06-02 plugin id 124996 published 2019-05-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124996 title EulerOS Virtualization 3.0.1.0 : php (EulerOS-SA-2019-1543)
Redhat
| advisories |
| ||||||||||||||||
| rpms |
|
References
- http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
- http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html
- http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00005.html
- http://lists.opensuse.org/opensuse-updates/2015-04/msg00015.html
- http://marc.info/?l=bugtraq&m=143748090628601&w=2
- http://marc.info/?l=bugtraq&m=144050155601375&w=2
- http://php.net/ChangeLog-5.php
- http://rhn.redhat.com/errata/RHSA-2015-1053.html
- http://rhn.redhat.com/errata/RHSA-2015-1066.html
- http://rhn.redhat.com/errata/RHSA-2015-1135.html
- http://rhn.redhat.com/errata/RHSA-2015-1218.html
- http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
- http://www.securityfocus.com/bid/73431
- http://www.securitytracker.com/id/1032485
- http://www.ubuntu.com/usn/USN-2572-1
- https://bugs.php.net/bug.php?id=68976
- https://gist.github.com/smalyshev/eea9eafc7c88a4a6d10d
- https://security.gentoo.org/glsa/201606-10
- https://support.apple.com/HT205267
- https://support.apple.com/kb/HT205031