Vulnerabilities > CVE-2015-8865 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

047910
CVSS 7.3 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
php
apple
CWE-119
nessus

Summary

The file_check_mem function in funcs.c in file before 5.23, as used in the Fileinfo component in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5, mishandles continuation-level jumps, which allows context-dependent attackers to cause a denial of service (buffer overflow and application crash) or possibly execute arbitrary code via a crafted magic file.

Vulnerable Configurations

Part Description Count
Application
Php
744
OS
Apple
99

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-499.NASL
    description - CVE-2015-8865 The file_check_mem function in funcs.c in file before 5.23, as used in the Fileinfo component in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5, mishandles continuation-level jumps, which allows context-dependent attackers to cause a denial of service (buffer overflow and application crash) or possibly execute arbitrary code via a crafted magic file. - CVE-2015-8866 libxml_disable_entity_loader setting is shared between threads ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161. - CVE-2015-8878 main/php_open_temporary_file.c in PHP before 5.5.28 and 5.6.x before 5.6.12 does not ensure thread safety, which allows remote attackers to cause a denial of service (race condition and heap memory corruption) by leveraging an application that performs many temporary-file accesses. - CVE-2015-8879 The odbc_bindcols function in ext/odbc/php_odbc.c in PHP before 5.6.12 mishandles driver behavior for SQL_WVARCHAR columns, which allows remote attackers to cause a denial of service (application crash) in opportunistic circumstances by leveraging use of the odbc_fetch_array function to access a certain type of Microsoft SQL Server table. - CVE-2016-4070 Integer overflow in the php_raw_url_encode function in ext/standard/url.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to cause a denial of service (application crash) via a long string to the rawurlencode function. - CVE-2016-4071 Format string vulnerability in the php_snmp_error function in ext/snmp/snmp.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via format string specifiers in an SNMP::get call. - CVE-2016-4072 The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c. - CVE-2016-4073 Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call. - CVE-2016-4343 The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files, which allows remote attackers to cause a denial of service (uninitialized pointer dereference) or possibly have unspecified other impact via a crafted TAR archive. - CVE-2016-4537 The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 accepts a negative integer for the scale argument, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call. - CVE-2016-4539 The xml_parse_into_struct function in ext/xml/xml.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (buffer under-read and segmentation fault) or possibly have unspecified other impact via crafted XML data in the second argument, leading to a parser level of zero. - CVE-2016-4540 - CVE-2016-4541 The grapheme_strpos function in ext/intl/grapheme/grapheme_string.c in before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a negative offset. - CVE-2016-4542 - CVE-2016-4543 - CVE-2016-4544 The exif_process_* function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate IFD sizes, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2016-06-01
    plugin id91397
    published2016-06-01
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91397
    titleDebian DLA-499-1 : php5 security update
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-499-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(91397);
      script_version("2.12");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2015-8865", "CVE-2015-8866", "CVE-2015-8878", "CVE-2015-8879", "CVE-2016-4070", "CVE-2016-4071", "CVE-2016-4072", "CVE-2016-4073", "CVE-2016-4343", "CVE-2016-4537", "CVE-2016-4539", "CVE-2016-4540", "CVE-2016-4541", "CVE-2016-4542", "CVE-2016-4543", "CVE-2016-4544");
    
      script_name(english:"Debian DLA-499-1 : php5 security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "  - CVE-2015-8865 The file_check_mem function in funcs.c in
        file before 5.23, as used in the Fileinfo component in
        PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before
        7.0.5, mishandles continuation-level jumps, which allows
        context-dependent attackers to cause a denial of service
        (buffer overflow and application crash) or possibly
        execute arbitrary code via a crafted magic file.
    
      - CVE-2015-8866 libxml_disable_entity_loader setting is
        shared between threads ext/libxml/libxml.c in PHP before
        5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used,
        does not isolate each thread from
        libxml_disable_entity_loader changes in other threads,
        which allows remote attackers to conduct XML External
        Entity (XXE) and XML Entity Expansion (XEE) attacks via
        a crafted XML document, a related issue to
        CVE-2015-5161.
    
      - CVE-2015-8878 main/php_open_temporary_file.c in PHP
        before 5.5.28 and 5.6.x before 5.6.12 does not ensure
        thread safety, which allows remote attackers to cause a
        denial of service (race condition and heap memory
        corruption) by leveraging an application that performs
        many temporary-file accesses.
    
      - CVE-2015-8879 The odbc_bindcols function in
        ext/odbc/php_odbc.c in PHP before 5.6.12 mishandles
        driver behavior for SQL_WVARCHAR columns, which allows
        remote attackers to cause a denial of service
        (application crash) in opportunistic circumstances by
        leveraging use of the odbc_fetch_array function to
        access a certain type of Microsoft SQL Server table.
    
      - CVE-2016-4070 Integer overflow in the php_raw_url_encode
        function in ext/standard/url.c in PHP before 5.5.34,
        5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote
        attackers to cause a denial of service (application
        crash) via a long string to the rawurlencode function.
    
      - CVE-2016-4071 Format string vulnerability in the
        php_snmp_error function in ext/snmp/snmp.c in PHP before
        5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows
        remote attackers to execute arbitrary code via format
        string specifiers in an SNMP::get call.
    
      - CVE-2016-4072 The Phar extension in PHP before 5.5.34,
        5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote
        attackers to execute arbitrary code via a crafted
        filename, as demonstrated by mishandling of \0
        characters by the phar_analyze_path function in
        ext/phar/phar.c.
    
      - CVE-2016-4073 Multiple integer overflows in the
        mbfl_strcut function in
        ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before
        5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow
        remote attackers to cause a denial of service
        (application crash) or possibly execute arbitrary code
        via a crafted mb_strcut call.
    
      - CVE-2016-4343 The phar_make_dirstream function in
        ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before
        7.0.3 mishandles zero-size ././@LongLink files, which
        allows remote attackers to cause a denial of service
        (uninitialized pointer dereference) or possibly have
        unspecified other impact via a crafted TAR archive.
    
      - CVE-2016-4537 The bcpowmod function in
        ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before
        5.6.21, and 7.x before 7.0.6 accepts a negative integer
        for the scale argument, which allows remote attackers to
        cause a denial of service or possibly have unspecified
        other impact via a crafted call.
    
      - CVE-2016-4539 The xml_parse_into_struct function in
        ext/xml/xml.c in PHP before 5.5.35, 5.6.x before 5.6.21,
        and 7.x before 7.0.6 allows remote attackers to cause a
        denial of service (buffer under-read and segmentation
        fault) or possibly have unspecified other impact via
        crafted XML data in the second argument, leading to a
        parser level of zero.
    
      - CVE-2016-4540
    
      - CVE-2016-4541 The grapheme_strpos function in
        ext/intl/grapheme/grapheme_string.c in before 5.5.35,
        5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote
        attackers to cause a denial of service (out-of-bounds
        read) or possibly have unspecified other impact via a
        negative offset.
    
      - CVE-2016-4542
    
      - CVE-2016-4543
    
      - CVE-2016-4544 The exif_process_* function in
        ext/exif/exif.c in PHP before 5.5.35, 5.6.x before
        5.6.21, and 7.x before 7.0.6 does not validate IFD
        sizes, which allows remote attackers to cause a denial
        of service (out-of-bounds read) or possibly have
        unspecified other impact via crafted header data.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2016/05/msg00053.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/wheezy/php5"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libapache2-mod-php5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libapache2-mod-php5filter");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libphp5-embed");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-pear");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-cgi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-cli");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-curl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-enchant");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-fpm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-gd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-gmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-imap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-interbase");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-intl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-mcrypt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-mysqlnd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-odbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-pgsql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-pspell");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-recode");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-snmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-sqlite");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-sybase");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-tidy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-xmlrpc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-xsl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/05/20");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/05/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/06/01");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"7.0", prefix:"libapache2-mod-php5", reference:"5.4.45-0+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"libapache2-mod-php5filter", reference:"5.4.45-0+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"libphp5-embed", reference:"5.4.45-0+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"php-pear", reference:"5.4.45-0+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"php5", reference:"5.4.45-0+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"php5-cgi", reference:"5.4.45-0+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"php5-cli", reference:"5.4.45-0+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"php5-common", reference:"5.4.45-0+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"php5-curl", reference:"5.4.45-0+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"php5-dbg", reference:"5.4.45-0+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"php5-dev", reference:"5.4.45-0+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"php5-enchant", reference:"5.4.45-0+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"php5-fpm", reference:"5.4.45-0+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"php5-gd", reference:"5.4.45-0+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"php5-gmp", reference:"5.4.45-0+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"php5-imap", reference:"5.4.45-0+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"php5-interbase", reference:"5.4.45-0+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"php5-intl", reference:"5.4.45-0+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"php5-ldap", reference:"5.4.45-0+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"php5-mcrypt", reference:"5.4.45-0+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"php5-mysql", reference:"5.4.45-0+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"php5-mysqlnd", reference:"5.4.45-0+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"php5-odbc", reference:"5.4.45-0+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"php5-pgsql", reference:"5.4.45-0+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"php5-pspell", reference:"5.4.45-0+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"php5-recode", reference:"5.4.45-0+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"php5-snmp", reference:"5.4.45-0+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"php5-sqlite", reference:"5.4.45-0+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"php5-sybase", reference:"5.4.45-0+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"php5-tidy", reference:"5.4.45-0+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"php5-xmlrpc", reference:"5.4.45-0+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"php5-xsl", reference:"5.4.45-0+deb7u3")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyCGI abuses
    NASL idPHP_5_6_20.NASL
    descriptionAccording to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.20. It is, therefore, affected by multiple vulnerabilities : - A buffer over-write condition exists in the finfo_open() function due to improper validation of magic files. An unauthenticated, remote attacker can exploit this, via a crafted file, to cause a denial of service or to execute arbitrary code. - A flaw exists in the php_snmp_error() function within file ext/snmp/snmp.c that is triggered when handling format string specifiers. An unauthenticated, remote attacker can exploit this, via a crafted SNMP object, to cause a denial of service or to execute arbitrary code. - An invalid memory write error exists when handling the path of phar file names that allows an attacker to have an unspecified impact. - A flaw exists in the mbfl_strcut() function within file ext/mbstring/libmbfl/mbfl/mbfilter.c when handling negative parameter values. An unauthenticated, remote attacker can exploit this to cause a denial of service. - An integer overflow condition exists in the php_raw_url_encode() function within file ext/standard/url.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to have an unspecified impact. Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id90361
    published2016-04-06
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/90361
    titlePHP 5.6.x < 5.6.20 Multiple Vulnerabilities
  • NASL familyF5 Networks Local Security Checks
    NASL idF5_BIGIP_SOL54924436.NASL
    descriptionThe file_check_mem function in funcs.c in file before 5.23, as used in the Fileinfo component in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5, mishandles continuation-level jumps, which allows context-dependent attackers to cause a denial of service (buffer overflow and application crash) or possibly execute arbitrary code via a crafted magic file. (CVE-2015-8865)
    last seen2020-03-17
    modified2017-03-01
    plugin id97447
    published2017-03-01
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97447
    titleF5 Networks BIG-IP : PHP vulnerability (K54924436)
  • NASL familyCGI abuses
    NASL idPHP_7_0_5.NASL
    descriptionAccording to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.5. It is, therefore, affected by multiple vulnerabilities : - A buffer over-write condition exists in the finfo_open() function due to improper validation of magic files. An unauthenticated, remote attacker can exploit this, via a crafted file, to cause a denial of service or to execute arbitrary code. - A flaw exists in the php_snmp_error() function within file ext/snmp/snmp.c that is triggered when handling format string specifiers. An unauthenticated, remote attacker can exploit this, via a crafted SNMP object, to cause a denial of service or to execute arbitrary code. - An invalid memory write error exists when handling the path of phar file names that allows an attacker to have an unspecified impact. - A flaw exists in the mbfl_strcut() function within file ext/mbstring/libmbfl/mbfl/mbfilter.c when handling negative parameter values. An unauthenticated, remote attacker can exploit this to cause a denial of service. - An integer overflow condition exists in the php_raw_url_encode() function within file ext/standard/url.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to have an unspecified impact. Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id90362
    published2016-04-06
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/90362
    titlePHP 7.0.x < 7.0.5 Multiple Vulnerabilities
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-460.NASL
    descriptionA malformed magic file could trigger a segmentation fault and thus crash applications due to a buffer over-write in the file_check_mem function. For Debian 7
    last seen2020-03-17
    modified2016-05-09
    plugin id90944
    published2016-05-09
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/90944
    titleDebian DLA-460-1 : file security update
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201701-42.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201701-42 (file: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in file. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could entice a user or automated system to process a specially crafted input file, possibly resulting in execution of arbitrary code with the privileges of the process, a Denial of Service condition or have other unspecified impacts. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id96576
    published2017-01-18
    reporterThis script is Copyright (C) 2017 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/96576
    titleGLSA-201701-42 : file: Multiple vulnerabilities
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3560.NASL
    descriptionSeveral vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development. The vulnerabilities are addressed by upgrading PHP to the new upstream version 5.6.20, which includes additional bug fixes. Please refer to the upstream changelog for more information : - https://php.net/ChangeLog-5.php#5.6.20
    last seen2020-06-01
    modified2020-06-02
    plugin id90768
    published2016-04-28
    reporterThis script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/90768
    titleDebian DSA-3560-1 : php5 - security update
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1795.NASL
    descriptionAccording to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The file_check_mem function in funcs.c in file before 5.23, as used in the Fileinfo component in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5, mishandles continuation-level jumps, which allows context-dependent attackers to cause a denial of service (buffer overflow and application crash) or possibly execute arbitrary code via a crafted magic file.(CVE-2015-8865) - The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 accepts a negative integer for the scale argument, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call.(CVE-2016-4537) - The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 modifies certain data structures without considering whether they are copies of the _zero_, _one_, or _two_ global variable, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call.(CVE-2016-4538) - Integer overflow in the fread function in ext/standard/file.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large integer in the second argument.(CVE-2016-5096) - An out-of-bounds write flaw was found in the fpm_log_write() logging function of PHP
    last seen2020-05-06
    modified2019-08-23
    plugin id128087
    published2019-08-23
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128087
    titleEulerOS 2.0 SP5 : php (EulerOS-SA-2019-1795)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3686-1.NASL
    descriptionAlexander Cherepanov discovered that file incorrectly handled a large number of notes. An attacker could use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-9620) Alexander Cherepanov discovered that file incorrectly handled certain long strings. An attacker could use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-9620) Alexander Cherepanov discovered that file incorrectly handled certain malformed ELF files. An attacker could use this issue to cause a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-9653) It was discovered that file incorrectly handled certain magic files. An attacker could use this issue with a specially crafted magic file to cause a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2015-8865) It was discovered that file incorrectly handled certain malformed ELF files. An attacker could use this issue to cause a denial of service. (CVE-2018-10360). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id110552
    published2018-06-15
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110552
    titleUbuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : file vulnerabilities (USN-3686-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1865.NASL
    descriptionAccording to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An out-of-bounds write flaw was found in the fpm_log_write() logging function of PHP
    last seen2020-05-08
    modified2019-09-17
    plugin id128917
    published2019-09-17
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128917
    titleEulerOS 2.0 SP2 : php (EulerOS-SA-2019-1865)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201611-22.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201611-22 (PHP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details. Impact : An attacker can possibly execute arbitrary code or create a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id95421
    published2016-12-01
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95421
    titleGLSA-201611-22 : PHP: Multiple vulnerabilities (httpoxy)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2984-1.NASL
    descriptionIt was discovered that the PHP Fileinfo component incorrectly handled certain magic files. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2015-8865) Hans Jerry Illikainen discovered that the PHP Zip extension incorrectly handled certain malformed Zip archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-3078) It was discovered that PHP incorrectly handled invalid indexes in the SplDoublyLinkedList class. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-3132) It was discovered that the PHP rawurlencode() function incorrectly handled large strings. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-4070) It was discovered that the PHP php_snmp_error() function incorrectly handled string formatting. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-4071) It was discovered that the PHP phar extension incorrectly handled certain filenames in archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-4072) It was discovered that the PHP mb_strcut() function incorrectly handled string formatting. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-4073) It was discovered that the PHP phar extension incorrectly handled certain archive files. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2016-4342, CVE-2016-4343) It was discovered that the PHP bcpowmod() function incorrectly handled memory. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-4537, CVE-2016-4538) It was discovered that the PHP XML parser incorrectly handled certain malformed XML data. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-4539) It was discovered that certain PHP grapheme functions incorrectly handled negative offsets. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2016-4540, CVE-2016-4541) It was discovered that PHP incorrectly handled certain malformed EXIF tags. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2016-4542, CVE-2016-4543, CVE-2016-4544). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id91320
    published2016-05-25
    reporterUbuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91320
    titleUbuntu 12.04 LTS / 14.04 LTS / 15.10 / 16.04 LTS : php5, php7.0 vulnerabilities (USN-2984-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2043.NASL
    descriptionAccording to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.(CVE-2019-11040) - When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.(CVE-2019-11042) - When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.(CVE-2019-11041) - The openssl_random_pseudo_bytes function in ext/openssl/openssl.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 incorrectly relies on the deprecated RAND_pseudo_bytes function, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors.(CVE-2015-8867) - A flaw was found in the way the way PHP
    last seen2020-05-08
    modified2019-09-24
    plugin id129236
    published2019-09-24
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129236
    titleEulerOS 2.0 SP3 : php (EulerOS-SA-2019-2043)
  • NASL familyCGI abuses
    NASL idPHP_5_5_34.NASL
    descriptionAccording to its banner, the version of PHP running on the remote web server is 5.5.x prior to 5.5.34. It is, therefore, affected by multiple vulnerabilities : - A buffer over-write condition exists in the finfo_open() function due to improper validation of magic files. An unauthenticated, remote attacker can exploit this, via a crafted file, to cause a denial of service or to execute arbitrary code. (CVE-2015-8865) - An integer overflow condition exists in the php_raw_url_encode() function within file ext/standard/url.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to have an unspecified impact. (CVE-2016-4070) - A flaw exists in the php_snmp_error() function within file ext/snmp/snmp.c that is triggered when handling format string specifiers. An unauthenticated, remote attacker can exploit this, via a crafted SNMP object, to cause a denial of service or to execute arbitrary code. (CVE-2016-4071) - An invalid memory write error exists when handling the path of phar file names that allows an attacker to have an unspecified impact. (CVE-2016-4072) - A flaw exists in the mbfl_strcut() function within file ext/mbstring/libmbfl/mbfl/mbfilter.c when handling negative parameter values. An unauthenticated, remote attacker can exploit this to cause a denial of service. (CVE-2016-4073) Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id90360
    published2016-04-06
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/90360
    titlePHP 5.5.x < 5.5.34 Multiple Vulnerabilities
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2016-698.NASL
    descriptionThe following security-related issues were resolved : Buffer over-write in finfo_open with malformed magic file (CVE-2015-8865) Signedness vulnerability causing heap overflow in libgd (CVE-2016-3074) Integer overflow in php_raw_url_encode (CVE-2016-4070) Format string vulnerability in php_snmp_error() (CVE-2016-4071) Invalid memory write in phar on filename containing \\0 inside name (CVE-2016-4072) Negative size parameter in memcpy (CVE-2016-4073)
    last seen2020-06-01
    modified2020-06-02
    plugin id90867
    published2016-05-04
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/90867
    titleAmazon Linux AMI : php56 / php55 (ALAS-2016-698)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1928.NASL
    descriptionAccording to the versions of the php packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - A flaw was found in the way the way PHP
    last seen2020-06-01
    modified2020-06-02
    plugin id128931
    published2019-09-17
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128931
    titleEulerOS Virtualization for ARM 64 3.0.2.0 : php (EulerOS-SA-2019-1928)

Redhat

advisories
rhsa
idRHSA-2016:2750
rpms
  • rh-php56-0:2.3-1.el6
  • rh-php56-0:2.3-1.el7
  • rh-php56-php-0:5.6.25-1.el6
  • rh-php56-php-0:5.6.25-1.el7
  • rh-php56-php-bcmath-0:5.6.25-1.el6
  • rh-php56-php-bcmath-0:5.6.25-1.el7
  • rh-php56-php-cli-0:5.6.25-1.el6
  • rh-php56-php-cli-0:5.6.25-1.el7
  • rh-php56-php-common-0:5.6.25-1.el6
  • rh-php56-php-common-0:5.6.25-1.el7
  • rh-php56-php-dba-0:5.6.25-1.el6
  • rh-php56-php-dba-0:5.6.25-1.el7
  • rh-php56-php-dbg-0:5.6.25-1.el6
  • rh-php56-php-dbg-0:5.6.25-1.el7
  • rh-php56-php-debuginfo-0:5.6.25-1.el6
  • rh-php56-php-debuginfo-0:5.6.25-1.el7
  • rh-php56-php-devel-0:5.6.25-1.el6
  • rh-php56-php-devel-0:5.6.25-1.el7
  • rh-php56-php-embedded-0:5.6.25-1.el6
  • rh-php56-php-embedded-0:5.6.25-1.el7
  • rh-php56-php-enchant-0:5.6.25-1.el6
  • rh-php56-php-enchant-0:5.6.25-1.el7
  • rh-php56-php-fpm-0:5.6.25-1.el6
  • rh-php56-php-fpm-0:5.6.25-1.el7
  • rh-php56-php-gd-0:5.6.25-1.el6
  • rh-php56-php-gd-0:5.6.25-1.el7
  • rh-php56-php-gmp-0:5.6.25-1.el6
  • rh-php56-php-gmp-0:5.6.25-1.el7
  • rh-php56-php-imap-0:5.6.25-1.el6
  • rh-php56-php-intl-0:5.6.25-1.el6
  • rh-php56-php-intl-0:5.6.25-1.el7
  • rh-php56-php-ldap-0:5.6.25-1.el6
  • rh-php56-php-ldap-0:5.6.25-1.el7
  • rh-php56-php-mbstring-0:5.6.25-1.el6
  • rh-php56-php-mbstring-0:5.6.25-1.el7
  • rh-php56-php-mysqlnd-0:5.6.25-1.el6
  • rh-php56-php-mysqlnd-0:5.6.25-1.el7
  • rh-php56-php-odbc-0:5.6.25-1.el6
  • rh-php56-php-odbc-0:5.6.25-1.el7
  • rh-php56-php-opcache-0:5.6.25-1.el6
  • rh-php56-php-opcache-0:5.6.25-1.el7
  • rh-php56-php-pdo-0:5.6.25-1.el6
  • rh-php56-php-pdo-0:5.6.25-1.el7
  • rh-php56-php-pear-1:1.9.5-4.el6
  • rh-php56-php-pear-1:1.9.5-4.el7
  • rh-php56-php-pgsql-0:5.6.25-1.el6
  • rh-php56-php-pgsql-0:5.6.25-1.el7
  • rh-php56-php-process-0:5.6.25-1.el6
  • rh-php56-php-process-0:5.6.25-1.el7
  • rh-php56-php-pspell-0:5.6.25-1.el6
  • rh-php56-php-pspell-0:5.6.25-1.el7
  • rh-php56-php-recode-0:5.6.25-1.el6
  • rh-php56-php-recode-0:5.6.25-1.el7
  • rh-php56-php-snmp-0:5.6.25-1.el6
  • rh-php56-php-snmp-0:5.6.25-1.el7
  • rh-php56-php-soap-0:5.6.25-1.el6
  • rh-php56-php-soap-0:5.6.25-1.el7
  • rh-php56-php-tidy-0:5.6.25-1.el6
  • rh-php56-php-xml-0:5.6.25-1.el6
  • rh-php56-php-xml-0:5.6.25-1.el7
  • rh-php56-php-xmlrpc-0:5.6.25-1.el6
  • rh-php56-php-xmlrpc-0:5.6.25-1.el7
  • rh-php56-runtime-0:2.3-1.el6
  • rh-php56-runtime-0:2.3-1.el7
  • rh-php56-scldevel-0:2.3-1.el6
  • rh-php56-scldevel-0:2.3-1.el7

References