Vulnerabilities > CVE-2016-2554 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in PHP
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Stack-based buffer overflow in ext/phar/tar.c in PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TAR archive.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_85EB4E46CF1611E5840F485D605F4717.NASL description PHP reports : - Core : - Fixed bug #71039 (exec functions ignore length but look for NULL termination). - Fixed bug #71323 (Output of stream_get_meta_data can be falsified by its input). - Fixed bug #71459 (Integer overflow in iptcembed()). - PCRE : - Upgraded bundled PCRE library to 8.38.(CVE-2015-8383, CVE-2015-8386, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394) - Phar : - Fixed bug #71354 (Heap corruption in tar/zip/phar parser). - Fixed bug #71391 (NULL pointer Dereference in phar_tar_setupmetadata()). - Fixed bug #71488 (Stack overflow when decompressing tar archives). (CVE-2016-2554) - WDDX : - Fixed bug #71335 (Type Confusion in WDDX Packet Deserialization). last seen 2020-06-01 modified 2020-06-02 plugin id 88671 published 2016-02-10 reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/88671 title FreeBSD : php -- multiple vulnerabilities (85eb4e46-cf16-11e5-840f-485d605f4717) NASL family CGI abuses NASL id PHP_5_6_18.NASL description According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.18. It is, therefore, affected by multiple vulnerabilities : - The Perl-Compatible Regular Expressions (PCRE) library is affected by multiple vulnerabilities related to the handling of regular expressions, subroutine calls, and binary files. A remote attacker can exploit these to cause a denial of service, obtain sensitive information, or have other unspecified impact. (CVE-2015-8383, CVE-2015-8386, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394) - A flaw exists in file ext/standard/exec.c in the escapeshellcmd() and escapeshellarg() functions due to the program truncating NULL bytes in strings. A remote attacker can exploit this to bypass restrictions. - A flaw exists in file ext/standard/streamsfuncs.c in the stream_get_meta_data() function due to a failure to restrict writing user-supplied data to fields not already set. A remote attacker can exploit this to falsify the output of the function, resulting in the insertion of malicious metadata. - A type confusion error exists in file ext/wddx/wddx.c in the php_wddx_pop_element() function when deserializing WDDX packets. A remote attacker can exploit this to have an unspecified impact. - A flaw exists in file ext/phar/phar_object.c in the PharFileInfo::getContent() method due to the use of uninitialized memory causing improper validation of user-supplied input. A remote attacker can exploit this to corrupt memory, resulting in a denial of service or the execution of arbitrary code. - A NULL pointer dereference flaw exists in file ext/phar/tar.c in the phar_tar_setupmetadata() function when parsing metadata from a crafted TAR file. A remote attacker can exploit this to cause a denial of service. - An integer overflow condition exists in file ext/standard/iptc.c in the iptcembed() function due to improper validation of user-supplied input. A remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service or the execution of arbitrary code. - An overflow condition exists in file ext/phar/tar.c in the phar_parse_tarfile() function due to improper validation of user-supplied input when decompressing TAR files. A remote attacker can exploit this to cause a stack-based buffer overflow, resulting in a denial of service or the execution of arbitrary code. (CVE-2016-2554) Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-03-21 modified 2016-02-11 plugin id 88694 published 2016-02-11 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/88694 title PHP 5.6.x < 5.6.18 Multiple Vulnerabilities NASL family CGI abuses NASL id PHP_7_0_3.NASL description According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.3. It is, therefore, affected by multiple vulnerabilities : - The Perl-Compatible Regular Expressions (PCRE) library is affected by multiple vulnerabilities related to the handling of regular expressions, subroutine calls, and binary files. A remote attacker can exploit these to cause a denial of service, obtain sensitive information, or have other unspecified impact. (CVE-2015-8383, CVE-2015-8386, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394) - A flaw exists in file ext/standard/exec.c in the escapeshellcmd() and escapeshellarg() functions due to the program truncating NULL bytes in strings. A remote attacker can exploit this to bypass restrictions. - A flaw exists in file ext/standard/streamsfuncs.c in the stream_get_meta_data() function due to a failure to restrict writing user-supplied data to fields not already set. A remote attacker can exploit this to falsify the output of the function, resulting in the insertion of malicious metadata. - A type confusion error exists in file ext/wddx/wddx.c in the php_wddx_pop_element() function when deserializing WDDX packets. A remote attacker can exploit this to have an unspecified impact. - A flaw exists in file ext/phar/phar_object.c in the PharFileInfo::getContent() method due to the use of uninitialized memory causing improper validation of user-supplied input. A remote attacker can exploit this to corrupt memory, resulting in a denial of service or the execution of arbitrary code. - A NULL pointer dereference flaw exists in file ext/phar/tar.c in the phar_tar_setupmetadata() function when parsing metadata from a crafted TAR file. A remote attacker can exploit this to cause a denial of service. - An integer overflow condition exists in file ext/standard/iptc.c in the iptcembed() function due to improper validation of user-supplied input. A remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service or the execution of arbitrary code. - An overflow condition exists in file ext/phar/tar.c in the phar_parse_tarfile() function due to improper validation of user-supplied input when decompressing TAR files. A remote attacker can exploit this to cause a stack-based buffer overflow, resulting in a denial of service or the execution of arbitrary code. (CVE-2016-2554) - An uninitialized pointer flaw exists in the phar_make_dirstream() function within file ext/phar/dirstream.c due to improper handling of ././@LongLink files. An unauthenticated, remote attacker can exploit this, via a specially crafted TAR file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-4343) Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 88695 published 2016-02-11 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/88695 title PHP 7.0.x < 7.0.3 Multiple Vulnerabilities NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-517.NASL description This update for php5 fixes the following security issues : - CVE-2015-8838: mysqlnd was vulnerable to BACKRONYM (bnc#973792). - CVE-2015-8835: SoapClient s_call method suffered from a type confusion issue that could have lead to crashes [bsc#973351] - CVE-2016-2554: A NULL pointer dereference in phar_get_fp_offset could lead to crashes. [bsc#968284] Note: we do not ship the phar extension currently, so we are not affected. - CVE-2016-3141: A use-after-free / double-free in the WDDX deserialization could lead to crashes or potential code execution. [bsc#969821] - CVE-2016-3142: An Out-of-bounds read in phar_parse_zipfile() could lead to crashes. [bsc#971912] Note: we do not ship the phar extension currently, so we are not affected. - CVE-2014-9767: A directory traversal when extracting zip files was fixed that could lead to overwritten files. [bsc#971612] - CVE-2016-3185: A type confusion vulnerability in make_http_soap_request() could lead to crashes or potentially code execution. [bsc#971611] This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-05 modified 2016-04-29 plugin id 90782 published 2016-04-29 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/90782 title openSUSE Security Update : php5 (openSUSE-2016-517) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-818.NASL description Several issues have been discovered in PHP (recursive acronym for PHP: Hypertext Preprocessor), a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML. - CVE-2016-2554 Stack-based buffer overflow in ext/phar/tar.c allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TAR archive. - CVE-2016-3141 Use-after-free vulnerability in wddx.c in the WDDX extension allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact by triggering a wddx_deserialize call on XML data containing a crafted var element. - CVE-2016-3142 The phar_parse_zipfile function in zip.c in the PHAR extension in PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and application crash) by placing a PK\x05\x06 signature at an invalid location. - CVE-2016-4342 ext/phar/phar_object.c in PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3 mishandles zero-length uncompressed data, which allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted (1) TAR, (2) ZIP, or (3) PHAR archive. - CVE-2016-9934 ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted serialized data in a wddxPacket XML document, as demonstrated by a PDORow string. - CVE-2016-9935 The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have unspecified other impact via an empty boolean element in a wddxPacket XML document. - CVE-2016-10158 The exif_convert_any_to_int function in ext/exif/exif.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (application crash) via crafted EXIF data that triggers an attempt to divide the minimum representable negative integer by -1. - CVE-2016-10159 Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory consumption or application crash) via a truncated manifest entry in a PHAR archive. - CVE-2016-10160 Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PHAR archive with an alias mismatch. - CVE-2016-10161 The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finish_nested_data call. - BUG-71323.patch Output of stream_get_meta_data can be falsified by its input - BUG-70979.patch Crash on bad SOAP request - BUG-71039.patch exec functions ignore length but look for NULL termination - BUG-71459.patch Integer overflow in iptcembed() - BUG-71391.patch NULL pointer Dereference in phar_tar_setupmetadata() - BUG-71335.patch Type confusion vulnerability in WDDX packet deserialization For Debian 7 last seen 2020-03-17 modified 2017-02-08 plugin id 97052 published 2017-02-08 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/97052 title Debian DLA-818-1 : php5 security update NASL family CGI abuses NASL id PHP_5_5_32.NASL description According to its banner, the version of PHP running on the remote web server is 5.5.x prior to 5.5.32. It is, therefore, affected by multiple vulnerabilities : - The Perl-Compatible Regular Expressions (PCRE) library is affected by multiple vulnerabilities related to the handling of regular expressions, subroutine calls, and binary files. A remote attacker can exploit these to cause a denial of service, obtain sensitive information, or have other unspecified impact. (CVE-2015-8383, CVE-2015-8386, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394) - A flaw exists in file ext/standard/exec.c in the escapeshellcmd() and escapeshellarg() functions due to the program truncating NULL bytes in strings. A remote attacker can exploit this to bypass restrictions. - A flaw exists in file ext/standard/streamsfuncs.c in the stream_get_meta_data() function due to a failure to restrict writing user-supplied data to fields not already set. A remote attacker can exploit this to falsify the output of the function, resulting in the insertion of malicious metadata. - A type confusion error exists in file ext/wddx/wddx.c in the php_wddx_pop_element() function when deserializing WDDX packets. A remote attacker can exploit this to have an unspecified impact. - A flaw exists in file ext/phar/phar_object.c in the PharFileInfo::getContent() method due to the use of uninitialized memory causing improper validation of user-supplied input. A remote attacker can exploit this to corrupt memory, resulting in a denial of service or the execution of arbitrary code. - A NULL pointer dereference flaw exists in file ext/phar/tar.c in the phar_tar_setupmetadata() function when parsing metadata from a crafted TAR file. A remote attacker can exploit this to cause a denial of service. - An integer overflow condition exists in file ext/standard/iptc.c in the iptcembed() function due to improper validation of user-supplied input. A remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service or the execution of arbitrary code. - An overflow condition exists in file ext/phar/tar.c in the phar_parse_tarfile() function due to improper validation of user-supplied input when decompressing TAR files. A remote attacker can exploit this to cause a stack-based buffer overflow, resulting in a denial of service or the execution of arbitrary code. (CVE-2016-2554) Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 88693 published 2016-02-11 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/88693 title PHP 5.5.x < 5.5.32 Multiple Vulnerabilities NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2016-685.NASL description A stack overflow vulnerability was reported that may occur when decompressing tar archives due to phar_tar_writeheaders() potentially copying non-terminated linknames from entries parsed by phar_parse_tarfile(). last seen 2020-06-01 modified 2020-06-02 plugin id 90513 published 2016-04-14 reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/90513 title Amazon Linux AMI : php56 / php55 (ALAS-2016-685) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-1638-1.NASL description This update for php53 to version 5.3.17 fixes the following issues : These security issues were fixed : - CVE-2016-5093: get_icu_value_internal out-of-bounds read (bnc#982010). - CVE-2016-5094: Don last seen 2020-06-01 modified 2020-06-02 plugin id 93161 published 2016-08-29 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93161 title SUSE SLES11 Security Update : php53 (SUSE-SU-2016:1638-1) (BACKRONYM) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2649.NASL description According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - ** DISPUTED ** Integer overflow in the php_raw_url_encode function in ext/standard/url.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to cause a denial of service (application crash) via a long string to the rawurlencode function. NOTE: the vendor says last seen 2020-05-08 modified 2019-12-18 plugin id 132184 published 2019-12-18 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132184 title EulerOS 2.0 SP3 : php (EulerOS-SA-2019-2649) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-1166-1.NASL description This update for php5 fixes the following security issues : - CVE-2015-8838: mysqlnd was vulnerable to BACKRONYM (bnc#973792). - CVE-2015-8835: SoapClient s_call method suffered from a type confusion issue that could have lead to crashes [bsc#973351] - CVE-2016-2554: A NULL pointer dereference in phar_get_fp_offset could lead to crashes. [bsc#968284] Note: we do not ship the phar extension currently, so we are not affected. - CVE-2016-3141: A use-after-free / double-free in the WDDX deserialization could lead to crashes or potential code execution. [bsc#969821] - CVE-2016-3142: An Out-of-bounds read in phar_parse_zipfile() could lead to crashes. [bsc#971912] Note: we do not ship the phar extension currently, so we are not affected. - CVE-2014-9767: A directory traversal when extracting zip files was fixed that could lead to overwritten files. [bsc#971612] - CVE-2016-3185: A type confusion vulnerability in make_http_soap_request() could lead to crashes or potentially code execution. [bsc#971611] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-24 modified 2019-01-02 plugin id 119975 published 2019-01-02 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119975 title SUSE SLES12 Security Update : php5 (SUSE-SU-2016:1166-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2221.NASL description According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.(CVE-2016-7124) - Stack-based buffer overflow in ext/phar/tar.c in PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TAR archive.(CVE-2016-2554) - A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.(CVE-2015-6831) - The sapi_header_op function in main/SAPI.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 supports deprecated line folding without considering browser compatibility, which allows remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer by leveraging (1) %0A%20 or (2) %0D%0A%20 mishandling in the header function.(CVE-2015-8935) - The openssl_random_pseudo_bytes function in ext/openssl/openssl.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 incorrectly relies on the deprecated RAND_pseudo_bytes function, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors.(CVE-2015-8867) - Use-after-free vulnerability in the SPL unserialize implementation in ext/spl/spl_array.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to execute arbitrary code via crafted serialized data that triggers misuse of an array field.(CVE-2015-6832) - Directory traversal vulnerability in the PharData class in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to write to arbitrary files via a .. (dot dot) in a ZIP archive entry that is mishandled during an extractTo call.(CVE-2015-6833) - Directory traversal vulnerability in the ZipArchive::extractTo function in ext/zip/php_zip.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 and ext/zip/ext_zip.cpp in HHVM before 3.12.1 allows remote attackers to create arbitrary empty directories via a crafted ZIP archive.(CVE-2014-9767) - The ZIP signature-verification feature in PHP before 5.6.26 and 7.x before 7.0.11 does not ensure that the uncompressed_filesize field is large enough, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via a crafted PHAR archive, related to ext/phar/util.c and ext/phar/zip.c.(CVE-2016-7414) - ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted serialized data in a wddxPacket XML document, as demonstrated by a PDORow string.(CVE-2016-9934) - The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have unspecified other impact via an empty boolean element in a wddxPacket XML document.(CVE-2016-9935) - In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpreter, related to an invalid free for an empty boolean element in ext/wddx/wddx.c.(CVE-2017-11143) - Integer overflow in the php_html_entities function in ext/standard/html.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering a large output string from the htmlspecialchars function.(CVE-2016-5094) - The get_icu_value_internal function in ext/intl/locale/locale_methods.c in PHP before 5.5.36, 5.6.x before 5.6.22, and 7.x before 7.0.7 does not ensure the presence of a last seen 2020-05-08 modified 2019-11-08 plugin id 130683 published 2019-11-08 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130683 title EulerOS 2.0 SP5 : php (EulerOS-SA-2019-2221) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2952-1.NASL description It was discovered that the PHP Zip extension incorrectly handled directories when processing certain zip files. A remote attacker could possibly use this issue to create arbitrary directories. (CVE-2014-9767) It was discovered that the PHP Soap client incorrectly validated data types. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-8835, CVE-2016-3185) It was discovered that the PHP MySQL native driver incorrectly handled TLS connections to MySQL databases. A man in the middle attacker could possibly use this issue to downgrade and snoop on TLS connections. This vulnerability is known as BACKRONYM. (CVE-2015-8838) It was discovered that PHP incorrectly handled the imagerotate function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly obtain sensitive information. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2016-1903) Hans Jerry Illikainen discovered that the PHP phar extension incorrectly handled certain tar archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-2554) It was discovered that the PHP WDDX extension incorrectly handled certain malformed XML data. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-3141) It was discovered that the PHP phar extension incorrectly handled certain zip files. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2016-3142) It was discovered that the PHP libxml_disable_entity_loader() setting was shared between threads. When running under PHP-FPM, this could result in XML external entity injection and entity expansion issues. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (No CVE number) It was discovered that the PHP openssl_random_pseudo_bytes() function did not return cryptographically strong pseudo-random bytes. (No CVE number) It was discovered that the PHP Fileinfo component incorrectly handled certain magic files. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE number pending) It was discovered that the PHP php_snmp_error() function incorrectly handled string formatting. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE number pending) It was discovered that the PHP rawurlencode() function incorrectly handled large strings. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE number pending) It was discovered that the PHP phar extension incorrectly handled certain filenames in archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE number pending) It was discovered that the PHP mb_strcut() function incorrectly handled string formatting. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE number pending). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 90677 published 2016-04-22 reporter Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90677 title Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : php5 vulnerabilities (USN-2952-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2952-2.NASL description USN-2952-1 fixed vulnerabilities in PHP. One of the backported patches caused a regression in the PHP Soap client. This update fixes the problem. We apologize for the inconvenience. It was discovered that the PHP Zip extension incorrectly handled directories when processing certain zip files. A remote attacker could possibly use this issue to create arbitrary directories. (CVE-2014-9767) It was discovered that the PHP Soap client incorrectly validated data types. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-8835, CVE-2016-3185) It was discovered that the PHP MySQL native driver incorrectly handled TLS connections to MySQL databases. A man in the middle attacker could possibly use this issue to downgrade and snoop on TLS connections. This vulnerability is known as BACKRONYM. (CVE-2015-8838) It was discovered that PHP incorrectly handled the imagerotate function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly obtain sensitive information. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2016-1903) Hans Jerry Illikainen discovered that the PHP phar extension incorrectly handled certain tar archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-2554) It was discovered that the PHP WDDX extension incorrectly handled certain malformed XML data. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-3141) It was discovered that the PHP phar extension incorrectly handled certain zip files. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2016-3142) It was discovered that the PHP libxml_disable_entity_loader() setting was shared between threads. When running under PHP-FPM, this could result in XML external entity injection and entity expansion issues. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (No CVE number) It was discovered that the PHP openssl_random_pseudo_bytes() function did not return cryptographically strong pseudo-random bytes. (No CVE number) It was discovered that the PHP Fileinfo component incorrectly handled certain magic files. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE number pending) It was discovered that the PHP php_snmp_error() function incorrectly handled string formatting. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE number pending) It was discovered that the PHP rawurlencode() function incorrectly handled large strings. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE number pending) It was discovered that the PHP phar extension incorrectly handled certain filenames in archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE number pending) It was discovered that the PHP mb_strcut() function incorrectly handled string formatting. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE number pending). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 90825 published 2016-05-02 reporter Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90825 title Ubuntu 15.10 : php5 regression (USN-2952-2) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-1581-1.NASL description This update for php53 fixes the following issues : - CVE-2016-5093: A get_icu_value_internal out-of-bounds read could crash the php interpreter (bsc#982010) - CVE-2016-5094,CVE-2016-5095: Don last seen 2020-06-01 modified 2020-06-02 plugin id 91665 published 2016-06-17 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/91665 title SUSE SLES11 Security Update : php53 (SUSE-SU-2016:1581-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-323.NASL description This update for php5 fixes the following issues : - CVE-2016-2554: A stack overflow vulnerability when decompressing tar phar archives was fixed. last seen 2020-06-05 modified 2016-03-11 plugin id 89856 published 2016-03-11 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/89856 title openSUSE Security Update : php5 (openSUSE-2016-323) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2438.NASL description According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.(CVE-2019-11043) - The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserializing untrusted data. Exploitation of this issue can have an unspecified impact on the integrity of PHP.(CVE-2017-12933) - ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.(CVE-2016-7124) - The match function in pcre_exec.c in PCRE before 8.37 mishandles the /(?:((abcd))|(((?:(?:(?:(?:abc|(?:abcdef))))b)abcdefghi )abc)|((*ACCEPT)))/ pattern and related patterns involving (*ACCEPT), which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (partially initialized memory and application crash) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-2547.(CVE-2015-8382) - An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.(CVE-2018-5712) - exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG file.(CVE-2018-14851) - The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.(CVE-2016-7480) - ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an unserialize call that references a partially constructed object.(CVE-2016-7411) - The odbc_bindcols function in ext/odbc/php_odbc.c in PHP before 5.6.12 mishandles driver behavior for SQL_WVARCHAR columns, which allows remote attackers to cause a denial of service (application crash) in opportunistic circumstances by leveraging use of the odbc_fetch_array function to access a certain type of Microsoft SQL Server table.(CVE-2015-8879) - In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension last seen 2020-05-08 modified 2019-12-04 plugin id 131592 published 2019-12-04 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131592 title EulerOS 2.0 SP2 : php (EulerOS-SA-2019-2438) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-1145-1.NASL description This update for php53 fixes the following issues : - CVE-2015-8838: mysqlnd was vulnerable to BACKRONYM (bnc#973792). - CVE-2015-8835: SoapClient s_call method suffered from a type confusion issue that could have lead to crashes [bsc#973351] - CVE-2016-2554: A NULL pointer dereference in phar_get_fp_offset could lead to crashes. [bsc#968284] Note: we do not ship the phar extension currently, so we are not affected. - CVE-2015-7803: A Stack overflow vulnerability when decompressing tar phar archives could potentially lead to code execution. [bsc#949961] Note: we do not ship the phar extension currently, so we are not affected. - CVE-2016-3141: A use-after-free / double-free in the WDDX deserialization could lead to crashes or potential code execution. [bsc#969821] - CVE-2016-3142: An Out-of-bounds read in phar_parse_zipfile() could lead to crashes. [bsc#971912] Note: we do not ship the phar extension currently, so we are not affected. - CVE-2014-9767: A directory traversal when extracting zip files was fixed that could lead to overwritten files. [bsc#971612] - CVE-2016-3185: A type confusion vulnerability in make_http_soap_request() could lead to crashes or potentially code execution. [bsc#971611] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 90757 published 2016-04-27 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90757 title SUSE SLES11 Security Update : php53 (SUSE-SU-2016:1145-1)
Redhat
| advisories |
| ||||
| rpms |
|
References
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00052.html
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00056.html
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00058.html
- http://php.net/ChangeLog-5.php
- http://php.net/ChangeLog-7.php
- http://rhn.redhat.com/errata/RHSA-2016-2750.html
- http://www.ubuntu.com/usn/USN-2952-1
- http://www.ubuntu.com/usn/USN-2952-2
- https://bugs.php.net/bug.php?id=71488
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731