CVE-2016-3141 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

CVSS 9.8 - CRITICAL

  • Attack vector: NETWORK
  • Attack complexity: LOW
  • Privileges required: NONE
  • Confidentiality impact: HIGH
  • Integrity impact: HIGH
  • Availability impact: HIGH

Tags: network, low complexity, apple, php, CWE-119, critical, nessus

Summary

Use-after-free vulnerability in wddx.c in the WDDX extension in PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact by triggering a wddx_deserialize call on XML data containing a crafted var element.

Vulnerable Configurations

Part         Description  Count
OS           Apple        98
Application  Php          729

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2016-517.NASL
    description: This update for php5 fixes the following security issues:
      - CVE-2015-8838: mysqlnd was vulnerable to BACKRONYM (bnc#973792).
      - CVE-2015-8835: SoapClient s_call method suffered from a type confusion issue that could have led to crashes [bsc#973351]
      - CVE-2016-2554: A NULL pointer dereference in phar_get_fp_offset could lead to crashes. [bsc#968284] Note: we do not ship the phar extension currently, so we are not affected.
      - CVE-2016-3141: A use-after-free / double-free in the WDDX deserialization could lead to crashes or potential code execution. [bsc#969821]
      - CVE-2016-3142: An Out-of-bounds read in phar_parse_zipfile() could lead to crashes. [bsc#971912] Note: we do not ship the phar extension currently, so we are not affected.
      - CVE-2014-9767: A directory traversal when extracting zip files was fixed that could lead to overwritten files. [bsc#971612]
      - CVE-2016-3185: A type confusion vulnerability in make_http_soap_request() could lead to crashes or potentially code execution. [bsc#971611]
      This update was imported from the SUSE:SLE-12:Update update project.
    last seen: 2020-06-05
    modified: 2016-04-29
    plugin id: 90782
    published: 2016-04-29
    reporter: This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/90782
    title: openSUSE Security Update : php5 (openSUSE-2016-517)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2016-517.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(90782);
      script_version("2.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2014-9767", "CVE-2015-8835", "CVE-2015-8838", "CVE-2016-2554", "CVE-2016-3141", "CVE-2016-3142", "CVE-2016-3185");
    
      script_name(english:"openSUSE Security Update : php5 (openSUSE-2016-517)");
      script_summary(english:"Check for the openSUSE-2016-517 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for php5 fixes the following security issues :
    
      - CVE-2015-8838: mysqlnd was vulnerable to BACKRONYM
        (bnc#973792).
    
      - CVE-2015-8835: SoapClient s_call method suffered from a
        type confusion issue that could have lead to crashes
        [bsc#973351]
    
      - CVE-2016-2554: A NULL pointer dereference in
        phar_get_fp_offset could lead to crashes. [bsc#968284]
        Note: we do not ship the phar extension currently, so we
        are not affected.
    
      - CVE-2016-3141: A use-after-free / double-free in the
        WDDX deserialization could lead to crashes or potential
        code execution. [bsc#969821]
    
      - CVE-2016-3142: An Out-of-bounds read in
        phar_parse_zipfile() could lead to crashes. [bsc#971912]
        Note: we do not ship the phar extension currently, so we
        are not affected.
    
      - CVE-2014-9767: A directory traversal when extracting zip
        files was fixed that could lead to overwritten files.
        [bsc#971612]
    
      - CVE-2016-3185: A type confusion vulnerability in
        make_http_soap_request() could lead to crashes or
        potentially code execution. [bsc#971611]
    
    This update was imported from the SUSE:SLE-12:Update update project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=968284"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=969821"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=971611"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=971612"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=971912"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=973351"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=973792"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected php5 packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-mod_php5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-mod_php5-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-bcmath");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-bcmath-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-bz2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-bz2-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-calendar");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-calendar-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-ctype");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-ctype-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-curl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-curl-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-dba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-dba-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-dom");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-dom-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-enchant");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-enchant-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-exif");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-exif-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-fastcgi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-fastcgi-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-fileinfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-fileinfo-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-firebird");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-firebird-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-fpm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-fpm-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-ftp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-ftp-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-gd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-gd-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-gettext");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-gettext-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-gmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-gmp-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-iconv");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-iconv-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-imap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-imap-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-intl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-intl-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-json");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-json-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-ldap-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mbstring");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mbstring-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mcrypt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mcrypt-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mssql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mssql-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mysql-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-odbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-odbc-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-opcache");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-opcache-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-openssl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-openssl-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pcntl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pcntl-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pdo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pdo-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pear");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pgsql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pgsql-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-phar");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-phar-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-posix");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-posix-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pspell");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pspell-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-readline");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-readline-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-shmop");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-shmop-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-snmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-snmp-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-soap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-soap-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sockets");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sockets-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sqlite");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sqlite-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-suhosin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-suhosin-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sysvmsg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sysvmsg-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sysvsem");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sysvsem-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sysvshm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sysvshm-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-tidy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-tidy-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-tokenizer");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-tokenizer-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-wddx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-wddx-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xmlreader");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xmlreader-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xmlrpc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xmlrpc-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xmlwriter");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xmlwriter-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xsl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xsl-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-zip");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-zip-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-zlib");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-zlib-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2016/04/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/29");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.1", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.1", reference:"apache2-mod_php5-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"apache2-mod_php5-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-bcmath-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-bcmath-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-bz2-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-bz2-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-calendar-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-calendar-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-ctype-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-ctype-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-curl-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-curl-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-dba-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-dba-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-debugsource-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-devel-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-dom-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-dom-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-enchant-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-enchant-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-exif-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-exif-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-fastcgi-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-fastcgi-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-fileinfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-fileinfo-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-firebird-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-firebird-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-fpm-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-fpm-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-ftp-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-ftp-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-gd-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-gd-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-gettext-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-gettext-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-gmp-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-gmp-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-iconv-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-iconv-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-imap-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-imap-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-intl-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-intl-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-json-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-json-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-ldap-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-ldap-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-mbstring-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-mbstring-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-mcrypt-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-mcrypt-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-mssql-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-mssql-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-mysql-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-mysql-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-odbc-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-odbc-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-opcache-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-opcache-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-openssl-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-openssl-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-pcntl-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-pcntl-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-pdo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-pdo-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-pear-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-pgsql-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-pgsql-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-phar-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-phar-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-posix-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-posix-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-pspell-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-pspell-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-readline-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-readline-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-shmop-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-shmop-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-snmp-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-snmp-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-soap-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-soap-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-sockets-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-sockets-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-sqlite-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-sqlite-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-suhosin-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-suhosin-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-sysvmsg-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-sysvmsg-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-sysvsem-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-sysvsem-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-sysvshm-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-sysvshm-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-tidy-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-tidy-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-tokenizer-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-tokenizer-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-wddx-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-wddx-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-xmlreader-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-xmlreader-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-xmlrpc-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-xmlrpc-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-xmlwriter-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-xmlwriter-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-xsl-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-xsl-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-zip-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-zip-debuginfo-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-zlib-5.5.14-44.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"php5-zlib-debuginfo-5.5.14-44.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "apache2-mod_php5 / apache2-mod_php5-debuginfo / php5 / php5-bcmath / etc");
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-818.NASL
    description: Several issues have been discovered in PHP (recursive acronym for PHP: Hypertext Preprocessor), a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML.
      - CVE-2016-2554 Stack-based buffer overflow in ext/phar/tar.c allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TAR archive.
      - CVE-2016-3141 Use-after-free vulnerability in wddx.c in the WDDX extension allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact by triggering a wddx_deserialize call on XML data containing a crafted var element.
      - CVE-2016-3142 The phar_parse_zipfile function in zip.c in the PHAR extension in PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and application crash) by placing a PK\x05\x06 signature at an invalid location.
      - CVE-2016-4342 ext/phar/phar_object.c in PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3 mishandles zero-length uncompressed data, which allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted (1) TAR, (2) ZIP, or (3) PHAR archive.
      - CVE-2016-9934 ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted serialized data in a wddxPacket XML document, as demonstrated by a PDORow string.
      - CVE-2016-9935 The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have unspecified other impact via an empty boolean element in a wddxPacket XML document.
      - CVE-2016-10158 The exif_convert_any_to_int function in ext/exif/exif.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (application crash) via crafted EXIF data that triggers an attempt to divide the minimum representable negative integer by -1.
      - CVE-2016-10159 Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory consumption or application crash) via a truncated manifest entry in a PHAR archive.
      - CVE-2016-10160 Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PHAR archive with an alias mismatch.
      - CVE-2016-10161 The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finish_nested_data call.
      - BUG-71323.patch Output of stream_get_meta_data can be falsified by its input
      - BUG-70979.patch Crash on bad SOAP request
      - BUG-71039.patch exec functions ignore length but look for NULL termination
      - BUG-71459.patch Integer overflow in iptcembed()
      - BUG-71391.patch NULL pointer Dereference in phar_tar_setupmetadata()
      - BUG-71335.patch Type confusion vulnerability in WDDX packet deserialization
      For Debian 7
    last seen: 2020-03-17
    modified: 2017-02-08
    plugin id: 97052
    published: 2017-02-08
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/97052
    title: Debian DLA-818-1 : php5 security update
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_10_11_5.NASL
    description: The remote host is running a version of Mac OS X that is 10.11.x prior to 10.11.5. It is, therefore, affected by multiple vulnerabilities in the following components : - AMD - apache_mod_php - AppleGraphicsControl - AppleGraphicsPowerManagement - Assistant - ATS - Audio - Captive - CFNetwork - CommonCrypto - CoreCapture - CoreStorage - Crash - Disk - Disk - Driver - Drivers - Drivers - Graphics - Graphics - Graphics - ImageIO - Images - Intel - IOAcceleratorFamily - IOAudioFamily - IOFireWireFamily - IOHIDFamily - Kernel - libc - libxml2 - libxslt - Lock - MapKit - Messages - Multi-Touch - Network - NVIDIA - OpenGL - Proxies - QuickTime - Reporter - SceneKit - Screen - Tcl - Utility
      Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 91228
    published: 2016-05-19
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/91228
    title: Mac OS X 10.11.x < 10.11.5 Multiple Vulnerabilities
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2016-1638-1.NASL
    description: This update for php53 to version 5.3.17 fixes the following issues : These security issues were fixed :
      - CVE-2016-5093: get_icu_value_internal out-of-bounds read (bnc#982010).
      - CVE-2016-5094: Don
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 93161
    published: 2016-08-29
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/93161
    title: SUSE SLES11 Security Update : php53 (SUSE-SU-2016:1638-1) (BACKRONYM)
  • NASL family: CGI abuses
    NASL id: PHP_5_5_33.NASL
    description: According to its banner, the version of PHP running on the remote web server is 5.5.x prior to 5.5.33. It is, therefore, affected by multiple vulnerabilities :
      - A use-after-free error exists in file ext/wddx/wddx.c in the php_wddx_pop_element() function when handling XML data. An unauthenticated, remote attacker can exploit this, via crafted XML data, to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-3141)
      - An out-of-bounds read error exists in file ext/phar/zip.c in the phar_parse_zipfile() function that allows an unauthenticated, remote attacker to cause a denial of service or to gain access to sensitive information. (CVE-2016-3142)
      Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 90007
    published: 2016-03-17
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/90007
    title: PHP 5.5.x < 5.5.33 Multiple Vulnerabilities
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-2649.NASL
    description: According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :
      - ** DISPUTED ** Integer overflow in the php_raw_url_encode function in ext/standard/url.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to cause a denial of service (application crash) via a long string to the rawurlencode function. NOTE: the vendor says
    last seen: 2020-05-08
    modified: 2019-12-18
    plugin id: 132184
    published: 2019-12-18
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/132184
    title: EulerOS 2.0 SP3 : php (EulerOS-SA-2019-2649)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2016-1166-1.NASL
    description: This update for php5 fixes the following security issues :
      - CVE-2015-8838: mysqlnd was vulnerable to BACKRONYM (bnc#973792).
      - CVE-2015-8835: SoapClient s_call method suffered from a type confusion issue that could have led to crashes [bsc#973351]
      - CVE-2016-2554: A NULL pointer dereference in phar_get_fp_offset could lead to crashes. [bsc#968284] Note: we do not ship the phar extension currently, so we are not affected.
      - CVE-2016-3141: A use-after-free / double-free in the WDDX deserialization could lead to crashes or potential code execution. [bsc#969821]
      - CVE-2016-3142: An Out-of-bounds read in phar_parse_zipfile() could lead to crashes. [bsc#971912] Note: we do not ship the phar extension currently, so we are not affected.
      - CVE-2014-9767: A directory traversal when extracting zip files was fixed that could lead to overwritten files. [bsc#971612]
      - CVE-2016-3185: A type confusion vulnerability in make_http_soap_request() could lead to crashes or potentially code execution. [bsc#971611]
      Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-24
    modified: 2019-01-02
    plugin id: 119975
    published: 2019-01-02
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/119975
    title: SUSE SLES12 Security Update : php5 (SUSE-SU-2016:1166-1)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2016-516.NASL
    description: This update for php5 fixes the following security issues :
      - bsc#974305: buffer overflow in libmagic
      - CVE-2015-8838: mysqlnd was vulnerable to BACKRONYM (bnc#973792).
      - CVE-2015-8835: SoapClient s__call method suffered from type confusion issue (bnc#973351).
      - CVE-2016-3141: A use-after-free / double-free in the WDDX deserialization could lead to crashes or potential code execution. [bsc#969821]
      - CVE-2016-3142: An Out-of-bounds read in phar_parse_zipfile() could lead to crashes. [bsc#971912]
      - CVE-2014-9767: A directory traversal when extracting zip files was fixed that could lead to overwritten files. [bsc#971612]
      - CVE-2016-3185: A type confusion vulnerability in make_http_soap_request() could lead to crashes or potentially code execution. [bsc#971611]
    last seen: 2020-06-05
    modified: 2016-04-28
    plugin id: 90772
    published: 2016-04-28
    reporter: This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/90772
    title: openSUSE Security Update : php5 (openSUSE-2016-516)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-2221.NASL
    description: According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :
      - ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.(CVE-2016-7124)
      - Stack-based buffer overflow in ext/phar/tar.c in PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TAR archive.(CVE-2016-2554)
      - A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.(CVE-2015-6831)
      - The sapi_header_op function in main/SAPI.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 supports deprecated line folding without considering browser compatibility, which allows remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer by leveraging (1) %0A%20 or (2) %0D%0A%20 mishandling in the header function.(CVE-2015-8935)
      - The openssl_random_pseudo_bytes function in ext/openssl/openssl.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 incorrectly relies on the deprecated RAND_pseudo_bytes function, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors.(CVE-2015-8867)
      - Use-after-free vulnerability in the SPL unserialize implementation in ext/spl/spl_array.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to execute arbitrary code via crafted serialized data that triggers misuse of an array field.(CVE-2015-6832)
      - Directory traversal vulnerability in the PharData class in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to write to arbitrary files via a .. (dot dot) in a ZIP archive entry that is mishandled during an extractTo call.(CVE-2015-6833)
      - Directory traversal vulnerability in the ZipArchive::extractTo function in ext/zip/php_zip.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 and ext/zip/ext_zip.cpp in HHVM before 3.12.1 allows remote attackers to create arbitrary empty directories via a crafted ZIP archive.(CVE-2014-9767)
      - The ZIP signature-verification feature in PHP before 5.6.26 and 7.x before 7.0.11 does not ensure that the uncompressed_filesize field is large enough, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via a crafted PHAR archive, related to ext/phar/util.c and ext/phar/zip.c.(CVE-2016-7414)
      - ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted serialized data in a wddxPacket XML document, as demonstrated by a PDORow string.(CVE-2016-9934)
      - The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have unspecified other impact via an empty boolean element in a wddxPacket XML document.(CVE-2016-9935)
      - In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpreter, related to an invalid free for an empty boolean element in ext/wddx/wddx.c.(CVE-2017-11143)
      - Integer overflow in the php_html_entities function in ext/standard/html.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering a large output string from the htmlspecialchars function.(CVE-2016-5094)
      - The get_icu_value_internal function in ext/intl/locale/locale_methods.c in PHP before 5.5.36, 5.6.x before 5.6.22, and 7.x before 7.0.7 does not ensure the presence of a
    last seen: 2020-05-08
    modified: 2019-11-08
    plugin id: 130683
    published: 2019-11-08
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/130683
    title: EulerOS 2.0 SP5 : php (EulerOS-SA-2019-2221)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-2952-1.NASL
    description:
      It was discovered that the PHP Zip extension incorrectly handled directories when processing certain zip files. A remote attacker could possibly use this issue to create arbitrary directories. (CVE-2014-9767)
      It was discovered that the PHP Soap client incorrectly validated data types. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-8835, CVE-2016-3185)
      It was discovered that the PHP MySQL native driver incorrectly handled TLS connections to MySQL databases. A man in the middle attacker could possibly use this issue to downgrade and snoop on TLS connections. This vulnerability is known as BACKRONYM. (CVE-2015-8838)
      It was discovered that PHP incorrectly handled the imagerotate function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly obtain sensitive information. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2016-1903)
      Hans Jerry Illikainen discovered that the PHP phar extension incorrectly handled certain tar archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-2554)
      It was discovered that the PHP WDDX extension incorrectly handled certain malformed XML data. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-3141)
      It was discovered that the PHP phar extension incorrectly handled certain zip files. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2016-3142)
      It was discovered that the PHP libxml_disable_entity_loader() setting was shared between threads. When running under PHP-FPM, this could result in XML external entity injection and entity expansion issues. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (No CVE number)
      It was discovered that the PHP openssl_random_pseudo_bytes() function did not return cryptographically strong pseudo-random bytes. (No CVE number)
      It was discovered that the PHP Fileinfo component incorrectly handled certain magic files. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE number pending)
      It was discovered that the PHP php_snmp_error() function incorrectly handled string formatting. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE number pending)
      It was discovered that the PHP rawurlencode() function incorrectly handled large strings. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE number pending)
      It was discovered that the PHP phar extension incorrectly handled certain filenames in archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE number pending)
      It was discovered that the PHP mb_strcut() function incorrectly handled string formatting. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE number pending).
      Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 90677
    published: 2016-04-22
    reporter: Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/90677
    title: Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : php5 vulnerabilities (USN-2952-1)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-2952-2.NASL
    description: USN-2952-1 fixed vulnerabilities in PHP. One of the backported patches caused a regression in the PHP Soap client. This update fixes the problem. We apologize for the inconvenience.
      It was discovered that the PHP Zip extension incorrectly handled directories when processing certain zip files. A remote attacker could possibly use this issue to create arbitrary directories. (CVE-2014-9767)
      It was discovered that the PHP Soap client incorrectly validated data types. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-8835, CVE-2016-3185)
      It was discovered that the PHP MySQL native driver incorrectly handled TLS connections to MySQL databases. A man in the middle attacker could possibly use this issue to downgrade and snoop on TLS connections. This vulnerability is known as BACKRONYM. (CVE-2015-8838)
      It was discovered that PHP incorrectly handled the imagerotate function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly obtain sensitive information. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2016-1903)
      Hans Jerry Illikainen discovered that the PHP phar extension incorrectly handled certain tar archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-2554)
      It was discovered that the PHP WDDX extension incorrectly handled certain malformed XML data. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-3141)
      It was discovered that the PHP phar extension incorrectly handled certain zip files. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2016-3142)
      It was discovered that the PHP libxml_disable_entity_loader() setting was shared between threads. When running under PHP-FPM, this could result in XML external entity injection and entity expansion issues. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (No CVE number)
      It was discovered that the PHP openssl_random_pseudo_bytes() function did not return cryptographically strong pseudo-random bytes. (No CVE number)
      It was discovered that the PHP Fileinfo component incorrectly handled certain magic files. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE number pending)
      It was discovered that the PHP php_snmp_error() function incorrectly handled string formatting. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE number pending)
      It was discovered that the PHP rawurlencode() function incorrectly handled large strings. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE number pending)
      It was discovered that the PHP phar extension incorrectly handled certain filenames in archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE number pending)
      It was discovered that the PHP mb_strcut() function incorrectly handled string formatting. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE number pending).
      Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 90825
    published: 2016-05-02
    reporter: Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/90825
    title: Ubuntu 15.10 : php5 regression (USN-2952-2)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2016-1581-1.NASL
    description: This update for php53 fixes the following issues :
      - CVE-2016-5093: A get_icu_value_internal out-of-bounds read could crash the php interpreter (bsc#982010)
      - CVE-2016-5094,CVE-2016-5095: Don
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 91665
    published: 2016-06-17
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/91665
    title: SUSE SLES11 Security Update : php53 (SUSE-SU-2016:1581-1)
  • NASL family: CGI abuses
    NASL id: PHP_5_6_19.NASL
    description: According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.19. It is, therefore, affected by multiple vulnerabilities :
      - A use-after-free error exists in file ext/wddx/wddx.c in the php_wddx_pop_element() function when handling XML data. An unauthenticated, remote attacker can exploit this, via crafted XML data, to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-3141)
      - An out-of-bounds read error exists in file ext/phar/zip.c in the phar_parse_zipfile() function that allows an unauthenticated, remote attacker to cause a denial of service or to gain access to sensitive information. (CVE-2016-3142)
      - A NULL pointer dereference flaw exists in file ext/xsl/xsltprocessor.c in the xsl_ext_function_php() function that allows an unauthenticated, remote attacker to cause a denial of service.
      - A flaw exists in file sapi/cli/php_cli_server.c due to the built-in HTTP server not properly restricting file requests. An unauthenticated, remote attacker can exploit this to access arbitrary files.
      - A use-after-free error exists in Zend Opcache when updating cached directory names that have been cached in the current working directory. An unauthenticated, remote attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code.
      - A NULL pointer dereference flaw exists in file ext/zip/php_zip.c in the Zip::ExtractTo() method that allows an unauthenticated, remote attacker to cause a denial of service.
      Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 90008
    published: 2016-03-17
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/90008
    title: PHP 5.6.x < 5.6.19 Multiple Vulnerabilities
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-2438.NASL
    description: According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :
      - In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.(CVE-2019-11043)
      - The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserializing untrusted data. Exploitation of this issue can have an unspecified impact on the integrity of PHP.(CVE-2017-12933)
      - ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.(CVE-2016-7124)
      - The match function in pcre_exec.c in PCRE before 8.37 mishandles the /(?:((abcd))|(((?:(?:(?:(?:abc|(?:abcdef))))b)abcdefghi )abc)|((*ACCEPT)))/ pattern and related patterns involving (*ACCEPT), which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (partially initialized memory and application crash) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-2547.(CVE-2015-8382)
      - An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.(CVE-2018-5712)
      - exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG file.(CVE-2018-14851)
      - The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.(CVE-2016-7480)
      - ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an unserialize call that references a partially constructed object.(CVE-2016-7411)
      - The odbc_bindcols function in ext/odbc/php_odbc.c in PHP before 5.6.12 mishandles driver behavior for SQL_WVARCHAR columns, which allows remote attackers to cause a denial of service (application crash) in opportunistic circumstances by leveraging use of the odbc_fetch_array function to access a certain type of Microsoft SQL Server table.(CVE-2015-8879)
      - In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension
    last seen: 2020-05-08
    modified: 2019-12-04
    plugin id: 131592
    published: 2019-12-04
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/131592
    title: EulerOS 2.0 SP2 : php (EulerOS-SA-2019-2438)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2016-1145-1.NASL
    description: This update for php53 fixes the following issues :
      - CVE-2015-8838: mysqlnd was vulnerable to BACKRONYM (bnc#973792).
      - CVE-2015-8835: SoapClient s_call method suffered from a type confusion issue that could have led to crashes [bsc#973351]
      - CVE-2016-2554: A NULL pointer dereference in phar_get_fp_offset could lead to crashes. [bsc#968284] Note: we do not ship the phar extension currently, so we are not affected.
      - CVE-2015-7803: A Stack overflow vulnerability when decompressing tar phar archives could potentially lead to code execution. [bsc#949961] Note: we do not ship the phar extension currently, so we are not affected.
      - CVE-2016-3141: A use-after-free / double-free in the WDDX deserialization could lead to crashes or potential code execution. [bsc#969821]
      - CVE-2016-3142: An Out-of-bounds read in phar_parse_zipfile() could lead to crashes. [bsc#971912] Note: we do not ship the phar extension currently, so we are not affected.
      - CVE-2014-9767: A directory traversal when extracting zip files was fixed that could lead to overwritten files. [bsc#971612]
      - CVE-2016-3185: A type confusion vulnerability in make_http_soap_request() could lead to crashes or potentially code execution. [bsc#971611]
      Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 90757
    published: 2016-04-27
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/90757
    title: SUSE SLES11 Security Update : php53 (SUSE-SU-2016:1145-1)

Redhat

advisories
rhsa
id: RHSA-2016:2750
rpms
  • rh-php56-0:2.3-1.el6
  • rh-php56-0:2.3-1.el7
  • rh-php56-php-0:5.6.25-1.el6
  • rh-php56-php-0:5.6.25-1.el7
  • rh-php56-php-bcmath-0:5.6.25-1.el6
  • rh-php56-php-bcmath-0:5.6.25-1.el7
  • rh-php56-php-cli-0:5.6.25-1.el6
  • rh-php56-php-cli-0:5.6.25-1.el7
  • rh-php56-php-common-0:5.6.25-1.el6
  • rh-php56-php-common-0:5.6.25-1.el7
  • rh-php56-php-dba-0:5.6.25-1.el6
  • rh-php56-php-dba-0:5.6.25-1.el7
  • rh-php56-php-dbg-0:5.6.25-1.el6
  • rh-php56-php-dbg-0:5.6.25-1.el7
  • rh-php56-php-debuginfo-0:5.6.25-1.el6
  • rh-php56-php-debuginfo-0:5.6.25-1.el7
  • rh-php56-php-devel-0:5.6.25-1.el6
  • rh-php56-php-devel-0:5.6.25-1.el7
  • rh-php56-php-embedded-0:5.6.25-1.el6
  • rh-php56-php-embedded-0:5.6.25-1.el7
  • rh-php56-php-enchant-0:5.6.25-1.el6
  • rh-php56-php-enchant-0:5.6.25-1.el7
  • rh-php56-php-fpm-0:5.6.25-1.el6
  • rh-php56-php-fpm-0:5.6.25-1.el7
  • rh-php56-php-gd-0:5.6.25-1.el6
  • rh-php56-php-gd-0:5.6.25-1.el7
  • rh-php56-php-gmp-0:5.6.25-1.el6
  • rh-php56-php-gmp-0:5.6.25-1.el7
  • rh-php56-php-imap-0:5.6.25-1.el6
  • rh-php56-php-intl-0:5.6.25-1.el6
  • rh-php56-php-intl-0:5.6.25-1.el7
  • rh-php56-php-ldap-0:5.6.25-1.el6
  • rh-php56-php-ldap-0:5.6.25-1.el7
  • rh-php56-php-mbstring-0:5.6.25-1.el6
  • rh-php56-php-mbstring-0:5.6.25-1.el7
  • rh-php56-php-mysqlnd-0:5.6.25-1.el6
  • rh-php56-php-mysqlnd-0:5.6.25-1.el7
  • rh-php56-php-odbc-0:5.6.25-1.el6
  • rh-php56-php-odbc-0:5.6.25-1.el7
  • rh-php56-php-opcache-0:5.6.25-1.el6
  • rh-php56-php-opcache-0:5.6.25-1.el7
  • rh-php56-php-pdo-0:5.6.25-1.el6
  • rh-php56-php-pdo-0:5.6.25-1.el7
  • rh-php56-php-pear-1:1.9.5-4.el6
  • rh-php56-php-pear-1:1.9.5-4.el7
  • rh-php56-php-pgsql-0:5.6.25-1.el6
  • rh-php56-php-pgsql-0:5.6.25-1.el7
  • rh-php56-php-process-0:5.6.25-1.el6
  • rh-php56-php-process-0:5.6.25-1.el7
  • rh-php56-php-pspell-0:5.6.25-1.el6
  • rh-php56-php-pspell-0:5.6.25-1.el7
  • rh-php56-php-recode-0:5.6.25-1.el6
  • rh-php56-php-recode-0:5.6.25-1.el7
  • rh-php56-php-snmp-0:5.6.25-1.el6
  • rh-php56-php-snmp-0:5.6.25-1.el7
  • rh-php56-php-soap-0:5.6.25-1.el6
  • rh-php56-php-soap-0:5.6.25-1.el7
  • rh-php56-php-tidy-0:5.6.25-1.el6
  • rh-php56-php-xml-0:5.6.25-1.el6
  • rh-php56-php-xml-0:5.6.25-1.el7
  • rh-php56-php-xmlrpc-0:5.6.25-1.el6
  • rh-php56-php-xmlrpc-0:5.6.25-1.el7
  • rh-php56-runtime-0:2.3-1.el6
  • rh-php56-runtime-0:2.3-1.el7
  • rh-php56-scldevel-0:2.3-1.el6
  • rh-php56-scldevel-0:2.3-1.el7