Vulnerabilities > CVE-2016-7128 - Information Exposure vulnerability in PHP
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
LOW Integrity impact
NONE Availability impact
NONE Summary
The exif_process_IFD_in_TIFF function in ext/exif/exif.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles the case of a thumbnail offset that exceeds the file size, which allows remote attackers to obtain sensitive information from process memory via a crafted TIFF image.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Subverting Environment Variable Values The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
- Footprinting An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
- Exploiting Trust in Client (aka Make the Client Invisible) An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
- Browser Fingerprinting An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
- Session Credential Falsification through Prediction This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Nessus
NASL family CGI abuses NASL id PHP_7_0_10.NASL description According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.10. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the object_common2() function in var_unserializer.c that occurs when handling objects during deserialization. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-7124) - An unspecified flaw exists in session.c that occurs when handling session names. An unauthenticated, remote attacker can exploit this to inject arbitrary data into sessions. (CVE-2016-7125) - An integer truncation flaw exists in the select_colors() function in gd_topal.c that is triggered when handling the number of colors. An unauthenticated, remote attacker can exploit to cause a heap-based buffer overflow, resulting in the execution of arbitrary code. (CVE-2016-7126) - An indexing flaw exists in the imagegammacorrect() function in gd.c that occurs when handling negative gamma values. An unauthenticated, remote attacker can exploit this to write a NULL to an arbitrary memory location, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2016-7127) - A flaw exists in the exif_process_IFD_in_TIFF() function in exif.c that occurs when handling TIFF image content. An unauthenticated, remote attacker can exploit this to disclose memory contents. (CVE-2016-7128) - A flaw exists in the php_wddx_process_data() function in wddx.c that occurs when deserializing invalid dateTime values. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-7129) - A NULL pointer dereference flaw exists in the php_wddx_pop_element() function in wddx.c that is triggered during the handling of Base64 binary values. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-7130) - A NULL pointer dereference flaw exists in the php_wddx_deserialize_ex() function in wddx.c that occurs during the handling of invalid XML content. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-7131) - An unspecified NULL pointer dereference flaw exists in the php_wddx_pop_element() function in wddx.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-7132) - An integer overflow condition exists in the zend_mm_realloc_heap() function in zend_alloc.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2016-7133) - An overflow condition exists in the curl_escape() function in interface.c due to improper handling of overly long strings. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2016-7134) last seen 2020-04-30 modified 2016-08-23 plugin id 93078 published 2016-08-23 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93078 title PHP 7.0.x < 7.0.10 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(93078); script_version("1.12"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/27"); script_cve_id( "CVE-2016-7124", "CVE-2016-7125", "CVE-2016-7126", "CVE-2016-7127", "CVE-2016-7128", "CVE-2016-7129", "CVE-2016-7130", "CVE-2016-7131", "CVE-2016-7132", "CVE-2016-7133", "CVE-2016-7134" ); script_bugtraq_id( 92552, 92564, 92755, 92756, 92757, 92758, 92764, 92765, 92766, 92767, 92768 ); script_name(english:"PHP 7.0.x < 7.0.10 Multiple Vulnerabilities"); script_summary(english:"Checks the version of PHP."); script_set_attribute(attribute:"synopsis", value: "The version of PHP running on the remote web server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.10. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the object_common2() function in var_unserializer.c that occurs when handling objects during deserialization. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-7124) - An unspecified flaw exists in session.c that occurs when handling session names. An unauthenticated, remote attacker can exploit this to inject arbitrary data into sessions. (CVE-2016-7125) - An integer truncation flaw exists in the select_colors() function in gd_topal.c that is triggered when handling the number of colors. An unauthenticated, remote attacker can exploit to cause a heap-based buffer overflow, resulting in the execution of arbitrary code. (CVE-2016-7126) - An indexing flaw exists in the imagegammacorrect() function in gd.c that occurs when handling negative gamma values. An unauthenticated, remote attacker can exploit this to write a NULL to an arbitrary memory location, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2016-7127) - A flaw exists in the exif_process_IFD_in_TIFF() function in exif.c that occurs when handling TIFF image content. An unauthenticated, remote attacker can exploit this to disclose memory contents. (CVE-2016-7128) - A flaw exists in the php_wddx_process_data() function in wddx.c that occurs when deserializing invalid dateTime values. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-7129) - A NULL pointer dereference flaw exists in the php_wddx_pop_element() function in wddx.c that is triggered during the handling of Base64 binary values. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-7130) - A NULL pointer dereference flaw exists in the php_wddx_deserialize_ex() function in wddx.c that occurs during the handling of invalid XML content. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-7131) - An unspecified NULL pointer dereference flaw exists in the php_wddx_pop_element() function in wddx.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-7132) - An integer overflow condition exists in the zend_mm_realloc_heap() function in zend_alloc.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2016-7133) - An overflow condition exists in the curl_escape() function in interface.c due to improper handling of overly long strings. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2016-7134)"); script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-7.php#7.0.10"); script_set_attribute(attribute:"solution", value: "Upgrade to PHP version 7.0.10 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-7134"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/08/03"); script_set_attribute(attribute:"patch_publication_date", value:"2016/08/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/23"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("php_version.nasl"); script_require_keys("www/PHP"); script_require_ports("Services/www", 80); exit(0); } include("vcf.inc"); include("vcf_extras.inc"); include("http.inc"); include("webapp_func.inc"); vcf::php::initialize(); port = get_http_port(default:80, php:TRUE); app_info = vcf::php::get_app_info(port:port); constraints = [ { "min_version" : "7.0.0alpha0", "fixed_version" : "7.0.10" } ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-2328-1.NASL description This update for php53 fixes the following security issues : - CVE-2014-3587: Integer overflow in the cdf_read_property_info affecting SLES11 SP3 [bsc#987530] - CVE-2016-6297: Stack-based buffer overflow vulnerability in php_stream_zip_opener [bsc#991426] - CVE-2016-6291: Out-of-bounds access in exif_process_IFD_in_MAKERNOTE [bsc#991427] - CVE-2016-6289: Integer overflow leads to buffer overflow in virtual_file_ex [bsc#991428] - CVE-2016-6290: Use after free in unserialize() with Unexpected Session Deserialization [bsc#991429] - CVE-2016-5399: Improper error handling in bzread() [bsc#991430] - CVE-2016-6288: Buffer over-read in php_url_parse_ex [bsc#991433] - CVE-2016-6296: Heap buffer overflow vulnerability in simplestring_addn in simplestring.c [bsc#991437] - CVE-2016-7124: Create an Unexpected Object and Don last seen 2020-06-01 modified 2020-06-02 plugin id 93589 published 2016-09-19 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93589 title SUSE SLES11 Security Update : php53 (SUSE-SU-2016:2328-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-2408-1.NASL description This update for php5 fixes the following security issues : - CVE-2016-6128: Invalid color index not properly handled [bsc#987580] - CVE-2016-6161: global out of bounds read when encoding gif from malformed input withgd2togif [bsc#988032] - CVE-2016-6292: NULL pointer dereference in exif_process_user_comment [bsc#991422] - CVE-2016-6295: Use after free in SNMP with GC and unserialize() [bsc#991424] - CVE-2016-6297: Stack-based buffer overflow vulnerability in php_stream_zip_opener [bsc#991426] - CVE-2016-6291: Out-of-bounds access in exif_process_IFD_in_MAKERNOTE [bsc#991427] - CVE-2016-6289: Integer overflow leads to buffer overflow in virtual_file_ex [bsc#991428] - CVE-2016-6290: Use after free in unserialize() with Unexpected Session Deserialization [bsc#991429] - CVE-2016-5399: Improper error handling in bzread() [bsc#991430] - CVE-2016-6296: Heap buffer overflow vulnerability in simplestring_addn in simplestring.c [bsc#991437] - CVE-2016-6207: Integer overflow error within _gdContributionsAlloc() [bsc#991434] - CVE-2014-3587: Integer overflow in the cdf_read_property_info affecting SLES11 SP3 [bsc#987530] - CVE-2016-6288: Buffer over-read in php_url_parse_ex [bsc#991433] - CVE-2016-7124: Create an Unexpected Object and Don last seen 2020-03-24 modified 2019-01-02 plugin id 119979 published 2019-01-02 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119979 title SUSE SLES12 Security Update : php5 (SUSE-SU-2016:2408-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-2459-1.NASL description This update for php53 fixes the following security issues : - CVE-2016-7124: Create an Unexpected Object and Don last seen 2020-06-01 modified 2020-06-02 plugin id 93894 published 2016-10-06 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93894 title SUSE SLES11 Security Update : php53 (SUSE-SU-2016:2459-1) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3689.NASL description Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development. The vulnerabilities are addressed by upgrading PHP to the new upstream version 5.6.26, which includes additional bug fixes. Please refer to the upstream changelog for more information : - https://php.net/ChangeLog-5.php#5.6.25 - https://php.net/ChangeLog-5.php#5.6.26 last seen 2020-06-01 modified 2020-06-02 plugin id 93914 published 2016-10-10 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93914 title Debian DSA-3689-1 : php5 - security update NASL family Debian Local Security Checks NASL id DEBIAN_DLA-749.NASL description CVE-2016-5385 PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application last seen 2020-03-17 modified 2016-12-20 plugin id 96010 published 2016-12-20 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96010 title Debian DLA-749-1 : php5 security update (httpoxy) NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-1156.NASL description This update for php5 fixes the following security issues : - CVE-2016-6128: Invalid color index not properly handled [bsc#987580] - CVE-2016-6161: global out of bounds read when encoding gif from malformed input withgd2togif [bsc#988032] - CVE-2016-6292: NULL pointer dereference in exif_process_user_comment [bsc#991422] - CVE-2016-6295: Use after free in SNMP with GC and unserialize() [bsc#991424] - CVE-2016-6297: Stack-based buffer overflow vulnerability in php_stream_zip_opener [bsc#991426] - CVE-2016-6291: Out-of-bounds access in exif_process_IFD_in_MAKERNOTE [bsc#991427] - CVE-2016-6289: Integer overflow leads to buffer overflow in virtual_file_ex [bsc#991428] - CVE-2016-6290: Use after free in unserialize() with Unexpected Session Deserialization [bsc#991429] - CVE-2016-5399: Improper error handling in bzread() [bsc#991430] - CVE-2016-6296: Heap buffer overflow vulnerability in simplestring_addn in simplestring.c [bsc#991437] - CVE-2016-6207: Integer overflow error within _gdContributionsAlloc() [bsc#991434] - CVE-2014-3587: Integer overflow in the cdf_read_property_info affecting SLES11 SP3 [bsc#987530] - CVE-2016-6288: Buffer over-read in php_url_parse_ex [bsc#991433] - CVE-2016-7124: Create an Unexpected Object and Don last seen 2020-06-05 modified 2016-10-05 plugin id 93856 published 2016-10-05 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93856 title openSUSE Security Update : php5 (openSUSE-2016-1156) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2649.NASL description According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - ** DISPUTED ** Integer overflow in the php_raw_url_encode function in ext/standard/url.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to cause a denial of service (application crash) via a long string to the rawurlencode function. NOTE: the vendor says last seen 2020-05-08 modified 2019-12-18 plugin id 132184 published 2019-12-18 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132184 title EulerOS 2.0 SP3 : php (EulerOS-SA-2019-2649) NASL family CGI abuses NASL id PHP_5_6_25.NASL description According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.25. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the object_common2() function in var_unserializer.c that occurs when handling objects during deserialization. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-7124) - An unspecified flaw exists in session.c that occurs when handling session names. An unauthenticated, remote attacker can exploit this to inject arbitrary data into sessions. (CVE-2016-7125) - An integer truncation flaw exists in the select_colors() function in gd_topal.c that is triggered when handling the number of colors. An unauthenticated, remote attacker can exploit to cause a heap-based buffer overflow, resulting in the execution of arbitrary code. (CVE-2016-7126) - An indexing flaw exists in the imagegammacorrect() function in gd.c that occurs when handling negative gamma values. An unauthenticated, remote attacker can exploit this to write a NULL to an arbitrary memory location, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2016-7127) - A flaw exists in the exif_process_IFD_in_TIFF() function in exif.c that occurs when handling TIFF image content. An unauthenticated, remote attacker can exploit this to disclose memory contents. (CVE-2016-7128) - A flaw exists in the php_wddx_process_data() function in wddx.c that occurs when deserializing invalid dateTime values. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-7129) - A NULL pointer dereference flaw exists in the php_wddx_pop_element() function in wddx.c that is triggered during the handling of Base64 binary values. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-7130) - A NULL pointer dereference flaw exists in the php_wddx_deserialize_ex() function in wddx.c that occurs during the handling of invalid XML content. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-7131) - An unspecified NULL pointer dereference flaw exists in the php_wddx_pop_element() function in wddx.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. CVE-2016-7132) - An integer overflow condition exists in the php_snmp_parse_oid() function in snmp.c. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow, resulting in the execution of arbitrary code. - An overflow condition exists in the sql_regcase() function in ereg.c due to improper handling of overly long strings. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code. - An integer overflow condition exists in the php_base64_encode() function in base64.c that occurs when handling overly long strings. An unauthenticated, remote attacker can exploit this to execute arbitrary code. - An integer overflow condition exists in the php_quot_print_encode() function in quot_print.c that occurs when handling overly long strings. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow condition, resulting in the execution of arbitrary code. - A use-after-free error exists in the unserialize() function in var.c. An unauthenticated, remote attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. - A flaw exists in the php_ftp_fopen_connect() function in ftp_fopen_wrapper.c that allows a man-in-the-middle attacker to silently downgrade to regular FTP even if a secure method has been requested. - An integer overflow condition exists in the php_url_encode() function in url.c that occurs when handling overly long strings. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code. - An integer overflow condition exists in the php_uuencode() function in uuencode.c. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code. - An integer overflow condition exists in the bzdecompress() function in bz2.c. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code. - An integer overflow condition exists in the curl_escape() function in interface.c that occurs when handling overly long escaped strings. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code. Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 93077 published 2016-08-23 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93077 title PHP 5.6.x < 5.6.25 Multiple Vulnerabilities NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3095-1.NASL description Taoguang Chen discovered that PHP incorrectly handled certain invalid objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7124) Taoguang Chen discovered that PHP incorrectly handled invalid session names. A remote attacker could use this issue to inject arbitrary session data. (CVE-2016-7125) It was discovered that PHP incorrectly handled certain gamma values in the imagegammacorrect function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7127) It was discovered that PHP incorrectly handled certain crafted TIFF image thumbnails. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly expose sensitive information. (CVE-2016-7128) It was discovered that PHP incorrectly handled unserializing certain wddxPacket XML documents. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7129, CVE-2016-7130, CVE-2016-7131, CVE-2016-7132, CVE-2016-7413) It was discovered that PHP incorrectly handled certain memory operations. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-7133) It was discovered that PHP incorrectly handled long strings in curl_escape calls. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-7134) Taoguang Chen discovered that PHP incorrectly handled certain failures when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-7411) It was discovered that PHP incorrectly handled certain flags in the MySQL driver. Malicious remote MySQL servers could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7412) It was discovered that PHP incorrectly handled ZIP file signature verification when processing a PHAR archive. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7414) It was discovered that PHP incorrectly handled certain locale operations. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7416) It was discovered that PHP incorrectly handled SplArray unserializing. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7417) Ke Liu discovered that PHP incorrectly handled unserializing wddxPacket XML documents with incorrect boolean elements. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7418). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 93864 published 2016-10-05 reporter Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93864 title Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : php5, php7.0 vulnerabilities (USN-3095-1) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201611-22.NASL description The remote host is affected by the vulnerability described in GLSA-201611-22 (PHP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details. Impact : An attacker can possibly execute arbitrary code or create a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 95421 published 2016-12-01 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95421 title GLSA-201611-22 : PHP: Multiple vulnerabilities (httpoxy) NASL family Misc. NASL id SECURITYCENTER_5_4_1.NASL description According to its self-reported version, the Tenable SecurityCenter application installed on the remote host is prior to 5.4.1. It is, therefore, affected by multiple vulnerabilities : - A denial of service vulnerability exists in x509_vfy.c due to improper handling of certificate revocation lists (CRLs). An unauthenticated, remote attacker can exploit this, via a specially crafted CRL, to cause a NULL pointer dereference, resulting in a crash of the service. (CVE-2016-7052) - A cross-site scripting (XSS) vulnerability exists within the JQuery UI dialog() function due to improper validation of input to the last seen 2020-06-01 modified 2020-06-02 plugin id 96832 published 2017-01-27 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96832 title Tenable SecurityCenter < 5.4.1 Multiple Vulnerabilities (TNS-2016-19) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2016-252-01.NASL description New php packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 93384 published 2016-09-09 reporter This script is Copyright (C) 2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/93384 title Slackware 14.0 / 14.1 / 14.2 / current : php (SSA:2016-252-01) NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-1095.NASL description This update for php5 fixes the following security issues : - CVE-2016-7124: Create an Unexpected Object and Don last seen 2020-06-05 modified 2016-09-20 plugin id 93597 published 2016-09-20 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/93597 title openSUSE Security Update : php5 (openSUSE-2016-1095) NASL family Misc. NASL id SECURITYCENTER_PHP_5_6_25.NASL description The Tenable SecurityCenter application installed on the remote host is missing a security patch. It is, therefore, affected by multiple vulnerabilities in the bundled version of PHP : - An unspecified flaw exists in the object_common2() function in var_unserializer.c that occurs when handling objects during deserialization. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-7124) - An unspecified flaw exists in session.c that occurs when handling session names. An unauthenticated, remote attacker can exploit this to inject arbitrary data into sessions. (CVE-2016-7125) - An integer truncation flaw exists in the select_colors() function in gd_topal.c that is triggered when handling the number of colors. An unauthenticated, remote attacker can exploit to cause a heap-based buffer overflow, resulting in the execution of arbitrary code. (CVE-2016-7126) - An indexing flaw exists in the imagegammacorrect() function in gd.c that occurs when handling negative gamma values. An unauthenticated, remote attacker can exploit this to write a NULL to an arbitrary memory location, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2016-7127) - A flaw exists in the exif_process_IFD_in_TIFF() function in exif.c that occurs when handling TIFF image content. An unauthenticated, remote attacker can exploit this to disclose memory contents. (CVE-2016-7128) - A flaw exists in the php_wddx_process_data() function in wddx.c that occurs when deserializing invalid dateTime values. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-7129) - A NULL pointer dereference flaw exists in the php_wddx_pop_element() function in wddx.c that is triggered during the handling of Base64 binary values. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-7130) - A NULL pointer dereference flaw exists in the php_wddx_deserialize_ex() function in wddx.c that occurs during the handling of invalid XML content. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-7131) - An unspecified NULL pointer dereference flaw exists in the php_wddx_pop_element() function in wddx.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. CVE-2016-7132) - An integer overflow condition exists in the php_snmp_parse_oid() function in snmp.c. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow, resulting in the execution of arbitrary code. - An overflow condition exists in the sql_regcase() function in ereg.c due to improper handling of overly long strings. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code. - An integer overflow condition exists in the php_base64_encode() function in base64.c that occurs when handling overly long strings. An unauthenticated, remote attacker can exploit this to execute arbitrary code. - An integer overflow condition exists in the php_quot_print_encode() function in quot_print.c that occurs when handling overly long strings. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow condition, resulting in the execution of arbitrary code. - A use-after-free error exists in the unserialize() function in var.c. An unauthenticated, remote attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. - A flaw exists in the php_ftp_fopen_connect() function in ftp_fopen_wrapper.c that allows a man-in-the-middle attacker to silently downgrade to regular FTP even if a secure method has been requested. - An integer overflow condition exists in the php_url_encode() function in url.c that occurs when handling overly long strings. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code. - An integer overflow condition exists in the php_uuencode() function in uuencode.c. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code. - An integer overflow condition exists in the bzdecompress() function in bz2.c. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code. - An integer overflow condition exists in the curl_escape() function in interface.c that occurs when handling overly long escaped strings. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code. Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 101047 published 2017-06-26 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101047 title Tenable SecurityCenter PHP < 5.6.25 Multiple Vulnerabilities (TNS-2016-09) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2438.NASL description According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.(CVE-2019-11043) - The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserializing untrusted data. Exploitation of this issue can have an unspecified impact on the integrity of PHP.(CVE-2017-12933) - ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.(CVE-2016-7124) - The match function in pcre_exec.c in PCRE before 8.37 mishandles the /(?:((abcd))|(((?:(?:(?:(?:abc|(?:abcdef))))b)abcdefghi )abc)|((*ACCEPT)))/ pattern and related patterns involving (*ACCEPT), which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (partially initialized memory and application crash) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-2547.(CVE-2015-8382) - An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.(CVE-2018-5712) - exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG file.(CVE-2018-14851) - The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.(CVE-2016-7480) - ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an unserialize call that references a partially constructed object.(CVE-2016-7411) - The odbc_bindcols function in ext/odbc/php_odbc.c in PHP before 5.6.12 mishandles driver behavior for SQL_WVARCHAR columns, which allows remote attackers to cause a denial of service (application crash) in opportunistic circumstances by leveraging use of the odbc_fetch_array function to access a certain type of Microsoft SQL Server table.(CVE-2015-8879) - In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension last seen 2020-05-08 modified 2019-12-04 plugin id 131592 published 2019-12-04 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131592 title EulerOS 2.0 SP2 : php (EulerOS-SA-2019-2438) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1984.NASL description According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The get_icu_disp_value_src_php function in ext/intl/locale/locale_methods.c in PHP before 5.3.29, 5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not properly restrict calls to the ICU uresbund.cpp component, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a locale_get_display_name call with a long first argument.(CVE-2014-9912) - Use-after-free vulnerability in the spl_ptr_heap_insert function in ext/spl/spl_heap.c in PHP before 5.5.27 and 5.6.x before 5.6.11 allows remote attackers to execute arbitrary code by triggering a failed SplMinHeap::compare operation.(CVE-2015-4116) - A flaw was found in the way the way PHP last seen 2020-05-08 modified 2019-09-24 plugin id 129178 published 2019-09-24 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129178 title EulerOS 2.0 SP5 : php (EulerOS-SA-2019-1984) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-2460-1.NASL description This update for php7 fixes the following security issues : - CVE-2016-6128: Invalid color index not properly handled [bsc#987580] - CVE-2016-6161: global out of bounds read when encoding gif from malformed input withgd2togif [bsc#988032] - CVE-2016-6292: NULL pointer dereference in exif_process_user_comment [bsc#991422] - CVE-2016-6295: Use after free in SNMP with GC and unserialize() [bsc#991424] - CVE-2016-6297: Stack-based buffer overflow vulnerability in php_stream_zip_opener [bsc#991426] - CVE-2016-6291: Out-of-bounds access in exif_process_IFD_in_MAKERNOTE [bsc#991427] - CVE-2016-6289: Integer overflow leads to buffer overflow in virtual_file_ex [bsc#991428] - CVE-2016-6290: Use after free in unserialize() with Unexpected Session Deserialization [bsc#991429] - CVE-2016-5399: Improper error handling in bzread() [bsc#991430] - CVE-2016-6296: Heap buffer overflow vulnerability in simplestring_addn in simplestring.c [bsc#991437] - CVE-2016-6207: Integer overflow error within _gdContributionsAlloc() [bsc#991434] - CVE-2016-4473: Invalid free() instead of efree() in phar_extract_file() - CVE-2016-7124: Create an Unexpected Object and Don last seen 2020-06-01 modified 2020-06-02 plugin id 119981 published 2019-01-02 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119981 title SUSE SLES12 Security Update : php7 (SUSE-SU-2016:2460-1)
Redhat
advisories |
| ||||
rpms |
|
References
- http://www.php.net/ChangeLog-7.php
- https://github.com/php/php-src/commit/6dbb1ee46b5f4725cc6519abf91e512a2a10dfed?w=1
- http://openwall.com/lists/oss-security/2016/09/02/9
- http://www.php.net/ChangeLog-5.php
- https://bugs.php.net/bug.php?id=72627
- http://www.securityfocus.com/bid/92564
- https://security.gentoo.org/glsa/201611-22
- http://www.securitytracker.com/id/1036680
- https://www.tenable.com/security/tns-2016-19
- http://rhn.redhat.com/errata/RHSA-2016-2750.html