Vulnerabilities > CVE-2019-11044
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 on Windows, PHP link() function accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | Php
| 101 |
Application | 7 | |
OS | 2 |
Nessus
NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2020-1339.NASL description In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access. (CVE-2019-11045) In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to mail() function, due to mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in lowercase, this can result in double-freeing certain memory locations. (CVE-2019-11049) When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash. (CVE-2019-11047) A flaw was discovered in the link function in PHP. When compiled on Windows, it does not correctly handle paths containing NULL bytes. An attacker could abuse this flaw to bypass application checks on file paths. (CVE-2019-11044) When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash. (CVE-2019-11050) In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren last seen 2020-06-01 modified 2020-06-02 plugin id 133558 published 2020-02-10 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133558 title Amazon Linux AMI : php72 / php73 (ALAS-2020-1339) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Amazon Linux AMI Security Advisory ALAS-2020-1339. # include("compat.inc"); if (description) { script_id(133558); script_version("1.2"); script_cvs_date("Date: 2020/02/12"); script_cve_id("CVE-2019-11044", "CVE-2019-11045", "CVE-2019-11046", "CVE-2019-11047", "CVE-2019-11049", "CVE-2019-11050"); script_xref(name:"ALAS", value:"2020-1339"); script_name(english:"Amazon Linux AMI : php72 / php73 (ALAS-2020-1339)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Amazon Linux AMI host is missing a security update." ); script_set_attribute( attribute:"description", value: "In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access. (CVE-2019-11045) In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to mail() function, due to mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in lowercase, this can result in double-freeing certain memory locations. (CVE-2019-11049) When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash. (CVE-2019-11047) A flaw was discovered in the link function in PHP. When compiled on Windows, it does not correctly handle paths containing NULL bytes. An attacker could abuse this flaw to bypass application checks on file paths. (CVE-2019-11044) When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash. (CVE-2019-11050) In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren't ASCII numbers. This can read to disclosure of the content of some memory locations. (CVE-2019-11046)" ); script_set_attribute( attribute:"see_also", value:"https://alas.aws.amazon.com/ALAS-2020-1339.html" ); script_set_attribute( attribute:"solution", value: "Run 'yum update php72' to update your system. Run 'yum update php73' to update your system." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-bcmath"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-cli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-dba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-embedded"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-enchant"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-fpm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-gmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-imap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-intl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-json"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-mbstring"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-mysqlnd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-opcache"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-pdo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-pdo-dblib"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-process"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-pspell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-recode"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-snmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-soap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-tidy"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-xml"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-xmlrpc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-bcmath"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-cli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-dba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-embedded"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-enchant"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-fpm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-gmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-imap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-intl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-json"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-mbstring"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-mysqlnd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-opcache"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-pdo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-pdo-dblib"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-process"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-pspell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-recode"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-snmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-soap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-tidy"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-xml"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-xmlrpc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/12/23"); script_set_attribute(attribute:"patch_publication_date", value:"2020/02/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/10"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Amazon Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/AmazonLinux/release"); if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux"); os_ver = pregmatch(pattern: "^AL(A|\d)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux"); os_ver = os_ver[1]; if (os_ver != "A") { if (os_ver == 'A') os_ver = 'AMI'; audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver); } if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (rpm_check(release:"ALA", reference:"php72-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-bcmath-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-cli-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-common-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-dba-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-dbg-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-debuginfo-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-devel-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-embedded-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-enchant-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-fpm-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-gd-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-gmp-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-imap-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-intl-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-json-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-ldap-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-mbstring-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-mysqlnd-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-odbc-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-opcache-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-pdo-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-pdo-dblib-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-pgsql-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-process-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-pspell-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-recode-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-snmp-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-soap-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-tidy-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-xml-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-xmlrpc-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-bcmath-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-cli-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-common-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-dba-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-dbg-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-debuginfo-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-devel-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-embedded-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-enchant-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-fpm-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-gd-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-gmp-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-imap-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-intl-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-json-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-ldap-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-mbstring-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-mysqlnd-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-odbc-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-opcache-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-pdo-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-pdo-dblib-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-pgsql-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-process-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-pspell-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-recode-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-snmp-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-soap-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-tidy-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-xml-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-xmlrpc-7.3.13-1.22.amzn1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php72 / php72-bcmath / php72-cli / php72-common / php72-dba / etc"); }
NASL family Fedora Local Security Checks NASL id FEDORA_2019-437D94E271.NASL description **PHP version 7.3.13** (18 Dec 2019) **Bcmath:** - Fixed bug php#78878 (Buffer underflow in bc_shift_addsub). (**CVE-2019-11046**). (cmb) **Core:** - Fixed bug php#78862 (link() silently truncates after a null byte on Windows). (**CVE-2019-11044**). (cmb) - Fixed bug php#78863 (DirectoryIterator class silently truncates after a null byte). (**CVE-2019-11045**). (cmb) - Fixed bug php#78943 (mail() may release string with refcount==1 twice). (**CVE-2019-11049**). (cmb) - Fixed bug php#78787 (Segfault with trait overriding inherited private shadow property). (Nikita) - Fixed bug php#78868 (Calling __autoload() with incorrect EG(fake_scope) value). (Antony Dovgal, Dmitry) - Fixed bug php#78296 (is_file fails to detect file). (cmb) **EXIF:** - Fixed bug php#78793 (Use-after-free in exif parsing under memory sanitizer). (**CVE-2019-11050**). (Nikita) - Fixed bug php#78910 (Heap-buffer-overflow READ in exif). (**CVE-2019-11047**). (Nikita) **GD:** - Fixed bug php#78849 (GD build broken with -D SIGNED_COMPARE_SLOW). (cmb) **MBString:** - Upgraded bundled Oniguruma to 6.9.4. (cmb) **OPcache:** - Fixed potential ASLR related invalid opline handler issues. (cmb) - Fixed $x = (bool)$x; with opcache (should emit undeclared variable notice). (Tyson Andre) **PCRE:** - Fixed bug php#78853 (preg_match() may return integer > 1). (cmb) **Standard:** - Fixed bug php#78759 (array_search in $GLOBALS). (Nikita) - Fixed bug php#77638 (var_export last seen 2020-06-01 modified 2020-06-02 plugin id 132644 published 2020-01-06 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132644 title Fedora 30 : php (2019-437d94e271) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2019-437d94e271. # include("compat.inc"); if (description) { script_id(132644); script_version("1.4"); script_cvs_date("Date: 2020/01/31"); script_cve_id("CVE-2019-11044", "CVE-2019-11045", "CVE-2019-11046", "CVE-2019-11047", "CVE-2019-11049", "CVE-2019-11050"); script_xref(name:"FEDORA", value:"2019-437d94e271"); script_name(english:"Fedora 30 : php (2019-437d94e271)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "**PHP version 7.3.13** (18 Dec 2019) **Bcmath:** - Fixed bug php#78878 (Buffer underflow in bc_shift_addsub). (**CVE-2019-11046**). (cmb) **Core:** - Fixed bug php#78862 (link() silently truncates after a null byte on Windows). (**CVE-2019-11044**). (cmb) - Fixed bug php#78863 (DirectoryIterator class silently truncates after a null byte). (**CVE-2019-11045**). (cmb) - Fixed bug php#78943 (mail() may release string with refcount==1 twice). (**CVE-2019-11049**). (cmb) - Fixed bug php#78787 (Segfault with trait overriding inherited private shadow property). (Nikita) - Fixed bug php#78868 (Calling __autoload() with incorrect EG(fake_scope) value). (Antony Dovgal, Dmitry) - Fixed bug php#78296 (is_file fails to detect file). (cmb) **EXIF:** - Fixed bug php#78793 (Use-after-free in exif parsing under memory sanitizer). (**CVE-2019-11050**). (Nikita) - Fixed bug php#78910 (Heap-buffer-overflow READ in exif). (**CVE-2019-11047**). (Nikita) **GD:** - Fixed bug php#78849 (GD build broken with -D SIGNED_COMPARE_SLOW). (cmb) **MBString:** - Upgraded bundled Oniguruma to 6.9.4. (cmb) **OPcache:** - Fixed potential ASLR related invalid opline handler issues. (cmb) - Fixed $x = (bool)$x; with opcache (should emit undeclared variable notice). (Tyson Andre) **PCRE:** - Fixed bug php#78853 (preg_match() may return integer > 1). (cmb) **Standard:** - Fixed bug php#78759 (array_search in $GLOBALS). (Nikita) - Fixed bug php#77638 (var_export'ing certain class instances segfaults). (cmb) - Fixed bug php#78840 (imploding $GLOBALS crashes). (cmb) - Fixed bug php#78833 (Integer overflow in pack causes out-of-bound access). (cmb) - Fixed bug php#78814 (strip_tags allows / in tag name => whitelist bypass). (cmb) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-437d94e271" ); script_set_attribute(attribute:"solution", value:"Update the affected php package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:30"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/12/23"); script_set_attribute(attribute:"patch_publication_date", value:"2020/01/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/06"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^30([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 30", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC30", reference:"php-7.3.13-1.fc30")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php"); }
NASL family CGI abuses NASL id PHP_7_2_26.NASL description According to its banner, the version of PHP running on the remote web server is 7.2.x prior to 7.2.26. It is, therefore, affected by multiple vulnerabilities: - An arbitrary file read vulnerability exists in link() and DirectoryIterator class due to improper handling of embedded \0 byte character and treats them as terminating at that byte. An attacker can exploit this to disclose information in applications checking paths that the code is allowed to access. (CVE-2019-11044 CVE-2019-11045) - An out-of-bounds READ error exists in the bcmath extension due to an input validation error. An unauthenticated, remote attacker can exploit this by supplying a string containing characters that are identified as numeric by the OS but are not ASCII number. This can cause lead to the disclosure of information within some memory locations. (CVE-2019-11046) - An out-of-bounds READ error exists in parsing EXIF information from an image. An unauthenticated, remote attacker can exploit this and supply it iwth data that will cause it to read past the allocated buffer disclosing of information. (CVE-2019-11047) last seen 2020-06-01 modified 2020-06-02 plugin id 132770 published 2020-01-10 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132770 title PHP 7.2.x < 7.2.26 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(132770); script_version("1.4"); script_cvs_date("Date: 2020/01/31"); script_cve_id( "CVE-2019-11044", "CVE-2019-11045", "CVE-2019-11046", "CVE-2019-11047", "CVE-2019-11050" ); script_name(english:"PHP 7.2.x < 7.2.26 Multiple Vulnerabilities"); script_summary(english:"Checks the version of PHP."); script_set_attribute(attribute:"synopsis", value: "The version of PHP running on the remote web server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its banner, the version of PHP running on the remote web server is 7.2.x prior to 7.2.26. It is, therefore, affected by multiple vulnerabilities: - An arbitrary file read vulnerability exists in link() and DirectoryIterator class due to improper handling of embedded \0 byte character and treats them as terminating at that byte. An attacker can exploit this to disclose information in applications checking paths that the code is allowed to access. (CVE-2019-11044 CVE-2019-11045) - An out-of-bounds READ error exists in the bcmath extension due to an input validation error. An unauthenticated, remote attacker can exploit this by supplying a string containing characters that are identified as numeric by the OS but are not ASCII number. This can cause lead to the disclosure of information within some memory locations. (CVE-2019-11046) - An out-of-bounds READ error exists in parsing EXIF information from an image. An unauthenticated, remote attacker can exploit this and supply it iwth data that will cause it to read past the allocated buffer disclosing of information. (CVE-2019-11047)"); script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-7.php#7.2.26"); script_set_attribute(attribute:"solution", value: "Upgrade to PHP version 7.2.26 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11050"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/12/18"); script_set_attribute(attribute:"patch_publication_date", value:"2019/12/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/10"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("php_version.nasl"); script_require_keys("www/PHP", "installed_sw/PHP", "Settings/ParanoidReport"); script_require_ports("Services/www", 80); exit(0); } include('http.inc'); include('vcf.inc'); include('audit.inc'); port = get_http_port(default:80, php:TRUE); app_info = vcf::get_app_info(app:'PHP', port:port, webapp:TRUE); backported = get_kb_item('www/php/' + port + '/' + app_info.version + '/backported'); if ((report_paranoia < 2) && backported) audit(AUDIT_BACKPORT_SERVICE, port, 'PHP ' + app_info.version + ' install'); constraints = [ {'min_version':'7.2.0alpha1', 'fixed_version':'7.2.26'} ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
NASL family Fedora Local Security Checks NASL id FEDORA_2019-A54A622670.NASL description **PHP version 7.3.13** (18 Dec 2019) **Bcmath:** - Fixed bug php#78878 (Buffer underflow in bc_shift_addsub). (**CVE-2019-11046**). (cmb) **Core:** - Fixed bug php#78862 (link() silently truncates after a null byte on Windows). (**CVE-2019-11044**). (cmb) - Fixed bug php#78863 (DirectoryIterator class silently truncates after a null byte). (**CVE-2019-11045**). (cmb) - Fixed bug php#78943 (mail() may release string with refcount==1 twice). (**CVE-2019-11049**). (cmb) - Fixed bug php#78787 (Segfault with trait overriding inherited private shadow property). (Nikita) - Fixed bug php#78868 (Calling __autoload() with incorrect EG(fake_scope) value). (Antony Dovgal, Dmitry) - Fixed bug php#78296 (is_file fails to detect file). (cmb) **EXIF:** - Fixed bug php#78793 (Use-after-free in exif parsing under memory sanitizer). (**CVE-2019-11050**). (Nikita) - Fixed bug php#78910 (Heap-buffer-overflow READ in exif). (**CVE-2019-11047**). (Nikita) **GD:** - Fixed bug php#78849 (GD build broken with -D SIGNED_COMPARE_SLOW). (cmb) **MBString:** - Upgraded bundled Oniguruma to 6.9.4. (cmb) **OPcache:** - Fixed potential ASLR related invalid opline handler issues. (cmb) - Fixed $x = (bool)$x; with opcache (should emit undeclared variable notice). (Tyson Andre) **PCRE:** - Fixed bug php#78853 (preg_match() may return integer > 1). (cmb) **Standard:** - Fixed bug php#78759 (array_search in $GLOBALS). (Nikita) - Fixed bug php#77638 (var_export last seen 2020-06-01 modified 2020-06-02 plugin id 132655 published 2020-01-06 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132655 title Fedora 31 : php (2019-a54a622670) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2019-a54a622670. # include("compat.inc"); if (description) { script_id(132655); script_version("1.4"); script_cvs_date("Date: 2020/01/31"); script_cve_id("CVE-2019-11044", "CVE-2019-11045", "CVE-2019-11046", "CVE-2019-11047", "CVE-2019-11049", "CVE-2019-11050"); script_xref(name:"FEDORA", value:"2019-a54a622670"); script_name(english:"Fedora 31 : php (2019-a54a622670)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "**PHP version 7.3.13** (18 Dec 2019) **Bcmath:** - Fixed bug php#78878 (Buffer underflow in bc_shift_addsub). (**CVE-2019-11046**). (cmb) **Core:** - Fixed bug php#78862 (link() silently truncates after a null byte on Windows). (**CVE-2019-11044**). (cmb) - Fixed bug php#78863 (DirectoryIterator class silently truncates after a null byte). (**CVE-2019-11045**). (cmb) - Fixed bug php#78943 (mail() may release string with refcount==1 twice). (**CVE-2019-11049**). (cmb) - Fixed bug php#78787 (Segfault with trait overriding inherited private shadow property). (Nikita) - Fixed bug php#78868 (Calling __autoload() with incorrect EG(fake_scope) value). (Antony Dovgal, Dmitry) - Fixed bug php#78296 (is_file fails to detect file). (cmb) **EXIF:** - Fixed bug php#78793 (Use-after-free in exif parsing under memory sanitizer). (**CVE-2019-11050**). (Nikita) - Fixed bug php#78910 (Heap-buffer-overflow READ in exif). (**CVE-2019-11047**). (Nikita) **GD:** - Fixed bug php#78849 (GD build broken with -D SIGNED_COMPARE_SLOW). (cmb) **MBString:** - Upgraded bundled Oniguruma to 6.9.4. (cmb) **OPcache:** - Fixed potential ASLR related invalid opline handler issues. (cmb) - Fixed $x = (bool)$x; with opcache (should emit undeclared variable notice). (Tyson Andre) **PCRE:** - Fixed bug php#78853 (preg_match() may return integer > 1). (cmb) **Standard:** - Fixed bug php#78759 (array_search in $GLOBALS). (Nikita) - Fixed bug php#77638 (var_export'ing certain class instances segfaults). (cmb) - Fixed bug php#78840 (imploding $GLOBALS crashes). (cmb) - Fixed bug php#78833 (Integer overflow in pack causes out-of-bound access). (cmb) - Fixed bug php#78814 (strip_tags allows / in tag name => whitelist bypass). (cmb) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-a54a622670" ); script_set_attribute(attribute:"solution", value:"Update the affected php package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:31"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/12/23"); script_set_attribute(attribute:"patch_publication_date", value:"2020/01/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/06"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^31([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 31", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC31", reference:"php-7.3.13-1.fc31")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php"); }
NASL family CGI abuses NASL id PHP_7_4_1.NASL description According to its banner, the version of PHP running on the remote web server is 7.3.x prior to 7.3.13 or 7.4.x prior to 7.4.1. It is, therefore, affected by multiple vulnerabilities: - An arbitrary file read vulnerability exists in link() and DirectoryIterator class due to improper handling of embedded \0 byte character and treats them as terminating at that byte. An attacker can exploit this to disclose information in applications checking paths that the code is allowed to access. (CVE-2019-11044 CVE-2019-11045) - An out-of-bounds READ error exists in the bcmath extension due to an input validation error. An unauthenticated, remote attacker can exploit this by supplying a string containing characters that are identified as numeric by the OS but are not ASCII number. This can cause lead to the disclosure of information within some memory locations. (CVE-2019-11046) - An out-of-bounds READ error exists in parsing EXIF information from an image. An unauthenticated, remote attacker can exploit this and supply it iwth data that will cause it to read past the allocated buffer disclosing of information. (CVE-2019-11047 CVE-2019-11050) - A denial of service (DoS) vulnerability exists in mail() due to the double-freeing of certain memory locations. An unauthenticated, remote attacker can exploit this issue, by supplying custom headers, and to cause the application to segfault and stop responding. last seen 2020-06-01 modified 2020-06-02 plugin id 132769 published 2020-01-10 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132769 title PHP 7.3.x < 7.3.13 / 7.4.x < 7.4.1 Multiple Vulnerabilities
References
- https://bugs.php.net/bug.php?id=78862
- https://security.netapp.com/advisory/ntap-20200103-0002/
- https://www.tenable.com/security/tns-2021-14
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F/