CVE-2019-11044

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: NONE
Availability impact: NONE
Tags: network, low complexity, php, tenable, fedoraproject, nessus

Summary

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 on Windows, PHP link() function accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.
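The summary describes a validate-then-use gap: an application checks a path string in PHP, then hands it to link(), which on an affected Windows build stops reading at the first NUL byte, so everything after "\0" exists only for the check and not for the filesystem call. The PHP below is an added example, not code from the PHP project or from the Nessus plugins on this page. It shows the vulnerable pattern, a hardened replacement that rejects NUL bytes and confines the resolved path to an allow-listed directory, and a version gate for the fixed releases named in this advisory. The temporary directory, the file names and the ".txt" allow-list are assumptions made for the demonstration.

```php
<?php
// Added example, not code from the PHP project or from the Nessus plugins on
// this page. The directory, file names and the ".txt" allow-list are assumed
// for the demonstration.
declare(strict_types=1);

// Vulnerable pattern: the allow-list check runs on the full PHP string, but on
// an affected Windows build link() stops at the first NUL byte. The "@" is
// typical of this pattern and silences the warning a fixed build would emit.
function checked_link_vulnerable(string $target, string $linkName): bool
{
    if (substr($target, -4) !== '.txt') {
        return false;                        // "only .txt files may be linked"
    }
    // "evil.php\0.txt" passes the check above and links "evil.php" on affected builds
    return (bool) @link($target, $linkName);
}

// Hardened pattern: reject NUL bytes before any filesystem call, resolve the
// real path, confine it to the allow-listed directory, then re-check the suffix
// on the resolved path rather than on the user-supplied string.
function checked_link_hardened(string $target, string $linkName, string $allowedDir): bool
{
    foreach ([$target, $linkName] as $p) {
        if (strpos($p, "\0") !== false) {
            throw new InvalidArgumentException('path contains a NUL byte');
        }
    }
    $real = realpath($target);
    $dir  = realpath($allowedDir);
    // Prefix check includes the separator so "/uploads2/x" does not match "/uploads".
    if ($real === false || $dir === false
        || strncmp($real, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0) {
        throw new InvalidArgumentException('target is outside the allow-listed directory');
    }
    if (substr($real, -4) !== '.txt') {
        throw new InvalidArgumentException('only .txt files may be linked');
    }
    return link($real, $linkName);
}

// Version gate: true when this runtime carries the fix for PHP bug #78862.
// Only Windows builds were affected; fixed releases are 7.2.26, 7.3.13 and 7.4.1.
function link_nul_byte_fixed(): bool
{
    if (PHP_OS_FAMILY !== 'Windows') {
        return true;
    }
    $v = PHP_VERSION_ID;
    if ($v >= 70400) { return $v >= 70401; }
    if ($v >= 70300) { return $v >= 70313; }
    if ($v >= 70200) { return $v >= 70226; }
    return false;   // older, unsupported branch: treat as unfixed
}

// Demonstration on constructed input.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cve-2019-11044-demo';   // assumed location
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'evil.php', "<?php echo 'x';\n");

// Crafted name: the suffix check sees ".txt", an affected link() sees "evil.php".
$crafted = $dir . DIRECTORY_SEPARATOR . 'evil.php' . "\0" . '.txt';
var_dump(substr($crafted, -4) === '.txt');   // the naive allow-list check passes
var_dump(link_nul_byte_fixed());             // whether this runtime needs the guard

try {
    checked_link_hardened($crafted, $dir . DIRECTORY_SEPARATOR . 'copy.txt', $dir);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The NUL-byte check in application code is the part that matters on an unpatched build: the runtime fix only makes the Windows link() reject such names the way PHP's other path-taking functions already did, so until the runtime is at a fixed release the application has to refuse them itself. Running the suffix check on realpath() output rather than on the raw string also closes the related traversal and symlink cases that a NUL byte is not needed for.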

Nessus

  • NASL family: Amazon Linux Local Security Checks
    NASL id: ALA_ALAS-2020-1339.NASL
    description: In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access. (CVE-2019-11045) In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to mail() function, due to mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in lowercase, this can result in double-freeing certain memory locations. (CVE-2019-11049) When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data that will cause it to read past the allocated buffer. This may lead to information disclosure or crash. (CVE-2019-11047) A flaw was discovered in the link function in PHP. When compiled on Windows, it does not correctly handle paths containing NULL bytes. An attacker could abuse this flaw to bypass application checks on file paths. (CVE-2019-11044) When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data that will cause it to read past the allocated buffer. This may lead to information disclosure or crash. (CVE-2019-11050) In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren't ASCII numbers. This can lead to disclosure of the content of some memory locations. (CVE-2019-11046)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 133558
    published: 2020-02-10
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/133558
    title: Amazon Linux AMI : php72 / php73 (ALAS-2020-1339)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux AMI Security Advisory ALAS-2020-1339.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(133558);
      script_version("1.2");
      script_cvs_date("Date: 2020/02/12");
    
      script_cve_id("CVE-2019-11044", "CVE-2019-11045", "CVE-2019-11046", "CVE-2019-11047", "CVE-2019-11049", "CVE-2019-11050");
      script_xref(name:"ALAS", value:"2020-1339");
    
      script_name(english:"Amazon Linux AMI : php72 / php73 (ALAS-2020-1339)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux AMI host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP
    DirectoryIterator class accepts filenames with embedded \0 byte and
    treats them as terminating at that byte. This could lead to security
    vulnerabilities, e.g. in applications checking paths that the code is
    allowed to access. (CVE-2019-11045)
    
    In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when
    supplying custom headers to mail() function, due to mistake introduced
    in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is
    supplied in lowercase, this can result in double-freeing certain
    memory locations. (CVE-2019-11049)
    
    When PHP EXIF extension is parsing EXIF information from an image,
    e.g. via exif_read_data() function, in PHP versions 7.2.x below
    7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with
    data that will cause it to read past the allocated buffer. This may
    lead to information disclosure or crash. (CVE-2019-11047)
    
    A flaw was discovered in the link function in PHP. When compiled on
    Windows, it does not correctly handle paths containing NULL bytes. An
    attacker could abuse this flaw to bypass application checks on file
    paths. (CVE-2019-11044)
    
    When PHP EXIF extension is parsing EXIF information from an image,
    e.g. via exif_read_data() function, in PHP versions 7.2.x below
    7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with
    data that will cause it to read past the allocated buffer. This may
    lead to information disclosure or crash. (CVE-2019-11050)
    
    In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP
    bcmath extension functions on some systems, including Windows, can be
    tricked into reading beyond the allocated space by supplying it with
    string containing characters that are identified as numeric by the OS
    but aren't ASCII numbers. This can lead to disclosure of the content
    of some memory locations. (CVE-2019-11046)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/ALAS-2020-1339.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Run 'yum update php72' to update your system.
    
    Run 'yum update php73' to update your system."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-bcmath");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-cli");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-dba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-embedded");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-enchant");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-fpm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-gd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-gmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-imap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-intl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-json");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-mbstring");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-mysqlnd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-odbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-opcache");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-pdo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-pdo-dblib");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-pgsql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-process");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-pspell");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-recode");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-snmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-soap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-tidy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-xml");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-xmlrpc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-bcmath");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-cli");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-dba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-embedded");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-enchant");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-fpm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-gd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-gmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-imap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-intl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-json");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-mbstring");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-mysqlnd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-odbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-opcache");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-pdo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-pdo-dblib");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-pgsql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-process");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-pspell");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-recode");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-snmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-soap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-tidy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-xml");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-xmlrpc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/12/23");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/02/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/10");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "A")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"ALA", reference:"php72-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php72-bcmath-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php72-cli-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php72-common-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php72-dba-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php72-dbg-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php72-debuginfo-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php72-devel-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php72-embedded-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php72-enchant-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php72-fpm-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php72-gd-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php72-gmp-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php72-imap-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php72-intl-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php72-json-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php72-ldap-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php72-mbstring-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php72-mysqlnd-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php72-odbc-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php72-opcache-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php72-pdo-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php72-pdo-dblib-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php72-pgsql-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php72-process-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php72-pspell-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php72-recode-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php72-snmp-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php72-soap-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php72-tidy-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php72-xml-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php72-xmlrpc-7.2.26-1.19.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-7.3.13-1.22.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-bcmath-7.3.13-1.22.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-cli-7.3.13-1.22.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-common-7.3.13-1.22.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-dba-7.3.13-1.22.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-dbg-7.3.13-1.22.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-debuginfo-7.3.13-1.22.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-devel-7.3.13-1.22.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-embedded-7.3.13-1.22.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-enchant-7.3.13-1.22.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-fpm-7.3.13-1.22.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-gd-7.3.13-1.22.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-gmp-7.3.13-1.22.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-imap-7.3.13-1.22.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-intl-7.3.13-1.22.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-json-7.3.13-1.22.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-ldap-7.3.13-1.22.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-mbstring-7.3.13-1.22.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-mysqlnd-7.3.13-1.22.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-odbc-7.3.13-1.22.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-opcache-7.3.13-1.22.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-pdo-7.3.13-1.22.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-pdo-dblib-7.3.13-1.22.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-pgsql-7.3.13-1.22.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-process-7.3.13-1.22.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-pspell-7.3.13-1.22.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-recode-7.3.13-1.22.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-snmp-7.3.13-1.22.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-soap-7.3.13-1.22.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-tidy-7.3.13-1.22.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-xml-7.3.13-1.22.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php73-xmlrpc-7.3.13-1.22.amzn1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php72 / php72-bcmath / php72-cli / php72-common / php72-dba / etc");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2019-437D94E271.NASL
    description: **PHP version 7.3.13** (18 Dec 2019) **Bcmath:** - Fixed bug php#78878 (Buffer underflow in bc_shift_addsub). (**CVE-2019-11046**). (cmb) **Core:** - Fixed bug php#78862 (link() silently truncates after a null byte on Windows). (**CVE-2019-11044**). (cmb) - Fixed bug php#78863 (DirectoryIterator class silently truncates after a null byte). (**CVE-2019-11045**). (cmb) - Fixed bug php#78943 (mail() may release string with refcount==1 twice). (**CVE-2019-11049**). (cmb) - Fixed bug php#78787 (Segfault with trait overriding inherited private shadow property). (Nikita) - Fixed bug php#78868 (Calling __autoload() with incorrect EG(fake_scope) value). (Antony Dovgal, Dmitry) - Fixed bug php#78296 (is_file fails to detect file). (cmb) **EXIF:** - Fixed bug php#78793 (Use-after-free in exif parsing under memory sanitizer). (**CVE-2019-11050**). (Nikita) - Fixed bug php#78910 (Heap-buffer-overflow READ in exif). (**CVE-2019-11047**). (Nikita) **GD:** - Fixed bug php#78849 (GD build broken with -D SIGNED_COMPARE_SLOW). (cmb) **MBString:** - Upgraded bundled Oniguruma to 6.9.4. (cmb) **OPcache:** - Fixed potential ASLR related invalid opline handler issues. (cmb) - Fixed $x = (bool)$x; with opcache (should emit undeclared variable notice). (Tyson Andre) **PCRE:** - Fixed bug php#78853 (preg_match() may return integer > 1). (cmb) **Standard:** - Fixed bug php#78759 (array_search in $GLOBALS). (Nikita) - Fixed bug php#77638 (var_export
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 132644
    published: 2020-01-06
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/132644
    title: Fedora 30 : php (2019-437d94e271)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2019-437d94e271.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(132644);
      script_version("1.4");
      script_cvs_date("Date: 2020/01/31");
    
      script_cve_id("CVE-2019-11044", "CVE-2019-11045", "CVE-2019-11046", "CVE-2019-11047", "CVE-2019-11049", "CVE-2019-11050");
      script_xref(name:"FEDORA", value:"2019-437d94e271");
    
      script_name(english:"Fedora 30 : php (2019-437d94e271)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "**PHP version 7.3.13** (18 Dec 2019)
    
    **Bcmath:**
    
      - Fixed bug php#78878 (Buffer underflow in
        bc_shift_addsub). (**CVE-2019-11046**). (cmb)
    
    **Core:**
    
      - Fixed bug php#78862 (link() silently truncates after a
        null byte on Windows). (**CVE-2019-11044**). (cmb)
    
      - Fixed bug php#78863 (DirectoryIterator class silently
        truncates after a null byte). (**CVE-2019-11045**).
        (cmb)
    
      - Fixed bug php#78943 (mail() may release string with
        refcount==1 twice). (**CVE-2019-11049**). (cmb)
    
      - Fixed bug php#78787 (Segfault with trait overriding
        inherited private shadow property). (Nikita)
    
      - Fixed bug php#78868 (Calling __autoload() with incorrect
        EG(fake_scope) value). (Antony Dovgal, Dmitry)
    
      - Fixed bug php#78296 (is_file fails to detect file).
        (cmb)
    
    **EXIF:**
    
      - Fixed bug php#78793 (Use-after-free in exif parsing
        under memory sanitizer). (**CVE-2019-11050**). (Nikita)
    
      - Fixed bug php#78910 (Heap-buffer-overflow READ in exif).
        (**CVE-2019-11047**). (Nikita)
    
    **GD:**
    
      - Fixed bug php#78849 (GD build broken with -D
        SIGNED_COMPARE_SLOW). (cmb)
    
    **MBString:**
    
      - Upgraded bundled Oniguruma to 6.9.4. (cmb)
    
    **OPcache:**
    
      - Fixed potential ASLR related invalid opline handler
        issues. (cmb)
    
      - Fixed $x = (bool)$x; with opcache (should emit
        undeclared variable notice). (Tyson Andre)
    
    **PCRE:**
    
      - Fixed bug php#78853 (preg_match() may return integer >
        1). (cmb)
    
    **Standard:**
    
      - Fixed bug php#78759 (array_search in $GLOBALS). (Nikita)
    
      - Fixed bug php#77638 (var_export'ing certain class
        instances segfaults). (cmb)
    
      - Fixed bug php#78840 (imploding $GLOBALS crashes). (cmb)
    
      - Fixed bug php#78833 (Integer overflow in pack causes
        out-of-bound access). (cmb)
    
      - Fixed bug php#78814 (strip_tags allows / in tag name =>
        whitelist bypass). (cmb)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-437d94e271"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected php package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:30");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/12/23");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/01/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^30([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 30", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC30", reference:"php-7.3.13-1.fc30")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php");
    }
    
  • NASL family: CGI abuses
    NASL id: PHP_7_2_26.NASL
    description: According to its banner, the version of PHP running on the remote web server is 7.2.x prior to 7.2.26. It is, therefore, affected by multiple vulnerabilities: - An arbitrary file read vulnerability exists in link() and DirectoryIterator class due to improper handling of an embedded \0 byte, which is treated as terminating the filename. An attacker can exploit this to disclose information in applications checking paths that the code is allowed to access. (CVE-2019-11044 CVE-2019-11045) - An out-of-bounds READ error exists in the bcmath extension due to an input validation error. An unauthenticated, remote attacker can exploit this by supplying a string containing characters that are identified as numeric by the OS but are not ASCII numbers. This can lead to the disclosure of information within some memory locations. (CVE-2019-11046) - An out-of-bounds READ error exists in parsing EXIF information from an image. An unauthenticated, remote attacker can exploit this by supplying data that will cause it to read past the allocated buffer, disclosing information. (CVE-2019-11047)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 132770
    published: 2020-01-10
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/132770
    title: PHP 7.2.x < 7.2.26 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(132770);
      script_version("1.4");
      script_cvs_date("Date: 2020/01/31");
    
      script_cve_id(
        "CVE-2019-11044",
        "CVE-2019-11045",
        "CVE-2019-11046",
        "CVE-2019-11047",
        "CVE-2019-11050"
      );
    
      script_name(english:"PHP 7.2.x < 7.2.26 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of PHP.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The version of PHP running on the remote web server is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its banner, the version of PHP running on the remote web
    server is 7.2.x prior to 7.2.26. It is, therefore, affected by
    multiple vulnerabilities:
    
      - An arbitrary file read vulnerability exists in link() and
        DirectoryIterator class due to improper handling of an embedded
        \0 byte, which is treated as terminating the filename.
        An attacker can exploit this to disclose information in
        applications checking paths that the code is allowed to access.
        (CVE-2019-11044 CVE-2019-11045)

      - An out-of-bounds READ error exists in the bcmath extension due to
        an input validation error. An unauthenticated, remote attacker
        can exploit this by supplying a string containing characters that
        are identified as numeric by the OS but are not ASCII numbers.
        This can lead to the disclosure of information within some
        memory locations. (CVE-2019-11046)

      - An out-of-bounds READ error exists in parsing EXIF information
        from an image. An unauthenticated, remote attacker
        can exploit this by supplying data that will cause it to
        read past the allocated buffer, disclosing information.
        (CVE-2019-11047)");
      script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-7.php#7.2.26");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to PHP version 7.2.26 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11050");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/12/18");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/12/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/10");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("php_version.nasl");
      script_require_keys("www/PHP", "installed_sw/PHP", "Settings/ParanoidReport");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }
    include('http.inc');
    include('vcf.inc');
    include('audit.inc');
    
    port = get_http_port(default:80, php:TRUE);
    app_info = vcf::get_app_info(app:'PHP', port:port, webapp:TRUE);
    
    backported = get_kb_item('www/php/' + port + '/' + app_info.version + '/backported');
    
    if ((report_paranoia < 2) && backported) audit(AUDIT_BACKPORT_SERVICE, port, 'PHP ' + app_info.version + ' install');
    
    constraints = [
      {'min_version':'7.2.0alpha1', 'fixed_version':'7.2.26'}
    ];
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2019-A54A622670.NASL
    description: **PHP version 7.3.13** (18 Dec 2019) **Bcmath:** - Fixed bug php#78878 (Buffer underflow in bc_shift_addsub). (**CVE-2019-11046**). (cmb) **Core:** - Fixed bug php#78862 (link() silently truncates after a null byte on Windows). (**CVE-2019-11044**). (cmb) - Fixed bug php#78863 (DirectoryIterator class silently truncates after a null byte). (**CVE-2019-11045**). (cmb) - Fixed bug php#78943 (mail() may release string with refcount==1 twice). (**CVE-2019-11049**). (cmb) - Fixed bug php#78787 (Segfault with trait overriding inherited private shadow property). (Nikita) - Fixed bug php#78868 (Calling __autoload() with incorrect EG(fake_scope) value). (Antony Dovgal, Dmitry) - Fixed bug php#78296 (is_file fails to detect file). (cmb) **EXIF:** - Fixed bug php#78793 (Use-after-free in exif parsing under memory sanitizer). (**CVE-2019-11050**). (Nikita) - Fixed bug php#78910 (Heap-buffer-overflow READ in exif). (**CVE-2019-11047**). (Nikita) **GD:** - Fixed bug php#78849 (GD build broken with -D SIGNED_COMPARE_SLOW). (cmb) **MBString:** - Upgraded bundled Oniguruma to 6.9.4. (cmb) **OPcache:** - Fixed potential ASLR related invalid opline handler issues. (cmb) - Fixed $x = (bool)$x; with opcache (should emit undeclared variable notice). (Tyson Andre) **PCRE:** - Fixed bug php#78853 (preg_match() may return integer > 1). (cmb) **Standard:** - Fixed bug php#78759 (array_search in $GLOBALS). (Nikita) - Fixed bug php#77638 (var_export
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 132655
    published: 2020-01-06
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/132655
    title: Fedora 31 : php (2019-a54a622670)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2019-a54a622670.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(132655);
      script_version("1.4");
      script_cvs_date("Date: 2020/01/31");
    
      script_cve_id("CVE-2019-11044", "CVE-2019-11045", "CVE-2019-11046", "CVE-2019-11047", "CVE-2019-11049", "CVE-2019-11050");
      script_xref(name:"FEDORA", value:"2019-a54a622670");
    
      script_name(english:"Fedora 31 : php (2019-a54a622670)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "**PHP version 7.3.13** (18 Dec 2019)
    
    **Bcmath:**
    
      - Fixed bug php#78878 (Buffer underflow in
        bc_shift_addsub). (**CVE-2019-11046**). (cmb)
    
    **Core:**
    
      - Fixed bug php#78862 (link() silently truncates after a
        null byte on Windows). (**CVE-2019-11044**). (cmb)
    
      - Fixed bug php#78863 (DirectoryIterator class silently
        truncates after a null byte). (**CVE-2019-11045**).
        (cmb)
    
      - Fixed bug php#78943 (mail() may release string with
        refcount==1 twice). (**CVE-2019-11049**). (cmb)
    
      - Fixed bug php#78787 (Segfault with trait overriding
        inherited private shadow property). (Nikita)
    
      - Fixed bug php#78868 (Calling __autoload() with incorrect
        EG(fake_scope) value). (Antony Dovgal, Dmitry)
    
      - Fixed bug php#78296 (is_file fails to detect file).
        (cmb)
    
    **EXIF:**
    
      - Fixed bug php#78793 (Use-after-free in exif parsing
        under memory sanitizer). (**CVE-2019-11050**). (Nikita)
    
      - Fixed bug php#78910 (Heap-buffer-overflow READ in exif).
        (**CVE-2019-11047**). (Nikita)
    
    **GD:**
    
      - Fixed bug php#78849 (GD build broken with -D
        SIGNED_COMPARE_SLOW). (cmb)
    
    **MBString:**
    
      - Upgraded bundled Oniguruma to 6.9.4. (cmb)
    
    **OPcache:**
    
      - Fixed potential ASLR related invalid opline handler
        issues. (cmb)
    
      - Fixed $x = (bool)$x; with opcache (should emit
        undeclared variable notice). (Tyson Andre)
    
    **PCRE:**
    
      - Fixed bug php#78853 (preg_match() may return integer >
        1). (cmb)
    
    **Standard:**
    
      - Fixed bug php#78759 (array_search in $GLOBALS). (Nikita)
    
      - Fixed bug php#77638 (var_export'ing certain class
        instances segfaults). (cmb)
    
      - Fixed bug php#78840 (imploding $GLOBALS crashes). (cmb)
    
      - Fixed bug php#78833 (Integer overflow in pack causes
        out-of-bound access). (cmb)
    
      - Fixed bug php#78814 (strip_tags allows / in tag name =>
        whitelist bypass). (cmb)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-a54a622670"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected php package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:31");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/12/23");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/01/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^31([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 31", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC31", reference:"php-7.3.13-1.fc31")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php");
    }
    
  • NASL family: CGI abuses
    NASL id: PHP_7_4_1.NASL
    description: According to its banner, the version of PHP running on the remote web server is 7.3.x prior to 7.3.13 or 7.4.x prior to 7.4.1. It is, therefore, affected by multiple vulnerabilities: - An arbitrary file read vulnerability exists in link() and DirectoryIterator class due to improper handling of embedded \0 byte characters, which are treated as terminating the path at that byte. An attacker can exploit this to disclose information in applications checking paths that the code is allowed to access. (CVE-2019-11044 CVE-2019-11045) - An out-of-bounds READ error exists in the bcmath extension due to an input validation error. An unauthenticated, remote attacker can exploit this by supplying a string containing characters that are identified as numeric by the OS but are not ASCII numbers. This can lead to the disclosure of information within some memory locations. (CVE-2019-11046) - An out-of-bounds READ error exists in parsing EXIF information from an image. An unauthenticated, remote attacker can exploit this by supplying data that will cause it to read past the allocated buffer, disclosing information. (CVE-2019-11047 CVE-2019-11050) - A denial of service (DoS) vulnerability exists in mail() due to the double-freeing of certain memory locations. An unauthenticated, remote attacker can exploit this issue, by supplying custom headers, to cause the application to segfault and stop responding.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 132769
    published: 2020-01-10
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/132769
    title: PHP 7.3.x < 7.3.13 / 7.4.x < 7.4.1 Multiple Vulnerabilities