Vulnerabilities > CVE-2019-11049 - Double Free vulnerability in multiple products

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
php
fedoraproject
debian
tenable
CWE-415
critical
nessus
NVD
Published: 2019-12-23
Updated: 2023-11-07

Summary

In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to mail() function, due to mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in lowercase, this can result in double-freeing certain memory locations.

Vulnerable Configurations

Part Description Count
Application
Php
34
Application
Tenable
7
OS
Microsoft
1
OS
Fedoraproject
2
OS
Debian
1

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2020-1339.NASL
    descriptionIn PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access. (CVE-2019-11045) In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to mail() function, due to mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in lowercase, this can result in double-freeing certain memory locations. (CVE-2019-11049) When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash. (CVE-2019-11047) A flaw was discovered in the link function in PHP. When compiled on Windows, it does not correctly handle paths containing NULL bytes. An attacker could abuse this flaw to bypass application checks on file paths. (CVE-2019-11044) When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash. (CVE-2019-11050) In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren
    last seen2020-06-01
    modified2020-06-02
    plugin id133558
    published2020-02-10
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133558
    titleAmazon Linux AMI : php72 / php73 (ALAS-2020-1339)
    code
    #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux AMI Security Advisory ALAS-2020-1339.
#

include("compat.inc");

if (description)
{
  script_id(133558);
  script_version("1.2");
  script_cvs_date("Date: 2020/02/12");

  script_cve_id("CVE-2019-11044", "CVE-2019-11045", "CVE-2019-11046", "CVE-2019-11047", "CVE-2019-11049", "CVE-2019-11050");
  script_xref(name:"ALAS", value:"2020-1339");

  script_name(english:"Amazon Linux AMI : php72 / php73 (ALAS-2020-1339)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Amazon Linux AMI host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP
DirectoryIterator class accepts filenames with embedded \0 byte and
treats them as terminating at that byte. This could lead to security
vulnerabilities, e.g. in applications checking paths that the code is
allowed to access. (CVE-2019-11045)

In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when
supplying custom headers to mail() function, due to mistake introduced
in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is
supplied in lowercase, this can result in double-freeing certain
memory locations. (CVE-2019-11049)

When PHP EXIF extension is parsing EXIF information from an image,
e.g. via exif_read_data() function, in PHP versions 7.2.x below
7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with
data what will cause it to read past the allocated buffer. This may
lead to information disclosure or crash. (CVE-2019-11047)

A flaw was discovered in the link function in PHP. When compiled on
Windows, it does not correctly handle paths containing NULL bytes. An
attacker could abuse this flaw to bypass application checks on file
paths. (CVE-2019-11044)

When PHP EXIF extension is parsing EXIF information from an image,
e.g. via exif_read_data() function, in PHP versions 7.2.x below
7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with
data what will cause it to read past the allocated buffer. This may
lead to information disclosure or crash. (CVE-2019-11050)

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP
bcmath extension functions on some systems, including Windows, can be
tricked into reading beyond the allocated space by supplying it with
string containing characters that are identified as numeric by the OS
but aren't ASCII numbers. This can read to disclosure of the content
of some memory locations. (CVE-2019-11046)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://alas.aws.amazon.com/ALAS-2020-1339.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Run 'yum update php72' to update your system.

Run 'yum update php73' to update your system."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-bcmath");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-cli");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-dba");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-dbg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-embedded");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-enchant");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-fpm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-gd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-gmp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-imap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-intl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-json");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-ldap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-mbstring");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-mysqlnd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-odbc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-opcache");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-pdo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-pdo-dblib");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-pgsql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-process");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-pspell");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-recode");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-snmp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-soap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-tidy");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-xml");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-xmlrpc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-bcmath");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-cli");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-dba");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-dbg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-embedded");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-enchant");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-fpm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-gd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-gmp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-imap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-intl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-json");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-ldap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-mbstring");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-mysqlnd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-odbc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-opcache");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-pdo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-pdo-dblib");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-pgsql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-process");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-pspell");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-recode");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-snmp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-soap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-tidy");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-xml");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-xmlrpc");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/12/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/02/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/10");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Amazon Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "A")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (rpm_check(release:"ALA", reference:"php72-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php72-bcmath-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php72-cli-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php72-common-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php72-dba-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php72-dbg-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php72-debuginfo-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php72-devel-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php72-embedded-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php72-enchant-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php72-fpm-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php72-gd-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php72-gmp-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php72-imap-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php72-intl-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php72-json-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php72-ldap-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php72-mbstring-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php72-mysqlnd-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php72-odbc-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php72-opcache-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php72-pdo-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php72-pdo-dblib-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php72-pgsql-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php72-process-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php72-pspell-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php72-recode-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php72-snmp-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php72-soap-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php72-tidy-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php72-xml-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php72-xmlrpc-7.2.26-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-7.3.13-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-bcmath-7.3.13-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-cli-7.3.13-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-common-7.3.13-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-dba-7.3.13-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-dbg-7.3.13-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-debuginfo-7.3.13-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-devel-7.3.13-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-embedded-7.3.13-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-enchant-7.3.13-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-fpm-7.3.13-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-gd-7.3.13-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-gmp-7.3.13-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-imap-7.3.13-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-intl-7.3.13-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-json-7.3.13-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-ldap-7.3.13-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-mbstring-7.3.13-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-mysqlnd-7.3.13-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-odbc-7.3.13-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-opcache-7.3.13-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-pdo-7.3.13-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-pdo-dblib-7.3.13-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-pgsql-7.3.13-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-process-7.3.13-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-pspell-7.3.13-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-recode-7.3.13-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-snmp-7.3.13-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-soap-7.3.13-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-tidy-7.3.13-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-xml-7.3.13-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php73-xmlrpc-7.3.13-1.22.amzn1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php72 / php72-bcmath / php72-cli / php72-common / php72-dba / etc");
}
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-437D94E271.NASL
    description**PHP version 7.3.13** (18 Dec 2019) **Bcmath:** - Fixed bug php#78878 (Buffer underflow in bc_shift_addsub). (**CVE-2019-11046**). (cmb) **Core:** - Fixed bug php#78862 (link() silently truncates after a null byte on Windows). (**CVE-2019-11044**). (cmb) - Fixed bug php#78863 (DirectoryIterator class silently truncates after a null byte). (**CVE-2019-11045**). (cmb) - Fixed bug php#78943 (mail() may release string with refcount==1 twice). (**CVE-2019-11049**). (cmb) - Fixed bug php#78787 (Segfault with trait overriding inherited private shadow property). (Nikita) - Fixed bug php#78868 (Calling __autoload() with incorrect EG(fake_scope) value). (Antony Dovgal, Dmitry) - Fixed bug php#78296 (is_file fails to detect file). (cmb) **EXIF:** - Fixed bug php#78793 (Use-after-free in exif parsing under memory sanitizer). (**CVE-2019-11050**). (Nikita) - Fixed bug php#78910 (Heap-buffer-overflow READ in exif). (**CVE-2019-11047**). (Nikita) **GD:** - Fixed bug php#78849 (GD build broken with -D SIGNED_COMPARE_SLOW). (cmb) **MBString:** - Upgraded bundled Oniguruma to 6.9.4. (cmb) **OPcache:** - Fixed potential ASLR related invalid opline handler issues. (cmb) - Fixed $x = (bool)$x; with opcache (should emit undeclared variable notice). (Tyson Andre) **PCRE:** - Fixed bug php#78853 (preg_match() may return integer > 1). (cmb) **Standard:** - Fixed bug php#78759 (array_search in $GLOBALS). (Nikita) - Fixed bug php#77638 (var_export
    last seen2020-06-01
    modified2020-06-02
    plugin id132644
    published2020-01-06
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132644
    titleFedora 30 : php (2019-437d94e271)
    code
    #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory FEDORA-2019-437d94e271.
#

include("compat.inc");

if (description)
{
  script_id(132644);
  script_version("1.4");
  script_cvs_date("Date: 2020/01/31");

  script_cve_id("CVE-2019-11044", "CVE-2019-11045", "CVE-2019-11046", "CVE-2019-11047", "CVE-2019-11049", "CVE-2019-11050");
  script_xref(name:"FEDORA", value:"2019-437d94e271");

  script_name(english:"Fedora 30 : php (2019-437d94e271)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"**PHP version 7.3.13** (18 Dec 2019)

**Bcmath:**

  - Fixed bug php#78878 (Buffer underflow in
    bc_shift_addsub). (**CVE-2019-11046**). (cmb)

**Core:**

  - Fixed bug php#78862 (link() silently truncates after a
    null byte on Windows). (**CVE-2019-11044**). (cmb)

  - Fixed bug php#78863 (DirectoryIterator class silently
    truncates after a null byte). (**CVE-2019-11045**).
    (cmb)

  - Fixed bug php#78943 (mail() may release string with
    refcount==1 twice). (**CVE-2019-11049**). (cmb)

  - Fixed bug php#78787 (Segfault with trait overriding
    inherited private shadow property). (Nikita)

  - Fixed bug php#78868 (Calling __autoload() with incorrect
    EG(fake_scope) value). (Antony Dovgal, Dmitry)

  - Fixed bug php#78296 (is_file fails to detect file).
    (cmb)

**EXIF:**

  - Fixed bug php#78793 (Use-after-free in exif parsing
    under memory sanitizer). (**CVE-2019-11050**). (Nikita)

  - Fixed bug php#78910 (Heap-buffer-overflow READ in exif).
    (**CVE-2019-11047**). (Nikita)

**GD:**

  - Fixed bug php#78849 (GD build broken with -D
    SIGNED_COMPARE_SLOW). (cmb)

**MBString:**

  - Upgraded bundled Oniguruma to 6.9.4. (cmb)

**OPcache:**

  - Fixed potential ASLR related invalid opline handler
    issues. (cmb)

  - Fixed $x = (bool)$x; with opcache (should emit
    undeclared variable notice). (Tyson Andre)

**PCRE:**

  - Fixed bug php#78853 (preg_match() may return integer >
    1). (cmb)

**Standard:**

  - Fixed bug php#78759 (array_search in $GLOBALS). (Nikita)

  - Fixed bug php#77638 (var_export'ing certain class
    instances segfaults). (cmb)

  - Fixed bug php#78840 (imploding $GLOBALS crashes). (cmb)

  - Fixed bug php#78833 (Integer overflow in pack causes
    out-of-bound access). (cmb)

  - Fixed bug php#78814 (strip_tags allows / in tag name =>
    whitelist bypass). (cmb)

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-437d94e271"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected php package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:30");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/12/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/01/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/06");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! preg(pattern:"^30([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 30", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);


flag = 0;
if (rpm_check(release:"FC30", reference:"php-7.3.13-1.fc30")) flag++;


if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php");
}
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4626.NASL
    descriptionMultiple security issues were found in PHP, a widely-used open source general purpose scripting language which could result in information disclosure, denial of service or incorrect validation of path names.
    last seen2020-03-17
    modified2020-02-18
    plugin id133733
    published2020-02-18
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133733
    titleDebian DSA-4626-1 : php7.3 - security update
    code
    #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-4626. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(133733);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/20");

  script_cve_id("CVE-2019-11045", "CVE-2019-11046", "CVE-2019-11047", "CVE-2019-11049", "CVE-2019-11050", "CVE-2020-7059", "CVE-2020-7060");
  script_xref(name:"DSA", value:"4626");

  script_name(english:"Debian DSA-4626-1 : php7.3 - security update");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language which could result in information
disclosure, denial of service or incorrect validation of path names."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/source-package/php7.3"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/buster/php7.3"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2020/dsa-4626"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the php7.3 packages.

For the stable distribution (buster), these problems have been fixed
in version 7.3.14-1~deb10u1."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php7.3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/12/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/02/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/18");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"10.0", prefix:"libapache2-mod-php7.3", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"libphp7.3-embed", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-bcmath", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-bz2", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-cgi", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-cli", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-common", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-curl", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-dba", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-dev", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-enchant", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-fpm", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-gd", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-gmp", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-imap", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-interbase", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-intl", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-json", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-ldap", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-mbstring", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-mysql", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-odbc", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-opcache", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-pgsql", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-phpdbg", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-pspell", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-readline", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-recode", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-snmp", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-soap", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-sqlite3", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-sybase", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-tidy", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-xml", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-xmlrpc", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-xsl", reference:"7.3.14-1~deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"php7.3-zip", reference:"7.3.14-1~deb10u1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-A54A622670.NASL
    description**PHP version 7.3.13** (18 Dec 2019) **Bcmath:** - Fixed bug php#78878 (Buffer underflow in bc_shift_addsub). (**CVE-2019-11046**). (cmb) **Core:** - Fixed bug php#78862 (link() silently truncates after a null byte on Windows). (**CVE-2019-11044**). (cmb) - Fixed bug php#78863 (DirectoryIterator class silently truncates after a null byte). (**CVE-2019-11045**). (cmb) - Fixed bug php#78943 (mail() may release string with refcount==1 twice). (**CVE-2019-11049**). (cmb) - Fixed bug php#78787 (Segfault with trait overriding inherited private shadow property). (Nikita) - Fixed bug php#78868 (Calling __autoload() with incorrect EG(fake_scope) value). (Antony Dovgal, Dmitry) - Fixed bug php#78296 (is_file fails to detect file). (cmb) **EXIF:** - Fixed bug php#78793 (Use-after-free in exif parsing under memory sanitizer). (**CVE-2019-11050**). (Nikita) - Fixed bug php#78910 (Heap-buffer-overflow READ in exif). (**CVE-2019-11047**). (Nikita) **GD:** - Fixed bug php#78849 (GD build broken with -D SIGNED_COMPARE_SLOW). (cmb) **MBString:** - Upgraded bundled Oniguruma to 6.9.4. (cmb) **OPcache:** - Fixed potential ASLR related invalid opline handler issues. (cmb) - Fixed $x = (bool)$x; with opcache (should emit undeclared variable notice). (Tyson Andre) **PCRE:** - Fixed bug php#78853 (preg_match() may return integer > 1). (cmb) **Standard:** - Fixed bug php#78759 (array_search in $GLOBALS). (Nikita) - Fixed bug php#77638 (var_export
    last seen2020-06-01
    modified2020-06-02
    plugin id132655
    published2020-01-06
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132655
    titleFedora 31 : php (2019-a54a622670)
    code
    #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory FEDORA-2019-a54a622670.
#

include("compat.inc");

if (description)
{
  script_id(132655);
  script_version("1.4");
  script_cvs_date("Date: 2020/01/31");

  script_cve_id("CVE-2019-11044", "CVE-2019-11045", "CVE-2019-11046", "CVE-2019-11047", "CVE-2019-11049", "CVE-2019-11050");
  script_xref(name:"FEDORA", value:"2019-a54a622670");

  script_name(english:"Fedora 31 : php (2019-a54a622670)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"**PHP version 7.3.13** (18 Dec 2019)

**Bcmath:**

  - Fixed bug php#78878 (Buffer underflow in
    bc_shift_addsub). (**CVE-2019-11046**). (cmb)

**Core:**

  - Fixed bug php#78862 (link() silently truncates after a
    null byte on Windows). (**CVE-2019-11044**). (cmb)

  - Fixed bug php#78863 (DirectoryIterator class silently
    truncates after a null byte). (**CVE-2019-11045**).
    (cmb)

  - Fixed bug php#78943 (mail() may release string with
    refcount==1 twice). (**CVE-2019-11049**). (cmb)

  - Fixed bug php#78787 (Segfault with trait overriding
    inherited private shadow property). (Nikita)

  - Fixed bug php#78868 (Calling __autoload() with incorrect
    EG(fake_scope) value). (Antony Dovgal, Dmitry)

  - Fixed bug php#78296 (is_file fails to detect file).
    (cmb)

**EXIF:**

  - Fixed bug php#78793 (Use-after-free in exif parsing
    under memory sanitizer). (**CVE-2019-11050**). (Nikita)

  - Fixed bug php#78910 (Heap-buffer-overflow READ in exif).
    (**CVE-2019-11047**). (Nikita)

**GD:**

  - Fixed bug php#78849 (GD build broken with -D
    SIGNED_COMPARE_SLOW). (cmb)

**MBString:**

  - Upgraded bundled Oniguruma to 6.9.4. (cmb)

**OPcache:**

  - Fixed potential ASLR related invalid opline handler
    issues. (cmb)

  - Fixed $x = (bool)$x; with opcache (should emit
    undeclared variable notice). (Tyson Andre)

**PCRE:**

  - Fixed bug php#78853 (preg_match() may return integer >
    1). (cmb)

**Standard:**

  - Fixed bug php#78759 (array_search in $GLOBALS). (Nikita)

  - Fixed bug php#77638 (var_export'ing certain class
    instances segfaults). (cmb)

  - Fixed bug php#78840 (imploding $GLOBALS crashes). (cmb)

  - Fixed bug php#78833 (Integer overflow in pack causes
    out-of-bound access). (cmb)

  - Fixed bug php#78814 (strip_tags allows / in tag name =>
    whitelist bypass). (cmb)

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-a54a622670"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected php package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:31");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/12/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/01/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/06");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! preg(pattern:"^31([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 31", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);


flag = 0;
if (rpm_check(release:"FC31", reference:"php-7.3.13-1.fc31")) flag++;


if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php");
}
  • NASL familyCGI abuses
    NASL idPHP_7_4_1.NASL
    descriptionAccording to its banner, the version of PHP running on the remote web server is 7.3.x prior to 7.3.13 or 7.4.x prior to 7.4.1. It is, therefore, affected by multiple vulnerabilities: - An arbitrary file read vulnerability exists in link() and DirectoryIterator class due to improper handling of embedded \0 byte character and treats them as terminating at that byte. An attacker can exploit this to disclose information in applications checking paths that the code is allowed to access. (CVE-2019-11044 CVE-2019-11045) - An out-of-bounds READ error exists in the bcmath extension due to an input validation error. An unauthenticated, remote attacker can exploit this by supplying a string containing characters that are identified as numeric by the OS but are not ASCII number. This can cause lead to the disclosure of information within some memory locations. (CVE-2019-11046) - An out-of-bounds READ error exists in parsing EXIF information from an image. An unauthenticated, remote attacker can exploit this and supply it iwth data that will cause it to read past the allocated buffer disclosing of information. (CVE-2019-11047 CVE-2019-11050) - A denial of service (DoS) vulnerability exists in mail() due to the double-freeing of certain memory locations. An unauthenticated, remote attacker can exploit this issue, by supplying custom headers, and to cause the application to segfault and stop responding.
    last seen2020-06-01
    modified2020-06-02
    plugin id132769
    published2020-01-10
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132769
    titlePHP 7.3.x < 7.3.13 / 7.4.x < 7.4.1 Multiple Vulnerabilities

References