ID CVE-2014-8142
Summary Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019.
References
Vulnerable Configurations
  • PHP 5.4.35
    cpe:2.3:a:php:php:5.4.35
  • PHP 5.5.0 -
    cpe:2.3:a:php:php:5.5.0
  • PHP 5.5.0 alpha1
    cpe:2.3:a:php:php:5.5.0:alpha1
  • PHP 5.5.0 alpha2
    cpe:2.3:a:php:php:5.5.0:alpha2
  • PHP 5.5.0 alpha3
    cpe:2.3:a:php:php:5.5.0:alpha3
  • PHP 5.5.0 alpha4
    cpe:2.3:a:php:php:5.5.0:alpha4
  • PHP 5.5.0 alpha5
    cpe:2.3:a:php:php:5.5.0:alpha5
  • PHP 5.5.0 alpha6
    cpe:2.3:a:php:php:5.5.0:alpha6
  • PHP 5.5.0 beta1
    cpe:2.3:a:php:php:5.5.0:beta1
  • PHP 5.5.0 beta2
    cpe:2.3:a:php:php:5.5.0:beta2
  • PHP 5.5.0 beta3
    cpe:2.3:a:php:php:5.5.0:beta3
  • PHP 5.5.0 beta4
    cpe:2.3:a:php:php:5.5.0:beta4
  • PHP 5.5.0 release candidate 1
    cpe:2.3:a:php:php:5.5.0:rc1
  • PHP 5.5.0 release candidate 2
    cpe:2.3:a:php:php:5.5.0:rc2
  • PHP 5.5.1
    cpe:2.3:a:php:php:5.5.1
  • PHP 5.5.2 -
    cpe:2.3:a:php:php:5.5.2
  • PHP 5.5.3
    cpe:2.3:a:php:php:5.5.3
  • PHP 5.5.4 -
    cpe:2.3:a:php:php:5.5.4
  • PHP 5.5.5 -
    cpe:2.3:a:php:php:5.5.5
  • PHP 5.5.6 -
    cpe:2.3:a:php:php:5.5.6
  • PHP 5.5.7 -
    cpe:2.3:a:php:php:5.5.7
  • PHP 5.5.8 -
    cpe:2.3:a:php:php:5.5.8
  • PHP 5.5.9 -
    cpe:2.3:a:php:php:5.5.9
  • PHP 5.5.10 -
    cpe:2.3:a:php:php:5.5.10
  • PHP 5.5.11 -
    cpe:2.3:a:php:php:5.5.11
  • PHP 5.5.12 -
    cpe:2.3:a:php:php:5.5.12
  • PHP 5.5.13 -
    cpe:2.3:a:php:php:5.5.13
  • PHP 5.5.14 -
    cpe:2.3:a:php:php:5.5.14
  • PHP 5.5.15 -
    cpe:2.3:a:php:php:5.5.15
  • PHP 5.5.16 -
    cpe:2.3:a:php:php:5.5.16
  • PHP 5.5.17 -
    cpe:2.3:a:php:php:5.5.17
  • PHP 5.5.18 -
    cpe:2.3:a:php:php:5.5.18
  • PHP 5.5.19 -
    cpe:2.3:a:php:php:5.5.19
  • PHP 5.6.0 alpha1
    cpe:2.3:a:php:php:5.6.0:alpha1
  • PHP 5.6.0 alpha2
    cpe:2.3:a:php:php:5.6.0:alpha2
  • PHP 5.6.0 alpha3
    cpe:2.3:a:php:php:5.6.0:alpha3
  • PHP 5.6.0 alpha4
    cpe:2.3:a:php:php:5.6.0:alpha4
  • PHP 5.6.0 alpha5
    cpe:2.3:a:php:php:5.6.0:alpha5
  • PHP 5.6.0 beta1
    cpe:2.3:a:php:php:5.6.0:beta1
  • PHP 5.6.0 beta2
    cpe:2.3:a:php:php:5.6.0:beta2
  • PHP 5.6.0 beta3
    cpe:2.3:a:php:php:5.6.0:beta3
  • PHP 5.6.0 beta4
    cpe:2.3:a:php:php:5.6.0:beta4
  • PHP 5.6.0 -
    cpe:2.3:a:php:php:5.6.0
  • PHP 5.6.1 -
    cpe:2.3:a:php:php:5.6.1
  • PHP 5.6.2
    cpe:2.3:a:php:php:5.6.2
  • PHP 5.6.3 -
    cpe:2.3:a:php:php:5.6.3
CVSS
Base: 7.5 (as of 24-06-2016 - 11:39)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2501-1.NASL
    description Stefan Esser discovered that PHP incorrectly handled unserializing objects. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-8142, CVE-2015-0231) Brian Carpenter discovered that the PHP CGI component incorrectly handled invalid files. A local attacker could use this issue to obtain sensitive information, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2014-9427) It was discovered that PHP incorrectly handled certain pascal strings in the fileinfo extension. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2014-9652) Alex Eubanks discovered that PHP incorrectly handled EXIF data in JPEG images. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-0232) It was discovered that the PHP opcache component incorrectly handled memory. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-1351) It was discovered that the PHP PostgreSQL database extension incorrectly handled certain pointers. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-1352). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 81399
    published 2015-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81399
    title Ubuntu 12.04 LTS / 14.04 LTS / 14.10 : php5 vulnerabilities (USN-2501-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_APACHE2-MOD_PHP53-150212.NASL
    description PHP 5.3 was updated to fix three security issues : - Use-after-free vulnerability allowed remote attackers to execute arbitrary code via a crafted unserialize call that leveraged improper handling of duplicate keys within the serialized properties of an object. (bnc#910659). (CVE-2014-8142) - Use-after-free vulnerability allowed remote attackers to execute arbitrary code via a crafted unserialize call that leveraged improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142. (bnc#910659). (CVE-2015-0231) - The exif_process_unicode function allowed remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free and application crash) via crafted EXIF data in a JPEG image. (bnc#914690). (CVE-2015-0232) Additionally a fix was included that protects against a possible NULL pointer use. (bnc#910659) This non-security issue has been fixed : - Don't ignore default_socket_timeout on outgoing SSL connection (bnc#907519)
    last seen 2019-02-21
    modified 2015-10-05
    plugin id 81507
    published 2015-02-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81507
    title SuSE 11.3 Security Update : php53 (SAT Patch Number 10313)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2014-356-02.NASL
    description New php packages are available for Slackware 14.0, 14.1, and -current to fix security issues.
    last seen 2019-02-21
    modified 2015-02-04
    plugin id 80205
    published 2014-12-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80205
    title Slackware 14.0 / 14.1 / current : php (SSA:2014-356-02)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-080.NASL
    description Multiple vulnerabilities has been discovered and corrected in php : It was discovered that the file utility contains a flaw in the handling of indirect magic rules in the libmagic library, which leads to an infinite recursion when trying to determine the file type of certain files (CVE-2014-1943). A flaw was found in the way the file utility determined the type of Portable Executable (PE) format files, the executable format used on Windows. A malicious PE file could cause the file utility to crash or, potentially, execute arbitrary code (CVE-2014-2270). The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters (CVE-2013-7345). PHP FPM in PHP versions before 5.4.28 and 5.5.12 uses a UNIX domain socket with world-writable permissions by default, which allows any local user to connect to it and execute PHP scripts as the apache user (CVE-2014-0185). A flaw was found in the way file's Composite Document Files (CDF) format parser handle CDF files with many summary info entries. The cdf_unpack_summary_info() function unnecessarily repeatedly read the info from the same offset. This led to many file_printf() calls in cdf_file_property_info(), which caused file to use an excessive amount of CPU time when parsing a specially crafted CDF file (CVE-2014-0237). A flaw was found in the way file parsed property information from Composite Document Files (CDF) files. A property entry with 0 elements triggers an infinite loop (CVE-2014-0238). The unserialize() function in PHP before 5.4.30 and 5.5.14 has a Type Confusion issue related to the SPL ArrayObject and SPLObjectStorage Types (CVE-2014-3515). It was discovered that PHP is vulnerable to a heap-based buffer overflow in the DNS TXT record parsing. A malicious server or man-in-the-middle attacker could possibly use this flaw to execute arbitrary code as the PHP interpreter if a PHP application uses dns_get_record() to perform a DNS query (CVE-2014-4049). A flaw was found in the way file parsed property information from Composite Document Files (CDF) files, where the mconvert() function did not correctly compute the truncated pascal string size (CVE-2014-3478). Multiple flaws were found in the way file parsed property information from Composite Document Files (CDF) files, due to insufficient boundary checks on buffers (CVE-2014-0207, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487). The phpinfo() function in PHP before 5.4.30 and 5.5.14 has a Type Confusion issue that can cause it to leak arbitrary process memory (CVE-2014-4721). Use-after-free vulnerability in ext/spl/spl_array.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted ArrayIterator usage within applications in certain web-hosting environments (CVE-2014-4698). Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted iterator usage within applications in certain web-hosting environments (CVE-2014-4670). file before 5.19 does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted file that triggers backtracking during processing of an awk rule, due to an incomplete fix for CVE-2013-7345 (CVE-2014-3538). Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1571 (CVE-2014-3587). Multiple buffer overflows in the php_parserr function in ext/standard/dns.c in PHP before 5.4.32 and 5.5.x before 5.5.16 allow remote DNS servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted DNS record, related to the dns_get_record function and the dn_expand function. NOTE: this issue exists because of an incomplete fix for CVE-2014-4049 (CVE-2014-3597). An integer overflow flaw in PHP's unserialize() function was reported. If unserialize() were used on untrusted data, this issue could lead to a crash or potentially information disclosure (CVE-2014-3669). A heap corruption issue was reported in PHP's exif_thumbnail() function. A specially crafted JPEG image could cause the PHP interpreter to crash or, potentially, execute arbitrary code (CVE-2014-3670). If client-supplied input was passed to PHP's cURL client as a URL to download, it could return local files from the server due to improper handling of null bytes (PHP#68089). An out-of-bounds read flaw was found in file's donote() function in the way the file utility determined the note headers of a elf file. This could possibly lead to file executable crash (CVE-2014-3710). A use-after-free flaw was found in PHP unserialize(). An untrusted input could cause PHP interpreter to crash or, possibly, execute arbitrary code when processed using unserialize() (CVE-2014-8142). Double free vulnerability in the zend_ts_hash_graceful_destroy function in zend_ts_hash.c in the Zend Engine in PHP before 5.5.21 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors (CVE-2014-9425). sapi/cgi/cgi_main.c in the CGI component in PHP before 5.5.21, when mmap is used to read a .php file, does not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping (CVE-2014-9427). Use after free vulnerability in unserialize() in PHP before 5.5.21 (CVE-2015-0231). Free called on an uninitialized pointer in php-exif in PHP before 5.5.21 (CVE-2015-0232). The readelf.c source file has been removed from PHP's bundled copy of file's libmagic, eliminating exposure to denial of service issues in ELF file parsing such as CVE-2014-8116, CVE-2014-8117, CVE-2014-9620 and CVE-2014-9621 in PHP's fileinfo module. S. Paraschoudis discovered that PHP incorrectly handled memory in the enchant binding. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2014-9705). Taoguang Chen discovered that PHP incorrectly handled unserializing objects. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-0273). It was discovered that PHP incorrectly handled memory in the phar extension. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-2301). Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142 (CVE-2015-0231). The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free and application crash) via crafted EXIF data in a JPEG image (CVE-2015-0232). An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way libzip, which is embedded in PHP, processed certain ZIP archives. If an attacker were able to supply a specially crafted ZIP archive to an application using libzip, it could cause the application to crash or, possibly, execute arbitrary code (CVE-2015-2331). It was discovered that the PHP opcache component incorrectly handled memory. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-1351). It was discovered that the PHP PostgreSQL database extension incorrectly handled certain pointers. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-1352). PHP contains a bundled copy of the file utility's libmagic library, so it was vulnerable to the libmagic issues. The updated php packages have been patched and upgraded to the 5.5.23 version which is not vulnerable to these issues. The libzip packages has been patched to address the CVE-2015-2331 flaw. A bug in the php zip extension that could cause a crash has been fixed (mga#13820) Additionally the jsonc and timezonedb packages has been upgraded to the latest versions and the PECL packages which requires so has been rebuilt for php-5.5.23.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 82333
    published 2015-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82333
    title Mandriva Linux Security Advisory : php (MDVSA-2015:080)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-163.NASL
    description php5 was updated to fix five security issues. These security issues were fixed : - CVE-2015-0231: Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allowed remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142 (bnc#910659). - CVE-2015-0232: The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allowed remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free and application crash) via crafted EXIF data in a JPEG image (bnc#914690). - CVE-2014-8142: Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allowed remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019 (bnc#910659). - CVE-2014-9427: sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap was used to read a .php file, did not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which caused an out-of-bounds read and might (1) allowed remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping (bnc#911664). For openSUSE 13.2 this additional security issue was fixed : - CVE-2014-9426: The apprentice_load function in libmagic/apprentice.c in the Fileinfo component in PHP through 5.6.4 attempted to perform a free operation on a stack-based character array, which allowed remote attackers to cause a denial of service (memory corruption or application crash) or possibly have unspecified other impact via unknown vectors (bnc#911663).
    last seen 2019-02-21
    modified 2015-10-05
    plugin id 81418
    published 2015-02-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81418
    title openSUSE Security Update : php5 (openSUSE-2015-163)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201503-03.NASL
    description The remote host is affected by the vulnerability described in GLSA-201503-03 (PHP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details. Impact : A remote attacker can leverage these vulnerabilities to execute arbitrary code or cause Denial of Service. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 81688
    published 2015-03-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81688
    title GLSA-201503-03 : PHP: Multiple vulnerabilities
  • NASL family Web Servers
    NASL id HPSMH_7_5.NASL
    description According to the web server's banner, the version of HP System Management Homepage (SMH) hosted on the remote web server is prior to 7.5.0. It is, therefore, affected by multiple vulnerabilities : - A flaw exists within the 'mod_deflate' module when handling highly compressed bodies. A remote attacker can exploit this, via a specially crafted request, to exhaust memory and CPU resources, resulting in a denial of service condition. (CVE-2014-0118) - The 'mod_status' module contains a race condition that can be triggered when handling the scoreboard. A remote attacker can exploit this to cause a denial of service, execute arbitrary code, or obtain sensitive credential information. (CVE-2014-0226) - The 'mod_cgid' module lacks a time out mechanism. A remote attacker can exploit this, via a specially crafted request, to cause child processes to linger indefinitely, filling up the scoreboard and resulting in a denial of service vulnerability. (CVE-2014-0231) - A flaw exists in WinNT MPM versions 2.4.1 to 2.4.9 when using the default AcceptFilter. An attacker can exploit this, via specially crafted requests. to create a memory leak, resulting in a denial of service condition. (CVE-2014-3523) - A NULL pointer dereference flaw exists when the SSLv3 option isn't enabled and an SSLv3 ClientHello is received. This allows a remote attacker, using an unexpected handshake, to crash the daemon, resulting in a denial of service. (CVE-2014-3569) - The BIGNUM squaring (BN_sqr) implementation does not properly calculate the square of a BIGNUM value. This allows remote attackers to defeat cryptographic protection mechanisms. (CVE-2014-3570) - A NULL pointer dereference flaw exists in the dtls1_get_record() function when handling DTLS messages. A remote attacker, using a specially crafted DTLS message, can cause a denial of service. (CVE-2014-3571) - A flaw exists with ECDH handshakes when using an ECDSA certificate without a ServerKeyExchange message. This allows a remote attacker to trigger a loss of forward secrecy from the ciphersuite. (CVE-2014-3572) - A use-after-free error exists in the 'process_nested_data' function within 'ext/standard/var_unserializer.re' due to improper handling of duplicate keys within the serialized properties of an object. A remote attacker, using a specially crafted call to the 'unserialize' method, can exploit this flaw to execute arbitrary code on the system. (CVE-2014-8142) - A flaw exists when accepting non-DER variations of certificate signature algorithms and signature encodings due to a lack of enforcement of matches between signed and unsigned portions. A remote attacker, by including crafted data within a certificate's unsigned portion, can bypass fingerprint-based certificate-blacklist protection mechanisms. (CVE-2014-8275) - An out-of-bounds read flaw in file 'cgi_main.c' exists when nmap is used to process an invalid file that begins with a hash character (#) but lacks a newline character. A remote attacker, using a specially crafted PHP file, can exploit this vulnerability to disclose memory contents, cause a denial of service, or possibly execute code. (CVE-2014-9427) - An out-of-bounds read error exists in the Fine Free File component that is bundled with PHP. A remote attacker can exploit this to cause a denial of service condition or the disclosure of sensitive information. (CVE-2014-9652) - A memory corruption issue exists in the Fine Free File component that is bundled with PHP. A remote attacker can exploit this to cause an unspecified impact. (CVE-2014-9653) - A heap buffer overflow condition exists in PHP in the enchant_broker_request_dict() function due to improper validation of user-supplied input. An attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2014-9705) - A security feature bypass vulnerability, known as FREAK (Factoring attack on RSA-EXPORT Keys), exists due to the support of weak EXPORT_RSA cipher suites with keys less than or equal to 512 bits. A man-in-the-middle attacker may be able to downgrade the SSL/TLS connection to use EXPORT_RSA cipher suites which can be factored in a short amount of time, allowing the attacker to intercept and decrypt the traffic. (CVE-2015-0204) - A flaw exists when accepting DH certificates for client authentication without the CertificateVerify message. This allows a remote attacker to authenticate to the service without a private key. (CVE-2015-0205) - A memory leak occurs in dtls1_buffer_record() when handling a saturation of DTLS records containing the same number sequence but for the next epoch. This allows a remote attacker to cause a denial of service. (CVE-2015-0206) - A flaw exists in the DTLSv1_listen() function due to state being preserved in the SSL object from one invocation to the next. A remote attacker can exploit this, via crafted DTLS traffic, to cause a segmentation fault, resulting in a denial of service. (CVE-2015-0207) - A flaw exists in the rsa_item_verify() function due to improper implementation of ASN.1 signature verification. A remote attacker can exploit this, via an ASN.1 signature using the RSA PSS algorithm and invalid parameters, to cause a NULL pointer dereference, resulting in a denial of service. (CVE-2015-0208) - A use-after-free condition exists in the d2i_ECPrivateKey() function due to improper processing of malformed EC private key files during import. A remote attacker can exploit this to dereference or free already freed memory, resulting in a denial of service or other unspecified impact. (CVE-2015-0209) - A use-after-free memory error exists in the process_nested_data() function in 'var_unserializer.re' due to improper handling of duplicate numerical keys within the serialized properties of an object. A remote attacker, using a crafted unserialize method call, can exploit this vulnerability to execute arbitrary code. (CVE-2015-0231) - A flaw exists in the exif_process_unicode() function in 'exif.c' that allows freeing an uninitialized pointer. A remote attacker, using specially crafted EXIF data in a JPEG image, can exploit this to cause a denial of service or to execute arbitrary code. (CVE-2015-0232) - A use-after-free flaw exists in the function php_date_timezone_initialize_from_hash() within the 'ext/date/php_date.c' script. An attacker can exploit this to access sensitive information or crash applications linked to PHP. (CVE-2015-0273) - A flaw exists in the ssl3_client_hello() function due to improper validation of a PRNG seed before proceeding with a handshake, resulting in insufficient entropy and predictable output. This allows a man-in-the-middle attacker to defeat cryptographic protection mechanisms via a brute-force attack, resulting in the disclosure of sensitive information. (CVE-2015-0285) - An invalid read error exists in the ASN1_TYPE_cmp() function due to improperly performed boolean-type comparisons. A remote attacker can exploit this, via a crafted X.509 certificate to an endpoint that uses the certificate-verification feature, to cause an invalid read operation, resulting in a denial of service. (CVE-2015-0286) - A flaw exists in the ASN1_item_ex_d2i() function due to a failure to reinitialize 'CHOICE' and 'ADB' data structures when reusing a structure in ASN.1 parsing. This allows a remote attacker to cause an invalid write operation and memory corruption, resulting in a denial of service. (CVE-2015-0287) - A NULL pointer dereference flaw exists in the X509_to_X509_REQ() function due to improper processing of certificate keys. This allows a remote attacker, via a crafted X.509 certificate, to cause a denial of service. (CVE-2015-0288) - A NULL pointer dereference flaw exists in the PKCS#7 parsing code due to incorrect handling of missing outer ContentInfo. This allows a remote attacker, using an application that processes arbitrary PKCS#7 data and providing malformed data with ASN.1 encoding, to cause a denial of service. (CVE-2015-0289) - A flaw exists with the 'multiblock' feature in the ssl3_write_bytes() function due to improper handling of certain non-blocking I/O cases. This allows a remote attacker to cause failed connections or a segmentation fault, resulting in a denial of service. (CVE-2015-0290) - A NULL pointer dereference flaw exists when handling clients attempting to renegotiate using an invalid signature algorithm extension. A remote attacker can exploit this to cause a denial of service. (CVE-2015-0291) - An integer underflow condition exists in the EVP_DecodeUpdate() function due to improper validation of base64 encoded input when decoding. This allows a remote attacker, using maliciously crafted base64 data, to cause a segmentation fault or memory corruption, resulting in a denial of service or possibly the execution of arbitrary code. (CVE-2015-0292) - A flaw exists in servers that both support SSLv2 and enable export cipher suites due to improper implementation of SSLv2. A remote attacker can exploit this, via a crafted CLIENT-MASTER-KEY message, to cause a denial of service. (CVE-2015-0293) - A flaw exists in the ssl3_get_client_key_exchange() function when client authentication and an ephemeral Diffie-Hellman ciphersuite are enabled. This allows a remote attacker, via a ClientKeyExchange message with a length of zero, to cause a denial of service. (CVE-2015-1787) - A cross-site request forgery (XSRF) vulnerability exists due to the lack of a unique token when performing sensitive actions via HTTP requests. (CVE-2015-2134) - A use-after-free error exists in the function phar_rename_archive() in file 'phar_object.c'. A remote attacker, by attempting to rename a phar archive to an already existing file name, can exploit this to cause a denial of service. (CVE-2015-2301) - A use-after-free error exists related to function 'unserialize', which can allow a remote attacker to execute arbitrary code. Note that this issue is due to an incomplete fix for CVE-2014-8142. (CVE-2015-0231) - A filter bypass vulnerability exists due to a flaw in the move_uploaded_file() function in which pathnames are truncated when a NULL byte is encountered. This allows a remote attacker, via a crafted second argument, to bypass intended extension restrictions and create files with unexpected names. (CVE-2015-2348) - A user-after-free error exists in the process_nested_data() function. This allows a remote attacker, via a crafted unserialize call, to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2015-2787)
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 84923
    published 2015-07-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84923
    title HP System Management Homepage 7.3.x / 7.4.x < 7.5.0 Multiple Vulnerabilities (FREAK)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2015-463.NASL
    description Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019 .
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 80414
    published 2015-01-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80414
    title Amazon Linux AMI : php54 (ALAS-2015-463)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-004.NASL
    description Updated php packages fix security vulnerability : A use-after-free flaw was found in PHP unserialize(). An untrusted input could cause PHP interpreter to crash or, possibly, execute arbitrary code when processed using unserialize() (CVE-2014-8142). PHP has been updated to version 5.5.20, which fixes these issues and other bugs.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 80385
    published 2015-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80385
    title Mandriva Linux Security Advisory : php (MDVSA-2015:004)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20150623_PHP_ON_SL7_X.NASL
    description A flaw was found in the way the PHP module for the Apache httpd web server handled pipelined requests. A remote attacker could use this flaw to trigger the execution of a PHP script in a deinitialized interpreter, causing it to crash or, possibly, execute arbitrary code. (CVE-2015-3330) A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. (CVE-2015-4024) An uninitialized pointer use flaw was found in PHP's Exif extension. A specially crafted JPEG or TIFF file could cause a PHP application using the exif_read_data() function to crash or, possibly, execute arbitrary code with the privileges of the user running that PHP application. (CVE-2015-0232) An integer overflow flaw leading to a heap-based buffer overflow was found in the way PHP's FTP extension parsed file listing FTP server responses. A malicious FTP server could use this flaw to cause a PHP application to crash or, possibly, execute arbitrary code. (CVE-2015-4022) Multiple flaws were discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code. (CVE-2014-8142, CVE-2015-0231, CVE-2015-0273, CVE-2015-2787, CVE-2015-4147, CVE-2015-4148, CVE-2015-4599, CVE-2015-4600, CVE-2015-4601, CVE-2015-4602, CVE-2015-4603) It was found that certain PHP functions did not properly handle file names containing a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions. (CVE-2015-2348, CVE-2015-4025, CVE-2015-4026, CVE-2015-3411, CVE-2015-3412, CVE-2015-4598) Multiple flaws were found in the way the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened. (CVE-2015-2301, CVE-2015-2783, CVE-2015-3307, CVE-2015-3329, CVE-2015-4021) Multiple flaws were found in PHP's File Information (fileinfo) extension. A remote attacker could cause a PHP application to crash if it used fileinfo to identify type of attacker supplied files. (CVE-2014-9652, CVE-2015-4604, CVE-2015-4605) A heap buffer overflow flaw was found in the enchant_broker_request_dict() function of PHP's enchant extension. An attacker able to make a PHP application enchant dictionaries could possibly cause it to crash. (CVE-2014-9705) A buffer over-read flaw was found in the GD library used by the PHP gd extension. A specially crafted GIF file could cause a PHP application using the imagecreatefromgif() function to crash. (CVE-2014-9709) This update also fixes the following bugs : - The libgmp library in some cases terminated unexpectedly with a segmentation fault when being used with other libraries that use the GMP memory management. With this update, PHP no longer changes libgmp memory allocators, which prevents the described crash from occurring. - When using the Open Database Connectivity (ODBC) API, the PHP process in some cases terminated unexpectedly with a segmentation fault. The underlying code has been adjusted to prevent this crash. - Previously, running PHP on a big-endian system sometimes led to memory corruption in the fileinfo module. This update adjusts the behavior of the PHP pointer so that it can be freed without causing memory corruption. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 84394
    published 2015-06-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84394
    title Scientific Linux Security Update : php on SL7.x x86_64
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-1058.NASL
    description 22 Jan 2015, PHP 5.6.5 Core : - Upgraded crypt_blowfish to version 1.3. (Leigh) - Fixed bug #60704 (unlink() bug with some files path). - Fixed bug #65419 (Inside trait, self::class != __CLASS__). (Julien) - Fixed bug #68536 (pack for 64bits integer is broken on bigendian). (Remi) - Fixed bug #55541 (errors spawn MessageBox, which blocks test automation). (Anatol) - Fixed bug #68297 (Application Popup provides too few information). (Anatol) - Fixed bug #65769 (localeconv() broken in TS builds). (Anatol) - Fixed bug #65230 (setting locale randomly broken). (Anatol) - Fixed bug #66764 (configure doesn't define EXPANDED_DATADIR / PHP_DATADIR correctly). (Ferenc) - Fixed bug #68583 (Crash in timeout thread). (Anatol) - Fixed bug #65576 (Constructor from trait conflicts with inherited constructor). (dunglas at gmail dot com) - Fixed bug #68676 (Explicit Double Free). (Kalle) - Fixed bug #68710 (Use After Free Vulnerability in PHP's unserialize()). (CVE-2015-0231) (Stefan Esser) CGI : - Fixed bug #68618 (out of bounds read crashes php-cgi). (CVE-2014-9427) (Stas) CLI server : - Fixed bug #68745 (Invalid HTTP requests make web server segfault). (Adam) cURL : - Fixed bug #67643 (curl_multi_getcontent returns ' when CURLOPT_RETURNTRANSFER isn't set). (Jille Timmermans) Date : - Implemented FR #68268 (DatePeriod: Getter for start date, end date and interval). (Marc Bennewitz) EXIF : - Fixed bug #68799: Free called on uninitialized pointer. (CVE-2015-0232) (Stas) Fileinfo : - Fixed bug #68398 (msooxml matches too many archives). (Anatol) - Fixed bug #68665 (invalid free in libmagic). (Joshua Rogers, Anatol Belski) - Fixed bug #68671 (incorrect expression in libmagic). (Joshua Rogers, Anatol Belski) - Removed readelf.c and related code from libmagic sources (Remi, Anatol) - Fixed bug #68735 (fileinfo out-of-bounds memory access). (Anatol) FPM : - Fixed request #68526 (Implement POSIX Access Control List for UDS). (Remi) - Fixed bug #68751 (listen.allowed_clients is broken). (Remi) GD : - Fixed bug #68601 (buffer read overflow in gd_gif_in.c). (Jan Bee, Remi) - Fixed request #68656 (Report gd library version). (Remi) mbstring : - Fixed bug #68504 (--with-libmbfl configure option not present on Windows). (Ashesh Vashi) Opcache : - Fixed bug #68644 (strlen incorrect : mbstring + func_overload=2 +UTF-8 + Opcache). (Laruence) - Fixed bug #67111 (Memory leak when using 'continue 2' inside two foreach loops). (Nikita) OpenSSL : - Improved handling of OPENSSL_KEYTYPE_EC keys. (Dominic Luechinger) pcntl : - Fixed bug #60509 (pcntl_signal doesn't decrease ref-count of old handler when setting SIG_DFL). (Julien) PCRE : - Fixed bug #66679 (Alignment Bug in PCRE 8.34 upstream). (Rainer Jung, Anatol Belski) pgsql : - Fixed bug #68697 (lo_export return -1 on failure). (Ondrej Sury) PDO : - Fixed bug #68371 (PDO#getAttribute() cannot be called with platform-specifi attribute names). (Matteo) PDO_mysql : - Fixed bug #68424 (Add new PDO mysql connection attr to control multi statements option). (peter dot wolanin at acquia dot com) SPL : - Fixed bug #66405 (RecursiveDirectoryIterator::CURRENT_AS_PATHNAME breaks the RecursiveIterator). (Paul Garvin) - Fixed bug #68479 (Added escape parameter to SplFileObject::fputcsv). (Salathe) SQLite : - Fixed bug #68120 (Update bundled libsqlite to 3.8.7.2). (Anatol) Streams : - Fixed bug #68532 (convert.base64-encode omits padding bytes). (blaesius at krumedia dot de) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 81190
    published 2015-02-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81190
    title Fedora 21 : php-5.6.5-1.fc21 (2015-1058)
  • NASL family CGI abuses
    NASL id PHP_5_4_36.NASL
    description According to its banner, the version of PHP 5.4.x installed on the remote host is prior to 5.4.36. It is, therefore, affected by a use-after-free error in the 'process_nested_data' function within 'ext/standard/var_unserializer.re' due to improper handling of duplicate keys within the serialized properties of an object. A remote attacker, using a specially crafted call to the 'unserialize' method, can exploit this flaw to execute arbitrary code on the system. Note that Nessus has not attempted to exploit this issue but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 80330
    published 2015-01-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80330
    title PHP 5.4.x < 5.4.36 'process_nested_data' RCE
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2015-464.NASL
    description Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019 .
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 80415
    published 2015-01-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80415
    title Amazon Linux AMI : php55 (ALAS-2015-464)
  • NASL family CGI abuses
    NASL id PHP_5_6_4.NASL
    description According to its banner, the version of PHP 5.6.x installed on the remote host is prior to 5.6.4. It is, therefore, affected by a use-after-free error in the 'process_nested_data' function within 'ext/standard/var_unserializer.re' due to improper handling of duplicate keys within the serialized properties of an object. A remote attacker, using a specially crafted call to the 'unserialize' method, can exploit this flaw to execute arbitrary code on the system. Note that Nessus has not attempted to exploit this issue but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 80332
    published 2015-01-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80332
    title PHP 5.6.x < 5.6.4 'process_nested_data' RCE
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-1101.NASL
    description 22 Jan 2014, PHP 5.5.21 Core : - Upgraded crypt_blowfish to version 1.3. (Leigh) - Fixed bug #60704 (unlink() bug with some files path). - Fixed bug #65419 (Inside trait, self::class != __CLASS__). (Julien) - Fixed bug #65576 (Constructor from trait conflicts with inherited constructor). (dunglas at gmail dot com) - Fixed bug #55541 (errors spawn MessageBox, which blocks test automation). (Anatol) - Fixed bug #68297 (Application Popup provides too few information). (Anatol) - Fixed bug #65769 (localeconv() broken in TS builds). (Anatol) - Fixed bug #65230 (setting locale randomly broken). (Anatol) - Fixed bug #66764 (configure doesn't define EXPANDED_DATADIR / PHP_DATADIR correctly). (Ferenc) - Fixed bug #68583 (Crash in timeout thread). (Anatol) - Fixed bug #68676 (Explicit Double Free). (Kalle) - Fixed bug #68710 (Use After Free Vulnerability in PHP's unserialize()). (CVE-2015-0231) (Stefan Esser) CGI : - Fixed bug #68618 (out of bounds read crashes php-cgi).(CVE-2014-9427) (Stas) CLI server : - Fixed bug #68745 (Invalid HTTP requests make web server segfault). (Adam) cURL : - Fixed bug #67643 (curl_multi_getcontent returns ' when CURLOPT_RETURNTRANSFER isn't set). (Jille Timmermans) EXIF : - Fixed bug #68799: Free called on uninitialized pointer. (CVE-2015-0232) (Stas) Fileinfo : - Fixed bug #68671 (incorrect expression in libmagic). (Joshua Rogers, Anatol Belski) - Removed readelf.c and related code from libmagic sources (Remi, Anatol) - Fixed bug #68735 (fileinfo out-of-bounds memory access). (Anatol) FPM : - Fixed bug #68751 (listen.allowed_clients is broken). (Remi) GD : - Fixed bug #68601 (buffer read overflow in gd_gif_in.c). (Jan Bee, Remi) Mbstring : - Fixed bug #68504 (--with-libmbfl configure option not present on Windows). (Ashesh Vashi) Mcrypt : - Fixed possible read after end of buffer and use after free. (Dmitry) Opcache : - Fixed bug #67111 (Memory leak when using 'continue 2' inside two foreach loops). (Nikita) OpenSSL : - Fixed bug #55618 (use case-insensitive cert name matching). (Daniel Lowrey) Pcntl : - Fixed bug #60509 (pcntl_signal doesn't decrease ref-count of old handler when setting SIG_DFL). (Julien) PCRE : - Fixed bug #66679 (Alignment Bug in PCRE 8.34 upstream). (Rainer Jung, Anatol Belski) pgsql : - Fixed bug #68697 (lo_export return -1 on failure). (Ondrej Sury) PDO : - Fixed bug #68371 (PDO#getAttribute() cannot be called with platform-specific attribute names). (Matteo) PDO_mysql : - Fixed bug #68424 (Add new PDO mysql connection attr to control multi statements option). (peter dot wolanin at acquia dot com) SPL : - Fixed bug #66405 (RecursiveDirectoryIterator::CURRENT_AS_PATHNAME breaks the RecursiveIterator). (Paul Garvin) - Fixed bug #65213 (cannot cast SplFileInfo to boolean) (Tjerk) - Fixed bug #68479 (Added escape parameter to SplFileObject::fputcsv). (Salathe) SQLite : - Fixed bug #68120 (Update bundled libsqlite to 3.8.7.2). (Anatol) Streams : - Fixed bug #68532 (convert.base64-encode omits padding bytes). (blaesius at krumedia dot de) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 81191
    published 2015-02-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81191
    title Fedora 20 : php-5.5.21-1.fc20 (2015-1101)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-17276.NASL
    description 18 Dec 2014, PHP 5.5.20\r\n\r\nCore:\r\n* Fixed bug #68091 (Some Zend headers lack appropriate extern 'C' blocks). (Adam)\r\n* Fixed bug #68185 ('Inconsistent insteadof definition.'- incorrectly triggered). (Julien)\r\n* Fixed bug #68370 ('unset($this)' can make the program crash). (Laruence)\r\n* Fixed bug #68545 (NULL pointer dereference in unserialize.c). (Anatol)\r\n* Fixed bug #68594 (Use after free vulnerability in unserialize()). (CVE-2014-8142) (Stefan Esser)\r\n\r\nDate:\r\n* Fixed day_of_week function as it could sometimes return negative values internally. (Derick)\r\n\r\nFPM:\r\n* Fixed bug #68381 (fpm_unix_init_main ignores log_level). (David Zuelke, Remi)\r\n* Fixed bug #68420 (listen=9000 listens to ipv6 localhost instead of all addresses). (Remi)\r\n* Fixed bug #68421 (access.format='%R' doesn't log ipv6 address). (Remi)\r\n* Fixed bug #68423 (PHP-FPM will no longer load all pools). (Remi)\r\n* Fixed bug #68428 (listen.allowed_clients is IPv4 only). (Remi)\r\n* Fixed bug #68452 (php-fpm man page is oudated). (Remi)\r\n* Fixed request #68458 (Change pm.start_servers default warning to notice). (David Zuelke, Remi)\r\n* Fixed bug #68463 (listen.allowed_clients can silently result in no allowed access). (Remi)\r\n* Fixed request #68391 (php-fpm conf files loading order). (Florian Margaine, Remi)\r\n* Fixed bug #68478 (access.log don't use prefix). (Remi)\r\n\r\nMcrypt:\r\n* Fixed possible read after end of buffer and use after free. (Dmitry)\r\n\r\nPDO_pgsql:\r\n* Fixed bug #66584 (Segmentation fault on statement deallocation) (Matteo)\r\n* Fixed bug #67462 (PDO_PGSQL::beginTransaction() wrongly throws exception when not in transaction) (Matteo)\r\n* Fixed bug #68351 (PDO::PARAM_BOOL and ATTR_EMULATE_PREPARES misbehaving) (Matteo)\r\n\r\nzlib:\r\n* Fixed bug #53829 (Compiling PHP with large file support will replace function gzopen by gzopen64) (Sascha Kettler, Matteo) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 80296
    published 2014-12-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80296
    title Fedora 19 : php-5.5.20-2.fc19 (2014-17276)
  • NASL family CGI abuses
    NASL id PHP_5_5_20.NASL
    description According to its banner, the version of PHP 5.5.x installed on the remote host is prior to 5.5.20. It is, therefore, affected by a use-after-free error in the 'process_nested_data' function within 'ext/standard/var_unserializer.re' due to improper handling of duplicate keys within the serialized properties of an object. A remote attacker, using a specially crafted call to the 'unserialize' method, can exploit this flaw to execute arbitrary code on the system. Note that Nessus has not attempted to exploit this issue but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 80331
    published 2015-01-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80331
    title PHP 5.5.x < 5.5.20 'process_nested_data' RCE
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-17241.NASL
    description 18 Dec 2014, PHP 5.6.4\\r\\n\\r\\nCore:\\r\\n* Fixed bug #68091 (Some Zend headers lack appropriate extern 'C' blocks). (Adam)\\r\\n* Fixed bug #68104 (Segfault while pre-evaluating a disabled function). (Laruence)\\r\\n* Fixed bug #68185 ('Inconsistent insteadof definition.'- incorrectly triggered). (Julien)\\r\\n* Fixed bug #68355 (Inconsistency in example php.ini comments). (Chris McCafferty)\\r\\n* Fixed bug #68370 ('unset($this)' can make the program crash). (Laruence)\\r\\n* Fixed bug #68422 (Incorrect argument reflection info for array_multisort()). (Alexander Lisachenko)\\r\\n* Fixed bug #68446 (Array constant not accepted for array parameter default). (Bob, Dmitry)\\r\\n* Fixed bug #68545 (NULL pointer dereference in unserialize.c). (Anatol)\\r\\n* Fixed bug #68594 (Use after free vulnerability in unserialize()). (CVE-2014-8142) (Stefan Esser)\\r\\n\\r\\nDate:\\r\\n* Fixed day_of_week function as it could sometimes return negative values internally. (Derick)\\r\\n\\r\\nFPM:\\r\\n* Fixed bug #68381 (fpm_unix_init_main ignores log_level). (David Zuelke, Remi)\\r\\n* Fixed bug #68420 (listen=9000 listens to ipv6 localhost instead of all addresses). (Remi)\\r\\n* Fixed bug #68421 (access.format='%R' doesn't log ipv6 address). (Remi)\\r\\n* Fixed bug #68423 (PHP-FPM will no longer load all pools). (Remi)\\r\\n* Fixed bug #68428 (listen.allowed_clients is IPv4 only). (Remi)\\r\\n* Fixed bug #68452 (php-fpm man page is oudated). (Remi)\\r\\n* Fixed request #68458 (Change pm.start_servers default warning to notice). (David Zuelke, Remi)\\r\\n* Fixed bug #68463 (listen.allowed_clients can silently result in no allowed access). (Remi)\\r\\n* Fixed request #68391 (php-fpm conf files loading order). (Florian Margaine, Remi)\\r\\n* Fixed bug #68478 (access.log don't use prefix). (Remi)\\r\\n\\r\\nGMP:\\r\\n* Fixed bug #68419 (build error with gmp 4.1). (Remi)\\r\\n\\r\\nMcrypt:\\r\\n* Fixed possible read after end of buffer and use after free. (Dmitry)\\r\\n\\r\\nPDO_pgsql:\\r\\n* Fixed bug #67462 (PDO_PGSQL::beginTransaction() wrongly throws exception when not in transaction) (Matteo)\\r\\n* Fixed bug #68351 (PDO::PARAM_BOOL and ATTR_EMULATE_PREPARES misbehaving) (Matteo)\\r\\n\\r\\nSession:\\r\\n* Fixed bug #68331 (Session custom storage callable functions not being called) (Yasuo Ohgaki)\\r\\n\\r\\nSOAP:\\r\\n* Fixed bug #68361 (Segmentation fault on SoapClient::__getTypes). (Laruence)\\r\\n\\r\\nzlib:\\r\\n* Fixed bug #53829 (Compiling PHP with large file support will replace function gzopen by gzopen64) (Sascha Kettler, Matteo) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 80291
    published 2014-12-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80291
    title Fedora 21 : php-5.6.4-2.fc21 (2014-17241)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3117.NASL
    description Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development. As announced in DSA 3064-1 it has been decided to follow the stable 5.4.x releases for the Wheezy php5 packages. Consequently the vulnerabilities are addressed by upgrading PHP to a new upstream version 5.4.36, which includes additional bug fixes, new features and possibly incompatible changes. Please refer to the upstream changelog for more information : Two additional patches were applied on top of the imported new upstream version. An out-of-bounds read flaw was fixed which could lead php5-cgi to crash. Moreover a bug with php5-pgsql in combination with PostgreSQL 9.1 was fixed (Debian Bug #773182).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 80308
    published 2015-01-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80308
    title Debian DSA-3117-1 : php5 - security update
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2015-1135.NASL
    description Updated php packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way the PHP module for the Apache httpd web server handled pipelined requests. A remote attacker could use this flaw to trigger the execution of a PHP script in a deinitialized interpreter, causing it to crash or, possibly, execute arbitrary code. (CVE-2015-3330) A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. (CVE-2015-4024) An uninitialized pointer use flaw was found in PHP's Exif extension. A specially crafted JPEG or TIFF file could cause a PHP application using the exif_read_data() function to crash or, possibly, execute arbitrary code with the privileges of the user running that PHP application. (CVE-2015-0232) An integer overflow flaw leading to a heap-based buffer overflow was found in the way PHP's FTP extension parsed file listing FTP server responses. A malicious FTP server could use this flaw to cause a PHP application to crash or, possibly, execute arbitrary code. (CVE-2015-4022) Multiple flaws were discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code. (CVE-2014-8142, CVE-2015-0231, CVE-2015-0273, CVE-2015-2787, CVE-2015-4147, CVE-2015-4148, CVE-2015-4599, CVE-2015-4600, CVE-2015-4601, CVE-2015-4602, CVE-2015-4603) It was found that certain PHP functions did not properly handle file names containing a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions. (CVE-2015-2348, CVE-2015-4025, CVE-2015-4026, CVE-2015-3411, CVE-2015-3412, CVE-2015-4598) Multiple flaws were found in the way the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened. (CVE-2015-2301, CVE-2015-2783, CVE-2015-3307, CVE-2015-3329, CVE-2015-4021) Multiple flaws were found in PHP's File Information (fileinfo) extension. A remote attacker could cause a PHP application to crash if it used fileinfo to identify type of attacker supplied files. (CVE-2014-9652, CVE-2015-4604, CVE-2015-4605) A heap buffer overflow flaw was found in the enchant_broker_request_dict() function of PHP's enchant extension. An attacker able to make a PHP application enchant dictionaries could possibly cause it to crash. (CVE-2014-9705) A buffer over-read flaw was found in the GD library used by the PHP gd extension. A specially crafted GIF file could cause a PHP application using the imagecreatefromgif() function to crash. (CVE-2014-9709) This update also fixes the following bugs : * The libgmp library in some cases terminated unexpectedly with a segmentation fault when being used with other libraries that use the GMP memory management. With this update, PHP no longer changes libgmp memory allocators, which prevents the described crash from occurring. (BZ#1212305) * When using the Open Database Connectivity (ODBC) API, the PHP process in some cases terminated unexpectedly with a segmentation fault. The underlying code has been adjusted to prevent this crash. (BZ#1212299) * Previously, running PHP on a big-endian system sometimes led to memory corruption in the fileinfo module. This update adjusts the behavior of the PHP pointer so that it can be freed without causing memory corruption. (BZ#1212298) All php users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 84345
    published 2015-06-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84345
    title CentOS 7 : php (CESA-2015:1135)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-0365-1.NASL
    description php5 was updated to fix four security issues. These security issues were fixed : - CVE-2015-0231: Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allowed remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142 (bnc#910659). - CVE-2014-9427: sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, did not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which caused an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping (bnc#911664). - CVE-2015-0232: The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allowed remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free and application crash) via crafted EXIF data in a JPEG image (bnc#914690). - CVE-2014-8142: Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allowed remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019 (bnc#910659). Additionally a fix was included that protects against a possible NULL pointer use (bnc#910659). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-06
    plugin id 119961
    published 2019-01-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119961
    title SUSE SLES12 Security Update : php5 (SUSE-SU-2015:0365-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-1135.NASL
    description Updated php packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way the PHP module for the Apache httpd web server handled pipelined requests. A remote attacker could use this flaw to trigger the execution of a PHP script in a deinitialized interpreter, causing it to crash or, possibly, execute arbitrary code. (CVE-2015-3330) A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. (CVE-2015-4024) An uninitialized pointer use flaw was found in PHP's Exif extension. A specially crafted JPEG or TIFF file could cause a PHP application using the exif_read_data() function to crash or, possibly, execute arbitrary code with the privileges of the user running that PHP application. (CVE-2015-0232) An integer overflow flaw leading to a heap-based buffer overflow was found in the way PHP's FTP extension parsed file listing FTP server responses. A malicious FTP server could use this flaw to cause a PHP application to crash or, possibly, execute arbitrary code. (CVE-2015-4022) Multiple flaws were discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code. (CVE-2014-8142, CVE-2015-0231, CVE-2015-0273, CVE-2015-2787, CVE-2015-4147, CVE-2015-4148, CVE-2015-4599, CVE-2015-4600, CVE-2015-4601, CVE-2015-4602, CVE-2015-4603) It was found that certain PHP functions did not properly handle file names containing a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions. (CVE-2015-2348, CVE-2015-4025, CVE-2015-4026, CVE-2015-3411, CVE-2015-3412, CVE-2015-4598) Multiple flaws were found in the way the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened. (CVE-2015-2301, CVE-2015-2783, CVE-2015-3307, CVE-2015-3329, CVE-2015-4021) Multiple flaws were found in PHP's File Information (fileinfo) extension. A remote attacker could cause a PHP application to crash if it used fileinfo to identify type of attacker supplied files. (CVE-2014-9652, CVE-2015-4604, CVE-2015-4605) A heap buffer overflow flaw was found in the enchant_broker_request_dict() function of PHP's enchant extension. An attacker able to make a PHP application enchant dictionaries could possibly cause it to crash. (CVE-2014-9705) A buffer over-read flaw was found in the GD library used by the PHP gd extension. A specially crafted GIF file could cause a PHP application using the imagecreatefromgif() function to crash. (CVE-2014-9709) This update also fixes the following bugs : * The libgmp library in some cases terminated unexpectedly with a segmentation fault when being used with other libraries that use the GMP memory management. With this update, PHP no longer changes libgmp memory allocators, which prevents the described crash from occurring. (BZ#1212305) * When using the Open Database Connectivity (ODBC) API, the PHP process in some cases terminated unexpectedly with a segmentation fault. The underlying code has been adjusted to prevent this crash. (BZ#1212299) * Previously, running PHP on a big-endian system sometimes led to memory corruption in the fileinfo module. This update adjusts the behavior of the PHP pointer so that it can be freed without causing memory corruption. (BZ#1212298) All php users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 84355
    published 2015-06-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84355
    title RHEL 7 : php (RHSA-2015:1135)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-17229.NASL
    description 18 Dec 2014, PHP 5.5.20\\r\\n\\r\\nCore:\\r\\n* Fixed bug #68091 (Some Zend headers lack appropriate extern 'C' blocks). (Adam)\\r\\n* Fixed bug #68185 ('Inconsistent insteadof definition.'- incorrectly triggered). (Julien)\\r\\n* Fixed bug #68370 ('unset($this)' can make the program crash). (Laruence)\\r\\n* Fixed bug #68545 (NULL pointer dereference in unserialize.c). (Anatol)\\r\\n* Fixed bug #68594 (Use after free vulnerability in unserialize()). (CVE-2014-8142) (Stefan Esser)\\r\\n\\r\\nDate:\\r\\n* Fixed day_of_week function as it could sometimes return negative values internally. (Derick)\\r\\n\\r\\nFPM:\\r\\n* Fixed bug #68381 (fpm_unix_init_main ignores log_level). (David Zuelke, Remi)\\r\\n* Fixed bug #68420 (listen=9000 listens to ipv6 localhost instead of all addresses). (Remi)\\r\\n* Fixed bug #68421 (access.format='%R' doesn't log ipv6 address). (Remi)\\r\\n* Fixed bug #68423 (PHP-FPM will no longer load all pools). (Remi)\\r\\n* Fixed bug #68428 (listen.allowed_clients is IPv4 only). (Remi)\\r\\n* Fixed bug #68452 (php-fpm man page is oudated). (Remi)\\r\\n* Fixed request #68458 (Change pm.start_servers default warning to notice). (David Zuelke, Remi)\\r\\n* Fixed bug #68463 (listen.allowed_clients can silently result in no allowed access). (Remi)\\r\\n* Fixed request #68391 (php-fpm conf files loading order). (Florian Margaine, Remi)\\r\\n* Fixed bug #68478 (access.log don't use prefix). (Remi)\\r\\n\\r\\nMcrypt:\\r\\n* Fixed possible read after end of buffer and use after free. (Dmitry)\\r\\n\\r\\nPDO_pgsql:\\r\\n* Fixed bug #66584 (Segmentation fault on statement deallocation) (Matteo)\\r\\n* Fixed bug #67462 (PDO_PGSQL::beginTransaction() wrongly throws exception when not in transaction) (Matteo)\\r\\n* Fixed bug #68351 (PDO::PARAM_BOOL and ATTR_EMULATE_PREPARES misbehaving) (Matteo)\\r\\n\\r\\nzlib:\\r\\n* Fixed bug #53829 (Compiling PHP with large file support will replace function gzopen by gzopen64) (Sascha Kettler, Matteo)\\r\\n Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 80290
    published 2014-12-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80290
    title Fedora 20 : php-5.5.20-2.fc20 (2014-17229)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1638-1.NASL
    description This update for php53 to version 5.3.17 fixes the following issues : These security issues were fixed : - CVE-2016-5093: get_icu_value_internal out-of-bounds read (bnc#982010). - CVE-2016-5094: Don't create strings with lengths outside int range (bnc#982011). - CVE-2016-5095: Don't create strings with lengths outside int range (bnc#982012). - CVE-2016-5096: int/size_t confusion in fread (bsc#982013). - CVE-2016-5114: fpm_log.c memory leak and buffer overflow (bnc#982162). - CVE-2015-8879: The odbc_bindcols function in ext/odbc/php_odbc.c in PHP mishandles driver behavior for SQL_WVARCHAR columns, which allowed remote attackers to cause a denial of service (application crash) in opportunistic circumstances by leveraging use of the odbc_fetch_array function to access a certain type of Microsoft SQL Server table (bsc#981050). - CVE-2015-4116: Use-after-free vulnerability in the spl_ptr_heap_insert function in ext/spl/spl_heap.c in PHP allowed remote attackers to execute arbitrary code by triggering a failed SplMinHeap::compare operation (bsc#980366). - CVE-2015-8874: Stack consumption vulnerability in GD in PHP allowed remote attackers to cause a denial of service via a crafted imagefilltoborder call (bsc#980375). - CVE-2015-8873: Stack consumption vulnerability in Zend/zend_exceptions.c in PHP allowed remote attackers to cause a denial of service (segmentation fault) via recursive method calls (bsc#980373). - CVE-2016-4540: The grapheme_stripos function in ext/intl/grapheme/grapheme_string.c in PHP allowed remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a negative offset (bsc#978829). - CVE-2016-4541: The grapheme_strpos function in ext/intl/grapheme/grapheme_string.c in PHP allowed remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a negative offset (bsc#978829. - CVE-2016-4542: The exif_process_IFD_TAG function in ext/exif/exif.c in PHP did not properly construct spprintf arguments, which allowed remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data (bsc#978830). - CVE-2016-4543: The exif_process_IFD_in_JPEG function in ext/exif/exif.c in PHP did not validate IFD sizes, which allowed remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data (bsc#978830. - CVE-2016-4544: The exif_process_TIFF_in_JPEG function in ext/exif/exif.c in PHP did not validate TIFF start data, which allowed remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data (bsc#978830. - CVE-2016-4537: The bcpowmod function in ext/bcmath/bcmath.c in PHP accepted a negative integer for the scale argument, which allowed remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call (bsc#978827). - CVE-2016-4538: The bcpowmod function in ext/bcmath/bcmath.c in PHP modified certain data structures without considering whether they are copies of the _zero_, _one_, or _two_ global variable, which allowed remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call (bsc#978827). - CVE-2016-4539: The xml_parse_into_struct function in ext/xml/xml.c in PHP allowed remote attackers to cause a denial of service (buffer under-read and segmentation fault) or possibly have unspecified other impact via crafted XML data in the second argument, leading to a parser level of zero (bsc#978828). - CVE-2016-4342: ext/phar/phar_object.c in PHP mishandles zero-length uncompressed data, which allowed remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted (1) TAR, (2) ZIP, or (3) PHAR archive (bsc#977991). - CVE-2016-4346: Integer overflow in the str_pad function in ext/standard/string.c in PHP allowed remote attackers to cause a denial of service or possibly have unspecified other impact via a long string, leading to a heap-based buffer overflow (bsc#977994). - CVE-2016-4073: Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP allowed remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call (bsc#977003). - CVE-2015-8867: The openssl_random_pseudo_bytes function in ext/openssl/openssl.c in PHP incorrectly relied on the deprecated RAND_pseudo_bytes function, which made it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors (bsc#977005). - CVE-2016-4070: Integer overflow in the php_raw_url_encode function in ext/standard/url.c in PHP allowed remote attackers to cause a denial of service (application crash) via a long string to the rawurlencode function (bsc#976997). - CVE-2015-8866: ext/libxml/libxml.c in PHP when PHP-FPM is used, did not isolate each thread from libxml_disable_entity_loader changes in other threads, which allowed remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161 (bsc#976996). - CVE-2015-8838: ext/mysqlnd/mysqlnd.c in PHP used a client SSL option to mean that SSL is optional, which allowed man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152 (bsc#973792). - CVE-2015-8835: The make_http_soap_request function in ext/soap/php_http.c in PHP did not properly retrieve keys, which allowed remote attackers to cause a denial of service (NULL pointer dereference, type confusion, and application crash) or possibly execute arbitrary code via crafted serialized data representing a numerically indexed _cookies array, related to the SoapClient::__call method in ext/soap/soap.c (bsc#973351). - CVE-2016-3141: Use-after-free vulnerability in wddx.c in the WDDX extension in PHP allowed remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact by triggering a wddx_deserialize call on XML data containing a crafted var element (bsc#969821). - CVE-2016-3142: The phar_parse_zipfile function in zip.c in the PHAR extension in PHP allowed remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and application crash) by placing a PK\x05\x06 signature at an invalid location (bsc#971912). - CVE-2014-9767: Directory traversal vulnerability in the ZipArchive::extractTo function in ext/zip/php_zip.c in PHP ext/zip/ext_zip.cpp in HHVM allowed remote attackers to create arbitrary empty directories via a crafted ZIP archive (bsc#971612). - CVE-2016-3185: The make_http_soap_request function in ext/soap/php_http.c in PHP allowed remote attackers to obtain sensitive information from process memory or cause a denial of service (type confusion and application crash) via crafted serialized _cookies data, related to the SoapClient::__call method in ext/soap/soap.c (bsc#971611). - CVE-2016-2554: Stack-based buffer overflow in ext/phar/tar.c in PHP allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TAR archive (bsc#968284). - CVE-2015-7803: The phar_get_entry_data function in ext/phar/util.c in PHP allowed remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a .phar file with a crafted TAR archive entry in which the Link indicator references a file that did not exist (bsc#949961). - CVE-2015-6831: Multiple use-after-free vulnerabilities in SPL in PHP allowed remote attackers to execute arbitrary code via vectors involving (1) ArrayObject, (2) SplObjectStorage, and (3) SplDoublyLinkedList, which are mishandled during unserialization (bsc#942291). - CVE-2015-6833: Directory traversal vulnerability in the PharData class in PHP allowed remote attackers to write to arbitrary files via a .. (dot dot) in a ZIP archive entry that is mishandled during an extractTo call (bsc#942296. - CVE-2015-6836: The SoapClient __call method in ext/soap/soap.c in PHP did not properly manage headers, which allowed remote attackers to execute arbitrary code via crafted serialized data that triggers a 'type confusion' in the serialize_function_call function (bsc#945428). - CVE-2015-6837: The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP when libxml2 is used, did not consider the possibility of a NULL valuePop return value proceeding with a free operation during initial error checking, which allowed remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6838 (bsc#945412). - CVE-2015-6838: The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP when libxml2 is used, did not consider the possibility of a NULL valuePop return value proceeding with a free operation after the principal argument loop, which allowed remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6837 (bsc#945412). - CVE-2015-5590: Stack-based buffer overflow in the phar_fix_filepath function in ext/phar/phar.c in PHP allowed remote attackers to cause a denial of service or possibly have unspecified other impact via a large length value, as demonstrated by mishandling of an e-mail attachment by the imap PHP extension (bsc#938719). - CVE-2015-5589: The phar_convert_to_other function in ext/phar/phar_object.c in PHP did not validate a file pointer a close operation, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted TAR archive that is mishandled in a Phar::convertToData call (bsc#938721). - CVE-2015-4602: The __PHP_Incomplete_Class function in ext/standard/incomplete_class.c in PHP allowed remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an unexpected data type, related to a 'type confusion' issue (bsc#935224). - CVE-2015-4599: The SoapFault::__toString method in ext/soap/soap.c in PHP allowed remote attackers to obtain sensitive information, cause a denial of service (application crash), or possibly execute arbitrary code via an unexpected data type, related to a 'type confusion' issue (bsc#935226). - CVE-2015-4600: The SoapClient implementation in PHP allowed remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an unexpected data type, related to 'type confusion' issues in the (1) SoapClient::__getLastRequest, (2) SoapClient::__getLastResponse, (3) SoapClient::__getLastRequestHeaders, (4) SoapClient::__getLastResponseHeaders, (5) SoapClient::__getCookies, and (6) SoapClient::__setCookie methods (bsc#935226). - CVE-2015-4601: PHP allowed remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an unexpected data type, related to 'type confusion' issues in (1) ext/soap/php_encoding.c, (2) ext/soap/php_http.c, and (3) ext/soap/soap.c, a different issue than CVE-2015-4600 (bsc#935226. - CVE-2015-4603: The exception::getTraceAsString function in Zend/zend_exceptions.c in PHP allowed remote attackers to execute arbitrary code via an unexpected data type, related to a 'type confusion' issue (bsc#935234). - CVE-2015-4644: The php_pgsql_meta_data function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP did not validate token extraction for table names, which might allowed remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted name. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1352 (bsc#935274). - CVE-2015-4643: Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP allowed remote FTP servers to execute arbitrary code via a long reply to a LIST command, leading to a heap-based buffer overflow. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-4022 (bsc#935275). - CVE-2015-3411: PHP did not ensure that pathnames lack %00 sequences, which might have allowed remote attackers to read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument load method, (2) the xmlwriter_open_uri function, (3) the finfo_file function, or (4) the hash_hmac_file function, as demonstrated by a filename\0.xml attack that bypasses an intended configuration in which client users may read only .xml files (bsc#935227). - CVE-2015-3412: PHP did not ensure that pathnames lack %00 sequences, which might have allowed remote attackers to read arbitrary files via crafted input to an application that calls the stream_resolve_include_path function in ext/standard/streamsfuncs.c, as demonstrated by a filename\0.extension attack that bypasses an intended configuration in which client users may read files with only one specific extension (bsc#935229). - CVE-2015-4598: PHP did not ensure that pathnames lack %00 sequences, which might have allowed remote attackers to read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument save method or (2) the GD imagepsloadfont function, as demonstrated by a filename\0.html attack that bypasses an intended configuration in which client users may write to only .html files (bsc#935232). - CVE-2015-4148: The do_soap_call function in ext/soap/soap.c in PHP did not verify that the uri property is a string, which allowed remote attackers to obtain sensitive information by providing crafted serialized data with an int data type, related to a 'type confusion' issue (bsc#933227). - CVE-2015-4024: Algorithmic complexity vulnerability in the multipart_buffer_headers function in main/rfc1867.c in PHP allowed remote attackers to cause a denial of service (CPU consumption) via crafted form data that triggers an improper order-of-growth outcome (bsc#931421). - CVE-2015-4026: The pcntl_exec implementation in PHP truncates a pathname upon encountering a \x00 character, which might allowed remote attackers to bypass intended extension restrictions and execute files with unexpected names via a crafted first argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243 (bsc#931776). - CVE-2015-4022: Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP allowed remote FTP servers to execute arbitrary code via a long reply to a LIST command, leading to a heap-based buffer overflow (bsc#931772). - CVE-2015-4021: The phar_parse_tarfile function in ext/phar/tar.c in PHP did not verify that the first character of a filename is different from the \0 character, which allowed remote attackers to cause a denial of service (integer underflow and memory corruption) via a crafted entry in a tar archive (bsc#931769). - CVE-2015-3329: Multiple stack-based buffer overflows in the phar_set_inode function in phar_internal.h in PHP allowed remote attackers to execute arbitrary code via a crafted length value in a (1) tar, (2) phar, or (3) ZIP archive (bsc#928506). - CVE-2015-2783: ext/phar/phar.c in PHP allowed remote attackers to obtain sensitive information from process memory or cause a denial of service (buffer over-read and application crash) via a crafted length value in conjunction with crafted serialized data in a phar archive, related to the phar_parse_metadata and phar_parse_pharfile functions (bsc#928511). - CVE-2015-2787: Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP allowed remote attackers to execute arbitrary code via a crafted unserialize call that leverages use of the unset function within an __wakeup function, a related issue to CVE-2015-0231 (bsc#924972). - CVE-2014-9709: The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP allowed remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted GIF image that is improperly handled by the gdImageCreateFromGif function (bsc#923945). - CVE-2015-2301: Use-after-free vulnerability in the phar_rename_archive function in phar_object.c in PHP allowed remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an attempted renaming of a Phar archive to the name of an existing file (bsc#922452). - CVE-2015-2305: Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) 32-bit platforms might have allowed context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow (bsc#921950). - CVE-2014-9705: Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP allowed remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries (bsc#922451). - CVE-2015-0273: Multiple use-after-free vulnerabilities in ext/date/php_date.c in PHP allowed remote attackers to execute arbitrary code via crafted serialized input containing a (1) R or (2) r type specifier in (a) DateTimeZone data handled by the php_date_timezone_initialize_from_hash function or (b) DateTime data handled by the php_date_initialize_from_hash function (bsc#918768). - CVE-2014-9652: The mconvert function in softmagic.c in file as used in the Fileinfo component in PHP did not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allowed remote attackers to cause a denial of service (out-of-bounds memory access and application crash) via a crafted file (bsc#917150). - CVE-2014-8142: Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP allowed remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019 (bsc#910659). - CVE-2015-0231: Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP allowed remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142 (bsc#910659). - CVE-2014-8142: Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP allowed remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019 (bsc#910659). - CVE-2015-0232: The exif_process_unicode function in ext/exif/exif.c in PHP allowed remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free and application crash) via crafted EXIF data in a JPEG image (bsc#914690). - CVE-2014-3670: The exif_ifd_make_value function in exif.c in the EXIF extension in PHP operates on floating-point arrays incorrectly, which allowed remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a crafted JPEG image with TIFF thumbnail data that is improperly handled by the exif_thumbnail function (bsc#902357). - CVE-2014-3669: Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP allowed remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function that triggers calculation of a large length value (bsc#902360). - CVE-2014-3668: Buffer overflow in the date_from_ISO8601 function in the mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP allowed remote attackers to cause a denial of service (application crash) via (1) a crafted first argument to the xmlrpc_set_type function or (2) a crafted argument to the xmlrpc_decode function, related to an out-of-bounds read operation (bsc#902368). - CVE-2014-5459: The PEAR_REST class in REST.php in PEAR in PHP allowed local users to write to arbitrary files via a symlink attack on a (1) rest.cachefile or (2) rest.cacheid file in /tmp/pear/cache/, related to the retrieveCacheFirst and useLocalCache functions (bsc#893849). - CVE-2014-3597: Multiple buffer overflows in the php_parserr function in ext/standard/dns.c in PHP allowed remote DNS servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted DNS record, related to the dns_get_record function and the dn_expand function. NOTE: this issue exists because of an incomplete fix for CVE-2014-4049 (bsc#893853). - CVE-2014-4670: Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL component in PHP allowed context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted iterator usage within applications in certain web-hosting environments (bsc#886059). - CVE-2014-4698: Use-after-free vulnerability in ext/spl/spl_array.c in the SPL component in PHP allowed context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted ArrayIterator usage within applications in certain web-hosting environments (bsc#886060). - CVE-2014-4721: The phpinfo implementation in ext/standard/info.c in PHP did not ensure use of the string data type for the PHP_AUTH_PW, PHP_AUTH_TYPE, PHP_AUTH_USER, and PHP_SELF variables, which might allowed context-dependent attackers to obtain sensitive information from process memory by using the integer data type with crafted values, related to a 'type confusion' vulnerability, as demonstrated by reading a private SSL key in an Apache HTTP Server web-hosting environment with mod_ssl and a PHP 5.3.x mod_php (bsc#885961). - CVE-2014-0207: The cdf_read_short_sector function in cdf.c in file as used in the Fileinfo component in PHP allowed remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file (bsc#884986). - CVE-2014-3478: Buffer overflow in the mconvert function in softmagic.c in file as used in the Fileinfo component in PHP allowed remote attackers to cause a denial of service (application crash) via a crafted Pascal string in a FILE_PSTRING conversion (bsc#884987). - CVE-2014-3479: The cdf_check_stream_offset function in cdf.c in file as used in the Fileinfo component in PHP relies on incorrect sector-size data, which allowed remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file (bsc#884989). - CVE-2014-3480: The cdf_count_chain function in cdf.c in file as used in the Fileinfo component in PHP did not properly validate sector-count data, which allowed remote attackers to cause a denial of service (application crash) via a crafted CDF file (bsc#884990). - CVE-2014-3487: The cdf_read_property_info function in file as used in the Fileinfo component in PHP did not properly validate a stream offset, which allowed remote attackers to cause a denial of service (application crash) via a crafted CDF file (bsc#884991). - CVE-2014-3515: The SPL component in PHP incorrectly anticipates that certain data structures will have the array data type after unserialization, which allowed remote attackers to execute arbitrary code via a crafted string that triggers use of a Hashtable destructor, related to 'type confusion' issues in (1) ArrayObject and (2) SPLObjectStorage (bsc#884992). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93161
    published 2016-08-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93161
    title SUSE SLES11 Security Update : php53 (SUSE-SU-2016:1638-1) (BACKRONYM)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2015-1135.NASL
    description From Red Hat Security Advisory 2015:1135 : Updated php packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way the PHP module for the Apache httpd web server handled pipelined requests. A remote attacker could use this flaw to trigger the execution of a PHP script in a deinitialized interpreter, causing it to crash or, possibly, execute arbitrary code. (CVE-2015-3330) A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. (CVE-2015-4024) An uninitialized pointer use flaw was found in PHP's Exif extension. A specially crafted JPEG or TIFF file could cause a PHP application using the exif_read_data() function to crash or, possibly, execute arbitrary code with the privileges of the user running that PHP application. (CVE-2015-0232) An integer overflow flaw leading to a heap-based buffer overflow was found in the way PHP's FTP extension parsed file listing FTP server responses. A malicious FTP server could use this flaw to cause a PHP application to crash or, possibly, execute arbitrary code. (CVE-2015-4022) Multiple flaws were discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code. (CVE-2014-8142, CVE-2015-0231, CVE-2015-0273, CVE-2015-2787, CVE-2015-4147, CVE-2015-4148, CVE-2015-4599, CVE-2015-4600, CVE-2015-4601, CVE-2015-4602, CVE-2015-4603) It was found that certain PHP functions did not properly handle file names containing a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions. (CVE-2015-2348, CVE-2015-4025, CVE-2015-4026, CVE-2015-3411, CVE-2015-3412, CVE-2015-4598) Multiple flaws were found in the way the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened. (CVE-2015-2301, CVE-2015-2783, CVE-2015-3307, CVE-2015-3329, CVE-2015-4021) Multiple flaws were found in PHP's File Information (fileinfo) extension. A remote attacker could cause a PHP application to crash if it used fileinfo to identify type of attacker supplied files. (CVE-2014-9652, CVE-2015-4604, CVE-2015-4605) A heap buffer overflow flaw was found in the enchant_broker_request_dict() function of PHP's enchant extension. An attacker able to make a PHP application enchant dictionaries could possibly cause it to crash. (CVE-2014-9705) A buffer over-read flaw was found in the GD library used by the PHP gd extension. A specially crafted GIF file could cause a PHP application using the imagecreatefromgif() function to crash. (CVE-2014-9709) This update also fixes the following bugs : * The libgmp library in some cases terminated unexpectedly with a segmentation fault when being used with other libraries that use the GMP memory management. With this update, PHP no longer changes libgmp memory allocators, which prevents the described crash from occurring. (BZ#1212305) * When using the Open Database Connectivity (ODBC) API, the PHP process in some cases terminated unexpectedly with a segmentation fault. The underlying code has been adjusted to prevent this crash. (BZ#1212299) * Previously, running PHP on a big-endian system sometimes led to memory corruption in the fileinfo module. This update adjusts the behavior of the PHP pointer so that it can be freed without causing memory corruption. (BZ#1212298) All php users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 84351
    published 2015-06-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84351
    title Oracle Linux 7 : php (ELSA-2015-1135)
packetstorm via4
redhat via4
advisories
  • rhsa
    id RHSA-2015:1053
  • rhsa
    id RHSA-2015:1066
  • rhsa
    id RHSA-2015:1135
rpms
  • php-0:5.4.16-36.el7_1
  • php-bcmath-0:5.4.16-36.el7_1
  • php-cli-0:5.4.16-36.el7_1
  • php-common-0:5.4.16-36.el7_1
  • php-dba-0:5.4.16-36.el7_1
  • php-devel-0:5.4.16-36.el7_1
  • php-embedded-0:5.4.16-36.el7_1
  • php-enchant-0:5.4.16-36.el7_1
  • php-fpm-0:5.4.16-36.el7_1
  • php-gd-0:5.4.16-36.el7_1
  • php-intl-0:5.4.16-36.el7_1
  • php-ldap-0:5.4.16-36.el7_1
  • php-mbstring-0:5.4.16-36.el7_1
  • php-mysql-0:5.4.16-36.el7_1
  • php-mysqlnd-0:5.4.16-36.el7_1
  • php-odbc-0:5.4.16-36.el7_1
  • php-pdo-0:5.4.16-36.el7_1
  • php-pgsql-0:5.4.16-36.el7_1
  • php-process-0:5.4.16-36.el7_1
  • php-pspell-0:5.4.16-36.el7_1
  • php-recode-0:5.4.16-36.el7_1
  • php-snmp-0:5.4.16-36.el7_1
  • php-soap-0:5.4.16-36.el7_1
  • php-xml-0:5.4.16-36.el7_1
  • php-xmlrpc-0:5.4.16-36.el7_1
refmap via4
bid 71791
confirm
debian DSA-3117
gentoo GLSA-201503-03
hp
  • HPSBMU03380
  • HPSBMU03409
  • HPSBUX03337
  • SSRT102066
suse
  • SUSE-SU-2015:0365
  • openSUSE-SU-2015:0325
Last major update 30-12-2016 - 21:59
Published 20-12-2014 - 06:59
Back to Top