nessus
via4
NASL family: Amazon Linux Local Security Checks
NASL id: ALA_ALAS-2015-475.NASL
description:
sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x
through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a
.php file, does not properly consider the mapping's length during
processing of an invalid file that begins with a # character and lacks
a newline character, which causes an out-of-bounds read and might (1)
allow remote attackers to obtain sensitive information from php-cgi
process memory by leveraging the ability to upload a .php file or (2)
trigger unexpected code execution if a valid PHP script is present in
memory locations adjacent to the mapping. (CVE-2014-9427)
Use-after-free vulnerability in the process_nested_data function in
ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before
5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute
arbitrary code via a crafted unserialize call that leverages improper
handling of duplicate numerical keys within the serialized properties
of an object. NOTE: this vulnerability exists because of an incomplete
fix for CVE-2014-8142. (CVE-2015-0231)
The exif_process_unicode function in ext/exif/exif.c in PHP before
5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote
attackers to execute arbitrary code or cause a denial of service
(uninitialized pointer free and application crash) via crafted EXIF
data in a JPEG image. (CVE-2015-0232)
last seen: 2019-01-16
modified: 2018-04-18
plugin id: 81321
published: 2015-02-13
reporter: Tenable
source: https://www.tenable.com/plugins/index.php?view=single&id=81321
title: Amazon Linux AMI : php54 (ALAS-2015-475)

NASL family: Web Servers
NASL id: HPSMH_7_5.NASL
description:
According to the web server's banner, the version of HP System
Management Homepage (SMH) hosted on the remote web server is prior to
7.5.0. It is, therefore, affected by multiple vulnerabilities :
- A flaw exists within the 'mod_deflate' module when
handling highly compressed bodies. A remote attacker can
exploit this, via a specially crafted request, to
exhaust memory and CPU resources, resulting in a denial
of service condition. (CVE-2014-0118)
- The 'mod_status' module contains a race condition that
can be triggered when handling the scoreboard. A remote
attacker can exploit this to cause a denial of service,
execute arbitrary code, or obtain sensitive credential
information. (CVE-2014-0226)
- The 'mod_cgid' module lacks a time out mechanism. A
remote attacker can exploit this, via a specially
crafted request, to cause child processes to linger
indefinitely, filling up the scoreboard and resulting in
a denial of service vulnerability. (CVE-2014-0231)
- A flaw exists in WinNT MPM versions 2.4.1 to 2.4.9 when
using the default AcceptFilter. An attacker can exploit
this, via specially crafted requests, to create a memory
leak, resulting in a denial of service condition.
(CVE-2014-3523)
- A NULL pointer dereference flaw exists when the SSLv3
option isn't enabled and an SSLv3 ClientHello is
received. This allows a remote attacker, using an
unexpected handshake, to crash the daemon, resulting in
a denial of service. (CVE-2014-3569)
- The BIGNUM squaring (BN_sqr) implementation does not
properly calculate the square of a BIGNUM value. This
allows remote attackers to defeat cryptographic
protection mechanisms. (CVE-2014-3570)
- A NULL pointer dereference flaw exists in the
dtls1_get_record() function when handling DTLS messages.
A remote attacker, using a specially crafted DTLS
message, can cause a denial of service. (CVE-2014-3571)
- A flaw exists with ECDH handshakes when using an ECDSA
certificate without a ServerKeyExchange message. This
allows a remote attacker to trigger a loss of forward
secrecy from the ciphersuite. (CVE-2014-3572)
- A use-after-free error exists in the
'process_nested_data' function within
'ext/standard/var_unserializer.re' due to improper
handling of duplicate keys within the serialized
properties of an object. A remote attacker, using a
specially crafted call to the 'unserialize' method, can
exploit this flaw to execute arbitrary code on the
system. (CVE-2014-8142)
- A flaw exists when accepting non-DER variations of
certificate signature algorithms and signature encodings
due to a lack of enforcement of matches between signed
and unsigned portions. A remote attacker, by including
crafted data within a certificate's unsigned portion,
can bypass fingerprint-based certificate-blacklist
protection mechanisms. (CVE-2014-8275)
- An out-of-bounds read flaw in file 'cgi_main.c' exists
when mmap is used to process an invalid file that begins
with a hash character (#) but lacks a newline character.
A remote attacker, using a specially crafted PHP file,
can exploit this vulnerability to disclose memory
contents, cause a denial of service, or possibly execute
code. (CVE-2014-9427)
- An out-of-bounds read error exists in the Fine Free File
component that is bundled with PHP. A remote attacker
can exploit this to cause a denial of service condition
or the disclosure of sensitive information.
(CVE-2014-9652)
- A memory corruption issue exists in the Fine Free File
component that is bundled with PHP. A remote attacker
can exploit this to cause an unspecified impact.
(CVE-2014-9653)
- A heap buffer overflow condition exists in PHP in the
enchant_broker_request_dict() function due to improper
validation of user-supplied input. An attacker can
exploit this to cause a denial of service condition or
the execution of arbitrary code. (CVE-2014-9705)
- A security feature bypass vulnerability, known as FREAK
(Factoring attack on RSA-EXPORT Keys), exists due to the
support of weak EXPORT_RSA cipher suites with keys less
than or equal to 512 bits. A man-in-the-middle attacker
may be able to downgrade the SSL/TLS connection to use
EXPORT_RSA cipher suites which can be factored in a
short amount of time, allowing the attacker to intercept
and decrypt the traffic. (CVE-2015-0204)
- A flaw exists when accepting DH certificates for client
authentication without the CertificateVerify message.
This allows a remote attacker to authenticate to the
service without a private key. (CVE-2015-0205)
- A memory leak occurs in dtls1_buffer_record()
when handling a saturation of DTLS records containing
the same number sequence but for the next epoch. This
allows a remote attacker to cause a denial of service.
(CVE-2015-0206)
- A flaw exists in the DTLSv1_listen() function due to
state being preserved in the SSL object from one
invocation to the next. A remote attacker can exploit
this, via crafted DTLS traffic, to cause a segmentation
fault, resulting in a denial of service.
(CVE-2015-0207)
- A flaw exists in the rsa_item_verify() function due to
improper implementation of ASN.1 signature verification.
A remote attacker can exploit this, via an ASN.1
signature using the RSA PSS algorithm and invalid
parameters, to cause a NULL pointer dereference,
resulting in a denial of service. (CVE-2015-0208)
- A use-after-free condition exists in the
d2i_ECPrivateKey() function due to improper processing
of malformed EC private key files during import. A
remote attacker can exploit this to dereference or free
already freed memory, resulting in a denial of service
or other unspecified impact. (CVE-2015-0209)
- A use-after-free memory error exists in the
process_nested_data() function in 'var_unserializer.re'
due to improper handling of duplicate numerical keys
within the serialized properties of an object. A remote
attacker, using a crafted unserialize method call, can
exploit this vulnerability to execute arbitrary code.
(CVE-2015-0231)
- A flaw exists in the exif_process_unicode() function in
'exif.c' that allows freeing an uninitialized pointer. A
remote attacker, using specially crafted EXIF data in a
JPEG image, can exploit this to cause a denial of
service or to execute arbitrary code. (CVE-2015-0232)
- A use-after-free flaw exists in the function
php_date_timezone_initialize_from_hash() within the
'ext/date/php_date.c' script. An attacker can exploit
this to access sensitive information or crash
applications linked to PHP. (CVE-2015-0273)
- A flaw exists in the ssl3_client_hello() function due to
improper validation of a PRNG seed before proceeding
with a handshake, resulting in insufficient entropy and
predictable output. This allows a man-in-the-middle
attacker to defeat cryptographic protection mechanisms
via a brute-force attack, resulting in the disclosure of
sensitive information. (CVE-2015-0285)
- An invalid read error exists in the ASN1_TYPE_cmp()
function due to improperly performed boolean-type
comparisons. A remote attacker can exploit this, via a
crafted X.509 certificate to an endpoint that uses the
certificate-verification feature, to cause an invalid
read operation, resulting in a denial of service.
(CVE-2015-0286)
- A flaw exists in the ASN1_item_ex_d2i() function due to
a failure to reinitialize 'CHOICE' and 'ADB' data
structures when reusing a structure in ASN.1 parsing.
This allows a remote attacker to cause an invalid write
operation and memory corruption, resulting in a denial
of service. (CVE-2015-0287)
- A NULL pointer dereference flaw exists in the
X509_to_X509_REQ() function due to improper processing
of certificate keys. This allows a remote attacker, via
a crafted X.509 certificate, to cause a denial of
service. (CVE-2015-0288)
- A NULL pointer dereference flaw exists in the PKCS#7
parsing code due to incorrect handling of missing outer
ContentInfo. This allows a remote attacker, using an
application that processes arbitrary PKCS#7 data and
providing malformed data with ASN.1 encoding, to cause
a denial of service. (CVE-2015-0289)
- A flaw exists with the 'multiblock' feature in the
ssl3_write_bytes() function due to improper handling of
certain non-blocking I/O cases. This allows a remote
attacker to cause failed connections or a segmentation
fault, resulting in a denial of service. (CVE-2015-0290)
- A NULL pointer dereference flaw exists when handling
clients attempting to renegotiate using an invalid
signature algorithm extension. A remote attacker can
exploit this to cause a denial of service.
(CVE-2015-0291)
- An integer underflow condition exists in the
EVP_DecodeUpdate() function due to improper validation
of base64 encoded input when decoding. This allows a
remote attacker, using maliciously crafted base64 data,
to cause a segmentation fault or memory corruption,
resulting in a denial of service or possibly the
execution of arbitrary code. (CVE-2015-0292)
- A flaw exists in servers that both support SSLv2 and
enable export cipher suites due to improper
implementation of SSLv2. A remote attacker can exploit
this, via a crafted CLIENT-MASTER-KEY message, to cause
a denial of service. (CVE-2015-0293)
- A flaw exists in the ssl3_get_client_key_exchange()
function when client authentication and an ephemeral
Diffie-Hellman ciphersuite are enabled. This allows a
remote attacker, via a ClientKeyExchange message with a
length of zero, to cause a denial of service.
(CVE-2015-1787)
- A cross-site request forgery (XSRF) vulnerability exists
due to the lack of a unique token when performing
sensitive actions via HTTP requests. (CVE-2015-2134)
- A use-after-free error exists in the function
phar_rename_archive() in file 'phar_object.c'. A remote
attacker, by attempting to rename a phar archive to an
already existing file name, can exploit this to cause
a denial of service. (CVE-2015-2301)
- A use-after-free error exists related to function
'unserialize', which can allow a remote attacker to
execute arbitrary code. Note that this issue is due to
an incomplete fix for CVE-2014-8142. (CVE-2015-0231)
- A filter bypass vulnerability exists due to a flaw in
the move_uploaded_file() function in which pathnames are
truncated when a NULL byte is encountered. This allows a
remote attacker, via a crafted second argument, to
bypass intended extension restrictions and create files
with unexpected names. (CVE-2015-2348)
- A use-after-free error exists in the
process_nested_data() function. This allows a remote
attacker, via a crafted unserialize call, to dereference
already freed memory, resulting in the execution of
arbitrary code. (CVE-2015-2787)
last seen: 2019-01-16
modified: 2018-07-12
plugin id: 84923
published: 2015-07-22
reporter: Tenable
source: https://www.tenable.com/plugins/index.php?view=single&id=84923
title: HP System Management Homepage 7.3.x / 7.4.x < 7.5.0 Multiple Vulnerabilities (FREAK)

NASL family: Mandriva Local Security Checks
NASL id: MANDRIVA_MDVSA-2015-080.NASL
description:
Multiple vulnerabilities have been discovered and corrected in php :
It was discovered that the file utility contains a flaw in the
handling of indirect magic rules in the libmagic library, which leads
to an infinite recursion when trying to determine the file type of
certain files (CVE-2014-1943).
A flaw was found in the way the file utility determined the type of
Portable Executable (PE) format files, the executable format used on
Windows. A malicious PE file could cause the file utility to crash or,
potentially, execute arbitrary code (CVE-2014-2270).
The BEGIN regular expression in the awk script detector in
magic/Magdir/commands in file before 5.15 uses multiple wildcards with
unlimited repetitions, which allows context-dependent attackers to
cause a denial of service (CPU consumption) via a crafted ASCII file
that triggers a large amount of backtracking, as demonstrated via a
file with many newline characters (CVE-2013-7345).
PHP FPM in PHP versions before 5.4.28 and 5.5.12 uses a UNIX domain
socket with world-writable permissions by default, which allows any
local user to connect to it and execute PHP scripts as the apache user
(CVE-2014-0185).
A flaw was found in the way file's Composite Document Files (CDF)
format parser handles CDF files with many summary info entries. The
cdf_unpack_summary_info() function unnecessarily repeatedly read the
info from the same offset. This led to many file_printf() calls in
cdf_file_property_info(), which caused file to use an excessive amount
of CPU time when parsing a specially crafted CDF file (CVE-2014-0237).
A flaw was found in the way file parsed property information from
Composite Document Files (CDF) files. A property entry with 0 elements
triggers an infinite loop (CVE-2014-0238).
The unserialize() function in PHP before 5.4.30 and 5.5.14 has a Type
Confusion issue related to the SPL ArrayObject and SPLObjectStorage
Types (CVE-2014-3515).
It was discovered that PHP is vulnerable to a heap-based buffer
overflow in the DNS TXT record parsing. A malicious server or
man-in-the-middle attacker could possibly use this flaw to execute
arbitrary code as the PHP interpreter if a PHP application uses
dns_get_record() to perform a DNS query (CVE-2014-4049).
A flaw was found in the way file parsed property information from
Composite Document Files (CDF) files, where the mconvert() function
did not correctly compute the truncated pascal string size
(CVE-2014-3478).
Multiple flaws were found in the way file parsed property information
from Composite Document Files (CDF) files, due to insufficient
boundary checks on buffers (CVE-2014-0207, CVE-2014-3479,
CVE-2014-3480, CVE-2014-3487).
The phpinfo() function in PHP before 5.4.30 and 5.5.14 has a Type
Confusion issue that can cause it to leak arbitrary process memory
(CVE-2014-4721).
Use-after-free vulnerability in ext/spl/spl_array.c in the SPL
component in PHP through 5.5.14 allows context-dependent attackers to
cause a denial of service or possibly have unspecified other impact
via crafted ArrayIterator usage within applications in certain
web-hosting environments (CVE-2014-4698).
Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL
component in PHP through 5.5.14 allows context-dependent attackers to
cause a denial of service or possibly have unspecified other impact
via crafted iterator usage within applications in certain web-hosting
environments (CVE-2014-4670).
file before 5.19 does not properly restrict the amount of data read
during a regex search, which allows remote attackers to cause a denial
of service (CPU consumption) via a crafted file that triggers
backtracking during processing of an awk rule, due to an incomplete
fix for CVE-2013-7345 (CVE-2014-3538).
Integer overflow in the cdf_read_property_info function in cdf.c in
file through 5.19, as used in the Fileinfo component in PHP before
5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a
denial of service (application crash) via a crafted CDF file. NOTE:
this vulnerability exists because of an incomplete fix for
CVE-2012-1571 (CVE-2014-3587).
Multiple buffer overflows in the php_parserr function in
ext/standard/dns.c in PHP before 5.4.32 and 5.5.x before 5.5.16 allow
remote DNS servers to cause a denial of service (application crash) or
possibly execute arbitrary code via a crafted DNS record, related to
the dns_get_record function and the dn_expand function. NOTE: this
issue exists because of an incomplete fix for CVE-2014-4049
(CVE-2014-3597).
An integer overflow flaw in PHP's unserialize() function was reported.
If unserialize() were used on untrusted data, this issue could lead to
a crash or potentially information disclosure (CVE-2014-3669).
A heap corruption issue was reported in PHP's exif_thumbnail()
function. A specially crafted JPEG image could cause the PHP
interpreter to crash or, potentially, execute arbitrary code
(CVE-2014-3670).
If client-supplied input was passed to PHP's cURL client as a URL to
download, it could return local files from the server due to improper
handling of null bytes (PHP#68089).
An out-of-bounds read flaw was found in file's donote() function in
the way the file utility determined the note headers of an ELF file.
This could possibly lead to a crash of the file executable (CVE-2014-3710).
A use-after-free flaw was found in PHP unserialize(). An untrusted
input could cause PHP interpreter to crash or, possibly, execute
arbitrary code when processed using unserialize() (CVE-2014-8142).
Double free vulnerability in the zend_ts_hash_graceful_destroy
function in zend_ts_hash.c in the Zend Engine in PHP before 5.5.21
allows remote attackers to cause a denial of service or possibly have
unspecified other impact via unknown vectors (CVE-2014-9425).
sapi/cgi/cgi_main.c in the CGI component in PHP before 5.5.21, when
mmap is used to read a .php file, does not properly consider the
mapping's length during processing of an invalid file that begins with
a # character and lacks a newline character, which causes an
out-of-bounds read and might allow remote attackers to obtain
sensitive information from php-cgi process memory by leveraging the
ability to upload a .php file or trigger unexpected code execution if
a valid PHP script is present in memory locations adjacent to the
mapping (CVE-2014-9427).
Use after free vulnerability in unserialize() in PHP before 5.5.21
(CVE-2015-0231).
Free called on an uninitialized pointer in php-exif in PHP before
5.5.21 (CVE-2015-0232).
The readelf.c source file has been removed from PHP's bundled copy of
file's libmagic, eliminating exposure to denial of service issues in
ELF file parsing such as CVE-2014-8116, CVE-2014-8117, CVE-2014-9620
and CVE-2014-9621 in PHP's fileinfo module.
S. Paraschoudis discovered that PHP incorrectly handled memory in the
enchant binding. A remote attacker could use this issue to cause PHP
to crash, resulting in a denial of service, or possibly execute
arbitrary code (CVE-2014-9705).
Taoguang Chen discovered that PHP incorrectly handled unserializing
objects. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code
(CVE-2015-0273).
It was discovered that PHP incorrectly handled memory in the phar
extension. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code (CVE-2015-2301).
Use-after-free vulnerability in the process_nested_data function in
ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before
5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute
arbitrary code via a crafted unserialize call that leverages improper
handling of duplicate numerical keys within the serialized properties
of an object. NOTE: this vulnerability exists because of an incomplete
fix for CVE-2014-8142 (CVE-2015-0231).
The exif_process_unicode function in ext/exif/exif.c in PHP before
5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote
attackers to execute arbitrary code or cause a denial of service
(uninitialized pointer free and application crash) via crafted EXIF
data in a JPEG image (CVE-2015-0232).
An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way libzip, which is embedded in PHP, processed certain
ZIP archives. If an attacker were able to supply a specially crafted
ZIP archive to an application using libzip, it could cause the
application to crash or, possibly, execute arbitrary code
(CVE-2015-2331).
It was discovered that the PHP opcache component incorrectly handled
memory. A remote attacker could possibly use this issue to cause PHP
to crash, resulting in a denial of service, or possibly execute
arbitrary code (CVE-2015-1351).
It was discovered that the PHP PostgreSQL database extension
incorrectly handled certain pointers. A remote attacker could possibly
use this issue to cause PHP to crash, resulting in a denial of
service, or possibly execute arbitrary code (CVE-2015-1352).
PHP contains a bundled copy of the file utility's libmagic library, so
it was vulnerable to the libmagic issues.
The updated php packages have been patched and upgraded to the 5.5.23
version, which is not vulnerable to these issues. The libzip packages
have been patched to address the CVE-2015-2331 flaw.
A bug in the php zip extension that could cause a crash has been fixed
(mga#13820)
Additionally, the jsonc and timezonedb packages have been upgraded to
the latest versions, and the PECL packages which require it have been
rebuilt for php-5.5.23.
last seen: 2019-01-16
modified: 2018-11-15
plugin id: 82333
published: 2015-03-30
reporter: Tenable
source: https://www.tenable.com/plugins/index.php?view=single&id=82333
title: Mandriva Linux Security Advisory : php (MDVSA-2015:080)

NASL family: CGI abuses
NASL id: PHP_5_4_37.NASL
description:
According to its banner, the version of PHP 5.4.x installed on the
remote host is prior to 5.4.37. It is, therefore, affected by multiple
vulnerabilities:
- The CGI component has an out-of-bounds read flaw in file
'cgi_main.c' when mmap is used to process an invalid
file that begins with a hash character (#) but lacks a
newline character. A remote attacker, using a specially
crafted PHP file, can exploit this vulnerability to
disclose memory contents, cause a denial of service, or
possibly execute code. (CVE-2014-9427)
- A use-after-free memory error exists in the function
'process_nested_data' within 'var_unserializer.re' due
to the improper handling of duplicate numerical keys
within the serialized properties of an object. A remote
attacker, using a crafted unserialize method call, can
exploit this vulnerability to execute arbitrary code.
(CVE-2015-0231)
- A flaw exists in function 'exif_process_unicode' within
'exif.c' that allows freeing an uninitialized pointer. A
remote attacker, using specially crafted EXIF data in a
JPEG image, can exploit this to cause a denial of
service or to execute arbitrary code. (CVE-2015-0232)
Note that Nessus has not attempted to exploit these issues but has
instead relied only on the application's self-reported version number.
last seen: 2019-01-16
modified: 2018-07-24
plugin id: 81080
published: 2015-01-29
reporter: Tenable
source: https://www.tenable.com/plugins/index.php?view=single&id=81080
title: PHP 5.4.x < 5.4.37 Multiple Vulnerabilities

NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-2501-1.NASL
description:
Stefan Esser discovered that PHP incorrectly handled unserializing
objects. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2014-8142, CVE-2015-0231)
Brian Carpenter discovered that the PHP CGI component incorrectly
handled invalid files. A local attacker could use this issue to obtain
sensitive information, or possibly execute arbitrary code. This issue
only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2014-9427)
It was discovered that PHP incorrectly handled certain pascal strings
in the fileinfo extension. A remote attacker could possibly use this
issue to cause PHP to crash, resulting in a denial of service. This
issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2014-9652)
Alex Eubanks discovered that PHP incorrectly handled EXIF data in JPEG
images. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10.
(CVE-2015-0232)
It was discovered that the PHP opcache component incorrectly handled
memory. A remote attacker could possibly use this issue to cause PHP
to crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu
14.10. (CVE-2015-1351)
It was discovered that the PHP PostgreSQL database extension
incorrectly handled certain pointers. A remote attacker could possibly
use this issue to cause PHP to crash, resulting in a denial of
service, or possibly execute arbitrary code. This issue only affected
Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-1352).
Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.
last seen: 2019-01-16
modified: 2018-12-01
plugin id: 81399
published: 2015-02-18
reporter: Tenable
source: https://www.tenable.com/plugins/index.php?view=single&id=81399
title: Ubuntu 12.04 LTS / 14.04 LTS / 14.10 : php5 vulnerabilities (USN-2501-1)

NASL family: MacOS X Local Security Checks
NASL id: MACOSX_10_11.NASL
description:
The remote host is running a version of Mac OS X that is 10.6.8 or
later but prior to 10.11. It is, therefore, affected by multiple
vulnerabilities in the following components :
- Address Book
- AirScan
- apache_mod_php
- Apple Online Store Kit
- AppleEvents
- Audio
- bash
- Certificate Trust Policy
- CFNetwork Cookies
- CFNetwork FTPProtocol
- CFNetwork HTTPProtocol
- CFNetwork Proxies
- CFNetwork SSL
- CoreCrypto
- CoreText
- Dev Tools
- Disk Images
- dyld
- EFI
- Finder
- Game Center
- Heimdal
- ICU
- Install Framework Legacy
- Intel Graphics Driver
- IOAudioFamily
- IOGraphics
- IOHIDFamily
- IOStorageFamily
- Kernel
- libc
- libpthread
- libxpc
- Login Window
- lukemftpd
- Mail
- Multipeer Connectivity
- NetworkExtension
- Notes
- OpenSSH
- OpenSSL
- procmail
- remote_cmds
- removefile
- Ruby
- Safari
- Safari Downloads
- Safari Extensions
- Safari Safe Browsing
- Security
- SMB
- SQLite
- Telephony
- Terminal
- tidy
- Time Machine
- WebKit
- WebKit CSS
- WebKit JavaScript Bindings
- WebKit Page Loading
- WebKit Plug-ins
Note that successful exploitation of the most serious issues can
result in arbitrary code execution.
last seen: 2019-01-16
modified: 2018-07-14
plugin id: 86270
published: 2015-10-05
reporter: Tenable
source: https://www.tenable.com/plugins/index.php?view=single&id=86270
title: Mac OS X < 10.11 Multiple Vulnerabilities (GHOST)

NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2015-163.NASL
description:
php5 was updated to fix five security issues.
These security issues were fixed :
- CVE-2015-0231: Use-after-free vulnerability in the
process_nested_data function in
ext/standard/var_unserializer.re in PHP before 5.4.37,
5.5.x before 5.5.21, and 5.6.x before 5.6.5 allowed
remote attackers to execute arbitrary code via a crafted
unserialize call that leverages improper handling of
duplicate numerical keys within the serialized
properties of an object. NOTE: this vulnerability exists
because of an incomplete fix for CVE-2014-8142
(bnc#910659).
- CVE-2015-0232: The exif_process_unicode function in
ext/exif/exif.c in PHP before 5.4.37, 5.5.x before
5.5.21, and 5.6.x before 5.6.5 allowed remote attackers
to execute arbitrary code or cause a denial of service
(uninitialized pointer free and application crash) via
crafted EXIF data in a JPEG image (bnc#914690).
- CVE-2014-8142: Use-after-free vulnerability in the
process_nested_data function in
ext/standard/var_unserializer.re in PHP before 5.4.36,
5.5.x before 5.5.20, and 5.6.x before 5.6.4 allowed
remote attackers to execute arbitrary code via a crafted
unserialize call that leverages improper handling of
duplicate keys within the serialized properties of an
object, a different vulnerability than CVE-2004-1019
(bnc#910659).
- CVE-2014-9427: sapi/cgi/cgi_main.c in the CGI component
in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x
through 5.6.4, when mmap was used to read a .php file,
did not properly consider the mapping's length during
processing of an invalid file that begins with a #
character and lacks a newline character, which caused an
out-of-bounds read and might (1) allow remote
attackers to obtain sensitive information from php-cgi
process memory by leveraging the ability to upload a
.php file or (2) trigger unexpected code execution if a
valid PHP script is present in memory locations adjacent
to the mapping (bnc#911664).
For openSUSE 13.2 this additional security issue was fixed :
- CVE-2014-9426: The apprentice_load function in
libmagic/apprentice.c in the Fileinfo component in PHP
through 5.6.4 attempted to perform a free operation on a
stack-based character array, which allowed remote
attackers to cause a denial of service (memory
corruption or application crash) or possibly have
unspecified other impact via unknown vectors
(bnc#911663).
last seen: 2019-01-16
modified: 2015-10-05
plugin id: 81418
published: 2015-02-20
reporter: Tenable
source: https://www.tenable.com/plugins/index.php?view=single&id=81418
title: openSUSE Security Update : php5 (openSUSE-2015-163)

NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-201606-10.NASL
description:
The remote host is affected by the vulnerability described in GLSA-201606-10
(PHP: Multiple vulnerabilities)
Multiple vulnerabilities have been discovered in PHP. Please review the
CVE identifiers referenced below for details.
Impact :
An attacker can possibly execute arbitrary code or create a Denial of
Service condition.
Workaround :
There is no known workaround at this time.
last seen: 2019-01-16
modified: 2016-10-10
plugin id: 91704
published: 2016-06-20
reporter: Tenable
source: https://www.tenable.com/plugins/index.php?view=single&id=91704
title: GLSA-201606-10 : PHP: Multiple vulnerabilities

NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-201503-03.NASL
description:
The remote host is affected by the vulnerability described in GLSA-201503-03
(PHP: Multiple vulnerabilities)
Multiple vulnerabilities have been discovered in PHP. Please review the
CVE identifiers referenced below for details.
Impact :
A remote attacker can leverage these vulnerabilities to execute
arbitrary code or cause Denial of Service.
Workaround :
There is no known workaround at this time.
last seen: 2019-01-16
modified: 2018-12-05
plugin id: 81688
published: 2015-03-09
reporter: Tenable
source: https://www.tenable.com/plugins/index.php?view=single&id=81688
title: GLSA-201503-03 : PHP: Multiple vulnerabilities

NASL family | Mandriva Local Security Checks | NASL id | MANDRIVA_MDVSA-2015-032.NASL | description | Multiple vulnerabilities have been discovered and corrected in php :
sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x
through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a
.php file, does not properly consider the mapping's length during
processing of an invalid file that begins with a # character and lacks
a newline character, which causes an out-of-bounds read and might (1)
allow remote attackers to obtain sensitive information from php-cgi
process memory by leveraging the ability to upload a .php file or (2)
trigger unexpected code execution if a valid PHP script is present in
memory locations adjacent to the mapping (CVE-2014-9427).
Use-after-free vulnerability in the process_nested_data function in
ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before
5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute
arbitrary code via a crafted unserialize call that leverages improper
handling of duplicate numerical keys within the serialized properties
of an object. NOTE: this vulnerability exists because of an incomplete
fix for CVE-2014-8142 (CVE-2015-0231).
The exif_process_unicode function in ext/exif/exif.c in PHP before
5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote
attackers to execute arbitrary code or cause a denial of service
(uninitialized pointer free and application crash) via crafted EXIF
data in a JPEG image (CVE-2015-0232).
The updated php packages have been upgraded to the 5.5.21 version
which is not vulnerable to these issues.
Additionally, the timezonedb package has been upgraded to the latest
2015.1 version, the php-suhosin package has been upgraded to the
latest 0.9.37.1 and the PECL packages that require it have been
rebuilt for php-5.5.21. | last seen | 2019-01-16 | modified | 2019-01-02 | plugin id | 81198 | published | 2015-02-06 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=81198 | title | Mandriva Linux Security Advisory : php (MDVSA-2015:032) |
NASL family | Fedora Local Security Checks | NASL id | FEDORA_2015-1101.NASL | description | 22 Jan 2014, PHP 5.5.21
Core :
- Upgraded crypt_blowfish to version 1.3. (Leigh)
- Fixed bug #60704 (unlink() bug with some files path).
- Fixed bug #65419 (Inside trait, self::class !=
__CLASS__). (Julien)
- Fixed bug #65576 (Constructor from trait conflicts
with inherited constructor). (dunglas at gmail dot
com)
- Fixed bug #55541 (errors spawn MessageBox, which
blocks test automation). (Anatol)
- Fixed bug #68297 (Application Popup provides too few
information). (Anatol)
- Fixed bug #65769 (localeconv() broken in TS builds).
(Anatol)
- Fixed bug #65230 (setting locale randomly broken).
(Anatol)
- Fixed bug #66764 (configure doesn't define
EXPANDED_DATADIR / PHP_DATADIR correctly). (Ferenc)
- Fixed bug #68583 (Crash in timeout thread). (Anatol)
- Fixed bug #68676 (Explicit Double Free). (Kalle)
- Fixed bug #68710 (Use After Free Vulnerability in
PHP's unserialize()). (CVE-2015-0231) (Stefan Esser)
CGI :
- Fixed bug #68618 (out of bounds read crashes
php-cgi). (CVE-2014-9427) (Stas)
CLI server :
- Fixed bug #68745 (Invalid HTTP requests make web server
segfault). (Adam)
cURL :
- Fixed bug #67643 (curl_multi_getcontent returns ' when
CURLOPT_RETURNTRANSFER isn't set). (Jille Timmermans)
EXIF :
- Fixed bug #68799: Free called on uninitialized pointer.
(CVE-2015-0232) (Stas)
Fileinfo :
- Fixed bug #68671 (incorrect expression in libmagic).
(Joshua Rogers, Anatol Belski)
- Removed readelf.c and related code from libmagic
sources (Remi, Anatol)
- Fixed bug #68735 (fileinfo out-of-bounds memory
access). (Anatol)
FPM :
- Fixed bug #68751 (listen.allowed_clients is broken).
(Remi)
GD :
- Fixed bug #68601 (buffer read overflow in gd_gif_in.c).
(Jan Bee, Remi)
Mbstring :
- Fixed bug #68504 (--with-libmbfl configure option not
present on Windows). (Ashesh Vashi)
Mcrypt :
- Fixed possible read after end of buffer and use after
free. (Dmitry)
Opcache :
- Fixed bug #67111 (Memory leak when using 'continue 2'
inside two foreach loops). (Nikita)
OpenSSL :
- Fixed bug #55618 (use case-insensitive cert name
matching). (Daniel Lowrey)
Pcntl :
- Fixed bug #60509 (pcntl_signal doesn't decrease
ref-count of old handler when setting SIG_DFL). (Julien)
PCRE :
- Fixed bug #66679 (Alignment Bug in PCRE 8.34 upstream).
(Rainer Jung, Anatol Belski)
pgsql :
- Fixed bug #68697 (lo_export return -1 on failure).
(Ondrej Sury)
PDO :
- Fixed bug #68371 (PDO#getAttribute() cannot be called
with platform-specific attribute names). (Matteo)
PDO_mysql :
- Fixed bug #68424 (Add new PDO mysql connection attr to
control multi statements option). (peter dot wolanin at
acquia dot com)
SPL :
- Fixed bug #66405
(RecursiveDirectoryIterator::CURRENT_AS_PATHNAME breaks
the RecursiveIterator). (Paul Garvin)
- Fixed bug #65213 (cannot cast SplFileInfo to boolean)
(Tjerk)
- Fixed bug #68479 (Added escape parameter to
SplFileObject::fputcsv). (Salathe)
SQLite :
- Fixed bug #68120 (Update bundled libsqlite to 3.8.7.2).
(Anatol)
Streams :
- Fixed bug #68532 (convert.base64-encode omits padding
bytes). (blaesius at krumedia dot de)
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2015-10-19 | plugin id | 81191 | published | 2015-02-06 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=81191 | title | Fedora 20 : php-5.5.21-1.fc20 (2015-1101) |
NASL family | CGI abuses | NASL id | PHP_5_6_5.NASL | description | According to its banner, the version of PHP 5.6.x installed on the
remote host is prior to 5.6.5. It is, therefore, affected by multiple
vulnerabilities:
- An out-of-bounds read flaw in file 'cgi_main.c' exists
when mmap is used to process an invalid file that begins
with a hash character (#) but lacks a newline character.
A remote attacker, using a specially crafted PHP file,
can exploit this vulnerability to disclose memory
contents, cause a denial of service, or possibly execute
code. (CVE-2014-9427)
- An out-of-bounds read issue exists in the GetCode_()
function in 'gd_gif_in.c'. This allows a remote attacker
to disclose memory contents. (CVE-2014-9709)
- A use-after-free memory error exists in the
process_nested_data() function in 'var_unserializer.re'
due to improper handling of duplicate numerical keys
within the serialized properties of an object. A remote
attacker, using a crafted unserialize method call, can
exploit this vulnerability to execute arbitrary code.
(CVE-2015-0231)
- A flaw exists in the exif_process_unicode() function in
'exif.c' that allows freeing an uninitialized pointer. A
remote attacker, using specially crafted EXIF data in a
JPEG image, can exploit this to cause a denial of
service or to execute arbitrary code. (CVE-2015-0232)
Note that Nessus has not attempted to exploit these issues but has
instead relied only on the application's self-reported version number. | last seen | 2019-01-16 | modified | 2018-07-24 | plugin id | 81082 | published | 2015-01-29 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=81082 | title | PHP 5.6.x < 5.6.5 Multiple Vulnerabilities |
NASL family | Mandriva Local Security Checks | NASL id | MANDRIVA_MDVSA-2015-079.NASL | description | Multiple vulnerabilities have been discovered and corrected in php :
S. Paraschoudis discovered that PHP incorrectly handled memory in the
enchant binding. A remote attacker could use this issue to cause PHP
to crash, resulting in a denial of service, or possibly execute
arbitrary code (CVE-2014-9705).
Taoguang Chen discovered that PHP incorrectly handled unserializing
objects. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code
(CVE-2015-0273).
It was discovered that PHP incorrectly handled memory in the phar
extension. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code (CVE-2015-2301).
Use-after-free vulnerability in the process_nested_data function in
ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before
5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute
arbitrary code via a crafted unserialize call that leverages improper
handling of duplicate numerical keys within the serialized properties
of an object. NOTE: this vulnerability exists because of an incomplete
fix for CVE-2014-8142 (CVE-2015-0231).
An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way libzip, which is embedded in PHP, processed certain
ZIP archives. If an attacker were able to supply a specially crafted
ZIP archive to an application using libzip, it could cause the
application to crash or, possibly, execute arbitrary code
(CVE-2015-2331).
It was discovered that the PHP opcache component incorrectly handled
memory. A remote attacker could possibly use this issue to cause PHP
to crash, resulting in a denial of service, or possibly execute
arbitrary code (CVE-2015-1351).
It was discovered that the PHP PostgreSQL database extension
incorrectly handled certain pointers. A remote attacker could possibly
use this issue to cause PHP to crash, resulting in a denial of
service, or possibly execute arbitrary code (CVE-2015-1352).
The updated php packages have been patched and upgraded to the 5.5.23
version which is not vulnerable to these issues. The libzip packages
have been patched to address the CVE-2015-2331 flaw.
Additionally the php-xdebug package has been upgraded to the latest
2.3.2 and the PECL packages that require it have been rebuilt for
php-5.5.23. | last seen | 2019-01-16 | modified | 2018-11-15 | plugin id | 82332 | published | 2015-03-30 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=82332 | title | Mandriva Linux Security Advisory : php (MDVSA-2015:079) |
NASL family | Red Hat Local Security Checks | NASL id | REDHAT-RHSA-2015-1135.NASL | description | Updated php packages that fix multiple security issues and several
bugs are now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Important
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
PHP is an HTML-embedded scripting language commonly used with the
Apache HTTP Server.
A flaw was found in the way the PHP module for the Apache httpd web
server handled pipelined requests. A remote attacker could use this
flaw to trigger the execution of a PHP script in a deinitialized
interpreter, causing it to crash or, possibly, execute arbitrary code.
(CVE-2015-3330)
A flaw was found in the way PHP parsed multipart HTTP POST requests. A
specially crafted request could cause PHP to use an excessive amount
of CPU time. (CVE-2015-4024)
An uninitialized pointer use flaw was found in PHP's Exif extension. A
specially crafted JPEG or TIFF file could cause a PHP application
using the exif_read_data() function to crash or, possibly, execute
arbitrary code with the privileges of the user running that PHP
application. (CVE-2015-0232)
An integer overflow flaw leading to a heap-based buffer overflow was
found in the way PHP's FTP extension parsed file listing FTP server
responses. A malicious FTP server could use this flaw to cause a PHP
application to crash or, possibly, execute arbitrary code.
(CVE-2015-4022)
Multiple flaws were discovered in the way PHP performed object
unserialization. Specially crafted input processed by the
unserialize() function could cause a PHP application to crash or,
possibly, execute arbitrary code. (CVE-2014-8142, CVE-2015-0231,
CVE-2015-0273, CVE-2015-2787, CVE-2015-4147, CVE-2015-4148,
CVE-2015-4599, CVE-2015-4600, CVE-2015-4601, CVE-2015-4602,
CVE-2015-4603)
It was found that certain PHP functions did not properly handle file
names containing a NULL character. A remote attacker could possibly
use this flaw to make a PHP script access unexpected files and bypass
intended file system access restrictions. (CVE-2015-2348,
CVE-2015-4025, CVE-2015-4026, CVE-2015-3411, CVE-2015-3412,
CVE-2015-4598)
Multiple flaws were found in the way PHP's Phar extension
parsed Phar archives. A specially crafted archive could cause PHP to
crash or, possibly, execute arbitrary code when opened.
(CVE-2015-2301, CVE-2015-2783, CVE-2015-3307, CVE-2015-3329,
CVE-2015-4021)
Multiple flaws were found in PHP's File Information (fileinfo)
extension. A remote attacker could cause a PHP application to crash if
it used fileinfo to identify the type of attacker-supplied files.
(CVE-2014-9652, CVE-2015-4604, CVE-2015-4605)
A heap buffer overflow flaw was found in the
enchant_broker_request_dict() function of PHP's enchant extension. An
attacker able to make a PHP application enchant dictionaries could
possibly cause it to crash. (CVE-2014-9705)
A buffer over-read flaw was found in the GD library used by the PHP gd
extension. A specially crafted GIF file could cause a PHP application
using the imagecreatefromgif() function to crash. (CVE-2014-9709)
This update also fixes the following bugs :
* The libgmp library in some cases terminated unexpectedly with a
segmentation fault when being used with other libraries that use the
GMP memory management. With this update, PHP no longer changes libgmp
memory allocators, which prevents the described crash from occurring.
(BZ#1212305)
* When using the Open Database Connectivity (ODBC) API, the PHP
process in some cases terminated unexpectedly with a segmentation
fault. The underlying code has been adjusted to prevent this crash.
(BZ#1212299)
* Previously, running PHP on a big-endian system sometimes led to
memory corruption in the fileinfo module. This update adjusts the
behavior of the PHP pointer so that it can be freed without causing
memory corruption. (BZ#1212298)
All php users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing
the updated packages, the httpd daemon must be restarted for the
update to take effect. | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 84355 | published | 2015-06-24 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=84355 | title | RHEL 7 : php (RHSA-2015:1135) |
NASL family | SuSE Local Security Checks | NASL id | SUSE_SU-2015-0365-1.NASL | description | php5 was updated to fix four security issues.
These security issues were fixed :
- CVE-2015-0231: Use-after-free vulnerability in the
process_nested_data function in
ext/standard/var_unserializer.re in PHP before 5.4.37,
5.5.x before 5.5.21, and 5.6.x before 5.6.5 allowed
remote attackers to execute arbitrary code via a crafted
unserialize call that leverages improper handling of
duplicate numerical keys within the serialized
properties of an object. NOTE: this vulnerability exists
because of an incomplete fix for CVE-2014-8142
(bnc#910659).
- CVE-2014-9427: sapi/cgi/cgi_main.c in the CGI component
in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x
through 5.6.4, when mmap is used to read a .php file,
did not properly consider the mapping's length during
processing of an invalid file that begins with a #
character and lacks a newline character, which caused an
out-of-bounds read and might (1) allow remote attackers
to obtain sensitive information from php-cgi process
memory by leveraging the ability to upload a .php file
or (2) trigger unexpected code execution if a valid PHP
script is present in memory locations adjacent to the
mapping (bnc#911664).
- CVE-2015-0232: The exif_process_unicode function in
ext/exif/exif.c in PHP before 5.4.37, 5.5.x before
5.5.21, and 5.6.x before 5.6.5 allowed remote attackers
to execute arbitrary code or cause a denial of service
(uninitialized pointer free and application crash) via
crafted EXIF data in a JPEG image (bnc#914690).
- CVE-2014-8142: Use-after-free vulnerability in the
process_nested_data function in
ext/standard/var_unserializer.re in PHP before 5.4.36,
5.5.x before 5.5.20, and 5.6.x before 5.6.4 allowed
remote attackers to execute arbitrary code via a crafted
unserialize call that leverages improper handling of
duplicate keys within the serialized properties of an
object, a different vulnerability than CVE-2004-1019
(bnc#910659).
Additionally a fix was included that protects against a possible NULL
pointer use (bnc#910659).
The update package also includes non-security fixes. See advisory for
details.
Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-02-07 | modified | 2019-02-06 | plugin id | 119961 | published | 2019-01-02 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=119961 | title | SUSE SLES12 Security Update : php5 (SUSE-SU-2015:0365-1) |
NASL family | Amazon Linux Local Security Checks | NASL id | ALA_ALAS-2015-507.NASL | description | A use-after-free flaw was found in the way PHP's unserialize()
function processed data. If a remote attacker was able to pass crafted
input to PHP's unserialize() function, they could cause the PHP
interpreter to crash or, possibly, execute arbitrary code.
(CVE-2015-0231)
An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way libzip, which is also embedded in PHP, processed
certain ZIP archives. If an attacker were able to supply a specially
crafted ZIP archive to an application using libzip, it could cause the
application to crash or, possibly, execute arbitrary code.
(CVE-2015-2331)
Integer overflow in the regcomp implementation in the Henry Spencer
BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as
used in NetBSD through 6.1.5 and other products, might allow
context-dependent attackers to execute arbitrary code via a large
regular expression that leads to a heap-based buffer overflow.
(CVE-2015-2305) | last seen | 2019-01-16 | modified | 2018-04-18 | plugin id | 82835 | published | 2015-04-17 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=82835 | title | Amazon Linux AMI : php55 (ALAS-2015-507) |
NASL family | CGI abuses | NASL id | PHP_5_6_7.NASL | description | According to its banner, the version of PHP 5.6.x installed on the
remote host is prior to 5.6.7. It is, therefore, affected by multiple
vulnerabilities :
- A use-after-free error exists related to function
'unserialize', which can allow a remote attacker to
execute arbitrary code. Note that this issue is due to
an incomplete fix for CVE-2014-8142. (CVE-2015-0231)
- An integer overflow error exists in function 'regcomp'
in the Henry Spencer regex library, due to improper
validation of user-supplied input. An attacker can
exploit this to cause a denial of service or to execute
arbitrary code. (CVE-2015-2305)
- An integer overflow error exists in the '_zip_cdir_new'
function, due to improper validation of user-supplied
input. An attacker, using a crafted ZIP archive, can
exploit this to cause a denial of service or to execute
arbitrary code. (CVE-2015-2331)
- A filter bypass vulnerability exists due to a flaw in
the move_uploaded_file() function in which pathnames are
truncated when a NULL byte is encountered. This allows a
remote attacker, via a crafted second argument, to
bypass intended extension restrictions and create files
with unexpected names. (CVE-2015-2348)
- A use-after-free error exists in the
process_nested_data() function. This allows a remote
attacker, via a crafted unserialize call, to dereference
already freed memory, resulting in the execution of
arbitrary code. (CVE-2015-2787)
Note that Nessus has not attempted to exploit these issues but has
instead relied only on the application's self-reported version number. | last seen | 2019-01-16 | modified | 2018-07-24 | plugin id | 82027 | published | 2015-03-24 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=82027 | title | PHP 5.6.x < 5.6.7 Multiple Vulnerabilities |
NASL family | Debian Local Security Checks | NASL id | DEBIAN_DSA-3195.NASL | description | Multiple vulnerabilities have been discovered in the PHP language :
- CVE-2015-2305
Guido Vranken discovered a heap overflow in the ereg
extension (only applicable to 32 bit systems).
- CVE-2014-9705
Buffer overflow in the enchant extension.
- CVE-2015-0231
Stefan Esser discovered a use-after-free in the
unserialisation of objects.
- CVE-2015-0232
Alex Eubanks discovered incorrect memory management in
the exif extension.
- CVE-2015-0273
Use-after-free in the unserialisation of DateTimeZone. | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 81926 | published | 2015-03-19 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=81926 | title | Debian DSA-3195-1 : php5 - security update |
NASL family | Amazon Linux Local Security Checks | NASL id | ALA_ALAS-2015-506.NASL | description | A use-after-free flaw was found in the way PHP's unserialize()
function processed data. If a remote attacker was able to pass crafted
input to PHP's unserialize() function, they could cause the PHP
interpreter to crash or, possibly, execute arbitrary code.
(CVE-2015-0231)
An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way libzip, which is also embedded in PHP, processed
certain ZIP archives. If an attacker were able to supply a specially
crafted ZIP archive to an application using libzip, it could cause the
application to crash or, possibly, execute arbitrary code.
(CVE-2015-2331)
Integer overflow in the regcomp implementation in the Henry Spencer
BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as
used in NetBSD through 6.1.5 and other products, might allow
context-dependent attackers to execute arbitrary code via a large
regular expression that leads to a heap-based buffer overflow.
(CVE-2015-2305) | last seen | 2019-01-16 | modified | 2018-04-18 | plugin id | 82834 | published | 2015-04-17 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=82834 | title | Amazon Linux AMI : php54 (ALAS-2015-506) |
NASL family | Oracle Linux Local Security Checks | NASL id | ORACLELINUX_ELSA-2015-1135.NASL | description | From Red Hat Security Advisory 2015:1135 :
Updated php packages that fix multiple security issues and several
bugs are now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Important
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
PHP is an HTML-embedded scripting language commonly used with the
Apache HTTP Server.
A flaw was found in the way the PHP module for the Apache httpd web
server handled pipelined requests. A remote attacker could use this
flaw to trigger the execution of a PHP script in a deinitialized
interpreter, causing it to crash or, possibly, execute arbitrary code.
(CVE-2015-3330)
A flaw was found in the way PHP parsed multipart HTTP POST requests. A
specially crafted request could cause PHP to use an excessive amount
of CPU time. (CVE-2015-4024)
An uninitialized pointer use flaw was found in PHP's Exif extension. A
specially crafted JPEG or TIFF file could cause a PHP application
using the exif_read_data() function to crash or, possibly, execute
arbitrary code with the privileges of the user running that PHP
application. (CVE-2015-0232)
An integer overflow flaw leading to a heap-based buffer overflow was
found in the way PHP's FTP extension parsed file listing FTP server
responses. A malicious FTP server could use this flaw to cause a PHP
application to crash or, possibly, execute arbitrary code.
(CVE-2015-4022)
Multiple flaws were discovered in the way PHP performed object
unserialization. Specially crafted input processed by the
unserialize() function could cause a PHP application to crash or,
possibly, execute arbitrary code. (CVE-2014-8142, CVE-2015-0231,
CVE-2015-0273, CVE-2015-2787, CVE-2015-4147, CVE-2015-4148,
CVE-2015-4599, CVE-2015-4600, CVE-2015-4601, CVE-2015-4602,
CVE-2015-4603)
It was found that certain PHP functions did not properly handle file
names containing a NULL character. A remote attacker could possibly
use this flaw to make a PHP script access unexpected files and bypass
intended file system access restrictions. (CVE-2015-2348,
CVE-2015-4025, CVE-2015-4026, CVE-2015-3411, CVE-2015-3412,
CVE-2015-4598)
Multiple flaws were found in the way PHP's Phar extension
parsed Phar archives. A specially crafted archive could cause PHP to
crash or, possibly, execute arbitrary code when opened.
(CVE-2015-2301, CVE-2015-2783, CVE-2015-3307, CVE-2015-3329,
CVE-2015-4021)
Multiple flaws were found in PHP's File Information (fileinfo)
extension. A remote attacker could cause a PHP application to crash if
it used fileinfo to identify the type of attacker-supplied files.
(CVE-2014-9652, CVE-2015-4604, CVE-2015-4605)
A heap buffer overflow flaw was found in the
enchant_broker_request_dict() function of PHP's enchant extension. An
attacker able to make a PHP application enchant dictionaries could
possibly cause it to crash. (CVE-2014-9705)
A buffer over-read flaw was found in the GD library used by the PHP gd
extension. A specially crafted GIF file could cause a PHP application
using the imagecreatefromgif() function to crash. (CVE-2014-9709)
This update also fixes the following bugs :
* The libgmp library in some cases terminated unexpectedly with a
segmentation fault when being used with other libraries that use the
GMP memory management. With this update, PHP no longer changes libgmp
memory allocators, which prevents the described crash from occurring.
(BZ#1212305)
* When using the Open Database Connectivity (ODBC) API, the PHP
process in some cases terminated unexpectedly with a segmentation
fault. The underlying code has been adjusted to prevent this crash.
(BZ#1212299)
* Previously, running PHP on a big-endian system sometimes led to
memory corruption in the fileinfo module. This update adjusts the
behavior of the PHP pointer so that it can be freed without causing
memory corruption. (BZ#1212298)
All php users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing
the updated packages, the httpd daemon must be restarted for the
update to take effect. | last seen | 2019-01-16 | modified | 2018-07-18 | plugin id | 84351 | published | 2015-06-24 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=84351 | title | Oracle Linux 7 : php (ELSA-2015-1135) |
NASL family | Fedora Local Security Checks | NASL id | FEDORA_2015-1058.NASL | description | 22 Jan 2015, PHP 5.6.5
Core :
- Upgraded crypt_blowfish to version 1.3. (Leigh)
- Fixed bug #60704 (unlink() bug with some files path).
- Fixed bug #65419 (Inside trait, self::class !=
__CLASS__). (Julien)
- Fixed bug #68536 (pack for 64bits integer is broken on
bigendian). (Remi)
- Fixed bug #55541 (errors spawn MessageBox, which
blocks test automation). (Anatol)
- Fixed bug #68297 (Application Popup provides too few
information). (Anatol)
- Fixed bug #65769 (localeconv() broken in TS builds).
(Anatol)
- Fixed bug #65230 (setting locale randomly broken).
(Anatol)
- Fixed bug #66764 (configure doesn't define
EXPANDED_DATADIR / PHP_DATADIR correctly). (Ferenc)
- Fixed bug #68583 (Crash in timeout thread). (Anatol)
- Fixed bug #65576 (Constructor from trait conflicts
with inherited constructor). (dunglas at gmail dot
com)
- Fixed bug #68676 (Explicit Double Free). (Kalle)
- Fixed bug #68710 (Use After Free Vulnerability in
PHP's unserialize()). (CVE-2015-0231) (Stefan Esser)
CGI :
- Fixed bug #68618 (out of bounds read crashes php-cgi).
(CVE-2014-9427) (Stas)
CLI server :
- Fixed bug #68745 (Invalid HTTP requests make web server
segfault). (Adam)
cURL :
- Fixed bug #67643 (curl_multi_getcontent returns ' when
CURLOPT_RETURNTRANSFER isn't set). (Jille Timmermans)
Date :
- Implemented FR #68268 (DatePeriod: Getter for start
date, end date and interval). (Marc Bennewitz)
EXIF :
- Fixed bug #68799: Free called on uninitialized pointer.
(CVE-2015-0232) (Stas)
Fileinfo :
- Fixed bug #68398 (msooxml matches too many archives).
(Anatol)
- Fixed bug #68665 (invalid free in libmagic). (Joshua
Rogers, Anatol Belski)
- Fixed bug #68671 (incorrect expression in libmagic).
(Joshua Rogers, Anatol Belski)
- Removed readelf.c and related code from libmagic
sources (Remi, Anatol)
- Fixed bug #68735 (fileinfo out-of-bounds memory
access). (Anatol)
FPM :
- Fixed request #68526 (Implement POSIX Access Control
List for UDS). (Remi)
- Fixed bug #68751 (listen.allowed_clients is broken).
(Remi)
GD :
- Fixed bug #68601 (buffer read overflow in gd_gif_in.c).
(Jan Bee, Remi)
- Fixed request #68656 (Report gd library version).
(Remi)
mbstring :
- Fixed bug #68504 (--with-libmbfl configure option not
present on Windows). (Ashesh Vashi)
Opcache :
- Fixed bug #68644 (strlen incorrect : mbstring +
func_overload=2 +UTF-8 + Opcache). (Laruence)
- Fixed bug #67111 (Memory leak when using 'continue 2'
inside two foreach loops). (Nikita)
OpenSSL :
- Improved handling of OPENSSL_KEYTYPE_EC keys. (Dominic
Luechinger)
pcntl :
- Fixed bug #60509 (pcntl_signal doesn't decrease
ref-count of old handler when setting SIG_DFL). (Julien)
PCRE :
- Fixed bug #66679 (Alignment Bug in PCRE 8.34 upstream).
(Rainer Jung, Anatol Belski)
pgsql :
- Fixed bug #68697 (lo_export return -1 on failure).
(Ondrej Sury)
PDO :
- Fixed bug #68371 (PDO#getAttribute() cannot be called
with platform-specific attribute names). (Matteo)
PDO_mysql :
- Fixed bug #68424 (Add new PDO mysql connection attr to
control multi statements option). (peter dot wolanin at
acquia dot com)
SPL :
- Fixed bug #66405
(RecursiveDirectoryIterator::CURRENT_AS_PATHNAME breaks
the RecursiveIterator). (Paul Garvin)
- Fixed bug #68479 (Added escape parameter to
SplFileObject::fputcsv). (Salathe)
SQLite :
- Fixed bug #68120 (Update bundled libsqlite to 3.8.7.2).
(Anatol)
Streams :
- Fixed bug #68532 (convert.base64-encode omits padding
bytes). (blaesius at krumedia dot de)
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2015-10-19 | plugin id | 81190 | published | 2015-02-06 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=81190 | title | Fedora 21 : php-5.6.5-1.fc21 (2015-1058) |
NASL family | SuSE Local Security Checks | NASL id | SUSE_SU-2016-1638-1.NASL | description | This update for php53 to version 5.3.17 fixes the following issues :
These security issues were fixed :
- CVE-2016-5093: get_icu_value_internal out-of-bounds read
(bnc#982010).
- CVE-2016-5094: Don't create strings with lengths outside
int range (bnc#982011).
- CVE-2016-5095: Don't create strings with lengths outside
int range (bnc#982012).
- CVE-2016-5096: int/size_t confusion in fread
(bsc#982013).
- CVE-2016-5114: fpm_log.c memory leak and buffer overflow
(bnc#982162).
- CVE-2015-8879: The odbc_bindcols function in
ext/odbc/php_odbc.c in PHP mishandles driver behavior
for SQL_WVARCHAR columns, which allowed remote attackers
to cause a denial of service (application crash) in
opportunistic circumstances by leveraging use of the
odbc_fetch_array function to access a certain type of
Microsoft SQL Server table (bsc#981050).
- CVE-2015-4116: Use-after-free vulnerability in the
spl_ptr_heap_insert function in ext/spl/spl_heap.c in
PHP allowed remote attackers to execute arbitrary code
by triggering a failed SplMinHeap::compare operation
(bsc#980366).
- CVE-2015-8874: Stack consumption vulnerability in GD in
PHP allowed remote attackers to cause a denial of
service via a crafted imagefilltoborder call
(bsc#980375).
- CVE-2015-8873: Stack consumption vulnerability in
Zend/zend_exceptions.c in PHP allowed remote attackers
to cause a denial of service (segmentation fault) via
recursive method calls (bsc#980373).
- CVE-2016-4540: The grapheme_stripos function in
ext/intl/grapheme/grapheme_string.c in PHP allowed
remote attackers to cause a denial of service
(out-of-bounds read) or possibly have unspecified other
impact via a negative offset (bsc#978829).
- CVE-2016-4541: The grapheme_strpos function in
ext/intl/grapheme/grapheme_string.c in PHP allowed
remote attackers to cause a denial of service
(out-of-bounds read) or possibly have unspecified other
impact via a negative offset (bsc#978829).
- CVE-2016-4542: The exif_process_IFD_TAG function in
ext/exif/exif.c in PHP did not properly construct
spprintf arguments, which allowed remote attackers to
cause a denial of service (out-of-bounds read) or
possibly have unspecified other impact via crafted
header data (bsc#978830).
- CVE-2016-4543: The exif_process_IFD_in_JPEG function in
ext/exif/exif.c in PHP did not validate IFD sizes, which
allowed remote attackers to cause a denial of service
(out-of-bounds read) or possibly have unspecified other
impact via crafted header data (bsc#978830).
- CVE-2016-4544: The exif_process_TIFF_in_JPEG function in
ext/exif/exif.c in PHP did not validate TIFF start data,
which allowed remote attackers to cause a denial of
service (out-of-bounds read) or possibly have
unspecified other impact via crafted header data
(bsc#978830).
- CVE-2016-4537: The bcpowmod function in
ext/bcmath/bcmath.c in PHP accepted a negative integer
for the scale argument, which allowed remote attackers
to cause a denial of service or possibly have
unspecified other impact via a crafted call
(bsc#978827).
- CVE-2016-4538: The bcpowmod function in
ext/bcmath/bcmath.c in PHP modified certain data
structures without considering whether they are copies
of the _zero_, _one_, or _two_ global variable, which
allowed remote attackers to cause a denial of service or
possibly have unspecified other impact via a crafted
call (bsc#978827).
- CVE-2016-4539: The xml_parse_into_struct function in
ext/xml/xml.c in PHP allowed remote attackers to cause a
denial of service (buffer under-read and segmentation
fault) or possibly have unspecified other impact via
crafted XML data in the second argument, leading to a
parser level of zero (bsc#978828).
- CVE-2016-4342: ext/phar/phar_object.c in PHP mishandles
zero-length uncompressed data, which allowed remote
attackers to cause a denial of service (heap memory
corruption) or possibly have unspecified other impact
via a crafted (1) TAR, (2) ZIP, or (3) PHAR archive
(bsc#977991).
- CVE-2016-4346: Integer overflow in the str_pad function
in ext/standard/string.c in PHP allowed remote attackers
to cause a denial of service or possibly have
unspecified other impact via a long string, leading to a
heap-based buffer overflow (bsc#977994).
- CVE-2016-4073: Multiple integer overflows in the
mbfl_strcut function in
ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP allowed
remote attackers to cause a denial of service
(application crash) or possibly execute arbitrary code
via a crafted mb_strcut call (bsc#977003).
- CVE-2015-8867: The openssl_random_pseudo_bytes function
in ext/openssl/openssl.c in PHP incorrectly relied on
the deprecated RAND_pseudo_bytes function, which made it
easier for remote attackers to defeat cryptographic
protection mechanisms via unspecified vectors
(bsc#977005).
- CVE-2016-4070: Integer overflow in the
php_raw_url_encode function in ext/standard/url.c in PHP
allowed remote attackers to cause a denial of service
(application crash) via a long string to the
rawurlencode function (bsc#976997).
- CVE-2015-8866: ext/libxml/libxml.c in PHP, when PHP-FPM
is used, did not isolate each thread from
libxml_disable_entity_loader changes in other threads,
which allowed remote attackers to conduct XML External
Entity (XXE) and XML Entity Expansion (XEE) attacks via
a crafted XML document, a related issue to CVE-2015-5161
(bsc#976996).
- CVE-2015-8838: ext/mysqlnd/mysqlnd.c in PHP used a
client SSL option to mean that SSL is optional, which
allowed man-in-the-middle attackers to spoof servers via
a cleartext-downgrade attack, a related issue to
CVE-2015-3152 (bsc#973792).
- CVE-2015-8835: The make_http_soap_request function in
ext/soap/php_http.c in PHP did not properly retrieve
keys, which allowed remote attackers to cause a denial
of service (NULL pointer dereference, type confusion,
and application crash) or possibly execute arbitrary
code via crafted serialized data representing a
numerically indexed _cookies array, related to the
SoapClient::__call method in ext/soap/soap.c
(bsc#973351).
- CVE-2016-3141: Use-after-free vulnerability in wddx.c in
the WDDX extension in PHP allowed remote attackers to
cause a denial of service (memory corruption and
application crash) or possibly have unspecified other
impact by triggering a wddx_deserialize call on XML data
containing a crafted var element (bsc#969821).
- CVE-2016-3142: The phar_parse_zipfile function in zip.c
in the PHAR extension in PHP allowed remote attackers to
obtain sensitive information from process memory or
cause a denial of service (out-of-bounds read and
application crash) by placing a PK\x05\x06 signature at
an invalid location (bsc#971912).
- CVE-2014-9767: Directory traversal vulnerability in the
ZipArchive::extractTo function in ext/zip/php_zip.c in
PHP and in ext/zip/ext_zip.cpp in HHVM allowed remote
attackers to create arbitrary empty directories via a
crafted ZIP archive (bsc#971612).
- CVE-2016-3185: The make_http_soap_request function in
ext/soap/php_http.c in PHP allowed remote attackers to
obtain sensitive information from process memory or
cause a denial of service (type confusion and
application crash) via crafted serialized _cookies data,
related to the SoapClient::__call method in
ext/soap/soap.c (bsc#971611).
- CVE-2016-2554: Stack-based buffer overflow in
ext/phar/tar.c in PHP allowed remote attackers to cause
a denial of service (application crash) or possibly have
unspecified other impact via a crafted TAR archive
(bsc#968284).
- CVE-2015-7803: The phar_get_entry_data function in
ext/phar/util.c in PHP allowed remote attackers to cause
a denial of service (NULL pointer dereference and
application crash) via a .phar file with a crafted TAR
archive entry in which the Link indicator references a
file that did not exist (bsc#949961).
- CVE-2015-6831: Multiple use-after-free vulnerabilities
in SPL in PHP allowed remote attackers to execute
arbitrary code via vectors involving (1) ArrayObject,
(2) SplObjectStorage, and (3) SplDoublyLinkedList, which
are mishandled during unserialization (bsc#942291).
- CVE-2015-6833: Directory traversal vulnerability in the
PharData class in PHP allowed remote attackers to write
to arbitrary files via a .. (dot dot) in a ZIP archive
entry that is mishandled during an extractTo call
(bsc#942296).
- CVE-2015-6836: The SoapClient __call method in
ext/soap/soap.c in PHP did not properly manage headers,
which allowed remote attackers to execute arbitrary code
via crafted serialized data that triggers a 'type
confusion' in the serialize_function_call function
(bsc#945428).
- CVE-2015-6837: The xsl_ext_function_php function in
ext/xsl/xsltprocessor.c in PHP, when libxml2 is used, did
not consider the possibility of a NULL valuePop return
value before proceeding with a free operation during
initial error checking, which allowed remote attackers to
cause a denial of service (NULL pointer dereference and
application crash) via a crafted XML document, a
different vulnerability than CVE-2015-6838 (bsc#945412).
- CVE-2015-6838: The xsl_ext_function_php function in
ext/xsl/xsltprocessor.c in PHP, when libxml2 is used, did
not consider the possibility of a NULL valuePop return
value before proceeding with a free operation after the
principal argument loop, which allowed remote attackers
to cause a denial of service (NULL pointer dereference
and application crash) via a crafted XML document, a
different vulnerability than CVE-2015-6837 (bsc#945412).
- CVE-2015-5590: Stack-based buffer overflow in the
phar_fix_filepath function in ext/phar/phar.c in PHP
allowed remote attackers to cause a denial of service or
possibly have unspecified other impact via a large
length value, as demonstrated by mishandling of an
e-mail attachment by the imap PHP extension
(bsc#938719).
- CVE-2015-5589: The phar_convert_to_other function in
ext/phar/phar_object.c in PHP did not validate a file
pointer before a close operation, which allowed remote
attackers to cause a denial of service (segmentation
fault) or possibly have unspecified other impact via a
crafted TAR archive that is mishandled in a
Phar::convertToData call (bsc#938721).
- CVE-2015-4602: The __PHP_Incomplete_Class function in
ext/standard/incomplete_class.c in PHP allowed remote
attackers to cause a denial of service (application
crash) or possibly execute arbitrary code via an
unexpected data type, related to a 'type confusion'
issue (bsc#935224).
- CVE-2015-4599: The SoapFault::__toString method in
ext/soap/soap.c in PHP allowed remote attackers to
obtain sensitive information, cause a denial of service
(application crash), or possibly execute arbitrary code
via an unexpected data type, related to a 'type
confusion' issue (bsc#935226).
- CVE-2015-4600: The SoapClient implementation in PHP
allowed remote attackers to cause a denial of service
(application crash) or possibly execute arbitrary code
via an unexpected data type, related to 'type confusion'
issues in the (1) SoapClient::__getLastRequest, (2)
SoapClient::__getLastResponse, (3)
SoapClient::__getLastRequestHeaders, (4)
SoapClient::__getLastResponseHeaders, (5)
SoapClient::__getCookies, and (6)
SoapClient::__setCookie methods (bsc#935226).
- CVE-2015-4601: PHP allowed remote attackers to cause a
denial of service (application crash) or possibly
execute arbitrary code via an unexpected data type,
related to 'type confusion' issues in (1)
ext/soap/php_encoding.c, (2) ext/soap/php_http.c, and
(3) ext/soap/soap.c, a different issue than
CVE-2015-4600 (bsc#935226).
- CVE-2015-4603: The exception::getTraceAsString function
in Zend/zend_exceptions.c in PHP allowed remote
attackers to execute arbitrary code via an unexpected
data type, related to a 'type confusion' issue
(bsc#935234).
- CVE-2015-4644: The php_pgsql_meta_data function in
pgsql.c in the PostgreSQL (aka pgsql) extension in PHP
did not validate token extraction for table names, which
might have allowed remote attackers to cause a denial of
service (NULL pointer dereference and application crash)
via a crafted name. NOTE: this vulnerability exists
because of an incomplete fix for CVE-2015-1352
(bsc#935274).
- CVE-2015-4643: Integer overflow in the ftp_genlist
function in ext/ftp/ftp.c in PHP allowed remote FTP
servers to execute arbitrary code via a long reply to a
LIST command, leading to a heap-based buffer overflow.
NOTE: this vulnerability exists because of an incomplete
fix for CVE-2015-4022 (bsc#935275).
- CVE-2015-3411: PHP did not ensure that pathnames lack
%00 sequences, which might have allowed remote attackers
to read or write to arbitrary files via crafted input to
an application that calls (1) a DOMDocument load method,
(2) the xmlwriter_open_uri function, (3) the finfo_file
function, or (4) the hash_hmac_file function, as
demonstrated by a filename\0.xml attack that bypasses an
intended configuration in which client users may read
only .xml files (bsc#935227).
- CVE-2015-3412: PHP did not ensure that pathnames lack
%00 sequences, which might have allowed remote attackers
to read arbitrary files via crafted input to an
application that calls the stream_resolve_include_path
function in ext/standard/streamsfuncs.c, as demonstrated
by a filename\0.extension attack that bypasses an
intended configuration in which client users may read
files with only one specific extension (bsc#935229).
- CVE-2015-4598: PHP did not ensure that pathnames lack
%00 sequences, which might have allowed remote attackers
to read or write to arbitrary files via crafted input to
an application that calls (1) a DOMDocument save method
or (2) the GD imagepsloadfont function, as demonstrated
by a filename\0.html attack that bypasses an intended
configuration in which client users may write to only
.html files (bsc#935232).
- CVE-2015-4148: The do_soap_call function in
ext/soap/soap.c in PHP did not verify that the uri
property is a string, which allowed remote attackers to
obtain sensitive information by providing crafted
serialized data with an int data type, related to a
'type confusion' issue (bsc#933227).
- CVE-2015-4024: Algorithmic complexity vulnerability in
the multipart_buffer_headers function in main/rfc1867.c
in PHP allowed remote attackers to cause a denial of
service (CPU consumption) via crafted form data that
triggers an improper order-of-growth outcome
(bsc#931421).
- CVE-2015-4026: The pcntl_exec implementation in PHP
truncated a pathname upon encountering a \x00 character,
which might have allowed remote attackers to bypass
intended extension restrictions and execute files with
unexpected names via a crafted first argument. NOTE: this
vulnerability exists because of an incomplete fix for
CVE-2006-7243 (bsc#931776).
- CVE-2015-4022: Integer overflow in the ftp_genlist
function in ext/ftp/ftp.c in PHP allowed remote FTP
servers to execute arbitrary code via a long reply to a
LIST command, leading to a heap-based buffer overflow
(bsc#931772).
- CVE-2015-4021: The phar_parse_tarfile function in
ext/phar/tar.c in PHP did not verify that the first
character of a filename is different from the \0
character, which allowed remote attackers to cause a
denial of service (integer underflow and memory
corruption) via a crafted entry in a tar archive
(bsc#931769).
- CVE-2015-3329: Multiple stack-based buffer overflows in
the phar_set_inode function in phar_internal.h in PHP
allowed remote attackers to execute arbitrary code via a
crafted length value in a (1) tar, (2) phar, or (3) ZIP
archive (bsc#928506).
- CVE-2015-2783: ext/phar/phar.c in PHP allowed remote
attackers to obtain sensitive information from process
memory or cause a denial of service (buffer over-read
and application crash) via a crafted length value in
conjunction with crafted serialized data in a phar
archive, related to the phar_parse_metadata and
phar_parse_pharfile functions (bsc#928511).
- CVE-2015-2787: Use-after-free vulnerability in the
process_nested_data function in
ext/standard/var_unserializer.re in PHP allowed remote
attackers to execute arbitrary code via a crafted
unserialize call that leverages use of the unset
function within an __wakeup function, a related issue to
CVE-2015-0231 (bsc#924972).
- CVE-2014-9709: The GetCode_ function in gd_gif_in.c in
GD 2.1.1 and earlier, as used in PHP allowed remote
attackers to cause a denial of service (buffer over-read
and application crash) via a crafted GIF image that is
improperly handled by the gdImageCreateFromGif function
(bsc#923945).
- CVE-2015-2301: Use-after-free vulnerability in the
phar_rename_archive function in phar_object.c in PHP
allowed remote attackers to cause a denial of service or
possibly have unspecified other impact via vectors that
trigger an attempted renaming of a Phar archive to the
name of an existing file (bsc#922452).
- CVE-2015-2305: Integer overflow in the regcomp
implementation in the Henry Spencer BSD regex library
(aka rxspencer) on 32-bit platforms might have allowed
context-dependent attackers to execute arbitrary code
via a large regular expression that leads to a
heap-based buffer overflow (bsc#921950).
- CVE-2014-9705: Heap-based buffer overflow in the
enchant_broker_request_dict function in
ext/enchant/enchant.c in PHP allowed remote attackers to
execute arbitrary code via vectors that trigger creation
of multiple dictionaries (bsc#922451).
- CVE-2015-0273: Multiple use-after-free vulnerabilities
in ext/date/php_date.c in PHP allowed remote attackers
to execute arbitrary code via crafted serialized input
containing a (1) R or (2) r type specifier in (a)
DateTimeZone data handled by the
php_date_timezone_initialize_from_hash function or (b)
DateTime data handled by the
php_date_initialize_from_hash function (bsc#918768).
- CVE-2014-9652: The mconvert function in softmagic.c in
file, as used in the Fileinfo component in PHP, did not
properly handle a certain string-length field during a
copy of a truncated version of a Pascal string, which
might have allowed remote attackers to cause a denial of
service (out-of-bounds memory access and application
crash) via a crafted file (bsc#917150).
- CVE-2014-8142: Use-after-free vulnerability in the
process_nested_data function in
ext/standard/var_unserializer.re in PHP allowed remote
attackers to execute arbitrary code via a crafted
unserialize call that leverages improper handling of
duplicate keys within the serialized properties of an
object, a different vulnerability than CVE-2004-1019
(bsc#910659).
- CVE-2015-0231: Use-after-free vulnerability in the
process_nested_data function in
ext/standard/var_unserializer.re in PHP allowed remote
attackers to execute arbitrary code via a crafted
unserialize call that leverages improper handling of
duplicate numerical keys within the serialized
properties of an object. NOTE: this vulnerability exists
because of an incomplete fix for CVE-2014-8142
(bsc#910659).
- CVE-2015-0232: The exif_process_unicode function in
ext/exif/exif.c in PHP allowed remote attackers to
execute arbitrary code or cause a denial of service
(uninitialized pointer free and application crash) via
crafted EXIF data in a JPEG image (bsc#914690).
- CVE-2014-3670: The exif_ifd_make_value function in
exif.c in the EXIF extension in PHP operates on
floating-point arrays incorrectly, which allowed remote
attackers to cause a denial of service (heap memory
corruption and application crash) or possibly execute
arbitrary code via a crafted JPEG image with TIFF
thumbnail data that is improperly handled by the
exif_thumbnail function (bsc#902357).
- CVE-2014-3669: Integer overflow in the object_custom
function in ext/standard/var_unserializer.c in PHP
allowed remote attackers to cause a denial of service
(application crash) or possibly execute arbitrary code
via an argument to the unserialize function that
triggers calculation of a large length value
(bsc#902360).
- CVE-2014-3668: Buffer overflow in the date_from_ISO8601
function in the mkgmtime implementation in
libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP
allowed remote attackers to cause a denial of service
(application crash) via (1) a crafted first argument to
the xmlrpc_set_type function or (2) a crafted argument
to the xmlrpc_decode function, related to an
out-of-bounds read operation (bsc#902368).
- CVE-2014-5459: The PEAR_REST class in REST.php in PEAR
in PHP allowed local users to write to arbitrary files
via a symlink attack on a (1) rest.cachefile or (2)
rest.cacheid file in /tmp/pear/cache/, related to the
retrieveCacheFirst and useLocalCache functions
(bsc#893849).
- CVE-2014-3597: Multiple buffer overflows in the
php_parserr function in ext/standard/dns.c in PHP
allowed remote DNS servers to cause a denial of service
(application crash) or possibly execute arbitrary code
via a crafted DNS record, related to the dns_get_record
function and the dn_expand function. NOTE: this issue
exists because of an incomplete fix for CVE-2014-4049
(bsc#893853).
- CVE-2014-4670: Use-after-free vulnerability in
ext/spl/spl_dllist.c in the SPL component in PHP allowed
context-dependent attackers to cause a denial of service
or possibly have unspecified other impact via crafted
iterator usage within applications in certain
web-hosting environments (bsc#886059).
- CVE-2014-4698: Use-after-free vulnerability in
ext/spl/spl_array.c in the SPL component in PHP allowed
context-dependent attackers to cause a denial of service
or possibly have unspecified other impact via crafted
ArrayIterator usage within applications in certain
web-hosting environments (bsc#886060).
- CVE-2014-4721: The phpinfo implementation in
ext/standard/info.c in PHP did not ensure use of the
string data type for the PHP_AUTH_PW, PHP_AUTH_TYPE,
PHP_AUTH_USER, and PHP_SELF variables, which might have
allowed context-dependent attackers to obtain sensitive
information from process memory by using the integer
data type with crafted values, related to a 'type
confusion' vulnerability, as demonstrated by reading a
private SSL key in an Apache HTTP Server web-hosting
environment with mod_ssl and a PHP 5.3.x mod_php
(bsc#885961).
- CVE-2014-0207: The cdf_read_short_sector function in
cdf.c in file as used in the Fileinfo component in PHP
allowed remote attackers to cause a denial of service
(assertion failure and application exit) via a crafted
CDF file (bsc#884986).
- CVE-2014-3478: Buffer overflow in the mconvert function
in softmagic.c in file as used in the Fileinfo component
in PHP allowed remote attackers to cause a denial of
service (application crash) via a crafted Pascal string
in a FILE_PSTRING conversion (bsc#884987).
- CVE-2014-3479: The cdf_check_stream_offset function in
cdf.c in file as used in the Fileinfo component in PHP
relies on incorrect sector-size data, which allowed
remote attackers to cause a denial of service
(application crash) via a crafted stream offset in a CDF
file (bsc#884989).
- CVE-2014-3480: The cdf_count_chain function in cdf.c in
file as used in the Fileinfo component in PHP did not
properly validate sector-count data, which allowed
remote attackers to cause a denial of service
(application crash) via a crafted CDF file (bsc#884990).
- CVE-2014-3487: The cdf_read_property_info function in
file as used in the Fileinfo component in PHP did not
properly validate a stream offset, which allowed remote
attackers to cause a denial of service (application
crash) via a crafted CDF file (bsc#884991).
- CVE-2014-3515: The SPL component in PHP incorrectly
anticipates that certain data structures will have the
array data type after unserialization, which allowed
remote attackers to execute arbitrary code via a crafted
string that triggers use of a Hashtable destructor,
related to 'type confusion' issues in (1) ArrayObject
and (2) SPLObjectStorage (bsc#884992).
The update package also includes non-security fixes. See advisory for
details.
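The CVE-2015-8866 item above describes process-global libxml state (the libxml_disable_entity_loader flag) leaking between requests under PHP-FPM, so a request that parses XML cannot assume a safe loader state was left behind by the previous one. The following is an added example, not code from the SUSE advisory or from PHP itself, of parsing untrusted XML with DOMDocument so that it does not depend on that global state: the loader is disabled explicitly on every call, network fetches are forbidden with LIBXML_NONET, and any document carrying a DOCTYPE is refused outright, since both external-entity (XXE) and entity-expansion (XEE) payloads need a DTD to declare their entities. The function name and the two sample documents are constructed for illustration. It is written to run on PHP 5.3, the version this advisory covers; note that libxml_disable_entity_loader() is deprecated from PHP 8.0, where external entity loading is already off by default.

```php
<?php
// Added example (not from the advisory or from PHP): parse untrusted XML
// without relying on libxml global state from an earlier request.

function parse_untrusted_xml($xml)
{
    // Disable external entity loading for this request explicitly; do not
    // assume a previous request left it disabled (that assumption is what
    // CVE-2015-8866 broke under PHP-FPM). It is deliberately left disabled
    // afterwards rather than restored.
    libxml_disable_entity_loader(true);
    $prevErr = libxml_use_internal_errors(true);

    $dom = new DOMDocument();
    // LIBXML_NONET forbids network access for DTDs and entities.
    // LIBXML_NOENT and LIBXML_DTDLOAD are intentionally absent.
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prevErr);
    if ($ok === false) {
        return null;
    }

    // Refuse any DOCTYPE: XXE needs a DTD to declare the external entity,
    // and entity-expansion payloads need one to declare the nested entities.
    foreach ($dom->childNodes as $node) {
        if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
            return null;
        }
    }
    return $dom;
}

// Constructed inputs for illustration: one benign document and one that
// declares an external entity pointing at a local file.
$benign = '<?xml version="1.0"?><order><id>17</id></order>';
$xxe = '<?xml version="1.0"?>'
     . '<!DOCTYPE d [<!ENTITY x SYSTEM "file:///etc/passwd">]>'
     . '<order><id>&x;</id></order>';

$doc = parse_untrusted_xml($benign);
echo ($doc ? 'accepted, id=' . $doc->getElementsByTagName('id')->item(0)->textContent
           : 'rejected'), "\n";
echo (parse_untrusted_xml($xxe) ? 'accepted' : 'rejected: DOCTYPE present'), "\n";
```

simplexml_load_string() and DOMDocument::load() share the same libxml global state, so the same explicit call belongs in front of them as well. The DOCTYPE check runs after parsing, so it does not by itself bound the parser's work on a hostile document; it guarantees only that no DTD-declared entity reaches application code.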
Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-11-29 | plugin id | 93161 | published | 2016-08-29 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=93161 | title | SUSE SLES11 Security Update : php53 (SUSE-SU-2016:1638-1) (BACKRONYM) |
NASL family | CGI abuses | NASL id | PHP_5_5_23.NASL | description | According to its banner, the version of PHP 5.5.x installed on the
remote host is prior to 5.5.23. It is, therefore, affected by multiple
vulnerabilities :
- A use-after-free error exists related to function
'unserialize', which can allow a remote attacker to
execute arbitrary code. Note that this issue is due to
an incomplete fix for CVE-2014-8142. (CVE-2015-0231)
- An integer overflow error exists in function 'regcomp'
in the Henry Spencer regex library, due to improper
validation of user-supplied input. An attacker can
exploit this to cause a denial of service or to execute
arbitrary code. (CVE-2015-2305)
- An integer overflow error exists in the '_zip_cdir_new'
function, due to improper validation of user-supplied
input. An attacker, using a crafted ZIP archive, can
exploit this to cause a denial of service or to execute
arbitrary code. (CVE-2015-2331)
- A filter bypass vulnerability exists due to a flaw in
the move_uploaded_file() function in which pathnames are
truncated when a NULL byte is encountered. This allows a
remote attacker, via a crafted second argument, to
bypass intended extension restrictions and create files
with unexpected names. (CVE-2015-2348)
- A use-after-free error exists in the
process_nested_data() function. This allows a remote
attacker, via a crafted unserialize call, to dereference
already freed memory, resulting in the execution of
arbitrary code. (CVE-2015-2787)
Note that Nessus has not attempted to exploit these issues but has
instead relied only on the application's self-reported version number. | last seen | 2019-01-16 | modified | 2018-07-24 | plugin id | 82026 | published | 2015-03-24 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=82026 | title | PHP 5.5.x < 5.5.23 Multiple Vulnerabilities |
NASL family | SuSE Local Security Checks | NASL id | SUSE_11_APACHE2-MOD_PHP53-150212.NASL | description | PHP 5.3 was updated to fix three security issues :
- Use-after-free vulnerability allowed remote attackers to
execute arbitrary code via a crafted unserialize call
that leveraged improper handling of duplicate keys
within the serialized properties of an object.
(bnc#910659). (CVE-2014-8142)
- Use-after-free vulnerability allowed remote attackers to
execute arbitrary code via a crafted unserialize call
that leveraged improper handling of duplicate numerical
keys within the serialized properties of an object.
NOTE: this vulnerability exists because of an incomplete
fix for CVE-2014-8142. (bnc#910659). (CVE-2015-0231)
- The exif_process_unicode function allowed remote
attackers to execute arbitrary code or cause a denial of
service (uninitialized pointer free and application
crash) via crafted EXIF data in a JPEG image.
(bnc#914690). (CVE-2015-0232)
Additionally a fix was included that protects against a possible NULL
pointer use. (bnc#910659)
This non-security issue has been fixed :
- Don't ignore default_socket_timeout on outgoing SSL
connection (bnc#907519) | last seen | 2019-01-16 | modified | 2015-10-05 | plugin id | 81507 | published | 2015-02-25 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=81507 | title | SuSE 11.3 Security Update : php53 (SAT Patch Number 10313) |
NASL family | Amazon Linux Local Security Checks | NASL id | ALA_ALAS-2015-474.NASL | description | sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x
through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a
.php file, does not properly consider the mapping's length during
processing of an invalid file that begins with a # character and lacks
a newline character, which causes an out-of-bounds read and might (1)
allow remote attackers to obtain sensitive information from php-cgi
process memory by leveraging the ability to upload a .php file or (2)
trigger unexpected code execution if a valid PHP script is present in
memory locations adjacent to the mapping. (CVE-2014-9427)
Use-after-free vulnerability in the process_nested_data function in
ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before
5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute
arbitrary code via a crafted unserialize call that leverages improper
handling of duplicate numerical keys within the serialized properties
of an object. NOTE: this vulnerability exists because of an incomplete
fix for CVE-2014-8142 . (CVE-2015-0231)
The exif_process_unicode function in ext/exif/exif.c in PHP before
5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote
attackers to execute arbitrary code or cause a denial of service
(uninitialized pointer free and application crash) via crafted EXIF
data in a JPEG image. (CVE-2015-0232) | last seen | 2019-01-16 | modified | 2018-04-18 | plugin id | 81320 | published | 2015-02-13 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=81320 | title | Amazon Linux AMI : php55 (ALAS-2015-474) |
NASL family | CentOS Local Security Checks | NASL id | CENTOS_RHSA-2015-1135.NASL | description | Updated php packages that fix multiple security issues and several
bugs are now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Important
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
PHP is an HTML-embedded scripting language commonly used with the
Apache HTTP Server.
A flaw was found in the way the PHP module for the Apache httpd web
server handled pipelined requests. A remote attacker could use this
flaw to trigger the execution of a PHP script in a deinitialized
interpreter, causing it to crash or, possibly, execute arbitrary code.
(CVE-2015-3330)
A flaw was found in the way PHP parsed multipart HTTP POST requests. A
specially crafted request could cause PHP to use an excessive amount
of CPU time. (CVE-2015-4024)
An uninitialized pointer use flaw was found in PHP's Exif extension. A
specially crafted JPEG or TIFF file could cause a PHP application
using the exif_read_data() function to crash or, possibly, execute
arbitrary code with the privileges of the user running that PHP
application. (CVE-2015-0232)
An integer overflow flaw leading to a heap-based buffer overflow was
found in the way PHP's FTP extension parsed file listing FTP server
responses. A malicious FTP server could use this flaw to cause a PHP
application to crash or, possibly, execute arbitrary code.
(CVE-2015-4022)
Multiple flaws were discovered in the way PHP performed object
unserialization. Specially crafted input processed by the
unserialize() function could cause a PHP application to crash or,
possibly, execute arbitrary code. (CVE-2014-8142, CVE-2015-0231,
CVE-2015-0273, CVE-2015-2787, CVE-2015-4147, CVE-2015-4148,
CVE-2015-4599, CVE-2015-4600, CVE-2015-4601, CVE-2015-4602,
CVE-2015-4603)
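Every unserialization flaw in the paragraph above, like the CVE-2014-8142, CVE-2015-0231 and CVE-2015-2787 entries in the PHP 5.5.23 and SUSE descriptions on this page, requires attacker-controlled bytes to reach unserialize(). The practical control in an application is therefore to keep untrusted input away from that parser: use json_decode() for data that comes from clients, and when serialize() output genuinely has to cross a trust boundary (a cookie, a hidden form field, a cache shared with other tenants), authenticate it with an HMAC so a forged or modified payload is rejected before unserialize() ever sees it. The following is an added example, not code from Red Hat's advisory or from PHP; the seal()/open_sealed() names, the token format and the key are constructed for illustration, and the code targets PHP 5.3 (hash_equals() only exists from 5.6, hence the hand-written constant-time comparison; the allowed_classes option of unserialize() is PHP 7 and unavailable on the versions this advisory covers).

```php
<?php
// Added example (not from the advisory or from PHP): authenticate serialized
// data with an HMAC so that unserialize() only ever parses bytes we produced.

// Constant-time string comparison; hash_equals() exists only from PHP 5.6.
function ct_equals($a, $b)
{
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $r = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $r |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $r === 0;
}

// Produce "<hex mac>.<base64 payload>"; the MAC covers the encoded payload.
// Neither hex nor base64 contains '.', so the separator is unambiguous.
function seal($data, $key)
{
    $payload = base64_encode(serialize($data));
    $mac = hash_hmac('sha256', $payload, $key);
    return $mac . '.' . $payload;
}

// Verify the MAC first; on any failure return null without calling
// unserialize(), so untrusted bytes never reach the parser.
function open_sealed($token, $key)
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    list($mac, $payload) = $parts;
    $expected = hash_hmac('sha256', $payload, $key);
    if (!ct_equals($expected, $mac)) {
        return null;
    }
    return unserialize(base64_decode($payload));
}

// Constructed demo. In production the key is a random secret loaded from
// configuration, never a literal in source.
$key = 'replace-with-a-random-32-byte-secret';
$token = seal(array('uid' => 42, 'role' => 'user'), $key);
var_dump(open_sealed($token, $key));

// Alter the payload: the MAC no longer matches, so unserialize() is not called.
$tampered = substr($token, 0, -3) . 'A==';
var_dump(open_sealed($tampered, $key));
```

This only helps when the sealed data was produced by code holding the same secret; it does not make unserialize() safe on input of unknown origin, and the key must not be derivable from anything the client sees. For data that never needs PHP objects, json_decode($s, true) is simpler still, because it cannot instantiate classes or trigger __wakeup() at all.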
It was found that certain PHP functions did not properly handle file
names containing a NULL character. A remote attacker could possibly
use this flaw to make a PHP script access unexpected files and bypass
intended file system access restrictions. (CVE-2015-2348,
CVE-2015-4025, CVE-2015-4026, CVE-2015-3411, CVE-2015-3412,
CVE-2015-4598)
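The NULL-character group above (and the matching CVE-2015-3411, CVE-2015-3412, CVE-2015-4598, CVE-2015-4026 and CVE-2015-2348 entries elsewhere on this page) all have the same shape: PHP strings carry an explicit length, so an extension check written in PHP sees the whole of "filename\0.xml" and passes it, while the C-level call underneath stops at the first NUL and opens "filename". The patched functions reject such pathnames themselves; an application that must still run on an unpatched build, or that wants defence in depth, can enforce the same property before any file API is called. The following is an added example, not code from the advisory or from PHP; the safe_user_path() name, the allow-list and the sample filenames (including the "report\0.xml" case modelled on the advisory's "filename\0.xml" demonstration) are constructed for illustration, and it runs on PHP 5.3.

```php
<?php
// Added example (not from the advisory or from PHP): validate a user-supplied
// filename on the length-aware PHP string before it reaches a C file API.

function safe_user_path($baseDir, $userName, array $allowedExt)
{
    // PHP strings are length-counted, so the NUL is still visible here;
    // a C-level fopen()/open() would silently truncate at it.
    if (strpos($userName, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in filename');
    }
    // No directory components: the name must equal its own basename.
    if ($userName !== basename($userName)) {
        throw new InvalidArgumentException('directory component in filename');
    }
    // Extension allow-list, evaluated on the full string.
    $ext = strtolower(pathinfo($userName, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        throw new InvalidArgumentException('extension not allowed: ' . $ext);
    }
    return realpath($baseDir) . DIRECTORY_SEPARATOR . $userName;
}

// Constructed inputs for illustration; only the first should be accepted.
$base = sys_get_temp_dir();
$samples = array(
    "report.xml",          // accepted
    "report\0.xml",        // NUL byte: the truncation bypass described above
    "../etc/passwd.xml",   // directory component
    "shell.php",           // extension not in the allow-list
);
foreach ($samples as $name) {
    $shown = addcslashes($name, "\0");   // render the NUL visibly as \000
    try {
        echo 'OK   ', $shown, ' -> ', safe_user_path($base, $name, array('xml')), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'DENY ', $shown, ' (', $e->getMessage(), ")\n";
    }
}
```

The same check belongs in front of every function the advisories list, not only file opens: the pcntl_exec() and move_uploaded_file() cases differ only in which C call performs the truncation. Percent-encoded "%00" is not a NUL until something decodes it, so validate after urldecode() if the application decodes the name itself.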
- Multiple flaws were found in the way PHP's Phar extension
parsed Phar archives. A specially crafted archive could cause PHP to
crash or, possibly, execute arbitrary code when opened.
(CVE-2015-2301, CVE-2015-2783, CVE-2015-3307, CVE-2015-3329,
CVE-2015-4021)
Multiple flaws were found in PHP's File Information (fileinfo)
extension. A remote attacker could cause a PHP application to crash if
it used fileinfo to identify the type of attacker-supplied files.
(CVE-2014-9652, CVE-2015-4604, CVE-2015-4605)
A heap buffer overflow flaw was found in the
enchant_broker_request_dict() function of PHP's enchant extension. An
attacker able to make a PHP application load enchant dictionaries could
possibly cause it to crash. (CVE-2014-9705)
A buffer over-read flaw was found in the GD library used by the PHP gd
extension. A specially crafted GIF file could cause a PHP application
using the imagecreatefromgif() function to crash. (CVE-2014-9709)
This update also fixes the following bugs :
* The libgmp library in some cases terminated unexpectedly with a
segmentation fault when being used with other libraries that use the
GMP memory management. With this update, PHP no longer changes libgmp
memory allocators, which prevents the described crash from occurring.
(BZ#1212305)
* When using the Open Database Connectivity (ODBC) API, the PHP
process in some cases terminated unexpectedly with a segmentation
fault. The underlying code has been adjusted to prevent this crash.
(BZ#1212299)
* Previously, running PHP on a big-endian system sometimes led to
memory corruption in the fileinfo module. This update corrects the
pointer handling in that module so that the pointer can be freed
without causing memory corruption. (BZ#1212298)
All php users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing
the updated packages, the httpd daemon must be restarted for the
update to take effect. | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 84345 | published | 2015-06-24 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=84345 | title | CentOS 7 : php (CESA-2015:1135) |
NASL family | CGI abuses | NASL id | PHP_5_4_39.NASL | description | According to its banner, the version of PHP 5.4.x installed on the
remote host is prior to 5.4.39. It is, therefore, affected by multiple
vulnerabilities :
- A use-after-free error exists related to function
'unserialize', which can allow a remote attacker to
execute arbitrary code. Note that this issue is due to
an incomplete fix for CVE-2014-8142. (CVE-2015-0231)
- An integer overflow error exists in function 'regcomp'
in the Henry Spencer regex library, due to improper
validation of user-supplied input. An attacker can
exploit this to cause a denial of service or to execute
arbitrary code. (CVE-2015-2305)
- An integer overflow error exists in the '_zip_cdir_new'
function, due to improper validation of user-supplied
input. An attacker, using a crafted ZIP archive, can
exploit this to cause a denial of service or to execute
arbitrary code. (CVE-2015-2331)
- A filter bypass vulnerability exists due to a flaw in
the move_uploaded_file() function in which pathnames are
truncated when a NULL byte is encountered. This allows a
remote attacker, via a crafted second argument, to
bypass intended extension restrictions and create files
with unexpected names. (CVE-2015-2348)
- A use-after-free error exists in the
process_nested_data() function. This allows a remote
attacker, via a crafted unserialize call, to dereference
already freed memory, resulting in the execution of
arbitrary code. (CVE-2015-2787)
Note that Nessus has not attempted to exploit these issues but has
instead relied only on the application's self-reported version number. | last seen | 2019-01-16 | modified | 2018-07-24 | plugin id | 82025 | published | 2015-03-24 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=82025 | title | PHP 5.4.x < 5.4.39 Multiple Vulnerabilities |
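The move_uploaded_file() issue above (CVE-2015-2348) is easiest to see as code. The following is an added example, not code from Tenable's plugin or from the PHP project: it places the vulnerable pattern a pre-5.4.39 application would have had beside a hardened destination-path builder that refuses NUL bytes, strips directory components and keeps the extension under server control. The function names, the `uploads/` directory and the sample inputs are assumptions made for illustration; the block needs PHP 7.1 or later for its type declarations.

```php
<?php
// Added example, not from the advisory. Shows how a NUL byte in a
// caller-controlled name bypassed an appended extension before the
// CVE-2015-2348 fix, and a hardened replacement. Names are illustrative.

// VULNERABLE pattern: the application believes the file will always end
// in ".txt" because it appends the extension itself. Affected PHP
// versions truncated the path at the first NUL byte inside
// move_uploaded_file(), so "shell.php\0" landed on disk as shell.php.
function vulnerable_destination(string $userName): string
{
    return __DIR__ . '/uploads/' . $userName . '.txt';
}

// HARDENED: refuse NUL bytes, strip any directory component, apply a
// strict allowlist, and keep the extension under server control.
function safe_destination(string $userName): ?string
{
    if (strpos($userName, "\0") !== false) {
        return null; // embedded NUL: reject before any filesystem call
    }
    $base = basename($userName);
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $base)) {
        return null; // anything outside the allowlist is rejected
    }
    return __DIR__ . '/uploads/' . $base . '.txt';
}

// Typical call site: one $_FILES entry plus a user-chosen name from the form.
function handle_upload(array $file, string $userName): bool
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return false;
    }
    $dest = safe_destination($userName);
    if ($dest === null) {
        return false;
    }
    return move_uploaded_file($file['tmp_name'], $dest);
}

// Constructed sample inputs (no real upload is performed here).
$attackerName = "shell.php\0";
$benignName   = 'report-2015';

echo 'vulnerable: ', str_replace("\0", '\0', vulnerable_destination($attackerName)), PHP_EOL;
echo 'hardened:   ', var_export(safe_destination($attackerName), true), PHP_EOL;
echo 'hardened:   ', var_export(safe_destination($benignName), true), PHP_EOL;
```

The check for "\0" comes first on purpose: on the affected versions the truncation happened inside the C-level path handling, after any PHP-level string concatenation, so an extension appended by the application was never part of the name the kernel saw. Current PHP versions refuse paths containing NUL bytes themselves, but the application-side allowlist still prevents the directory-traversal and unexpected-name cases that patching alone does not address.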
NASL family | FreeBSD Local Security Checks | NASL id | FREEBSD_PKG_742563D4D77611E4B5954061861086C1.NASL | description | The PHP project reports :
The PHP development team announces the immediate availability of PHP
5.6.7. Several bugs have been fixed as well as CVE-2015-0231,
CVE-2015-2305 and CVE-2015-2331. All PHP 5.6 users are encouraged to
upgrade to this version.
The PHP development team announces the immediate availability of PHP
5.5.23. Several bugs have been fixed as well as CVE-2015-0231,
CVE-2015-2305 and CVE-2015-2331. All PHP 5.5 users are encouraged to
upgrade to this version.
The PHP development team announces the immediate availability of PHP
5.4.39. Six security-related bugs were fixed in this release,
including CVE-2015-0231, CVE-2015-2305 and CVE-2015-2331. All PHP 5.4
users are encouraged to upgrade to this version. | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 82514 | published | 2015-04-02 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=82514 | title | FreeBSD : Several vulnerabilities found in PHP (742563d4-d776-11e4-b595-4061861086c1) |
NASL family | Scientific Linux Local Security Checks | NASL id | SL_20150623_PHP_ON_SL7_X.NASL | description | A flaw was found in the way the PHP module for the Apache httpd web
server handled pipelined requests. A remote attacker could use this
flaw to trigger the execution of a PHP script in a deinitialized
interpreter, causing it to crash or, possibly, execute arbitrary code.
(CVE-2015-3330)
A flaw was found in the way PHP parsed multipart HTTP POST requests. A
specially crafted request could cause PHP to use an excessive amount
of CPU time. (CVE-2015-4024)
An uninitialized pointer use flaw was found in PHP's Exif extension. A
specially crafted JPEG or TIFF file could cause a PHP application
using the exif_read_data() function to crash or, possibly, execute
arbitrary code with the privileges of the user running that PHP
application. (CVE-2015-0232)
An integer overflow flaw leading to a heap-based buffer overflow was
found in the way PHP's FTP extension parsed file listing FTP server
responses. A malicious FTP server could use this flaw to cause a PHP
application to crash or, possibly, execute arbitrary code.
(CVE-2015-4022)
Multiple flaws were discovered in the way PHP performed object
unserialization. Specially crafted input processed by the
unserialize() function could cause a PHP application to crash or,
possibly, execute arbitrary code. (CVE-2014-8142, CVE-2015-0231,
CVE-2015-0273, CVE-2015-2787, CVE-2015-4147, CVE-2015-4148,
CVE-2015-4599, CVE-2015-4600, CVE-2015-4601, CVE-2015-4602,
CVE-2015-4603)
It was found that certain PHP functions did not properly handle file
names containing a NULL character. A remote attacker could possibly
use this flaw to make a PHP script access unexpected files and bypass
intended file system access restrictions. (CVE-2015-2348,
CVE-2015-4025, CVE-2015-4026, CVE-2015-3411, CVE-2015-3412,
CVE-2015-4598)
Multiple flaws were found in the way PHP's Phar extension parsed Phar
archives. A specially crafted archive could cause PHP to crash or,
possibly, execute arbitrary code when opened. (CVE-2015-2301,
CVE-2015-2783, CVE-2015-3307, CVE-2015-3329, CVE-2015-4021)
Multiple flaws were found in PHP's File Information (fileinfo)
extension. A remote attacker could cause a PHP application to crash if
it used fileinfo to identify the type of attacker-supplied files.
(CVE-2014-9652, CVE-2015-4604, CVE-2015-4605)
A heap buffer overflow flaw was found in the
enchant_broker_request_dict() function of PHP's enchant extension. An
attacker able to make a PHP application request multiple enchant
dictionaries could possibly cause it to crash. (CVE-2014-9705)
A buffer over-read flaw was found in the GD library used by the PHP gd
extension. A specially crafted GIF file could cause a PHP application
using the imagecreatefromgif() function to crash. (CVE-2014-9709)
This update also fixes the following bugs :
- The libgmp library in some cases terminated unexpectedly
with a segmentation fault when being used with other
libraries that use the GMP memory management. With this
update, PHP no longer changes libgmp memory allocators,
which prevents the described crash from occurring.
- When using the Open Database Connectivity (ODBC) API,
the PHP process in some cases terminated unexpectedly
with a segmentation fault. The underlying code has been
adjusted to prevent this crash.
- Previously, running PHP on a big-endian system sometimes
led to memory corruption in the fileinfo module. This
update corrects the pointer handling in that module so
that the pointer can be freed without causing memory corruption.
After installing the updated packages, the httpd daemon must be
restarted for the update to take effect. | last seen | 2019-01-16 | modified | 2018-12-28 | plugin id | 84394 | published | 2015-06-25 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=84394 | title | Scientific Linux Security Update : php on SL7.x x86_64 |
NASL family | CGI abuses | NASL id | PHP_5_5_21.NASL | description | According to its banner, the version of PHP 5.5.x installed on the
remote host is prior to 5.5.21. It is, therefore, affected by multiple
vulnerabilities:
- An out-of-bounds read flaw in file 'cgi_main.c' exists
when mmap is used to read an invalid .php file that begins
with a hash character (#) but lacks a newline character.
A remote attacker, using a specially crafted PHP file,
can exploit this vulnerability to disclose memory
contents, cause a denial of service, or possibly execute
code. (CVE-2014-9427)
- An out-of-bounds read issue exists in the GetCode_()
function in 'gd_gif_in.c'. This allows a remote attacker
to disclose memory contents. (CVE-2014-9709)
- A use-after-free memory error exists in the
process_nested_data() function in 'var_unserializer.re'
due to improper handling of duplicate numerical keys
within the serialized properties of an object. A remote
attacker, using a crafted unserialize method call, can
exploit this vulnerability to execute arbitrary code.
(CVE-2015-0231)
- A flaw exists in the exif_process_unicode() function in
'exif.c' that allows freeing an uninitialized pointer. A
remote attacker, using specially crafted EXIF data in a
JPEG image, can exploit this to cause a denial of
service or to execute arbitrary code. (CVE-2015-0232)
Note that Nessus has not attempted to exploit these issues but has
instead relied only on the application's self-reported version number. | last seen | 2019-01-16 | modified | 2018-07-24 | plugin id | 81081 | published | 2015-01-29 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=81081 | title | PHP 5.5.x < 5.5.21 Multiple Vulnerabilities |
NASL family | Amazon Linux Local Security Checks | NASL id | ALA_ALAS-2015-508.NASL | description | A use-after-free flaw was found in the way PHP's unserialize()
function processed data. If a remote attacker was able to pass crafted
input to PHP's unserialize() function, they could cause the PHP
interpreter to crash or, possibly, execute arbitrary code.
(CVE-2015-0231)
An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way libzip, which is also embedded in PHP, processed
certain ZIP archives. If an attacker were able to supply a specially
crafted ZIP archive to an application using libzip, it could cause the
application to crash or, possibly, execute arbitrary code.
(CVE-2015-2331)
Integer overflow in the regcomp implementation in the Henry Spencer
BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as
used in NetBSD through 6.1.5 and other products, might allow
context-dependent attackers to execute arbitrary code via a large
regular expression that leads to a heap-based buffer overflow.
(CVE-2015-2305) | last seen | 2019-01-16 | modified | 2018-04-18 | plugin id | 82836 | published | 2015-04-17 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=82836 | title | Amazon Linux AMI : php56 (ALAS-2015-508) |
NASL family | Slackware Local Security Checks | NASL id | SLACKWARE_SSA_2015-111-10.NASL | description | New php packages are available for Slackware 14.0, 14.1, and -current
to fix security issues. | last seen | 2019-01-16 | modified | 2016-05-19 | plugin id | 82923 | published | 2015-04-22 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=82923 | title | Slackware 14.0 / 14.1 / current : php (SSA:2015-111-10) |