ID CVE-2015-1351
Summary Use-after-free vulnerability in the _zend_shared_memdup function in zend_shared_alloc.c in the OPcache extension in PHP through 5.6.7 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
Vulnerable Configurations
  • Oracle Secure Backup 12.1.0.1.0
    cpe:2.3:a:oracle:secure_backup:12.1.0.1.0
  • Apple Mac OS X 10.6.8
    cpe:2.3:o:apple:mac_os_x:10.6.8
  • PHP 5.6.7
    cpe:2.3:a:php:php:5.6.7
  • Oracle Linux 6.0
    cpe:2.3:o:oracle:linux:6.0
  • Oracle Linux 7.0
    cpe:2.3:o:oracle:linux:7.0
  • Oracle Solaris 11.2
    cpe:2.3:o:oracle:solaris:11.2
CVSS
Base: 7.5 (as of 01-11-2016 - 14:34)
Access: Vector NETWORK / Complexity LOW / Authentication NONE
Impact: Confidentiality PARTIAL / Integrity PARTIAL / Availability PARTIAL
CWE CWE-416
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2501-1.NASL
    description Stefan Esser discovered that PHP incorrectly handled unserializing objects. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-8142, CVE-2015-0231) Brian Carpenter discovered that the PHP CGI component incorrectly handled invalid files. A local attacker could use this issue to obtain sensitive information, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2014-9427) It was discovered that PHP incorrectly handled certain pascal strings in the fileinfo extension. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2014-9652) Alex Eubanks discovered that PHP incorrectly handled EXIF data in JPEG images. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-0232) It was discovered that the PHP opcache component incorrectly handled memory. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-1351) It was discovered that the PHP PostgreSQL database extension incorrectly handled certain pointers. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-1352). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 81399
    published 2015-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81399
    title Ubuntu 12.04 LTS / 14.04 LTS / 14.10 : php5 vulnerabilities (USN-2501-1)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-080.NASL
    description Multiple vulnerabilities have been discovered and corrected in php : It was discovered that the file utility contains a flaw in the handling of indirect magic rules in the libmagic library, which leads to an infinite recursion when trying to determine the file type of certain files (CVE-2014-1943). A flaw was found in the way the file utility determined the type of Portable Executable (PE) format files, the executable format used on Windows. A malicious PE file could cause the file utility to crash or, potentially, execute arbitrary code (CVE-2014-2270). The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters (CVE-2013-7345). PHP FPM in PHP versions before 5.4.28 and 5.5.12 uses a UNIX domain socket with world-writable permissions by default, which allows any local user to connect to it and execute PHP scripts as the apache user (CVE-2014-0185). A flaw was found in the way file's Composite Document Files (CDF) format parser handles CDF files with many summary info entries. The cdf_unpack_summary_info() function unnecessarily repeatedly read the info from the same offset. This led to many file_printf() calls in cdf_file_property_info(), which caused file to use an excessive amount of CPU time when parsing a specially crafted CDF file (CVE-2014-0237). A flaw was found in the way file parsed property information from Composite Document Files (CDF) files. A property entry with 0 elements triggers an infinite loop (CVE-2014-0238). The unserialize() function in PHP before 5.4.30 and 5.5.14 has a Type Confusion issue related to the SPL ArrayObject and SPLObjectStorage Types (CVE-2014-3515).
It was discovered that PHP is vulnerable to a heap-based buffer overflow in the DNS TXT record parsing. A malicious server or man-in-the-middle attacker could possibly use this flaw to execute arbitrary code as the PHP interpreter if a PHP application uses dns_get_record() to perform a DNS query (CVE-2014-4049). A flaw was found in the way file parsed property information from Composite Document Files (CDF) files, where the mconvert() function did not correctly compute the truncated pascal string size (CVE-2014-3478). Multiple flaws were found in the way file parsed property information from Composite Document Files (CDF) files, due to insufficient boundary checks on buffers (CVE-2014-0207, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487). The phpinfo() function in PHP before 5.4.30 and 5.5.14 has a Type Confusion issue that can cause it to leak arbitrary process memory (CVE-2014-4721). Use-after-free vulnerability in ext/spl/spl_array.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted ArrayIterator usage within applications in certain web-hosting environments (CVE-2014-4698). Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted iterator usage within applications in certain web-hosting environments (CVE-2014-4670). file before 5.19 does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted file that triggers backtracking during processing of an awk rule, due to an incomplete fix for CVE-2013-7345 (CVE-2014-3538). 
Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1571 (CVE-2014-3587). Multiple buffer overflows in the php_parserr function in ext/standard/dns.c in PHP before 5.4.32 and 5.5.x before 5.5.16 allow remote DNS servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted DNS record, related to the dns_get_record function and the dn_expand function. NOTE: this issue exists because of an incomplete fix for CVE-2014-4049 (CVE-2014-3597). An integer overflow flaw in PHP's unserialize() function was reported. If unserialize() were used on untrusted data, this issue could lead to a crash or potentially information disclosure (CVE-2014-3669). A heap corruption issue was reported in PHP's exif_thumbnail() function. A specially crafted JPEG image could cause the PHP interpreter to crash or, potentially, execute arbitrary code (CVE-2014-3670). If client-supplied input was passed to PHP's cURL client as a URL to download, it could return local files from the server due to improper handling of null bytes (PHP#68089). An out-of-bounds read flaw was found in file's donote() function in the way the file utility determined the note headers of an ELF file. This could possibly lead to a file executable crash (CVE-2014-3710). A use-after-free flaw was found in PHP unserialize(). An untrusted input could cause the PHP interpreter to crash or, possibly, execute arbitrary code when processed using unserialize() (CVE-2014-8142).
Double free vulnerability in the zend_ts_hash_graceful_destroy function in zend_ts_hash.c in the Zend Engine in PHP before 5.5.21 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors (CVE-2014-9425). sapi/cgi/cgi_main.c in the CGI component in PHP before 5.5.21, when mmap is used to read a .php file, does not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping (CVE-2014-9427). Use after free vulnerability in unserialize() in PHP before 5.5.21 (CVE-2015-0231). Free called on an uninitialized pointer in php-exif in PHP before 5.5.21 (CVE-2015-0232). The readelf.c source file has been removed from PHP's bundled copy of file's libmagic, eliminating exposure to denial of service issues in ELF file parsing such as CVE-2014-8116, CVE-2014-8117, CVE-2014-9620 and CVE-2014-9621 in PHP's fileinfo module. S. Paraschoudis discovered that PHP incorrectly handled memory in the enchant binding. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2014-9705). Taoguang Chen discovered that PHP incorrectly handled unserializing objects. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-0273). It was discovered that PHP incorrectly handled memory in the phar extension. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-2301). 
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142 (CVE-2015-0231). The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free and application crash) via crafted EXIF data in a JPEG image (CVE-2015-0232). An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way libzip, which is embedded in PHP, processed certain ZIP archives. If an attacker were able to supply a specially crafted ZIP archive to an application using libzip, it could cause the application to crash or, possibly, execute arbitrary code (CVE-2015-2331). It was discovered that the PHP opcache component incorrectly handled memory. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-1351). It was discovered that the PHP PostgreSQL database extension incorrectly handled certain pointers. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-1352). PHP contains a bundled copy of the file utility's libmagic library, so it was vulnerable to the libmagic issues. The updated php packages have been patched and upgraded to the 5.5.23 version, which is not vulnerable to these issues. The libzip packages have been patched to address the CVE-2015-2331 flaw.
A bug in the php zip extension that could cause a crash has been fixed (mga#13820). Additionally, the jsonc and timezonedb packages have been upgraded to the latest versions, and the PECL packages that require it have been rebuilt for php-5.5.23.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 82333
    published 2015-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82333
    title Mandriva Linux Security Advisory : php (MDVSA-2015:080)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-6195.NASL
    description 16 Apr 2015, **PHP 5.6.8** Core : - Fixed bug #66609 (php crashes with __get() and ++ operator in some cases). (Dmitry, Laruence) - Fixed bug #68021 (get_browser() browser_name_regex returns non-utf-8 characters). (Tjerk) - Fixed bug #68917 (parse_url fails on some partial urls). (Wei Dai) - Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options). (Anatol Belski) - Additional fix for bug #69152 (Type confusion vulnerability in exception::getTraceAsString). (Stas) - Fixed bug #69210 (serialize function return corrupted data when sleep has non-string values). (Juan Basso) - Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in __call/... arg passing). (Nikita) - Fixed bug #69221 (Segmentation fault when using a generator in combination with an Iterator). (Nikita) - Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability). (Stas) - Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions). (Stas) Apache2handler : - Fixed bug #69218 (potential remote code execution with apache 2.4 apache2handler). (Gerrit Venema) cURL : - Implemented FR#69278 (HTTP2 support). (Masaki Kagaya) - Fixed bug #68739 (Missing break / control flow). (Laruence) - Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER). (Laruence) Date : - Fixed bug #69336 (Issues with 'last day of '). (Derick Rethans) Enchant : - Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows builds). (Anatol) Ereg : - Fixed bug #68740 (NULL pointer Dereference). (Laruence) Fileinfo : - Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault). (Anatol Belski) Filter : - Fixed bug #69202: (FILTER_FLAG_STRIP_BACKTICK ignored unless other flags are used). (Jeff Welch) - Fixed bug #69203 (FILTER_FLAG_STRIP_HIGH doesn't strip ASCII 127). 
(Jeff Welch) OPCache : - Fixed bug #69297 (function_exists strange behavior with OPCache on disabled function). (Laruence) - Fixed bug #69281 (opcache_is_script_cached no longer works). (danack) - Fixed bug #68677 (Use After Free). (CVE-2015-1351) (Laruence) OpenSSL - Fixed bugs #68853, #65137 (Buffered crypto stream data breaks IO polling in stream_select() contexts) (Chris Wright) - Fixed bug #69197 (openssl_pkcs7_sign handles default value incorrectly) (Daniel Lowrey) - Fixed bug #69215 (Crypto servers should send client CA list) (Daniel Lowrey) - Add a check for RAND_egd to allow compiling against LibreSSL (Leigh) Phar : - Fixed bug #64343 (PharData::extractTo fails for tarball created by BSD tar). (Mike) - Fixed bug #64931 (phar_add_file is too restrictive on filename). (Mike) - Fixed bug #65467 (Call to undefined method cli_arg_typ_string). (Mike) - Fixed bug #67761 (Phar::mapPhar fails for Phars inside a path containing '.tar'). (Mike) - Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (Stas) - Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode). (Stas) Postgres : - Fixed bug #68741 (NULL pointer dereference). (CVE-2015-1352) (Laruence) SPL : - Fixed bug #69227 (Use after free in zval_scan caused by spl_object_storage_get_gc). (adam dot scarr at 99designs dot com) SOAP : - Fixed bug #69293 (NEW segfault when using SoapClient::__setSoapHeader (bisected, regression)). (Laruence) Sqlite3 : - Fixed bug #68760 (SQLITE segfaults if custom collator throws an exception). (Dan Ackroyd) - Fixed bug #69287 (Upgrade bundled libsqlite to 3.8.8.3). (Anatol) - Fixed bug #66550 (SQLite prepared statement use-after-free). (Sean Heelan) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 83018
    published 2015-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83018
    title Fedora 22 : php-5.6.8-1.fc22 (2015-6195)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-079.NASL
    description Multiple vulnerabilities have been discovered and corrected in php : S. Paraschoudis discovered that PHP incorrectly handled memory in the enchant binding. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2014-9705). Taoguang Chen discovered that PHP incorrectly handled unserializing objects. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-0273). It was discovered that PHP incorrectly handled memory in the phar extension. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-2301). Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142 (CVE-2015-0231). An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way libzip, which is embedded in PHP, processed certain ZIP archives. If an attacker were able to supply a specially crafted ZIP archive to an application using libzip, it could cause the application to crash or, possibly, execute arbitrary code (CVE-2015-2331). It was discovered that the PHP opcache component incorrectly handled memory. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-1351). It was discovered that the PHP PostgreSQL database extension incorrectly handled certain pointers.
A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-1352). The updated php packages have been patched and upgraded to the 5.5.23 version, which is not vulnerable to these issues. The libzip packages have been patched to address the CVE-2015-2331 flaw. Additionally, the php-xdebug package has been upgraded to the latest 2.3.2 release, and the PECL packages that require it have been rebuilt for php-5.5.23.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 82332
    published 2015-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82332
    title Mandriva Linux Security Advisory : php (MDVSA-2015:079)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_11.NASL
    description The remote host is running a version of Mac OS X that is 10.6.8 or later but prior to 10.11. It is, therefore, affected by multiple vulnerabilities in the following components : - Address Book - AirScan - apache_mod_php - Apple Online Store Kit - AppleEvents - Audio - bash - Certificate Trust Policy - CFNetwork Cookies - CFNetwork FTPProtocol - CFNetwork HTTPProtocol - CFNetwork Proxies - CFNetwork SSL - CoreCrypto - CoreText - Dev Tools - Disk Images - dyld - EFI - Finder - Game Center - Heimdal - ICU - Install Framework Legacy - Intel Graphics Driver - IOAudioFamily - IOGraphics - IOHIDFamily - IOStorageFamily - Kernel - libc - libpthread - libxpc - Login Window - lukemftpd - Mail - Multipeer Connectivity - NetworkExtension - Notes - OpenSSH - OpenSSL - procmail - remote_cmds - removefile - Ruby - Safari - Safari Downloads - Safari Extensions - Safari Safe Browsing - Security - SMB - SQLite - Telephony - Terminal - tidy - Time Machine - WebKit - WebKit CSS - WebKit JavaScript Bindings - WebKit Page Loading - WebKit Plug-ins Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 86270
    published 2015-10-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86270
    title Mac OS X < 10.11 Multiple Vulnerabilities (GHOST)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2015-111-10.NASL
    description New php packages are available for Slackware 14.0, 14.1, and -current to fix security issues.
    last seen 2019-02-21
    modified 2016-05-19
    plugin id 82923
    published 2015-04-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82923
    title Slackware 14.0 / 14.1 / current : php (SSA:2015-111-10)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2015-511.NASL
    description A use-after-free flaw was found in PHP's OPcache extension. This flaw could possibly lead to a disclosure of a portion of server memory. (CVE-2015-1351) A NULL pointer dereference flaw was found in PHP's pgsql extension. A specially crafted table name passed to a function such as pg_insert() or pg_select() could cause a PHP application to crash. (CVE-2015-1352) A buffer overflow flaw was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened. (CVE-2015-3329)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 82858
    published 2015-04-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82858
    title Amazon Linux AMI : php56 (ALAS-2015-511)
  • NASL family CGI abuses
    NASL id PHP_5_5_24.NASL
    description According to its banner, the version of PHP 5.5.x running on the remote web server is prior to 5.5.24. It is, therefore, affected by multiple vulnerabilities : - An unspecified use-after-free error exists in the _zend_shared_memdup() function within file ext/opcache/zend_shared_alloc.c that allows an unauthenticated, remote attacker to have an unspecified impact. (CVE-2015-1351) - A NULL pointer dereference flaw exists in the build_tablename() function within file pgsql.c in the PostgreSQL extension due to a failure to validate token extraction for table names. An authenticated, remote attacker can exploit this, via a crafted name, to cause a denial of service condition. (CVE-2015-1352) - An out-of-bounds read error exists in the Phar component due to improper validation of user-supplied input when handling phar parsing during unserialize() function calls. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the disclosure of memory contents. (CVE-2015-2783) - A memory corruption issue exists in the phar_parse_metadata() function in file ext/phar/phar.c due to improper validation of user-supplied input when parsing a specially crafted TAR archive. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-3307) - Multiple stack-based buffer overflow conditions exist in the phar_set_inode() function in file phar_internal.h when handling archive files, such as tar, zip, or phar files. An unauthenticated, remote attacker can exploit these to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-3329) - A flaw exists in the Apache2handler SAPI component when handling pipelined HTTP requests that allows an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code.
(CVE-2015-3330) - A flaw exists in multiple functions due to a failure to check for NULL byte (%00) sequences in a path when processing or reading a file. An unauthenticated, remote attacker can exploit this, via specially crafted input to an application calling those functions, to bypass intended restrictions and disclose potentially sensitive information. (CVE-2015-3411, CVE-2015-3412) - A type confusion error exists in multiple functions within file ext/soap/soap.c that is triggered when calling unserialize(). An unauthenticated, remote attacker can exploit this to disclose memory contents, cause a denial of service condition, or execute arbitrary code. (CVE-2015-4599, CVE-2015-4600) - Multiple type confusion errors exist within files ext/soap/php_encoding.c, ext/soap/php_http.c, and ext/soap/soap.c that allow an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-4601) - A type confusion error exists in the __PHP_Incomplete_Class() function within file ext/standard/incomplete_class.c that allows an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-4602) - A type confusion error exists in the exception::getTraceAsString() function within file Zend/zend_exceptions.c that allows a remote attacker to execute arbitrary code. (CVE-2015-4603) - A denial of service vulnerability exists due to a flaw in the bundled libmagic library, specifically in the mget() function within file softmagic.c. The function fails to maintain a certain pointer relationship. An unauthenticated, remote attacker can exploit this, via a crafted string, to crash the application. (CVE-2015-4604) - A denial of service vulnerability exists due to a flaw in the bundled libmagic library, specifically in the mcopy() function within file softmagic.c. The function fails to properly handle an offset that exceeds 'bytecnt'. 
An unauthenticated, remote attacker can exploit this, via a crafted string, to crash the application. (CVE-2015-4605) - A flaw exists in the ZEND_VM_HELPER_EX() function within file /Zend/zend_vm_def.h when handling a __get() function call. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. - A type confusion error exists in the php_stream_url_wrap_http_ex() function within file ext/standard/http_fopen_wrapper.c that allows an unauthenticated, remote attacker to execute arbitrary code. - A use-after-free error exists in the php_curl() function within file ext/curl/interface.c that allows an unauthenticated, remote attacker to execute arbitrary code. - A use-after-free error exists in the SPL component, specifically in the spl_object_storage_get_gc() function within file ext/spl/spl_observer.c. An unauthenticated, remote attacker can exploit this to execute arbitrary code. Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 83034
    published 2015-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83034
    title PHP 5.5.x < 5.5.24 Multiple Vulnerabilities
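The remote check above classifies a host purely from the version its banner reports. The following is an added example of that kind of check, written for this page and not Tenable's plugin code. It takes the fixed-in releases from the PHP changelogs quoted in the Fedora entries (bug #68677 fixed in 5.5.24 and 5.6.8), treats any branch for which this page gives no fix version as unknown rather than safe, and lets the caller record that OPcache is not loaded, since the affected function lives in that extension. The banner strings it parses are constructed for the example.

```python
"""
Banner-based version check for CVE-2015-1351 (OPcache use-after-free).

Added example for this page; not Tenable's plugin code. Fixed-in versions
come from the PHP 5.5.24 / 5.6.8 changelogs quoted above (bug #68677).
Branches the page gives no fix version for (e.g. 5.4.x) are reported as
"unknown", never as "fixed".
"""
import re
from typing import Optional, Tuple

# Upstream releases that carry the fix for bug #68677 / CVE-2015-1351,
# keyed by (major, minor) branch.
FIXED_IN = {
    (5, 5): (5, 5, 24),
    (5, 6): (5, 6, 8),
}

# Matches the version in "X-Powered-By: PHP/5.5.23" or an Apache
# "Server:" banner that appends "PHP/5.6.7".
BANNER_RE = re.compile(r"PHP/(\d+)\.(\d+)\.(\d+)")


def parse_php_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a response-header banner.

    Returns None when the banner does not expose a PHP version at all
    (expose_php=Off, a non-PHP server, or a stripped header).
    """
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(banner: str, opcache_loaded: Optional[bool] = None) -> str:
    """Classify a host the way a banner-only remote check does.

    opcache_loaded is extra knowledge the remote check does not have
    (for example from `php -m` on the host); pass False when you know the
    extension is absent, since the vulnerable code is then not present.

    Returns one of:
      "vulnerable"  - upstream version is below the fix for its branch
      "fixed"       - at or above the fixed release for its branch
      "not_exposed" - OPcache is known not to be loaded
      "unknown"     - no version in the banner, or a branch with no
                      fix version recorded on this page
    """
    if opcache_loaded is False:
        return "not_exposed"
    ver = parse_php_version(banner)
    if ver is None:
        return "unknown"
    fixed = FIXED_IN.get(ver[:2])
    if fixed is None:
        return "unknown"
    # Tuple comparison gives the correct ordering for dotted versions.
    return "fixed" if ver >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    for hdr in (
        "X-Powered-By: PHP/5.5.23",
        "X-Powered-By: PHP/5.5.24",
        "Server: Apache/2.4.7 (Ubuntu) PHP/5.6.7",
        "Server: nginx",
    ):
        print(f"{hdr!r:45} -> {assess(hdr)}")
```

Treat a "vulnerable" verdict from this kind of check as a lead, not a finding: the Ubuntu advisory USN-2501-1 listed above patched php5 on 14.04 without moving it to an upstream release that carries the fix, so a patched distro build still reports an old version in its banner. The local checks on this page (Ubuntu, Mandriva, Fedora, Amazon Linux) compare package versions instead and are the ones to trust on such hosts.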
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-6399.NASL
    description 16 Apr 2015, **PHP 5.5.24** Apache2handler : - Fixed bug #69218 (potential remote code execution with apache 2.4 apache2handler). (Gerrit Venema) Core : - Fixed bug #66609 (php crashes with __get() and ++ operator in some cases). (Dmitry, Laruence) - Fixed bug #67626 (User exceptions not properly handled in streams). (Julian) - Fixed bug #68021 (get_browser() browser_name_regex returns non-utf-8 characters). (Tjerk) - Fixed bug #68917 (parse_url fails on some partial urls). (Wei Dai) - Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options). (Anatol Belski) - Additional fix for bug #69152 (Type confusion vulnerability in exception::getTraceAsString). (Stas) - Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in __call/... arg passing). (Nikita) - Fixed bug #69221 (Segmentation fault when using a generator in combination with an Iterator). (Nikita) - Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability). (Stas) - Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions). (Stas) Curl : - Implemented FR#69278 (HTTP2 support). (Masaki Kagaya) - Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER). (Laruence) Date : - Export date_get_immutable_ce so that it can be used by extensions. (Derick Rethans) - Fixed bug #69336 (Issues with 'last day of '). (Derick Rethans) Enchant : - Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows builds). (Anatol) Fileinfo : - Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault). (Anatol Belski) Filter : - Fixed bug #69202 (FILTER_FLAG_STRIP_BACKTICK ignored unless other flags are used). (Jeff Welch) - Fixed bug #69203 (FILTER_FLAG_STRIP_HIGH doesn't strip ASCII 127). (Jeff Welch) Mbstring : - Fixed bug #68846 (False detection of CJK Unified Ideographs Extension E). (Masaki Kagaya) OPCache - Fixed bug #68677 (Use After Free). 
(CVE-2015-1351) (Laruence) - Fixed bug #69281 (opcache_is_script_cached no longer works). (danack) OpenSSL : - Fixed bug #67403 (Add signatureType to openssl_x509_parse). - Add a check for RAND_egd to allow compiling against LibreSSL (Leigh) Phar : - Fixed bug #64343 (PharData::extractTo fails for tarball created by BSD tar). (Mike) - Fixed bug #64931 (phar_add_file is too restrictive on filename). (Mike) - Fixed bug #65467 (Call to undefined method cli_arg_typ_string). (Mike) - Fixed bug #67761 (Phar::mapPhar fails for Phars inside a path containing '.tar'). (Mike) - Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (Stas) - Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode). (Stas) Postgres : - Fixed bug #68741 (NULL pointer dereference). (CVE-2015-1352) (Laruence) SPL : - Fixed bug #69227 (Use after free in zval_scan caused by spl_object_storage_get_gc). (adam dot scarr at 99designs dot com) SOAP : - Fixed bug #69293 (NEW segfault when using SoapClient::__setSoapHeader (bisected, regression)). (thomas at shadowweb dot org, Laruence) SQLITE : - Fixed bug #68760 (SQLITE segfaults if custom collator throws an exception). (Dan Ackroyd) - Fixed bug #69287 (Upgrade bundled sqlite to 3.8.8.3). (Anatol) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 83093
    published 2015-04-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83093
    title Fedora 20 : php-5.5.24-1.fc20 (2015-6399)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-6407.NASL
    description 16 Apr 2015, **PHP 5.6.8** Core : - Fixed bug #66609 (php crashes with __get() and ++ operator in some cases). (Dmitry, Laruence) - Fixed bug #68021 (get_browser() browser_name_regex returns non-utf-8 characters). (Tjerk) - Fixed bug #68917 (parse_url fails on some partial urls). (Wei Dai) - Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options). (Anatol Belski) - Additional fix for bug #69152 (Type confusion vulnerability in exception::getTraceAsString). (Stas) - Fixed bug #69210 (serialize function return corrupted data when sleep has non-string values). (Juan Basso) - Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in __call/... arg passing). (Nikita) - Fixed bug #69221 (Segmentation fault when using a generator in combination with an Iterator). (Nikita) - Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability). (Stas) - Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions). (Stas) Apache2handler : - Fixed bug #69218 (potential remote code execution with apache 2.4 apache2handler). (Gerrit Venema) cURL : - Implemented FR#69278 (HTTP2 support). (Masaki Kagaya) - Fixed bug #68739 (Missing break / control flow). (Laruence) - Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER). (Laruence) Date : - Fixed bug #69336 (Issues with 'last day of '). (Derick Rethans) Enchant : - Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows builds). (Anatol) Ereg : - Fixed bug #68740 (NULL pointer Dereference). (Laruence) Fileinfo : - Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault). (Anatol Belski) Filter : - Fixed bug #69202 (FILTER_FLAG_STRIP_BACKTICK ignored unless other flags are used). (Jeff Welch) - Fixed bug #69203 (FILTER_FLAG_STRIP_HIGH doesn't strip ASCII 127). (Jeff Welch) OPCache : - Fixed bug #69297 (function_exists strange behavior with OPCache on disabled function). (Laruence) - Fixed bug #69281 (opcache_is_script_cached no longer works). (danack) - Fixed bug #68677 (Use After Free). (CVE-2015-1351) (Laruence) OpenSSL : - Fixed bugs #68853, #65137 (Buffered crypto stream data breaks IO polling in stream_select() contexts) (Chris Wright) - Fixed bug #69197 (openssl_pkcs7_sign handles default value incorrectly) (Daniel Lowrey) - Fixed bug #69215 (Crypto servers should send client CA list) (Daniel Lowrey) - Add a check for RAND_egd to allow compiling against LibreSSL (Leigh) Phar : - Fixed bug #64343 (PharData::extractTo fails for tarball created by BSD tar). (Mike) - Fixed bug #64931 (phar_add_file is too restrictive on filename). (Mike) - Fixed bug #65467 (Call to undefined method cli_arg_typ_string). (Mike) - Fixed bug #67761 (Phar::mapPhar fails for Phars inside a path containing '.tar'). (Mike) - Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (Stas) - Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode). (Stas) Postgres : - Fixed bug #68741 (NULL pointer dereference). (CVE-2015-1352) (Laruence) SPL : - Fixed bug #69227 (Use after free in zval_scan caused by spl_object_storage_get_gc). (adam dot scarr at 99designs dot com) SOAP : - Fixed bug #69293 (NEW segfault when using SoapClient::__setSoapHeader (bisected, regression)). (Laruence) Sqlite3 : - Fixed bug #68760 (SQLITE segfaults if custom collator throws an exception). (Dan Ackroyd) - Fixed bug #69287 (Upgrade bundled libsqlite to 3.8.8.3). (Anatol) - Fixed bug #66550 (SQLite prepared statement use-after-free). (Sean Heelan) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 83044
    published 2015-04-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83044
    title Fedora 21 : php-5.6.8-1.fc21 (2015-6407)
  • NASL family CGI abuses
    NASL id PHP_5_6_8.NASL
    description According to its banner, the version of PHP 5.6.x running on the remote web server is prior to 5.6.8. It is, therefore, affected by multiple vulnerabilities : - An unspecified use-after-free error exists in the _zend_shared_memdup() function within file ext/opcache/zend_shared_alloc.c that allows an unauthenticated, remote attacker to have an unspecified impact. (CVE-2015-1351) - A NULL pointer dereference flaw exists in the build_tablename() function within file pgsql.c in the PostgreSQL extension due to a failure to validate token extraction for table names. An authenticated, remote attacker can exploit this, via a crafted name, to cause a denial of service condition. (CVE-2015-1352) - An out-of-bounds read error exists in the Phar component due to improper validation of user-supplied input when handling phar parsing during unserialize() function calls. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the disclosure of memory contents. (CVE-2015-2783) - A memory corruption issue exists in the phar_parse_metadata() function in file ext/phar/phar.c due to improper validation of user-supplied input when parsing a specially crafted TAR archive. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-3307) - Multiple stack-based buffer overflow conditions exist in the phar_set_inode() function in file phar_internal.h when handling archive files, such as tar, zip, or phar files. An unauthenticated, remote attacker can exploit these to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-3329) - A flaw exists in the Apache2handler SAPI component when handling pipelined HTTP requests that allows an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-3330) - A flaw exists in multiple functions due to a failure to check for NULL byte (%00) sequences in a path when processing or reading a file. An unauthenticated, remote attacker can exploit this, via specially crafted input to an application calling those functions, to bypass intended restrictions and disclose potentially sensitive information. (CVE-2015-3411, CVE-2015-3412) - A type confusion error exists in multiple functions within file ext/soap/soap.c that is triggered when calling unserialize(). An unauthenticated, remote attacker can exploit this to disclose memory contents, cause a denial of service condition, or execute arbitrary code. (CVE-2015-4599, CVE-2015-4600) - Multiple type confusion errors exist within files ext/soap/php_encoding.c, ext/soap/php_http.c, and ext/soap/soap.c that allow an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-4601) - A type confusion error exists in the __PHP_Incomplete_Class() function within file ext/standard/incomplete_class.c that allows an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-4602) - A type confusion error exists in the exception::getTraceAsString() function within file Zend/zend_exceptions.c that allows a remote attacker to execute arbitrary code. (CVE-2015-4603) - A denial of service vulnerability exists due to a flaw in the bundled libmagic library, specifically in the mget() function within file softmagic.c. The function fails to maintain a certain pointer relationship. An unauthenticated, remote attacker can exploit this, via a crafted string, to crash the application. (CVE-2015-4604) - A denial of service vulnerability exists due to a flaw in the bundled libmagic library, specifically in the mcopy() function within file softmagic.c. The function fails to properly handle an offset that exceeds 'bytecnt'. An unauthenticated, remote attacker can exploit this, via a crafted string, to crash the application. (CVE-2015-4605) - A use-after-free error exists in the sqlite3_close() function within file /ext/sqlite3/sqlite3.c when closing database connections. An unauthenticated, remote attacker can exploit this to execute arbitrary code. - A flaw exists in the ZEND_VM_HELPER_EX() function within file /Zend/zend_vm_def.h when handling a __get() function call. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. - A type confusion error exists in the php_stream_url_wrap_http_ex() function within file ext/standard/http_fopen_wrapper.c that allows an unauthenticated, remote attacker to execute arbitrary code. - A use-after-free error exists in the php_curl() function within file ext/curl/interface.c that allows an unauthenticated, remote attacker to execute arbitrary code. - A use-after-free error exists in the SPL component, specifically in the spl_object_storage_get_gc() function within file ext/spl/spl_observer.c. An unauthenticated, remote attacker can exploit this to execute arbitrary code. - A NULL pointer dereference flaw exists within file /ext/ereg/regex/regcomp.c that allows an unauthenticated, remote attacker to cause a denial of service condition. Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 83035
    published 2015-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83035
    title PHP 5.6.x < 5.6.8 Multiple Vulnerabilities
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_1E232A0CEB5711E4B5954061861086C1.NASL
    description The PHP project reports : The PHP development team announces the immediate availability of PHP 5.4.40. 14 security-related bugs were fixed in this release, including CVE-2014-9709, CVE-2015-2301, CVE-2015-2783, CVE-2015-1352. All PHP 5.4 users are encouraged to upgrade to this version. The PHP development team announces the immediate availability of PHP 5.5.24. Several bugs have been fixed, some of them being security related, like CVE-2015-1351 and CVE-2015-1352. All PHP 5.5 users are encouraged to upgrade to this version. The PHP development team announces the immediate availability of PHP 5.6.8. Several bugs have been fixed, some of them being security related, like CVE-2015-1351 and CVE-2015-1352. All PHP 5.6 users are encouraged to upgrade to this version.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 83080
    published 2015-04-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83080
    title FreeBSD : Several vulnerabilities found in PHP (1e232a0c-eb57-11e4-b595-4061861086c1)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2015-510.NASL
    description A use-after-free flaw was found in PHP's OPcache extension. This flaw could possibly lead to a disclosure of portion of server memory. (CVE-2015-1351) A NULL pointer dereference flaw was found in PHP's pgsql extension. A specially crafted table name passed to function as pg_insert() or pg_select() could cause a PHP application to crash. (CVE-2015-1352) A buffer overflow flaw was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened. (CVE-2015-3329)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 82857
    published 2015-04-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82857
    title Amazon Linux AMI : php55 (ALAS-2015-510)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201606-10.NASL
    description The remote host is affected by the vulnerability described in GLSA-201606-10 (PHP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details. Impact : An attacker can possibly execute arbitrary code or create a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2016-10-10
    plugin id 91704
    published 2016-06-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91704
    title GLSA-201606-10 : PHP: Multiple vulnerabilities
redhat via4
advisories
  • rhsa
    id RHSA-2015:1053
  • rhsa
    id RHSA-2015:1066
refmap via4
apple APPLE-SA-2015-09-30-3
bid 71929
confirm
gentoo GLSA-201606-10
mandriva MDVSA-2015:079
mlist [oss-security] 20150124 Re: CVE Request: PHP
Last major update 30-12-2016 - 21:59
Published 30-03-2015 - 06:59
Last modified 04-02-2019 - 13:57