ID CVE-2015-7804
Summary Off-by-one error in the phar_parse_zipfile function in ext/phar/zip.c in PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers to cause a denial of service (uninitialized pointer dereference and application crash) by including the / filename in a .zip PHAR archive.
References
Vulnerable Configurations
  • Apple Mac OS X 10.11.1
    cpe:2.3:o:apple:mac_os_x:10.11.1
  • PHP PHP 5.5.29
    cpe:2.3:a:php:php:5.5.29
  • PHP 5.6.0
    cpe:2.3:a:php:php:5.6.0
  • PHP PHP 5.6.1
    cpe:2.3:a:php:php:5.6.1
  • PHP 5.6.2
    cpe:2.3:a:php:php:5.6.2
  • PHP 5.6.3
    cpe:2.3:a:php:php:5.6.3
  • PHP 5.6.4
    cpe:2.3:a:php:php:5.6.4
  • PHP 5.6.5
    cpe:2.3:a:php:php:5.6.5
  • PHP 5.6.6
    cpe:2.3:a:php:php:5.6.6
  • PHP 5.6.7
    cpe:2.3:a:php:php:5.6.7
  • PHP PHP 5.6.8
    cpe:2.3:a:php:php:5.6.8
  • PHP PHP 5.6.9
    cpe:2.3:a:php:php:5.6.9
  • PHP PHP 5.6.10
    cpe:2.3:a:php:php:5.6.10
  • PHP PHP 5.6.11
    cpe:2.3:a:php:php:5.6.11
  • PHP PHP 5.6.12
    cpe:2.3:a:php:php:5.6.12
  • PHP PHP 5.6.13
    cpe:2.3:a:php:php:5.6.13
CVSS
Base: 6.8 (as of 18-12-2015 - 12:53)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
  Vector: NETWORK
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
nessus via4
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2015-008.NASL
    description The remote host is running a version of Mac OS X 10.9.5 or 10.10.5 that is missing Security Update 2015-005 or 2015-008. It is, therefore, affected by multiple vulnerabilities in the following components : - apache_mod_php - AppSandbox - Bluetooth - CFNetwork HTTPProtocol - Compression - Configuration Profiles - CoreGraphics - CoreMedia Playback - Disk Images - EFI - File Bookmark - Hypervisor - iBooks - ImageIO - Intel Graphics Driver - IOAcceleratorFamily - IOHIDFamily - IOKit SCSI - IOThunderboltFamily - Kernel - kext tools - Keychain Access - libarchive - libc - libexpat - libxml2 - OpenGL - OpenLDAP - OpenSSH - QuickLook - Sandbox - Security - System Integrity Protection Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 87321
    published 2015-12-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87321
    title Mac OS X Multiple Vulnerabilities (Security Updates 2015-005 / 2015-008)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_C1DA8B756AEF11E59909002590263BF5.NASL
    description PHP reports : Phar : - Fixed bug #69720 (NULL pointer dereference in phar_get_fp_offset()). - Fixed bug #70433 (Uninitialized pointer in phar_make_dirstream when zip entry filename is '/').
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 86267
    published 2015-10-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86267
    title FreeBSD : php -- multiple vulnerabilities (c1da8b75-6aef-11e5-9909-002590263bf5)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2016-034-04.NASL
    description New php packages are available for Slackware 14.0, 14.1, and -current to fix security issues.
    last seen 2019-02-21
    modified 2016-10-19
    plugin id 88567
    published 2016-02-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88567
    title Slackware 14.0 / 14.1 / current : php (SSA:2016-034-04)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3380.NASL
    description Two vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development. - CVE-2015-7803 The phar extension could crash with a NULL pointer dereference when processing tar archives containing links referring to non-existing files. This could lead to a denial of service. - CVE-2015-7804 The phar extension does not correctly process directory entries found in archive files with the name '/', leading to a denial of service and, potentially, information disclosure. The update for Debian stable (jessie) contains additional bug fixes from PHP upstream version 5.6.14, as described in the upstream changelog : - Note to users of the oldstable distribution (wheezy): PHP 5.4 has reached end-of-life on September 14th, 2015. As a result, there will be no more new upstream releases. The security support of PHP 5.4 in Debian oldstable (wheezy) will be best effort only, and you are strongly advised to upgrade to latest Debian stable release (jessie), which includes PHP 5.6.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 86618
    published 2015-10-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86618
    title Debian DSA-3380-1 : php5 - security update
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_11_2.NASL
    description The remote host is running a version of Mac OS X that is 10.11.x prior to 10.11.2. It is, therefore, affected by multiple vulnerabilities in the following components : - apache_mod_php - AppSandbox - Bluetooth - CFNetwork HTTPProtocol - Compression - Configuration Profiles - CoreGraphics - CoreMedia Playback - Disk Images - EFI - File Bookmark - Hypervisor - iBooks - ImageIO - Intel Graphics Driver - IOAcceleratorFamily - IOHIDFamily - IOKit SCSI - IOThunderboltFamily - Kernel - kext tools - Keychain Access - libarchive - libc - libexpat - libxml2 - OpenGL - OpenLDAP - OpenSSH - QuickLook - Sandbox - Security - System Integrity Protection Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 87314
    published 2015-12-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87314
    title Mac OS X 10.11.x < 10.11.2 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-100.NASL
    description This update for php5 fixes the following issues : - CVE-2015-7803: Specially crafted .phar files with a crafted TAR archive entry allowed remote attackers to cause a Denial of Service (DoS) [bsc#949961] - CVE-2015-7804: Specially crafted .phar files with a crafted ZIP archive entry referencing a file '/' allowed remote attackers to cause a Denial of Service (DoS) or potentially leak unspecified memory content [bsc#949961] - CVE-2016-1903: Specially crafted image files could allow remote attackers to read unspecified memory when rotating images [bsc#962057]
    last seen 2019-02-21
    modified 2016-10-13
    plugin id 88533
    published 2016-02-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88533
    title openSUSE Security Update : php5 (openSUSE-2016-100)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-341.NASL
    description - CVE-2015-6831 A use-after-free vulnerability was found in the unserialize() function. We can create a ZVAL and free it via Serializable::unserialize. However, unserialize() will still allow the use of R: or r: to set references to that already freed memory. It is possible to perform a use-after-free attack and execute arbitrary code remotely. - CVE-2015-6832 Dangling pointer in the unserialization of ArrayObject items. - CVE-2015-6833 Files extracted from an archive may be placed outside of the destination directory. - CVE-2015-6834 A use-after-free vulnerability was found in the unserialize() function. We can create a ZVAL and free it via Serializable::unserialize. However, unserialize() will still allow the use of R: or r: to set references to that already freed memory. It is possible to perform a use-after-free attack and execute arbitrary code remotely. - CVE-2015-6836 A type confusion occurs within SOAP serialize_function_call due to insufficient validation of the headers field. In the SoapClient's __call method, the verify_soap_headers_array check is applied only to headers retrieved from zend_parse_parameters; the problem is that a few lines later, soap_headers could be updated or even replaced with values from the __default_headers object fields. - CVE-2015-6837 The XSLTProcessor class misses a few checks on the input from the libxslt library. The valuePop() function call is able to return a NULL pointer and PHP does not check that. - CVE-2015-6838 The XSLTProcessor class misses a few checks on the input from the libxslt library. The valuePop() function call is able to return a NULL pointer and PHP does not check that. - CVE-2015-7803 A NULL pointer dereference flaw was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash. - CVE-2015-7804 An uninitialized pointer use flaw was found in the phar_make_dirstream() function of PHP's Phar extension. A specially crafted phar file in the ZIP format with a directory entry with a file name '/ZIP' could cause a PHP application function to crash. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-09
    plugin id 86794
    published 2015-11-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86794
    title Debian DLA-341-1 : php5 security update
  • NASL family CGI abuses
    NASL id PHP_5_5_30.NASL
    description According to its banner, the version of PHP running on the remote web server is 5.5.x prior to 5.5.30. It is, therefore, affected by the following vulnerabilities : - A NULL pointer dereference flaw exists in the phar_get_fp_offset() function in ext/phar/util.c that is triggered when pointing to a non-existent file. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2015-7803) - An uninitialized pointer flaw exists in the phar_make_dirstream() function in ext/phar/dirstream.c that is triggered when handling a zip entry filename that consists of a single forward slash. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or to disclose sensitive information. (CVE-2015-7804) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-12-07
    plugin id 86300
    published 2015-10-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86300
    title PHP 5.5.x < 5.5.30 Multiple Vulnerabilities
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2015-601.NASL
    description As reported upstream, a NULL pointer dereference flaw was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash. (CVE-2015-7803) A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code. (CVE-2015-6834, CVE-2015-6835, CVE-2015-6836) A NULL pointer dereference flaw was found in the XSLTProcessor class in PHP. An attacker could use this flaw to cause a PHP application to crash if it performed Extensible Stylesheet Language (XSL) transformations using untrusted XSLT files and allowed the use of PHP functions as XSLT functions within XSL stylesheets. (CVE-2015-6837, CVE-2015-6838) As reported upstream, an uninitialized pointer use flaw was found in the phar_make_dirstream() function of PHP's Phar extension. A specially crafted phar file in the ZIP format with a directory entry with a file name '/ZIP' could cause a PHP application function to crash. (CVE-2015-7804)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 86495
    published 2015-10-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86495
    title Amazon Linux AMI : php56 (ALAS-2015-601)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2786-1.NASL
    description It was discovered that the PHP phar extension incorrectly handled certain files. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2015-7803, CVE-2015-7804). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 86651
    published 2015-10-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86651
    title Ubuntu 12.04 LTS / 14.04 LTS / 15.04 / 15.10 : php5 vulnerabilities (USN-2786-1)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2015-602.NASL
    description As reported upstream, a NULL pointer dereference flaw was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash. (CVE-2015-7803) A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code. (CVE-2015-6834, CVE-2015-6835, CVE-2015-6836) A NULL pointer dereference flaw was found in the XSLTProcessor class in PHP. An attacker could use this flaw to cause a PHP application to crash if it performed Extensible Stylesheet Language (XSL) transformations using untrusted XSLT files and allowed the use of PHP functions as XSLT functions within XSL stylesheets. (CVE-2015-6837, CVE-2015-6838) As reported upstream, an uninitialized pointer use flaw was found in the phar_make_dirstream() function of PHP's Phar extension. A specially crafted phar file in the ZIP format with a directory entry with a file name '/ZIP' could cause a PHP application function to crash. (CVE-2015-7804)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 86496
    published 2015-10-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86496
    title Amazon Linux AMI : php55 (ALAS-2015-602)
  • NASL family Firewalls
    NASL id PFSENSE_SA-15_08.NASL
    description According to its self-reported version number, the remote pfSense install is prior to 2.2.5. It is, therefore, affected by multiple vulnerabilities as stated in the referenced vendor advisories.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 106497
    published 2018-01-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106497
    title pfSense < 2.2.5 Multiple Vulnerabilities (SA-15_08)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201606-10.NASL
    description The remote host is affected by the vulnerability described in GLSA-201606-10 (PHP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details. Impact : An attacker can possibly execute arbitrary code or create a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2016-10-10
    plugin id 91704
    published 2016-06-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91704
    title GLSA-201606-10 : PHP: Multiple vulnerabilities
refmap via4
apple APPLE-SA-2015-12-08-3
bid 76959
confirm
debian DSA-3380
gentoo GLSA-201606-10
mlist [oss-security] 20151005 CVE request: issues fixed in PHP 5.6.14 and 5.5.30
slackware SSA:2016-034-04
suse openSUSE-SU-2016:0251
ubuntu USN-2786-1
Last major update 07-12-2016 - 13:25
Published 11-12-2015 - 07:00