ID CVE-2016-1903
Summary The gdImageRotateInterpolated function in ext/gd/libgd/gd_interpolation.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and application crash) via a large bgd_color argument to the imagerotate function.
References
Vulnerable Configurations
  • PHP 5.5.30
    cpe:2.3:a:php:php:5.5.30
  • PHP 5.6.0 alpha1
    cpe:2.3:a:php:php:5.6.0:alpha1
  • PHP 5.6.0 alpha2
    cpe:2.3:a:php:php:5.6.0:alpha2
  • PHP 5.6.0 alpha3
    cpe:2.3:a:php:php:5.6.0:alpha3
  • PHP 5.6.0 alpha4
    cpe:2.3:a:php:php:5.6.0:alpha4
  • PHP 5.6.0 alpha5
    cpe:2.3:a:php:php:5.6.0:alpha5
  • PHP 5.6.0 beta1
    cpe:2.3:a:php:php:5.6.0:beta1
  • PHP 5.6.0 beta2
    cpe:2.3:a:php:php:5.6.0:beta2
  • PHP 5.6.0 beta3
    cpe:2.3:a:php:php:5.6.0:beta3
  • PHP 5.6.0 beta4
    cpe:2.3:a:php:php:5.6.0:beta4
  • PHP PHP 5.6.1
    cpe:2.3:a:php:php:5.6.1
  • PHP 5.6.2
    cpe:2.3:a:php:php:5.6.2
  • PHP 5.6.3
    cpe:2.3:a:php:php:5.6.3
  • PHP 5.6.4
    cpe:2.3:a:php:php:5.6.4
  • PHP 5.6.5
    cpe:2.3:a:php:php:5.6.5
  • PHP 5.6.6
    cpe:2.3:a:php:php:5.6.6
  • PHP 5.6.7
    cpe:2.3:a:php:php:5.6.7
  • PHP PHP 5.6.8
    cpe:2.3:a:php:php:5.6.8
  • PHP PHP 5.6.9
    cpe:2.3:a:php:php:5.6.9
  • PHP PHP 5.6.10
    cpe:2.3:a:php:php:5.6.10
  • PHP PHP 5.6.11
    cpe:2.3:a:php:php:5.6.11
  • PHP PHP 5.6.12
    cpe:2.3:a:php:php:5.6.12
  • PHP PHP 5.6.13
    cpe:2.3:a:php:php:5.6.13
  • PHP 5.6.14
    cpe:2.3:a:php:php:5.6.14
  • PHP 5.6.15
    cpe:2.3:a:php:php:5.6.15
  • PHP 5.6.16
    cpe:2.3:a:php:php:5.6.16
  • PHP 7.0.0
    cpe:2.3:a:php:php:7.0.0
  • PHP 7.0.1
    cpe:2.3:a:php:php:7.0.1
CVSS
Base: 6.4 (as of 22-01-2016 - 11:43)
Impact:
Exploitability:
CWE CWE-200
CAPEC
  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
  • Reusing Session IDs (aka Session Replay)
    This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
  • Using Slashes in Alternate Encoding
    This attack targets the encoding of the Slash characters. An attacker would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the attacker many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE PARTIAL
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-157.NASL
    description This update for php5 fixes the following issues : - CVE-2015-7803: Specially crafted .phar files with a crafted TAR archive entry allowed remote attackers to cause a Denial of Service (DoS) [bsc#949961] - CVE-2016-1903: Specially crafted image files could could allow remote attackers read unspecified memory when rotating images [bsc#962057] This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2016-10-13
    plugin id 88611
    published 2016-02-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88611
    title openSUSE Security Update : php5 (openSUSE-2016-157)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2952-1.NASL
    description It was discovered that the PHP Zip extension incorrectly handled directories when processing certain zip files. A remote attacker could possibly use this issue to create arbitrary directories. (CVE-2014-9767) It was discovered that the PHP Soap client incorrectly validated data types. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-8835, CVE-2016-3185) It was discovered that the PHP MySQL native driver incorrectly handled TLS connections to MySQL databases. A man in the middle attacker could possibly use this issue to downgrade and snoop on TLS connections. This vulnerability is known as BACKRONYM. (CVE-2015-8838) It was discovered that PHP incorrectly handled the imagerotate function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly obtain sensitive information. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2016-1903) Hans Jerry Illikainen discovered that the PHP phar extension incorrectly handled certain tar archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-2554) It was discovered that the PHP WDDX extension incorrectly handled certain malformed XML data. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-3141) It was discovered that the PHP phar extension incorrectly handled certain zip files. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2016-3142) It was discovered that the PHP libxml_disable_entity_loader() setting was shared between threads. When running under PHP-FPM, this could result in XML external entity injection and entity expansion issues. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (No CVE number) It was discovered that the PHP openssl_random_pseudo_bytes() function did not return cryptographically strong pseudo-random bytes. (No CVE number) It was discovered that the PHP Fileinfo component incorrectly handled certain magic files. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE number pending) It was discovered that the PHP php_snmp_error() function incorrectly handled string formatting. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE number pending) It was discovered that the PHP rawurlencode() function incorrectly handled large strings. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE number pending) It was discovered that the PHP phar extension incorrectly handled certain filenames in archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE number pending) It was discovered that the PHP mb_strcut() function incorrectly handled string formatting. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE number pending). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 90677
    published 2016-04-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90677
    title Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : php5 vulnerabilities (USN-2952-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2952-2.NASL
    description USN-2952-1 fixed vulnerabilities in PHP. One of the backported patches caused a regression in the PHP Soap client. This update fixes the problem. We apologize for the inconvenience. It was discovered that the PHP Zip extension incorrectly handled directories when processing certain zip files. A remote attacker could possibly use this issue to create arbitrary directories. (CVE-2014-9767) It was discovered that the PHP Soap client incorrectly validated data types. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-8835, CVE-2016-3185) It was discovered that the PHP MySQL native driver incorrectly handled TLS connections to MySQL databases. A man in the middle attacker could possibly use this issue to downgrade and snoop on TLS connections. This vulnerability is known as BACKRONYM. (CVE-2015-8838) It was discovered that PHP incorrectly handled the imagerotate function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly obtain sensitive information. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2016-1903) Hans Jerry Illikainen discovered that the PHP phar extension incorrectly handled certain tar archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-2554) It was discovered that the PHP WDDX extension incorrectly handled certain malformed XML data. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-3141) It was discovered that the PHP phar extension incorrectly handled certain zip files. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2016-3142) It was discovered that the PHP libxml_disable_entity_loader() setting was shared between threads. When running under PHP-FPM, this could result in XML external entity injection and entity expansion issues. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (No CVE number) It was discovered that the PHP openssl_random_pseudo_bytes() function did not return cryptographically strong pseudo-random bytes. (No CVE number) It was discovered that the PHP Fileinfo component incorrectly handled certain magic files. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE number pending) It was discovered that the PHP php_snmp_error() function incorrectly handled string formatting. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE number pending) It was discovered that the PHP rawurlencode() function incorrectly handled large strings. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE number pending) It was discovered that the PHP phar extension incorrectly handled certain filenames in archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE number pending) It was discovered that the PHP mb_strcut() function incorrectly handled string formatting. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE number pending). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 90825
    published 2016-05-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90825
    title Ubuntu 15.10 : php5 regression (USN-2952-2)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2016-034-04.NASL
    description New php packages are available for Slackware 14.0, 14.1, and -current to fix security issues.
    last seen 2019-02-21
    modified 2016-10-19
    plugin id 88567
    published 2016-02-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88567
    title Slackware 14.0 / 14.1 / current : php (SSA:2016-034-04)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-0284-1.NASL
    description This update for php5 fixes the following issues : - CVE-2015-7803: Specially crafted .phar files with a crafted TAR archive entry allowed remote attackers to cause a Denial of Service (DoS) [bsc#949961] - CVE-2016-1903: Specially crafted image files could could allow remote attackers read unspecified memory when rotating images [bsc#962057] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 119973
    published 2019-01-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119973
    title SUSE SLES12 Security Update : php5 (SUSE-SU-2016:0284-1)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2016-640.NASL
    description The imagerotate function lacked validation of the background color variable, an integer which represents an index of the color palette. A number larger than the length of the color palette could be used in the function, reading beyond the memory of the color palette and causing an information leak.
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 87974
    published 2016-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87974
    title Amazon Linux AMI : php56 / php55 (ALAS-2016-640)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-100.NASL
    description This update for php5 fixes the following issues : - CVE-2015-7803: Specially crafted .phar files with a crafted TAR archive entry allowed remote attackers to cause a Denial of Service (DoS) [bsc#949961] - CVE-2015-7804: Specially crafted .phar files with a crafted ZIP archive entry referencing a file '/' allowed remote attackers to cause a Denial of Service (DoS) or potentially leak unspecified memory content [bsc#949961] - CVE-2016-1903: Specially crafted image files could allowed remote attackers read unspecified memory when rotating images [bsc#962057]
    last seen 2019-02-21
    modified 2016-10-13
    plugin id 88533
    published 2016-02-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88533
    title openSUSE Security Update : php5 (openSUSE-2016-100)
  • NASL family CGI abuses
    NASL id PHP_5_5_31.NASL
    description According to its banner, the version of PHP running on the remote host is 5.5.x prior to 5.5.31 or 5.6.x prior to 5.6.17. It is, therefore, affected by multiple vulnerabilities : - An out-of-bounds read error exists in the gdImageRotateInterpolated() function in file gd_interpolation.c when handling background colors. A remote attacker can exploit this to disclose memory contents or crash the application. (CVE-2016-1903) - An unspecified flaw exists in file fpm_log.c in the fpm_log_write() function when handling very long HTTP requests. A local attacker can exploit this to obtain sensitive information, via access to the access log file. (CVE-2016-5114) - A use-after-free error exists in file wddx.c in the php_wddx_pop_element() function when handling WDDX packet deserialization. A remote attacker can exploit this, by dereferencing already freed memory, to execute arbitrary code. - A type confusion flaw exists in file xmlrpc-epi-php.c in the PHP_to_XMLRPC_worker() function. A remote attacker can exploit this to disclose memory contents, crash the application process, or have other impact. - A type confusion flaw exists in file wddx.c when handling WDDX packet deserialization. A remote attacker can exploit this to execute arbitrary code. - A flaw exists in file lsapilib.c when handling requests due to the LSAPI module failing to clear its secrets in child processes. A remote attacker can exploit this to gain access to memory contents, resulting in the disclosure of sensitive information. - A flaw exists in file lsapilib.c in the parseRequest() function due to a failure to properly sanitize input passed through multiple, unspecified parameters. A remote attacker can exploit this to cause a denial of service.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 88679
    published 2016-02-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88679
    title PHP prior to 5.5.x < 5.5.31 / 5.6.x < 5.6.17 Multiple Vulnerabilities
  • NASL family CGI abuses
    NASL id PHP_7_0_2.NASL
    description According to its banner, the version of PHP running on the remote host is 7.x prior to 7.0.2. It is, therefore, affected by multiple vulnerabilities : - An out-of-bounds read error exists in the gdImageRotateInterpolated() function in file gd_interpolation.c when handling background colors. A remote attacker can exploit this to disclose memory contents or crash the application. (CVE-2016-1903) - An integer overflow condition exists in file exec.c in the escapeshellarg() and escapeshellcmd() functions due to a failure to properly validate user-supplied string input. A remote attacker can exploit this to cause a heap-based overflow, resulting in a denial of service or the execution of arbitrary code. (CVE-2016-1904) - A use-after-free error exists in file wddx.c in the php_wddx_pop_element() function when handling WDDX packet deserialization. A remote attacker can exploit this, by dereferencing already freed memory, to execute arbitrary code. - A type confusion flaw exists in file xmlrpc-epi-php.c in the PHP_to_XMLRPC_worker() function. A remote attacker can exploit this to disclose memory contents, crash the application process, or have other impact. - A type confusion flaw exists in file wddx.c when handling WDDX packet deserialization. A remote attacker can exploit this to execute arbitrary code. - An unspecified flaw exists in file fpm_log.c in the fpm_log_write() function when handling very long HTTP requests. A local attacker can exploit this to obtain sensitive information, via access to the access log file. - A flaw exists in file lsapilib.c when handling requests due to the LSAPI module failing to clear its secrets in child processes. A remote attacker can exploit this to gain access to memory contents, resulting in the disclosure of sensitive information. - A flaw exists in file lsapilib.c in the parseRequest() function due to a failure to properly sanitize input passed through multiple, unspecified parameters. A remote attacker can exploit this to cause a denial of service.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 88680
    published 2016-02-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88680
    title PHP 7.x < 7.0.2 Multiple Vulnerabilities
redhat via4
advisories
rhsa
id RHSA-2016:2750
refmap via4
bid 79916
confirm
mlist [oss-security] 20160115 [CVE Request] Multiple PHP issues
sectrack 1034608
slackware SSA:2016-034-04
suse
  • openSUSE-SU-2016:0251
  • openSUSE-SU-2016:0366
ubuntu
  • USN-2952-1
  • USN-2952-2
Last major update 07-12-2016 - 13:33
Published 19-01-2016 - 00:59
Last modified 04-01-2018 - 21:30
Back to Top