ID CVE-2016-5096
Summary Integer overflow in the fread function in ext/standard/file.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large integer in the second argument.
References
Vulnerable Configurations
  • PHP 5.5.35
    cpe:2.3:a:php:php:5.5.35
  • PHP 5.6.0 alpha1
    cpe:2.3:a:php:php:5.6.0:alpha1
  • PHP 5.6.0 alpha2
    cpe:2.3:a:php:php:5.6.0:alpha2
  • PHP 5.6.0 alpha3
    cpe:2.3:a:php:php:5.6.0:alpha3
  • PHP 5.6.0 alpha4
    cpe:2.3:a:php:php:5.6.0:alpha4
  • PHP 5.6.0 alpha5
    cpe:2.3:a:php:php:5.6.0:alpha5
  • PHP 5.6.0 beta1
    cpe:2.3:a:php:php:5.6.0:beta1
  • PHP 5.6.0 beta2
    cpe:2.3:a:php:php:5.6.0:beta2
  • PHP 5.6.0 beta3
    cpe:2.3:a:php:php:5.6.0:beta3
  • PHP 5.6.0 beta4
    cpe:2.3:a:php:php:5.6.0:beta4
  • PHP 5.6.1 -
    cpe:2.3:a:php:php:5.6.1
  • PHP 5.6.2
    cpe:2.3:a:php:php:5.6.2
  • PHP 5.6.3 -
    cpe:2.3:a:php:php:5.6.3
  • PHP 5.6.4 -
    cpe:2.3:a:php:php:5.6.4
  • PHP 5.6.5 -
    cpe:2.3:a:php:php:5.6.5
  • PHP 5.6.6 -
    cpe:2.3:a:php:php:5.6.6
  • PHP 5.6.7 -
    cpe:2.3:a:php:php:5.6.7
  • PHP 5.6.8 -
    cpe:2.3:a:php:php:5.6.8
  • PHP 5.6.9 -
    cpe:2.3:a:php:php:5.6.9
  • PHP 5.6.10 -
    cpe:2.3:a:php:php:5.6.10
  • PHP 5.6.11 -
    cpe:2.3:a:php:php:5.6.11
  • PHP 5.6.12 -
    cpe:2.3:a:php:php:5.6.12
  • PHP 5.6.13 -
    cpe:2.3:a:php:php:5.6.13
  • PHP 5.6.14 -
    cpe:2.3:a:php:php:5.6.14
  • PHP 5.6.15 -
    cpe:2.3:a:php:php:5.6.15
  • PHP 5.6.16 -
    cpe:2.3:a:php:php:5.6.16
  • PHP 5.6.17 -
    cpe:2.3:a:php:php:5.6.17
  • PHP 5.6.18 -
    cpe:2.3:a:php:php:5.6.18
  • PHP 5.6.19 -
    cpe:2.3:a:php:php:5.6.19
  • PHP 5.6.20 -
    cpe:2.3:a:php:php:5.6.20
  • PHP 5.6.21 -
    cpe:2.3:a:php:php:5.6.21
CVSS
Base: 7.5 (as of 08-08-2016 - 16:26)
Impact:
Exploitability:
CWE CWE-190
CAPEC
  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_11_6.NASL
    description The remote host is running a version of Mac OS X that is 10.11.x prior to 10.11.6. It is, therefore, affected by multiple vulnerabilities in the following components : - apache_mod_php - Audio - bsdiff - CFNetwork - CoreGraphics - FaceTime - Graphics Drivers - ImageIO - Intel Graphics Driver - IOHIDFamily - IOKit - IOSurface - Kernel - libc++abi - libexpat - LibreSSL - libxml2 - libxslt - Login Window - OpenSSL - QuickTime - Safari Login AutoFill - Sandbox Profiles Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 92496
    published 2016-07-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92496
    title Mac OS X 10.11.x < 10.11.6 Multiple Vulnerabilities
  • NASL family CGI abuses
    NASL id PHP_5_5_36.NASL
    description According to its banner, the version of PHP running on the remote web server is 5.5.x prior to 5.5.36. It is, therefore, affected by multiple vulnerabilities : - An out-of-bounds read error exists in the _gdContributionsCalc() function within file ext/gd/libgd/gd_interpolation.c. An unauthenticated, remote attacker can exploit this to disclose sensitive information or crash the process linked against the library. (CVE-2013-7456) - An uninitialized pointer flaw exists in the phar_make_dirstream() function within file ext/phar/dirstream.c due to improper handling of ././@LongLink files. An unauthenticated, remote attacker can exploit this, via a specially crafted TAR file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-4343) - An out-of-bounds read error exists in the get_icu_value_internal() function within file ext/intl/locale/locale_methods.c due to improper handling of user-supplied input. An unauthenticated, remote attacker can exploit this to disclose sensitive information or crash the process linked against the library. (CVE-2016-5093) - An integer overflow condition exists in the php_html_entities() and php_filter_full_special_chars() functions within file ext/standard/html.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to have an unspecified impact. (CVE-2016-5094) - An integer underflow condition exists in file ext/standard/file.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a NULL write, resulting in crashing the process linked against the library. (CVE-2016-5096) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-12-07
    plugin id 91441
    published 2016-06-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91441
    title PHP 5.5.x < 5.5.36 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1633-1.NASL
    description This update for php5 fixes the following issues : - CVE-2013-7456: imagescale out-of-bounds read (bnc#982009). - CVE-2016-5093: get_icu_value_internal out-of-bounds read (bnc#982010). - CVE-2016-5094: Don't create strings with lengths outside of valid range (bnc#982011). - CVE-2016-5095: Don't create strings with lengths outside of valid range (bnc#982012). - CVE-2016-5096: int/size_t confusion in fread (bsc#982013). - CVE-2015-8877: The gdImageScaleTwoPass function in gd_interpolation.c in the GD Graphics Library (aka libgd) as used in PHP used inconsistent allocate and free approaches, which allowed remote attackers to cause a denial of service (memory consumption) via a crafted call, as demonstrated by a call to the PHP imagescale function (bsc#981061). - CVE-2015-8876: Zend/zend_exceptions.c in PHP did not validate certain Exception objects, which allowed remote attackers to cause a denial of service (NULL pointer dereference and application crash) or trigger unintended method execution via crafted serialized data (bsc#981049). - CVE-2015-8879: The odbc_bindcols function in ext/odbc/php_odbc.c in PHP mishandles driver behavior for SQL_WVARCHAR columns, which allowed remote attackers to cause a denial of service (application crash) in opportunistic circumstances by leveraging use of the odbc_fetch_array function to access a certain type of Microsoft SQL Server table (bsc#981050). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 93160
    published 2016-08-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93160
    title SUSE SLED12 / SLES12 Security Update : php5 (SUSE-SU-2016:1633-1)
  • NASL family CGI abuses
    NASL id PHP_5_6_22.NASL
    description According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.22. It is, therefore, affected by multiple vulnerabilities : - An out-of-bounds read error exists in the _gdContributionsCalc() function within file ext/gd/libgd/gd_interpolation.c. An unauthenticated, remote attacker can exploit this to disclose sensitive information or crash the process linked against the library. (CVE-2013-7456) - An out-of-bounds read error exists in the get_icu_value_internal() function within file ext/intl/locale/locale_methods.c due to improper handling of user-supplied input. An unauthenticated, remote attacker can exploit this to disclose sensitive information or crash the process linked against the library. (CVE-2016-5093) - An integer overflow condition exists in the php_html_entities() and php_filter_full_special_chars() functions within file ext/standard/html.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to have an unspecified impact. (CVE-2016-5094) - An integer underflow condition exists in file ext/standard/file.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a NULL write, resulting in crashing the process linked against the library. (CVE-2016-5096) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-12-07
    plugin id 91442
    published 2016-06-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91442
    title PHP 5.6.x < 5.6.22 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-703.NASL
    description This update for php5 fixes the following issues : - CVE-2013-7456: imagescale out-of-bounds read (bnc#982009). - CVE-2016-5093: get_icu_value_internal out-of-bounds read (bnc#982010). - CVE-2016-5094: Don't create strings with lengths outside int range (bnc#982011). - CVE-2016-5095: Don't create strings with lengths outside int range (bnc#982012). - CVE-2016-5096: int/size_t confusion in fread (bsc#982013). - CVE-2016-5114: fpm_log.c memory leak and buffer overflow (bnc#982162). - CVE-2015-8877: The gdImageScaleTwoPass function in gd_interpolation.c in the GD Graphics Library (aka libgd), as used in PHP, used inconsistent allocate and free approaches, which allowed remote attackers to cause a denial of service (memory consumption) via a crafted call, as demonstrated by a call to the PHP imagescale function (bsc#981061). - CVE-2015-8876: Zend/zend_exceptions.c in PHP did not validate certain Exception objects, which allowed remote attackers to cause a denial of service (NULL pointer dereference and application crash) or trigger unintended method execution via crafted serialized data (bsc#981049). - CVE-2015-8879: The odbc_bindcols function in ext/odbc/php_odbc.c in PHP mishandled driver behavior for SQL_WVARCHAR columns, which allowed remote attackers to cause a denial of service (application crash) in opportunistic circumstances by leveraging use of the odbc_fetch_array function to access a certain type of Microsoft SQL Server table Aliased: (bsc#981050). - CVE-2015-4116: Use-after-free vulnerability in the spl_ptr_heap_insert function in ext/spl/spl_heap.c in PHP allowed remote attackers to execute arbitrary code by triggering a failed SplMinHeap::compare operation (bsc#980366). - CVE-2015-8874: Stack consumption vulnerability in GD in PHP allowed remote attackers to cause a denial of service via a crafted imagefilltoborder call (bsc#980375). - CVE-2015-8873: Stack consumption vulnerability in Zend/zend_exceptions.c in PHP allowed remote attackers to cause a denial of service (segmentation fault) via recursive method calls (bsc#980373). - CVE-2016-3074: Integer signedness error in GD Graphics Library (aka libgd or libgd2) allowed remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via crafted compressed gd2 data, which triggers a heap-based buffer overflow (bsc#976775).
    last seen 2019-02-21
    modified 2016-10-13
    plugin id 91585
    published 2016-06-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91585
    title openSUSE Security Update : php5 (openSUSE-2016-703)
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL43449212.NASL
    description Integer overflow in the fread function in ext/standard/file.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large integer in the second argument. (CVE-2016-5096)
    last seen 2019-02-21
    modified 2019-01-04
    plugin id 92959
    published 2016-08-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92959
    title F5 Networks BIG-IP : PHP vulnerability (K43449212)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2016-004.NASL
    description The remote host is running a version of Mac OS X that is 10.9.5 or 10.10.5 and is missing Security Update 2016-004. It is, therefore, affected by multiple vulnerabilities in the following components : - apache_mod_php (affects 10.10.5 only) - CoreGraphics - ImageIO - libxml2 - libxslt Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 92497
    published 2016-07-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92497
    title Mac OS X 10.9.5 and 10.10.5 Multiple Vulnerabilities (Security Update 2016-004)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-776.NASL
    description This update for php5 fixes the following issues : - CVE-2013-7456: imagescale out-of-bounds read (bnc#982009). - CVE-2016-5093: get_icu_value_internal out-of-bounds read (bnc#982010). - CVE-2016-5094: Don't create strings with lengths outside of valid range (bnc#982011). - CVE-2016-5095: Don't create strings with lengths outside of valid range (bnc#982012). - CVE-2016-5096: int/size_t confusion in fread (bsc#982013). - CVE-2015-8877: The gdImageScaleTwoPass function in gd_interpolation.c in the GD Graphics Library (aka libgd) as used in PHP used inconsistent allocate and free approaches, which allowed remote attackers to cause a denial of service (memory consumption) via a crafted call, as demonstrated by a call to the PHP imagescale function (bsc#981061). - CVE-2015-8876: Zend/zend_exceptions.c in PHP did not validate certain Exception objects, which allowed remote attackers to cause a denial of service (NULL pointer dereference and application crash) or trigger unintended method execution via crafted serialized data (bsc#981049). - CVE-2015-8879: The odbc_bindcols function in ext/odbc/php_odbc.c in PHP mishandles driver behavior for SQL_WVARCHAR columns, which allowed remote attackers to cause a denial of service (application crash) in opportunistic circumstances by leveraging use of the odbc_fetch_array function to access a certain type of Microsoft SQL Server table (bsc#981050). This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2016-10-13
    plugin id 91869
    published 2016-06-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91869
    title openSUSE Security Update : php5 (openSUSE-2016-776)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3045-1.NASL
    description It was discovered that PHP incorrectly handled certain SplMinHeap::compare operations. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-4116) It was discovered that PHP incorrectly handled recursive method calls. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8873) It was discovered that PHP incorrectly validated certain Exception objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8876) It was discovered that PHP header() function performed insufficient filtering for Internet Explorer. A remote attacker could possibly use this issue to perform a XSS attack. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8935) It was discovered that PHP incorrectly handled certain locale operations. An attacker could use this issue to cause PHP to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5093) It was discovered that the PHP php_html_entities() function incorrectly handled certain string lengths. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5094, CVE-2016-5095) It was discovered that the PHP fread() function incorrectly handled certain lengths. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5096) It was discovered that the PHP FastCGI Process Manager (FPM) SAPI incorrectly handled memory in the access logging feature. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly expose sensitive information. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5114) It was discovered that PHP would not protect applications from contents of the HTTP_PROXY environment variable when based on the contents of the Proxy header from HTTP requests. A remote attacker could possibly use this issue in combination with scripts that honour the HTTP_PROXY variable to redirect outgoing HTTP requests. (CVE-2016-5385) Hans Jerry Illikainen discovered that the PHP bzread() function incorrectly performed error handling. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-5399) It was discovered that certain PHP multibyte string functions incorrectly handled memory. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2016-5768) It was discovered that the PHP Mcrypt extension incorrectly handled memory. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5769) It was discovered that the PHP garbage collector incorrectly handled certain objects when unserializing malicious data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue was only addressed in Ubuntu Ubuntu 14.04 LTS. (CVE-2016-5771, CVE-2016-5773) It was discovered that PHP incorrectly handled memory when unserializing malicious xml data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5772) It was discovered that the PHP php_url_parse_ex() function incorrectly handled string termination. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-6288) It was discovered that PHP incorrectly handled path lengths when extracting certain Zip archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6289) It was discovered that PHP incorrectly handled session deserialization. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6290) It was discovered that PHP incorrectly handled exif headers when processing certain JPEG images. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6291, CVE-2016-6292) It was discovered that PHP incorrectly handled certain locale operations. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6294) It was discovered that the PHP garbage collector incorrectly handled certain objects when unserializing SNMP data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-6295) It was discovered that the PHP xmlrpc_encode_request() function incorrectly handled certain lengths. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6296) It was discovered that the PHP php_stream_zip_opener() function incorrectly handled memory. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6297). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 92699
    published 2016-08-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92699
    title Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : php5, php7.0 vulnerabilities (USN-3045-1) (httpoxy)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-B967AC1A74.NASL
    description 26 May 2016, **PHP 5.6.22** **Core:** - Fixed bug #72172 (zend_hex_strtod should not use strlen). (bwitz at hotmail dot com ) - Fixed bug #72114 (Integer underflow / arbitrary null write in fread/gzread). (Stas) - Fixed bug #72135 (Integer Overflow in php_html_entities). (Stas) **GD:** - Fixed bug #72227 (imagescale out-of-bounds read). (Stas) **Intl:** - Fixed bug #64524 (Add intl.use_exceptions to php.ini-*). (Anatol) - Fixed bug #72241 (get_icu_value_internal out-of-bounds read). (Stas) **Postgres:** - Fixed bug #72151 (mysqli_fetch_object changed behaviour). (Anatol) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 92149
    published 2016-07-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92149
    title Fedora 24 : php (2016-b967ac1a74)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3602.NASL
    description Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development. The vulnerabilities are addressed by upgrading PHP to the new upstream version 5.6.22, which includes additional bug fixes. Please refer to the upstream changelog for more information : - https://php.net/ChangeLog-5.php#5.6.21 - https://php.net/ChangeLog-5.php#5.6.22
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 91615
    published 2016-06-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91615
    title Debian DSA-3602-1 : php5 - security update
  • NASL family