The SQLite functionality in PHP before 5.3.15 allows remote attackers to bypass the open_basedir protection mechanism via unspecified vectors.

According to its self-reported version number and configuration, the remote Juniper Junos device is affected by multiple vulnerabilities in the included PHP version :

  - An unspecified flaw exists in the SQLite extension     that allows an unauthenticated, remote attacker to     bypass the 'open_basedir' constraint. (CVE-2012-3365)

  - A heap-based buffer overflow condition exists in file     ext/xml/xml.c due to not properly considering parsing     depth. An unauthenticated, remote attacker can exploit     this issue, via a specially crafted XML document that is     processed by the xml_parse_into_struct() function, to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2013-4113)

  - A memory corruption issue exists in the PHP OpenSSL     extension in the openssl_x509_parse() function due to     improper sanitization of user-supplied input when     parsing 'notBefore' and 'notAfter' timestamps in X.509     certificates. An unauthenticated, remote attacker can     exploit this issue, via a specially crafted certificate,     to cause a denial of service condition or the execution     of arbitrary code. (CVE-2013-6420)

  - A double-free error exists in the     zend_ts_hash_graceful_destroy() function within file     Zend/zend_ts_hash.c that allows an unauthenticated,     remote attacker to cause a denial of service condition.
    (CVE-2014-9425)

The remote Solaris system is missing necessary patches to address security updates :

  - Session fixation vulnerability in the Sessions subsystem     in PHP before 5.5.2 allows remote attackers to hijack     web sessions by specifying a session ID. (CVE-2011-4718)

  - Unspecified vulnerability in the _php_stream_scandir     function in the stream implementation in PHP before     5.3.15 and 5.4.x before 5.4.5 has unknown impact and     remote attack vectors, related to an 'overflow.'     (CVE-2012-2688)

  - The SQLite functionality in PHP before 5.3.15 allows     remote attackers to bypass the open_basedir protection     mechanism via unspecified vectors. (CVE-2012-3365)

  - ext/soap/soap.c in PHP before 5.3.22 and 5.4.x before     5.4.13 does not validate the relationship between the     soap.wsdl_cache_dir directive and the open_basedir     directive, which allows remote attackers to bypass     intended access restrictions by triggering the creation     of cached SOAP WSDL files in an arbitrary directory.
    (CVE-2013-1635)

  - The SOAP parser in PHP before 5.3.23 and 5.4.x before     5.4.13 allows remote attackers to read arbitrary files     via a SOAP WSDL file containing an XML external entity     declaration in conjunction with an entity reference,     related to an XML External Entity (XXE) issue in the     soap_xmlParseFile and soap_xmlParseMemory functions.
    NOTE: this vulnerability exists because of an incorrect     fix for CVE-2013-1824. (CVE-2013-1643)

  - Heap-based buffer overflow in the php_quot_print_encode     function in ext/ standard/quot_print.c in PHP before     5.3.26 and 5.4.x before 5.4.16 allows remote attackers     to cause a denial of service (application crash) or     possibly have unspecified other impact via a crafted     argument to the quoted_printable_encode function.
    (CVE-2013-2110)

  - ext/xml/xml.c in PHP before 5.3.27 does not properly     consider parsing depth, which allows remote attackers to     cause a denial of service (heap memory corruption) or     possibly have unspecified other impact via a crafted     document that is processed by the xml_parse_into_struct     function. (CVE-2013-4113)

  - The openssl_x509_parse function in openssl.c in the     OpenSSL module in PHP before 5.4.18 and 5.5.x before     5.5.2 does not properly handle a '\0' character in a     domain name in the Subject Alternative Name field of an     X.509 certificate, which allows man-in-the-middle     attackers to spoof arbitrary SSL servers via a crafted     certificate issued by a legitimate Certification     Authority, a related issue to CVE-2009-2408.
    (CVE-2013-4248)

  - Integer overflow in the SdnToJewish function in jewish.c     in the Calendar component in PHP before 5.3.26 and 5.4.x     before 5.4.16 allows context-dependent attackers to     cause a denial of service (application hang) via a large     argument to the jdtojewish function. (CVE-2013-4635)

  - The mget function in libmagic/softmagic.c in the     Fileinfo component in PHP 5.4.x before 5.4.16 allows     remote attackers to cause a denial of service (invalid     pointer dereference and application crash) via an MP3     file that triggers incorrect MIME type detection during     access to an finfo object. (CVE-2013-4636)

Three security issues were fixed in php5 :

CVE-2012-2688: php5: potential overflow in _php_stream_scandir CVE-2012-3365: open_basedir bypass via SQLite extension Also a out of band read sql denial of service was fixed (bnc#769785)

Three security bugs have been fixed in PHP5.

  - php5: potential overflow in _php_stream_scandir.
    (CVE-2012-2688)

  - open_basedir bypass via SQLite extension.
    (CVE-2012-3365)

  - An out of band read sql denial of service has been fixed     (bnc#769785). (CVE-2012-3450)

This update fixes two security issues of PHP5 :

  - Potential overflow in _php_stream_scandir.
    (CVE-2012-2688)

  - open_basedir bypass via SQLite extension.
    (CVE-2012-3365)

The remote host is affected by the vulnerability described in GLSA-201209-03 (PHP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in PHP. Please review the       CVE identifiers referenced below for details.
  Impact :

    A remote attacker could execute arbitrary code with the privileges of       the process, cause a Denial of Service condition, obtain sensitive       information, create arbitrary files, conduct directory traversal attacks,       bypass protection mechanisms, or perform further attacks with unspecified       impact.
  Workaround :

    There is no known workaround at this time.

MITRE CVE team reports :

The SQLite functionality in PHP before 5.3.15 allows remote attackers to bypass the open_basedir protection mechanism via unspecified vectors.

Multiple vulnerabilities has been discovered and corrected in php :

Unspecified vulnerability in the _php_stream_scandir function in the stream implementation in PHP before 5.3.15 and 5.4.x before 5.4.5 has unknown impact and remote attack vectors, related to an overflow (CVE-2012-2688).

The SQLite functionality in PHP before 5.3.15 allows remote attackers to bypass the open_basedir protection mechanism via unspecified vectors (CVE-2012-3365).

pdo_sql_parser.re in the PDO extension in PHP before 5.3.14 and 5.4.x before 5.4.4 does not properly determine the end of the query string during parsing of prepared statements, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted parameter value (CVE-2012-3450).

The updated packages have been upgraded to the 5.3.15 version which is not vulnerable to these issues.

Additionally the php-timezonedb packages has been upgraded to the latest version as well.

PHP versions 5.3.x earlier than 5.3.15 are affected by the following vulnerabilities.

  - - An unspecified overflow vulnerability exists in the function '_php_stream_scandir' in the file 'main/streams/streams.c'. (CVE-2012-2688)

  - An unspecified error exists that can allow the 'open_basedir' constraint to be bypassed. (CVE-2012-3365)

According to its banner, the version of PHP installed on the remote host is 5.3.x earlier than 5.3.15, and is, therefore, potentially affected by the following vulnerabilities : 

  - An unspecified overflow vulnerability exists in the     function '_php_stream_scandir' in the file     'main/streams/streams.c'. (CVE-2012-2688)

  - An unspecified error exists that can allow the     'open_basedir' constraint to be bypassed.
    (CVE-2012-3365)

ID	Name	Product	Family	Severity
102079	Juniper Junos PHP multiple vulnerabilities (JSA10804)	Nessus	Junos Local Security Checks	high
80736	Oracle Solaris Third-Party Patch Update : php (cve_2013_4113_buffer_errors)	Nessus	Solaris Local Security Checks	critical
74709	openSUSE Security Update : php5 (openSUSE-SU-2012:0976-1)	Nessus	SuSE Local Security Checks	critical
64106	SuSE 11.2 Security Update : PHP5 (SAT Patch Number 6634)	Nessus	SuSE Local Security Checks	critical
64105	SuSE 11.2 Security Update : PHP5 (SAT Patch Number 6634)	Nessus	SuSE Local Security Checks	critical
64101	SuSE 11.1 Security Update : php5 (SAT Patch Number 6627)	Nessus	SuSE Local Security Checks	critical
62236	GLSA-201209-03 : PHP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
62208	FreeBSD : php5-sqlite -- open_basedir bypass (ec255bd8-02c6-11e2-92d1-000d601460a4)	Nessus	FreeBSD Local Security Checks	medium
61961	Mandriva Linux Security Advisory : php (MDVSA-2012:108)	Nessus	Mandriva Local Security Checks	critical
801075	PHP 5.3.x < 5.3.15 Multiple Vulnerabilities	Log Correlation Engine	Web Servers	high
6556	PHP 5.3.x < 5.3.15 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	critical
61658	SuSE 10 Security Update : php5 (ZYPP Patch Number 8239)	Nessus	SuSE Local Security Checks	critical
60085	PHP 5.3.x < 5.3.15 Multiple Vulnerabilities	Nessus	CGI abuses	critical

Detections

Analytics

CVE-2012-3365

high

Tenable Plugins

high

critical

critical

critical

critical

critical

critical

medium

critical

high

critical

critical

critical