Use-after-free vulnerability in the add_post_var function in the Posthandler component in PHP 5.6.x before 5.6.1 might allow remote attackers to execute arbitrary code by leveraging a third-party filter extension that accesses a certain ksep value.

According to its banner, the version of PHP 5.6.x installed on the remote host is prior to 5.6.1. It is, therefore, affected by errors related to the function 'add_post_var' within file 'post_handler.c', the input filters, and the 'efree' function. Input filters that free the 'ksep' variable can also cause an improper 'efree' call. These issues can allow arbitrary code execution.

Note that the scanner has not attempted to exploit these issues but has instead relied only on application's self-reported version number.

PHP version 5.6.0 contains an issue in the Post Handler due to an illegal use of efree() in function add_post_var(). This can be leveraged to cause arbitrary code execution.

According to its banner, the version of PHP 5.6.x installed on the remote host is prior to 5.6.1. It is, therefore, affected by errors related to the function 'add_post_var' within file 'post_handler.c', the input filters, and the 'efree' function. Input filters that free the 'ksep' variable can also cause an improper 'efree' call. These issues can allow arbitrary code execution.

Note that Nessus has not attempted to exploit these issues but has instead relied only on application's self-reported version number.

ID	Name	Product	Family	Severity
98801	PHP 5.6.x < 5.6.1 add_post_var() Code Execution	Web App Scanning	Component Vulnerability	critical
6666	PHP 5.6.0 'efree()' Function RCE	Nessus Network Monitor	Web Servers	high
78082	PHP 5.6.x < 5.6.1 'add_post_var' Code Execution	Nessus	CGI abuses	high

Detections

Analytics

CVE-2014-3622

critical

Tenable Plugins

critical

high

high