The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c.

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - php: buffer overflow in handling of long link names in tar phar archives (CVE-2016-2554)

  - php: Uninitialized read in exif_process_IFD_in_TIFF (CVE-2019-9641)

  - The ip2long function in PHP 5.1.4 and earlier may incorrectly validate an arbitrary string and return a     valid network IP address, which allows remote attackers to obtain network information and facilitate other     attacks, as demonstrated using SQL injection in the X-FORWARDED-FOR Header in index.php in MiniBB 2.0.
    NOTE: it could be argued that the ip2long behavior represents a risk for security-relevant issues in a way     that is similar to strcpy's role in buffer overflows, in which case this would be a class of     implementation bugs that would require separate CVE items for each PHP application that uses ip2long in a     security-relevant manner. (CVE-2006-4023)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - php: buffer overflow in handling of long link names in tar phar archives (CVE-2016-2554)

  - php: Heap-based buffer over-read in mbstring regular expression functions (CVE-2019-9023)

  - Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to     hijack web sessions by specifying a session ID. (CVE-2011-4718)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - php: buffer overflow in handling of long link names in tar phar archives (CVE-2016-2554)

  - php: Uninitialized read in exif_process_IFD_in_TIFF (CVE-2019-9641)

  - The ip2long function in PHP 5.1.4 and earlier may incorrectly validate an arbitrary string and return a     valid network IP address, which allows remote attackers to obtain network information and facilitate other     attacks, as demonstrated using SQL injection in the X-FORWARDED-FOR Header in index.php in MiniBB 2.0.
    NOTE: it could be argued that the ip2long behavior represents a risk for security-relevant issues in a way     that is similar to strcpy's role in buffer overflows, in which case this would be a class of     implementation bugs that would require separate CVE items for each PHP application that uses ip2long in a     security-relevant manner. (CVE-2006-4023)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

This plugin has been deprecated as it does not adhere to established standards for this style of check.

According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A use-after-free in onig_new_deluxe() in regext.c in     Oniguruma 6.9.2 allows attackers to potentially cause     information disclosure, denial of service, or possibly     code execution by providing a crafted regular     expression. The attacker provides a pair of a regex     pattern and a string, with a multi-byte encoding that     gets handled by onig_new_deluxe(). Oniguruma issues     often affect Ruby, as well as common optional libraries     for PHP and Rust.(CVE-2019-13224)

  - PHP 7.1.5 has an Out of bounds access in     php_pcre_replace_impl via a crafted preg_replace     call.(CVE-2017-9118)

  - Double free vulnerability in the php_wddx_process_data     function in wddx.c in the WDDX extension in PHP before     5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8     allows remote attackers to cause a denial of service     (application crash) or possibly execute arbitrary code     via crafted XML data that is mishandled in a     wddx_deserialize call.(CVE-2016-5772)

  - When using fgetss() function to read data with     stripping tags, in PHP versions 7.2.x below 7.2.27,     7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible     to supply data that will cause this function to read     past the allocated buffer. This may lead to information     disclosure or crash.(CVE-2020-7059)

  - When using certain mbstring functions to convert     multibyte encodings, in PHP versions 7.2.x below     7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is     possible to supply data that will cause function     mbfl_filt_conv_big5_wchar to read past the allocated     buffer. This may lead to information disclosure or     crash.(CVE-2020-7060)

  - In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15     and 7.4.x below 7.4.3, when using file upload     functionality, if upload progress tracking is enabled,     but session.upload_progress.cleanup is set to 0     (disabled), and the file upload fails, the upload     procedure would try to clean up data that does not     exist and encounter null pointer dereference, which     would likely lead to a crash.(CVE-2020-7062)

  - In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15     and 7.4.x below 7.4.3, when creating PHAR archive using     PharData::buildFromIterator() function, the files are     added with default permissions (0666, or all access)     even if the original files on the filesystem were with     more restrictive permissions. This may result in files     having more lax permissions than intended when such     archive is extracted.(CVE-2020-7063)

  - Format string vulnerability in the php_snmp_error     function in ext/snmp/snmp.c in PHP before 5.5.34, 5.6.x     before 5.6.20, and 7.x before 7.0.5 allows remote     attackers to execute arbitrary code via format string     specifiers in an SNMP::get call.(CVE-2016-4071)

  - The Phar extension in PHP before 5.5.34, 5.6.x before     5.6.20, and 7.x before 7.0.5 allows remote attackers to     execute arbitrary code via a crafted filename, as     demonstrated by mishandling of \0 characters by the     phar_analyze_path function in     ext/phar/phar.c.(CVE-2016-4072)

  - Multiple integer overflows in the mbfl_strcut function     in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before     5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow     remote attackers to cause a denial of service     (application crash) or possibly execute arbitrary code     via a crafted mb_strcut call.(CVE-2016-4073)

  - In PHP 7.x before 7.0.21 and 7.1.x before 7.1.7,     ext/intl/msgformat/msgformat_parse.c does not restrict     the locale length, which allows remote attackers to     cause a denial of service (stack-based buffer overflow     and application crash) or possibly have unspecified     other impact within International Components for     Unicode (ICU) for C/C++ via a long first argument to     the msgfmt_parse_message function.(CVE-2017-11362)

  - When processing certain files, PHP EXIF extension in     versions 7.1.x below 7.1.29, 7.2.x below 7.2.18 and     7.3.x below 7.3.5 can be caused to read past allocated     buffer in exif_process_IFD_TAG function. This may lead     to information disclosure or crash.(CVE-2019-11036)

  - Function iconv_mime_decode_headers() in PHP versions     7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below     7.3.6 may perform out-of-buffer read due to integer     overflow when parsing MIME headers. This may lead to     information disclosure or crash.(CVE-2019-11039)

  - In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18     and 7.4.x below 7.4.6, when HTTP file uploads are     allowed, supplying overly long filenames or field names     could lead PHP engine to try to allocate oversized     memory storage, hit the memory limit and stop     processing the request, without cleaning up temporary     files created by upload request. This potentially could     lead to accumulation of uncleaned temporary files     exhausting the disk space on the target     server.(CVE-2019-11048)

  - In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13     and 7.4.0, PHP DirectoryIterator class accepts     filenames with embedded \0 byte and treats them as     terminating at that byte. This could lead to security     vulnerabilities, e.g. in applications checking paths     that the code is allowed to access.(CVE-2019-11045)

  - When PHP EXIF extension is parsing EXIF information     from an image, e.g. via exif_read_data() function, in     PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and     7.4.0 it is possible to supply it with data what will     cause it to read past the allocated buffer. This may     lead to information disclosure or     crash.(CVE-2019-11047)

  - When PHP EXIF extension is parsing EXIF information     from an image, e.g. via exif_read_data() function, in     PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and     7.4.0 it is possible to supply it with data what will     cause it to read past the allocated buffer. This may     lead to information disclosure or     crash.(CVE-2019-11050)

  - Oniguruma through 6.9.3, as used in PHP 7.3.x and other     products, has a heap-based buffer over-read in     str_lower_case_match in regexec.c.(CVE-2019-19246)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - PHP 7.1.5 has an Out of bounds access in     php_pcre_replace_impl via a crafted preg_replace     call.(CVE-2017-9118)

  - When using fgetss() function to read data with     stripping tags, in PHP versions 7.2.x below 7.2.27,     7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible     to supply data that will cause this function to read     past the allocated buffer. This may lead to information     disclosure or crash.(CVE-2020-7059)

  - When using certain mbstring functions to convert     multibyte encodings, in PHP versions 7.2.x below     7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is     possible to supply data that will cause function     mbfl_filt_conv_big5_wchar to read past the allocated     buffer. This may lead to information disclosure or     crash.(CVE-2020-7060)

  - In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15     and 7.4.x below 7.4.3, when using file upload     functionality, if upload progress tracking is enabled,     but session.upload_progress.cleanup is set to 0     (disabled), and the file upload fails, the upload     procedure would try to clean up data that does not     exist and encounter null pointer dereference, which     would likely lead to a crash.(CVE-2020-7062)

  - In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15     and 7.4.x below 7.4.3, when creating PHAR archive using     PharData::buildFromIterator() function, the files are     added with default permissions (0666, or all access)     even if the original files on the filesystem were with     more restrictive permissions. This may result in files     having more lax permissions than intended when such     archive is extracted.(CVE-2020-7063)

  - Double free vulnerability in the php_wddx_process_data     function in wddx.c in the WDDX extension in PHP before     5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8     allows remote attackers to cause a denial of service     (application crash) or possibly execute arbitrary code     via crafted XML data that is mishandled in a     wddx_deserialize call.(CVE-2016-5772)

  - In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18     and 7.4.x below 7.4.6, when HTTP file uploads are     allowed, supplying overly long filenames or field names     could lead PHP engine to try to allocate oversized     memory storage, hit the memory limit and stop     processing the request, without cleaning up temporary     files created by upload request. This potentially could     lead to accumulation of uncleaned temporary files     exhausting the disk space on the target     server.(CVE-2019-11048)

  - Function iconv_mime_decode_headers() in PHP versions     7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below     7.3.6 may perform out-of-buffer read due to integer     overflow when parsing MIME headers. This may lead to     information disclosure or crash.(CVE-2019-11039)

  - Format string vulnerability in the php_snmp_error     function in ext/snmp/snmp.c in PHP before 5.5.34, 5.6.x     before 5.6.20, and 7.x before 7.0.5 allows remote     attackers to execute arbitrary code via format string     specifiers in an SNMP::get call.(CVE-2016-4071)

  - Multiple integer overflows in the mbfl_strcut function     in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before     5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow     remote attackers to cause a denial of service     (application crash) or possibly execute arbitrary code     via a crafted mb_strcut call.(CVE-2016-4073)

  - In PHP 7.x before 7.0.21 and 7.1.x before 7.1.7,     ext/intl/msgformat/msgformat_parse.c does not restrict     the locale length, which allows remote attackers to     cause a denial of service (stack-based buffer overflow     and application crash) or possibly have unspecified     other impact within International Components for     Unicode (ICU) for C/C++ via a long first argument to     the msgfmt_parse_message function.(CVE-2017-11362)

  - When processing certain files, PHP EXIF extension in     versions 7.1.x below 7.1.29, 7.2.x below 7.2.18 and     7.3.x below 7.3.5 can be caused to read past allocated     buffer in exif_process_IFD_TAG function. This may lead     to information disclosure or crash.(CVE-2019-11036)

  - The Phar extension in PHP before 5.5.34, 5.6.x before     5.6.20, and 7.x before 7.0.5 allows remote attackers to     execute arbitrary code via a crafted filename, as     demonstrated by mishandling of \0 characters by the     phar_analyze_path function in     ext/phar/phar.c.(CVE-2016-4072)

  - In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13     and 7.4.0, PHP DirectoryIterator class accepts     filenames with embedded \0 byte and treats them as     terminating at that byte. This could lead to security     vulnerabilities, e.g. in applications checking paths     that the code is allowed to access.(CVE-2019-11045)

  - When PHP EXIF extension is parsing EXIF information     from an image, e.g. via exif_read_data() function, in     PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and     7.4.0 it is possible to supply it with data what will     cause it to read past the allocated buffer. This may     lead to information disclosure or     crash.(CVE-2019-11047)

  - When PHP EXIF extension is parsing EXIF information     from an image, e.g. via exif_read_data() function, in     PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and     7.4.0 it is possible to supply it with data what will     cause it to read past the allocated buffer. This may     lead to information disclosure or     crash.(CVE-2019-11050)

  - Oniguruma through 6.9.3, as used in PHP 7.3.x and other     products, has a heap-based buffer over-read in     str_lower_case_match in regexec.c.(CVE-2019-19246)

  - In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17     and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC     support (uncommon), urldecode() function can be made to     access locations past the allocated memory, due to     erroneously using signed numbers as array     indexes.(CVE-2020-7067)

  - In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16     and 7.4.x below 7.4.4, while parsing EXIF data with     exif_read_data() function, it is possible for malicious     data to cause PHP to read one byte of uninitialized     memory. This could potentially lead to information     disclosure or crash.(CVE-2020-7064)

  - In PHP versions 7.2.x below 7.2.29, 7.3.x below 7.3.16     and 7.4.x below 7.4.4, while using get_headers() with     user-supplied URL, if the URL contains zero (\0)     character, the URL will be silently truncated at it.
    This may cause some software to make incorrect     assumptions about the target of the get_headers() and     possibly send some information to a wrong     server.(CVE-2020-7066)

  - A use-after-free in onig_new_deluxe() in regext.c in     Oniguruma 6.9.2 allows attackers to potentially cause     information disclosure, denial of service, or possibly     code execution by providing a crafted regular     expression. The attacker provides a pair of a regex     pattern and a string, with a multi-byte encoding that     gets handled by onig_new_deluxe(). Oniguruma issues     often affect Ruby, as well as common optional libraries     for PHP and Rust.(CVE-2019-13224)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.5. It is, therefore, affected by multiple vulnerabilities :

 - A buffer over-write condition exists in the finfo_open() function due to improper validation of magic files. An unauthenticated, remote attacker can exploit this, via a crafted file, to cause a denial of service or to execute arbitrary code.

 - A flaw exists in the php_snmp_error() function within file ext/snmp/snmp.c that is triggered when handling format string specifiers. An unauthenticated, remote attacker can exploit this, via a crafted SNMP object, to cause a denial of service or to execute arbitrary code.

 - An invalid memory write error exists when handling the path of phar file names that allows an attacker to have an unspecified impact.

 - A flaw exists in the mbfl_strcut() function within file ext/mbstring/libmbfl/mbfl/mbfilter.c when handling negative parameter values. An unauthenticated, remote attacker can exploit this to cause a denial of service.

 - An integer overflow condition exists in the php_raw_url_encode() function within file ext/standard/url.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to have an unspecified impact.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.20. It is, therefore, affected by multiple vulnerabilities :

 - A buffer over-write condition exists in the finfo_open() function due to improper validation of magic files. An unauthenticated, remote attacker can exploit this, via a crafted file, to cause a denial of service or to execute arbitrary code.

 - A flaw exists in the php_snmp_error() function within file ext/snmp/snmp.c that is triggered when handling format string specifiers. An unauthenticated, remote attacker can exploit this, via a crafted SNMP object, to cause a denial of service or to execute arbitrary code.

 - An invalid memory write error exists when handling the path of phar file names that allows an attacker to have an unspecified impact.

 - A flaw exists in the mbfl_strcut() function within file ext/mbstring/libmbfl/mbfl/mbfilter.c when handling negative parameter values. An unauthenticated, remote attacker can exploit this to cause a denial of service.

 - An integer overflow condition exists in the php_raw_url_encode() function within file ext/standard/url.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to have an unspecified impact.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-201611-22 (PHP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in PHP. Please review the       CVE identifiers referenced below for details.
  Impact :

    An attacker can possibly execute arbitrary code or create a Denial of       Service condition.
  Workaround :

    There is no known workaround at this time.

According to its banner, the version of HP System Management Homepage (SMH) hosted on the remote web server is prior to 7.6. It is, therefore, affected by the following vulnerabilities :

  - A heap buffer overflow condition exists in OpenSSL in     the EVP_EncodeUpdate() function within file     crypto/evp/encode.c that is triggered when handling     a large amount of input data. An unauthenticated, remote     attacker can exploit this to cause a denial of service     condition. (CVE-2016-2105)

  - A heap buffer overflow condition exists in OpenSSL in     the EVP_EncryptUpdate() function within file     crypto/evp/evp_enc.c that is triggered when handling a     large amount of input data after a previous call occurs     to the same function with a partial block. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2016-2106)

  - Multiple flaws exist OpenSSL in the     aesni_cbc_hmac_sha1_cipher() function in file     crypto/evp/e_aes_cbc_hmac_sha1.c and the     aesni_cbc_hmac_sha256_cipher() function in file     crypto/evp/e_aes_cbc_hmac_sha256.c that are triggered     when the connection uses an AES-CBC cipher and AES-NI     is supported by the server. A man-in-the-middle attacker     can exploit these to conduct a padding oracle attack,     resulting in the ability to decrypt the network traffic.
    (CVE-2016-2107)

  - Multiple unspecified flaws exist in OpenSSL in the d2i     BIO functions when reading ASN.1 data from a BIO due to     invalid encoding causing a large allocation of memory.
    An unauthenticated, remote attacker can exploit these to     cause a denial of service condition through resource     exhaustion. (CVE-2016-2109)

  - A certificate validation bypass vulnerability exists in     cURL and libcurl due to improper validation of TLS     certificates. A man-in-the-middle attacker can exploit     this, via a spoofed certificate that appears valid, to     disclose or manipulate transmitted data. (CVE-2016-3739)

  - An integer overflow condition exists in PHP in the     php_raw_url_encode() function within file     ext/standard/url.c due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to have an unspecified impact.
    (CVE-2016-4070)     
  - A flaw exists in PHP in the php_snmp_error() function     within file ext/snmp/snmp.c that is triggered when     handling format string specifiers. An unauthenticated,     remote attacker can exploit this, via a crafted SNMP     object, to cause a denial of service or to execute     arbitrary code. (CVE-2016-4071)

  - An invalid memory write error exists in PHP when     handling the path of phar file names that allows an     attacker to have an unspecified impact. (CVE-2016-4072)

  - A remote code execution vulnerability exists in PHP in     phar_object.c due to improper handling of zero-length     uncompressed data. An unauthenticated, remote attacker     can exploit this, via a specially crafted TAR, ZIP, or     PHAR file, to cause a denial of service condition or the     execution of arbitrary code. (CVE-2016-4342)

  - A remote code execution vulnerability exists in PHP in     the phar_make_dirstream() function within file     ext/phar/dirstream.c due to improper handling of     ././@LongLink files. An unauthenticated, remote attacker     can exploit this, via a specially crafted TAR file, to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-4343)

  - A cross-site scripting (XSS) vulnerability exists due to     improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit this, via a     specially crafted request, to execute arbitrary script     code in a user's browser session. (CVE-2016-4393)

  - An unspecified HTTP Strict Transport Security (HSTS)     bypass vulnerability exists that allows authenticated,     remote attackers to disclose sensitive information.
    (CVE-2016-4394)

  - A remote code execution vulnerability exists due to an     overflow condition in the mod_smh_config.so library     caused by improper validation of user-supplied input     when parsing the admin-group parameter supplied to the     /proxy/SetSMHData endpoint. An unauthenticated, remote     attacker can exploit this, via a specially crafted     request, to cause a denial of service condition or the     execution of arbitrary code. (CVE-2016-4395)

  - A remote code execution vulnerability exists due to an     overflow condition in the mod_smh_config.so library     caused by improper validation of user-supplied input     when parsing the TKN parameter supplied to the     /Proxy/SSO endpoint. An unauthenticated, remote     attacker can exploit this, via a specially crafted     request, to cause a denial of service condition or the     execution of arbitrary code. (CVE-2016-4396)

  - An out-of-bounds read error exists in PHP in the     php_str2num() function in bcmath.c when handling     negative scales. An unauthenticated, remote attacker can     exploit this, via a crafted call, to cause a denial of     service condition or the disclosure of memory contents.
    (CVE-2016-4537)

  - A flaw exists in PHP the bcpowmod() function in bcmath.c     due to modifying certain data structures without     considering whether they are copies of the _zero_,
    _one_, or _two_ global variables. An unauthenticated,     remote attacker can exploit this, via a crafted call, to     cause a denial of service condition. (CVE-2016-4538)

  - A flaw exists in PHP in the xml_parse_into_struct()     function in xml.c when handling specially crafted XML     contents. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition.
    (CVE-2016-4539)

  - Multiple out-of-bounds read errors exist in PHP within     file ext/intl/grapheme/grapheme_string.c when handling     negative offsets in the zif_grapheme_stripos() and     zif_grapheme_strpos() functions. An unauthenticated,     remote attacker can exploit these issues to cause a     denial of service condition or disclose memory contents.
    (CVE-2016-4540, CVE-2016-4541)

  - A flaw exists in PHP in the exif_process_IFD_TAG()     function in exif.c due to improper construction of     spprintf arguments. An unauthenticated, remote attacker     can exploit this, via crafted header data, to cause an     out-of-bounds read error, resulting in a denial of     service condition or the disclosure of memory contents.
    (CVE-2016-4542)

  - A flaw exists in PHP in the exif_process_IFD_in_JPEG()     function in exif.c due to improper validation of IFD     sizes. An unauthenticated, remote attacker can exploit     this, via crafted header data, to cause an out-of-bounds     read error, resulting in a denial of service condition     or the disclosure of memory contents. (CVE-2016-4543)

  - A man-in-the-middle vulnerability exists, known as     'httpoxy', in the Apache Tomcat, Apache HTTP Server, and     PHP components due to a failure to properly resolve     namespace conflicts in accordance with RFC 3875 section     4.1.18. The HTTP_PROXY environment variable is set based     on untrusted user data in the 'Proxy' header of HTTP     requests. The HTTP_PROXY environment variable is used by     some web client libraries to specify a remote proxy     server. A remote attacker can exploit this, via a     crafted 'Proxy' header in an HTTP request, to redirect     an application's internal HTTP traffic to an arbitrary     proxy server where it may be observed or manipulated.
    (CVE-2016-5385, CVE-2016-5387, CVE-2016-5388)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is running a version of Mac OS X version 10.11.x prior to 10.11.5 and is affected by multiple vulnerabilities in the following components :

 - AMD
 - apache_mod_php
 - AppleGraphicsControl
 - AppleGraphicsPowerManagement
 - ATS
 - Audio
 - Captive Network Assistant
 - CFNetwork Proxies
 - CommonCrypto
 - CoreCapture
 - CoreStorage
 - Crash Reporter
 - Disk Images
 - Disk Utility
 - Graphics Drivers
 - ImageIO
 - Intel Graphics Driver
 - IOAcceleratorFamily
 - IOAudioFamily
 - IOFireWireFamily
 - IOHIDFamilyKernel
 - libc
 - libxml2
 - libxslt
 - MapKit
 - Messages
 - Multi-Touch
 - NVIDIA Graphics Drivers
 - OpenGL
 - QuickTime
 - SceneKit
 - Screen Lock
 - Tcl

- CVE-2015-8865 The file_check_mem function in funcs.c in     file before 5.23, as used in the Fileinfo component in     PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before     7.0.5, mishandles continuation-level jumps, which allows     context-dependent attackers to cause a denial of service     (buffer overflow and application crash) or possibly     execute arbitrary code via a crafted magic file.

  - CVE-2015-8866 libxml_disable_entity_loader setting is     shared between threads ext/libxml/libxml.c in PHP before     5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used,     does not isolate each thread from     libxml_disable_entity_loader changes in other threads,     which allows remote attackers to conduct XML External     Entity (XXE) and XML Entity Expansion (XEE) attacks via     a crafted XML document, a related issue to     CVE-2015-5161.

  - CVE-2015-8878 main/php_open_temporary_file.c in PHP     before 5.5.28 and 5.6.x before 5.6.12 does not ensure     thread safety, which allows remote attackers to cause a     denial of service (race condition and heap memory     corruption) by leveraging an application that performs     many temporary-file accesses.

  - CVE-2015-8879 The odbc_bindcols function in     ext/odbc/php_odbc.c in PHP before 5.6.12 mishandles     driver behavior for SQL_WVARCHAR columns, which allows     remote attackers to cause a denial of service     (application crash) in opportunistic circumstances by     leveraging use of the odbc_fetch_array function to     access a certain type of Microsoft SQL Server table.

  - CVE-2016-4070 Integer overflow in the php_raw_url_encode     function in ext/standard/url.c in PHP before 5.5.34,     5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote     attackers to cause a denial of service (application     crash) via a long string to the rawurlencode function.

  - CVE-2016-4071 Format string vulnerability in the     php_snmp_error function in ext/snmp/snmp.c in PHP before     5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows     remote attackers to execute arbitrary code via format     string specifiers in an SNMP::get call.

  - CVE-2016-4072 The Phar extension in PHP before 5.5.34,     5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote     attackers to execute arbitrary code via a crafted     filename, as demonstrated by mishandling of \0     characters by the phar_analyze_path function in     ext/phar/phar.c.

  - CVE-2016-4073 Multiple integer overflows in the     mbfl_strcut function in     ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before     5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow     remote attackers to cause a denial of service     (application crash) or possibly execute arbitrary code     via a crafted mb_strcut call.

  - CVE-2016-4343 The phar_make_dirstream function in     ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before     7.0.3 mishandles zero-size ././@LongLink files, which     allows remote attackers to cause a denial of service     (uninitialized pointer dereference) or possibly have     unspecified other impact via a crafted TAR archive.

  - CVE-2016-4537 The bcpowmod function in     ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before     5.6.21, and 7.x before 7.0.6 accepts a negative integer     for the scale argument, which allows remote attackers to     cause a denial of service or possibly have unspecified     other impact via a crafted call.

  - CVE-2016-4539 The xml_parse_into_struct function in     ext/xml/xml.c in PHP before 5.5.35, 5.6.x before 5.6.21,     and 7.x before 7.0.6 allows remote attackers to cause a     denial of service (buffer under-read and segmentation     fault) or possibly have unspecified other impact via     crafted XML data in the second argument, leading to a     parser level of zero.

  - CVE-2016-4540

  - CVE-2016-4541 The grapheme_strpos function in     ext/intl/grapheme/grapheme_string.c in before 5.5.35,     5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote     attackers to cause a denial of service (out-of-bounds     read) or possibly have unspecified other impact via a     negative offset.

  - CVE-2016-4542

  - CVE-2016-4543

  - CVE-2016-4544 The exif_process_* function in     ext/exif/exif.c in PHP before 5.5.35, 5.6.x before     5.6.21, and 7.x before 7.0.6 does not validate IFD     sizes, which allows remote attackers to cause a denial     of service (out-of-bounds read) or possibly have     unspecified other impact via crafted header data.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Ubuntu 14.04 LTS / 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-2984-1 advisory.

    It was discovered that the PHP Fileinfo component incorrectly handled certain magic files. An attacker     could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute     arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2015-8865)

    Hans Jerry Illikainen discovered that the PHP Zip extension incorrectly handled certain malformed Zip     archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service,     or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-3078)

    It was discovered that PHP incorrectly handled invalid indexes in the SplDoublyLinkedList class. An     attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute     arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-3132)

    It was discovered that the PHP rawurlencode() function incorrectly handled large strings. A remote     attacker could use this issue to cause PHP to crash, resulting in a denial of service. This issue only     affected Ubuntu 16.04 LTS. (CVE-2016-4070)

    It was discovered that the PHP php_snmp_error() function incorrectly handled string formatting. A remote     attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute     arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-4071)

    It was discovered that the PHP phar extension incorrectly handled certain filenames in archives. A remote     attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute     arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-4072)

    It was discovered that the PHP mb_strcut() function incorrectly handled string formatting. A remote     attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute     arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-4073)

    It was discovered that the PHP phar extension incorrectly handled certain archive files. A remote attacker     could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute     arbitrary code. This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.10.
    (CVE-2016-4342, CVE-2016-4343)

    It was discovered that the PHP bcpowmod() function incorrectly handled memory. A remote attacker could use     this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.

    (CVE-2016-4537, CVE-2016-4538)

    It was discovered that the PHP XML parser incorrectly handled certain malformed XML data. A remote     attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or     possibly execute arbitrary code. (CVE-2016-4539)

    It was discovered that certain PHP grapheme functions incorrectly handled negative offsets. A remote     attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service.
    (CVE-2016-4540, CVE-2016-4541)

    It was discovered that PHP incorrectly handled certain malformed EXIF tags. A remote attacker could     possibly use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2016-4542,     CVE-2016-4543, CVE-2016-4544)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is running a version of Mac OS X that is 10.11.x prior to 10.11.5. It is, therefore, affected by multiple vulnerabilities in the following components :

  - AMD
  - apache_mod_php
  - AppleGraphicsControl
  - AppleGraphicsPowerManagement
  - Assistant
  - ATS
  - Audio
  - Captive
  - CFNetwork
  - CommonCrypto
  - CoreCapture
  - CoreStorage
  - Crash
  - Disk
  - Disk
  - Driver
  - Drivers
  - Drivers
  - Graphics
  - Graphics
  - Graphics
  - ImageIO
  - Images
  - Intel
  - IOAcceleratorFamily
  - IOAudioFamily
  - IOFireWireFamily
  - IOHIDFamily
  - Kernel
  - libc
  - libxml2
  - libxslt
  - Lock
  - MapKit
  - Messages
  - Multi-Touch
  - Network
  - NVIDIA
  - OpenGL
  - Proxies
  - QuickTime
  - Reporter
  - SceneKit
  - Screen
  - Tcl
  - Utility

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

The following security-related issues were resolved :

Buffer over-write in finfo_open with malformed magic file (CVE-2015-8865)

Signedness vulnerability causing heap overflow in libgd (CVE-2016-3074)

Integer overflow in php_raw_url_encode (CVE-2016-4070)

Format string vulnerability in php_snmp_error() (CVE-2016-4071)

Invalid memory write in phar on filename containing \\0 inside name (CVE-2016-4072)

Negative size parameter in memcpy (CVE-2016-4073)

Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development.

The vulnerabilities are addressed by upgrading PHP to the new upstream version 5.6.20, which includes additional bug fixes. Please refer to the upstream changelog for more information :

  - https://php.net/ChangeLog-5.php#5.6.20

According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.5. It is, therefore, affected by multiple vulnerabilities :

  - A buffer over-write condition exists in the finfo_open()     function due to improper validation of magic files. An     unauthenticated, remote attacker can exploit this, via a     crafted file, to cause a denial of service or to execute     arbitrary code.

  - A flaw exists in the php_snmp_error() function within     file ext/snmp/snmp.c that is triggered when handling     format string specifiers. An unauthenticated, remote     attacker can exploit this, via a crafted SNMP object,     to cause a denial of service or to execute arbitrary     code.

  - An invalid memory write error exists when handling     the path of phar file names that allows an attacker     to have an unspecified impact.

  - A flaw exists in the mbfl_strcut() function within file     ext/mbstring/libmbfl/mbfl/mbfilter.c when handling     negative parameter values. An unauthenticated, remote     attacker can exploit this to cause a denial of service.

  - An integer overflow condition exists in the     php_raw_url_encode() function within file     ext/standard/url.c due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to have an unspecified impact.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.20. It is, therefore, affected by multiple vulnerabilities :

  - A buffer over-write condition exists in the finfo_open()     function due to improper validation of magic files. An     unauthenticated, remote attacker can exploit this, via a     crafted file, to cause a denial of service or to execute     arbitrary code.

  - A flaw exists in the php_snmp_error() function within     file ext/snmp/snmp.c that is triggered when handling     format string specifiers. An unauthenticated, remote     attacker can exploit this, via a crafted SNMP object,     to cause a denial of service or to execute arbitrary     code.

  - An invalid memory write error exists when handling     the path of phar file names that allows an attacker     to have an unspecified impact.

  - A flaw exists in the mbfl_strcut() function within file     ext/mbstring/libmbfl/mbfl/mbfilter.c when handling     negative parameter values. An unauthenticated, remote     attacker can exploit this to cause a denial of service.

  - An integer overflow condition exists in the     php_raw_url_encode() function within file     ext/standard/url.c due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to have an unspecified impact.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP running on the remote web server is 5.5.x prior to 5.5.34. It is, therefore, affected by multiple vulnerabilities :

  - A buffer over-write condition exists in the finfo_open()     function due to improper validation of magic files. An     unauthenticated, remote attacker can exploit this, via a     crafted file, to cause a denial of service or to execute     arbitrary code. (CVE-2015-8865)

  - An integer overflow condition exists in the     php_raw_url_encode() function within file     ext/standard/url.c due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to have an unspecified impact.
    (CVE-2016-4070)     
  - A flaw exists in the php_snmp_error() function within     file ext/snmp/snmp.c that is triggered when handling     format string specifiers. An unauthenticated, remote     attacker can exploit this, via a crafted SNMP object,     to cause a denial of service or to execute arbitrary     code. (CVE-2016-4071)

  - An invalid memory write error exists when handling     the path of phar file names that allows an attacker     to have an unspecified impact. (CVE-2016-4072)

  - A flaw exists in the mbfl_strcut() function within file     ext/mbstring/libmbfl/mbfl/mbfilter.c when handling     negative parameter values. An unauthenticated, remote     attacker can exploit this to cause a denial of service.
    (CVE-2016-4073)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
198558	RHEL 6 : php (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
198511	RHEL 7 : php (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
198485	RHEL 5 : php (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
196189	RHEL 7 : php (Unpatched Vulnerability) (deprecated)	Nessus	Red Hat Local Security Checks	critical
196157	RHEL 6 : php (Unpatched Vulnerability) (deprecated)	Nessus	Red Hat Local Security Checks	critical
196137	RHEL 5 : php (Unpatched Vulnerability) (deprecated)	Nessus	Red Hat Local Security Checks	critical
142352	EulerOS 2.0 SP2 : php (EulerOS-SA-2020-2384)	Nessus	Huawei Local Security Checks	critical
140834	EulerOS 2.0 SP3 : php (EulerOS-SA-2020-2067)	Nessus	Huawei Local Security Checks	critical
98851	PHP 7.0.x < 7.0.5 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98810	PHP 5.6.x < 5.6.20 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
95421	GLSA-201611-22 : PHP: Multiple vulnerabilities (httpoxy)	Nessus	Gentoo Local Security Checks	critical
94654	HP System Management Homepage < 7.6 Multiple Vulnerabilities (HPSBMU03653) (httpoxy)	Nessus	Web Servers	high
9392	Mac OS X 10.11.x < 10.11.5 Multiple Vulnerabilities	Nessus Network Monitor	Operating System Detection	high
91397	Debian DLA-499-1 : php5 security update	Nessus	Debian Local Security Checks	critical
91320	Ubuntu 14.04 LTS / 16.04 LTS : PHP vulnerabilities (USN-2984-1)	Nessus	Ubuntu Local Security Checks	critical
91228	Mac OS X 10.11.x < 10.11.5 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	high
90867	Amazon Linux AMI : php56 / php55 (ALAS-2016-698)	Nessus	Amazon Linux Local Security Checks	critical
90768	Debian DSA-3560-1 : php5 - security update	Nessus	Debian Local Security Checks	critical
90362	PHP 7.0.x < 7.0.5 Multiple Vulnerabilities	Nessus	CGI abuses	critical
90361	PHP 5.6.x < 5.6.20 Multiple Vulnerabilities	Nessus	CGI abuses	critical
90360	PHP 5.5.x < 5.5.34 Multiple Vulnerabilities	Nessus	CGI abuses	critical

Detections

Analytics

CVE-2016-4072

critical

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

high

high

critical

critical

high

critical

critical

critical

critical

critical