PHP 5.x < 5.2.7 Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 4779

Synopsis

The remote web server uses a version of PHP that is affected by multiple flaws.

Description

According to its banner, the version of PHP 5.x installed on the remote host is older than 5.2.7. Such versions may be affected by several security issues :

- Missing initialization of 'BG(page_uid)' and 'BG(page_gid)' when PHP is used as an Apache module may allow for bypassing security restrictions due to SAPI 'php_getuid()' overloading.

- Incorrect 'php_value' order for Apache configuration may allow bypassing PHP's 'safe_mode' setting.

- File truncation can occur when calling 'dba_replace()' with an invalid argument.

- The ZipArchive: extractTo() method in the ZipArchive extension fails to filter directory traversal sequences from file names.

- There is a buffer overflow in the bundled PCRE library fixed by 7.8. (CVE-2008-2371)

- A buffer overflow in the 'imageloadfont()' function in 'ext/gd/gd.c' can be triggered when a specially crafted font is given. (CVE-2008-3658)

- There is a buffer overflow in PHP's internal function 'memnstr()', which is exposed to userspace as 'explode()'. (CVE-2008-3659)

- When used as a FastCGI module, PHP segfaults when opening a file whose name contains two dots (eg, 'file..php'). (CVE-2008-3660)

- Multiple directory traversal vulnerabilities in functions such as 'posix_access()', 'chdir()', 'ftok()' may allow a remote attacker to bypass 'safe_mode' restrictions. (CVE-2008-2665 and CVE-2008-2666).

- A buffer overflow may be triggered when processing long message headers in 'php_imap.c' due to use of an obsolete API call. (CVE-2008-2829) - A buffer overflow error exists in the function 'date_from_ISO8601' function within file 'xmlrpc.c' because user-supplied input is improperly validated. This can be exploited by a remote attacker to cause a denial of service or to execute arbitrary code. (CVE-2014-8626)

Solution

Upgrade to version 5.2.7 or higher.

See Also

http://securityreason.com/achievement_securityalert/57

http://securityreason.com/achievement_securityalert/58

http://securityreason.com/achievement_securityalert/59

http://www.sektioneins.de/advisories/SE-2008-06.txt

http://archives.neohapsis.com/archives/fulldisclosure/2008-06/0238.html

http://archives.neohapsis.com/archives/fulldisclosure/2008-06/0239.html

http://www.openwall.com/lists/oss-security/2008/08/08/2

http://www.openwall.com/lists/oss-security/2008/08/13/8

http://archives.neohapsis.com/archives/fulldisclosure/2008-11/0433.html

http://archives.neohapsis.com/archives/fulldisclosure/2008-12/0089.html

http://bugs.php.net/bug.php?id=42862

http://bugs.php.net/bug.php?id=45151

http://bugs.php.net/bug.php?id=45722

http://www.php.net/ChangeLog-5.php#5.2.7

http://www.php.net/releases/5_2_7.php

http://seclists.org/oss-sec/2014/q4/535

Plugin Details

Severity: High

ID: 4779

Family: Web Servers

Published: 11/17/2014

Updated: 3/6/2019

Nessus ID: 35043

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:php:php

Patch Publication Date: 12/5/2008

Vulnerability Publication Date: 6/19/2008

Reference Information

CVE: CVE-2008-2371, CVE-2008-2665, CVE-2008-2666, CVE-2008-2829, CVE-2008-3658, CVE-2008-3659, CVE-2008-3660, CVE-2008-5557, CVE-2008-5658, CVE-2014-8626

BID: 32948, 29796, 29797, 30087, 30649, 32625, 33498, 70928