PHP 5.6.x < 5.6.8 Multiple Vulnerabilities

critical Web App Scanning Plugin ID 98831

Synopsis

PHP 5.6.x < 5.6.8 Multiple Vulnerabilities

Description

According to its banner, the version of PHP 5.6.x running on the remote web server is prior to 5.6.8. It is, therefore, affected by multiple vulnerabilities :

- An unspecified use-after-free error exists in the _zend_shared_memdup() function within file ext/opcache/zend_shared_alloc.c that allows an unauthenticated, remote attacker to have an unspecified impact. (CVE-2015-1351)

- A NULL pointer dereference flaw exists in the build_tablename() function within file pgsql.c in the PostgreSQL extension due to a failure to validate token extraction for table names. An authenticated, remote attacker can exploit this, via a crafted name, to cause a denial of service condition. (CVE-2015-1352)

- An out-of-bounds read error exists in the Phar component due to improper validation of user-supplied input when handling phar parsing during unserialize() function calls. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the disclosure of memory contents. (CVE-2015-2783)

- A memory corruption issue exists in the phar_parse_metadata() function in file ext/phar/phar.c due to improper validation of user-supplied input when parsing a specially crafted TAR archive. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-3307)

- Multiple stack-based buffer overflow conditions exist in the phar_set_inode() function in file phar_internal.h when handling archive files, such as tar, zip, or phar files. An unauthenticated, remote attacker can exploit these to cause a denial of service condition or the execution or arbitrary code. (CVE-2015-3329)

- A flaw exists in the Apache2handler SAPI component when handling pipelined HTTP requests that allows an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-3330)

- A flaw exists in multiple functions due to a failure to check for NULL byte (%00) sequences in a path when processing or reading a file. An unauthenticated, remote attacker can exploit this, via specially crafted input to an application calling those functions, to bypass intended restrictions and disclose potentially sensitive information. (CVE-2015-3411, CVE-2015-3412)

- A type confusion error exists in multiple functions within file ext/soap/soap.c that is triggered when calling unserialize(). An unauthenticated, remote attacker can exploit this to disclose memory contents, cause a denial of service condition, or execute arbitrary code. (CVE-2015-4599, CVE-2015-4600)

- Multiple type confusion errors exist within files ext/soap/php_encoding.c, ext/soap/php_http.c, and ext/soap/soap.c that allow an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-4601)

- A type confusion error exists in the __PHP_Incomplete_Class() function within file ext/standard/incomplete_class.c that allows an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-4602)

- A type confusion error exists in the exception::getTraceAsString() function within file Zend/zend_exceptions.c that allows a remote attacker to execute arbitrary code. (CVE-2015-4603)

- A denial of service vulnerability exists due to a flaw in the bundled libmagic library, specifically in the mget() function within file softmagic.c. The function fails to maintain a certain pointer relationship. An unauthenticated, remote attacker can exploit this, via a crafted string, to crash the application. (CVE-2015-4604)

- A denial of service vulnerability exists due to a flaw in the bundled libmagic library, specifically in the mcopy() function within file softmagic.c. The function fails to properly handle an offset that exceeds 'bytecnt'. An unauthenticated, remote attacker can exploit this, via a crafted string, to crash the application. (CVE-2015-4605)

- A use-after-free error exists in the sqlite3_close() function within file /ext/sqlite3/sqlite3.c when closing database connections. An unauthenticated, remote attacker can exploit this to execute arbitrary code.

- A flaw exists in the ZEND_VM_HELPER_EX() function within file /Zend/zend_vm_def.h when handling a __get() function call. An unauthenticated, remote attacker can exploit this to cause a cause a denial of service condition.

- A type confusion error exists in the php_stream_url_wrap_http_ex() function within file ext/standard/http_fopen_wrapper.c that allows an unauthenticated, remote attacker to execute arbitrary code.

- A use-after-free error exists in the php_curl() function within file ext/curl/interface.c that allows an unauthenticated, remote attacker to execute arbitrary code.

- A use-after-free error exists in the SPL component, specifically in the spl_object_storage_get_gc() function within file ext/spl/spl_observer.c. An unauthenticated, remote attacker can exploit this to execute arbitrary code.

- A NULL pointer dereference flaw exists within file /ext/ereg/regex/regcomp.c that allows an unauthenticated, remote attacker attacker to cause a denial of service condition.

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to PHP version 5.6.8 or later.

See Also

http://php.net/ChangeLog-5.php#5.6.8

Plugin Details

Severity: Critical

ID: 98831

Type: remote

Published: 1/9/2019

Updated: 10/30/2023

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2015-4599

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Score Source: CVE-2015-1351

Vulnerability Information

CPE: cpe:2.3:a:php:php:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/30/2015

Vulnerability Publication Date: 3/30/2015

Reference Information

CVE: CVE-2015-1351, CVE-2015-1352, CVE-2015-2783, CVE-2015-3307, CVE-2015-3329, CVE-2015-3330, CVE-2015-3411, CVE-2015-3412, CVE-2015-4599, CVE-2015-4600, CVE-2015-4601, CVE-2015-4602, CVE-2015-4603, CVE-2015-4604, CVE-2015-4605

BID: 71929, 71932, 74204, 74239, 74240, 74413, 74703, 75233, 75241, 75246, 75249, 75250, 75251, 75252, 75255

CWE: 119, 121, 125, 20, 200, 254, 416, 476, 626, 665, 843

OWASP: 2010-A4, 2010-A6, 2013-A4, 2013-A5, 2013-A9, 2017-A5, 2017-A6, 2017-A9, 2021-A1, 2021-A3, 2021-A6

WASC: Buffer Overflow, Improper Input Handling, Information Leakage

CAPEC: 10, 100, 101, 104, 108, 109, 110, 116, 120, 123, 13, 135, 136, 14, 153, 169, 182, 209, 22, 224, 23, 230, 231, 24, 250, 261, 267, 28, 285, 287, 290, 291, 292, 293, 294, 295, 296, 297, 298, 299, 3, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 31, 310, 312, 313, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 42, 43, 44, 45, 46, 47, 472, 473, 497, 508, 52, 53, 540, 573, 574, 575, 576, 577, 588, 59, 60, 616, 63, 64, 643, 646, 651, 67, 7, 71, 72, 73, 78, 79, 8, 80, 81, 83, 85, 88, 9

DISA STIG: APSC-DV-000460, APSC-DV-002560, APSC-DV-002590, APSC-DV-002630

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.12.6.1, 27001-A.14.1.1, 27001-A.14.2.5, 27001-A.14.2.7, 27001-A.14.2.9, 27001-A.15.1.2

NIST: sp800_53-CM-6b, sp800_53-SA-4(3), sp800_53-SI-10, sp800_53-SI-15, sp800_53-SI-16

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-14.2.1, 4.0.2-5.1.3, 4.0.2-8.3.4

PCI-DSS: 3.2-6.2, 3.2-6.5, 3.2-6.5.1, 3.2-6.5.2, 3.2-6.5.8, 3.2-8.1, 3.2-8.4.3