VID | 22518
Severity | 40
Port | 80, ...
Protocol | TCP
Class | CGI
Detailed Description |
The remote web server uses a version of PHP that is affected by multiple vulnerabilities. According to its banner, the version of PHP 5.3.x installed on the remote host is older than 5.3.6.
- A NULL pointer can be dereferenced in the function '_zip_name_locate()' when processing empty archives and can lead to application crashes or code execution. Exploitation requires the 'ZIPARCHIVE::FL_UNCHANGED' setting to be in use. (CVE-2011-0421)
- A variable casting error exists in the Exif extension which can allow denial of service attacks when handling crafted 'Image File Directory' (IFD) header values in the PHP function 'exif_read_data()'. Exploitation requires a 64-bit system and a config setting 'memory_limit' above 4GB or unlimited. (CVE-2011-0708)
- An integer overflow vulnerability exists in the implementation of the PHP function 'shmop_read()' and can allow arbitrary code execution. (CVE-2011-1092)
- Errors exist in the file 'phar/phar_object.c' in which calls to 'zend_throw_exception_ex()' pass data as a string format parameter. This can lead to memory corruption when handling PHP archives (phar). (CVE-2011-1153)
- A buffer overflow error exists in the C function 'xbuf_format_converter' when the PHP configuration value for 'precision' is set to a large value and can lead to application crashes. (CVE-2011-1464)
- An integer overflow error exists in the C function 'SdnToJulian()' in the Calendar extension and can lead to application crashes. (CVE-2011-1466)
- An unspecified error exists in the implementation of the PHP function 'numfmt_set_symbol()' and PHP method 'NumberFormatter::setSymbol()' in the Intl extension. This error can lead to application crashes. (CVE-2011-1467)
- Multiple memory leaks exist in the OpenSSL extension in the PHP functions 'openssl_encrypt' and 'openssl_decrypt'. (CVE-2011-1468)
- An unspecified error exists in the Streams component when accessing FTP URLs with an HTTP proxy. (CVE-2011-1469)
- An integer signedness error and an unspecified error exist in the Zip extension and can lead to denial of service via certain ziparchive streams. (CVE-2011-1470, CVE-2011-1471)
- An unspecified error exists in the security enforcement regarding the parsing of the fastcgi protocol with the 'FastCGI Process Manager' (FPM) SAPI.
* Note: This check solely relied on the version number of the remote WebLogic server to assess this vulnerability, so this might be a false positive.
* References:
  http://bugs.php.net/bug.php?id=54193
  http://bugs.php.net/bug.php?id=54055
  http://bugs.php.net/bug.php?id=53885
  http://bugs.php.net/bug.php?id=53574
  http://bugs.php.net/bug.php?id=53512
  http://bugs.php.net/bug.php?id=54060
  http://bugs.php.net/bug.php?id=54061
  http://bugs.php.net/bug.php?id=54092
  http://bugs.php.net/bug.php?id=53579
  http://bugs.php.net/bug.php?id=49072
  http://openwall.com/lists/oss-security/2011/02/14/1
  http://www.php.net/releases/5_3_6.php
  http://www.rooibo.com/2011/03/12/integer-overflow-en-php-2/
* Platforms Affected: PHP before 5.3.6; any operating system, any version |
Recommendation | Upgrade to the latest version of PHP (5.3.6 or later), available from the PHP Web site at http://www.php.net
Related URL | CVE-2011-0421, CVE-2011-0708, CVE-2011-1092, CVE-2011-1153, CVE-2011-1464, CVE-2011-1466, CVE-2011-1467, CVE-2011-1468, CVE-2011-1469, CVE-2011-1470 (CVE)
Related URL | 46354, 46365, 46786, 46854 (SecurityFocus)
Related URL | (ISS)
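The description says the finding is derived from the banner version alone and may be a false positive. The following is an added example, not the scanner's own check logic, of triaging such a banner finding: it extracts the PHP version from response headers, compares it with 5.3.6, and separates plain upstream versions from vendor-suffixed builds that may carry backported fixes. The function name, verdict labels and sample headers are assumptions constructed for illustration.

```python
import re

FIXED = (5, 3, 6)  # first fixed 5.3.x release, per the entry above

# PHP/<major>.<minor>.<patch> followed by an optional vendor/build suffix
_PHP_TOKEN = re.compile(r"PHP/(\d+)\.(\d+)\.(\d+)([^\s,;)]*)", re.IGNORECASE)


def classify_banner(headers):
    """Return (verdict, version, note) for a dict of HTTP response headers."""
    # PHP advertises itself in X-Powered-By (expose_php) and, under mod_php,
    # in the Server header as well.
    wanted = ("x-powered-by", "server")
    text = " ".join(v for k, v in headers.items() if k.lower() in wanted)
    m = _PHP_TOKEN.search(text)
    if not m:
        return ("unknown", None, "no PHP version in banner; check on the host")
    version = tuple(int(x) for x in m.group(1, 2, 3))
    suffix = m.group(4)
    if version[:2] != (5, 3):
        return ("out-of-scope", version, "not a 5.3.x build")
    if version >= FIXED:
        return ("not-flagged", version, "banner reports 5.3.6 or later")
    if suffix:
        # Distribution packages often keep the old version string while
        # backporting fixes, so the banner alone cannot confirm exposure.
        return ("verify", version, "vendor build %r may carry backported fixes" % suffix)
    return ("flagged", version, "banner reports 5.3.x older than 5.3.6")


# Constructed sample headers (not taken from any real host).
SAMPLES = [
    {"Server": "Apache/2.2.17 (Unix) PHP/5.3.5"},
    {"X-Powered-By": "PHP/5.3.3-7+squeeze19"},
    {"X-Powered-By": "PHP/5.3.6"},
    {"Server": "nginx"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", classify_banner(sample))
```

A "verify" or "unknown" result should be settled on the host itself, for example by comparing the installed package's changelog against the CVE list in this entry.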