VID: 22529
Severity: 40
Port: 80, ...
Protocol: TCP
Class: CGI

Detailed Description

According to its banner, the version of PHP 5.3.x installed on the remote host is older than 5.3.7. The new version resolves the following issues:

- A stack buffer overflow in socket_connect() (CVE-2011-1938)
- A use-after-free vulnerability in substr_replace() (CVE-2011-1148)
- A code execution vulnerability in ZipArchive::addGlob() (CVE-2011-1657)
- crypt_blowfish was updated to 1.2 (CVE-2011-2483)
- Multiple null pointer dereferences
- An unspecified crash in error_log()
- A buffer overflow in crypt()

* Note: This check relies solely on the version number reported in the remote PHP banner to assess this vulnerability, so it may be a false positive (for example, on distributions that backport fixes without changing the version string).
* References:
  - http://securityreason.com/achievement_securityalert/101
  - http://securityreason.com/exploitalert/10738
  - https://bugs.php.net/bug.php?id=54238
  - https://bugs.php.net/bug.php?id=54681
  - https://bugs.php.net/bug.php?id=54939
  - http://www.php.net/releases/5_3_7.php
* Platforms Affected: PHP 5.3.x prior to 5.3.7, any operating system, any version

Recommendation

Upgrade to the latest version of PHP (5.3.7 or later), available from the PHP Web site at http://www.php.net/downloads.php

Related URL (CVE): CVE-2011-1148, CVE-2011-1657, CVE-2011-1938, CVE-2011-2202, CVE-2011-2483
Related URL (SecurityFocus): 46843, 47950, 48259, 49241, 49249, 49252