| VID |
22743 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.26. It is, therefore, affected by multiple vulnerabilities :
- A flaw exists in ext/standard/var_unserializer.re when destroying deserialized objects due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a deserialize call that references a partially constructed object, to corrupt memory, resulting in a denial of service condition. (CVE-2016-7411)
- An heap buffer overflow condition exists in the php_mysqlnd_rowp_read_text_protocol_aux() function within file ext/mysqlnd/mysqlnd_wireprotocol.c due to a failure to verify that a BIT field has the UNSIGNED_FLAG flag. An unauthenticated, remote attacker can exploit this, via specially crafted field metadata, to cause a denial of service condition. (CVE-2016-7412)
- A use-after-free error exists in the wddx_stack_destroy() function within file ext/wddx/wddx.c when deserializing recordset elements. An unauthenticated, remote attacker can exploit this, via a specially crafted wddxPacket XML document, to cause a denial of service condition. (CVE-2016-7413)
- An out-of-bounds access error exists in the phar_parse_zipfile() function within file ext/phar/zip.c due to a failure to ensure that the uncompressed_filesize field is large enough. An unauthenticated, remote attacker can exploit this, via a specially crafted archive, to cause a denial of service condition. (CVE-2016-7414)
- A stack-based buffer overflow condition exists in the ICU4C library, specifically within file common/locid.cpp in the the msgfmt_format_message() function, due to a failure to properly restrict the locale length provided to the Locale class. An unauthenticated, remote attacker can exploit this, via a long first argument to a MessageFormatter::formatMessage() function call, to cause a denial of service condition. (CVE-2016-7416)
- A flaw exists in the spl_array_get_dimension_ptr_ptr() function within file ext/spl/spl_array.c due to a failure to properly validate the return value and data type when deserializing SplArray. An unauthenticated, remote attacker can exploit this, via specially crafted serialized data, to cause a denial of service condition. (CVE-2016-7417)
- An out-of-bounds read error exists in the php_wddx_push_element() function within file ext/wddx/wddx.c when handling an incorrect boolean element, which leads to mishandling the wddx_deserialize() call. An unauthenticated, remote attacker can exploit this, via a specially crafted wddxPacket XML document, to cause a denial of service condition. (CVE-2016-7418)
* Note: This check solely relied on the version number of the remote PHP to assess this vulnerability, so this might be a false positive.
* References:
https://secure.php.net/ChangeLog-5.php#5.6.26
* Platforms Affected:
PHP Prior to 5.6.26
Any operating system Any version |
| Recommendation |
Upgrade to the latest version of PHP (5.6.26 or later), available from the PHP web site at http://www.php.net/downloads.php |
| Related URL |
CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418 (CVE) |
| Related URL |
93004,93005,93006,93007,93008,93009,93011 (SecurityFocus) |
| Related URL |
(ISS) |
|
