7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.6 High
AI Score
Confidence
High
0.723 High
EPSS
Percentile
98.1%
According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.40. It is, therefore, affected by multiple vulnerabilities:
An integer underflow condition exists in _gdContributionsAlloc function in gd_interpolation.c. An unauthenticated, remote attacker can have unspecified impact via vectors related to decrementing the u variable. (CVE-2016-10166)
A heap-based buffer overflow condition exists in gdImageColorMatch due to improper calculation of the allocated buffer size. An attacker can exploit this, via calling imagecolormatch function with crafted image data as parameters.
(CVE-2019-6977)
A heap-based buffer over-read exists in the xmlrpc_decode function due to improper validation of input data. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to cause a heap out-of-bounds read or read-after-free condition, which could result in a complete system compromise. (CVE-2019-9020)
A heap-based buffer over-read exists in the PHAR reading functions in the PHAR extension, due to improper implementation of memory operations. An unauthenticated, remote attacker can exploit this, via persuading a user to parse a specially crafted file name on the targeted system, to disclose sensitive information. (CVE-2019-9021)
Multiple heap-based buffer over-read instances exist in mbstring regular expression functions due to improper implementation of memory operations. An unauthenticated, remote attacker can exploit this by sending a specially crafted regular expression that contains multibyte sequences, to cause a condition that could allow the attacker to completely compromise the target system. (CVE-2019-9023)
An out-of-bounds read error exists in the xmlrpc_decode function due to improper implementation of memory operations. An unauthenticated, remote attacker can exploit this, via a hostile XMLRPC server to cause PHP to read from memory outside of allocated areas. (CVE-2019-9024)
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(121602);
script_version("1.7");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/31");
script_cve_id(
"CVE-2016-10166",
"CVE-2019-6977",
"CVE-2019-9020",
"CVE-2019-9021",
"CVE-2019-9023",
"CVE-2019-9024"
);
script_bugtraq_id(95869, 106731, 107156);
script_name(english:"PHP 5.6.x < 5.6.40 Multiple vulnerabilities.");
script_set_attribute(attribute:"synopsis", value:
"An application installed on the remote host is affected by
multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"According to its banner, the version of PHP running on the remote web
server is 5.6.x prior to 5.6.40. It is, therefore, affected by
multiple vulnerabilities:
- An integer underflow condition exists in _gdContributionsAlloc
function in gd_interpolation.c. An unauthenticated, remote attacker
can have unspecified impact via vectors related to decrementing
the u variable. (CVE-2016-10166)
- A heap-based buffer overflow condition exists in
gdImageColorMatch due to improper calculation of the allocated
buffer size. An attacker can exploit this, via calling
imagecolormatch function with crafted image data as parameters.
(CVE-2019-6977)
- A heap-based buffer over-read exists in the xmlrpc_decode function
due to improper validation of input data. An unauthenticated, remote
attacker can exploit this, via a specially crafted request, to cause
a heap out-of-bounds read or read-after-free condition, which could
result in a complete system compromise. (CVE-2019-9020)
- A heap-based buffer over-read exists in the PHAR reading functions
in the PHAR extension, due to improper implementation of memory
operations. An unauthenticated, remote attacker can exploit this,
via persuading a user to parse a specially crafted file name on the
targeted system, to disclose sensitive information. (CVE-2019-9021)
- Multiple heap-based buffer over-read instances exist in mbstring
regular expression functions due to improper implementation of
memory operations. An unauthenticated, remote attacker can exploit
this by sending a specially crafted regular expression that contains
multibyte sequences, to cause a condition that could allow the
attacker to completely compromise the target system. (CVE-2019-9023)
- An out-of-bounds read error exists in the xmlrpc_decode function
due to improper implementation of memory operations. An
unauthenticated, remote attacker can exploit this, via a hostile
XMLRPC server to cause PHP to read from memory outside of allocated
areas. (CVE-2019-9024)");
script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-5.php#5.6.40");
script_set_attribute(attribute:"solution", value:
"Upgrade to PHP version 5.6.40 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-10166");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/10");
script_set_attribute(attribute:"patch_publication_date", value:"2019/01/10");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/06");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("php_version.nasl");
script_require_keys("www/PHP");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include('audit.inc');
include('global_settings.inc');
include('misc_func.inc');
include('http.inc');
include('webapp_func.inc');
fix = '5.6.40';
minver = '5.6.0alpha1';
regexes = make_array(
-3, 'alpha(\\d+)',
-2, 'beta(\\d+)',
-1, 'RC(\\d+)'
);
port = get_http_port(default:80, php:TRUE);
php = get_php_from_kb(
port : port,
exit_on_fail : TRUE
);
ver = php["ver"];
source = php["src"];
backported = get_kb_item('www/php/' + port + '/' + ver + '/backported');
if ((report_paranoia < 2) && backported)
audit(AUDIT_BACKPORT_SERVICE, port, 'PHP ' + ver + ' install');
vulnerable = ver_compare(minver:minver, ver:ver, fix:fix, regexes:regexes);
if (isnull(vulnerable)) exit(1, 'The version of PHP ' + ver + ' is not within the checked ranges.');
if (vulnerable > -1) audit(AUDIT_LISTEN_NOT_VULN, 'PHP', port, ver);
report =
'\n Version source : ' + source +
'\n Installed version : ' + ver +
'\n Fixed version : ' + fix +
'\n';
security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10166
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6977
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9020
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9021
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9023
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9024
php.net/ChangeLog-5.php#5.6.40
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.6 High
AI Score
Confidence
High
0.723 High
EPSS
Percentile
98.1%