Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.PHP_5_6_25.NASL
HistoryAug 23, 2016 - 12:00 a.m.

PHP 5.6.x < 5.6.25 Multiple Vulnerabilities

2016-08-2300:00:00
This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
157
JSON

According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.25. It is, therefore, affected by multiple vulnerabilities :

  • An unspecified flaw exists in the object_common2() function in var_unserializer.c that occurs when handling objects during deserialization. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-7124)

  • An unspecified flaw exists in session.c that occurs when handling session names. An unauthenticated, remote attacker can exploit this to inject arbitrary data into sessions. (CVE-2016-7125)

  • An integer truncation flaw exists in the select_colors() function in gd_topal.c that is triggered when handling the number of colors. An unauthenticated, remote attacker can exploit to cause a heap-based buffer overflow, resulting in the execution of arbitrary code.
    (CVE-2016-7126)

  • An indexing flaw exists in the imagegammacorrect() function in gd.c that occurs when handling negative gamma values. An unauthenticated, remote attacker can exploit this to write a NULL to an arbitrary memory location, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2016-7127)

  • A flaw exists in the exif_process_IFD_in_TIFF() function in exif.c that occurs when handling TIFF image content.
    An unauthenticated, remote attacker can exploit this to disclose memory contents. (CVE-2016-7128)

  • A flaw exists in the php_wddx_process_data() function in wddx.c that occurs when deserializing invalid dateTime values. An unauthenticated, remote attacker can exploit this to cause a denial of service condition.
    (CVE-2016-7129)

  • A NULL pointer dereference flaw exists in the php_wddx_pop_element() function in wddx.c that is triggered during the handling of Base64 binary values.
    An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-7130)

  • A NULL pointer dereference flaw exists in the php_wddx_deserialize_ex() function in wddx.c that occurs during the handling of invalid XML content. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-7131)

  • An unspecified NULL pointer dereference flaw exists in the php_wddx_pop_element() function in wddx.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. CVE-2016-7132)

  • An integer overflow condition exists in the php_snmp_parse_oid() function in snmp.c. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow, resulting in the execution of arbitrary code.

  • An overflow condition exists in the sql_regcase() function in ereg.c due to improper handling of overly long strings. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code.

  • An integer overflow condition exists in the php_base64_encode() function in base64.c that occurs when handling overly long strings. An unauthenticated, remote attacker can exploit this to execute arbitrary code.

  • An integer overflow condition exists in the php_quot_print_encode() function in quot_print.c that occurs when handling overly long strings. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow condition, resulting in the execution of arbitrary code.

  • A use-after-free error exists in the unserialize() function in var.c. An unauthenticated, remote attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code.

  • A flaw exists in the php_ftp_fopen_connect() function in ftp_fopen_wrapper.c that allows a man-in-the-middle attacker to silently downgrade to regular FTP even if a secure method has been requested.

  • An integer overflow condition exists in the php_url_encode() function in url.c that occurs when handling overly long strings. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code.

  • An integer overflow condition exists in the php_uuencode() function in uuencode.c. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code.

  • An integer overflow condition exists in the bzdecompress() function in bz2.c. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code.

  • An integer overflow condition exists in the curl_escape() function in interface.c that occurs when handling overly long escaped strings. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code.

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(93077);
  script_version("1.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id(
    "CVE-2016-7124",
    "CVE-2016-7125",
    "CVE-2016-7126",
    "CVE-2016-7127",
    "CVE-2016-7128",
    "CVE-2016-7129",
    "CVE-2016-7130",
    "CVE-2016-7131",
    "CVE-2016-7132"
  );
  script_bugtraq_id(
    92552,
    92564,
    92755,
    92756,
    92757,
    92758,
    92764,
    92767,
    92768
  );

  script_name(english:"PHP 5.6.x < 5.6.25 Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The version of PHP running on the remote web server is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of PHP running on the remote web
server is 5.6.x prior to 5.6.25. It is, therefore, affected by
multiple vulnerabilities :

  - An unspecified flaw exists in the object_common2()
    function in var_unserializer.c that occurs when handling
    objects during deserialization. An unauthenticated,
    remote attacker can exploit this to execute arbitrary
    code. (CVE-2016-7124)

  - An unspecified flaw exists in session.c that occurs
    when handling session names. An unauthenticated, remote
    attacker can exploit this to inject arbitrary data into
    sessions. (CVE-2016-7125)

  - An integer truncation flaw exists in the select_colors()
    function in gd_topal.c that is triggered when handling
    the number of colors. An unauthenticated, remote
    attacker can exploit to cause a heap-based buffer
    overflow, resulting in the execution of arbitrary code.
    (CVE-2016-7126)

  - An indexing flaw exists in the imagegammacorrect()
    function in gd.c that occurs when handling negative
    gamma values. An unauthenticated, remote attacker can
    exploit this to write a NULL to an arbitrary memory
    location, resulting in a denial of service condition or
    the execution of arbitrary code. (CVE-2016-7127)

  - A flaw exists in the exif_process_IFD_in_TIFF() function
    in exif.c that occurs when handling TIFF image content.
    An unauthenticated, remote attacker can exploit this to
    disclose memory contents. (CVE-2016-7128)

  - A flaw exists in the php_wddx_process_data() function in
    wddx.c that occurs when deserializing invalid dateTime
    values. An unauthenticated, remote attacker can exploit
    this to cause a denial of service condition.
    (CVE-2016-7129)

  - A NULL pointer dereference flaw exists in the
    php_wddx_pop_element() function in wddx.c that is
    triggered during the handling of Base64 binary values.
    An unauthenticated, remote attacker can exploit this to
    cause a denial of service condition. (CVE-2016-7130)

  - A NULL pointer dereference flaw exists in the
    php_wddx_deserialize_ex() function in wddx.c that occurs
    during the handling of invalid XML content. An
    unauthenticated, remote attacker can exploit this to
    cause a denial of service condition. (CVE-2016-7131)

  - An unspecified NULL pointer dereference flaw exists in
    the php_wddx_pop_element() function in wddx.c. An
    unauthenticated, remote attacker can exploit this to
    cause a denial of service condition. CVE-2016-7132)

  - An integer overflow condition exists in the
    php_snmp_parse_oid() function in snmp.c. An
    unauthenticated, remote attacker can exploit this to
    cause a heap-based buffer overflow, resulting in the
    execution of arbitrary code.

  - An overflow condition exists in the sql_regcase()
    function in ereg.c due to improper handling of overly
    long strings. An unauthenticated, remote attacker
    can exploit this to corrupt memory, resulting in the
    execution of arbitrary code.

  - An integer overflow condition exists in the
    php_base64_encode() function in base64.c that occurs
    when handling overly long strings. An unauthenticated,
    remote attacker can exploit this to execute arbitrary
    code.

  - An integer overflow condition exists in the
    php_quot_print_encode() function in quot_print.c that
    occurs when handling overly long strings. An
    unauthenticated, remote attacker can exploit this to
    cause a heap-based buffer overflow condition, resulting
    in the execution of arbitrary code.

  - A use-after-free error exists in the unserialize()
    function in var.c. An unauthenticated, remote attacker
    can exploit this to dereference already freed memory,
    resulting in the execution of arbitrary code.

  - A flaw exists in the php_ftp_fopen_connect() function in
    ftp_fopen_wrapper.c that allows a man-in-the-middle
    attacker to silently downgrade to regular FTP even if a
    secure method has been requested.

  - An integer overflow condition exists in the
    php_url_encode() function in url.c that occurs when
    handling overly long strings. An unauthenticated, remote
    attacker can exploit this to corrupt memory, resulting
    in the execution of arbitrary code.

  - An integer overflow condition exists in the
    php_uuencode() function in uuencode.c. An
    unauthenticated, remote attacker can exploit this to
    corrupt memory, resulting in the execution of arbitrary
    code.

  - An integer overflow condition exists in the
    bzdecompress() function in bz2.c. An unauthenticated,
    remote attacker can exploit this to corrupt memory,
    resulting in the execution of arbitrary code.

  - An integer overflow condition exists in the
    curl_escape() function in interface.c that occurs when
    handling overly long escaped strings. An
    unauthenticated, remote attacker can exploit this to
    corrupt memory, resulting in the execution of arbitrary
    code.

Note that Nessus has not tested for this issue but has instead relied
only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-5.php#5.6.25");
  script_set_attribute(attribute:"solution", value:
"Upgrade to PHP version 5.6.25 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-7124");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/08/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/08/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/23");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("php_version.nasl");
  script_require_keys("www/PHP");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");

port = get_http_port(default:80, php:TRUE);

php = get_php_from_kb(
  port : port,
  exit_on_fail : TRUE
);

version = php["ver"];
source = php["src"];

backported = get_kb_item('www/php/'+port+'/'+version+'/backported');

if (report_paranoia < 2 && backported)
  audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install");

# Check that it is the correct version of PHP
if (version =~ "^5(\.6)?$")
  audit(AUDIT_VER_NOT_GRANULAR, "PHP", port, version);
if (version !~ "^5\.6\.") audit(AUDIT_NOT_DETECT, "PHP version 5.6.x", port);

if (version =~ "^5\.6\." && ver_compare(ver:version, fix:"5.6.25", strict:FALSE) < 0){
  security_report_v4(
  port  : port,
  extra :
    '\n  Version source    : ' + source +
    '\n  Installed version : ' + version +
    '\n  Fixed version     : 5.6.25' +
    '\n',
  severity:SECURITY_HOLE
  );
}
else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);
VendorProductVersionCPE
phpphpcpe:/a:php:php

Related

openvas 23
nessus 23
suse 7
slackware 1
ibm 4
f5 8
debian 3
cloudfoundry 1
ubuntu 1
ubuntucve 9
osv 2
prion 9
debiancve 9
redhatcve 9
cve 9
seebug 1
hackerone 1
gentoo 1
veracode 57
redhat 1
rosalinux 1
cloudlinux 1
openvas
openvas
PHP Multiple Vulnerabilities - 02 (Sep 2016) - Linux
2016-09-12 00:00:00
PHP Multiple Vulnerabilities - 02 (Sep 2016) - Windows
2016-09-12 00:00:00
openSUSE: Security Advisory for php5 (openSUSE-SU-2016:2337-1)
2016-09-20 00:00:00
nessus
nessus
Tenable SecurityCenter PHP < 5.6.25 Multiple Vulnerabilities (TNS-2016-09)
2017-06-26 00:00:00
openSUSE Security Update : php5 (openSUSE-2016-1095)
2016-09-20 00:00:00
PHP 7.0.x < 7.0.10 Multiple Vulnerabilities
2016-08-23 00:00:00
suse
suse
Security update for php5 (important)
2016-09-19 19:09:23
Security update for php53 (important)
2016-10-05 18:12:21
Security update for php53 (important)
2016-09-16 21:09:09
slackware
slackware
[slackware-security] php
2016-09-08 22:38:27
ibm
ibm
Security Bulletin: IBM Flex System Manager (FSM) is affected by multiple php vulnerabilities
2018-06-18 01:34:05
Security Bulletin: Vulnerabilities in OpenSSL and PHP affect IBM Tealeaf Customer Experience (CVE-2016-2107, CVE-2016-6290, CVE-2016-7125)
2018-06-16 20:05:19
Security Bulletin: Multiple security issues in IBM Tealeaf Customer Experience on Cloud Network Capture Add-On
2018-06-16 20:06:28
f5
f5
SOL30216728 - Multiple PHP vulnerabilities
2016-11-01 00:00:00
K30216728 : Multiple PHP vulnerabilities
2016-11-02 00:00:00
K89002224 : PHP vulnerability CVE-2016-7127
2016-12-07 00:00:00
debian
debian
[SECURITY] [DSA 3689-1] php5 security update
2016-10-08 13:53:04
[SECURITY] [DSA 3689-1] php5 security update
2016-10-08 13:53:04
[SECURITY] [DLA 749-1] php5 security update
2016-12-16 21:48:18
cloudfoundry
cloudfoundry
USN-3095-1 PHP vulnerabilities | Cloud Foundry
2016-10-04 00:00:00
ubuntu
ubuntu
PHP vulnerabilities
2016-10-04 00:00:00
ubuntucve
ubuntucve
CVE-2016-7132
2016-09-11 00:00:00
CVE-2016-7126
2016-09-12 00:00:00
CVE-2016-7127
2016-09-11 00:00:00
osv
osv
php5 - security update
2016-12-16 00:00:00
php5 - security update
2016-09-18 00:00:00
prion
prion
Out-of-bounds
2016-09-12 01:59:00
Design/Logic Flaw
2016-09-12 01:59:00
Null pointer dereference
2016-09-12 01:59:00
debiancve
debiancve
CVE-2016-7126
2016-09-12 01:59:00
CVE-2016-7129
2016-09-12 01:59:00
CVE-2016-7131
2016-09-12 01:59:00
redhatcve
redhatcve
CVE-2016-7126
2016-09-09 13:18:47
CVE-2016-7124
2020-04-08 17:15:47
CVE-2016-7130
2016-09-09 13:19:15
cve
cve
CVE-2016-7126
2016-09-12 01:59:00
CVE-2016-7127
2016-09-12 01:59:00
CVE-2016-7131
2016-09-12 01:59:00
seebug
seebug
SugarCRM v6. 5. 23 PHP deserialize an object injection vulnerability
2016-09-12 00:00:00
hackerone
hackerone
Internet Bug Bounty: Memory Leakage In exif_process_IFD_in_TIFF (CVE-2016-7128)
2016-08-18 01:06:22
gentoo
gentoo
PHP: Multiple vulnerabilities
2016-11-30 00:00:00
veracode
veracode
Arbitrary Code Execution
2019-05-02 06:02:23
Denial Of Service (DoS) Through Memory Corruption
2019-05-02 06:02:24
Denial Of Service (DoS)
2019-05-02 06:02:17
redhat
redhat
(RHSA-2016:2750) Moderate: rh-php56 security, bug fix, and enhancement update
2016-11-15 11:13:31
rosalinux
rosalinux
Advisory ROSA-SA-2021-1950
2021-07-02 17:57:45
cloudlinux
cloudlinux
Fix of 227 CVE
2020-10-15 12:00:00
JSON
Related for PHP_5_6_25.NASL
openvas23nessus23suse7slackware1ibm4f58debian3cloudfoundry1ubuntu1ubuntucve9osv2prion9debiancve9redhatcve9cve9seebug1hackerone1gentoo1veracode57redhat1rosalinux1cloudlinux1