Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.PHP_7_1_25.NASL
HistoryDec 19, 2018 - 12:00 a.m.

PHP 7.1.x < 7.1.25 Multiple vulnerabilities

2018-12-1900:00:00
This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
390
JSON

According to its banner, the version of PHP running on the remote web server is 7.1.x prior to 7.1.25. It is, therefore, affected by multiple vulnerabilities:

  • An arbitrary command injection vulnerability exists in the imap_open function due to improper filters for mailbox names prior to passing them to rsh or ssh commands. An authenticated, remote attacker can exploit this by sending a specially crafted IMAP server name to cause the execution of arbitrary commands on the target system. (CVE-2018-19518)

  • A heap buffer over-read exists in the phar_parse_pharfile function.
    An unauthenticated, remote attacker can exploit this to read allocated or unallocated memory past the actual data when trying to parse a .phar file. (CVE-2018-20783)

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(119765);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/05/26");

  script_cve_id("CVE-2018-19518", "CVE-2018-20783");
  script_bugtraq_id(106018, 107121);

  script_name(english:"PHP 7.1.x < 7.1.25 Multiple vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"An application installed on the remote host is affected by
 multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of PHP running on the remote web
server is 7.1.x prior to 7.1.25. It is, therefore, affected by
multiple vulnerabilities:

  - An arbitrary command injection vulnerability exists in the
  imap_open function due to improper filters for mailbox names prior
  to passing them to rsh or ssh commands. An authenticated, remote
  attacker can exploit this by sending a specially crafted IMAP server
  name to cause the execution of arbitrary commands on the target
  system. (CVE-2018-19518)

  - A heap buffer over-read exists in the phar_parse_pharfile function.
  An unauthenticated, remote attacker can exploit this to read
  allocated or unallocated memory past the actual data when trying to
  parse a .phar file. (CVE-2018-20783)");
  script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-7.php#7.1.25");
  script_set_attribute(attribute:"solution", value:
"Upgrade to PHP version 7.1.25 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-19518");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2018-20783");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'php imap_open Remote Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/11/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/12/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/19");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("php_version.nasl");
  script_require_keys("www/PHP");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");

port = get_http_port(default:80, php:TRUE);

php = get_php_from_kb(
  port : port,
  exit_on_fail : TRUE
);

version = php["ver"];
source = php["src"];

backported = get_kb_item('www/php/'+port+'/'+version+'/backported');

if (report_paranoia < 2 && backported)
  audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install");

# Check that it is the correct version of PHP
if (version =~ "^7(\.1)?$") audit(AUDIT_VER_NOT_GRANULAR, "PHP", port, version);
if (version !~ "^7\.1\.") audit(AUDIT_NOT_DETECT, "PHP version 7.1.x", port);

fix = "7.1.25";
if (ver_compare(ver:version, fix:fix, strict:FALSE) < 0)
{
  report =
    '\n  Version source    : ' + source +
    '\n  Installed version : ' + version +
    '\n  Fixed version     : ' + fix +
    '\n';
  security_report_v4(port:port, extra:report, severity:SECURITY_HOLE );
}
else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);
VendorProductVersionCPE
phpphpcpe:/a:php:php

Related

nessus 45
osv 9
openvas 21
prion 3
debian 4
veracode 2
debiancve 3
attackerkb 1
suse 6
wallarmlab 1
cve 4
ibm 3
ubuntucve 3
alpinelinux 3
checkpoint_advisories 1
mageia 1
ubuntu 2
redhatcve 3
hackerone 1
fedora 2
f5 2
amazon 1
gentoo 1
redhat 3
almalinux 1
oraclelinux 1
rocky 1
rosalinux 1
nessus
nessus
PHP 7.2.x < 7.2.13 Multiple vulnerabilities
2018-12-19 00:00:00
PHP 7.0.x < 7.0.33 Multiple vulnerabilities
2019-03-13 00:00:00
PHP 7.3.x < 7.3.0 Multiple vulnerabilities
2019-01-31 00:00:00
osv
osv
php5 - security update
2018-12-16 00:00:00
uw-imap - security update
2021-12-29 00:00:00
CVE-2018-19518
2018-11-25 10:29:00
openvas
openvas
PHP Multiple Vulnerabilities - Dec18 (Linux)
2018-12-11 00:00:00
PHP Multiple Vulnerabilities - Dec18 (Windows)
2018-12-11 00:00:00
openSUSE: Security Advisory for Recommended (openSUSE-SU-2018:4038-1)
2018-12-10 00:00:00
prion
prion
Input validation
2018-11-25 10:29:00
Design/Logic Flaw
2019-02-21 19:29:00
Heap overflow
2019-02-22 23:29:00
debian
debian
[SECURITY] [DLA 2866-1] uw-imap security update
2021-12-29 17:12:17
[SECURITY] [DLA 1700-1] uw-imap security update
2019-03-01 13:26:16
[SECURITY] [DLA 1608-1] php5 security update
2018-12-17 01:56:08
veracode
veracode
Information Disclosure
2019-08-20 00:10:41
Remote Code Execution (RCE)
2020-09-21 06:25:14
debiancve
debiancve
CVE-2018-20783
2019-02-21 19:29:00
CVE-2018-19518
2018-11-25 10:29:00
CVE-2019-9021
2019-02-22 23:29:00
attackerkb
attackerkb
CVE-2018-19518
2018-11-25 00:00:00
suse
suse
Recommended update for php7 (moderate)
2018-12-08 00:11:09
Recommended update for php5 (moderate)
2018-12-08 00:19:13
Security update for php5 (moderate)
2019-04-23 00:00:00
wallarmlab
wallarmlab
RCE in PHP or how to bypass disable_functions in PHP installations
2018-12-06 17:32:24
cve
cve
CVE-2018-19518
2018-11-25 10:29:00
CVE-2018-20783
2019-02-21 19:29:00
CVE-2018-1000859
2018-12-06 17:15:00
ibm
ibm
Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerability in PHP.
2023-12-07 22:45:07
Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerability in PHP (CVE-2018-19518)
2020-01-08 21:42:21
Security Bulletin: API Connect's Developer Portal is impacted by vulnerabilities in PHP
2020-03-03 02:43:43
ubuntucve
ubuntucve
CVE-2018-19518
2018-11-25 00:00:00
CVE-2018-20783
2019-02-21 00:00:00
CVE-2019-9021
2019-02-22 00:00:00
alpinelinux
alpinelinux
CVE-2018-19518
2018-11-25 10:29:00
CVE-2018-20783
2019-02-21 19:29:00
CVE-2019-9021
2019-02-22 23:29:00
checkpoint_advisories
checkpoint_advisories
PHP IMAP imap_open Command Injection (CVE-2018-19518)
2022-11-17 00:00:00
mageia
mageia
Updated php packages fix security vulnerability
2018-12-20 23:17:27
ubuntu
ubuntu
UW IMAP vulnerability
2019-10-21 00:00:00
PHP vulnerabilities
2019-05-22 00:00:00
redhatcve
redhatcve
CVE-2018-19518
2018-11-28 10:19:59
CVE-2018-20783
2020-01-19 09:40:43
CVE-2019-9021
2019-10-29 04:03:55
hackerone
hackerone
Internet Bug Bounty: Heap Buffer Overflow (READ: 4) in phar_parse_pharfile
2019-01-09 22:03:25
fedora
fedora
[SECURITY] Fedora 28 Update: php-7.2.13-2.fc28
2018-12-17 02:28:09
[SECURITY] Fedora 29 Update: php-7.2.13-2.fc29
2018-12-17 19:12:53
f5
f5
K03544225 : PHP vulnerabilities CVE-2018-19518 and CVE-2018-19935
2019-01-08 00:00:00
K50602063 : PHP vulnerability CVE-2019-9021
2019-02-28 00:00:00
amazon
amazon
Medium: php56, php70, php71, php72
2019-01-09 22:58:00
gentoo
gentoo
PHP: Multiple vulnerabilities
2020-03-26 00:00:00
redhat
redhat
(RHSA-2020:1624) Moderate: php:7.2 security, bug fix, and enhancement update
2020-04-28 08:57:54
(RHSA-2019:3299) Critical: rh-php72-php security update
2019-11-01 12:22:19
(RHSA-2019:2519) Moderate: rh-php71-php security, bug fix, and enhancement update
2019-08-19 08:09:18
almalinux
almalinux
Moderate: php:7.2 security, bug fix, and enhancement update
2020-04-28 08:57:54
oraclelinux
oraclelinux
php:7.2 security, bug fix, and enhancement update
2020-05-05 00:00:00
rocky
rocky
php:7.2 security, bug fix, and enhancement update
2020-04-28 08:57:54
rosalinux
rosalinux
Advisory ROSA-SA-2021-1950
2021-07-02 17:57:45
JSON
Related for PHP_7_1_25.NASL
nessus45osv9openvas21prion3debian4veracode2debiancve3attackerkb1suse6wallarmlab1cve4ibm3ubuntucve3alpinelinux3checkpoint_advisories1mageia1ubuntu2redhatcve3hackerone1fedora2f52amazon1gentoo1redhat3almalinux1oraclelinux1rocky1rosalinux1