According to its banner, the version of PHP running on the remote web server is either 7.2.x prior to 7.2.28, 7.3.x prior to 7.3.15, or 7.4.x prior to 7.4.3. It is, therefore, affected by multiple vulnerabilities:
A heap-based buffer overflow condition exists in phar_extract_file() function due to incorrect loop termination. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2020-7061)
A denial of service (DoS) vulnerability exists in PHP SessionUpload Progress functions due to Null Pointer Dereference. An unauthenticated, remote attacker can exploit this issue to cause the php service to stop responding. (CVE-2020-7062)
An Insecure File Permissions on the buildFromIterator function gives all access permission to Tar files. (CVE-2020-7063)
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(134162);
script_version("1.6");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/25");
script_cve_id("CVE-2020-7061", "CVE-2020-7062", "CVE-2020-7063");
script_name(english:"PHP 7.2.x < 7.2.28 / PHP 7.3.x < 7.3.15 / 7.4.x < 7.4.3 Multiple Vulnerabilities");
script_set_attribute(attribute:"synopsis", value:
"The version of PHP running on the remote web server is affected by
multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"According to its banner, the version of PHP running on the remote web
server is either 7.2.x prior to 7.2.28, 7.3.x prior to 7.3.15, or
7.4.x prior to 7.4.3. It is, therefore, affected by multiple vulnerabilities:
- A heap-based buffer overflow condition exists in phar_extract_file()
function due to incorrect loop termination. An unauthenticated, remote
attacker can exploit this to cause a denial of service condition or the
execution of arbitrary code. (CVE-2020-7061)
- A denial of service (DoS) vulnerability exists in PHP SessionUpload
Progress functions due to Null Pointer Dereference. An unauthenticated,
remote attacker can exploit this issue to cause the php service to stop
responding. (CVE-2020-7062)
- An Insecure File Permissions on the buildFromIterator function gives all
access permission to Tar files. (CVE-2020-7063)");
script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-7.php#7.2.28");
script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-7.php#7.3.15");
script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-7.php#7.4.3");
script_set_attribute(attribute:"solution", value:
"Upgrade to PHP version 7.2.28, 7.3.15, 7.4.3 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-7061");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/02/20");
script_set_attribute(attribute:"patch_publication_date", value:"2020/02/20");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/28");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("php_version.nasl");
script_require_keys("www/PHP", "installed_sw/PHP");
script_require_ports("Services/www", 80);
exit(0);
}
include('http.inc');
include('vcf.inc');
include('audit.inc');
port = get_http_port(default:80, php:TRUE);
app_info = vcf::get_app_info(app:'PHP', port:port, webapp:TRUE);
backported = get_kb_item('www/php/' + port + '/' + app_info.version + '/backported');
if ((report_paranoia < 2) && backported) audit(AUDIT_BACKPORT_SERVICE, port, 'PHP ' + app_info.version + ' install');
constraints = [
{'min_version':'7.2.0alpha1', 'fixed_version':'7.2.28'},
{'min_version':'7.3.0alpha1', 'fixed_version':'7.3.15'},
{'min_version':'7.4.0alpha1', 'fixed_version':'7.4.3'}
];
vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);