PHP 5.6.x < 5.6.11 Multiple Vulnerabilities (BACKRONYM)

According to its banner, the version of PHP 5.6.x running on the remote web server is prior to 5.6.11. It is, therefore, affected by multiple vulnerabilities :

• A security feature bypass vulnerability, known as ‘BACKRONYM’, exists due to a failure to properly enforce the requirement of an SSL/TLS connection when the --ssl client option is used. A man-in-the-middle attacker can exploit this flaw to coerce the client to downgrade to an unencrypted connection, allowing the attacker to disclose data from the database or manipulate database queries. (CVE-2015-3152)

• A flaw exists in the PHP Connector/C component due to a failure to properly enforce the requirement of an SSL/TLS connection when the --ssl client option is used. A man-in-the-middle attacker can exploit this to downgrade the connection to plain HTTP when HTTPS is expected. (CVE-2015-8838) - A use-after-free error exists in the spl_recursive_it_move_forward_ex() function. An attacker can exploit this to dereference already freed memory, potentially allowing the execution of arbitrary code.

• A use-after-free error exists in the sqlite3SafetyCheckSickOrOk() function. An attacker can exploit this to dereference already freed memory, potentially allowing the execution of arbitrary code.

• The ‘!’ character is not treated as a special character when delayed variable substitution is enabled. The functions escapeshellcmd() and escapeshellarg() are unable to properly sanitize arguments containing ‘!’. An attacker can exploit this to execute arbitrary commands.

• A double-free flaw exists in zend_vm_execute.h due to improper handling of certain code. An attacker can exploit this flaw to crash a PHP application, resulting in a denial of service condition.

Note that the scanner has not tested for these issues but has instead relied only on the application’s self-reported version number.