PHP Server Side Request Forgery Security Bypass Vulnerability (Windows)
2017-04-18T00:00:00
ID OPENVAS:1361412562310108139 Type openvas Reporter Copyright (c) 2017 Greenbone Networks GmbH Modified 2018-10-19T00:00:00
Description
This host is installed with PHP and is prone
to a security bypass vulnerability.
###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_php_97178_win.nasl 11982 2018-10-19 08:49:21Z mmartin $
#
# PHP Server Side Request Forgery Security Bypass Vulnerability (Windows)
#
# Authors:
# Christian Fischer <christian.fischer@greenbone.net>
#
# Copyright:
# Copyright (c) 2017 Greenbone Networks GmbH
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
CPE = "cpe:/a:php:php";
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.108139");
script_version("$Revision: 11982 $");
script_cve_id("CVE-2017-7272");
script_bugtraq_id(97178);
script_tag(name:"cvss_base", value:"5.8");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:P/I:P/A:N");
script_tag(name:"last_modification", value:"$Date: 2018-10-19 10:49:21 +0200 (Fri, 19 Oct 2018) $");
script_tag(name:"creation_date", value:"2017-04-18 06:00:00 +0200 (Tue, 18 Apr 2017)");
script_name("PHP Server Side Request Forgery Security Bypass Vulnerability (Windows)");
script_copyright("Copyright (c) 2017 Greenbone Networks GmbH");
script_category(ACT_GATHER_INFO);
script_family("Web application abuses");
script_dependencies("gb_php_detect.nasl", "os_detection.nasl");
script_mandatory_keys("php/installed", "Host/runs_windows");
script_xref(name:"URL", value:"http://www.php.net/ChangeLog-7.php");
script_xref(name:"URL", value:"http://bugs.php.net/74216");
script_tag(name:"summary", value:"This host is installed with PHP and is prone
to a security bypass vulnerability.");
script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
script_tag(name:"insight", value:"The flaw exists due to the php_wddx_pop_element
function in ext/wddx/wddx.c via an inapplicable class name in a wddxPacket XML document,
leading to mishandling in a wddx_deserialize call.");
script_tag(name:"impact", value:"An attacker can exploit this issue to bypass security
restrictions and perform unauthorized actions. This may aid in further attacks.");
script_tag(name:"affected", value:"PHP versions 7.0.x before 7.0.18 and 7.1.x before 7.1.4.");
script_tag(name:"solution", value:"Upgrade to PHP version 7.0.18, 7.1.4
or later.");
script_tag(name:"solution_type", value:"VendorFix");
script_tag(name:"qod_type", value:"remote_banner");
exit(0);
}
include("version_func.inc");
include("host_details.inc");
if( isnull( port = get_app_port( cpe:CPE ) ) ) exit( 0 );
if( ! vers = get_app_version( cpe:CPE, port:port ) ) exit( 0 );
if( version_in_range( version:vers, test_version:"7.0", test_version2:"7.0.17" ) ) {
vuln = TRUE;
fix = "7.0.18";
}
if( vers =~ "^7\.1") {
if( version_is_less( version:vers, test_version:"7.1.4" ) ) {
vuln = TRUE;
fix = "7.1.4";
}
}
if( vuln ) {
report = report_fixed_ver( installed_version:vers, fixed_version:fix );
security_message( port:port, data:report );
exit( 0 );
}
exit( 99 );
{"id": "OPENVAS:1361412562310108139", "type": "openvas", "bulletinFamily": "scanner", "title": "PHP Server Side Request Forgery Security Bypass Vulnerability (Windows)", "description": "This host is installed with PHP and is prone\n to a security bypass vulnerability.", "published": "2017-04-18T00:00:00", "modified": "2018-10-19T00:00:00", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108139", "reporter": "Copyright (c) 2017 Greenbone Networks GmbH", "references": ["http://www.php.net/ChangeLog-7.php", "http://bugs.php.net/74216"], "cvelist": ["CVE-2017-7272"], "lastseen": "2019-05-29T18:34:26", "viewCount": 8, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-7272"]}, {"type": "seebug", "idList": ["SSV:92911"]}, {"type": "nessus", "idList": ["DEBIAN_DLA-875.NASL", "EULEROS_SA-2020-1542.NASL", "EULEROS_SA-2020-1350.NASL", "EULEROS_SA-2020-1124.NASL", "EULEROS_SA-2020-1172.NASL", "SUSE_SU-2017-1709-1.NASL", "SUSE_SU-2017-1585-1.NASL", "EULEROS_SA-2019-2438.NASL", "DEBIAN_DLA-1490.NASL", "EULEROS_SA-2019-2649.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310108138", "OPENVAS:1361412562311220201350", "OPENVAS:1361412562311220192438", "OPENVAS:1361412562311220201124", "OPENVAS:1361412562311220201172", "OPENVAS:1361412562310890875", "OPENVAS:1361412562311220201542", "OPENVAS:1361412562311220192649", "OPENVAS:1361412562310891490"]}, {"type": "suse", "idList": ["SUSE-SU-2017:1709-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142013"]}, {"type": "debian", "idList": ["DEBIAN:DLA-875-1:2D95B", "DEBIAN:DLA-1490-1:AB1B2"]}], "modified": "2019-05-29T18:34:26", "rev": 2}, "score": {"value": 5.6, "vector": "NONE", "modified": "2019-05-29T18:34:26", "rev": 2}, "vulnersScore": 5.6}, "pluginID": "1361412562310108139", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_php_97178_win.nasl 11982 2018-10-19 08:49:21Z mmartin $\n#\n# PHP Server Side Request Forgery Security Bypass Vulnerability (Windows)\n#\n# Authors:\n# Christian Fischer <christian.fischer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:php:php\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108139\");\n script_version(\"$Revision: 11982 $\");\n script_cve_id(\"CVE-2017-7272\");\n script_bugtraq_id(97178);\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-19 10:49:21 +0200 (Fri, 19 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-04-18 06:00:00 +0200 (Tue, 18 Apr 2017)\");\n script_name(\"PHP Server Side Request Forgery Security Bypass Vulnerability (Windows)\");\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_php_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"php/installed\", \"Host/runs_windows\");\n\n script_xref(name:\"URL\", value:\"http://www.php.net/ChangeLog-7.php\");\n script_xref(name:\"URL\", value:\"http://bugs.php.net/74216\");\n\n script_tag(name:\"summary\", value:\"This host is installed with PHP and is prone\n to a security bypass vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to the php_wddx_pop_element\n function in ext/wddx/wddx.c via an inapplicable class name in a wddxPacket XML document,\n leading to mishandling in a wddx_deserialize call.\");\n\n script_tag(name:\"impact\", value:\"An attacker can exploit this issue to bypass security\n restrictions and perform unauthorized actions. This may aid in further attacks.\");\n\n script_tag(name:\"affected\", value:\"PHP versions 7.0.x before 7.0.18 and 7.1.x before 7.1.4.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to PHP version 7.0.18, 7.1.4\n or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif( isnull( port = get_app_port( cpe:CPE ) ) ) exit( 0 );\nif( ! vers = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( version_in_range( version:vers, test_version:\"7.0\", test_version2:\"7.0.17\" ) ) {\n vuln = TRUE;\n fix = \"7.0.18\";\n}\n\nif( vers =~ \"^7\\.1\") {\n if( version_is_less( version:vers, test_version:\"7.1.4\" ) ) {\n vuln = TRUE;\n fix = \"7.1.4\";\n }\n}\n\nif( vuln ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:fix );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "naslFamily": "Web application abuses"}
{"cve": [{"lastseen": "2021-02-02T06:36:49", "description": "PHP through 7.1.11 enables potential SSRF in applications that accept an fsockopen or pfsockopen hostname argument with an expectation that the port number is constrained. Because a :port syntax is recognized, fsockopen will use the port number that is specified in the hostname argument, instead of the port number in the second argument of the function.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 7.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 4.0}, "published": "2017-03-27T17:59:00", "title": "CVE-2017-7272", "type": "cve", "cwe": ["CWE-918"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7272"], "modified": "2018-02-26T02:29:00", "cpe": ["cpe:/a:php:php:7.1.3"], "id": "CVE-2017-7272", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7272", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:a:php:php:7.1.3:*:*:*:*:*:*:*"]}], "seebug": [{"lastseen": "2017-11-19T12:00:09", "description": "For historical reasons, fsockopen() accepts the port and hostname\r\nseparately: fsockopen('127.0.0.1', 80)\r\n\r\nHowever, with the introdcution of stream transports in PHP 4.3,\r\nit became possible to include the port in the hostname specifier:\r\n\r\nfsockopen('127.0.0.1:80')\r\nOr more formally: fsockopen('tcp://127.0.0.1:80')\r\n\r\nConfusing results when these two forms are combined, however.\r\nfsockopen('127.0.0.1:80', 443) results in fsockopen() attempting\r\nto connect to '127.0.0.1:80:443' which any reasonable stack would\r\nconsider invalid.\r\n\r\nUnfortunately, PHP parses the address looking for the first colon\r\n(with special handling for IPv6, don't worry) and calls atoi()\r\nfrom there. atoi() in turn, simply stops parsing at the first\r\nnon-numeric character and returns the value so far.\r\n\r\nThe end result is that the explicitly supplied port is treated\r\nas ignored garbage, rather than producing an error.\r\n\r\nThis diff replaces atoi() with strtol() and inspects the\r\nstop character. If additional \"garbage\" of any kind is found,\r\nit fails and returns an error.", "published": "2017-04-06T00:00:00", "type": "seebug", "title": "PHP Server Side Request Forgery Security Bypass Vulnerability\uff08CVE-2017-7272\uff09", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7272"], "modified": "2017-04-06T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92911", "id": "SSV:92911", "sourceData": "", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "sourceHref": ""}], "openvas": [{"lastseen": "2019-05-29T18:34:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7272"], "description": "This host is installed with PHP and is prone\n to a security bypass vulnerability.", "modified": "2018-10-12T00:00:00", "published": "2017-04-18T00:00:00", "id": "OPENVAS:1361412562310108138", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108138", "type": "openvas", "title": "PHP Server Side Request Forgery Security Bypass Vulnerability (Linux)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_php_97178_lin.nasl 11874 2018-10-12 11:28:04Z mmartin $\n#\n# PHP Server Side Request Forgery Security Bypass Vulnerability (Linux)\n#\n# Authors:\n# Christian Fischer <christian.fischer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:php:php\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108138\");\n script_version(\"$Revision: 11874 $\");\n script_cve_id(\"CVE-2017-7272\");\n script_bugtraq_id(97178);\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:28:04 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-04-18 06:00:00 +0200 (Tue, 18 Apr 2017)\");\n script_name(\"PHP Server Side Request Forgery Security Bypass Vulnerability (Linux)\");\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_php_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"php/installed\", \"Host/runs_unixoide\");\n\n script_xref(name:\"URL\", value:\"http://www.php.net/ChangeLog-7.php\");\n script_xref(name:\"URL\", value:\"http://bugs.php.net/74216\");\n\n script_tag(name:\"summary\", value:\"This host is installed with PHP and is prone\n to a security bypass vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to the php_wddx_pop_element\n function in ext/wddx/wddx.c via an inapplicable class name in a wddxPacket XML document,\n leading to mishandling in a wddx_deserialize call.\");\n\n script_tag(name:\"impact\", value:\"An attacker can exploit this issue to bypass security\n restrictions and perform unauthorized actions. This may aid in further attacks.\");\n\n script_tag(name:\"affected\", value:\"PHP versions 7.0.x before 7.0.18 and 7.1.x before 7.1.4.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to PHP version 7.0.18, 7.1.4\n or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif( isnull( port = get_app_port( cpe:CPE ) ) ) exit( 0 );\nif( ! vers = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( version_in_range( version:vers, test_version:\"7.0\", test_version2:\"7.0.17\" ) ) {\n vuln = TRUE;\n fix = \"7.0.18\";\n}\n\nif( vers =~ \"^7\\.1\") {\n if( version_is_less( version:vers, test_version:\"7.1.4\" ) ) {\n vuln = TRUE;\n fix = \"7.1.4\";\n }\n}\n\nif( vuln ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:fix );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-01-29T20:10:34", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7272", "CVE-2018-14851", "CVE-2018-14883"], "description": "Two vulnerabilities have been discovered in php5, a server-side,\nHTML-embedded scripting language. One (CVE-2018-14851) results in a\npotential denial of service (out-of-bounds read and application crash)\nvia a crafted JPEG file. The other (CVE-2018-14883) is an Integer\nOverflow that leads to a heap-based buffer over-read.\n\nAdditionally, a previously introduced patch for CVE-2017-7272 was found\nto negatively affect existing PHP applications (#890266). As a result\nof the negative effects and the fact that the security team has marked\nthe CVE in question as ", "modified": "2020-01-29T00:00:00", "published": "2018-09-03T00:00:00", "id": "OPENVAS:1361412562310891490", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891490", "type": "openvas", "title": "Debian LTS: Security Advisory for php5 (DLA-1490-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891490\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2017-7272\", \"CVE-2018-14851\", \"CVE-2018-14883\");\n script_name(\"Debian LTS: Security Advisory for php5 (DLA-1490-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-09-03 00:00:00 +0200 (Mon, 03 Sep 2018)\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2018/09/msg00000.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_tag(name:\"affected\", value:\"php5 on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n5.6.37+dfsg-0+deb8u1.\n\nWe recommend that you upgrade your php5 packages.\");\n\n script_tag(name:\"summary\", value:\"Two vulnerabilities have been discovered in php5, a server-side,\nHTML-embedded scripting language. One (CVE-2018-14851) results in a\npotential denial of service (out-of-bounds read and application crash)\nvia a crafted JPEG file. The other (CVE-2018-14883) is an Integer\nOverflow that leads to a heap-based buffer over-read.\n\nAdditionally, a previously introduced patch for CVE-2017-7272 was found\nto negatively affect existing PHP applications (#890266). As a result\nof the negative effects and the fact that the security team has marked\nthe CVE in question as 'ignore, ' the patch has been dropped.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libapache2-mod-php5\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libapache2-mod-php5filter\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libphp5-embed\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-pear\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-cgi\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-cli\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-common\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-curl\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-dbg\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-dev\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-enchant\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-fpm\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-gd\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-gmp\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-imap\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-interbase\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-intl\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-ldap\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-mcrypt\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-mysql\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-mysqlnd\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-odbc\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-pgsql\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-phpdbg\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-pspell\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-readline\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-recode\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-snmp\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-sqlite\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-sybase\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-tidy\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-xmlrpc\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-xsl\", ver:\"5.6.37+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-01-29T20:09:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7478", "CVE-2017-7272", "CVE-2016-7479", "CVE-2015-8876"], "description": "Several issues have been discovered in PHP (recursive acronym for PHP:\nHypertext Preprocessor), a widely-used open source general-purpose\nscripting language that is especially suited for web development and can\nbe embedded into HTML.\n\nCVE-2016-7478:\nZend/zend_exceptions.c in PHP allows remote attackers to\ncause a denial of service (infinite loop) via a crafted Exception\nobject in serialized data, a related issue to CVE-2015-8876.\n\nCVE-2016-7479:\nDuring the unserialization process, resizing the ", "modified": "2020-01-29T00:00:00", "published": "2018-01-12T00:00:00", "id": "OPENVAS:1361412562310890875", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310890875", "type": "openvas", "title": "Debian LTS: Security Advisory for php5 (DLA-875-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.890875\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2015-8876\", \"CVE-2016-7478\", \"CVE-2016-7479\", \"CVE-2017-7272\");\n script_name(\"Debian LTS: Security Advisory for php5 (DLA-875-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-01-12 00:00:00 +0100 (Fri, 12 Jan 2018)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2017/03/msg00033.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n\n script_tag(name:\"affected\", value:\"php5 on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', these problems have been fixed in version\n5.4.45-0+deb7u8.\n\nWe recommend that you upgrade your php5 packages.\");\n\n script_tag(name:\"summary\", value:\"Several issues have been discovered in PHP (recursive acronym for PHP:\nHypertext Preprocessor), a widely-used open source general-purpose\nscripting language that is especially suited for web development and can\nbe embedded into HTML.\n\nCVE-2016-7478:\nZend/zend_exceptions.c in PHP allows remote attackers to\ncause a denial of service (infinite loop) via a crafted Exception\nobject in serialized data, a related issue to CVE-2015-8876.\n\nCVE-2016-7479:\nDuring the unserialization process, resizing the 'properties' hash\ntable of a serialized object may lead to use-after-free. A remote\nattacker may exploit this bug to gain the ability of arbitrary code\nexecution. Even though the property table issue only affects PHP 7\nthis change also prevents a wide range of other __wakeup() based\nattacks.\n\nCVE-2017-7272:\nThe fsockopen() function will use the port number which is defined\nin hostname instead of the port number passed to the second\nparameter of the function. This misbehavior may introduce another\nattack vector for an already known application vulnerability (e.g.\nServer Side Request Forgery).\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libapache2-mod-php5\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libapache2-mod-php5filter\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libphp5-embed\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-pear\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-cgi\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-cli\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-common\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-curl\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-dbg\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-dev\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-enchant\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-fpm\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-gd\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-gmp\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-imap\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-interbase\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-intl\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-ldap\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-mcrypt\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-mysql\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-mysqlnd\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-odbc\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-pgsql\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-pspell\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-recode\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-snmp\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-sqlite\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-sybase\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-tidy\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-xmlrpc\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-xsl\", ver:\"5.4.45-0+deb7u8\", rls:\"DEB7\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-04T16:49:46", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-11050", "CVE-2019-19204", "CVE-2017-7272", "CVE-2019-11046", "CVE-2019-19246", "CVE-2019-16163", "CVE-2019-11045", "CVE-2019-11047"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-03-02T00:00:00", "published": "2020-02-25T00:00:00", "id": "OPENVAS:1361412562311220201172", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201172", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for php (EulerOS-SA-2020-1172)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1172\");\n script_version(\"2020-03-02T09:20:48+0000\");\n script_cve_id(\"CVE-2017-7272\", \"CVE-2019-11045\", \"CVE-2019-11046\", \"CVE-2019-11047\", \"CVE-2019-11050\", \"CVE-2019-16163\", \"CVE-2019-19204\", \"CVE-2019-19246\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-03-02 09:20:48 +0000 (Mon, 02 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-02-25 13:57:50 +0000 (Tue, 25 Feb 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for php (EulerOS-SA-2020-1172)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP8\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1172\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1172\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'php' package(s) announced via the EulerOS-SA-2020-1172 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function fetch_interval_quantifier (formerly known as fetch_range_quantifier) in regparse.c, PFETCH is called without checking PEND. This leads to a heap-based buffer over-read.(CVE-2019-19204)\n\nOniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of recursion in regparse.c.(CVE-2019-16163)\n\nOniguruma through 6.9.3, as used in PHP 7.3.x and other products, has a heap-based buffer over-read in str_lower_case_match in regexec.c.(CVE-2019-19246)\n\nPHP through 7.1.11 enables potential SSRF in applications that accept an fsockopen or pfsockopen hostname argument with an expectation that the port number is constrained. Because a :port syntax is recognized, fsockopen will use the port number that is specified in the hostname argument, instead of the port number in the second argument of the function.(CVE-2017-7272)\n\nIn PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \\0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.(CVE-2019-11045)\n\nIn PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren't ASCII numbers. This can read to disclosure of the content of some memory locations.(CVE-2019-11046)\n\nWhen PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.(CVE-2019-11047)\n\nWhen PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.(CVE-2019-11050)\");\n\n script_tag(name:\"affected\", value:\"'php' package(s) on Huawei EulerOS V2.0SP8.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP8\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"php\", rpm:\"php~7.2.10~1.h13.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-cli\", rpm:\"php-cli~7.2.10~1.h13.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-common\", rpm:\"php-common~7.2.10~1.h13.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-fpm\", rpm:\"php-fpm~7.2.10~1.h13.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-gd\", rpm:\"php-gd~7.2.10~1.h13.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-ldap\", rpm:\"php-ldap~7.2.10~1.h13.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-odbc\", rpm:\"php-odbc~7.2.10~1.h13.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-pdo\", rpm:\"php-pdo~7.2.10~1.h13.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-process\", rpm:\"php-process~7.2.10~1.h13.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-recode\", rpm:\"php-recode~7.2.10~1.h13.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-soap\", rpm:\"php-soap~7.2.10~1.h13.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-xml\", rpm:\"php-xml~7.2.10~1.h13.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-xmlrpc\", rpm:\"php-xmlrpc~7.2.10~1.h13.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2020-04-07T16:58:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-11050", "CVE-2019-19204", "CVE-2017-7272", "CVE-2019-11046", "CVE-2019-19246", "CVE-2019-16163", "CVE-2019-11045", "CVE-2019-11047"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-04-03T00:00:00", "published": "2020-04-01T00:00:00", "id": "OPENVAS:1361412562311220201350", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201350", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for php (EulerOS-SA-2020-1350)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1350\");\n script_version(\"2020-04-03T06:07:41+0000\");\n script_cve_id(\"CVE-2017-7272\", \"CVE-2019-11045\", \"CVE-2019-11046\", \"CVE-2019-11047\", \"CVE-2019-11050\", \"CVE-2019-16163\", \"CVE-2019-19204\", \"CVE-2019-19246\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-04-03 06:07:41 +0000 (Fri, 03 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-01 13:54:33 +0000 (Wed, 01 Apr 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for php (EulerOS-SA-2020-1350)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRTARM64-3\\.0\\.6\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1350\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1350\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'php' package(s) announced via the EulerOS-SA-2020-1350 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.(CVE-2019-11050)\n\nIn PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren't ASCII numbers. This can read to disclosure of the content of some memory locations.(CVE-2019-11046)\n\nIn PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \\0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.(CVE-2019-11045)\n\nWhen PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.(CVE-2019-11047)\n\nPHP through 7.1.11 enables potential SSRF in applications that accept an fsockopen or pfsockopen hostname argument with an expectation that the port number is constrained. Because a :port syntax is recognized, fsockopen will use the port number that is specified in the hostname argument, instead of the port number in the second argument of the function.(CVE-2017-7272)\n\nOniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of recursion in regparse.c.(CVE-2019-16163)\n\nOniguruma through 6.9.3, as used in PHP 7.3.x and other products, has a heap-based buffer over-read in str_lower_case_match in regexec.c.(CVE-2019-19246)\n\nAn issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function fetch_interval_quantifier (formerly known as fetch_range_quantifier) in regparse.c, PFETCH is called without checking PEND. This leads to a heap-based buffer over-read.(CVE-2019-19204)\");\n\n script_tag(name:\"affected\", value:\"'php' package(s) on Huawei EulerOS Virtualization for ARM 64 3.0.6.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRTARM64-3.0.6.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"php\", rpm:\"php~7.2.10~1.h13.eulerosv2r8\", rls:\"EULEROSVIRTARM64-3.0.6.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-cli\", rpm:\"php-cli~7.2.10~1.h13.eulerosv2r8\", rls:\"EULEROSVIRTARM64-3.0.6.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-common\", rpm:\"php-common~7.2.10~1.h13.eulerosv2r8\", rls:\"EULEROSVIRTARM64-3.0.6.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2020-05-08T09:01:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10397", "CVE-2019-11050", "CVE-2019-19204", "CVE-2017-7272", "CVE-2017-16642", "CVE-2019-19246", "CVE-2019-11047", "CVE-2017-11145", "CVE-2016-7412"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-05-04T00:00:00", "published": "2020-04-30T00:00:00", "id": "OPENVAS:1361412562311220201542", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201542", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for php (EulerOS-SA-2020-1542)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1542\");\n script_version(\"2020-05-04T12:56:06+0000\");\n script_cve_id(\"CVE-2016-10397\", \"CVE-2016-7412\", \"CVE-2017-11145\", \"CVE-2017-16642\", \"CVE-2017-7272\", \"CVE-2019-11047\", \"CVE-2019-11050\", \"CVE-2019-19204\", \"CVE-2019-19246\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-05-04 12:56:06 +0000 (Mon, 04 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-30 12:13:02 +0000 (Thu, 30 Apr 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for php (EulerOS-SA-2020-1542)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRTARM64-3\\.0\\.2\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1542\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1542\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'php' package(s) announced via the EulerOS-SA-2020-1542 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A flaw was found in HAProxy before 2.0.6. In legacy mode, messages featuring a transfer-encoding header missing the 'chunked' value were not being correctly rejected. The impact was limited but if combined with the 'http-reuse always' setting, it could be used to help construct an HTTP request smuggling attack against a vulnerable component employing a lenient parser that would ignore the content-length header as soon as it saw a transfer-encoding one (even if not entirely valid according to the specification).(CVE-2017-16642)\n\nIn PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension's timelib_meridian handling of 'front of' and 'back of' directives could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: this is a different issue than CVE-2017-11145.(CVE-2017-11145)\n\next/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an unserialize call that references a partially constructed object.(CVE-2016-10397)\n\nDouble free vulnerability in the zend_ts_hash_graceful_destroy function in zend_ts_hash.c in the Zend Engine in PHP through 5.5.20 and 5.6.x through 5.6.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.(CVE-2016-7412)\n\nOniguruma through 6.9.3, as used in PHP 7.3.x and other products, has a heap-based buffer over-read in str_lower_case_match in regexec.c.(CVE-2019-19246)\n\nWhen PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.(CVE-2019-11047)\n\nmain/php_open_temporary_file.c in PHP before 5.5.28 and 5.6.x before 5.6.12 does not ensure thread safety, which allows remote attackers to cause a denial of service (race condition and heap memory corruption) by leveraging an application that performs many temporary-file accesses.(CVE-2017-7272)\n\nWhen PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to ...\n\n Description truncated. Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'php' package(s) on Huawei EulerOS Virtualization for ARM 64 3.0.2.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRTARM64-3.0.2.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"php\", rpm:\"php~5.4.16~45.h29\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-cli\", rpm:\"php-cli~5.4.16~45.h29\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-common\", rpm:\"php-common~5.4.16~45.h29\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-02-26T16:48:16", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10397", "CVE-2017-7272", "CVE-2017-16642", "CVE-2016-7411", "CVE-2019-19246", "CVE-2019-11045", "CVE-2019-11047", "CVE-2017-11145", "CVE-2016-7412"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-02-24T00:00:00", "published": "2020-02-24T00:00:00", "id": "OPENVAS:1361412562311220201124", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201124", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for php (EulerOS-SA-2020-1124)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1124\");\n script_version(\"2020-02-24T09:06:59+0000\");\n script_cve_id(\"CVE-2016-10397\", \"CVE-2016-7411\", \"CVE-2016-7412\", \"CVE-2017-11145\", \"CVE-2017-16642\", \"CVE-2017-7272\", \"CVE-2019-11045\", \"CVE-2019-11047\", \"CVE-2019-19246\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-02-24 09:06:59 +0000 (Mon, 24 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-02-24 09:06:59 +0000 (Mon, 24 Feb 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for php (EulerOS-SA-2020-1124)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP5\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1124\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1124\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'php' package(s) announced via the EulerOS-SA-2020-1124 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26 and 7.x before 7.0.11 does not verify that a BIT field has the UNSIGNED_FLAG flag, which allows remote MySQL servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted field metadata.(CVE-2016-7412)\n\next/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an unserialize call that references a partially constructed object.(CVE-2016-7411)\n\nIn PHP before 5.6.28 and 7.x before 7.0.13, incorrect handling of various URI components in the URL parser could be used by attackers to bypass hostname-specific URL checks, as demonstrated by evil.example.com:80#@good.example.com/ and evil.example.com:80?@good.example.com/ inputs to the parse_url function (implemented in the php_url_parse_ex function in ext/standard/url.c).(CVE-2016-10397)\n\nIn PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, an error in the date extension's timelib_meridian parsing code could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: the correct fix is in the e8b7698f5ee757ce2c8bd10a192a491a498f891c commit, not the bd77ac90d3bdf31ce2a5251ad92e9e75 gist.(CVE-2017-11145)\n\nIn PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension's timelib_meridian handling of 'front of' and 'back of' directives could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: this is a different issue than CVE-2017-11145.(CVE-2017-16642)\n\nIn PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \\0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.(CVE-2019-11045)\n\nOniguruma through 6.9.3, as used in PHP 7.3.x and other products, has a heap-based buffer over-read in str_lower_case_match in regexec.c.(CVE-2019-19246)\n\nPHP through 7.1.11 enables potential SSRF in applications that accept an fsockopen or pfsockopen hostname argument with an expectation that the port number is constrained. Because a :port syntax is recognized, fsockopen will use the port number that is specifi ...\n\n Description truncated. Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'php' package(s) on Huawei EulerOS V2.0SP5.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP5\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"php\", rpm:\"php~5.4.16~45.h27.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-cli\", rpm:\"php-cli~5.4.16~45.h27.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-common\", rpm:\"php-common~5.4.16~45.h27.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-gd\", rpm:\"php-gd~5.4.16~45.h27.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-ldap\", rpm:\"php-ldap~5.4.16~45.h27.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-mysql\", rpm:\"php-mysql~5.4.16~45.h27.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-odbc\", rpm:\"php-odbc~5.4.16~45.h27.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-pdo\", rpm:\"php-pdo~5.4.16~45.h27.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-pgsql\", rpm:\"php-pgsql~5.4.16~45.h27.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-process\", rpm:\"php-process~5.4.16~45.h27.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-recode\", rpm:\"php-recode~5.4.16~45.h27.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-soap\", rpm:\"php-soap~5.4.16~45.h27.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-xml\", rpm:\"php-xml~5.4.16~45.h27.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-xmlrpc\", rpm:\"php-xmlrpc~5.4.16~45.h27.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-27T18:36:54", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10397", "CVE-2014-9767", "CVE-2017-9224", "CVE-2016-7414", "CVE-2017-12933", "CVE-2014-9912", "CVE-2016-6288", "CVE-2011-4718", "CVE-2017-9228", "CVE-2017-9226", "CVE-2016-4540", "CVE-2015-8879", "CVE-2016-9935", "CVE-2016-3185", "CVE-2018-10545", "CVE-2017-11143", "CVE-2018-5712", "CVE-2017-9229", "CVE-2015-8382", "CVE-2015-8867", "CVE-2016-7125", "CVE-2016-4543", "CVE-2016-4542", "CVE-2017-9227", "CVE-2016-4541", "CVE-2019-11041", "CVE-2017-11628", "CVE-2017-7272", "CVE-2016-2554", "CVE-2018-14851", "CVE-2019-11042", "CVE-2015-8835", "CVE-2017-16642", "CVE-2015-6833", "CVE-2016-4070", "CVE-2015-8874", "CVE-2016-6292", "CVE-2016-9934", "CVE-2015-6831", "CVE-2017-11147", "CVE-2016-6293", "CVE-2019-11040", "CVE-2016-7411", "CVE-2016-4539", "CVE-2016-5093", "CVE-2016-5094", "CVE-2016-7124", "CVE-2016-7480", "CVE-2019-11043", "CVE-2016-6294", "CVE-2016-7128", "CVE-2015-8935", "CVE-2015-7803", "CVE-2016-7418", "CVE-2018-17082", "CVE-2015-5589", "CVE-2016-3141", "CVE-2018-10547", "CVE-2016-6291", "CVE-2017-11144", "CVE-2015-6832", "CVE-2016-3142", "CVE-2015-7804", "CVE-2016-7412"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220192438", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220192438", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for php (EulerOS-SA-2019-2438)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.2438\");\n script_version(\"2020-01-23T12:56:51+0000\");\n script_cve_id(\"CVE-2011-4718\", \"CVE-2014-9767\", \"CVE-2014-9912\", \"CVE-2015-5589\", \"CVE-2015-6831\", \"CVE-2015-6832\", \"CVE-2015-6833\", \"CVE-2015-7803\", \"CVE-2015-7804\", \"CVE-2015-8382\", \"CVE-2015-8835\", \"CVE-2015-8867\", \"CVE-2015-8874\", \"CVE-2015-8879\", \"CVE-2015-8935\", \"CVE-2016-10397\", \"CVE-2016-2554\", \"CVE-2016-3141\", \"CVE-2016-3142\", \"CVE-2016-3185\", \"CVE-2016-4070\", \"CVE-2016-4539\", \"CVE-2016-4540\", \"CVE-2016-4541\", \"CVE-2016-4542\", \"CVE-2016-4543\", \"CVE-2016-5093\", \"CVE-2016-5094\", \"CVE-2016-6288\", \"CVE-2016-6291\", \"CVE-2016-6292\", \"CVE-2016-6293\", \"CVE-2016-6294\", \"CVE-2016-7124\", \"CVE-2016-7125\", \"CVE-2016-7128\", \"CVE-2016-7411\", \"CVE-2016-7412\", \"CVE-2016-7414\", \"CVE-2016-7418\", \"CVE-2016-7480\", \"CVE-2016-9934\", \"CVE-2016-9935\", \"CVE-2017-11143\", \"CVE-2017-11144\", \"CVE-2017-11147\", \"CVE-2017-11628\", \"CVE-2017-12933\", \"CVE-2017-16642\", \"CVE-2017-7272\", \"CVE-2017-9224\", \"CVE-2017-9226\", \"CVE-2017-9227\", \"CVE-2017-9228\", \"CVE-2017-9229\", \"CVE-2018-10545\", \"CVE-2018-10547\", \"CVE-2018-14851\", \"CVE-2018-17082\", \"CVE-2018-5712\", \"CVE-2019-11040\", \"CVE-2019-11041\", \"CVE-2019-11042\", \"CVE-2019-11043\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 12:56:51 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:56:51 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for php (EulerOS-SA-2019-2438)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP2\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-2438\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2438\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'php' package(s) announced via the EulerOS-SA-2019-2438 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.(CVE-2019-11043)\n\nThe finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserializing untrusted data. Exploitation of this issue can have an unspecified impact on the integrity of PHP.(CVE-2017-12933)\n\next/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.(CVE-2016-7124)\n\nThe match function in pcre_exec.c in PCRE before 8.37 mishandles the /(?:((abcd))<pipe>(((?:(?:(?:(?:abc<pipe>(?:abcdef))))b)abcdefghi)abc)<pipe>((*ACCEPT)))/ pattern and related patterns involving (*ACCEPT), which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (partially initialized memory and application crash) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-2547.(CVE-2015-8382)\n\nAn issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.(CVE-2018-5712)\n\nexif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG file.(CVE-2018-14851)\n\nThe SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.(CVE-2016-7480)\n\next/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an unserialize call that references a partially constructed object.(CVE-2016-7411)\n\nThe odbc_bindcols function in ext/odbc/php_odbc.c in PHP before 5.6.12 mishandles driver behavior for SQL_ ...\n\n Description truncated. Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'php' package(s) on Huawei EulerOS V2.0SP2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"php\", rpm:\"php~5.4.16~42.h63\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-cli\", rpm:\"php-cli~5.4.16~42.h63\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-common\", rpm:\"php-common~5.4.16~42.h63\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-gd\", rpm:\"php-gd~5.4.16~42.h63\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-ldap\", rpm:\"php-ldap~5.4.16~42.h63\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-mysql\", rpm:\"php-mysql~5.4.16~42.h63\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-odbc\", rpm:\"php-odbc~5.4.16~42.h63\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-pdo\", rpm:\"php-pdo~5.4.16~42.h63\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-pgsql\", rpm:\"php-pgsql~5.4.16~42.h63\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-process\", rpm:\"php-process~5.4.16~42.h63\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-recode\", rpm:\"php-recode~5.4.16~42.h63\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-soap\", rpm:\"php-soap~5.4.16~42.h63\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-xml\", rpm:\"php-xml~5.4.16~42.h63\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-xmlrpc\", rpm:\"php-xmlrpc~5.4.16~42.h63\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-27T18:37:52", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10397", "CVE-2014-9767", "CVE-2017-9224", "CVE-2016-7414", "CVE-2017-12933", "CVE-2014-9912", "CVE-2016-6288", "CVE-2011-4718", "CVE-2017-9228", "CVE-2017-9226", "CVE-2016-4540", "CVE-2015-8879", "CVE-2016-9935", "CVE-2016-3185", "CVE-2018-10545", "CVE-2017-11143", "CVE-2018-5712", "CVE-2017-9229", "CVE-2016-7125", "CVE-2016-4543", "CVE-2016-4542", "CVE-2017-9227", "CVE-2016-4541", "CVE-2017-11628", "CVE-2017-7272", "CVE-2016-2554", "CVE-2018-14851", "CVE-2015-8835", "CVE-2017-16642", "CVE-2015-6833", "CVE-2016-4070", "CVE-2015-8874", "CVE-2016-6292", "CVE-2016-9934", "CVE-2015-4116", "CVE-2015-6831", "CVE-2017-11147", "CVE-2016-10159", "CVE-2016-7411", "CVE-2016-4539", "CVE-2016-5093", "CVE-2016-5094", "CVE-2016-7124", "CVE-2016-7480", "CVE-2019-11043", "CVE-2016-6294", "CVE-2016-7128", "CVE-2015-8935", "CVE-2015-7803", "CVE-2016-7418", "CVE-2018-17082", "CVE-2015-8866", "CVE-2016-10161", "CVE-2015-5589", "CVE-2016-3141", "CVE-2018-10547", "CVE-2016-6291", "CVE-2016-10158", "CVE-2017-11144", "CVE-2015-6832", "CVE-2016-3142", "CVE-2018-5711", "CVE-2015-7804", "CVE-2016-7412"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220192649", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220192649", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for php (EulerOS-SA-2019-2649)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.2649\");\n script_version(\"2020-01-23T13:11:07+0000\");\n script_cve_id(\"CVE-2011-4718\", \"CVE-2014-9767\", \"CVE-2014-9912\", \"CVE-2015-4116\", \"CVE-2015-5589\", \"CVE-2015-6831\", \"CVE-2015-6832\", \"CVE-2015-6833\", \"CVE-2015-7803\", \"CVE-2015-7804\", \"CVE-2015-8835\", \"CVE-2015-8866\", \"CVE-2015-8874\", \"CVE-2015-8879\", \"CVE-2015-8935\", \"CVE-2016-10158\", \"CVE-2016-10159\", \"CVE-2016-10161\", \"CVE-2016-10397\", \"CVE-2016-2554\", \"CVE-2016-3141\", \"CVE-2016-3142\", \"CVE-2016-3185\", \"CVE-2016-4070\", \"CVE-2016-4539\", \"CVE-2016-4540\", \"CVE-2016-4541\", \"CVE-2016-4542\", \"CVE-2016-4543\", \"CVE-2016-5093\", \"CVE-2016-5094\", \"CVE-2016-6288\", \"CVE-2016-6291\", \"CVE-2016-6292\", \"CVE-2016-6294\", \"CVE-2016-7124\", \"CVE-2016-7125\", \"CVE-2016-7128\", \"CVE-2016-7411\", \"CVE-2016-7412\", \"CVE-2016-7414\", \"CVE-2016-7418\", \"CVE-2016-7480\", \"CVE-2016-9934\", \"CVE-2016-9935\", \"CVE-2017-11143\", \"CVE-2017-11144\", \"CVE-2017-11147\", \"CVE-2017-11628\", \"CVE-2017-12933\", \"CVE-2017-16642\", \"CVE-2017-7272\", \"CVE-2017-9224\", \"CVE-2017-9226\", \"CVE-2017-9227\", \"CVE-2017-9228\", \"CVE-2017-9229\", \"CVE-2018-10545\", \"CVE-2018-10547\", \"CVE-2018-14851\", \"CVE-2018-17082\", \"CVE-2018-5711\", \"CVE-2018-5712\", \"CVE-2019-11043\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 13:11:07 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 13:11:07 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for php (EulerOS-SA-2019-2649)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP3\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-2649\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2649\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'php' package(s) announced via the EulerOS-SA-2019-2649 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"** DISPUTED ** Integer overflow in the php_raw_url_encode function in ext/standard/url.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to cause a denial of service (application crash) via a long string to the rawurlencode function. NOTE: the vendor says 'Not sure if this qualifies as security issue (probably not).'(CVE-2016-4070)\n\nAn issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712.(CVE-2018-10547)\n\nAn issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write occurs in bitset_set_range() during regular expression compilation due to an uninitialized variable from an incorrect state transition. An incorrect state transition in parse_char_class() could create an execution path that leaves a critical local variable uninitialized until it's used as an index, resulting in an out-of-bounds write memory corruption.(CVE-2017-9228)\n\nAn issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write or read occurs in next_state_val() during regular expression compilation. Octal numbers larger than 0xff are not handled correctly in fetch_token() and fetch_token_in_cc(). A malformed regular expression containing an octal number in the form of '\\700' would produce an invalid code point value larger than 0xff in next_state_val(), resulting in an out-of-bounds write memory corruption.(CVE-2017-9226)\n\nAn issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV occurs in left_adjust_char_head() during regular expression compilation. Invalid handling of reg-dmax in forward_search_range() could result in an invalid pointer dereference, normally as an immediate denial-of-service condition.(CVE-2017-9229)\n\nAn issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in match_at() during regular expression searching. A logical error involving order of validation and access in match_at() could result in an out-of-bounds read from a stack buffer.(CVE-2017-9224)\n\nAn issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring ...\n\n Description truncated. Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'php' package(s) on Huawei EulerOS V2.0SP3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP3\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"php\", rpm:\"php~5.4.16~42.h51\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-cli\", rpm:\"php-cli~5.4.16~42.h51\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-common\", rpm:\"php-common~5.4.16~42.h51\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-gd\", rpm:\"php-gd~5.4.16~42.h51\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-ldap\", rpm:\"php-ldap~5.4.16~42.h51\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-mysql\", rpm:\"php-mysql~5.4.16~42.h51\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-odbc\", rpm:\"php-odbc~5.4.16~42.h51\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-pdo\", rpm:\"php-pdo~5.4.16~42.h51\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-pgsql\", rpm:\"php-pgsql~5.4.16~42.h51\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-process\", rpm:\"php-process~5.4.16~42.h51\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-recode\", rpm:\"php-recode~5.4.16~42.h51\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-soap\", rpm:\"php-soap~5.4.16~42.h51\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-xml\", rpm:\"php-xml~5.4.16~42.h51\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-xmlrpc\", rpm:\"php-xmlrpc~5.4.16~42.h51\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T20:00:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10397", "CVE-2014-9767", "CVE-2016-7414", "CVE-2017-12933", "CVE-2019-11050", "CVE-2014-9912", "CVE-2016-6288", "CVE-2011-4718", "CVE-2017-9226", "CVE-2016-4540", "CVE-2015-8879", "CVE-2016-9935", "CVE-2016-5772", "CVE-2016-3185", "CVE-2018-10545", "CVE-2017-11143", "CVE-2018-5712", "CVE-2015-8867", "CVE-2019-19204", "CVE-2016-7125", "CVE-2016-4542", "CVE-2019-11041", "CVE-2017-11628", "CVE-2017-7272", "CVE-2016-2554", "CVE-2018-14851", "CVE-2019-11042", "CVE-2017-16642", "CVE-2015-6833", "CVE-2016-4070", "CVE-2015-8874", "CVE-2016-6292", "CVE-2016-9934", "CVE-2015-4116", "CVE-2015-6831", "CVE-2017-11147", "CVE-2016-10159", "CVE-2019-9641", "CVE-2016-4539", "CVE-2016-5093", "CVE-2016-5094", "CVE-2016-7124", "CVE-2016-4073", "CVE-2019-11043", "CVE-2016-6294", "CVE-2016-7128", "CVE-2015-8935", "CVE-2015-7803", "CVE-2016-7418", "CVE-2018-17082", "CVE-2015-8866", "CVE-2019-19246", "CVE-2016-10161", "CVE-2016-3141", "CVE-2018-10547", "CVE-2016-6291", "CVE-2016-10158", "CVE-2019-11047", "CVE-2017-11145", "CVE-2017-11144", "CVE-2015-6832", "CVE-2016-3142", "CVE-2018-5711", "CVE-2015-7804", "CVE-2016-7412"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-07-03T00:00:00", "published": "2020-07-03T00:00:00", "id": "OPENVAS:1361412562311220201747", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201747", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for php (EulerOS-SA-2020-1747)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1747\");\n script_version(\"2020-07-03T06:19:30+0000\");\n script_cve_id(\"CVE-2011-4718\", \"CVE-2014-9767\", \"CVE-2014-9912\", \"CVE-2015-4116\", \"CVE-2015-6831\", \"CVE-2015-6832\", \"CVE-2015-6833\", \"CVE-2015-7803\", \"CVE-2015-7804\", \"CVE-2015-8866\", \"CVE-2015-8867\", \"CVE-2015-8874\", \"CVE-2015-8879\", \"CVE-2015-8935\", \"CVE-2016-10158\", \"CVE-2016-10159\", \"CVE-2016-10161\", \"CVE-2016-10397\", \"CVE-2016-2554\", \"CVE-2016-3141\", \"CVE-2016-3142\", \"CVE-2016-3185\", \"CVE-2016-4070\", \"CVE-2016-4073\", \"CVE-2016-4539\", \"CVE-2016-4540\", \"CVE-2016-4542\", \"CVE-2016-5093\", \"CVE-2016-5094\", \"CVE-2016-5772\", \"CVE-2016-6288\", \"CVE-2016-6291\", \"CVE-2016-6292\", \"CVE-2016-6294\", \"CVE-2016-7124\", \"CVE-2016-7125\", \"CVE-2016-7128\", \"CVE-2016-7412\", \"CVE-2016-7414\", \"CVE-2016-7418\", \"CVE-2016-9934\", \"CVE-2016-9935\", \"CVE-2017-11143\", \"CVE-2017-11144\", \"CVE-2017-11145\", \"CVE-2017-11147\", \"CVE-2017-11628\", \"CVE-2017-12933\", \"CVE-2017-16642\", \"CVE-2017-7272\", \"CVE-2017-9226\", \"CVE-2018-10545\", \"CVE-2018-10547\", \"CVE-2018-14851\", \"CVE-2018-17082\", \"CVE-2018-5711\", \"CVE-2018-5712\", \"CVE-2019-11041\", \"CVE-2019-11042\", \"CVE-2019-11043\", \"CVE-2019-11047\", \"CVE-2019-11050\", \"CVE-2019-19204\", \"CVE-2019-19246\", \"CVE-2019-9641\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-03 06:19:30 +0000 (Fri, 03 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-07-03 06:19:30 +0000 (Fri, 03 Jul 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for php (EulerOS-SA-2020-1747)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRT-3\\.0\\.6\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1747\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1747\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'php' package(s) announced via the EulerOS-SA-2020-1747 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.(CVE-2019-11042)\n\nWhen PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.(CVE-2019-11041)\n\nAn issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.(CVE-2018-5712)\n\ngd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1, has an integer signedness error that leads to an infinite loop via a crafted GIF file, as demonstrated by a call to the imagecreatefromgif or imagecreatefromstring PHP function. This is related to GetCode_ and gdImageCreateFromGifCtx.(CVE-2018-5711)\n\nThe Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a 'Transfer-Encoding: chunked' request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.(CVE-2018-17082)\n\nexif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG file.(CVE-2018-14851)\n\nAn issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712.(CVE-2018-10547)\n\nAn issue was discovered in PHP before 5.6.35, 7.0.x before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before 7.2.4. Dumpable FPM child processes allow bypassing opcache access controls because fpm_unix.c makes a PR_SET_DUMPABLE prctl call, allowing one user (in a multiuser environment) to obtain sensitive information from the process memory of a second user's PHP applications by running gcore on the PID of the ...\n\n Description truncated. Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'php' package(s) on Huawei EulerOS Virtualization 3.0.6.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRT-3.0.6.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"php\", rpm:\"php~5.4.16~45.h30\", rls:\"EULEROSVIRT-3.0.6.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-cli\", rpm:\"php-cli~5.4.16~45.h30\", rls:\"EULEROSVIRT-3.0.6.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"php-common\", rpm:\"php-common~5.4.16~45.h30\", rls:\"EULEROSVIRT-3.0.6.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2017-06-28T20:15:23", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7272"], "description": "This update for php53 fixes the following issues:\n\n - The fix for CVE-2017-7272 was reverted, as it caused regressions in the\n mysql server connect module. [bsc#1044976] The security fix tried to\n avoid a server side request forgery, and will be submitted when a better\n fix becomes available.\n\n", "edition": 1, "modified": "2017-06-28T18:11:15", "published": "2017-06-28T18:11:15", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-06/msg00039.html", "id": "SUSE-SU-2017:1709-1", "title": "Security update for php53 (important)", "type": "suse", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "nessus": [{"lastseen": "2021-01-20T14:47:50", "description": "This update for php53 fixes the following issues :\n\n - The fix for CVE-2017-7272 was reverted, as it caused\n regressions in the mysql server connect module.\n [bsc#1044976] The security fix tried to avoid a server\n side request forgery, and will be submitted when a\n better fix becomes available.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "cvss3": {"score": 7.4, "vector": "AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N"}, "published": "2017-06-29T00:00:00", "title": "SUSE SLES11 Security Update : php53 (SUSE-SU-2017:1709-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7272"], "modified": "2017-06-29T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:php53-shmop", "p-cpe:/a:novell:suse_linux:php53-snmp", "p-cpe:/a:novell:suse_linux:php53-sysvsem", "p-cpe:/a:novell:suse_linux:php53-dba", "p-cpe:/a:novell:suse_linux:php53-pear", "p-cpe:/a:novell:suse_linux:php53-xsl", "p-cpe:/a:novell:suse_linux:php53-calendar", "p-cpe:/a:novell:suse_linux:php53-openssl", "p-cpe:/a:novell:suse_linux:php53", "p-cpe:/a:novell:suse_linux:php53-dom", "p-cpe:/a:novell:suse_linux:php53-odbc", "p-cpe:/a:novell:suse_linux:php53-ctype", "p-cpe:/a:novell:suse_linux:php53-zip", "p-cpe:/a:novell:suse_linux:php53-pgsql", "p-cpe:/a:novell:suse_linux:php53-pcntl", "p-cpe:/a:novell:suse_linux:php53-pspell", "p-cpe:/a:novell:suse_linux:apache2-mod_php53", "p-cpe:/a:novell:suse_linux:php53-gmp", "p-cpe:/a:novell:suse_linux:php53-gd", "p-cpe:/a:novell:suse_linux:php53-curl", "p-cpe:/a:novell:suse_linux:php53-gettext", "p-cpe:/a:novell:suse_linux:php53-iconv", "p-cpe:/a:novell:suse_linux:php53-bz2", "cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:php53-zlib", "p-cpe:/a:novell:suse_linux:php53-bcmath", "p-cpe:/a:novell:suse_linux:php53-fastcgi", "p-cpe:/a:novell:suse_linux:php53-json", "p-cpe:/a:novell:suse_linux:php53-sysvmsg", "p-cpe:/a:novell:suse_linux:php53-mbstring", "p-cpe:/a:novell:suse_linux:php53-ldap", "p-cpe:/a:novell:suse_linux:php53-xmlreader", "p-cpe:/a:novell:suse_linux:php53-suhosin", "p-cpe:/a:novell:suse_linux:php53-ftp", "p-cpe:/a:novell:suse_linux:php53-soap", "p-cpe:/a:novell:suse_linux:php53-sysvshm", "p-cpe:/a:novell:suse_linux:php53-fileinfo", "p-cpe:/a:novell:suse_linux:php53-mcrypt", "p-cpe:/a:novell:suse_linux:php53-intl", "p-cpe:/a:novell:suse_linux:php53-wddx", "p-cpe:/a:novell:suse_linux:php53-xmlrpc", "p-cpe:/a:novell:suse_linux:php53-tokenizer", "p-cpe:/a:novell:suse_linux:php53-pdo", "p-cpe:/a:novell:suse_linux:php53-xmlwriter", "p-cpe:/a:novell:suse_linux:php53-mysql", "p-cpe:/a:novell:suse_linux:php53-exif"], "id": "SUSE_SU-2017-1709-1.NASL", "href": "https://www.tenable.com/plugins/nessus/101107", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:1709-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101107);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2017-7272\");\n\n script_name(english:\"SUSE SLES11 Security Update : php53 (SUSE-SU-2017:1709-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for php53 fixes the following issues :\n\n - The fix for CVE-2017-7272 was reverted, as it caused\n regressions in the mysql server connect module.\n [bsc#1044976] The security fix tried to avoid a server\n side request forgery, and will be submitted when a\n better fix becomes available.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1031246\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1044976\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-7272/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20171709-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?88322559\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 11-SP4:zypper in -t\npatch sdksp4-php53-13179=1\n\nSUSE Linux Enterprise Server 11-SP4:zypper in -t patch\nslessp4-php53-13179=1\n\nSUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch\ndbgsp4-php53-13179=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-mod_php53\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-bcmath\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-bz2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-calendar\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-ctype\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-dba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-dom\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-exif\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-fastcgi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-fileinfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-ftp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-gettext\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-gmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-iconv\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-intl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-json\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-mbstring\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-mcrypt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-odbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-pcntl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-pdo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-pear\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-pspell\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-shmop\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-snmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-soap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-suhosin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-sysvmsg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-sysvsem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-sysvshm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-tokenizer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-wddx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-xmlreader\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-xmlwriter\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-xsl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-zlib\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/29\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! preg(pattern:\"^(4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"apache2-mod_php53-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-bcmath-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-bz2-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-calendar-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-ctype-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-curl-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-dba-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-dom-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-exif-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-fastcgi-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-fileinfo-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-ftp-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-gd-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-gettext-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-gmp-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-iconv-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-intl-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-json-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-ldap-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-mbstring-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-mcrypt-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-mysql-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-odbc-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-openssl-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-pcntl-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-pdo-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-pear-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-pgsql-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-pspell-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-shmop-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-snmp-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-soap-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-suhosin-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-sysvmsg-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-sysvsem-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-sysvshm-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-tokenizer-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-wddx-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-xmlreader-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-xmlrpc-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-xmlwriter-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-xsl-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-zip-5.3.17-111.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-zlib-5.3.17-111.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php53\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-12T09:39:46", "description": "Two vulnerabilities have been discovered in php5, a server-side,\nHTML-embedded scripting language. One (CVE-2018-14851) results in a\npotential denial of service (out-of-bounds read and application crash)\nvia a crafted JPEG file. The other (CVE-2018-14883) is an Integer\nOverflow that leads to a heap-based buffer over-read.\n\nAdditionally, a previously introduced patch for CVE-2017-7272 was\nfound to negatively affect existing PHP applications (#890266). As a\nresult of the negative effects and the fact that the security team has\nmarked the CVE in question as 'ignore,' the patch has been dropped.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n5.6.37+dfsg-0+deb8u1.\n\nWe recommend that you upgrade your php5 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 20, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2018-09-04T00:00:00", "title": "Debian DLA-1490-1 : php5 security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7272", "CVE-2018-14851", "CVE-2018-14883"], "modified": "2018-09-04T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libphp5-embed", "p-cpe:/a:debian:debian_linux:php5-pspell", "p-cpe:/a:debian:debian_linux:php-pear", "p-cpe:/a:debian:debian_linux:php5-xsl", "p-cpe:/a:debian:debian_linux:php5-mcrypt", "p-cpe:/a:debian:debian_linux:php5-gd", "p-cpe:/a:debian:debian_linux:php5-interbase", "p-cpe:/a:debian:debian_linux:php5-mysql", "p-cpe:/a:debian:debian_linux:libapache2-mod-php5filter", "p-cpe:/a:debian:debian_linux:php5-intl", "cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:php5-dbg", "p-cpe:/a:debian:debian_linux:php5-xmlrpc", "p-cpe:/a:debian:debian_linux:php5-dev", "p-cpe:/a:debian:debian_linux:php5-sybase", "p-cpe:/a:debian:debian_linux:php5-mysqlnd", "p-cpe:/a:debian:debian_linux:php5-enchant", "p-cpe:/a:debian:debian_linux:php5-recode", "p-cpe:/a:debian:debian_linux:php5-cli", "p-cpe:/a:debian:debian_linux:php5-cgi", "p-cpe:/a:debian:debian_linux:php5-pgsql", "p-cpe:/a:debian:debian_linux:php5-readline", "p-cpe:/a:debian:debian_linux:php5-sqlite", "p-cpe:/a:debian:debian_linux:php5-odbc", "p-cpe:/a:debian:debian_linux:php5-common", "p-cpe:/a:debian:debian_linux:php5-gmp", "p-cpe:/a:debian:debian_linux:php5-phpdbg", "p-cpe:/a:debian:debian_linux:php5", "p-cpe:/a:debian:debian_linux:php5-curl", "p-cpe:/a:debian:debian_linux:php5-snmp", "p-cpe:/a:debian:debian_linux:php5-imap", "p-cpe:/a:debian:debian_linux:libapache2-mod-php5", "p-cpe:/a:debian:debian_linux:php5-tidy", "p-cpe:/a:debian:debian_linux:php5-ldap", "p-cpe:/a:debian:debian_linux:php5-fpm"], "id": "DEBIAN_DLA-1490.NASL", "href": "https://www.tenable.com/plugins/nessus/112229", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1490-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(112229);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2018-14851\", \"CVE-2018-14883\");\n\n script_name(english:\"Debian DLA-1490-1 : php5 security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Two vulnerabilities have been discovered in php5, a server-side,\nHTML-embedded scripting language. One (CVE-2018-14851) results in a\npotential denial of service (out-of-bounds read and application crash)\nvia a crafted JPEG file. The other (CVE-2018-14883) is an Integer\nOverflow that leads to a heap-based buffer over-read.\n\nAdditionally, a previously introduced patch for CVE-2017-7272 was\nfound to negatively affect existing PHP applications (#890266). As a\nresult of the negative effects and the fact that the security team has\nmarked the CVE in question as 'ignore,' the patch has been dropped.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n5.6.37+dfsg-0+deb8u1.\n\nWe recommend that you upgrade your php5 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2018/09/msg00000.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/php5\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libapache2-mod-php5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libapache2-mod-php5filter\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libphp5-embed\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-pear\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-cgi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-enchant\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-fpm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-gmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-imap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-interbase\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-intl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-mcrypt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-mysqlnd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-odbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-phpdbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-pspell\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-readline\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-recode\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-snmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-sqlite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-sybase\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-tidy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-xsl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/09/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libapache2-mod-php5\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libapache2-mod-php5filter\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libphp5-embed\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-pear\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php5\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php5-cgi\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php5-cli\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php5-common\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php5-curl\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php5-dbg\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php5-dev\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php5-enchant\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php5-fpm\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php5-gd\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php5-gmp\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php5-imap\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php5-interbase\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php5-intl\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php5-ldap\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php5-mcrypt\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php5-mysql\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php5-mysqlnd\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php5-odbc\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php5-pgsql\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php5-phpdbg\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php5-pspell\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php5-readline\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php5-recode\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php5-snmp\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php5-sqlite\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php5-sybase\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php5-tidy\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php5-xmlrpc\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php5-xsl\", reference:\"5.6.37+dfsg-0+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-12T09:44:20", "description": "Several issues have been discovered in PHP (recursive acronym for PHP:\nHypertext Preprocessor), a widely-used open source general-purpose\nscripting language that is especially suited for web development and\ncan be embedded into HTML.\n\nCVE-2016-7478: Zend/zend_exceptions.c in PHP allows remote attackers\nto cause a denial of service (infinite loop) via a crafted Exception\nobject in serialized data, a related issue to CVE-2015-8876.\n\nCVE-2016-7479: During the unserialization process, resizing the\n'properties' hash table of a serialized object may lead to\nuse-after-free. A remote attacker may exploit this bug to gain the\nability of arbitrary code execution. Even though the property table\nissue only affects PHP 7 this change also prevents a wide range of\nother __wakeup() based attacks.\n\nCVE-2017-7272: The fsockopen() function will use the port number which\nis defined in hostname instead of the port number passed to the second\nparameter of the function. This misbehavior may introduce another\nattack vector for an already known application vulnerability (e.g.\nServer Side Request Forgery).\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n5.4.45-0+deb7u8.\n\nWe recommend that you upgrade your php5 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 19, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-03-28T00:00:00", "title": "Debian DLA-875-1 : php5 security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7478", "CVE-2017-7272", "CVE-2016-7479", "CVE-2015-8876"], "modified": "2017-03-28T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libphp5-embed", "p-cpe:/a:debian:debian_linux:php5-pspell", "p-cpe:/a:debian:debian_linux:php-pear", "p-cpe:/a:debian:debian_linux:php5-xsl", "p-cpe:/a:debian:debian_linux:php5-mcrypt", "p-cpe:/a:debian:debian_linux:php5-gd", "p-cpe:/a:debian:debian_linux:php5-interbase", "p-cpe:/a:debian:debian_linux:php5-mysql", "p-cpe:/a:debian:debian_linux:libapache2-mod-php5filter", "p-cpe:/a:debian:debian_linux:php5-intl", "p-cpe:/a:debian:debian_linux:php5-dbg", "p-cpe:/a:debian:debian_linux:php5-xmlrpc", "p-cpe:/a:debian:debian_linux:php5-dev", "p-cpe:/a:debian:debian_linux:php5-sybase", "p-cpe:/a:debian:debian_linux:php5-mysqlnd", "p-cpe:/a:debian:debian_linux:php5-enchant", "p-cpe:/a:debian:debian_linux:php5-recode", "p-cpe:/a:debian:debian_linux:php5-cli", "p-cpe:/a:debian:debian_linux:php5-cgi", "p-cpe:/a:debian:debian_linux:php5-pgsql", "p-cpe:/a:debian:debian_linux:php5-sqlite", "p-cpe:/a:debian:debian_linux:php5-odbc", "p-cpe:/a:debian:debian_linux:php5-common", "p-cpe:/a:debian:debian_linux:php5-gmp", "p-cpe:/a:debian:debian_linux:php5", "p-cpe:/a:debian:debian_linux:php5-curl", "cpe:/o:debian:debian_linux:7.0", "p-cpe:/a:debian:debian_linux:php5-snmp", "p-cpe:/a:debian:debian_linux:php5-imap", "p-cpe:/a:debian:debian_linux:libapache2-mod-php5", "p-cpe:/a:debian:debian_linux:php5-tidy", "p-cpe:/a:debian:debian_linux:php5-ldap", "p-cpe:/a:debian:debian_linux:php5-fpm"], "id": "DEBIAN_DLA-875.NASL", "href": "https://www.tenable.com/plugins/nessus/99003", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-875-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99003);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-7478\", \"CVE-2016-7479\", \"CVE-2017-7272\");\n\n script_name(english:\"Debian DLA-875-1 : php5 security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several issues have been discovered in PHP (recursive acronym for PHP:\nHypertext Preprocessor), a widely-used open source general-purpose\nscripting language that is especially suited for web development and\ncan be embedded into HTML.\n\nCVE-2016-7478: Zend/zend_exceptions.c in PHP allows remote attackers\nto cause a denial of service (infinite loop) via a crafted Exception\nobject in serialized data, a related issue to CVE-2015-8876.\n\nCVE-2016-7479: During the unserialization process, resizing the\n'properties' hash table of a serialized object may lead to\nuse-after-free. A remote attacker may exploit this bug to gain the\nability of arbitrary code execution. Even though the property table\nissue only affects PHP 7 this change also prevents a wide range of\nother __wakeup() based attacks.\n\nCVE-2017-7272: The fsockopen() function will use the port number which\nis defined in hostname instead of the port number passed to the second\nparameter of the function. This misbehavior may introduce another\nattack vector for an already known application vulnerability (e.g.\nServer Side Request Forgery).\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n5.4.45-0+deb7u8.\n\nWe recommend that you upgrade your php5 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2017/03/msg00033.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/php5\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libapache2-mod-php5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libapache2-mod-php5filter\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libphp5-embed\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-pear\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-cgi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-enchant\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-fpm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-gmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-imap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-interbase\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-intl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-mcrypt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-mysqlnd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-odbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-pspell\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-recode\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-snmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-sqlite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-sybase\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-tidy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-xsl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"libapache2-mod-php5\", reference:\"5.4.45-0+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libapache2-mod-php5filter\", reference:\"5.4.45-0+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libphp5-embed\", reference:\"5.4.45-0+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"php-pear\", reference:\"5.4.45-0+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"php5\", reference:\"5.4.45-0+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"php5-cgi\", reference:\"5.4.45-0+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"php5-cli\", reference:\"5.4.45-0+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"php5-common\", reference:\"5.4.45-0+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"php5-curl\", reference:\"5.4.45-0+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"php5-dbg\", reference:\"5.4.45-0+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"php5-dev\", reference:\"5.4.45-0+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"php5-enchant\", reference:\"5.4.45-0+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"php5-fpm\", reference:\"5.4.45-0+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"php5-gd\", reference:\"5.4.45-0+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"php5-gmp\", reference:\"5.4.45-0+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"php5-imap\", reference:\"5.4.45-0+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"php5-interbase\", reference:\"5.4.45-0+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"php5-intl\", reference:\"5.4.45-0+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"php5-ldap\", reference:\"5.4.45-0+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"php5-mcrypt\", reference:\"5.4.45-0+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"php5-mysql\", reference:\"5.4.45-0+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"php5-mysqlnd\", reference:\"5.4.45-0+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"php5-odbc\", reference:\"5.4.45-0+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"php5-pgsql\", reference:\"5.4.45-0+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"php5-pspell\", reference:\"5.4.45-0+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"php5-recode\", reference:\"5.4.45-0+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"php5-snmp\", reference:\"5.4.45-0+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"php5-sqlite\", reference:\"5.4.45-0+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"php5-sybase\", reference:\"5.4.45-0+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"php5-tidy\", reference:\"5.4.45-0+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"php5-xmlrpc\", reference:\"5.4.45-0+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"php5-xsl\", reference:\"5.4.45-0+deb7u8\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T14:47:48", "description": "This update for php53 fixes the following issues: This security issue\nwas fixed :\n\n - CVE-2017-7272: PHP enabled potential SSRF in\n applications that accept an fsockopen hostname argument\n with an expectation that the port number is constrained.\n Because a :port syntax was recognized, fsockopen used\n the port number that is specified in the hostname\n argument, instead of the port number in the second\n argument of the function (bsc#1031246)\n\n - CVE-2016-6294: The locale_accept_from_http function in\n ext/intl/locale/locale_methods.c did not properly\n restrict calls to the ICU uloc_acceptLanguageFromHTTP\n function, which allowed remote attackers to cause a\n denial of service (out-of-bounds read) or possibly have\n unspecified other impact via a call with a long argument\n (bsc#1035111).\n\n - CVE-2017-9227: An issue was discovered in Oniguruma\n 6.2.0, as used in mbstring in PHP. A stack out-of-bounds\n read occurs in mbc_enc_len() during regular expression\n searching. Invalid handling of reg->dmin in\n forward_search_range() could result in an invalid\n pointer dereference, as an out-of-bounds read from a\n stack buffer. (bsc#1040883)\n\n - CVE-2017-9226: An issue was discovered in Oniguruma\n 6.2.0, as used in Oniguruma-mod in mbstring in PHP. A\n heap out-of-bounds write or read occurs in\n next_state_val() during regular expression compilation.\n Octal numbers larger than 0xff are not handled correctly\n in fetch_token() and fetch_token_in_cc(). A malformed\n regular expression containing an octal number in the\n form of '\\700' would produce an invalid code point value\n larger than 0xff in next_state_val(), resulting in an\n out-of-bounds write memory corruption. (bsc#1040889)\n\n - CVE-2017-9224: An issue was discovered in Oniguruma\n 6.2.0, as used in Oniguruma-mod in mbstring in PHP. A\n stack out-of-bounds read occurs in match_at() during\n regular expression searching. A logical error involving\n order of validation and access in match_at() could\n result in an out-of-bounds read from a stack buffer.\n (bsc#1040891)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-06-19T00:00:00", "title": "SUSE SLES11 Security Update : php53 (SUSE-SU-2017:1585-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9224", "CVE-2017-9226", "CVE-2017-9227", "CVE-2017-7272", "CVE-2016-6294"], "modified": "2017-06-19T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:php53-shmop", "p-cpe:/a:novell:suse_linux:php53-snmp", "p-cpe:/a:novell:suse_linux:php53-sysvsem", "p-cpe:/a:novell:suse_linux:php53-dba", "p-cpe:/a:novell:suse_linux:php53-pear", "p-cpe:/a:novell:suse_linux:php53-xsl", "p-cpe:/a:novell:suse_linux:php53-calendar", "p-cpe:/a:novell:suse_linux:php53-openssl", "p-cpe:/a:novell:suse_linux:php53", "p-cpe:/a:novell:suse_linux:php53-dom", "p-cpe:/a:novell:suse_linux:php53-odbc", "p-cpe:/a:novell:suse_linux:php53-ctype", "p-cpe:/a:novell:suse_linux:php53-zip", "p-cpe:/a:novell:suse_linux:php53-pgsql", "p-cpe:/a:novell:suse_linux:php53-pcntl", "p-cpe:/a:novell:suse_linux:php53-pspell", "p-cpe:/a:novell:suse_linux:apache2-mod_php53", "p-cpe:/a:novell:suse_linux:php53-gmp", "p-cpe:/a:novell:suse_linux:php53-gd", "p-cpe:/a:novell:suse_linux:php53-curl", "p-cpe:/a:novell:suse_linux:php53-gettext", "p-cpe:/a:novell:suse_linux:php53-iconv", "p-cpe:/a:novell:suse_linux:php53-bz2", "cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:php53-zlib", "p-cpe:/a:novell:suse_linux:php53-bcmath", "p-cpe:/a:novell:suse_linux:php53-fastcgi", "p-cpe:/a:novell:suse_linux:php53-json", "p-cpe:/a:novell:suse_linux:php53-sysvmsg", "p-cpe:/a:novell:suse_linux:php53-mbstring", "p-cpe:/a:novell:suse_linux:php53-ldap", "p-cpe:/a:novell:suse_linux:php53-xmlreader", "p-cpe:/a:novell:suse_linux:php53-suhosin", "p-cpe:/a:novell:suse_linux:php53-ftp", "p-cpe:/a:novell:suse_linux:php53-soap", "p-cpe:/a:novell:suse_linux:php53-sysvshm", "p-cpe:/a:novell:suse_linux:php53-fileinfo", "p-cpe:/a:novell:suse_linux:php53-mcrypt", "p-cpe:/a:novell:suse_linux:php53-intl", "p-cpe:/a:novell:suse_linux:php53-wddx", "p-cpe:/a:novell:suse_linux:php53-xmlrpc", "p-cpe:/a:novell:suse_linux:php53-tokenizer", "p-cpe:/a:novell:suse_linux:php53-pdo", "p-cpe:/a:novell:suse_linux:php53-xmlwriter", "p-cpe:/a:novell:suse_linux:php53-mysql", "p-cpe:/a:novell:suse_linux:php53-exif"], "id": "SUSE_SU-2017-1585-1.NASL", "href": "https://www.tenable.com/plugins/nessus/100866", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:1585-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100866);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-6294\", \"CVE-2017-7272\", \"CVE-2017-9224\", \"CVE-2017-9226\", \"CVE-2017-9227\");\n\n script_name(english:\"SUSE SLES11 Security Update : php53 (SUSE-SU-2017:1585-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for php53 fixes the following issues: This security issue\nwas fixed :\n\n - CVE-2017-7272: PHP enabled potential SSRF in\n applications that accept an fsockopen hostname argument\n with an expectation that the port number is constrained.\n Because a :port syntax was recognized, fsockopen used\n the port number that is specified in the hostname\n argument, instead of the port number in the second\n argument of the function (bsc#1031246)\n\n - CVE-2016-6294: The locale_accept_from_http function in\n ext/intl/locale/locale_methods.c did not properly\n restrict calls to the ICU uloc_acceptLanguageFromHTTP\n function, which allowed remote attackers to cause a\n denial of service (out-of-bounds read) or possibly have\n unspecified other impact via a call with a long argument\n (bsc#1035111).\n\n - CVE-2017-9227: An issue was discovered in Oniguruma\n 6.2.0, as used in mbstring in PHP. A stack out-of-bounds\n read occurs in mbc_enc_len() during regular expression\n searching. Invalid handling of reg->dmin in\n forward_search_range() could result in an invalid\n pointer dereference, as an out-of-bounds read from a\n stack buffer. (bsc#1040883)\n\n - CVE-2017-9226: An issue was discovered in Oniguruma\n 6.2.0, as used in Oniguruma-mod in mbstring in PHP. A\n heap out-of-bounds write or read occurs in\n next_state_val() during regular expression compilation.\n Octal numbers larger than 0xff are not handled correctly\n in fetch_token() and fetch_token_in_cc(). A malformed\n regular expression containing an octal number in the\n form of '\\700' would produce an invalid code point value\n larger than 0xff in next_state_val(), resulting in an\n out-of-bounds write memory corruption. (bsc#1040889)\n\n - CVE-2017-9224: An issue was discovered in Oniguruma\n 6.2.0, as used in Oniguruma-mod in mbstring in PHP. A\n stack out-of-bounds read occurs in match_at() during\n regular expression searching. A logical error involving\n order of validation and access in match_at() could\n result in an out-of-bounds read from a stack buffer.\n (bsc#1040891)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1031246\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1035111\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1040883\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1040889\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1040891\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-6294/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-7272/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-9224/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-9226/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-9227/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20171585-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?52357544\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 11-SP4:zypper in -t\npatch sdksp4-php53-13151=1\n\nSUSE Linux Enterprise Server 11-SP4:zypper in -t patch\nslessp4-php53-13151=1\n\nSUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch\ndbgsp4-php53-13151=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-mod_php53\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-bcmath\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-bz2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-calendar\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-ctype\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-dba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-dom\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-exif\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-fastcgi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-fileinfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-ftp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-gettext\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-gmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-iconv\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-intl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-json\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-mbstring\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-mcrypt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-odbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-pcntl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-pdo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-pear\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-pspell\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-shmop\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-snmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-soap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-suhosin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-sysvmsg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-sysvsem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-sysvshm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-tokenizer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-wddx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-xmlreader\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-xmlwriter\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-xsl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:php53-zlib\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/07/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! preg(pattern:\"^(4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"apache2-mod_php53-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-bcmath-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-bz2-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-calendar-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-ctype-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-curl-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-dba-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-dom-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-exif-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-fastcgi-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-fileinfo-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-ftp-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-gd-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-gettext-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-gmp-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-iconv-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-intl-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-json-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-ldap-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-mbstring-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-mcrypt-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-mysql-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-odbc-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-openssl-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-pcntl-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-pdo-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-pear-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-pgsql-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-pspell-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-shmop-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-snmp-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-soap-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-suhosin-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-sysvmsg-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-sysvsem-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-sysvshm-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-tokenizer-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-wddx-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-xmlreader-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-xmlrpc-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-xmlwriter-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-xsl-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-zip-5.3.17-108.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"php53-zlib-5.3.17-108.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php53\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T09:02:30", "description": "According to the versions of the php packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - An issue was discovered in Oniguruma 6.x before\n 6.9.4_rc2. In the function fetch_interval_quantifier\n (formerly known as fetch_range_quantifier) in\n regparse.c, PFETCH is called without checking PEND.\n This leads to a heap-based buffer\n over-read.(CVE-2019-19204)\n\n - Oniguruma before 6.9.3 allows Stack Exhaustion in\n regcomp.c because of recursion in\n regparse.c.(CVE-2019-16163)\n\n - Oniguruma through 6.9.3, as used in PHP 7.3.x and other\n products, has a heap-based buffer over-read in\n str_lower_case_match in regexec.c.(CVE-2019-19246)\n\n - PHP through 7.1.11 enables potential SSRF in\n applications that accept an fsockopen or pfsockopen\n hostname argument with an expectation that the port\n number is constrained. Because a :port syntax is\n recognized, fsockopen will use the port number that is\n specified in the hostname argument, instead of the port\n number in the second argument of the\n function.(CVE-2017-7272)\n\n - In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13\n and 7.4.0, PHP DirectoryIterator class accepts\n filenames with embedded \\0 byte and treats them as\n terminating at that byte. This could lead to security\n vulnerabilities, e.g. in applications checking paths\n that the code is allowed to access.(CVE-2019-11045)\n\n - In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13\n and 7.4.0, PHP bcmath extension functions on some\n systems, including Windows, can be tricked into reading\n beyond the allocated space by supplying it with string\n containing characters that are identified as numeric by\n the OS but aren't ASCII numbers. This can read to\n disclosure of the content of some memory\n locations.(CVE-2019-11046)\n\n - When PHP EXIF extension is parsing EXIF information\n from an image, e.g. via exif_read_data() function, in\n PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and\n 7.4.0 it is possible to supply it with data what will\n cause it to read past the allocated buffer. This may\n lead to information disclosure or\n crash.(CVE-2019-11047)\n\n - When PHP EXIF extension is parsing EXIF information\n from an image, e.g. via exif_read_data() function, in\n PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and\n 7.4.0 it is possible to supply it with data what will\n cause it to read past the allocated buffer. This may\n lead to information disclosure or\n crash.(CVE-2019-11050)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 5, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"}, "published": "2020-02-25T00:00:00", "title": "EulerOS 2.0 SP8 : php (EulerOS-SA-2020-1172)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-11050", "CVE-2019-19204", "CVE-2017-7272", "CVE-2019-11046", "CVE-2019-19246", "CVE-2019-16163", "CVE-2019-11045", "CVE-2019-11047"], "modified": "2020-02-25T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:php-common", "p-cpe:/a:huawei:euleros:php-recode", "p-cpe:/a:huawei:euleros:php-fpm", "p-cpe:/a:huawei:euleros:php-odbc", "p-cpe:/a:huawei:euleros:php-process", "p-cpe:/a:huawei:euleros:php-xml", "p-cpe:/a:huawei:euleros:php-soap", "p-cpe:/a:huawei:euleros:php-cli", "p-cpe:/a:huawei:euleros:php", "p-cpe:/a:huawei:euleros:php-ldap", "p-cpe:/a:huawei:euleros:php-xmlrpc", "p-cpe:/a:huawei:euleros:php-pdo", "p-cpe:/a:huawei:euleros:php-gd", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2020-1172.NASL", "href": "https://www.tenable.com/plugins/nessus/134006", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134006);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2017-7272\",\n \"CVE-2019-11045\",\n \"CVE-2019-11046\",\n \"CVE-2019-11047\",\n \"CVE-2019-11050\",\n \"CVE-2019-16163\",\n \"CVE-2019-19204\",\n \"CVE-2019-19246\"\n );\n\n script_name(english:\"EulerOS 2.0 SP8 : php (EulerOS-SA-2020-1172)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the php packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - An issue was discovered in Oniguruma 6.x before\n 6.9.4_rc2. In the function fetch_interval_quantifier\n (formerly known as fetch_range_quantifier) in\n regparse.c, PFETCH is called without checking PEND.\n This leads to a heap-based buffer\n over-read.(CVE-2019-19204)\n\n - Oniguruma before 6.9.3 allows Stack Exhaustion in\n regcomp.c because of recursion in\n regparse.c.(CVE-2019-16163)\n\n - Oniguruma through 6.9.3, as used in PHP 7.3.x and other\n products, has a heap-based buffer over-read in\n str_lower_case_match in regexec.c.(CVE-2019-19246)\n\n - PHP through 7.1.11 enables potential SSRF in\n applications that accept an fsockopen or pfsockopen\n hostname argument with an expectation that the port\n number is constrained. Because a :port syntax is\n recognized, fsockopen will use the port number that is\n specified in the hostname argument, instead of the port\n number in the second argument of the\n function.(CVE-2017-7272)\n\n - In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13\n and 7.4.0, PHP DirectoryIterator class accepts\n filenames with embedded \\0 byte and treats them as\n terminating at that byte. This could lead to security\n vulnerabilities, e.g. in applications checking paths\n that the code is allowed to access.(CVE-2019-11045)\n\n - In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13\n and 7.4.0, PHP bcmath extension functions on some\n systems, including Windows, can be tricked into reading\n beyond the allocated space by supplying it with string\n containing characters that are identified as numeric by\n the OS but aren't ASCII numbers. This can read to\n disclosure of the content of some memory\n locations.(CVE-2019-11046)\n\n - When PHP EXIF extension is parsing EXIF information\n from an image, e.g. via exif_read_data() function, in\n PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and\n 7.4.0 it is possible to supply it with data what will\n cause it to read past the allocated buffer. This may\n lead to information disclosure or\n crash.(CVE-2019-11047)\n\n - When PHP EXIF extension is parsing EXIF information\n from an image, e.g. via exif_read_data() function, in\n PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and\n 7.4.0 it is possible to supply it with data what will\n cause it to read past the allocated buffer. This may\n lead to information disclosure or\n crash.(CVE-2019-11050)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1172\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?01035da3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected php packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/02/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/02/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-fpm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-odbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-pdo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-process\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-recode\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-soap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-xml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(8)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"php-7.2.10-1.h13.eulerosv2r8\",\n \"php-cli-7.2.10-1.h13.eulerosv2r8\",\n \"php-common-7.2.10-1.h13.eulerosv2r8\",\n \"php-fpm-7.2.10-1.h13.eulerosv2r8\",\n \"php-gd-7.2.10-1.h13.eulerosv2r8\",\n \"php-ldap-7.2.10-1.h13.eulerosv2r8\",\n \"php-odbc-7.2.10-1.h13.eulerosv2r8\",\n \"php-pdo-7.2.10-1.h13.eulerosv2r8\",\n \"php-process-7.2.10-1.h13.eulerosv2r8\",\n \"php-recode-7.2.10-1.h13.eulerosv2r8\",\n \"php-soap-7.2.10-1.h13.eulerosv2r8\",\n \"php-xml-7.2.10-1.h13.eulerosv2r8\",\n \"php-xmlrpc-7.2.10-1.h13.eulerosv2r8\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"8\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php\");\n}\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2021-01-07T09:03:28", "description": "According to the versions of the php packages installed, the EulerOS\nVirtualization for ARM 64 installation on the remote host is affected\nby the following vulnerabilities :\n\n - When PHP EXIF extension is parsing EXIF information\n from an image, e.g. via exif_read_data() function, in\n PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and\n 7.4.0 it is possible to supply it with data what will\n cause it to read past the allocated buffer. This may\n lead to information disclosure or\n crash.(CVE-2019-11050)\n\n - In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13\n and 7.4.0, PHP bcmath extension functions on some\n systems, including Windows, can be tricked into reading\n beyond the allocated space by supplying it with string\n containing characters that are identified as numeric by\n the OS but aren't ASCII numbers. This can read to\n disclosure of the content of some memory\n locations.(CVE-2019-11046)\n\n - In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13\n and 7.4.0, PHP DirectoryIterator class accepts\n filenames with embedded \\0 byte and treats them as\n terminating at that byte. This could lead to security\n vulnerabilities, e.g. in applications checking paths\n that the code is allowed to access.(CVE-2019-11045)\n\n - When PHP EXIF extension is parsing EXIF information\n from an image, e.g. via exif_read_data() function, in\n PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and\n 7.4.0 it is possible to supply it with data what will\n cause it to read past the allocated buffer. This may\n lead to information disclosure or\n crash.(CVE-2019-11047)\n\n - PHP through 7.1.11 enables potential SSRF in\n applications that accept an fsockopen or pfsockopen\n hostname argument with an expectation that the port\n number is constrained. Because a :port syntax is\n recognized, fsockopen will use the port number that is\n specified in the hostname argument, instead of the port\n number in the second argument of the\n function.(CVE-2017-7272)\n\n - Oniguruma before 6.9.3 allows Stack Exhaustion in\n regcomp.c because of recursion in\n regparse.c.(CVE-2019-16163)\n\n - Oniguruma through 6.9.3, as used in PHP 7.3.x and other\n products, has a heap-based buffer over-read in\n str_lower_case_match in regexec.c.(CVE-2019-19246)\n\n - An issue was discovered in Oniguruma 6.x before\n 6.9.4_rc2. In the function fetch_interval_quantifier\n (formerly known as fetch_range_quantifier) in\n regparse.c, PFETCH is called without checking PEND.\n This leads to a heap-based buffer\n over-read.(CVE-2019-19204)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 5, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"}, "published": "2020-04-02T00:00:00", "title": "EulerOS Virtualization for ARM 64 3.0.6.0 : php (EulerOS-SA-2020-1350)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-11050", "CVE-2019-19204", "CVE-2017-7272", "CVE-2019-11046", "CVE-2019-19246", "CVE-2019-16163", "CVE-2019-11045", "CVE-2019-11047"], "modified": "2020-04-02T00:00:00", "cpe": ["cpe:/o:huawei:euleros:uvp:3.0.6.0", "p-cpe:/a:huawei:euleros:php-common", "p-cpe:/a:huawei:euleros:php-cli", "p-cpe:/a:huawei:euleros:php"], "id": "EULEROS_SA-2020-1350.NASL", "href": "https://www.tenable.com/plugins/nessus/135137", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135137);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2017-7272\",\n \"CVE-2019-11045\",\n \"CVE-2019-11046\",\n \"CVE-2019-11047\",\n \"CVE-2019-11050\",\n \"CVE-2019-16163\",\n \"CVE-2019-19204\",\n \"CVE-2019-19246\"\n );\n\n script_name(english:\"EulerOS Virtualization for ARM 64 3.0.6.0 : php (EulerOS-SA-2020-1350)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization for ARM 64 host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the php packages installed, the EulerOS\nVirtualization for ARM 64 installation on the remote host is affected\nby the following vulnerabilities :\n\n - When PHP EXIF extension is parsing EXIF information\n from an image, e.g. via exif_read_data() function, in\n PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and\n 7.4.0 it is possible to supply it with data what will\n cause it to read past the allocated buffer. This may\n lead to information disclosure or\n crash.(CVE-2019-11050)\n\n - In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13\n and 7.4.0, PHP bcmath extension functions on some\n systems, including Windows, can be tricked into reading\n beyond the allocated space by supplying it with string\n containing characters that are identified as numeric by\n the OS but aren't ASCII numbers. This can read to\n disclosure of the content of some memory\n locations.(CVE-2019-11046)\n\n - In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13\n and 7.4.0, PHP DirectoryIterator class accepts\n filenames with embedded \\0 byte and treats them as\n terminating at that byte. This could lead to security\n vulnerabilities, e.g. in applications checking paths\n that the code is allowed to access.(CVE-2019-11045)\n\n - When PHP EXIF extension is parsing EXIF information\n from an image, e.g. via exif_read_data() function, in\n PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and\n 7.4.0 it is possible to supply it with data what will\n cause it to read past the allocated buffer. This may\n lead to information disclosure or\n crash.(CVE-2019-11047)\n\n - PHP through 7.1.11 enables potential SSRF in\n applications that accept an fsockopen or pfsockopen\n hostname argument with an expectation that the port\n number is constrained. Because a :port syntax is\n recognized, fsockopen will use the port number that is\n specified in the hostname argument, instead of the port\n number in the second argument of the\n function.(CVE-2017-7272)\n\n - Oniguruma before 6.9.3 allows Stack Exhaustion in\n regcomp.c because of recursion in\n regparse.c.(CVE-2019-16163)\n\n - Oniguruma through 6.9.3, as used in PHP 7.3.x and other\n products, has a heap-based buffer over-read in\n str_lower_case_match in regexec.c.(CVE-2019-19246)\n\n - An issue was discovered in Oniguruma 6.x before\n 6.9.4_rc2. In the function fetch_interval_quantifier\n (formerly known as fetch_range_quantifier) in\n regparse.c, PFETCH is called without checking PEND.\n This leads to a heap-based buffer\n over-read.(CVE-2019-19204)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1350\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6edb8cba\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected php packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-common\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.6.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.6.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.6.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"php-7.2.10-1.h13.eulerosv2r8\",\n \"php-cli-7.2.10-1.h13.eulerosv2r8\",\n \"php-common-7.2.10-1.h13.eulerosv2r8\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php\");\n}\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2021-01-07T09:04:14", "description": "According to the versions of the php packages installed, the EulerOS\nVirtualization for ARM 64 installation on the remote host is affected\nby the following vulnerabilities :\n\n - A flaw was found in HAProxy before 2.0.6. In legacy\n mode, messages featuring a transfer-encoding header\n missing the 'chunked' value were not being correctly\n rejected. The impact was limited but if combined with\n the 'http-reuse always' setting, it could be used to\n help construct an HTTP request smuggling attack against\n a vulnerable component employing a lenient parser that\n would ignore the content-length header as soon as it\n saw a transfer-encoding one (even if not entirely valid\n according to the specification).(CVE-2017-16642)\n\n - In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x\n before 7.1.11, an error in the date extension's\n timelib_meridian handling of 'front of' and 'back of'\n directives could be used by attackers able to supply\n date strings to leak information from the interpreter,\n related to ext/date/lib/parse_date.c out-of-bounds\n reads affecting the php_parse_date function. NOTE: this\n is a different issue than\n CVE-2017-11145.(CVE-2017-11145)\n\n - ext/standard/var_unserializer.re in PHP before 5.6.26\n mishandles object-deserialization failures, which\n allows remote attackers to cause a denial of service\n (memory corruption) or possibly have unspecified other\n impact via an unserialize call that references a\n partially constructed object.(CVE-2016-10397)\n\n - Double free vulnerability in the\n zend_ts_hash_graceful_destroy function in\n zend_ts_hash.c in the Zend Engine in PHP through 5.5.20\n and 5.6.x through 5.6.4 allows remote attackers to\n cause a denial of service or possibly have unspecified\n other impact via unknown vectors.(CVE-2016-7412)\n\n - Oniguruma through 6.9.3, as used in PHP 7.3.x and other\n products, has a heap-based buffer over-read in\n str_lower_case_match in regexec.c.(CVE-2019-19246)\n\n - When PHP EXIF extension is parsing EXIF information\n from an image, e.g. via exif_read_data() function, in\n PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and\n 7.4.0 it is possible to supply it with data what will\n cause it to read past the allocated buffer. This may\n lead to information disclosure or\n crash.(CVE-2019-11047)\n\n - main/php_open_temporary_file.c in PHP before 5.5.28 and\n 5.6.x before 5.6.12 does not ensure thread safety,\n which allows remote attackers to cause a denial of\n service (race condition and heap memory corruption) by\n leveraging an application that performs many\n temporary-file accesses.(CVE-2017-7272)\n\n - When PHP EXIF extension is parsing EXIF information\n from an image, e.g. via exif_read_data() function, in\n PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and\n 7.4.0 it is possible to supply it with data what will\n cause it to read past the allocated buffer. This may\n lead to information disclosure or\n crash.(CVE-2019-11050)\n\n - An issue was discovered in Oniguruma 6.x before\n 6.9.4_rc2. In the function fetch_interval_quantifier\n (formerly known as fetch_range_quantifier) in\n regparse.c, PFETCH is called without checking PEND.\n This leads to a heap-based buffer\n over-read.(CVE-2019-19204)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 5, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-05-01T00:00:00", "title": "EulerOS Virtualization for ARM 64 3.0.2.0 : php (EulerOS-SA-2020-1542)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10397", "CVE-2019-11050", "CVE-2019-19204", "CVE-2017-7272", "CVE-2017-16642", "CVE-2019-19246", "CVE-2019-11047", "CVE-2017-11145", "CVE-2016-7412"], "modified": "2020-05-01T00:00:00", "cpe": ["cpe:/o:huawei:euleros:uvp:3.0.2.0", "p-cpe:/a:huawei:euleros:php-common", "p-cpe:/a:huawei:euleros:php-cli", "p-cpe:/a:huawei:euleros:php"], "id": "EULEROS_SA-2020-1542.NASL", "href": "https://www.tenable.com/plugins/nessus/136245", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136245);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2016-10397\",\n \"CVE-2016-7412\",\n \"CVE-2017-11145\",\n \"CVE-2017-16642\",\n \"CVE-2017-7272\",\n \"CVE-2019-11047\",\n \"CVE-2019-11050\",\n \"CVE-2019-19204\",\n \"CVE-2019-19246\"\n );\n\n script_name(english:\"EulerOS Virtualization for ARM 64 3.0.2.0 : php (EulerOS-SA-2020-1542)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization for ARM 64 host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the php packages installed, the EulerOS\nVirtualization for ARM 64 installation on the remote host is affected\nby the following vulnerabilities :\n\n - A flaw was found in HAProxy before 2.0.6. In legacy\n mode, messages featuring a transfer-encoding header\n missing the 'chunked' value were not being correctly\n rejected. The impact was limited but if combined with\n the 'http-reuse always' setting, it could be used to\n help construct an HTTP request smuggling attack against\n a vulnerable component employing a lenient parser that\n would ignore the content-length header as soon as it\n saw a transfer-encoding one (even if not entirely valid\n according to the specification).(CVE-2017-16642)\n\n - In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x\n before 7.1.11, an error in the date extension's\n timelib_meridian handling of 'front of' and 'back of'\n directives could be used by attackers able to supply\n date strings to leak information from the interpreter,\n related to ext/date/lib/parse_date.c out-of-bounds\n reads affecting the php_parse_date function. NOTE: this\n is a different issue than\n CVE-2017-11145.(CVE-2017-11145)\n\n - ext/standard/var_unserializer.re in PHP before 5.6.26\n mishandles object-deserialization failures, which\n allows remote attackers to cause a denial of service\n (memory corruption) or possibly have unspecified other\n impact via an unserialize call that references a\n partially constructed object.(CVE-2016-10397)\n\n - Double free vulnerability in the\n zend_ts_hash_graceful_destroy function in\n zend_ts_hash.c in the Zend Engine in PHP through 5.5.20\n and 5.6.x through 5.6.4 allows remote attackers to\n cause a denial of service or possibly have unspecified\n other impact via unknown vectors.(CVE-2016-7412)\n\n - Oniguruma through 6.9.3, as used in PHP 7.3.x and other\n products, has a heap-based buffer over-read in\n str_lower_case_match in regexec.c.(CVE-2019-19246)\n\n - When PHP EXIF extension is parsing EXIF information\n from an image, e.g. via exif_read_data() function, in\n PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and\n 7.4.0 it is possible to supply it with data what will\n cause it to read past the allocated buffer. This may\n lead to information disclosure or\n crash.(CVE-2019-11047)\n\n - main/php_open_temporary_file.c in PHP before 5.5.28 and\n 5.6.x before 5.6.12 does not ensure thread safety,\n which allows remote attackers to cause a denial of\n service (race condition and heap memory corruption) by\n leveraging an application that performs many\n temporary-file accesses.(CVE-2017-7272)\n\n - When PHP EXIF extension is parsing EXIF information\n from an image, e.g. via exif_read_data() function, in\n PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and\n 7.4.0 it is possible to supply it with data what will\n cause it to read past the allocated buffer. This may\n lead to information disclosure or\n crash.(CVE-2019-11050)\n\n - An issue was discovered in Oniguruma 6.x before\n 6.9.4_rc2. In the function fetch_interval_quantifier\n (formerly known as fetch_range_quantifier) in\n regparse.c, PFETCH is called without checking PEND.\n This leads to a heap-based buffer\n over-read.(CVE-2019-19204)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1542\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?97a5d21b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected php packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-common\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.2.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.2.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"php-5.4.16-45.h29\",\n \"php-cli-5.4.16-45.h29\",\n \"php-common-5.4.16-45.h29\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T09:02:19", "description": "According to the versions of the php packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26\n and 7.x before 7.0.11 does not verify that a BIT field\n has the UNSIGNED_FLAG flag, which allows remote MySQL\n servers to cause a denial of service (heap-based buffer\n overflow) or possibly have unspecified other impact via\n crafted field metadata.(CVE-2016-7412)\n\n - ext/standard/var_unserializer.re in PHP before 5.6.26\n mishandles object-deserialization failures, which\n allows remote attackers to cause a denial of service\n (memory corruption) or possibly have unspecified other\n impact via an unserialize call that references a\n partially constructed object.(CVE-2016-7411)\n\n - In PHP before 5.6.28 and 7.x before 7.0.13, incorrect\n handling of various URI components in the URL parser\n could be used by attackers to bypass hostname-specific\n URL checks, as demonstrated by\n evil.example.com:80#@good.example.com/ and\n evil.example.com:80?@good.example.com/ inputs to the\n parse_url function (implemented in the php_url_parse_ex\n function in ext/standard/url.c).(CVE-2016-10397)\n\n - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x\n before 7.1.7, an error in the date extension's\n timelib_meridian parsing code could be used by\n attackers able to supply date strings to leak\n information from the interpreter, related to\n ext/date/lib/parse_date.c out-of-bounds reads affecting\n the php_parse_date function. NOTE: the correct fix is\n in the e8b7698f5ee757ce2c8bd10a192a491a498f891c commit,\n not the bd77ac90d3bdf31ce2a5251ad92e9e75\n gist.(CVE-2017-11145)\n\n - In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x\n before 7.1.11, an error in the date extension's\n timelib_meridian handling of 'front of' and 'back of'\n directives could be used by attackers able to supply\n date strings to leak information from the interpreter,\n related to ext/date/lib/parse_date.c out-of-bounds\n reads affecting the php_parse_date function. NOTE: this\n is a different issue than\n CVE-2017-11145.(CVE-2017-16642)\n\n - In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13\n and 7.4.0, PHP DirectoryIterator class accepts\n filenames with embedded \\0 byte and treats them as\n terminating at that byte. This could lead to security\n vulnerabilities, e.g. in applications checking paths\n that the code is allowed to access.(CVE-2019-11045)\n\n - Oniguruma through 6.9.3, as used in PHP 7.3.x and other\n products, has a heap-based buffer over-read in\n str_lower_case_match in regexec.c.(CVE-2019-19246)\n\n - PHP through 7.1.11 enables potential SSRF in\n applications that accept an fsockopen or pfsockopen\n hostname argument with an expectation that the port\n number is constrained. Because a :port syntax is\n recognized, fsockopen will use the port number that is\n specified in the hostname argument, instead of the port\n number in the second argument of the\n function.(CVE-2017-7272)\n\n - When PHP EXIF extension is parsing EXIF information\n from an image, e.g. via exif_read_data() function, in\n PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and\n 7.4.0 it is possible to supply it with data what will\n cause it to read past the allocated buffer. This may\n lead to information disclosure or\n crash.(CVE-2019-11047)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 5, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-02-24T00:00:00", "title": "EulerOS 2.0 SP5 : php (EulerOS-SA-2020-1124)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10397", "CVE-2017-7272", "CVE-2017-16642", "CVE-2016-7411", "CVE-2019-19246", "CVE-2019-11045", "CVE-2019-11047", "CVE-2017-11145", "CVE-2016-7412"], "modified": "2020-02-24T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:php-pgsql", "p-cpe:/a:huawei:euleros:php-common", "p-cpe:/a:huawei:euleros:php-mysql", "p-cpe:/a:huawei:euleros:php-recode", "p-cpe:/a:huawei:euleros:php-odbc", "p-cpe:/a:huawei:euleros:php-process", "p-cpe:/a:huawei:euleros:php-xml", "p-cpe:/a:huawei:euleros:php-soap", "p-cpe:/a:huawei:euleros:php-cli", "p-cpe:/a:huawei:euleros:php", "p-cpe:/a:huawei:euleros:php-ldap", "p-cpe:/a:huawei:euleros:php-xmlrpc", "p-cpe:/a:huawei:euleros:php-pdo", "p-cpe:/a:huawei:euleros:php-gd", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2020-1124.NASL", "href": "https://www.tenable.com/plugins/nessus/133925", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(133925);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2016-10397\",\n \"CVE-2016-7411\",\n \"CVE-2016-7412\",\n \"CVE-2017-11145\",\n \"CVE-2017-16642\",\n \"CVE-2017-7272\",\n \"CVE-2019-11045\",\n \"CVE-2019-11047\",\n \"CVE-2019-19246\"\n );\n\n script_name(english:\"EulerOS 2.0 SP5 : php (EulerOS-SA-2020-1124)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the php packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26\n and 7.x before 7.0.11 does not verify that a BIT field\n has the UNSIGNED_FLAG flag, which allows remote MySQL\n servers to cause a denial of service (heap-based buffer\n overflow) or possibly have unspecified other impact via\n crafted field metadata.(CVE-2016-7412)\n\n - ext/standard/var_unserializer.re in PHP before 5.6.26\n mishandles object-deserialization failures, which\n allows remote attackers to cause a denial of service\n (memory corruption) or possibly have unspecified other\n impact via an unserialize call that references a\n partially constructed object.(CVE-2016-7411)\n\n - In PHP before 5.6.28 and 7.x before 7.0.13, incorrect\n handling of various URI components in the URL parser\n could be used by attackers to bypass hostname-specific\n URL checks, as demonstrated by\n evil.example.com:80#@good.example.com/ and\n evil.example.com:80?@good.example.com/ inputs to the\n parse_url function (implemented in the php_url_parse_ex\n function in ext/standard/url.c).(CVE-2016-10397)\n\n - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x\n before 7.1.7, an error in the date extension's\n timelib_meridian parsing code could be used by\n attackers able to supply date strings to leak\n information from the interpreter, related to\n ext/date/lib/parse_date.c out-of-bounds reads affecting\n the php_parse_date function. NOTE: the correct fix is\n in the e8b7698f5ee757ce2c8bd10a192a491a498f891c commit,\n not the bd77ac90d3bdf31ce2a5251ad92e9e75\n gist.(CVE-2017-11145)\n\n - In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x\n before 7.1.11, an error in the date extension's\n timelib_meridian handling of 'front of' and 'back of'\n directives could be used by attackers able to supply\n date strings to leak information from the interpreter,\n related to ext/date/lib/parse_date.c out-of-bounds\n reads affecting the php_parse_date function. NOTE: this\n is a different issue than\n CVE-2017-11145.(CVE-2017-16642)\n\n - In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13\n and 7.4.0, PHP DirectoryIterator class accepts\n filenames with embedded \\0 byte and treats them as\n terminating at that byte. This could lead to security\n vulnerabilities, e.g. in applications checking paths\n that the code is allowed to access.(CVE-2019-11045)\n\n - Oniguruma through 6.9.3, as used in PHP 7.3.x and other\n products, has a heap-based buffer over-read in\n str_lower_case_match in regexec.c.(CVE-2019-19246)\n\n - PHP through 7.1.11 enables potential SSRF in\n applications that accept an fsockopen or pfsockopen\n hostname argument with an expectation that the port\n number is constrained. Because a :port syntax is\n recognized, fsockopen will use the port number that is\n specified in the hostname argument, instead of the port\n number in the second argument of the\n function.(CVE-2017-7272)\n\n - When PHP EXIF extension is parsing EXIF information\n from an image, e.g. via exif_read_data() function, in\n PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and\n 7.4.0 it is possible to supply it with data what will\n cause it to read past the allocated buffer. This may\n lead to information disclosure or\n crash.(CVE-2019-11047)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1124\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f56d33ce\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected php packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/02/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/02/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-odbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-pdo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-process\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-recode\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-soap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-xml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(5)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"php-5.4.16-45.h27.eulerosv2r7\",\n \"php-cli-5.4.16-45.h27.eulerosv2r7\",\n \"php-common-5.4.16-45.h27.eulerosv2r7\",\n \"php-gd-5.4.16-45.h27.eulerosv2r7\",\n \"php-ldap-5.4.16-45.h27.eulerosv2r7\",\n \"php-mysql-5.4.16-45.h27.eulerosv2r7\",\n \"php-odbc-5.4.16-45.h27.eulerosv2r7\",\n \"php-pdo-5.4.16-45.h27.eulerosv2r7\",\n \"php-pgsql-5.4.16-45.h27.eulerosv2r7\",\n \"php-process-5.4.16-45.h27.eulerosv2r7\",\n \"php-recode-5.4.16-45.h27.eulerosv2r7\",\n \"php-soap-5.4.16-45.h27.eulerosv2r7\",\n \"php-xml-5.4.16-45.h27.eulerosv2r7\",\n \"php-xmlrpc-5.4.16-45.h27.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"5\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T09:01:38", "description": "According to the versions of the php packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - ** DISPUTED ** Integer overflow in the\n php_raw_url_encode function in ext/standard/url.c in\n PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before\n 7.0.5 allows remote attackers to cause a denial of\n service (application crash) via a long string to the\n rawurlencode function. NOTE: the vendor says 'Not sure\n if this qualifies as security issue (probably\n not).'(CVE-2016-4070)\n\n - An issue was discovered in ext/phar/phar_object.c in\n PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before\n 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS\n on the PHAR 403 and 404 error pages via request data of\n a request for a .phar file. NOTE: this vulnerability\n exists because of an incomplete fix for\n CVE-2018-5712.(CVE-2018-10547)\n\n - An issue was discovered in Oniguruma 6.2.0, as used in\n Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP\n through 7.1.5. A heap out-of-bounds write occurs in\n bitset_set_range() during regular expression\n compilation due to an uninitialized variable from an\n incorrect state transition. An incorrect state\n transition in parse_char_class() could create an\n execution path that leaves a critical local variable\n uninitialized until it's used as an index, resulting in\n an out-of-bounds write memory\n corruption.(CVE-2017-9228)\n\n - An issue was discovered in Oniguruma 6.2.0, as used in\n Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP\n through 7.1.5. A heap out-of-bounds write or read\n occurs in next_state_val() during regular expression\n compilation. Octal numbers larger than 0xff are not\n handled correctly in fetch_token() and\n fetch_token_in_cc(). A malformed regular expression\n containing an octal number in the form of '\\700' would\n produce an invalid code point value larger than 0xff in\n next_state_val(), resulting in an out-of-bounds write\n memory corruption.(CVE-2017-9226)\n\n - An issue was discovered in Oniguruma 6.2.0, as used in\n Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP\n through 7.1.5. A SIGSEGV occurs in\n left_adjust_char_head() during regular expression\n compilation. Invalid handling of reg->dmax in\n forward_search_range() could result in an invalid\n pointer dereference, normally as an immediate\n denial-of-service condition.(CVE-2017-9229)\n\n - An issue was discovered in Oniguruma 6.2.0, as used in\n Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP\n through 7.1.5. A stack out-of-bounds read occurs in\n match_at() during regular expression searching. A\n logical error involving order of validation and access\n in match_at() could result in an out-of-bounds read\n from a stack buffer.(CVE-2017-9224)\n\n - An issue was discovered in Oniguruma 6.2.0, as used in\n Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP\n through 7.1.5. A stack out-of-bounds read occurs in\n mbc_enc_len() during regular expression searching.\n Invalid handling of reg->dmin in forward_search_range()\n could result in an invalid pointer dereference, as an\n out-of-bounds read from a stack buffer.(CVE-2017-9227)\n\n - An issue was discovered in PHP before 5.6.33, 7.0.x\n before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before\n 7.2.1. There is Reflected XSS on the PHAR 404 error\n page via the URI of a request for a .phar\n file.(CVE-2018-5712)\n\n - An issue was discovered in PHP before 5.6.35, 7.0.x\n before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before\n 7.2.4. Dumpable FPM child processes allow bypassing\n opcache access controls because fpm_unix.c makes a\n PR_SET_DUMPABLE prctl call, allowing one user (in a\n multiuser environment) to obtain sensitive information\n from the process memory of a second user's PHP\n applications by running gcore on the PID of the PHP-FPM\n worker process.(CVE-2018-10545)\n\n - Directory traversal vulnerability in the PharData class\n in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x\n before 5.6.12 allows remote attackers to write to\n arbitrary files via a .. (dot dot) in a ZIP archive\n entry that is mishandled during an extractTo\n call.(CVE-2015-6833)\n\n - Directory traversal vulnerability in the\n ZipArchive::extractTo function in ext/zip/php_zip.c in\n PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x\n before 5.6.13 and ext/zip/ext_zip.cpp in HHVM before\n 3.12.1 allows remote attackers to create arbitrary\n empty directories via a crafted ZIP\n archive.(CVE-2014-9767)\n\n - exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP\n before 5.6.37, 7.0.x before 7.0.31, 7.1.x before\n 7.1.20, and 7.2.x before 7.2.8 allows remote attackers\n to cause a denial of service (out-of-bounds read and\n application crash) via a crafted JPEG\n file.(CVE-2018-14851)\n\n - ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x\n before 5.6.6, when PHP-FPM is used, does not isolate\n each thread from libxml_disable_entity_loader changes\n in other threads, which allows remote attackers to\n conduct XML External Entity (XXE) and XML Entity\n Expansion (XEE) attacks via a crafted XML document, a\n related issue to CVE-2015-5161.(CVE-2015-8866)\n\n - ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26\n and 7.x before 7.0.11 does not verify that a BIT field\n has the UNSIGNED_FLAG flag, which allows remote MySQL\n servers to cause a denial of service (heap-based buffer\n overflow) or possibly have unspecified other impact via\n crafted field metadata.(CVE-2016-7412)\n\n - ext/session/session.c in PHP before 5.6.25 and 7.x\n before 7.0.10 skips invalid session names in a way that\n triggers incorrect parsing, which allows remote\n attackers to inject arbitrary-type session data by\n leveraging control of a session name, as demonstrated\n by object injection.(CVE-2016-7125)\n\n - ext/standard/var_unserializer.c in PHP before 5.6.25\n and 7.x before 7.0.10 mishandles certain invalid\n objects, which allows remote attackers to cause a\n denial of service or possibly have unspecified other\n impact via crafted serialized data that leads to a (1)\n __destruct call or (2) magic method\n call.(CVE-2016-7124)\n\n - ext/standard/var_unserializer.re in PHP before 5.6.26\n mishandles object-deserialization failures, which\n allows remote attackers to cause a denial of service\n (memory corruption) or possibly have unspecified other\n impact via an unserialize call that references a\n partially constructed object.(CVE-2016-7411)\n\n - ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before\n 7.0.13 allows remote attackers to cause a denial of\n service (NULL pointer dereference) via crafted\n serialized data in a wddxPacket XML document, as\n demonstrated by a PDORow string.(CVE-2016-9934)\n\n - gd_gif_in.c in the GD Graphics Library (aka libgd), as\n used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x\n before 7.1.13, and 7.2.x before 7.2.1, has an integer\n signedness error that leads to an infinite loop via a\n crafted GIF file, as demonstrated by a call to the\n imagecreatefromgif or imagecreatefromstring PHP\n function. This is related to GetCode_ and\n gdImageCreateFromGifCtx.(CVE-2018-5711)\n\n - In PHP before 5.6.28 and 7.x before 7.0.13, incorrect\n handling of various URI components in the URL parser\n could be used by attackers to bypass hostname-specific\n URL checks, as demonstrated by\n evil.example.com:80#@good.example.com/ and\n evil.example.com:80?@good.example.com/ inputs to the\n parse_url function (implemented in the php_url_parse_ex\n function in ext/standard/url.c).(CVE-2016-10397)\n\n - In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR\n archive handler could be used by attackers supplying\n malicious archive files to crash the PHP interpreter or\n potentially disclose information due to a buffer\n over-read in the phar_parse_pharfile function in\n ext/phar/phar.c.(CVE-2017-11147)\n\n - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x\n before 7.1.7, a stack-based buffer overflow in the\n zend_ini_do_op() function in Zend/zend_ini_parser.c\n could cause a denial of service or potentially allow\n executing code. NOTE: this is only relevant for PHP\n applications that accept untrusted input (instead of\n the system's php.ini file) for the parse_ini_string or\n parse_ini_file function, e.g., a web application for\n syntax validation of php.ini\n directives.(CVE-2017-11628)\n\n - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x\n before 7.1.7, the openssl extension PEM sealing code\n did not check the return value of the OpenSSL sealing\n function, which could lead to a crash of the PHP\n interpreter, related to an interpretation conflict for\n a negative number in ext/openssl/openssl.c, and an\n OpenSSL documentation omission.(CVE-2017-11144)\n\n - In PHP before 5.6.31, an invalid free in the WDDX\n deserialization of boolean parameters could be used by\n attackers able to inject XML for deserialization to\n crash the PHP interpreter, related to an invalid free\n for an empty boolean element in\n ext/wddx/wddx.c.(CVE-2017-11143)\n\n - In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x\n before 7.1.11, an error in the date extension's\n timelib_meridian handling of 'front of' and 'back of'\n directives could be used by attackers able to supply\n date strings to leak information from the interpreter,\n related to ext/date/lib/parse_date.c out-of-bounds\n reads affecting the php_parse_date function. NOTE: this\n is a different issue than\n CVE-2017-11145.(CVE-2017-16642)\n\n - In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24\n and 7.3.x below 7.3.11 in certain configurations of FPM\n setup it is possible to cause FPM module to write past\n allocated buffers into the space reserved for FCGI\n protocol data, thus opening the possibility of remote\n code execution.(CVE-2019-11043)\n\n - Integer overflow in the phar_parse_pharfile function in\n ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before\n 7.0.15 allows remote attackers to cause a denial of\n service (memory consumption or application crash) via a\n truncated manifest entry in a PHAR\n archive.(CVE-2016-10159)\n\n - Integer overflow in the php_html_entities function in\n ext/standard/html.c in PHP before 5.5.36 and 5.6.x\n before 5.6.22 allows remote attackers to cause a denial\n of service or possibly have unspecified other impact by\n triggering a large output string from the\n htmlspecialchars function.(CVE-2016-5094)\n\n - Multiple use-after-free vulnerabilities in SPL in PHP\n before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before\n 5.6.12 allow remote attackers to execute arbitrary code\n via vectors involving (1) ArrayObject, (2)\n SplObjectStorage, and (3) SplDoublyLinkedList, which\n are mishandled during unserialization.(CVE-2015-6831)\n\n - Off-by-one error in the phar_parse_zipfile function in\n ext/phar/zip.c in PHP before 5.5.30 and 5.6.x before\n 5.6.14 allows remote attackers to cause a denial of\n service (uninitialized pointer dereference and\n application crash) by including the / filename in a\n .zip PHAR archive.(CVE-2015-7804)\n\n - PHP through 7.1.11 enables potential SSRF in\n applications that accept an fsockopen or pfsockopen\n hostname argument with an expectation that the port\n number is constrained. Because a :port syntax is\n recognized, fsockopen will use the port number that is\n specified in the hostname argument, instead of the port\n number in the second argument of the\n function.(CVE-2017-7272)\n\n - Session fixation vulnerability in the Sessions\n subsystem in PHP before 5.5.2 allows remote attackers\n to hijack web sessions by specifying a session\n ID.(CVE-2011-4718)\n\n - Stack consumption vulnerability in GD in PHP before\n 5.6.12 allows remote attackers to cause a denial of\n service via a crafted imagefilltoborder\n call.(CVE-2015-8874)\n\n - Stack-based buffer overflow in ext/phar/tar.c in PHP\n before 5.5.32, 5.6.x before 5.6.18, and 7.x before\n 7.0.3 allows remote attackers to cause a denial of\n service (application crash) or possibly have\n unspecified other impact via a crafted TAR\n archive.(CVE-2016-2554)\n\n - The Apache2 component in PHP before 5.6.38, 7.0.x\n before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before\n 7.2.10 allows XSS via the body of a 'Transfer-Encoding:\n chunked' request, because the bucket brigade is\n mishandled in the php_handler function in\n sapi/apache2handler/sapi_apache2.c.(CVE-2018-17082)\n\n - The exif_convert_any_to_int function in ext/exif/exif.c\n in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x\n before 7.1.1 allows remote attackers to cause a denial\n of service (application crash) via crafted EXIF data\n that triggers an attempt to divide the minimum\n representable negative integer by -1.(CVE-2016-10158)\n\n - The exif_process_IFD_in_JPEG function in\n ext/exif/exif.c in PHP before 5.5.35, 5.6.x before\n 5.6.21, and 7.x before 7.0.6 does not validate IFD\n sizes, which allows remote attackers to cause a denial\n of service (out-of-bounds read) or possibly have\n unspecified other impact via crafted header\n data.(CVE-2016-4543)\n\n - The exif_process_IFD_in_MAKERNOTE function in\n ext/exif/exif.c in PHP before 5.5.38, 5.6.x before\n 5.6.24, and 7.x before 7.0.9 allows remote attackers to\n cause a denial of service (out-of-bounds array access\n and memory corruption), obtain sensitive information\n from process memory, or possibly have unspecified other\n impact via a crafted JPEG image.(CVE-2016-6291)\n\n - The exif_process_IFD_in_TIFF function in\n ext/exif/exif.c in PHP before 5.6.25 and 7.x before\n 7.0.10 mishandles the case of a thumbnail offset that\n exceeds the file size, which allows remote attackers to\n obtain sensitive information from process memory via a\n crafted TIFF image.(CVE-2016-7128)\n\n - The exif_process_IFD_TAG function in ext/exif/exif.c in\n PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before\n 7.0.6 does not properly construct spprintf arguments,\n which allows remote attackers to cause a denial of\n service (out-of-bounds read) or possibly have\n unspecified other impact via crafted header\n data.(CVE-2016-4542)\n\n - The exif_process_user_comment function in\n ext/exif/exif.c in PHP before 5.5.38, 5.6.x before\n 5.6.24, and 7.x before 7.0.9 allows remote attackers to\n cause a denial of service (NULL pointer dereference and\n application crash) via a crafted JPEG\n image.(CVE-2016-6292)\n\n - The finish_nested_data function in\n ext/standard/var_unserializer.re in PHP before 5.6.31,\n 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to\n a buffer over-read while unserializing untrusted data.\n Exploitation of this issue can have an unspecified\n impact on the integrity of PHP.(CVE-2017-12933)\n\n - The get_icu_disp_value_src_php function in\n ext/intl/locale/locale_methods.c in PHP before 5.3.29,\n 5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not\n properly restrict calls to the ICU uresbund.cpp\n component, which allows remote attackers to cause a\n denial of service (buffer overflow) or possibly have\n unspecified other impact via a locale_get_display_name\n call with a long first argument.(CVE-2014-9912)\n\n - The get_icu_value_internal function in\n ext/intl/locale/locale_methods.c in PHP before 5.5.36,\n 5.6.x before 5.6.22, and 7.x before 7.0.7 does not\n ensure the presence of a '\\0' character, which allows\n remote attackers to cause a denial of service\n (out-of-bounds read) or possibly have unspecified other\n impact via a crafted locale_get_primary_language\n call.(CVE-2016-5093)\n\n - The grapheme_stripos function in\n ext/intl/grapheme/grapheme_string.c in PHP before\n 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6\n allows remote attackers to cause a denial of service\n (out-of-bounds read) or possibly have unspecified other\n impact via a negative offset.(CVE-2016-4540)\n\n - The grapheme_strpos function in\n ext/intl/grapheme/grapheme_string.c in PHP before\n 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6\n allows remote attackers to cause a denial of service\n (out-of-bounds read) or possibly have unspecified other\n impact via a negative offset.(CVE-2016-4541)\n\n - The locale_accept_from_http function in\n ext/intl/locale/locale_methods.c in PHP before 5.5.38,\n 5.6.x before 5.6.24, and 7.x before 7.0.9 does not\n properly restrict calls to the ICU\n uloc_acceptLanguageFromHTTP function, which allows\n remote attackers to cause a denial of service\n (out-of-bounds read) or possibly have unspecified other\n impact via a call with a long argument.(CVE-2016-6294)\n\n - The make_http_soap_request function in\n ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before\n 5.5.28, 5.6.x before 5.6.12, and 7.x before 7.0.4\n allows remote attackers to obtain sensitive information\n from process memory or cause a denial of service (type\n confusion and application crash) via crafted serialized\n _cookies data, related to the SoapClient::__call method\n in ext/soap/soap.c.(CVE-2016-3185)\n\n - The make_http_soap_request function in\n ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before\n 5.5.28, and 5.6.x before 5.6.12 does not properly\n retrieve keys, which allows remote attackers to cause a\n denial of service (NULL pointer dereference, type\n confusion, and application crash) or possibly execute\n arbitrary code via crafted serialized data representing\n a numerically indexed _cookies array, related to the\n SoapClient::__call method in\n ext/soap/soap.c.(CVE-2015-8835)\n\n - The object_common1 function in\n ext/standard/var_unserializer.c in PHP before 5.6.30,\n 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows\n remote attackers to cause a denial of service (buffer\n over-read and application crash) via crafted serialized\n data that is mishandled in a finish_nested_data\n call.(CVE-2016-10161)\n\n - The odbc_bindcols function in ext/odbc/php_odbc.c in\n PHP before 5.6.12 mishandles driver behavior for\n SQL_WVARCHAR columns, which allows remote attackers to\n cause a denial of service (application crash) in\n opportunistic circumstances by leveraging use of the\n odbc_fetch_array function to access a certain type of\n Microsoft SQL Server table.(CVE-2015-8879)\n\n - The phar_convert_to_other function in\n ext/phar/phar_object.c in PHP before 5.4.43, 5.5.x\n before 5.5.27, and 5.6.x before 5.6.11 does not\n validate a file pointer before a close operation, which\n allows remote attackers to cause a denial of service\n (segmentation fault) or possibly have unspecified other\n impact via a crafted TAR archive that is mishandled in\n a Phar::convertToData call.(CVE-2015-5589)\n\n - The phar_get_entry_data function in ext/phar/util.c in\n PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote\n attackers to cause a denial of service (NULL pointer\n dereference and application crash) via a .phar file\n with a crafted TAR archive entry in which the Link\n indicator references a file that does not\n exist.(CVE-2015-7803)\n\n - The phar_parse_zipfile function in zip.c in the PHAR\n extension in PHP before 5.5.33 and 5.6.x before 5.6.19\n allows remote attackers to obtain sensitive information\n from process memory or cause a denial of service\n (out-of-bounds read and application crash) by placing a\n PK\\x05\\x06 signature at an invalid\n location.(CVE-2016-3142)\n\n - The php_url_parse_ex function in ext/standard/url.c in\n PHP before 5.5.38 allows remote attackers to cause a\n denial of service (buffer over-read) or possibly have\n unspecified other impact via vectors involving the\n smart_str data type.(CVE-2016-6288)\n\n - The php_wddx_push_element function in ext/wddx/wddx.c\n in PHP before 5.6.26 and 7.x before 7.0.11 allows\n remote attackers to cause a denial of service (invalid\n pointer access and out-of-bounds read) or possibly have\n unspecified other impact via an incorrect boolean\n element in a wddxPacket XML document, leading to\n mishandling in a wddx_deserialize call.(CVE-2016-7418)\n\n - The php_wddx_push_element function in ext/wddx/wddx.c\n in PHP before 5.6.29 and 7.x before 7.0.14 allows\n remote attackers to cause a denial of service\n (out-of-bounds read and memory corruption) or possibly\n have unspecified other impact via an empty boolean\n element in a wddxPacket XML document.(CVE-2016-9935)\n\n - The sapi_header_op function in main/SAPI.c in PHP\n before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before\n 5.6.6 supports deprecated line folding without\n considering browser compatibility, which allows remote\n attackers to conduct cross-site scripting (XSS) attacks\n against Internet Explorer by leveraging (1) %0A%20 or\n (2) %0D%0A%20 mishandling in the header\n function.(CVE-2015-8935)\n\n - The SplObjectStorage unserialize implementation in\n ext/spl/spl_observer.c in PHP before 7.0.12 does not\n verify that a key is an object, which allows remote\n attackers to execute arbitrary code or cause a denial\n of service (uninitialized memory access) via crafted\n serialized data.(CVE-2016-7480)\n\n - The xml_parse_into_struct function in ext/xml/xml.c in\n PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before\n 7.0.6 allows remote attackers to cause a denial of\n service (buffer under-read and segmentation fault) or\n possibly have unspecified other impact via crafted XML\n data in the second argument, leading to a parser level\n of zero.(CVE-2016-4539)\n\n - The ZIP signature-verification feature in PHP before\n 5.6.26 and 7.x before 7.0.11 does not ensure that the\n uncompressed_filesize field is large enough, which\n allows remote attackers to cause a denial of service\n (out-of-bounds memory access) or possibly have\n unspecified other impact via a crafted PHAR archive,\n related to ext/phar/util.c and\n ext/phar/zip.c.(CVE-2016-7414)\n\n - Use-after-free vulnerability in the SPL unserialize\n implementation in ext/spl/spl_array.c in PHP before\n 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12\n allows remote attackers to execute arbitrary code via\n crafted serialized data that triggers misuse of an\n array field.(CVE-2015-6832)\n\n - Use-after-free vulnerability in the spl_ptr_heap_insert\n function in ext/spl/spl_heap.c in PHP before 5.5.27 and\n 5.6.x before 5.6.11 allows remote attackers to execute\n arbitrary code by triggering a failed\n SplMinHeap::compare operation.(CVE-2015-4116)\n\n - Use-after-free vulnerability in wddx.c in the WDDX\n extension in PHP before 5.5.33 and 5.6.x before 5.6.19\n allows remote attackers to cause a denial of service\n (memory corruption and application crash) or possibly\n have unspecified other impact by triggering a\n wddx_deserialize call on XML data containing a crafted\n var element.(CVE-2016-3141)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 9, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-12-18T00:00:00", "title": "EulerOS 2.0 SP3 : php (EulerOS-SA-2019-2649)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10397", "CVE-2014-9767", "CVE-2017-9224", "CVE-2016-7414", "CVE-2017-12933", "CVE-2014-9912", "CVE-2016-6288", "CVE-2015-5161", "CVE-2011-4718", "CVE-2017-9228", "CVE-2017-9226", "CVE-2016-4540", "CVE-2015-8879", "CVE-2016-9935", "CVE-2016-3185", "CVE-2018-10545", "CVE-2017-11143", "CVE-2018-5712", "CVE-2017-9229", "CVE-2016-7125", "CVE-2016-4543", "CVE-2016-4542", "CVE-2017-9227", "CVE-2016-4541", "CVE-2017-11628", "CVE-2017-7272", "CVE-2016-2554", "CVE-2018-14851", "CVE-2015-8835", "CVE-2017-16642", "CVE-2015-6833", "CVE-2016-4070", "CVE-2015-8874", "CVE-2016-6292", "CVE-2016-9934", "CVE-2015-4116", "CVE-2015-6831", "CVE-2017-11147", "CVE-2016-10159", "CVE-2016-7411", "CVE-2016-4539", "CVE-2016-5093", "CVE-2016-5094", "CVE-2016-7124", "CVE-2016-7480", "CVE-2019-11043", "CVE-2016-6294", "CVE-2016-7128", "CVE-2015-8935", "CVE-2015-7803", "CVE-2016-7418", "CVE-2018-17082", "CVE-2015-8866", "CVE-2016-10161", "CVE-2015-5589", "CVE-2016-3141", "CVE-2018-10547", "CVE-2016-6291", "CVE-2016-10158", "CVE-2017-11145", "CVE-2017-11144", "CVE-2015-6832", "CVE-2016-3142", "CVE-2018-5711", "CVE-2015-7804", "CVE-2016-7412"], "modified": "2019-12-18T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:php-pgsql", "p-cpe:/a:huawei:euleros:php-common", "p-cpe:/a:huawei:euleros:php-mysql", "p-cpe:/a:huawei:euleros:php-recode", "p-cpe:/a:huawei:euleros:php-odbc", "p-cpe:/a:huawei:euleros:php-process", "p-cpe:/a:huawei:euleros:php-xml", "p-cpe:/a:huawei:euleros:php-soap", "p-cpe:/a:huawei:euleros:php-cli", "p-cpe:/a:huawei:euleros:php", "p-cpe:/a:huawei:euleros:php-ldap", "p-cpe:/a:huawei:euleros:php-xmlrpc", "p-cpe:/a:huawei:euleros:php-pdo", "p-cpe:/a:huawei:euleros:php-gd", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-2649.NASL", "href": "https://www.tenable.com/plugins/nessus/132184", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132184);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2011-4718\",\n \"CVE-2014-9767\",\n \"CVE-2014-9912\",\n \"CVE-2015-4116\",\n \"CVE-2015-5589\",\n \"CVE-2015-6831\",\n \"CVE-2015-6832\",\n \"CVE-2015-6833\",\n \"CVE-2015-7803\",\n \"CVE-2015-7804\",\n \"CVE-2015-8835\",\n \"CVE-2015-8866\",\n \"CVE-2015-8874\",\n \"CVE-2015-8879\",\n \"CVE-2015-8935\",\n \"CVE-2016-10158\",\n \"CVE-2016-10159\",\n \"CVE-2016-10161\",\n \"CVE-2016-10397\",\n \"CVE-2016-2554\",\n \"CVE-2016-3141\",\n \"CVE-2016-3142\",\n \"CVE-2016-3185\",\n \"CVE-2016-4070\",\n \"CVE-2016-4539\",\n \"CVE-2016-4540\",\n \"CVE-2016-4541\",\n \"CVE-2016-4542\",\n \"CVE-2016-4543\",\n \"CVE-2016-5093\",\n \"CVE-2016-5094\",\n \"CVE-2016-6288\",\n \"CVE-2016-6291\",\n \"CVE-2016-6292\",\n \"CVE-2016-6294\",\n \"CVE-2016-7124\",\n \"CVE-2016-7125\",\n \"CVE-2016-7128\",\n \"CVE-2016-7411\",\n \"CVE-2016-7412\",\n \"CVE-2016-7414\",\n \"CVE-2016-7418\",\n \"CVE-2016-7480\",\n \"CVE-2016-9934\",\n \"CVE-2016-9935\",\n \"CVE-2017-11143\",\n \"CVE-2017-11144\",\n \"CVE-2017-11147\",\n \"CVE-2017-11628\",\n \"CVE-2017-12933\",\n \"CVE-2017-16642\",\n \"CVE-2017-7272\",\n \"CVE-2017-9224\",\n \"CVE-2017-9226\",\n \"CVE-2017-9227\",\n \"CVE-2017-9228\",\n \"CVE-2017-9229\",\n \"CVE-2018-10545\",\n \"CVE-2018-10547\",\n \"CVE-2018-14851\",\n \"CVE-2018-17082\",\n \"CVE-2018-5711\",\n \"CVE-2018-5712\",\n \"CVE-2019-11043\"\n );\n script_bugtraq_id(\n 61929,\n 75974\n );\n\n script_name(english:\"EulerOS 2.0 SP3 : php (EulerOS-SA-2019-2649)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the php packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - ** DISPUTED ** Integer overflow in the\n php_raw_url_encode function in ext/standard/url.c in\n PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before\n 7.0.5 allows remote attackers to cause a denial of\n service (application crash) via a long string to the\n rawurlencode function. NOTE: the vendor says 'Not sure\n if this qualifies as security issue (probably\n not).'(CVE-2016-4070)\n\n - An issue was discovered in ext/phar/phar_object.c in\n PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before\n 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS\n on the PHAR 403 and 404 error pages via request data of\n a request for a .phar file. NOTE: this vulnerability\n exists because of an incomplete fix for\n CVE-2018-5712.(CVE-2018-10547)\n\n - An issue was discovered in Oniguruma 6.2.0, as used in\n Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP\n through 7.1.5. A heap out-of-bounds write occurs in\n bitset_set_range() during regular expression\n compilation due to an uninitialized variable from an\n incorrect state transition. An incorrect state\n transition in parse_char_class() could create an\n execution path that leaves a critical local variable\n uninitialized until it's used as an index, resulting in\n an out-of-bounds write memory\n corruption.(CVE-2017-9228)\n\n - An issue was discovered in Oniguruma 6.2.0, as used in\n Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP\n through 7.1.5. A heap out-of-bounds write or read\n occurs in next_state_val() during regular expression\n compilation. Octal numbers larger than 0xff are not\n handled correctly in fetch_token() and\n fetch_token_in_cc(). A malformed regular expression\n containing an octal number in the form of '\\700' would\n produce an invalid code point value larger than 0xff in\n next_state_val(), resulting in an out-of-bounds write\n memory corruption.(CVE-2017-9226)\n\n - An issue was discovered in Oniguruma 6.2.0, as used in\n Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP\n through 7.1.5. A SIGSEGV occurs in\n left_adjust_char_head() during regular expression\n compilation. Invalid handling of reg->dmax in\n forward_search_range() could result in an invalid\n pointer dereference, normally as an immediate\n denial-of-service condition.(CVE-2017-9229)\n\n - An issue was discovered in Oniguruma 6.2.0, as used in\n Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP\n through 7.1.5. A stack out-of-bounds read occurs in\n match_at() during regular expression searching. A\n logical error involving order of validation and access\n in match_at() could result in an out-of-bounds read\n from a stack buffer.(CVE-2017-9224)\n\n - An issue was discovered in Oniguruma 6.2.0, as used in\n Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP\n through 7.1.5. A stack out-of-bounds read occurs in\n mbc_enc_len() during regular expression searching.\n Invalid handling of reg->dmin in forward_search_range()\n could result in an invalid pointer dereference, as an\n out-of-bounds read from a stack buffer.(CVE-2017-9227)\n\n - An issue was discovered in PHP before 5.6.33, 7.0.x\n before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before\n 7.2.1. There is Reflected XSS on the PHAR 404 error\n page via the URI of a request for a .phar\n file.(CVE-2018-5712)\n\n - An issue was discovered in PHP before 5.6.35, 7.0.x\n before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before\n 7.2.4. Dumpable FPM child processes allow bypassing\n opcache access controls because fpm_unix.c makes a\n PR_SET_DUMPABLE prctl call, allowing one user (in a\n multiuser environment) to obtain sensitive information\n from the process memory of a second user's PHP\n applications by running gcore on the PID of the PHP-FPM\n worker process.(CVE-2018-10545)\n\n - Directory traversal vulnerability in the PharData class\n in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x\n before 5.6.12 allows remote attackers to write to\n arbitrary files via a .. (dot dot) in a ZIP archive\n entry that is mishandled during an extractTo\n call.(CVE-2015-6833)\n\n - Directory traversal vulnerability in the\n ZipArchive::extractTo function in ext/zip/php_zip.c in\n PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x\n before 5.6.13 and ext/zip/ext_zip.cpp in HHVM before\n 3.12.1 allows remote attackers to create arbitrary\n empty directories via a crafted ZIP\n archive.(CVE-2014-9767)\n\n - exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP\n before 5.6.37, 7.0.x before 7.0.31, 7.1.x before\n 7.1.20, and 7.2.x before 7.2.8 allows remote attackers\n to cause a denial of service (out-of-bounds read and\n application crash) via a crafted JPEG\n file.(CVE-2018-14851)\n\n - ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x\n before 5.6.6, when PHP-FPM is used, does not isolate\n each thread from libxml_disable_entity_loader changes\n in other threads, which allows remote attackers to\n conduct XML External Entity (XXE) and XML Entity\n Expansion (XEE) attacks via a crafted XML document, a\n related issue to CVE-2015-5161.(CVE-2015-8866)\n\n - ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26\n and 7.x before 7.0.11 does not verify that a BIT field\n has the UNSIGNED_FLAG flag, which allows remote MySQL\n servers to cause a denial of service (heap-based buffer\n overflow) or possibly have unspecified other impact via\n crafted field metadata.(CVE-2016-7412)\n\n - ext/session/session.c in PHP before 5.6.25 and 7.x\n before 7.0.10 skips invalid session names in a way that\n triggers incorrect parsing, which allows remote\n attackers to inject arbitrary-type session data by\n leveraging control of a session name, as demonstrated\n by object injection.(CVE-2016-7125)\n\n - ext/standard/var_unserializer.c in PHP before 5.6.25\n and 7.x before 7.0.10 mishandles certain invalid\n objects, which allows remote attackers to cause a\n denial of service or possibly have unspecified other\n impact via crafted serialized data that leads to a (1)\n __destruct call or (2) magic method\n call.(CVE-2016-7124)\n\n - ext/standard/var_unserializer.re in PHP before 5.6.26\n mishandles object-deserialization failures, which\n allows remote attackers to cause a denial of service\n (memory corruption) or possibly have unspecified other\n impact via an unserialize call that references a\n partially constructed object.(CVE-2016-7411)\n\n - ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before\n 7.0.13 allows remote attackers to cause a denial of\n service (NULL pointer dereference) via crafted\n serialized data in a wddxPacket XML document, as\n demonstrated by a PDORow string.(CVE-2016-9934)\n\n - gd_gif_in.c in the GD Graphics Library (aka libgd), as\n used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x\n before 7.1.13, and 7.2.x before 7.2.1, has an integer\n signedness error that leads to an infinite loop via a\n crafted GIF file, as demonstrated by a call to the\n imagecreatefromgif or imagecreatefromstring PHP\n function. This is related to GetCode_ and\n gdImageCreateFromGifCtx.(CVE-2018-5711)\n\n - In PHP before 5.6.28 and 7.x before 7.0.13, incorrect\n handling of various URI components in the URL parser\n could be used by attackers to bypass hostname-specific\n URL checks, as demonstrated by\n evil.example.com:80#@good.example.com/ and\n evil.example.com:80?@good.example.com/ inputs to the\n parse_url function (implemented in the php_url_parse_ex\n function in ext/standard/url.c).(CVE-2016-10397)\n\n - In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR\n archive handler could be used by attackers supplying\n malicious archive files to crash the PHP interpreter or\n potentially disclose information due to a buffer\n over-read in the phar_parse_pharfile function in\n ext/phar/phar.c.(CVE-2017-11147)\n\n - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x\n before 7.1.7, a stack-based buffer overflow in the\n zend_ini_do_op() function in Zend/zend_ini_parser.c\n could cause a denial of service or potentially allow\n executing code. NOTE: this is only relevant for PHP\n applications that accept untrusted input (instead of\n the system's php.ini file) for the parse_ini_string or\n parse_ini_file function, e.g., a web application for\n syntax validation of php.ini\n directives.(CVE-2017-11628)\n\n - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x\n before 7.1.7, the openssl extension PEM sealing code\n did not check the return value of the OpenSSL sealing\n function, which could lead to a crash of the PHP\n interpreter, related to an interpretation conflict for\n a negative number in ext/openssl/openssl.c, and an\n OpenSSL documentation omission.(CVE-2017-11144)\n\n - In PHP before 5.6.31, an invalid free in the WDDX\n deserialization of boolean parameters could be used by\n attackers able to inject XML for deserialization to\n crash the PHP interpreter, related to an invalid free\n for an empty boolean element in\n ext/wddx/wddx.c.(CVE-2017-11143)\n\n - In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x\n before 7.1.11, an error in the date extension's\n timelib_meridian handling of 'front of' and 'back of'\n directives could be used by attackers able to supply\n date strings to leak information from the interpreter,\n related to ext/date/lib/parse_date.c out-of-bounds\n reads affecting the php_parse_date function. NOTE: this\n is a different issue than\n CVE-2017-11145.(CVE-2017-16642)\n\n - In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24\n and 7.3.x below 7.3.11 in certain configurations of FPM\n setup it is possible to cause FPM module to write past\n allocated buffers into the space reserved for FCGI\n protocol data, thus opening the possibility of remote\n code execution.(CVE-2019-11043)\n\n - Integer overflow in the phar_parse_pharfile function in\n ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before\n 7.0.15 allows remote attackers to cause a denial of\n service (memory consumption or application crash) via a\n truncated manifest entry in a PHAR\n archive.(CVE-2016-10159)\n\n - Integer overflow in the php_html_entities function in\n ext/standard/html.c in PHP before 5.5.36 and 5.6.x\n before 5.6.22 allows remote attackers to cause a denial\n of service or possibly have unspecified other impact by\n triggering a large output string from the\n htmlspecialchars function.(CVE-2016-5094)\n\n - Multiple use-after-free vulnerabilities in SPL in PHP\n before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before\n 5.6.12 allow remote attackers to execute arbitrary code\n via vectors involving (1) ArrayObject, (2)\n SplObjectStorage, and (3) SplDoublyLinkedList, which\n are mishandled during unserialization.(CVE-2015-6831)\n\n - Off-by-one error in the phar_parse_zipfile function in\n ext/phar/zip.c in PHP before 5.5.30 and 5.6.x before\n 5.6.14 allows remote attackers to cause a denial of\n service (uninitialized pointer dereference and\n application crash) by including the / filename in a\n .zip PHAR archive.(CVE-2015-7804)\n\n - PHP through 7.1.11 enables potential SSRF in\n applications that accept an fsockopen or pfsockopen\n hostname argument with an expectation that the port\n number is constrained. Because a :port syntax is\n recognized, fsockopen will use the port number that is\n specified in the hostname argument, instead of the port\n number in the second argument of the\n function.(CVE-2017-7272)\n\n - Session fixation vulnerability in the Sessions\n subsystem in PHP before 5.5.2 allows remote attackers\n to hijack web sessions by specifying a session\n ID.(CVE-2011-4718)\n\n - Stack consumption vulnerability in GD in PHP before\n 5.6.12 allows remote attackers to cause a denial of\n service via a crafted imagefilltoborder\n call.(CVE-2015-8874)\n\n - Stack-based buffer overflow in ext/phar/tar.c in PHP\n before 5.5.32, 5.6.x before 5.6.18, and 7.x before\n 7.0.3 allows remote attackers to cause a denial of\n service (application crash) or possibly have\n unspecified other impact via a crafted TAR\n archive.(CVE-2016-2554)\n\n - The Apache2 component in PHP before 5.6.38, 7.0.x\n before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before\n 7.2.10 allows XSS via the body of a 'Transfer-Encoding:\n chunked' request, because the bucket brigade is\n mishandled in the php_handler function in\n sapi/apache2handler/sapi_apache2.c.(CVE-2018-17082)\n\n - The exif_convert_any_to_int function in ext/exif/exif.c\n in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x\n before 7.1.1 allows remote attackers to cause a denial\n of service (application crash) via crafted EXIF data\n that triggers an attempt to divide the minimum\n representable negative integer by -1.(CVE-2016-10158)\n\n - The exif_process_IFD_in_JPEG function in\n ext/exif/exif.c in PHP before 5.5.35, 5.6.x before\n 5.6.21, and 7.x before 7.0.6 does not validate IFD\n sizes, which allows remote attackers to cause a denial\n of service (out-of-bounds read) or possibly have\n unspecified other impact via crafted header\n data.(CVE-2016-4543)\n\n - The exif_process_IFD_in_MAKERNOTE function in\n ext/exif/exif.c in PHP before 5.5.38, 5.6.x before\n 5.6.24, and 7.x before 7.0.9 allows remote attackers to\n cause a denial of service (out-of-bounds array access\n and memory corruption), obtain sensitive information\n from process memory, or possibly have unspecified other\n impact via a crafted JPEG image.(CVE-2016-6291)\n\n - The exif_process_IFD_in_TIFF function in\n ext/exif/exif.c in PHP before 5.6.25 and 7.x before\n 7.0.10 mishandles the case of a thumbnail offset that\n exceeds the file size, which allows remote attackers to\n obtain sensitive information from process memory via a\n crafted TIFF image.(CVE-2016-7128)\n\n - The exif_process_IFD_TAG function in ext/exif/exif.c in\n PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before\n 7.0.6 does not properly construct spprintf arguments,\n which allows remote attackers to cause a denial of\n service (out-of-bounds read) or possibly have\n unspecified other impact via crafted header\n data.(CVE-2016-4542)\n\n - The exif_process_user_comment function in\n ext/exif/exif.c in PHP before 5.5.38, 5.6.x before\n 5.6.24, and 7.x before 7.0.9 allows remote attackers to\n cause a denial of service (NULL pointer dereference and\n application crash) via a crafted JPEG\n image.(CVE-2016-6292)\n\n - The finish_nested_data function in\n ext/standard/var_unserializer.re in PHP before 5.6.31,\n 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to\n a buffer over-read while unserializing untrusted data.\n Exploitation of this issue can have an unspecified\n impact on the integrity of PHP.(CVE-2017-12933)\n\n - The get_icu_disp_value_src_php function in\n ext/intl/locale/locale_methods.c in PHP before 5.3.29,\n 5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not\n properly restrict calls to the ICU uresbund.cpp\n component, which allows remote attackers to cause a\n denial of service (buffer overflow) or possibly have\n unspecified other impact via a locale_get_display_name\n call with a long first argument.(CVE-2014-9912)\n\n - The get_icu_value_internal function in\n ext/intl/locale/locale_methods.c in PHP before 5.5.36,\n 5.6.x before 5.6.22, and 7.x before 7.0.7 does not\n ensure the presence of a '\\0' character, which allows\n remote attackers to cause a denial of service\n (out-of-bounds read) or possibly have unspecified other\n impact via a crafted locale_get_primary_language\n call.(CVE-2016-5093)\n\n - The grapheme_stripos function in\n ext/intl/grapheme/grapheme_string.c in PHP before\n 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6\n allows remote attackers to cause a denial of service\n (out-of-bounds read) or possibly have unspecified other\n impact via a negative offset.(CVE-2016-4540)\n\n - The grapheme_strpos function in\n ext/intl/grapheme/grapheme_string.c in PHP before\n 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6\n allows remote attackers to cause a denial of service\n (out-of-bounds read) or possibly have unspecified other\n impact via a negative offset.(CVE-2016-4541)\n\n - The locale_accept_from_http function in\n ext/intl/locale/locale_methods.c in PHP before 5.5.38,\n 5.6.x before 5.6.24, and 7.x before 7.0.9 does not\n properly restrict calls to the ICU\n uloc_acceptLanguageFromHTTP function, which allows\n remote attackers to cause a denial of service\n (out-of-bounds read) or possibly have unspecified other\n impact via a call with a long argument.(CVE-2016-6294)\n\n - The make_http_soap_request function in\n ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before\n 5.5.28, 5.6.x before 5.6.12, and 7.x before 7.0.4\n allows remote attackers to obtain sensitive information\n from process memory or cause a denial of service (type\n confusion and application crash) via crafted serialized\n _cookies data, related to the SoapClient::__call method\n in ext/soap/soap.c.(CVE-2016-3185)\n\n - The make_http_soap_request function in\n ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before\n 5.5.28, and 5.6.x before 5.6.12 does not properly\n retrieve keys, which allows remote attackers to cause a\n denial of service (NULL pointer dereference, type\n confusion, and application crash) or possibly execute\n arbitrary code via crafted serialized data representing\n a numerically indexed _cookies array, related to the\n SoapClient::__call method in\n ext/soap/soap.c.(CVE-2015-8835)\n\n - The object_common1 function in\n ext/standard/var_unserializer.c in PHP before 5.6.30,\n 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows\n remote attackers to cause a denial of service (buffer\n over-read and application crash) via crafted serialized\n data that is mishandled in a finish_nested_data\n call.(CVE-2016-10161)\n\n - The odbc_bindcols function in ext/odbc/php_odbc.c in\n PHP before 5.6.12 mishandles driver behavior for\n SQL_WVARCHAR columns, which allows remote attackers to\n cause a denial of service (application crash) in\n opportunistic circumstances by leveraging use of the\n odbc_fetch_array function to access a certain type of\n Microsoft SQL Server table.(CVE-2015-8879)\n\n - The phar_convert_to_other function in\n ext/phar/phar_object.c in PHP before 5.4.43, 5.5.x\n before 5.5.27, and 5.6.x before 5.6.11 does not\n validate a file pointer before a close operation, which\n allows remote attackers to cause a denial of service\n (segmentation fault) or possibly have unspecified other\n impact via a crafted TAR archive that is mishandled in\n a Phar::convertToData call.(CVE-2015-5589)\n\n - The phar_get_entry_data function in ext/phar/util.c in\n PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote\n attackers to cause a denial of service (NULL pointer\n dereference and application crash) via a .phar file\n with a crafted TAR archive entry in which the Link\n indicator references a file that does not\n exist.(CVE-2015-7803)\n\n - The phar_parse_zipfile function in zip.c in the PHAR\n extension in PHP before 5.5.33 and 5.6.x before 5.6.19\n allows remote attackers to obtain sensitive information\n from process memory or cause a denial of service\n (out-of-bounds read and application crash) by placing a\n PK\\x05\\x06 signature at an invalid\n location.(CVE-2016-3142)\n\n - The php_url_parse_ex function in ext/standard/url.c in\n PHP before 5.5.38 allows remote attackers to cause a\n denial of service (buffer over-read) or possibly have\n unspecified other impact via vectors involving the\n smart_str data type.(CVE-2016-6288)\n\n - The php_wddx_push_element function in ext/wddx/wddx.c\n in PHP before 5.6.26 and 7.x before 7.0.11 allows\n remote attackers to cause a denial of service (invalid\n pointer access and out-of-bounds read) or possibly have\n unspecified other impact via an incorrect boolean\n element in a wddxPacket XML document, leading to\n mishandling in a wddx_deserialize call.(CVE-2016-7418)\n\n - The php_wddx_push_element function in ext/wddx/wddx.c\n in PHP before 5.6.29 and 7.x before 7.0.14 allows\n remote attackers to cause a denial of service\n (out-of-bounds read and memory corruption) or possibly\n have unspecified other impact via an empty boolean\n element in a wddxPacket XML document.(CVE-2016-9935)\n\n - The sapi_header_op function in main/SAPI.c in PHP\n before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before\n 5.6.6 supports deprecated line folding without\n considering browser compatibility, which allows remote\n attackers to conduct cross-site scripting (XSS) attacks\n against Internet Explorer by leveraging (1) %0A%20 or\n (2) %0D%0A%20 mishandling in the header\n function.(CVE-2015-8935)\n\n - The SplObjectStorage unserialize implementation in\n ext/spl/spl_observer.c in PHP before 7.0.12 does not\n verify that a key is an object, which allows remote\n attackers to execute arbitrary code or cause a denial\n of service (uninitialized memory access) via crafted\n serialized data.(CVE-2016-7480)\n\n - The xml_parse_into_struct function in ext/xml/xml.c in\n PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before\n 7.0.6 allows remote attackers to cause a denial of\n service (buffer under-read and segmentation fault) or\n possibly have unspecified other impact via crafted XML\n data in the second argument, leading to a parser level\n of zero.(CVE-2016-4539)\n\n - The ZIP signature-verification feature in PHP before\n 5.6.26 and 7.x before 7.0.11 does not ensure that the\n uncompressed_filesize field is large enough, which\n allows remote attackers to cause a denial of service\n (out-of-bounds memory access) or possibly have\n unspecified other impact via a crafted PHAR archive,\n related to ext/phar/util.c and\n ext/phar/zip.c.(CVE-2016-7414)\n\n - Use-after-free vulnerability in the SPL unserialize\n implementation in ext/spl/spl_array.c in PHP before\n 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12\n allows remote attackers to execute arbitrary code via\n crafted serialized data that triggers misuse of an\n array field.(CVE-2015-6832)\n\n - Use-after-free vulnerability in the spl_ptr_heap_insert\n function in ext/spl/spl_heap.c in PHP before 5.5.27 and\n 5.6.x before 5.6.11 allows remote attackers to execute\n arbitrary code by triggering a failed\n SplMinHeap::compare operation.(CVE-2015-4116)\n\n - Use-after-free vulnerability in wddx.c in the WDDX\n extension in PHP before 5.5.33 and 5.6.x before 5.6.19\n allows remote attackers to cause a denial of service\n (memory corruption and application crash) or possibly\n have unspecified other impact by triggering a\n wddx_deserialize call on XML data containing a crafted\n var element.(CVE-2016-3141)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2649\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?cd44f4b5\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected php packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'PHP-FPM Underflow RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-odbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-pdo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-process\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-recode\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-soap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-xml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(3)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"php-5.4.16-42.h51\",\n \"php-cli-5.4.16-42.h51\",\n \"php-common-5.4.16-42.h51\",\n \"php-gd-5.4.16-42.h51\",\n \"php-ldap-5.4.16-42.h51\",\n \"php-mysql-5.4.16-42.h51\",\n \"php-odbc-5.4.16-42.h51\",\n \"php-pdo-5.4.16-42.h51\",\n \"php-pgsql-5.4.16-42.h51\",\n \"php-process-5.4.16-42.h51\",\n \"php-recode-5.4.16-42.h51\",\n \"php-soap-5.4.16-42.h51\",\n \"php-xml-5.4.16-42.h51\",\n \"php-xmlrpc-5.4.16-42.h51\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"3\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T09:00:59", "description": "According to the versions of the php packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24\n and 7.3.x below 7.3.11 in certain configurations of FPM\n setup it is possible to cause FPM module to write past\n allocated buffers into the space reserved for FCGI\n protocol data, thus opening the possibility of remote\n code execution.(CVE-2019-11043)\n\n - The finish_nested_data function in\n ext/standard/var_unserializer.re in PHP before 5.6.31,\n 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to\n a buffer over-read while unserializing untrusted data.\n Exploitation of this issue can have an unspecified\n impact on the integrity of PHP.(CVE-2017-12933)\n\n - ext/standard/var_unserializer.c in PHP before 5.6.25\n and 7.x before 7.0.10 mishandles certain invalid\n objects, which allows remote attackers to cause a\n denial of service or possibly have unspecified other\n impact via crafted serialized data that leads to a (1)\n __destruct call or (2) magic method\n call.(CVE-2016-7124)\n\n - The match function in pcre_exec.c in PCRE before 8.37\n mishandles the\n /(?:((abcd))|(((?:(?:(?:(?:abc|(?:abcdef))))b)abcdefghi\n )abc)|((*ACCEPT)))/ pattern and related patterns\n involving (*ACCEPT), which allows remote attackers to\n obtain sensitive information from process memory or\n cause a denial of service (partially initialized memory\n and application crash) via a crafted regular\n expression, as demonstrated by a JavaScript RegExp\n object encountered by Konqueror, aka\n ZDI-CAN-2547.(CVE-2015-8382)\n\n - An issue was discovered in PHP before 5.6.33, 7.0.x\n before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before\n 7.2.1. There is Reflected XSS on the PHAR 404 error\n page via the URI of a request for a .phar\n file.(CVE-2018-5712)\n\n - exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP\n before 5.6.37, 7.0.x before 7.0.31, 7.1.x before\n 7.1.20, and 7.2.x before 7.2.8 allows remote attackers\n to cause a denial of service (out-of-bounds read and\n application crash) via a crafted JPEG\n file.(CVE-2018-14851)\n\n - The SplObjectStorage unserialize implementation in\n ext/spl/spl_observer.c in PHP before 7.0.12 does not\n verify that a key is an object, which allows remote\n attackers to execute arbitrary code or cause a denial\n of service (uninitialized memory access) via crafted\n serialized data.(CVE-2016-7480)\n\n - ext/standard/var_unserializer.re in PHP before 5.6.26\n mishandles object-deserialization failures, which\n allows remote attackers to cause a denial of service\n (memory corruption) or possibly have unspecified other\n impact via an unserialize call that references a\n partially constructed object.(CVE-2016-7411)\n\n - The odbc_bindcols function in ext/odbc/php_odbc.c in\n PHP before 5.6.12 mishandles driver behavior for\n SQL_WVARCHAR columns, which allows remote attackers to\n cause a denial of service (application crash) in\n opportunistic circumstances by leveraging use of the\n odbc_fetch_array function to access a certain type of\n Microsoft SQL Server table.(CVE-2015-8879)\n\n - In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x\n before 7.1.11, an error in the date extension's\n timelib_meridian handling of 'front of' and 'back of'\n directives could be used by attackers able to supply\n date strings to leak information from the interpreter,\n related to ext/date/lib/parse_date.c out-of-bounds\n reads affecting the php_parse_date function. NOTE: this\n is a different issue than\n CVE-2017-11145.(CVE-2017-16642)\n\n - The exif_process_IFD_in_JPEG function in\n ext/exif/exif.c in PHP before 5.5.35, 5.6.x before\n 5.6.21, and 7.x before 7.0.6 does not validate IFD\n sizes, which allows remote attackers to cause a denial\n of service (out-of-bounds read) or possibly have\n unspecified other impact via crafted header\n data.(CVE-2016-4543)\n\n - The exif_process_IFD_TAG function in ext/exif/exif.c in\n PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before\n 7.0.6 does not properly construct spprintf arguments,\n which allows remote attackers to cause a denial of\n service (out-of-bounds read) or possibly have\n unspecified other impact via crafted header\n data.(CVE-2016-4542)\n\n - The grapheme_strpos function in\n ext/intl/grapheme/grapheme_string.c in PHP before\n 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6\n allows remote attackers to cause a denial of service\n (out-of-bounds read) or possibly have unspecified other\n impact via a negative offset.(CVE-2016-4541)\n\n - The grapheme_stripos function in\n ext/intl/grapheme/grapheme_string.c in PHP before\n 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6\n allows remote attackers to cause a denial of service\n (out-of-bounds read) or possibly have unspecified other\n impact via a negative offset.(CVE-2016-4540)\n\n - The xml_parse_into_struct function in ext/xml/xml.c in\n PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before\n 7.0.6 allows remote attackers to cause a denial of\n service (buffer under-read and segmentation fault) or\n possibly have unspecified other impact via crafted XML\n data in the second argument, leading to a parser level\n of zero.(CVE-2016-4539)\n\n - ** DISPUTED ** Integer overflow in the\n php_raw_url_encode function in ext/standard/url.c in\n PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before\n 7.0.5 allows remote attackers to cause a denial of\n service (application crash) via a long string to the\n rawurlencode function. NOTE: the vendor says 'Not sure\n if this qualifies as security issue (probably\n not).'(CVE-2016-4070)\n\n - Use-after-free vulnerability in wddx.c in the WDDX\n extension in PHP before 5.5.33 and 5.6.x before 5.6.19\n allows remote attackers to cause a denial of service\n (memory corruption and application crash) or possibly\n have unspecified other impact by triggering a\n wddx_deserialize call on XML data containing a crafted\n var element.(CVE-2016-3141)\n\n - In PHP before 5.6.28 and 7.x before 7.0.13, incorrect\n handling of various URI components in the URL parser\n could be used by attackers to bypass hostname-specific\n URL checks, as demonstrated by\n evil.example.com:80#@good.example.com/ and\n evil.example.com:80?@good.example.com/ inputs to the\n parse_url function (implemented in the php_url_parse_ex\n function in ext/standard/url.c).(CVE-2016-10397)\n\n - Multiple use-after-free vulnerabilities in SPL in PHP\n before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before\n 5.6.12 allow remote attackers to execute arbitrary code\n via vectors involving (1) ArrayObject, (2)\n SplObjectStorage, and (3) SplDoublyLinkedList, which\n are mishandled during unserialization.(CVE-2015-6831)\n\n - An issue was discovered in Oniguruma 6.2.0, as used in\n Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP\n through 7.1.5. A heap out-of-bounds write occurs in\n bitset_set_range() during regular expression\n compilation due to an uninitialized variable from an\n incorrect state transition. An incorrect state\n transition in parse_char_class() could create an\n execution path that leaves a critical local variable\n uninitialized until it's used as an index, resulting in\n an out-of-bounds write memory\n corruption.(CVE-2017-9228)\n\n - An issue was discovered in Oniguruma 6.2.0, as used in\n Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP\n through 7.1.5. A stack out-of-bounds read occurs in\n mbc_enc_len() during regular expression searching.\n Invalid handling of reg->dmin in forward_search_range()\n could result in an invalid pointer dereference, as an\n out-of-bounds read from a stack buffer.(CVE-2017-9227)\n\n - An issue was discovered in Oniguruma 6.2.0, as used in\n Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP\n through 7.1.5. A heap out-of-bounds write or read\n occurs in next_state_val() during regular expression\n compilation. Octal numbers larger than 0xff are not\n handled correctly in fetch_token() and\n fetch_token_in_cc(). A malformed regular expression\n containing an octal number in the form of '\\700' would\n produce an invalid code point value larger than 0xff in\n next_state_val(), resulting in an out-of-bounds write\n memory corruption.(CVE-2017-9226)\n\n - An issue was discovered in Oniguruma 6.2.0, as used in\n Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP\n through 7.1.5. A stack out-of-bounds read occurs in\n match_at() during regular expression searching. A\n logical error involving order of validation and access\n in match_at() could result in an out-of-bounds read\n from a stack buffer.(CVE-2017-9224)\n\n - The exif_process_IFD_in_MAKERNOTE function in\n ext/exif/exif.c in PHP before 5.5.38, 5.6.x before\n 5.6.24, and 7.x before 7.0.9 allows remote attackers to\n cause a denial of service (out-of-bounds array access\n and memory corruption), obtain sensitive information\n from process memory, or possibly have unspecified other\n impact via a crafted JPEG image.(CVE-2016-6291)\n\n - The php_url_parse_ex function in ext/standard/url.c in\n PHP before 5.5.38 allows remote attackers to cause a\n denial of service (buffer over-read) or possibly have\n unspecified other impact via vectors involving the\n smart_str data type.(CVE-2016-6288)\n\n - Integer overflow in the php_html_entities function in\n ext/standard/html.c in PHP before 5.5.36 and 5.6.x\n before 5.6.22 allows remote attackers to cause a denial\n of service or possibly have unspecified other impact by\n triggering a large output string from the\n htmlspecialchars function.(CVE-2016-5094)\n\n - The get_icu_value_internal function in\n ext/intl/locale/locale_methods.c in PHP before 5.5.36,\n 5.6.x before 5.6.22, and 7.x before 7.0.7 does not\n ensure the presence of a '\\0' character, which allows\n remote attackers to cause a denial of service\n (out-of-bounds read) or possibly have unspecified other\n impact via a crafted locale_get_primary_language\n call.(CVE-2016-5093)\n\n - In PHP before 5.6.31, an invalid free in the WDDX\n deserialization of boolean parameters could be used by\n attackers able to inject XML for deserialization to\n crash the PHP interpreter, related to an invalid free\n for an empty boolean element in\n ext/wddx/wddx.c.(CVE-2017-11143)\n\n - The php_wddx_push_element function in ext/wddx/wddx.c\n in PHP before 5.6.29 and 7.x before 7.0.14 allows\n remote attackers to cause a denial of service\n (out-of-bounds read and memory corruption) or possibly\n have unspecified other impact via an empty boolean\n element in a wddxPacket XML document.(CVE-2016-9935)\n\n - ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before\n 7.0.13 allows remote attackers to cause a denial of\n service (NULL pointer dereference) via crafted\n serialized data in a wddxPacket XML document, as\n demonstrated by a PDORow string.(CVE-2016-9934)\n\n - The ZIP signature-verification feature in PHP before\n 5.6.26 and 7.x before 7.0.11 does not ensure that the\n uncompressed_filesize field is large enough, which\n allows remote attackers to cause a denial of service\n (out-of-bounds memory access) or possibly have\n unspecified other impact via a crafted PHAR archive,\n related to ext/phar/util.c and\n ext/phar/zip.c.(CVE-2016-7414)\n\n - ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26\n and 7.x before 7.0.11 does not verify that a BIT field\n has the UNSIGNED_FLAG flag, which allows remote MySQL\n servers to cause a denial of service (heap-based buffer\n overflow) or possibly have unspecified other impact via\n crafted field metadata.(CVE-2016-7412)\n\n - An issue was discovered in Oniguruma 6.2.0, as used in\n Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP\n through 7.1.5. A SIGSEGV occurs in\n left_adjust_char_head() during regular expression\n compilation. Invalid handling of reg->dmax in\n forward_search_range() could result in an invalid\n pointer dereference, normally as an immediate\n denial-of-service condition.(CVE-2017-9229)\n\n - The openssl_random_pseudo_bytes function in\n ext/openssl/openssl.c in PHP before 5.4.44, 5.5.x\n before 5.5.28, and 5.6.x before 5.6.12 incorrectly\n relies on the deprecated RAND_pseudo_bytes function,\n which makes it easier for remote attackers to defeat\n cryptographic protection mechanisms via unspecified\n vectors.(CVE-2015-8867)\n\n - The sapi_header_op function in main/SAPI.c in PHP\n before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before\n 5.6.6 supports deprecated line folding without\n considering browser compatibility, which allows remote\n attackers to conduct cross-site scripting (XSS) attacks\n against Internet Explorer by leveraging (1) %0A%20 or\n (2) %0D%0A%20 mishandling in the header\n function.(CVE-2015-8935)\n\n - An issue was discovered in PHP before 5.6.35, 7.0.x\n before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before\n 7.2.4. Dumpable FPM child processes allow bypassing\n opcache access controls because fpm_unix.c makes a\n PR_SET_DUMPABLE prctl call, allowing one user (in a\n multiuser environment) to obtain sensitive information\n from the process memory of a second user's PHP\n applications by running gcore on the PID of the PHP-FPM\n worker process.(CVE-2018-10545)\n\n - An issue was discovered in ext/phar/phar_object.c in\n PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before\n 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS\n on the PHAR 403 and 404 error pages via request data of\n a request for a .phar file. NOTE: this vulnerability\n exists because of an incomplete fix for\n CVE-2018-5712.(CVE-2018-10547)\n\n - The Apache2 component in PHP before 5.6.38, 7.0.x\n before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before\n 7.2.10 allows XSS via the body of a 'Transfer-Encoding:\n chunked' request, because the bucket brigade is\n mishandled in the php_handler function in\n sapi/apache2handler/sapi_apache2.c.(CVE-2018-17082)\n\n - PHP through 7.1.11 enables potential SSRF in\n applications that accept an fsockopen or pfsockopen\n hostname argument with an expectation that the port\n number is constrained. Because a :port syntax is\n recognized, fsockopen will use the port number that is\n specified in the hostname argument, instead of the port\n number in the second argument of the\n function.(CVE-2017-7272 )\n\n - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x\n before 7.1.7, a stack-based buffer overflow in the\n zend_ini_do_op() function in Zend/zend_ini_parser.c\n could cause a denial of service or potentially allow\n executing code. NOTE: this is only relevant for PHP\n applications that accept untrusted input (instead of\n the system's php.ini file) for the parse_ini_string or\n parse_ini_file function, e.g., a web application for\n syntax validation of php.ini\n directives.(CVE-2017-11628)\n\n - In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR\n archive handler could be used by attackers supplying\n malicious archive files to crash the PHP interpreter or\n potentially disclose information due to a buffer\n over-read in the phar_parse_pharfile function in\n ext/phar/phar.c.(CVE-2017-11147)\n\n - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x\n before 7.1.7, the openssl extension PEM sealing code\n did not check the return value of the OpenSSL sealing\n function, which could lead to a crash of the PHP\n interpreter, related to an interpretation conflict for\n a negative number in ext/openssl/openssl.c, and an\n OpenSSL documentation omission.(CVE-2017-11144)\n\n - The locale_accept_from_http function in\n ext/intl/locale/locale_methods.c in PHP before 5.5.38,\n 5.6.x before 5.6.24, and 7.x before 7.0.9 does not\n properly restrict calls to the ICU\n uloc_acceptLanguageFromHTTP function, which allows\n remote attackers to cause a denial of service\n (out-of-bounds read) or possibly have unspecified other\n impact via a call with a long argument.(CVE-2016-6294)\n\n - Session fixation vulnerability in the Sessions\n subsystem in PHP before 5.5.2 allows remote attackers\n to hijack web sessions by specifying a session\n ID.(CVE-2011-4718)\n\n - Off-by-one error in the phar_parse_zipfile function in\n ext/phar/zip.c in PHP before 5.5.30 and 5.6.x before\n 5.6.14 allows remote attackers to cause a denial of\n service (uninitialized pointer dereference and\n application crash) by including the / filename in a\n .zip PHAR archive.(CVE-2015-7804)\n\n - The php_wddx_push_element function in ext/wddx/wddx.c\n in PHP before 5.6.26 and 7.x before 7.0.11 allows\n remote attackers to cause a denial of service (invalid\n pointer access and out-of-bounds read) or possibly have\n unspecified other impact via an incorrect boolean\n element in a wddxPacket XML document, leading to\n mishandling in a wddx_deserialize call.(CVE-2016-7418)\n\n - The exif_process_user_comment function in\n ext/exif/exif.c in PHP before 5.5.38, 5.6.x before\n 5.6.24, and 7.x before 7.0.9 allows remote attackers to\n cause a denial of service (NULL pointer dereference and\n application crash) via a crafted JPEG\n image.(CVE-2016-6292)\n\n - The make_http_soap_request function in\n ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before\n 5.5.28, 5.6.x before 5.6.12, and 7.x before 7.0.4\n allows remote attackers to obtain sensitive information\n from process memory or cause a denial of service (type\n confusion and application crash) via crafted serialized\n _cookies data, related to the SoapClient::__call method\n in ext/soap/soap.c.(CVE-2016-3185)\n\n - Directory traversal vulnerability in the\n ZipArchive::extractTo function in ext/zip/php_zip.c in\n PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x\n before 5.6.13 and ext/zip/ext_zip.cpp in HHVM before\n 3.12.1 allows remote attackers to create arbitrary\n empty directories via a crafted ZIP\n archive.(CVE-2014-9767)\n\n - The phar_convert_to_other function in\n ext/phar/phar_object.c in PHP before 5.4.43, 5.5.x\n before 5.5.27, and 5.6.x before 5.6.11 does not\n validate a file pointer before a close operation, which\n allows remote attackers to cause a denial of service\n (segmentation fault) or possibly have unspecified other\n impact via a crafted TAR archive that is mishandled in\n a Phar::convertToData call.(CVE-2015-5589)\n\n - Directory traversal vulnerability in the PharData class\n in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x\n before 5.6.12 allows remote attackers to write to\n arbitrary files via a .. (dot dot) in a ZIP archive\n entry that is mishandled during an extractTo\n call.(CVE-2015-6833)\n\n - The phar_get_entry_data function in ext/phar/util.c in\n PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote\n attackers to cause a denial of service (NULL pointer\n dereference and application crash) via a .phar file\n with a crafted TAR archive entry in which the Link\n indicator references a file that does not\n exist.(CVE-2015-7803)\n\n - Stack consumption vulnerability in GD in PHP before\n 5.6.12 allows remote attackers to cause a denial of\n service via a crafted imagefilltoborder\n call.(CVE-2015-8874)\n\n - Stack-based buffer overflow in ext/phar/tar.c in PHP\n before 5.5.32, 5.6.x before 5.6.18, and 7.x before\n 7.0.3 allows remote attackers to cause a denial of\n service (application crash) or possibly have\n unspecified other impact via a crafted TAR\n archive.(CVE-2016-2554)\n\n - The phar_parse_zipfile function in zip.c in the PHAR\n extension in PHP before 5.5.33 and 5.6.x before 5.6.19\n allows remote attackers to obtain sensitive information\n from process memory or cause a denial of service\n (out-of-bounds read and application crash) by placing a\n PK\\x05\\x06 signature at an invalid\n location.(CVE-2016-3142)\n\n - ext/session/session.c in PHP before 5.6.25 and 7.x\n before 7.0.10 skips invalid session names in a way that\n triggers incorrect parsing, which allows remote\n attackers to inject arbitrary-type session data by\n leveraging control of a session name, as demonstrated\n by object injection.(CVE-2016-7125)\n\n - The exif_process_IFD_in_TIFF function in\n ext/exif/exif.c in PHP before 5.6.25 and 7.x before\n 7.0.10 mishandles the case of a thumbnail offset that\n exceeds the file size, which allows remote attackers to\n obtain sensitive information from process memory via a\n crafted TIFF image.(CVE-2016-7128)\n\n - The get_icu_disp_value_src_php function in\n ext/intl/locale/locale_methods.c in PHP before 5.3.29,\n 5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not\n properly restrict calls to the ICU uresbund.cpp\n component, which allows remote attackers to cause a\n denial of service (buffer overflow) or possibly have\n unspecified other impact via a locale_get_display_name\n call with a long first argument.(CVE-2014-9912)\n\n - Use-after-free vulnerability in the SPL unserialize\n implementation in ext/spl/spl_array.c in PHP before\n 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12\n allows remote attackers to execute arbitrary code via\n crafted serialized data that triggers misuse of an\n array field.(CVE-2015-6832)\n\n - The make_http_soap_request function in\n ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before\n 5.5.28, and 5.6.x before 5.6.12 does not properly\n retrieve keys, which allows remote attackers to cause a\n denial of service (NULL pointer dereference, type\n confusion, and application crash) or possibly execute\n arbitrary code via crafted serialized data representing\n a numerically indexed _cookies array, related to the\n SoapClient::__call method in\n ext/soap/soap.c.(CVE-2015-8835)\n\n - The uloc_acceptLanguageFromHTTP function in\n common/uloc.cpp in International Components for Unicode\n (ICU) through 57.1 for C/C++ does not ensure that there\n is a '\\0' character at the end of a certain temporary\n array, which allows remote attackers to cause a denial\n of service (out-of-bounds read) or possibly have\n unspecified other impact via a call with a long\n httpAcceptLanguage argument.(CVE-2016-6293)\n\n - When PHP EXIF extension is parsing EXIF information\n from an image, e.g. via exif_read_data() function, in\n PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and\n 7.3.x below 7.3.6 it is possible to supply it with data\n what will cause it to read past the allocated buffer.\n This may lead to information disclosure or\n crash.(CVE-2019-11040)\n\n - When PHP EXIF extension is parsing EXIF information\n from an image, e.g. via exif_read_data() function, in\n PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and\n 7.3.x below 7.3.8 it is possible to supply it with data\n what will cause it to read past the allocated buffer.\n This may lead to information disclosure or\n crash.(CVE-2019-11041)\n\n - When PHP EXIF extension is parsing EXIF information\n from an image, e.g. via exif_read_data() function, in\n PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and\n 7.3.x below 7.3.8 it is possible to supply it with data\n what will cause it to read past the allocated buffer.\n This may lead to information disclosure or\n crash.(CVE-2019-11042)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 8, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-12-04T00:00:00", "title": "EulerOS 2.0 SP2 : php (EulerOS-SA-2019-2438)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10397", "CVE-2014-9767", "CVE-2017-9224", "CVE-2016-7414", "CVE-2017-12933", "CVE-2014-9912", "CVE-2016-6288", "CVE-2011-4718", "CVE-2017-9228", "CVE-2017-9226", "CVE-2016-4540", "CVE-2015-8879", "CVE-2016-9935", "CVE-2016-3185", "CVE-2018-10545", "CVE-2017-11143", "CVE-2018-5712", "CVE-2017-9229", "CVE-2015-8382", "CVE-2015-8867", "CVE-2016-7125", "CVE-2016-4543", "CVE-2016-4542", "CVE-2017-9227", "CVE-2016-4541", "CVE-2019-11041", "CVE-2017-11628", "CVE-2017-7272", "CVE-2016-2554", "CVE-2018-14851", "CVE-2019-11042", "CVE-2015-8835", "CVE-2017-16642", "CVE-2015-6833", "CVE-2016-4070", "CVE-2015-8874", "CVE-2016-6292", "CVE-2016-9934", "CVE-2015-6831", "CVE-2017-11147", "CVE-2016-6293", "CVE-2019-11040", "CVE-2016-7411", "CVE-2016-4539", "CVE-2016-5093", "CVE-2016-5094", "CVE-2016-7124", "CVE-2016-7480", "CVE-2019-11043", "CVE-2016-6294", "CVE-2016-7128", "CVE-2015-8935", "CVE-2015-7803", "CVE-2016-7418", "CVE-2018-17082", "CVE-2015-5589", "CVE-2016-3141", "CVE-2018-10547", "CVE-2016-6291", "CVE-2017-11145", "CVE-2017-11144", "CVE-2015-6832", "CVE-2016-3142", "CVE-2015-7804", "CVE-2016-7412"], "modified": "2019-12-04T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:php-pgsql", "p-cpe:/a:huawei:euleros:php-common", "p-cpe:/a:huawei:euleros:php-mysql", "p-cpe:/a:huawei:euleros:php-recode", "p-cpe:/a:huawei:euleros:php-odbc", "p-cpe:/a:huawei:euleros:php-process", "p-cpe:/a:huawei:euleros:php-xml", "p-cpe:/a:huawei:euleros:php-soap", "p-cpe:/a:huawei:euleros:php-cli", "p-cpe:/a:huawei:euleros:php", "p-cpe:/a:huawei:euleros:php-ldap", "p-cpe:/a:huawei:euleros:php-xmlrpc", "p-cpe:/a:huawei:euleros:php-pdo", "p-cpe:/a:huawei:euleros:php-gd", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-2438.NASL", "href": "https://www.tenable.com/plugins/nessus/131592", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(131592);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2011-4718\",\n \"CVE-2014-9767\",\n \"CVE-2014-9912\",\n \"CVE-2015-5589\",\n \"CVE-2015-6831\",\n \"CVE-2015-6832\",\n \"CVE-2015-6833\",\n \"CVE-2015-7803\",\n \"CVE-2015-7804\",\n \"CVE-2015-8382\",\n \"CVE-2015-8835\",\n \"CVE-2015-8867\",\n \"CVE-2015-8874\",\n \"CVE-2015-8879\",\n \"CVE-2015-8935\",\n \"CVE-2016-10397\",\n \"CVE-2016-2554\",\n \"CVE-2016-3141\",\n \"CVE-2016-3142\",\n \"CVE-2016-3185\",\n \"CVE-2016-4070\",\n \"CVE-2016-4539\",\n \"CVE-2016-4540\",\n \"CVE-2016-4541\",\n \"CVE-2016-4542\",\n \"CVE-2016-4543\",\n \"CVE-2016-5093\",\n \"CVE-2016-5094\",\n \"CVE-2016-6288\",\n \"CVE-2016-6291\",\n \"CVE-2016-6292\",\n \"CVE-2016-6293\",\n \"CVE-2016-6294\",\n \"CVE-2016-7124\",\n \"CVE-2016-7125\",\n \"CVE-2016-7128\",\n \"CVE-2016-7411\",\n \"CVE-2016-7412\",\n \"CVE-2016-7414\",\n \"CVE-2016-7418\",\n \"CVE-2016-7480\",\n \"CVE-2016-9934\",\n \"CVE-2016-9935\",\n \"CVE-2017-11143\",\n \"CVE-2017-11144\",\n \"CVE-2017-11147\",\n \"CVE-2017-11628\",\n \"CVE-2017-12933\",\n \"CVE-2017-16642\",\n \"CVE-2017-7272\",\n \"CVE-2017-9224\",\n \"CVE-2017-9226\",\n \"CVE-2017-9227\",\n \"CVE-2017-9228\",\n \"CVE-2017-9229\",\n \"CVE-2018-10545\",\n \"CVE-2018-10547\",\n \"CVE-2018-14851\",\n \"CVE-2018-17082\",\n \"CVE-2018-5712\",\n \"CVE-2019-11040\",\n \"CVE-2019-11041\",\n \"CVE-2019-11042\",\n \"CVE-2019-11043\"\n );\n script_bugtraq_id(\n 61929,\n 75974\n );\n\n script_name(english:\"EulerOS 2.0 SP2 : php (EulerOS-SA-2019-2438)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the php packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24\n and 7.3.x below 7.3.11 in certain configurations of FPM\n setup it is possible to cause FPM module to write past\n allocated buffers into the space reserved for FCGI\n protocol data, thus opening the possibility of remote\n code execution.(CVE-2019-11043)\n\n - The finish_nested_data function in\n ext/standard/var_unserializer.re in PHP before 5.6.31,\n 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to\n a buffer over-read while unserializing untrusted data.\n Exploitation of this issue can have an unspecified\n impact on the integrity of PHP.(CVE-2017-12933)\n\n - ext/standard/var_unserializer.c in PHP before 5.6.25\n and 7.x before 7.0.10 mishandles certain invalid\n objects, which allows remote attackers to cause a\n denial of service or possibly have unspecified other\n impact via crafted serialized data that leads to a (1)\n __destruct call or (2) magic method\n call.(CVE-2016-7124)\n\n - The match function in pcre_exec.c in PCRE before 8.37\n mishandles the\n /(?:((abcd))|(((?:(?:(?:(?:abc|(?:abcdef))))b)abcdefghi\n )abc)|((*ACCEPT)))/ pattern and related patterns\n involving (*ACCEPT), which allows remote attackers to\n obtain sensitive information from process memory or\n cause a denial of service (partially initialized memory\n and application crash) via a crafted regular\n expression, as demonstrated by a JavaScript RegExp\n object encountered by Konqueror, aka\n ZDI-CAN-2547.(CVE-2015-8382)\n\n - An issue was discovered in PHP before 5.6.33, 7.0.x\n before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before\n 7.2.1. There is Reflected XSS on the PHAR 404 error\n page via the URI of a request for a .phar\n file.(CVE-2018-5712)\n\n - exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP\n before 5.6.37, 7.0.x before 7.0.31, 7.1.x before\n 7.1.20, and 7.2.x before 7.2.8 allows remote attackers\n to cause a denial of service (out-of-bounds read and\n application crash) via a crafted JPEG\n file.(CVE-2018-14851)\n\n - The SplObjectStorage unserialize implementation in\n ext/spl/spl_observer.c in PHP before 7.0.12 does not\n verify that a key is an object, which allows remote\n attackers to execute arbitrary code or cause a denial\n of service (uninitialized memory access) via crafted\n serialized data.(CVE-2016-7480)\n\n - ext/standard/var_unserializer.re in PHP before 5.6.26\n mishandles object-deserialization failures, which\n allows remote attackers to cause a denial of service\n (memory corruption) or possibly have unspecified other\n impact via an unserialize call that references a\n partially constructed object.(CVE-2016-7411)\n\n - The odbc_bindcols function in ext/odbc/php_odbc.c in\n PHP before 5.6.12 mishandles driver behavior for\n SQL_WVARCHAR columns, which allows remote attackers to\n cause a denial of service (application crash) in\n opportunistic circumstances by leveraging use of the\n odbc_fetch_array function to access a certain type of\n Microsoft SQL Server table.(CVE-2015-8879)\n\n - In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x\n before 7.1.11, an error in the date extension's\n timelib_meridian handling of 'front of' and 'back of'\n directives could be used by attackers able to supply\n date strings to leak information from the interpreter,\n related to ext/date/lib/parse_date.c out-of-bounds\n reads affecting the php_parse_date function. NOTE: this\n is a different issue than\n CVE-2017-11145.(CVE-2017-16642)\n\n - The exif_process_IFD_in_JPEG function in\n ext/exif/exif.c in PHP before 5.5.35, 5.6.x before\n 5.6.21, and 7.x before 7.0.6 does not validate IFD\n sizes, which allows remote attackers to cause a denial\n of service (out-of-bounds read) or possibly have\n unspecified other impact via crafted header\n data.(CVE-2016-4543)\n\n - The exif_process_IFD_TAG function in ext/exif/exif.c in\n PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before\n 7.0.6 does not properly construct spprintf arguments,\n which allows remote attackers to cause a denial of\n service (out-of-bounds read) or possibly have\n unspecified other impact via crafted header\n data.(CVE-2016-4542)\n\n - The grapheme_strpos function in\n ext/intl/grapheme/grapheme_string.c in PHP before\n 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6\n allows remote attackers to cause a denial of service\n (out-of-bounds read) or possibly have unspecified other\n impact via a negative offset.(CVE-2016-4541)\n\n - The grapheme_stripos function in\n ext/intl/grapheme/grapheme_string.c in PHP before\n 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6\n allows remote attackers to cause a denial of service\n (out-of-bounds read) or possibly have unspecified other\n impact via a negative offset.(CVE-2016-4540)\n\n - The xml_parse_into_struct function in ext/xml/xml.c in\n PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before\n 7.0.6 allows remote attackers to cause a denial of\n service (buffer under-read and segmentation fault) or\n possibly have unspecified other impact via crafted XML\n data in the second argument, leading to a parser level\n of zero.(CVE-2016-4539)\n\n - ** DISPUTED ** Integer overflow in the\n php_raw_url_encode function in ext/standard/url.c in\n PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before\n 7.0.5 allows remote attackers to cause a denial of\n service (application crash) via a long string to the\n rawurlencode function. NOTE: the vendor says 'Not sure\n if this qualifies as security issue (probably\n not).'(CVE-2016-4070)\n\n - Use-after-free vulnerability in wddx.c in the WDDX\n extension in PHP before 5.5.33 and 5.6.x before 5.6.19\n allows remote attackers to cause a denial of service\n (memory corruption and application crash) or possibly\n have unspecified other impact by triggering a\n wddx_deserialize call on XML data containing a crafted\n var element.(CVE-2016-3141)\n\n - In PHP before 5.6.28 and 7.x before 7.0.13, incorrect\n handling of various URI components in the URL parser\n could be used by attackers to bypass hostname-specific\n URL checks, as demonstrated by\n evil.example.com:80#@good.example.com/ and\n evil.example.com:80?@good.example.com/ inputs to the\n parse_url function (implemented in the php_url_parse_ex\n function in ext/standard/url.c).(CVE-2016-10397)\n\n - Multiple use-after-free vulnerabilities in SPL in PHP\n before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before\n 5.6.12 allow remote attackers to execute arbitrary code\n via vectors involving (1) ArrayObject, (2)\n SplObjectStorage, and (3) SplDoublyLinkedList, which\n are mishandled during unserialization.(CVE-2015-6831)\n\n - An issue was discovered in Oniguruma 6.2.0, as used in\n Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP\n through 7.1.5. A heap out-of-bounds write occurs in\n bitset_set_range() during regular expression\n compilation due to an uninitialized variable from an\n incorrect state transition. An incorrect state\n transition in parse_char_class() could create an\n execution path that leaves a critical local variable\n uninitialized until it's used as an index, resulting in\n an out-of-bounds write memory\n corruption.(CVE-2017-9228)\n\n - An issue was discovered in Oniguruma 6.2.0, as used in\n Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP\n through 7.1.5. A stack out-of-bounds read occurs in\n mbc_enc_len() during regular expression searching.\n Invalid handling of reg->dmin in forward_search_range()\n could result in an invalid pointer dereference, as an\n out-of-bounds read from a stack buffer.(CVE-2017-9227)\n\n - An issue was discovered in Oniguruma 6.2.0, as used in\n Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP\n through 7.1.5. A heap out-of-bounds write or read\n occurs in next_state_val() during regular expression\n compilation. Octal numbers larger than 0xff are not\n handled correctly in fetch_token() and\n fetch_token_in_cc(). A malformed regular expression\n containing an octal number in the form of '\\700' would\n produce an invalid code point value larger than 0xff in\n next_state_val(), resulting in an out-of-bounds write\n memory corruption.(CVE-2017-9226)\n\n - An issue was discovered in Oniguruma 6.2.0, as used in\n Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP\n through 7.1.5. A stack out-of-bounds read occurs in\n match_at() during regular expression searching. A\n logical error involving order of validation and access\n in match_at() could result in an out-of-bounds read\n from a stack buffer.(CVE-2017-9224)\n\n - The exif_process_IFD_in_MAKERNOTE function in\n ext/exif/exif.c in PHP before 5.5.38, 5.6.x before\n 5.6.24, and 7.x before 7.0.9 allows remote attackers to\n cause a denial of service (out-of-bounds array access\n and memory corruption), obtain sensitive information\n from process memory, or possibly have unspecified other\n impact via a crafted JPEG image.(CVE-2016-6291)\n\n - The php_url_parse_ex function in ext/standard/url.c in\n PHP before 5.5.38 allows remote attackers to cause a\n denial of service (buffer over-read) or possibly have\n unspecified other impact via vectors involving the\n smart_str data type.(CVE-2016-6288)\n\n - Integer overflow in the php_html_entities function in\n ext/standard/html.c in PHP before 5.5.36 and 5.6.x\n before 5.6.22 allows remote attackers to cause a denial\n of service or possibly have unspecified other impact by\n triggering a large output string from the\n htmlspecialchars function.(CVE-2016-5094)\n\n - The get_icu_value_internal function in\n ext/intl/locale/locale_methods.c in PHP before 5.5.36,\n 5.6.x before 5.6.22, and 7.x before 7.0.7 does not\n ensure the presence of a '\\0' character, which allows\n remote attackers to cause a denial of service\n (out-of-bounds read) or possibly have unspecified other\n impact via a crafted locale_get_primary_language\n call.(CVE-2016-5093)\n\n - In PHP before 5.6.31, an invalid free in the WDDX\n deserialization of boolean parameters could be used by\n attackers able to inject XML for deserialization to\n crash the PHP interpreter, related to an invalid free\n for an empty boolean element in\n ext/wddx/wddx.c.(CVE-2017-11143)\n\n - The php_wddx_push_element function in ext/wddx/wddx.c\n in PHP before 5.6.29 and 7.x before 7.0.14 allows\n remote attackers to cause a denial of service\n (out-of-bounds read and memory corruption) or possibly\n have unspecified other impact via an empty boolean\n element in a wddxPacket XML document.(CVE-2016-9935)\n\n - ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before\n 7.0.13 allows remote attackers to cause a denial of\n service (NULL pointer dereference) via crafted\n serialized data in a wddxPacket XML document, as\n demonstrated by a PDORow string.(CVE-2016-9934)\n\n - The ZIP signature-verification feature in PHP before\n 5.6.26 and 7.x before 7.0.11 does not ensure that the\n uncompressed_filesize field is large enough, which\n allows remote attackers to cause a denial of service\n (out-of-bounds memory access) or possibly have\n unspecified other impact via a crafted PHAR archive,\n related to ext/phar/util.c and\n ext/phar/zip.c.(CVE-2016-7414)\n\n - ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26\n and 7.x before 7.0.11 does not verify that a BIT field\n has the UNSIGNED_FLAG flag, which allows remote MySQL\n servers to cause a denial of service (heap-based buffer\n overflow) or possibly have unspecified other impact via\n crafted field metadata.(CVE-2016-7412)\n\n - An issue was discovered in Oniguruma 6.2.0, as used in\n Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP\n through 7.1.5. A SIGSEGV occurs in\n left_adjust_char_head() during regular expression\n compilation. Invalid handling of reg->dmax in\n forward_search_range() could result in an invalid\n pointer dereference, normally as an immediate\n denial-of-service condition.(CVE-2017-9229)\n\n - The openssl_random_pseudo_bytes function in\n ext/openssl/openssl.c in PHP before 5.4.44, 5.5.x\n before 5.5.28, and 5.6.x before 5.6.12 incorrectly\n relies on the deprecated RAND_pseudo_bytes function,\n which makes it easier for remote attackers to defeat\n cryptographic protection mechanisms via unspecified\n vectors.(CVE-2015-8867)\n\n - The sapi_header_op function in main/SAPI.c in PHP\n before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before\n 5.6.6 supports deprecated line folding without\n considering browser compatibility, which allows remote\n attackers to conduct cross-site scripting (XSS) attacks\n against Internet Explorer by leveraging (1) %0A%20 or\n (2) %0D%0A%20 mishandling in the header\n function.(CVE-2015-8935)\n\n - An issue was discovered in PHP before 5.6.35, 7.0.x\n before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before\n 7.2.4. Dumpable FPM child processes allow bypassing\n opcache access controls because fpm_unix.c makes a\n PR_SET_DUMPABLE prctl call, allowing one user (in a\n multiuser environment) to obtain sensitive information\n from the process memory of a second user's PHP\n applications by running gcore on the PID of the PHP-FPM\n worker process.(CVE-2018-10545)\n\n - An issue was discovered in ext/phar/phar_object.c in\n PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before\n 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS\n on the PHAR 403 and 404 error pages via request data of\n a request for a .phar file. NOTE: this vulnerability\n exists because of an incomplete fix for\n CVE-2018-5712.(CVE-2018-10547)\n\n - The Apache2 component in PHP before 5.6.38, 7.0.x\n before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before\n 7.2.10 allows XSS via the body of a 'Transfer-Encoding:\n chunked' request, because the bucket brigade is\n mishandled in the php_handler function in\n sapi/apache2handler/sapi_apache2.c.(CVE-2018-17082)\n\n - PHP through 7.1.11 enables potential SSRF in\n applications that accept an fsockopen or pfsockopen\n hostname argument with an expectation that the port\n number is constrained. Because a :port syntax is\n recognized, fsockopen will use the port number that is\n specified in the hostname argument, instead of the port\n number in the second argument of the\n function.(CVE-2017-7272 )\n\n - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x\n before 7.1.7, a stack-based buffer overflow in the\n zend_ini_do_op() function in Zend/zend_ini_parser.c\n could cause a denial of service or potentially allow\n executing code. NOTE: this is only relevant for PHP\n applications that accept untrusted input (instead of\n the system's php.ini file) for the parse_ini_string or\n parse_ini_file function, e.g., a web application for\n syntax validation of php.ini\n directives.(CVE-2017-11628)\n\n - In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR\n archive handler could be used by attackers supplying\n malicious archive files to crash the PHP interpreter or\n potentially disclose information due to a buffer\n over-read in the phar_parse_pharfile function in\n ext/phar/phar.c.(CVE-2017-11147)\n\n - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x\n before 7.1.7, the openssl extension PEM sealing code\n did not check the return value of the OpenSSL sealing\n function, which could lead to a crash of the PHP\n interpreter, related to an interpretation conflict for\n a negative number in ext/openssl/openssl.c, and an\n OpenSSL documentation omission.(CVE-2017-11144)\n\n - The locale_accept_from_http function in\n ext/intl/locale/locale_methods.c in PHP before 5.5.38,\n 5.6.x before 5.6.24, and 7.x before 7.0.9 does not\n properly restrict calls to the ICU\n uloc_acceptLanguageFromHTTP function, which allows\n remote attackers to cause a denial of service\n (out-of-bounds read) or possibly have unspecified other\n impact via a call with a long argument.(CVE-2016-6294)\n\n - Session fixation vulnerability in the Sessions\n subsystem in PHP before 5.5.2 allows remote attackers\n to hijack web sessions by specifying a session\n ID.(CVE-2011-4718)\n\n - Off-by-one error in the phar_parse_zipfile function in\n ext/phar/zip.c in PHP before 5.5.30 and 5.6.x before\n 5.6.14 allows remote attackers to cause a denial of\n service (uninitialized pointer dereference and\n application crash) by including the / filename in a\n .zip PHAR archive.(CVE-2015-7804)\n\n - The php_wddx_push_element function in ext/wddx/wddx.c\n in PHP before 5.6.26 and 7.x before 7.0.11 allows\n remote attackers to cause a denial of service (invalid\n pointer access and out-of-bounds read) or possibly have\n unspecified other impact via an incorrect boolean\n element in a wddxPacket XML document, leading to\n mishandling in a wddx_deserialize call.(CVE-2016-7418)\n\n - The exif_process_user_comment function in\n ext/exif/exif.c in PHP before 5.5.38, 5.6.x before\n 5.6.24, and 7.x before 7.0.9 allows remote attackers to\n cause a denial of service (NULL pointer dereference and\n application crash) via a crafted JPEG\n image.(CVE-2016-6292)\n\n - The make_http_soap_request function in\n ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before\n 5.5.28, 5.6.x before 5.6.12, and 7.x before 7.0.4\n allows remote attackers to obtain sensitive information\n from process memory or cause a denial of service (type\n confusion and application crash) via crafted serialized\n _cookies data, related to the SoapClient::__call method\n in ext/soap/soap.c.(CVE-2016-3185)\n\n - Directory traversal vulnerability in the\n ZipArchive::extractTo function in ext/zip/php_zip.c in\n PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x\n before 5.6.13 and ext/zip/ext_zip.cpp in HHVM before\n 3.12.1 allows remote attackers to create arbitrary\n empty directories via a crafted ZIP\n archive.(CVE-2014-9767)\n\n - The phar_convert_to_other function in\n ext/phar/phar_object.c in PHP before 5.4.43, 5.5.x\n before 5.5.27, and 5.6.x before 5.6.11 does not\n validate a file pointer before a close operation, which\n allows remote attackers to cause a denial of service\n (segmentation fault) or possibly have unspecified other\n impact via a crafted TAR archive that is mishandled in\n a Phar::convertToData call.(CVE-2015-5589)\n\n - Directory traversal vulnerability in the PharData class\n in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x\n before 5.6.12 allows remote attackers to write to\n arbitrary files via a .. (dot dot) in a ZIP archive\n entry that is mishandled during an extractTo\n call.(CVE-2015-6833)\n\n - The phar_get_entry_data function in ext/phar/util.c in\n PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote\n attackers to cause a denial of service (NULL pointer\n dereference and application crash) via a .phar file\n with a crafted TAR archive entry in which the Link\n indicator references a file that does not\n exist.(CVE-2015-7803)\n\n - Stack consumption vulnerability in GD in PHP before\n 5.6.12 allows remote attackers to cause a denial of\n service via a crafted imagefilltoborder\n call.(CVE-2015-8874)\n\n - Stack-based buffer overflow in ext/phar/tar.c in PHP\n before 5.5.32, 5.6.x before 5.6.18, and 7.x before\n 7.0.3 allows remote attackers to cause a denial of\n service (application crash) or possibly have\n unspecified other impact via a crafted TAR\n archive.(CVE-2016-2554)\n\n - The phar_parse_zipfile function in zip.c in the PHAR\n extension in PHP before 5.5.33 and 5.6.x before 5.6.19\n allows remote attackers to obtain sensitive information\n from process memory or cause a denial of service\n (out-of-bounds read and application crash) by placing a\n PK\\x05\\x06 signature at an invalid\n location.(CVE-2016-3142)\n\n - ext/session/session.c in PHP before 5.6.25 and 7.x\n before 7.0.10 skips invalid session names in a way that\n triggers incorrect parsing, which allows remote\n attackers to inject arbitrary-type session data by\n leveraging control of a session name, as demonstrated\n by object injection.(CVE-2016-7125)\n\n - The exif_process_IFD_in_TIFF function in\n ext/exif/exif.c in PHP before 5.6.25 and 7.x before\n 7.0.10 mishandles the case of a thumbnail offset that\n exceeds the file size, which allows remote attackers to\n obtain sensitive information from process memory via a\n crafted TIFF image.(CVE-2016-7128)\n\n - The get_icu_disp_value_src_php function in\n ext/intl/locale/locale_methods.c in PHP before 5.3.29,\n 5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not\n properly restrict calls to the ICU uresbund.cpp\n component, which allows remote attackers to cause a\n denial of service (buffer overflow) or possibly have\n unspecified other impact via a locale_get_display_name\n call with a long first argument.(CVE-2014-9912)\n\n - Use-after-free vulnerability in the SPL unserialize\n implementation in ext/spl/spl_array.c in PHP before\n 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12\n allows remote attackers to execute arbitrary code via\n crafted serialized data that triggers misuse of an\n array field.(CVE-2015-6832)\n\n - The make_http_soap_request function in\n ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before\n 5.5.28, and 5.6.x before 5.6.12 does not properly\n retrieve keys, which allows remote attackers to cause a\n denial of service (NULL pointer dereference, type\n confusion, and application crash) or possibly execute\n arbitrary code via crafted serialized data representing\n a numerically indexed _cookies array, related to the\n SoapClient::__call method in\n ext/soap/soap.c.(CVE-2015-8835)\n\n - The uloc_acceptLanguageFromHTTP function in\n common/uloc.cpp in International Components for Unicode\n (ICU) through 57.1 for C/C++ does not ensure that there\n is a '\\0' character at the end of a certain temporary\n array, which allows remote attackers to cause a denial\n of service (out-of-bounds read) or possibly have\n unspecified other impact via a call with a long\n httpAcceptLanguage argument.(CVE-2016-6293)\n\n - When PHP EXIF extension is parsing EXIF information\n from an image, e.g. via exif_read_data() function, in\n PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and\n 7.3.x below 7.3.6 it is possible to supply it with data\n what will cause it to read past the allocated buffer.\n This may lead to information disclosure or\n crash.(CVE-2019-11040)\n\n - When PHP EXIF extension is parsing EXIF information\n from an image, e.g. via exif_read_data() function, in\n PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and\n 7.3.x below 7.3.8 it is possible to supply it with data\n what will cause it to read past the allocated buffer.\n This may lead to information disclosure or\n crash.(CVE-2019-11041)\n\n - When PHP EXIF extension is parsing EXIF information\n from an image, e.g. via exif_read_data() function, in\n PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and\n 7.3.x below 7.3.8 it is possible to supply it with data\n what will cause it to read past the allocated buffer.\n This may lead to information disclosure or\n crash.(CVE-2019-11042)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2438\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?72902c09\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected php packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'PHP-FPM Underflow RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-odbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-pdo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-process\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-recode\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-soap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-xml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:php-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"php-5.4.16-42.h63\",\n \"php-cli-5.4.16-42.h63\",\n \"php-common-5.4.16-42.h63\",\n \"php-gd-5.4.16-42.h63\",\n \"php-ldap-5.4.16-42.h63\",\n \"php-mysql-5.4.16-42.h63\",\n \"php-odbc-5.4.16-42.h63\",\n \"php-pdo-5.4.16-42.h63\",\n \"php-pgsql-5.4.16-42.h63\",\n \"php-process-5.4.16-42.h63\",\n \"php-recode-5.4.16-42.h63\",\n \"php-soap-5.4.16-42.h63\",\n \"php-xml-5.4.16-42.h63\",\n \"php-xmlrpc-5.4.16-42.h63\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2017-04-10T03:24:10", "description": "", "published": "2017-04-03T00:00:00", "type": "packetstorm", "title": "PHP 7.1.2 fsockopen Misbehavior", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7272"], "modified": "2017-04-03T00:00:00", "id": "PACKETSTORM:142013", "href": "https://packetstormsecurity.com/files/142013/PHP-7.1.2-fsockopen-Misbehavior.html", "sourceData": "`SEC Consult Vulnerability Lab Security Advisory < 20170403-0 > \n======================================================================= \ntitle: Misbehavior of the \"fsockopen\" function \nproduct: PHP \nvulnerable version: 7.1.2 \nfixed version: \nCVE number: CVE-2017-7272 \nimpact: Medium \nhomepage: http://www.php.net/ \nfound: 2017-03-06 \nby: Fikri Fadzil (Office Kuala Lumpur) \nSEC Consult Vulnerability Lab \n \nAn integrated part of SEC Consult \nBangkok - Berlin - Linz - Luxembourg - Montreal - Moscow \nKuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich \n \nhttps://www.sec-consult.com \n \n======================================================================= \n \nVendor description: \n------------------- \n\"PHP is a popular general-purpose scripting language that is especially suited \nto web development. Fast, flexible and pragmatic, PHP powers everything from \nyour blog to the most popular websites in the world.\" \n \nSource: http://www.php.net/ \n \n \nBusiness recommendation: \n------------------------ \nBy making use of this issue, it is possible for an attacker to bypass current \nprevention mechanisms used to protect the \"fsockopen\" function in PHP to perform \nserver-side request forgery attacks. \n \nSEC Consult recommends to check the developed or installed websites for any \npossibility to exploit any form of vulnerability due to this issue. \n \n \nVulnerability overview/description: \n----------------------------------- \nThe \"fsockopen\" function in PHP will respond differently if two port numbers \nare given at once. As many developers assume the function will prioritize the \nport number given to the second function parameter, an attacker may utilize this \nunpredictable behavior to e.g. conduct a server-side request forgery attack. \n \n \nProof of concept: \n----------------- \nThe \"fsockopen\" function in PHP will not use the port number given to the \nsecond parameter if the hostname already has a port number appended. The \nexample below should explain misbehavior of the function. \n \n// This request will go to port 80 \nfsockopen(\"192.168.184.132\", 80); \n \n// This request will go to port 53 \nfsockopen(\"192.168.184.132:53\", 80); \n \nInstead of initiating a socket connection on port 80 as given in the second \nparameter, the function appears to use the port number 53 which is \nappended to the hostname. \n \n \n \nVulnerable / tested versions: \n----------------------------- \nPHP version 7.0.11 and 7.1.2 have been tested and found to be vulnerable. \n \nOlder PHP versions are potentially affected as well. \n \n \nVendor contact timeline: \n------------------------ \n2017-03-07: Reported the issue through PHP Bug Tracking System. (SecBug #74216) \nhttps://bugs.php.net/bug.php?id=74216 \n2017-03-07: Changes were committed to the PHP's main repo in Github. \n \nhttps://github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595a \n2017-04-03: Public disclosure of the advisory \n \n \nSolution: \n--------- \nPatch: \nhttps://github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595a \n \n \nWorkaround: \n----------- \nIt is recommended to restrict user input data for a hostname to not have a \nport number appended. \n \n \nAdvisory URL: \n------------- \nhttps://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSEC Consult Vulnerability Lab \n \nSEC Consult \nBangkok - Berlin - Linz - Luxembourg - Montreal - Moscow \nKuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich \n \nAbout SEC Consult Vulnerability Lab \nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It \nensures the continued knowledge gain of SEC Consult in the field of network \nand application security to stay ahead of the attacker. The SEC Consult \nVulnerability Lab supports high-quality penetration testing and the evaluation \nof new offensive and defensive technologies for our customers. Hence our \ncustomers obtain the most current information about vulnerabilities and valid \nrecommendation about the risk profile of new technologies. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \nInterested to work with the experts of SEC Consult? \nSend us your application https://www.sec-consult.com/en/Career.htm \n \nInterested in improving your cyber security with the experts of SEC Consult? \nContact our local offices https://www.sec-consult.com/en/About/Contact.htm \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nMail: research at sec-consult dot com \nWeb: https://www.sec-consult.com \nBlog: http://blog.sec-consult.com \nTwitter: https://twitter.com/sec_consult \n \nEOF Fikri Fadzil / @2017 \n \n`\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/142013/SA-20170403-0.txt"}], "debian": [{"lastseen": "2020-08-12T01:03:09", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7272", "CVE-2018-14851", "CVE-2018-14883"], "description": "Package : php5\nVersion : 5.6.37+dfsg-0+deb8u1\nCVE ID : CVE-2018-14851 CVE-2018-14883\nDebian Bug : 890266\n\n\nTwo vulnerabilities have been discovered in php5, a server-side,\nHTML-embedded scripting language. One (CVE-2018-14851) results in a\npotential denial of service (out-of-bounds read and application crash)\nvia a crafted JPEG file. The other (CVE-2018-14883) is an Integer\nOverflow that leads to a heap-based buffer over-read.\n\nAdditionally, a previously introduced patch for CVE-2017-7272 was found\nto negatively affect existing PHP applications (#890266). As a result\nof the negative effects and the fact that the security team has marked\nthe CVE in question as "ignore," the patch has been dropped.\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n5.6.37+dfsg-0+deb8u1.\n\nWe recommend that you upgrade your php5 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 8, "modified": "2018-09-01T13:12:36", "published": "2018-09-01T13:12:36", "id": "DEBIAN:DLA-1490-1:AB1B2", "href": "https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201809/msg00000.html", "title": "[SECURITY] [DLA 1490-1] php5 security update", "type": "debian", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-05-30T02:22:14", "bulletinFamily": "unix", "cvelist": ["CVE-2016-7478", "CVE-2017-7272", "CVE-2016-7479", "CVE-2015-8876"], "description": "Package : php5\nVersion : 5.4.45-0+deb7u8\nCVE ID : CVE-2016-7478 CVE-2016-7479 CVE-2017-7272\n\nSeveral issues have been discovered in PHP (recursive acronym for PHP:\nHypertext Preprocessor), a widely-used open source general-purpose\nscripting language that is especially suited for web development and can\nbe embedded into HTML.\n\nCVE-2016-7478:\n Zend/zend_exceptions.c in PHP allows remote attackers to\n cause a denial of service (infinite loop) via a crafted Exception\n object in serialized data, a related issue to CVE-2015-8876.\n\nCVE-2016-7479:\n During the unserialization process, resizing the 'properties' hash\n table of a serialized object may lead to use-after-free. A remote\n attacker may exploit this bug to gain the ability of arbitrary code\n execution. Even though the property table issue only affects PHP 7\n this change also prevents a wide range of other __wakeup() based\n attacks.\n\nCVE-2017-7272:\n The fsockopen() function will use the port number which is defined\n in hostname instead of the port number passed to the second\n parameter of the function. This misbehavior may introduce another\n attack vector for an already known application vulnerability (e.g.\n Server Side Request Forgery).\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n5.4.45-0+deb7u8.\n\nWe recommend that you upgrade your php5 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 3, "modified": "2017-03-27T23:05:48", "published": "2017-03-27T23:05:48", "id": "DEBIAN:DLA-875-1:2D95B", "href": "https://lists.debian.org/debian-lts-announce/2017/debian-lts-announce-201703/msg00033.html", "title": "[SECURITY] [DLA 875-1] php5 security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}