Business

News

 
More...

Alerts

 
More...

Events

 
More...
 
     
 

Multiple vulnerabilities in PHP

 

Systems Affected


PHP versions 5.4.41 and prior
PHP versions 5.5.25 and prior
PHP versions 5.6.9 and prior

Threat Level


High


Overview


Multiple vulnerabilities have been reported in PHP which could be exploited by a remote attacker to execute arbitrary code on the system or cause denial of service (DOS) conditions.


Description


1. Command Injection vulnerability ( CVE-2015-4642 )
The vulnerability exists in PHP due to improper validation of user supplied input in escapeshellarg() function. A remote attacker could exploit this vulnerability by injecting command in the function to trigger an error which allow an attacker to execute arbitrary OS command in context of the affected application .

2. Heap Buffer Overflow vulnerability ( CVE-2015-4643 )
The vulnerability exists in PHP due to a buffer overflow error in ftp_genlist() function. A remote attacker could exploit this vulnerability by sending specially crafted data to trigger the buffer overflow which allow attacker to execute arbitrary code on the target system.

3. Denial of Service (DoS)vulnerability ( CVE-2015-4644 )
The vulnerability exists in PHP due to error in php_pgsql_meta_data function. A remote attacker could exploit this vulnerability by sending specially crafted PHP code to trigger a segfault. Successful exploitation of this vulnerability could allow the attacker to cause Denial of Service


Impact



Solution/ Workarounds


Upgrade to versions 5.4.42, 5.6.10 or 5.5.26 or later
http://php.net/ChangeLog-5.php


References


http://www.cert-in.org.in/


Disclaimer


The information provided herein is on "as is" basis, without warranty of any kind.


 
     

© Copyright Sri Lanka CERT|CC. All Rights Reserved.