Multiple vulnerabilities in PHP
| Risk | Medium |
| Patch available | NO |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2012-2386 CVE-2012-2329 CVE-2012-2335 CVE-2012-2336 |
| CWE-ID | CWE-122 CWE-119 CWE-264 CWE-20 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available. |
| Vulnerable software |
PHP Universal components / Libraries / Scripting languages |
| Vendor | PHP Group |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Heap-based buffer overflow
EUVDB-ID: #VU43908
Risk: Medium
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2012-2386
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Integer overflow in the phar_parse_tarfile function in tar.c in the phar extension in PHP before 5.3.14 and 5.4.x before 5.4.4. A remote attacker can use a crafted tar file that triggers a heap-based buffer overflow. to trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsPHP: 1.0 - 5.4.2
CPE2.3- cpe:2.3:a:php_group:php:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:2.0b10:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:3.0.18:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:4.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:4.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:4.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:4.3.11:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:4.4.9:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:5.0.5:*:*:*:*:*:*:*
https://0x1byte.blogspot.com/2011/04/php-phar-extension-heap-overflow.html
https://git.php.net/?p=php-src.git;a=commit;h=158d8a6b088662ce9d31e0c777c6ebe90efdc854
https://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html
https://lists.opensuse.org/opensuse-security-announce/2012-07/msg00003.html
https://openwall.com/lists/oss-security/2012/05/22/10
https://support.apple.com/kb/HT5501
https://www.php.net/ChangeLog-5.php
https://bugs.php.net/bug.php?id=61065
https://bugzilla.redhat.com/show_bug.cgi?id=823594
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Buffer overflow
EUVDB-ID: #VU44085
Risk: Medium
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2012-2329
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: Yes
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
Buffer overflow in the apache_request_headers function in sapi/cgi/cgi_main.c in PHP 5.4.x before 5.4.3 allows remote attackers to cause a denial of service (application crash) via a long string in the header of an HTTP request.
MitigationInstall update from vendor's website.
Vulnerable software versionsPHP: 5.4.0 - 5.4.2
CPE2.3 External linkshttps://secunia.com/advisories/49014
https://www.php.net/archive/2012.php#id2012-05-08-1
https://www.php.net/ChangeLog-5.php#5.4.3
https://www.securityfocus.com/bid/53455
https://bugs.php.net/bug.php?id=61807
https://bugzilla.redhat.com/show_bug.cgi?id=820000
https://exchange.xforce.ibmcloud.com/vulnerabilities/75545
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU44086
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2012-2335
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
php-wrapper.fcgi does not properly handle command-line arguments, which allows remote attackers to bypass a protection mechanism in PHP 5.3.12 and 5.4.2 and execute arbitrary code by leveraging improper interaction between the PHP sapi/cgi/cgi_main.c component and a query string beginning with a +- sequence.
MitigationInstall update from vendor's website.
Vulnerable software versionsPHP: 5.3.12 - 5.4.2
CPE2.3 External linkshttps://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
https://git.php.net/?p=php-src.git;a=blob;f=sapi/cgi/cgi_main.c;h=a7ac26f0#l1569
https://lists.opensuse.org/opensuse-security-announce/2012-06/msg00004.html
https://lists.opensuse.org/opensuse-security-announce/2012-07/msg00003.html
https://secunia.com/advisories/49014
https://www.kb.cert.org/vuls/id/520827
https://www.php.net/archive/2012.php#id2012-05-06-1
https://bugs.php.net/bug.php?id=61910
https://exchange.xforce.ibmcloud.com/vulnerabilities/75652
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Input validation error
EUVDB-ID: #VU44087
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2012-2336
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to cause a denial of service (resource consumption) by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'T' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823.
MitigationInstall update from vendor's website.
Vulnerable software versionsPHP: 1.0 - 5.4.2
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2012-06/msg00004.html
https://lists.opensuse.org/opensuse-security-announce/2012-07/msg00003.html
https://secunia.com/advisories/49014
https://www.php.net/archive/2012.php#id2012-05-08-1
https://www.php.net/ChangeLog-5.php#5.4.3
https://bugs.php.net/bug.php?id=61910
https://bugs.php.net/patch-display.php?bug_id=61910&patch=CVE-2012-1823.patch&revision=1336251592&display=1
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
