Type Confusion in php (Alpine package)

1) Type Confusion

EUVDB-ID: #VU16095

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2014-4721

CWE-ID: CWE-843 - Type confusion

Exploit availability: No

Description

The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.

The vulnerability exists due to a type confusion error when the phpinfo implementation in ext/standard/info.c in PHP before 5.4.30 and 5.5.x before 5.5.14 does not ensure use of the string data type for the PHP_AUTH_PW, PHP_AUTH_TYPE, PHP_AUTH_USER, and PHP_SELF variables. A local attacker can use the integer data type with crafted values, as demonstrated by reading a private SSL key in an Apache HTTP Server web-hosting environment with mod_ssl and a PHP 5.3.x mod_php and obtain sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

php (Alpine package): 5.3.28-r5

CPE2.3

• cpe:2.3:o:alpine:php_alpine_package:5.3.28-r5:*:*:*:*:alpine_linux:*:2.4

External links

https://git.alpinelinux.org/aports/commit/?id=ca28f9f2b2d71543d8afa49b6568e61fd8b6513c
https://git.alpinelinux.org/aports/commit/?id=8532bf89eef0b45719c695ca28fb3d1edf74dfc3
https://git.alpinelinux.org/aports/commit/?id=9a7aacbfe4b33c0a6622963074c4875275960e95
https://git.alpinelinux.org/aports/commit/?id=d07eb25516cc54067c06cb80e93cfd50471209ac

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.