Multiple vulnerabilities in PHP

1) Segmentation fault

EUVDB-ID: #VU16314

Risk: Low

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: N/A

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to segfault when using convert.quoted-printable-encode filter. A remote attacker can trigger segmentation fault and cause the service to crash.

Mitigation

The vulnerability has been addressed in the versions 5.6.39, 7.0.33, 7.1.25, 7.2.13, 7.3.0.

Vulnerable software versions

PHP: 5.6.0 - 7.2.12

CPE2.3

• cpe:2.3:a:php_group:php:5.6.38:*:*:*:*:*:*:*
• cpe:2.3:a:php_group:php:7.0.32:*:*:*:*:*:*:*
• cpe:2.3:a:php_group:php:7.1.24:*:*:*:*:*:*:*
• cpe:2.3:a:php_group:php:7.2.12:*:*:*:*:*:*:*

External links

https://bugs.php.net/bug.php?id=77231

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) NULL pointer dereference

EUVDB-ID: #VU16315

Risk: Low

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2018-19935

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to NULL pointer dereference in _php_imap_mail when improper check of wheater message. A remote attacker can supply specially crafted message, trigger NULL pointer dereference and cause the service to crash.

Mitigation

The vulnerability has been addressed in the versions 5.6.39, 7.0.33, 7.3.0.

Vulnerable software versions

PHP: 5.6.0 - 7.0.32

CPE2.3

External links

https://bugs.php.net/bug.php?id=77020

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) OS command injection

EUVDB-ID: #VU16316

Risk: Low

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2018-19158

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The weakness exists due to OS command injection in imap_open. A remote attacker can bypass disabled exec functions in PHP and run arbitrary shell commands via mailbox parameter.

Mitigation

The vulnerability has been addressed in the versions 5.6.39, 7.0.33, 7.1.25, 7.3.0.

Vulnerable software versions

PHP: 5.6.0 - 7.1.24

CPE2.3

External links

https://bugs.php.net/bug.php?id=77153

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

4) Heap-based buffer overflow

EUVDB-ID: #VU16317

Risk: Low

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: N/A

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to heap-based buffer overflow while fuzzing with AFL using an ASAN instrumented PHP. A remote attacker can disable the ZEND allocator, use ASAN (or valgrind/etc?) with a crafted phar as input, trigger memory corruption and cause the service to crash.

Mitigation

The vulnerability has been addressed in the versions 5.6.39, 7.0.33, 7.1.25, 7.2.13, 7.3.0.

Vulnerable software versions

PHP: 5.6.0 - 7.2.12

CPE2.3

External links

https://bugs.php.net/bug.php?id=77143

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

5) Segmentation fault

EUVDB-ID: #VU16318

Risk: Low

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: N/A

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to segfault when removing part "<soap:header message="tns:requestheader" part="id" use="literal"/>" wsdl SoapClient. A remote attacker can trigger WSDL_CACHE_MEMORY and cause the service to crash.

Mitigation

The vulnerability has been fixed in the versions 7.1.25, 7.2.13.

Vulnerable software versions

PHP: 7.1.0 - 7.2.12

CPE2.3

External links

https://bugs.php.net/bug.php?id=76348

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Infinite loop

EUVDB-ID: #VU16319

Risk: Low

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: N/A

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to infinite loop. A remote attacker can run the test script without Opcache works fine, but with Opcache enabled to cause the service to crash.

Mitigation

Update to version 7.3.0.

Vulnerable software versions

PHP: 7.3.0alpha1

CPE2.3

• cpe:2.3:a:php_group:php:7.3.0alpha1:*:*:*:*:*:*:*

External links

https://bugs.php.net/bug.php?id=76466

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

7) Improper input validation

EUVDB-ID: #VU16320

Risk: Low

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: N/A

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to an error if response headers have been already sent or when calling session_id($id) before session_start(). A remote attacker can send response headers and cause the service to crash.

Mitigation

Update to version 7.3.0.

Vulnerable software versions

PHP: 7.1.0 - 7.1.25

CPE2.3

• cpe:2.3:a:php_group:php:7.1.25:*:*:*:*:*:*:*

External links

https://bugs.php.net/bug.php?id=74941

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

8) Segmentation fault

EUVDB-ID: #VU16321

Risk: Low

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: N/A

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to segmentation fault. A remote attacker can trigger recursion and cause the service to crash.

Mitigation

Update to version 7.3.0.

Vulnerable software versions

PHP: 7.1.0 - 7.2.13

CPE2.3

• cpe:2.3:a:php_group:php:7.2.13:*:*:*:*:*:*:*

External links

https://bugs.php.net/bug.php?id=74977

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

9) Memory corruption

EUVDB-ID: #VU16322

Risk: Low

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: N/A

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to boundary error. A remote attacker can trigger memory corruption and segmentation fault to cause the service to crash.

Mitigation

Update to version 7.3.0.

Vulnerable software versions

PHP: 7.3.0beta3

CPE2.3

• cpe:2.3:a:php_group:php:7.3.0beta3:*:*:*:*:*:*:*

External links

https://bugs.php.net/bug.php?id=76818

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Segmentation fault

EUVDB-ID: #VU16323

Risk: Low

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: N/A

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to segfault while running PHPUnit tests of one of the libraries. A remote attacker can trigger segmentation fault to cause the service to crash.

Mitigation

Update to version 7.3.0.

Vulnerable software versions

PHP: 7.3.0beta1

CPE2.3

• cpe:2.3:a:php_group:php:7.3.0beta1:*:*:*:*:*:*:*

External links

https://bugs.php.net/bug.php?id=76713

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) XXE attack

EUVDB-ID: #VU16324

Risk: Low

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: N/A

CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Exploit availability: No

Description

The vulnerability allows a remote attacker to conduct XXE-attack on the target system.

The vulnerability exists due to improper handling of XML External Entities (XXEs) when parsing an XML file. A remote attacker can trick the victim into open an XML file that submits malicious input and cause XML parser to stop parsing and xml_get_error_code() to return XML_ERROR_EXTERNAL_ENTITY_HANDLING.

Mitigation

Update to version 7.3.0.

Vulnerable software versions

PHP: 5.6.18 - 7.3.0beta3

CPE2.3

• cpe:2.3:a:php_group:php:5.6.39:*:*:*:*:*:*:*
• cpe:2.3:a:php_group:php:7.0.33:*:*:*:*:*:*:*

External links

https://bugs.php.net/bug.php?id=71592

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

12) Memory leak

EUVDB-ID: #VU16325

Risk: Low

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: N/A

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to memory leaks in zend_register_functions(), specifically the section related to the new code. A remote attacker can trigger memory leaks to cause the service to crash.

Mitigation

Update to version 7.3.0.

Vulnerable software versions

PHP: 7.2.0 - 7.2.13

CPE2.3

External links

https://bugs.php.net/bug.php?id=75683

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Segmentation fault

EUVDB-ID: #VU16326

Risk: Low

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: N/A

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to segfault while fuzzing typed properties but reproducible on master. A remote attacker can trigger segmentation fault with divide-assign op and __get + __setto cause the service to crash.

Mitigation

Update to version 7.3.0.

Vulnerable software versions

PHP: 7.3.0alpha4

CPE2.3

• cpe:2.3:a:php_group:php:7.3.0alpha4:*:*:*:*:*:*:*

External links

https://bugs.php.net/bug.php?id=76667

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

14) Security restrictions bypass

EUVDB-ID: #VU16327

Risk: Low

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: N/A

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to protected method overrides a private one. A remote attacker can bypass protected method accessibility check.

Mitigation

Update to version 7.3.0.

Vulnerable software versions

PHP: 7.3.0beta3

CPE2.3

External links

https://bugs.php.net/bug.php?id=76869

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

15) Security restrictions bypass

EUVDB-ID: #VU16328

Risk: Low

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: N/A

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to BCMath reports some errors and warnings (such as "exponent too large in raise") by directly writing to stderr[1]. A remote attacker can bypass PHP's error handling.

Mitigation

Update to version 7.3.0.

Vulnerable software versions

PHP: 7.0.23

CPE2.3

• cpe:2.3:a:php_group:php:7.0.23:*:*:*:*:*:*:*

External links

https://bugs.php.net/bug.php?id=75169

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.