#VU41088 Buffer overflow in PHP - CVE-2014-8626

Cybersecurity Help s.r.o.

Published: 2014-11-23 | Updated: 2020-08-09

Vulnerability identifier: #VU41088

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2014-8626

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PHP
Universal components / Libraries / Scripting languages

Vendor: PHP Group

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding.

Mitigation
Install update from vendor's website.

Vulnerable software versions

PHP: 5.2.0 - 5.2.5

External links
https://git.php.net/?p=php-src.git;a=commit;h=c818d0d01341907fee82bdb81cab07b7d93bb9db
https://openwall.com/lists/oss-security/2014/11/06/3
https://php.net/ChangeLog-5.php
https://rhn.redhat.com/errata/RHSA-2014-1824.html
https://rhn.redhat.com/errata/RHSA-2014-1825.html
https://www.securityfocus.com/bid/70928
https://bugs.php.net/bug.php?id=45226
https://bugzilla.redhat.com/show_bug.cgi?id=1155607

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Buffer overflow in PHP