Multiple Vulnerabilities in PHP Allow for Arbitrary Code Execution

ITS Advisory Number: 2016-062
Date(s) Issued: Thursday, April 7, 2016
Subject: Multiple Vulnerabilities in PHP Allow for Arbitrary Code Execution
Overview: 

Multiple vulnerabilities have been discovered in PHP which could allow an attacker to potentially execute arbitrary code. PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications. Successfully exploiting these issues may allow remote attackers to execute arbitrary code in the context of a webserver.

Systems Affected: 
  • PHP 7 prior to 7.0.5

  • PHP 5.6 prior to 5.6.20

  • PHP 5.5 prior to 5.5.34

RISK
GOVERNMENT
Large and medium government entities: High
Small government entities: High
BUSINESS
Large and medium business entities: High
Small business entities: High
Home Users: Low
Description: 

Multiple vulnerabilities have been discovered in PHP which could allow an attacker to execute code remotely. PHP has released updates that address these vulnerabilities. These vulnerabilities include:

 

PHP Prior to 7.0.5

  • Bug 71806 (php_strip_whitespace() fails on some numerical values).
  • Bug 71624 (`php -R` (PHP_MODE_PROCESS_STDIN) is broken).
  • Bug 69953 (Support MKCALENDAR request method).
  • Bug 71694 (Support constant CURLM_ADDED_ALREADY).
  • Bug 71635 (DatePeriod::getEndDate segfault).
  • Bug 71527 (Buffer over-write in finfo_open with malformed magic file).
  • Bug 71536 (Access Violation crashes php-cgi.exe).
  • Bug 71906 (AddressSanitizer: negative-size-param (-1) in mbfl_strcut).
  • Bug 47803 (Executing prepared statements is succesfull only for the first two statements).
  • Bug 71659 (segmentation fault in pcre running twig tests).
  • Bug 54648 (PDO::MSSQL forces format of datetime fields).
  • Bug 71625 (Crash in php7.dll with bad phar filename).
  • Bug 71317 (PharData fails to open specific file).
  • Bug 71860 (Invalid memory write in phar on filename with \0 in name).
  • Fixed crash when advancing (except step) inside an internal function.
  • Bug 71683 (Null pointer dereference in zend_hash_str_find_bucket).
  • Bug 71704 (php_snmp_error() Format String Vulnerability).
  • Bug 71617 (private properties lost when unserializing ArrayObject).
  • Bug 71660 (array_column behaves incorrectly after foreach by reference).
  • Bug 71798 (Integer Overflow in php_raw_url_encode).

 

PHP Prior to 5.6.20

  • Bug 69953 (Support MKCALENDAR request method).
  • Bug 71596 (Segmentation fault on ZTS with date function (setlocale)).
  • Bug 71694 (Support constant CURLM_ADDED_ALREADY).
  • Bug 71635 (DatePeriod::getEndDate segfault).
  • Bug 71527 (Buffer over-write in finfo_open with malformed magic file).
  • Bug 71906 (AddressSanitizer: negative-size-param (-1) in mbfl_strcut).
  • Bug 47803 (Executing prepared statements is succesfull only for the first two statements).
  • Bug 71860 (Invalid memory write in phar on filename with \0 in name).
  • Bug 54648 (PDO::MSSQL forces format of datetime fields).
  • Bug 71625 (Crash in php7.dll with bad phar filename).
  • Bug 71504 (Parsing of tar file with duplicate filenames causes memory leak).
  • Bug 71704 (php_snmp_error() Format String Vulnerability).
  • Bug 71798 (Integer Overflow in php_raw_url_encode).

 

PHP Prior to 5.5.34

  • Fixed Bug 71527 (Buffer over-write in finfo_open with malformed magic file).

  • Fixed Bug 71906 (AddressSanitizer: negative-size-param (-1) in mbfl_strcut).

  • Fixed Bug 71860 (Invalid memory write in phar on filename with \0 in name).

  • Fixed Bug 71704 (php_snmp_error() Format String Vulnerability).

  • Fixed Bug 71798 (Integer Overflow in php_raw_url_encode).

Actions: 
  • After appropriate testing, upgrade to the latest version of PHP.

  • Apply the principle of Least Privilege to all systems and services.

  • Verify that no unauthorized system modifications have occurred on the system before applying the patch.
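
An added example, not part of the original advisory: a Python check that classifies `php -v` banners against the fixed releases named in the Systems Affected list. The host names and banners are constructed sample data, and the comparison uses the upstream version number only, so distribution packages that backport fixes without changing that number should be confirmed against the vendor's changelog.

```python
import re

# Fixed release per branch, taken from the advisory's "Systems Affected" list.
FIXED = {(7, 0): (7, 0, 5), (5, 6): (5, 6, 20), (5, 5): (5, 5, 34)}

# Upstream version at the start of a bare version string or after "PHP " in a
# `php -v` banner; distro suffixes such as "-7ubuntu2" are ignored.
_VERSION_RE = re.compile(r"(?:^|\bPHP\s+)(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) as integers, or None if no version is found."""
    match = _VERSION_RE.search(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def classify(text):
    """Classify one banner: affected, fixed, branch-not-listed or unparsed."""
    version = parse_version(text)
    if version is None:
        return "unparsed"
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # The advisory says nothing about this branch; review it separately.
        return "branch-not-listed"
    # Tuple comparison is numeric, so 7.0.10 sorts after 7.0.5.
    return "affected" if version < fixed else "fixed"


def audit(inventory):
    """Map each host to its classification."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE = {
    "web01": "PHP 7.0.4-7ubuntu2 (cli) ( NTS )",
    "web02": "PHP 5.6.20 (cli) (built: Apr  1 2016 00:00:00)",
    "web03": "5.5.33",
    "web04": "PHP 5.4.45 (cli)",
    "web05": "command not found",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host}: {status}")
```
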