Multiple Vulnerabilities in PHP Could Allow Arbitrary Code Execution

ITS Advisory Number: 2015-089
Date(s) Issued: Monday, August 10, 2015
Subject: Multiple Vulnerabilities in PHP Could Allow Arbitrary Code Execution
Overview: 

Multiple vulnerabilities have been discovered in PHP that could allow an attacker to execute arbitrary code. PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications. Successful exploitation of these issues may allow remote attackers to execute arbitrary code in the context of the web server.

Systems Affected: 
  • PHP 5.4 prior to 5.4.44
  • PHP 5.5 prior to 5.5.28
  • PHP 5.6 prior to 5.6.12
Risk:
  Government:
    • Large and medium government entities: High
    • Small government entities: High
  Business:
    • Large and medium business entities: High
    • Small business entities: High
  Home Users: Low
Description: 

PHP has released updates that address multiple vulnerabilities that could allow for arbitrary code execution in the context of the web server. These vulnerabilities include:

  • Bug 70068 - A use-after-free vulnerability exists in the unserialization of ArrayObject items.
  • Bug 70166 - A use-after-free vulnerability exists in the unserialization of the SPLArrayObject.
  • Bug 70168 - A use-after-free vulnerability exists in the unserialization of SplObjectStorage.
  • Bug 70169 - A use-after-free vulnerability exists in the unserialization of SplDoublyLinkedList.

A further bug fixed in the PHP Phar extension:

  • Bug 70019 - A vulnerability exists that allows files in an archive to be extracted into the directory above the intended destination directory.
Actions: 
  • After appropriate testing, upgrade to the latest version of PHP.
  • Apply the principle of Least Privilege to all systems and services.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
  • Limit user account privileges to only those required.
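As an added example (not part of the original advisory), a small Python check that classifies `php -v` output or version strings collected from a host inventory against the affected ranges listed above under Systems Affected; it compares upstream release numbers only, so vendor builds with backported fixes still need a separate check.

```python
"""Check PHP version strings against the affected ranges in ITS Advisory 2015-089."""
import re

# Minimum fixed release for each affected branch, as listed in the advisory.
FIXED_RELEASES = {
    (5, 4): (5, 4, 44),
    (5, 5): (5, 5, 28),
    (5, 6): (5, 6, 12),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_php_version(text):
    """Return (major, minor, patch) from a version string or a `php -v` line.
    Distro suffixes such as "5.5.9-1ubuntu4.11" are ignored: the comparison is
    against upstream release numbers. Returns None if no version is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def classify(text):
    """Return 'vulnerable', 'fixed', 'not_covered' or 'unknown'.
    'not_covered' means the branch (e.g. 5.3 or 7.x) is not in this advisory,
    not that it is safe. Vendor builds with backported fixes still report
    'vulnerable' here and need a separate check against the vendor changelog.
    """
    version = parse_php_version(text)
    if version is None:
        return "unknown"
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return "not_covered"
    return "vulnerable" if version < fixed else "fixed"


if __name__ == "__main__":
    # Constructed sample inventory lines, one per host (hostnames are made up).
    sample_inventory = [
        ("web01", "PHP 5.6.11 (cli) (built: Jul 10 2015 12:00:00)"),
        ("web02", "PHP 5.5.9-1ubuntu4.11 (cli)"),
        ("web03", "PHP 5.4.44 (cli)"),
        ("web04", "PHP 5.3.29 (cli)"),
    ]
    for host, line in sample_inventory:
        print(f"{host}: {classify(line)}")
```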