Vulnerability in PHP Could Allow for Remote Code Execution

ITS Advisory Number: 
2015-045
Date(s) Issued: 
Friday, April 24, 2015
Subject: 
Vulnerability in PHP Could Allow for Remote Code Execution
Overview: 

A vulnerability has been identified in PHP which could allow for remote code execution. PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications.

Successful exploitation of this vulnerability could result in remote code execution, allowing an attacker to run code in the context of the user running the affected application. Failed attempts may result in denial of service conditions.

Systems Affected: 
  • PHP 5.6 prior to 5.6.8
  • PHP 5.5 prior to 5.5.24
  • PHP 5.4 prior to 5.4.40
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
Low
Description: 

A vulnerability has been discovered in PHP versions prior to 5.6.8, 5.5.24, and 5.4.40 which could lead to remote code execution. Specifically, the vulnerability occurs when a maliciously crafted request is submitted to a web server running Apache 2.4 with the apache2handler configuration enabled. When this packet is processed by the application, it results in a segmentation fault in ‘sapi/apache2handler/sapi_apache2.c’.

Successful exploitation of this vulnerability could result in remote code execution, allowing an attacker to run code in the context of the user running the affected application. Failed attempts may result in denial of service conditions.

Actions: 

We recommend the following actions be taken:

  • Apply appropriate fixes or patches provided by the PHP Group to vulnerable systems immediately after appropriate testing.
  • Apply the principle of Least Privilege to all systems and services.
  • Limit user account privileges to only those required.