Vulnerability in PHP Could Allow for Remote Code Execution

ITS Advisory Number: 
2016-052
Date(s) Issued: 
Friday, March 11, 2016
Subject: 
Vulnerability in PHP Could Allow for Remote Code Execution
Overview: 

A vulnerability has been discovered in PHP, which could allow an attacker to execute remote code. PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications. Successful exploitation of this vulnerability could allow a remote attacker to execute remote code in the context of the user running the affected application. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation will likely result in a denial-of-service condition.

Systems Affected: 

  • PHP 5.6 prior to 5.6.19

  • PHP 5.5 prior to 5.5.33

RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
Low
Description: 

A vulnerability has been discovered in PHP, which could allow an attacker to execute remote code. This vulnerability exists due to a use-after-free error in the 'ext/wddx/wddx.c' file, which is caused as it fails to correctly implement Web Distributed Data eXchange (WDDX) deserialization. Failed exploitation will result in a denial-of-service condition. Successful exploitation could be performed via a specially crafted XML file.

WDDX is an XML-based technology that enables complex-data exchange between various supported Web programming languages, by allocating a specific module for each supported language. The module will translate (serialize) the native data structures into an abstract form represented as XML, or de-serialize the WDDX XML into a native data structure.

Successful exploitation of this vulnerability could allow a remote attacker to execute remote code in the context of the user running the affected application. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation will likely result in a denial-of-service condition.

Actions: 

  • After appropriate testing upgrade to the latest version of PHP.

  • Apply the principle of Least Privilege to all systems and services.

  • Do not open email attachments from unknown or untrusted sources.

  • Verify no unauthorized system modifications have occurred on system before applying patch.

  • Limit user account privileges to only those required.

References: 

PHP:

https://bugs.php.net/bug.php?id=71587

http://php.net/ChangeLog-5.php#5.6.19

http://php.net/ChangeLog-5.php#5.5.33

Office of Information Technology Services

Other Information

Language Access

Register to Vote

Sign up online or download and mail your application. Register Now