Multiple vulnerabilities in PHP

Published: 2018-01-04

Risk	Medium
Patch available	YES
Number of vulnerabilities	3
CVE-ID	CVE-2015-8866
CWE-ID	CWE-611 CWE-835 CWE-79
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	PHP Universal components / Libraries / Scripting languages
Vendor	PHP Group

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Improper restriction of XML external entity reference (XXE)

EUVDB-ID: #VU9867

Risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2015-8866

CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform XXE. attcks.

The vulnerability exists in ext/libxml/libxml.c when using PHP-FPM due to improper isolation of each threat from libxml_disable_entity_loader changes in other threads. A remote attacker can perform XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document.

Note: this vulnerability is known at least since 2013 and it was patched several times.

Mitigation

Update to version 7.0.27.

Vulnerable software versions

PHP: 5.4.15 - 7.2.0

CPE2.3

External links

https://www.openwall.com/lists/oss-security/2016/04/24/1
https://git.php.net/?p=php-src.git;a=commit;h=de31324c221c1791b26350ba106cc26bad23ace9
https://www.php.net/ChangeLog-5.php
https://bugs.php.net/bug.php?id=64938

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Denial of service

EUVDB-ID: #VU9868

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: N/A

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to an error in gdImageCreateFromGifCtx() function when processing images with GD library. A remote attacker can create a specially crafted image, pass it to vulnerable application and perform a denial of service (DoS) attack via infinite loop.

Mitigation

Update to version 7.0.27,7.1.13 or 7.2.1.

Vulnerable software versions

PHP: 7.0.0 - 7.2.0

CPE2.3

External links

https://bugs.php.net/bug.php?id=75571

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Corss-site scrpting

EUVDB-ID: #VU9869

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: N/A

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform XSS attacks.

The vulnerability exists due to improper input validation in .phar when processing 404 response. A remote attacker can create a specially crafted link, rick tyhe victim into opening it and execute arbitrary HTML and script code in victim's browser in context of vulnerable website.

Mitigation

Update to version 7.0.27,7.1.13 or 7.2.1.

Vulnerable software versions

PHP: 7.0.0 - 7.2.0

CPE2.3

External links

https://bugs.php.net/bug.php?id=74782

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.