SB2018010412 - Multiple vulnerabilities in PHP

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Improper restriction of XML external entity reference (XXE) (CVE-ID: CVE-2015-8866)

The vulnerability allows a remote attacker to perform XXE. attcks.

The vulnerability exists in ext/libxml/libxml.c when using PHP-FPM due to improper isolation of each threat from libxml_disable_entity_loader changes in other threads. A remote attacker can perform XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document.

Note: this vulnerability is known at least since 2013 and it was patched several times.

2) Denial of service (CVE-ID: CVE-2018-5711)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to an error in gdImageCreateFromGifCtx() function when processing images with GD library. A remote attacker can create a specially crafted image, pass it to vulnerable application and perform a denial of service (DoS) attack via infinite loop.

3) Corss-site scrpting (CVE-ID: CVE-2018-5712)

The vulnerability allows a remote attacker to perform XSS attacks.

The vulnerability exists due to improper input validation in .phar when processing 404 response. A remote attacker can create a specially crafted link, rick tyhe victim into opening it and execute arbitrary HTML and script code in victim's browser in context of vulnerable website.

Remediation

Install update from vendor's website.

References

• http://www.openwall.com/lists/oss-security/2016/04/24/1
• http://git.php.net/?p=php-src.git;a=commit;h=de31324c221c1791b26350ba106cc26bad23ace9
• http://www.php.net/ChangeLog-5.php
• https://bugs.php.net/bug.php?id=64938
• https://bugs.php.net/bug.php?id=75571
• https://bugs.php.net/bug.php?id=74782