#VU16123 Type confusion in PHP
Vulnerability identifier: #VU16123
Vulnerability risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-843
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
PHP
Universal components / Libraries /
Scripting languages
Vendor: PHP Group
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to type confusion in do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that the uri property is a string. A remote attacker can trigger memory corruption and obtain sensitive information by providing crafted serialized data with an int data type.
Mitigation
Install update from vendor's website.
Vulnerable software versions
PHP: 5.4.0 - 5.4.38, 5.5.0 - 5.5.22, 5.6.0 - 5.6.6
External links
http://bugs.php.net/bug.php?id=69085
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
