#VU45307 Input validation error in PHP
Vulnerability identifier: #VU45307
Vulnerability risk: Medium
CVSSv3.1: 5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:U/RC:C]
CVE-ID:
CWE-ID:
CWE-20
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
PHP
Universal components / Libraries /
Scripting languages
Vendor: PHP Group
Description
The vulnerability allows context-dependent attackers to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (crash) via an invalid size argument, which triggers a NULL pointer dereference.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
PHP: 5.3.5
External links
http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
http://securityreason.com/achievement_securityalert/94
http://securityreason.com/securityalert/8087
http://support.apple.com/kb/HT5002
http://svn.php.net/viewvc/php/php-src/trunk/ext/intl/grapheme/grapheme_string.c?r1=306449&r2=306448&pathrev=306449
http://www.debian.org/security/2011/dsa-2266
http://www.exploit-db.com/exploits/16182
http://www.kb.cert.org/vuls/id/210829
http://www.securityfocus.com/archive/1/516504/100/0/threaded
http://www.securityfocus.com/archive/1/516518/100/0/threaded
http://www.securityfocus.com/bid/46429
http://exchange.xforce.ibmcloud.com/vulnerabilities/65437
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
