Vulnerability identifier: #VU9867

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2015-8866

CWE-ID: CWE-611

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PHP
Universal components / Libraries / Scripting languages

Vendor: PHP Group

Description
The vulnerability allows a remote attacker to perform XXE. attcks.

The vulnerability exists in ext/libxml/libxml.c when using PHP-FPM due to improper isolation of each threat from libxml_disable_entity_loader changes in other threads. A remote attacker can perform XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document.

Note: this vulnerability is known at least since 2013 and it was patched several times.

Mitigation
Update to version 7.0.27.

Vulnerable software versions

PHP: 7.2.0, 7.0.0 - 7.0.26, 7.1.0 - 7.1.12, 5.6.0 - 5.6.32, 5.5.0 - 5.5.38, 5.4.15 - 5.4.44

---

CPE

• cpe:2.3:a:php_group:php:7.2.0:*:*:*:*:*:*:*

External links
http://www.openwall.com/lists/oss-security/2016/04/24/1
http://git.php.net/?p=php-src.git;a=commit;h=de31324c221c1791b26350ba106cc26bad23ace9
http://www.php.net/ChangeLog-5.php
http://bugs.php.net/bug.php?id=64938

---

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?