PHP Multiple Remote Code Execution Vulnerabilities

Last Update Date: 20 Mar 2015 10:44 Release Date: 20 Mar 2015 3700 Views

RISK: High Risk

High Risk

TYPE: Servers - Web Servers

TYPE: Web Servers

Multiple vulnerabilities were identified in PHP.  A remote user can execute arbitrary code on the target system.

  1. A remote user can send specially crafted data to an application to trigger a use-after-free memory error in the unserialisation of objects in the DateTimeZone class.
  2. A remote user can send specially crafted data to trigger a memory handling error in the phar extension and potentially execute arbitrary code on the target system.
  3. A remote user can send specially crafted data to an application to trigger a heap overflow in the ereg extension and execute arbitrary code on the target system. The vulnerability resides in the Henry Spencer regex library. Only 32-bit systems are affected.

 

Impact

  • Remote Code Execution

System / Technologies affected

  • PHP prior to versions 5.4.38, 5.5.22, 5.6.6
  • 32-bit PHP

 

Solutions

Before installation of the software, please visit the software manufacturer web-site for more details.

  • Update to version 5.4.38, 5.5.22, 5.6.6
  • No official solution is currently available for 32-bit PHP.

 

Vulnerability Identifier

Source

Related Link

Share with

Previous

Apple Safari Multiple Vulnerabilities

19 Mar 2015 3624 Views

Next

Mozilla Firefox Multiple Vulnerabilities

23 Mar 2015 3695 Views

We use cookies to give you the best possible experience on our website. By continuing to browse this site, you give consent for cookies to be used. For more details please read our Cookie Policy.

PRIVACY POLICY