CVSS: 8.1EPSS: 17%CPEs: 3EXPL: 5CVE-2016-5399 – PHP 5.5.37/5.6.23/7.0.8 - 'bzread()' Out-of-Bounds Write
https://notcve.org/view.php?id=CVE-2016-5399
The bzread function in ext/bz2/bz2.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted bz2 archive. La función bzread en ext/bz2/bz2.c en PHP en versiones anteriores a 5.5.38, 5.6.x en versiones anteriores a 5.6.24, y 7.x en versiones anteriores a 7.0.9 permite a atacantes remotos provocar una denegación de servicio (escritura fuera de limites) o ejecutar código arbitrario a través de un archivo bz2 manipulado. A flaw was found in the way certain error conditions were handled by bzread() function in PHP. An attacker could use this flaw to upload a specially crafted bz2 archive which, when parsed via the vulnerable function, could cause the application to crash or execute arbitrary code with the permissions of the user running the PHP application. PHP versions 7.0.8, 5.6.23, and 5.5.37 suffers from an out-of-bounds write vulnerability in bzread(). • https://www.exploit-db.com/exploits/40155 http://packetstormsecurity.com/files/137998/PHP-7.0.8-5.6.23-5.5.37-bzread-OOB-Write.html http://php.net/ChangeLog-5.php http://php.net/ChangeLog-7.php http://rhn.redhat.com/errata/RHSA-2016-2598.html http://rhn.redhat.com/errata/RHSA-2016-2750.html http://seclists.org/fulldisclosure/2016/Jul/72 http://www.debian.org/security/2016/dsa-3631 http://www.openwall.com/lists/oss-security/2016/07/21/1 http:/&#x • CWE-390: Detection of Error Condition Without Action CWE-787: Out-of-bounds Write •
CVSS: 8.1EPSS: 92%CPEs: 21EXPL: 0CVE-2016-5385 – PHP: sets environmental variable based on user supplied Proxy request header
https://notcve.org/view.php?id=CVE-2016-5385
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue. PHP hasta la versión 7.0.8 no intenta abordar los conflictos de espacio de nombres de RFC 3875 sección 4.1.18 y por lo tanto no protege aplicaciones de la presencia de datos de clientes no confiables en ambiente variable de HTTP_PROXY, lo que ppodría permitir a atacantes remotos redireccionar el tráfico HTTP saliente de una aplicación a un servidor proxy arbitrario través de una cabecera Proxy manipulada en una petición HTTP, según lo demostrado por (1) una aplicación que hace una llamada getenv('HTTP_PROXY') o (2) una configuración CGI de PHP, también conocido como problema "httpoxy". It was discovered that PHP did not properly protect against the HTTP_PROXY variable name clash. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP script to an attacker-controlled proxy via a malicious HTTP request. • http://lists.opensuse.org/opensuse-updates/2016-08/msg00003.html http://rhn.redhat.com/errata/RHSA-2016-1609.html http://rhn.redhat.com/errata/RHSA-2016-1610.html http://rhn.redhat.com/errata/RHSA-2016-1611.html http://rhn.redhat.com/errata/RHSA-2016-1612.html http://rhn.redhat.com/errata/RHSA-2016-1613.html http://www.debian.org/security/2016/dsa-3631 http://www.kb.cert.org/vuls/id/797896 http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html • CWE-20: Improper Input Validation CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 9.1EPSS: 0%CPEs: 49EXPL: 0CVE-2016-5116
https://notcve.org/view.php?id=CVE-2016-5116
gd_xbm.c in the GD Graphics Library (aka libgd) before 2.2.0, as used in certain custom PHP 5.5.x configurations, allows context-dependent attackers to obtain sensitive information from process memory or cause a denial of service (stack-based buffer under-read and application crash) via a long name. gd_xbm.c en la GD Graphics Library (también conocido como libgd) en versiones anteriores a 2.2.0, como se utiliza en ciertas configuraciones personalizadas PHP 5.5.x, permite a atacantes dependientes del contexto obtener información sensible del proceso de memoria o provocar una denegación de servicio (lectura debajo de desbordamiento de búfer basado en la pila y caída de aplicación) a través de un nombre largo. • http://lists.opensuse.org/opensuse-updates/2016-09/msg00078.html http://www.debian.org/security/2016/dsa-3619 http://www.openwall.com/lists/oss-security/2016/05/29/5 http://www.ubuntu.com/usn/USN-3030-1 https://github.com/libgd/libgd/commit/4dc1a2d7931017d3625f2d7cff70a17ce58b53b4 https://github.com/libgd/libgd/issues/211 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.5EPSS: 3%CPEs: 9EXPL: 0CVE-2016-6128 – gd: Invalid color index not properly handled
https://notcve.org/view.php?id=CVE-2016-6128
The gdImageCropThreshold function in gd_crop.c in the GD Graphics Library (aka libgd) before 2.2.3, as used in PHP before 7.0.9, allows remote attackers to cause a denial of service (application crash) via an invalid color index. La función gdImageCropThreshold en gd_crop.c en la GD Graphics Library (también conocido como libgd) en versiones anteriores a 2.2.3, como se utiliza en PHP en versiones anteriores a 7.0.9, permite a atacantes remotos provocar una denegación de servicio (caída de aplicación) a través de un índice de color invalido. It was found that libgd did not properly handle invalid color indexes in GD files. An attacker who could submit a crafted GD file for conversion could cause applications using libgd to crash, leading to denial of service. • http://lists.opensuse.org/opensuse-updates/2016-08/msg00086.html http://lists.opensuse.org/opensuse-updates/2016-09/msg00078.html http://rhn.redhat.com/errata/RHSA-2016-2750.html http://www.debian.org/security/2016/dsa-3619 http://www.openwall.com/lists/oss-security/2016/06/30/1 http://www.securityfocus.com/bid/91509 http://www.securitytracker.com/id/1036276 http://www.ubuntu.com/usn/USN-3030-1 https://bugs.php.net/72494 https://github.com/libgd/libgd/commi • CWE-20: Improper Input Validation •
CVSS: 8.1EPSS: 22%CPEs: 22EXPL: 3CVE-2016-6174 – IPS Community Suite 4.1.12.3 - PHP Code Injection
https://notcve.org/view.php?id=CVE-2016-6174
applications/core/modules/front/system/content.php in Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) before 4.1.13, when used with PHP before 5.4.24 or 5.5.x before 5.5.8, allows remote attackers to execute arbitrary code via the content_class parameter. applications/core/modules/front/system/content.php en Invision Power Services IPS Community Suite (también conocido como Invision Power Board, IPB o Power Board) en versiones anteriores a 4.1.13, cuando se utiliza con PHP en versiones anteriores a 5.4.24 o 5.5.x en versiones anteriores a 5.5.8, permite a atacantes remotos ejecutar código arbitrario a través del parámetro content_class. IPS Community Suite versions 4.1.12.3 and below suffer from a remote PHP code injection vulnerability. • https://www.exploit-db.com/exploits/40084 http://karmainsecurity.com/KIS-2016-11 http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html http://packetstormsecurity.com/files/137804/IPS-Community-Suite-4.1.12.3-PHP-Code-Injection.html http://seclists.org/fulldisclosure/2016/Jul/19 http://www.securityfocus.com/bid/91732 https://invisionpower.com/release-notes/4113-r44 https://support.apple.com/HT207170 •