CVSS: 5.1EPSS: 74%CPEs: 61EXPL: 1CVE-2015-4021 – php: memory corruption in phar_parse_tarfile caused by empty entry file name
https://notcve.org/view.php?id=CVE-2015-4021
The phar_parse_tarfile function in ext/phar/tar.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 does not verify that the first character of a filename is different from the \0 character, which allows remote attackers to cause a denial of service (integer underflow and memory corruption) via a crafted entry in a tar archive. La función phar_parse_tarfile en ext/phar/tar.c en PHP anterior a 5.4.41, 5.5.x anterior a 5.5.25, y 5.6.x anterior a 5.6.9 no verifica que el primer caracter de un nombre de fichero es diferente al caracter \0, lo que permite a atacantes remotos causar una denegación de servicio (desbordamientos de enteros y corrupción de memoria) a través de una entrada manipulada en un archivo tar. An integer underflow flaw leading to out-of-bounds memory access was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened. • http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158616.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158915.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159031.html http://lists.opensuse.org/opensuse-updates/2015-06/msg00002.html http://php.net/ChangeLog-5.php http://rhn.redhat.com/errata/RHSA-2015-1135.html http://rhn.redhat.com/errata/RHSA-2015&# • CWE-189: Numeric Errors CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 3%CPEs: 61EXPL: 1CVE-2015-4022 – php: integer overflow leading to heap overflow when reading FTP file listing
https://notcve.org/view.php?id=CVE-2015-4022
Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows remote FTP servers to execute arbitrary code via a long reply to a LIST command, leading to a heap-based buffer overflow. Desbordamiento de enteros en la función ftp_genlist en ext/ftp/ftp.c en PHP anterior a 5.4.41, 5.5.x anterior a 5.5.25, y 5.6.x anterior a 5.6.9 permite a servidores FTP remotos ejecutar código arbitrario a través de una contestación larga a un comando LIST, que conduce a un desbordamiento de buffer basado en memoria dinámica. An integer overflow flaw leading to a heap-based buffer overflow was found in the way PHP's FTP extension parsed file listing FTP server responses. A malicious FTP server could use this flaw to cause a PHP application to crash or, possibly, execute arbitrary code. • http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158616.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158915.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159031.html http://lists.opensuse.org/opensuse-updates/2015-06/msg00002.html http://php.net/ChangeLog-5.php http://rhn.redhat.com/errata/RHSA-2015-1135.html http://rhn.redhat.com/errata/RHSA-2015&# • CWE-122: Heap-based Buffer Overflow CWE-189: Numeric Errors •
CVSS: 5.0EPSS: 71%CPEs: 65EXPL: 1CVE-2015-4024 – php: multipart/form-data request parsing CPU usage DoS
https://notcve.org/view.php?id=CVE-2015-4024
Algorithmic complexity vulnerability in the multipart_buffer_headers function in main/rfc1867.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows remote attackers to cause a denial of service (CPU consumption) via crafted form data that triggers an improper order-of-growth outcome. Vulnerabilidad de complejidad algorítmica en la función multipart_buffer_headers en main/rfc1867.c en PHP anterior a 5.4.41, 5.5.x anterior a 5.5.25, y 5.6.x anterior a 5.6.9 permiten a atacantes remotos causar una denegación de servicio (consumo de CPU) a través de datos de formularios manipulados que provocan un resultado de orden de crecimiento incorrecto. A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. • http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158616.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158915.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159031.html http://lists.opensuse.org/opensuse-updates/2015-06/msg00002.html http://php.net/ChangeLog-5.php http://rhn.redhat.com/errata/RHSA-2015-1135.html http://rhn.redhat.com/errata/RHSA-2015&# • CWE-399: Resource Management Errors CWE-407: Inefficient Algorithmic Complexity •
CVSS: 7.5EPSS: 2%CPEs: 61EXPL: 0CVE-2015-4025 – php: regressions in 5.4+
https://notcve.org/view.php?id=CVE-2015-4025
PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a \x00 character in certain situations, which allows remote attackers to bypass intended extension restrictions and access files or directories with unexpected names via a crafted argument to (1) set_include_path, (2) tempnam, (3) rmdir, or (4) readlink. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243. PHP anterior a 5.4.41, 5.5.x anterior a 5.5.25, y 5.6.x anterior a 5.6.9 trunca un nombre de ruta al encontrar un caracter \x00 en ciertas situaciones, lo que permite a atacantes remotos evadir la restricciones de extensión y acceder a ficheros o directorios con nombres no esperados a través de un argumento manipulado en (1) set_include_path, (2) tempnam, (3) rmdir, o (4) readlink. NOTA: esta vulnerabilidad existe debido a una solución incompleta para CVE-2006-7243. It was found that certain PHP functions did not properly handle file names containing a NULL character. • http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158616.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158915.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159031.html http://php.net/ChangeLog-5.php http://rhn.redhat.com/errata/RHSA-2015-1135.html http://rhn.redhat.com/errata/RHSA-2015-1186.html http://rhn.redhat.com/errata/RHSA-2015-1187.html • CWE-19: Data Processing Errors CWE-626: Null Byte Interaction Error (Poison Null Byte) •
CVSS: 7.5EPSS: 4%CPEs: 61EXPL: 1CVE-2015-4026 – php: pcntl_exec() accepts paths with NUL character
https://notcve.org/view.php?id=CVE-2015-4026
The pcntl_exec implementation in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a \x00 character, which might allow remote attackers to bypass intended extension restrictions and execute files with unexpected names via a crafted first argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243. La implementación pcntl_exec en PHP anterior a 5.4.41, 5.5.x anterior a 5.5.25, y 5.6.x anterior a 5.6.9 trunca un nombre de ruta al encontrar un caracter \x00, lo que podría permitir a atacantes remotos evadir las restricciones de extensión y ejecutar ficheros con nombres no esperados a través de un argumento inicial manipulado. NOTA: esta vulnerabilidad existe debido a una solución incompleta para CVE-2006-7243. It was found that certain PHP functions did not properly handle file names containing a NULL character. • http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158616.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158915.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159031.html http://lists.opensuse.org/opensuse-updates/2015-06/msg00002.html http://php.net/ChangeLog-5.php http://rhn.redhat.com/errata/RHSA-2015-1135.html http://rhn.redhat.com/errata/RHSA-2015&# • CWE-19: Data Processing Errors CWE-626: Null Byte Interaction Error (Poison Null Byte) •