CVE-2013-6501
https://notcve.org/view.php?id=CVE-2013-6501
The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_sdl function in ext/soap/php_sdl.c. La configuración por defecto soap.wsdl_cache_dir en (1) php.ini-production y (2) php.ini-development en PHP hasta 5.6.7 especifica el directorio /tmp, lo que facilita a usuarios locales realizar ataques de inyección WSDL mediante la creación de un fichero bajo /tmp con un nombre de fichero previsible que la función get_sdl utiliza en ext/soap/php_sdl.c. • http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00003.html http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html http://www.securityfocus.com/bid/72530 https://bugzilla.redhat.com/show_bug.cgi?id=1009103 https://security.gentoo.org/glsa/201606-10 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2014-9709 – gd: buffer read overflow in gd_gif_in.c
https://notcve.org/view.php?id=CVE-2014-9709
The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP before 5.5.21 and 5.6.x before 5.6.5, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted GIF image that is improperly handled by the gdImageCreateFromGif function. La función GetCode_ en gd_gif_in.c en GD 2.1.1 y anteriores, utilizado en PHP anterior a 5.5.21 y 5.6.x anterior a 5.6.5, permite a atacantes remotos causar una denegación de servicio (sobre lectura de buffer y caída de aplicación) a través de una imagen GIF manipulada que es manejada incorrectamente por la función gdImageCreateFromGif. A buffer over-read flaw was found in the GD library. A specially crafted GIF file could cause an application using the gdImageCreateFromGif() function to crash. • http://advisories.mageia.org/MGASA-2015-0040.html http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00005.html http://lists.opensuse.org/opensuse-updates/2015-04/msg00002.html http://marc.info/?l=bugtraq&m=143403519711434&w=2 http://php.net/ChangeLog-5.php http://rhn.redhat.com/errata/RHSA-2015-1053.html http://rhn.redhat.com/errata/RHSA-2015-1066.html http://rhn.redhat.com/errata/RHS • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2015-2348 – php: move_uploaded_file() NUL byte injection in file name
https://notcve.org/view.php?id=CVE-2015-2348
The move_uploaded_file implementation in ext/standard/basic_functions.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 truncates a pathname upon encountering a \x00 character, which allows remote attackers to bypass intended extension restrictions and create files with unexpected names via a crafted second argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243. La implementación move_uploaded_file en ext/standard/basic_functions.c en PHP anterior a 5.4.39, 5.5.x anterior a 5.5.23, y 5.6.x anterior a 5.6.7 trunca un nombre de ruta al encontrar un caracter \x00, lo que permite a atacantes remotos evadir las restricciones de extensiones y crear ficheros con nombres no esperados a través de un segundo argumento manipulado. NOTA: esta vulnerabilidad existe debido a una solución incompleta para CVE-2006-7243. It was found that PHP move_uploaded_file() function did not properly handle file names with a NULL character. • http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=1291d6bbee93b6109eb07e8f7916ff1b7fcc13e1 http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00005.html http://lists.opensuse.org/opensuse-updates/2015-04/msg00015.html http://marc.info/?l=bugtraq&m=143748090628601&w=2 http://marc.info/?l=bugtraq&m=144050155601375&w=2 http://php.net/ChangeLog-5.php http://rhn.redhat.com/errata/RHSA-2015-1053.html • CWE-264: Permissions, Privileges, and Access Controls CWE-626: Null Byte Interaction Error (Poison Null Byte) •
CVE-2015-2331
https://notcve.org/view.php?id=CVE-2015-2331
Integer overflow in the _zip_cdir_new function in zip_dirent.c in libzip 0.11.2 and earlier, as used in the ZIP extension in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a ZIP archive that contains many entries, leading to a heap-based buffer overflow. Desbordamiento de enteros en la función _zip_cdir_new en zip_dirent.c en libzip 0.11.2 y anteriores, utilizado en la extensión ZIP en PHP anterior a 5.4.39, 5.5.x anterior a 5.5.23, y 5.6.x anterior a 5.6.7 y otros productos, permite a atacantes remotos causar una denegación de servicio (caída de aplicación) o posiblemente ejecutar código arbitrario a través de un archivo ZIP que contiene muchas entradas, posteriormente conduciendo a un desbordamiento de buffer basado en memoria dinámica. • http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5 http://hg.nih.at/libzip/rev/9f11d54f692e http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154266.html http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154276.html http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154666.html http://lists.fedoraproject.org/pipermail/package-announce/2015-April • CWE-189: Numeric Errors •
CVE-2014-9653 – file: malformed elf file causes access to uninitialized memory
https://notcve.org/view.php?id=CVE-2014-9653
readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file. readelf.c en file anterior a 5.22, utilizado en el componente Fileinfo en PHP anterior a 5.4.37, 5.5.x anterior a 5.5.21, y 5.6.x anterior a 5.6.5, no considera que las llamadas a pread a veces leen solamente un subjuego de los datos disponibles, lo que permite a atacantes remotos causar una denegación de servicio (acceso a memoria no inicializada) o posiblemente tener otro impacto a través de un fichero ELF manipulado. A flaw was found in the way the File Information (fileinfo) extension parsed Executable and Linkable Format (ELF) files. A remote attacker could use this flaw to cause a PHP application using fileinfo to crash or disclose certain portions of server memory. • http://bugs.gw.com/view.php?id=409 http://marc.info/?l=bugtraq&m=143748090628601&w=2 http://marc.info/?l=bugtraq&m=144050155601375&w=2 http://mx.gw.com/pipermail/file/2014/001649.html http://openwall.com/lists/oss-security/2015/02/05/13 http://php.net/ChangeLog-5.php http://rhn.redhat.com/errata/RHSA-2016-0760.html http://www.debian.org/security/2015/dsa-3196 http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html http://www • CWE-20: Improper Input Validation CWE-125: Out-of-bounds Read •