Mauritian National Computer Security Incident Response Team (CERT-MU)

VN-2017-94


PHP Multiple Flaws Let Remote Users Obtain Potentially Sensitive Information, Deny Service, and Execute Arbitrary Code
Severity Rating: Medium
Systems Affected:
  • PHP
Description
Several vulnerabilities have been identified in PHP that remote attackers can exploit to execute arbitrary code, obtain potentially sensitive information, and cause denial of service conditions on the vulnerable system. The vulnerabilities reported are as follows:

  • A remote attacker can send specially crafted HTTP POST data to cause the target application to consume excessive CPU resources.
  • A remote attacker can send specially crafted data to cause the target application to crash.
  • A remote attacker can trigger a stack overflow in the PHP INI API to potentially execute arbitrary code on the target system.
  • A remote attacker can trigger a buffer overread in wddx_deserialize() during the parsing of dateTime values to view potentially sensitive information on the target system.
 
Solution
Users are advised to apply updates.
More information about the update is available on:
 
Vendor Information
PHP
 
References
Security Tracker
 
PHP
 
 
 
Contact Information
 
Postal address
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street
Port Louis