PHP Unpatched Vulnerability Affecting PHP 7 Servers

Jimmy · Dec 30, 2016

Unpatched Vulnerability Affecting PHP 7 Servers

eva2000 · Dec 30, 2016

thanks for heads up !

One bug remains unpatched
Livneh says he informed the PHP team of the issues in August and September this year. The PHP team pushed a bugfix on October 13, with the release of PHP 7.0.12, and on December 1, with the release of PHP 7.1.0.

The PHP team fixed only two of the three issues at the time of writing, with one bug remaining unpatched. Bleeping Computer has reached out to Stanislav Malyshev, a member of the PHP team, to inquire about the status of the last bug. According to Malyshev, the PHP team doesn't "usually have specific release dates for individual bugs."

"The releases of PHP are done every 4 weeks, with the next one planned on January 5th," Malyshev said. "Once the fix for the particular bug is ready, it is released in the next scheduled release."

Livneh says the three bugs can be exploited using a technique he previously detailed in August. The researcher has not specified which of the three bugs remained unpatched.

Bleeping Computer has reached out to Livneh to inquire if there is evidence that any of the three bugs has been exploited in the wild.
Click to expand...

eva2000 · Dec 30, 2016

Also at 3 Critical Zero-Day Flaws Found in PHP 7 — One Remains Unpatched!

Security researchers at Check Point's exploit research team spent several months examining the unserialized mechanism in PHP 7 and discovered "three fresh and previously unknown vulnerabilities" in the mechanism.

While researchers discovered flaws in the same mechanism, the vulnerabilities in PHP 7 are different from what was found in PHP 5.

Tracked as CVE-2016-7479, CVE-2016-7480, and CVE-2016-7478, the zero-day flaws can be exploited in a similar manner as a separate vulnerability (CVE-2015-6832) detailed in Check Point's August report.

CVE-2016-7479—Use-After-Free Code Execution

CVE-2016-7480—Use of Uninitialized Value Code Execution

CVE-2016-7478—Remote Denial of Service

The first two vulnerabilities, if exploited, would allow a hacker to take full control over the target server, enabling the attacker to do anything from spreading malware to steal customer data or to defacing it.

The third vulnerability could be exploited to generate a Denial of Service (DoS) attack, allowing a hacker to hang the website, exhaust its memory consumption and eventually shut down the target system, researchers explain in their report [PDF].

According to Yannay Livneh of Check Point's exploit research team, none of the above vulnerabilities were found exploited in the wild by hackers.
Click to expand...

Jimmy · Dec 30, 2016

Hopefully they fixed the first two... those seem to be the worst.

eva2000 · Dec 30, 2016

Original source http://blog.checkpoint.com/2016/12/...lnerabilities-web-programming-language-php-7/

Throughout our investigation we discovered 3 fresh and previously unknown vulnerabilities (CVE-2016-7479, CVE-2016-7480, CVE-2016-7478) in the PHP 7 unserialize mechanism. These vulnerabilities can be exploited using a technique we’ve discussed back in August.

The first two vulnerabilities allow attackers to take full control over servers, allowing them to do anything they want with the website, from spreading malware to defacing it or stealing customer data.

The last vulnerability generates a Denial of Service attack which basically hangs the website, exhausts its memory consumption, and shuts it down.

We have reported the three vulnerabilities to the PHP security team on the 15th of September and 6th of August.
Click to expand...

eva2000 · Dec 30, 2016

Jimmy said: ↑

Hopefully they fixed the first two... those seem to be the worst.
Click to expand...

2016-12-30
PHP CVE-2016-7480 Remote Code Execution Vulnerability

2016-12-30
PHP CVE-2016-7479 Denial of Service Vulnerability

2016-12-30
PHP CVE-2016-7478 Remote Denial Of Service Vulnerability
Click to expand...

confusing classification of 'not vulnerable' and vulnerable on those linked CVEs suggestion PHP 7.0.14 has fixed all 3 CVEs ?
Code (Text):
PHP CVE-2016-7480 Remote Code Execution Vulnerability

Bugtraq ID:    95152
Class:    Design Error
CVE:    CVE-2016-7480
Remote:    Yes
Local:    No
Published:    Dec 27 2016 12:00AM
Updated:    Dec 30 2016 12:08AM
Credit:    CHECK POINT SECURITY RESEARCH
Vulnerable:    PHP PHP 7.0.5
PHP PHP 7.0.3
PHP PHP 7.0
PHP PHP 7.0.9
PHP PHP 7.0.8
PHP PHP 7.0.7
PHP PHP 7.0.6
PHP PHP 7.0.4
PHP PHP 7.0.2
PHP PHP 7.0.11
PHP PHP 7.0.10
PHP PHP 7.0.1
PHP PHP 7.0
Not Vulnerable:    PHP PHP 7.0.14
PHP PHP 7.0.12
PHP PHP 7.0.13
Code (Text):
PHP CVE-2016-7479 Denial of Service Vulnerability

Bugtraq ID:    95151
Class:    Failure to Handle Exceptional Conditions
CVE:    CVE-2016-7479
Remote:    Yes
Local:    No
Published:    Dec 29 2016 12:00AM
Updated:    Dec 30 2016 12:08AM
Credit:    Checkpoint.
Vulnerable:    PHP PHP 7.0.12
PHP PHP 7.0.5
PHP PHP 7.0.3
PHP PHP 7.0
PHP PHP 7.0.9
PHP PHP 7.0.8
PHP PHP 7.0.7
PHP PHP 7.0.6
PHP PHP 7.0.4
PHP PHP 7.0.2
PHP PHP 7.0.13
PHP PHP 7.0.11
PHP PHP 7.0.10
PHP PHP 7.0.1
PHP PHP 7.0
Not Vulnerable:  
Code (Text):
PHP CVE-2016-7478 Remote Denial Of Service Vulnerability

Bugtraq ID:    95150
Class:    Failure to Handle Exceptional Conditions
CVE:    CVE-2016-7478
Remote:    Yes
Local:    No
Published:    Dec 28 2016 12:00AM
Updated:    Dec 30 2016 12:08AM
Credit:    yannayl at checkpoint.com.
Vulnerable:    PHP PHP 7.0.12
PHP PHP 7.0.5
PHP PHP 7.0.3
PHP PHP 7.0.9
PHP PHP 7.0.8
PHP PHP 7.0.7
PHP PHP 7.0.6
PHP PHP 7.0.4
PHP PHP 7.0.2
PHP PHP 7.0.13
PHP PHP 7.0.11
PHP PHP 7.0.10
PHP PHP 7.0.1
PHP PHP 7.0
PHP PHP 5.6.26
Not Vulnerable:
PHP 7.0.14 change log

Version 7.0.14
08 Dec 2016

Core:

Fixed memory leak(null coalescing operator with Spl hash).

Fixed bug #72736 (Slow performance when fetching large dataset with mysqli / PDO).

Fixed bug #72978 (Use After Free Vulnerability in unserialize()). (CVE-2016-9936)

Calendar:

(Fix integer overflows).

Date:

Fixed bug #69587 (DateInterval properties and isset).

DTrace:

Disabled PHP call tracing by default (it makes significant overhead). This may be enabled again using envirionment variable USE_ZEND_DTRACE=1.

JSON:

Fixed bug #73526 (php_json_encode depth issue).

Mysqlnd:

Fixed bug #64526 (Add missing mysqlnd.* parameters to php.ini-*).

ODBC:

Fixed bug #73448 (odbc_errormsg returns trash, always 513 bytes).

Opcache:

Fixed bug #69090 (check cached files permissions).

Fixed bug #73546 (Logging for opcache has an empty file name).

PCRE:

Fixed bug #73483 (Segmentation fault on pcre_replace_callback).

Fixed bug #73392 (A use-after-free in zend allocator management).

PDO_Firebird:

Fixed bug #73087, #61183, #71494 (Memory corruption in bindParam).

Phar:

Fixed bug #73580 (Phar::isValidPharFilename illegal memory access).

Postgres:

Fixed bug #73498 (Incorrect SQL generated for pg_copy_to()).

Soap:

Fixed bug #73538 (SoapClient::__setSoapHeaders doesn't overwrite SOAP headers).

Fixed bug #73452 (Segfault (Regression for #69152)).

SPL:

Fixed bug #73423 (Reproducible crash with GDB backtrace).

SQLite3:

Fixed bug #73530 (Unsetting result set may reset other result set).

Standard:

Fixed bug #73297 (HTTP stream wrapper should ignore HTTP 100 Continue).

Fixed bug #73645 (version_compare illegal write access).

Wddx:

Fixed bug #73631 (Invalid read when wddx decodes empty boolean element). (CVE-2016-9935)

XML:

Fixed bug #72135 (malformed XML causes fault).

Click to expand...

Log in / Register

Forums

Join the community today

PHP Unpatched Vulnerability Affecting PHP 7 Servers

Jimmy Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Jimmy Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Join the community today

PHP Unpatched Vulnerability Affecting PHP 7 Servers

Jimmy Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Jimmy Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.