PHP 5.4.x < 5.4.4 Multiple Vulnerabilities

NASLDB: PHP 5.4.x < 5.4.4 Multiple Vulnerabilities

General

ID: 59530
Name: PHP 5.4.x < 5.4.4 Multiple Vulnerabilities

Summary: Checks version of PHP

Credits: Tenable Network Security, Inc.

Classification

Risk: –

CVSS: –
CVSS Base Vector: CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C
CVSS Temporal Vector: CVSS2#E:POC/RL:OF/RC:ND

Port: 80
Family: CGI abuses
Type: Remote

Description

According to its banner, the version of PHP installed on the remote
host is 5.4.x earlier than 5.4.4, and as such is potentially
affected the following vulnerabilities :

– An integer overflow error exists in the function
‘phar_parse_tarfile’ in the file ‘ext/phar/tar.c’. This
error can lead to a heap-based buffer overflow when
handling a maliciously crafted TAR files. Arbitrary code
execution is possible due to this error. (CVE-2012-2386)

– A weakness exists in the ‘crypt’ function related to
the DES implementation that can allow brute force
attacks. (CVE-2012-2143)

– Several design errors involving the incorrect parsing
of PHP PDO prepared statements could lead to disclosure
of sensitive information or denial of service.
(CVE-2012-3450)