PHP Fixes Remote Code Execution Flaw

Tuesday, January 27, 2015 @ 03:01 PM gHale


The newest PHP version brings in security patches, one of them mitigating a vulnerability an attacker could remotely exploit to execute code.

CVE-2014-9427 is the identifier for the vulnerability in sapi/cgi/cgi_main.c, part of the CGI component, in multiple versions of PHP (5.4.36 and earlier, 5.5.x through 5.5.20, and 5.6.x through 5.6.4).


It occurs when the “mmap” function, responsible for mapping files into memory, is used to read a PHP file and the code fails to “properly consider the mapping’s length during processing of an invalid file that begins with a # character and lacks a newline character,” according to the National Vulnerability Database.

The result is reading from a location outside the bounds of the allocated memory, revealing information that should otherwise not be accessible.
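The length check described above, as an added C illustration that is not PHP's actual cgi_main.c code; the function names and sample buffers are constructed for this example. The first function shows the unbounded scan pattern and is never called, while the second checks every read against the mapping length.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample inputs; none is NUL-terminated, like a file mapping. */
static const char no_newline[]   = {'#', '!', '/', 'x'};
static const char with_newline[] = {'#', '!', 'p', '\n', '<', '?'};
static const char plain_script[] = {'<', '?', 'p', 'h', 'p'};

/* Unbounded pattern, shown for contrast and never called here: it looks for
 * '\n' without consulting the mapping length, so on no_newline it would keep
 * reading past the end of the buffer. */
size_t skip_first_line_unbounded(const char *buf)
{
    size_t i = 0;
    if (buf[0] == '#') {
        while (buf[i] != '\n')
            i++;
        i++;
    }
    return i;
}

/* Bounded form: returns the offset of the first byte after a leading '#'
 * line, len when that line has no newline, or 0 when there is no such line. */
size_t skip_first_line_bounded(const char *buf, size_t len)
{
    const char *nl;

    if (len == 0 || buf[0] != '#')
        return 0;
    nl = memchr(buf, '\n', len);
    return nl ? (size_t)(nl - buf) + 1 : len;
}

int main(void)
{
    printf("no newline:   offset %zu of %zu\n",
           skip_first_line_bounded(no_newline, sizeof no_newline),
           sizeof no_newline);
    printf("with newline: offset %zu of %zu\n",
           skip_first_line_bounded(with_newline, sizeof with_newline),
           sizeof with_newline);
    printf("plain script: offset %zu of %zu\n",
           skip_first_line_bounded(plain_script, sizeof plain_script),
           sizeof plain_script);
    return 0;
}
```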

A successful exploit of the vulnerability allows triggering unexpected execution of a PHP script available in the memory locations near the mapping.

Additionally, where uploading a PHP file is possible, an attacker could rely on the flaw to obtain confidential information from the php-cgi process memory.

CVE-2014-9427 has a 7.5 severity score under CVSS (Common Vulnerability Scoring System), with a maximum exploitability subscore of 10 because it can be exploited without authentication and it has low access complexity.

Administrators should update their PHP version to the latest release.


