CVE-2012-2688
Published 2012-07-20
CVE-2012-2688: Unspecified vulnerability in the _php_stream_scandir function in the stream implementation in PHP before 5.3.15 and 5.4.x before 5.4.5 has unknown impact and…
Priority P272 · critical · 10 · CVSS 2.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 10.47% (95.2th percentile)
Unspecified vulnerability in the _php_stream_scandir function in the stream implementation in PHP before 5.3.15 and 5.4.x before 5.4.5 has unknown impact and remote attack vectors, related to an "overflow."
Affected
111 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| php | php | <= 5.3.14 | — |
Detection & IOCs (extracted from sources)
- Vulnerability is triggered when PHP's scandir() / _php_stream_scandir() processes a directory containing a number of files exceeding INT_MAX (2,147,483,647); monitor for abnormally large directory scans or file-upload activity that could stage such a condition.
- The root cause is an integer signedness issue leading to a heap-based buffer overflow in _php_stream_scandir; detection should focus on PHP processes crashing or executing unexpected child processes when scandir() is invoked on attacker-influenced directories.
- Patch reference commit for PHP 5.3/5.4 fix is fc74503792b1ee92e4b813690890f3ed38fa3ad5; verify this commit is present in deployed PHP source to confirm remediation.
- Exploitation requires more than 2,147,483,647 files in the scanned directory, making real-world exploitation extremely difficult; severe filesystem/performance degradation would likely be observed before the threshold is reached.
- Affected versions are PHP before 5.3.15 and PHP 5.4.x before 5.4.5; systems running these versions with web-accessible file upload directories are at elevated risk.
- A practical mitigation is to enforce an upper file-count limit on directories accessible to PHP's scandir(), well below INT_MAX, to prevent the overflow condition from being reachable.
CVSS provenance
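| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 10.0 | CRITICAL | — |
| vendor_redhat | — | 10.0 | CRITICAL | — |
| vendor_ubuntu | — | 4.3 | MEDIUM | — |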
GHSA
ghsa_unreviewed · 2022-05-17
CVE-2012-2688 [HIGH] GHSA-5xf9-hrqg-23cp: Unspecified vulnerability in the _php_stream_scandir function in the stream implementation in PHP before 5
VulnCheck
vulncheck · 2012 · CVSS 10.0
CVE-2012-2688 [CRITICAL] PHP _php_stream_scandir Function Vulnerability
Affected: PHP PHP
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.fortiguard.com/encyclopedia/ips/31752
Exploit PoC: https://vulncheck.com/xdb/22f6b45e19e9; https://vulncheck.com/xdb/064f7b53c992
Ubuntu
vendor_ubuntu · 2012-09-17 · CVSS 4.3
CVE-2011-1398 [MEDIUM] PHP vulnerabilities
Title: PHP vulnerabilities
Summary: Several security issues were fixed in PHP.
It was discovered that PHP incorrectly handled certain character sequences
when applying HTTP response-splitting protection. A remote attacker could
create a specially-crafted URL and inject arbitrary headers.
(CVE-2011-1398, CVE-2012-4388)
It was discovered that PHP incorrectly handled directories with a large
number of files. This could allow a remote attacker to execute arbitrary
code with the privileges of the web server, or to perform a denial of
service. (CVE-2012-2688)
It was discovered that PHP incorrectly parsed certain PDO prepared
statements. A remote attacker could use this flaw to cause PHP to crash,
leading to a denial of service. (CVE-2012-3450)
Instructions: In general, a standard system upd
Red Hat
vendor_redhat · 2012-07-19 · CVSS 10.0
CVE-2012-2688 [CRITICAL] php: Integer Signedness issues in _php_stream_scandir
No detection rules found.
No public exploits indexed.
- http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00022.html
- http://rhn.redhat.com/errata/RHSA-2013-1307.html
- http://secunia.com/advisories/55078
- http://support.apple.com/kb/HT5501
- http://www.debian.org/security/2012/dsa-2527
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:108
- http://www.php.net/ChangeLog-5.php
- http://www.securityfocus.com/bid/54638
- http://www.securitytracker.com/id?1027287
- http://www.ubuntu.com/usn/USN-1569-1
- https://exchange.xforce.ibmcloud.com/vulnerabilities/77155
- https://hermes.opensuse.org/messages/15376003