CVE-2014-9427
published 2015-01-03
Priority P347 · high · 7.5 · CVSS 2.0
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 16.89% (96.7th percentile)
sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, does not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping.
Affected
172 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | os_x_el_capitan_v10.11 | — | — |
| php | php | — | — |
CVSS provenance
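| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v2.0) | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | 7.5 | HIGH | |
| vendor_redhat | 7.5 | HIGH | |
| vendor_ubuntu | 7.5 | HIGH | |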
Ubuntu
PHP vulnerabilities
vendor_ubuntu·2015-02-17·CVSS 7.5
CVE-2014-8142 [HIGH] PHP vulnerabilities
Title: PHP vulnerabilities
Summary: Several security issues were fixed in PHP.
Stefan Esser discovered that PHP incorrectly handled unserializing objects.
A remote attacker could use this issue to cause PHP to crash, resulting in
a denial of service, or possibly execute arbitrary code. (CVE-2014-8142,
CVE-2015-0231)
Brian Carpenter discovered that the PHP CGI component incorrectly handled
invalid files. A local attacker could use this issue to obtain sensitive
information, or possibly execute arbitrary code. This issue only affected
Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2014-9427)
It was discovered that PHP incorrectly handled certain pascal strings in
the fileinfo extension. A remote attacker could possibly use this issue to
cause PHP to crash, resulting in a denial of service. This
Red Hat
php: out of bounds read when parsing a crafted .php file
vendor_redhat·2014-12-17·CVSS 7.5
CVE-2014-9427 [HIGH] CWE-125 php: out of bounds read when parsing a crafted .php file
sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, does not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping.
A flaw was found in the way PHP handled malformed source files when running in CGI mode. A specially crafted PHP file could cause PHP CGI to cras
Apple
CVE-2014-9427: OS X El Capitan v10.11
vendor_apple·CVSS 7.5
CVE-2014-9427 [HIGH] CVE-2014-9427: OS X El Capitan v10.11
Apple Security Update: About the security content of OS X El Capitan v10.11
Product: OS X El Capitan v10.11
CVE: CVE-2014-9427
Component: CVE-2014-9427
GHSA
GHSA-jv9r-h7r8-3459: sapi/cgi/cgi_main
ghsa_unreviewed·2022-05-17
CVE-2014-9427 [HIGH] CWE-119 GHSA-jv9r-h7r8-3459: sapi/cgi/cgi_main
sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, does not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping.
OSV
php5 vulnerabilities
osv·2015-02-17·CVSS 7.5
CVE-2014-8142 [HIGH] php5 vulnerabilities
Stefan Esser discovered that PHP incorrectly handled unserializing objects.
A remote attacker could use this issue to cause PHP to crash, resulting in
a denial of service, or possibly execute arbitrary code. (CVE-2014-8142,
CVE-2015-0231)
Brian Carpenter discovered that the PHP CGI component incorrectly handled
invalid files. A local attacker could use this issue to obtain sensitive
information, or possibly execute arbitrary code. This issue only affected
Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2014-9427)
It was discovered that PHP incorrectly handled certain pascal strings in
the fileinfo extension. A remote attacker could possibly use this issue to
cause PHP to crash, resulting in a denial of service. This issue only
affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CV
OSV
CVE-2014-9427: sapi/cgi/cgi_main
osv·2015-01-02·CVSS 7.5
CVE-2014-9427 [HIGH] CVE-2014-9427: sapi/cgi/cgi_main
sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, does not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2014-9427 php: out of bounds read when parsing a crafted .php file
bugzilla·2015-01-05·CVSS 7.5
CVE-2014-9427 [HIGH] CVE-2014-9427 php: out of bounds read when parsing a crafted .php file
It was reported that a one byte file containing '#' and no newline causes php-cgi to segfault:
https://bugs.php.net/bug.php?id=68618
...
$ printf "#" >crashme.php
$ ./php-cgi crashme.php
Segmentation fault
...
Upstream patch that fixes this issue:
http://git.php.net/?p=php-src.git;a=commit;h=f9ad3086693fce680fbe246e4a45aa92edd2ac35
Discussion:
Created php tracking bugs for this issue:
Affects: fedora-all [bug 1178740]
---
Fixed upstream in PHP 5.6.5, 5.5.21, and 5.4.37:
http://php.net/ChangeLog-5.php#5.6.5
http://php.net/ChangeLog-5.php#5.5.21
http://php.net/ChangeLog-5.php#5.4.37
---
php-5.6.5-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in thi
Bugzilla
CVE-2014-9427 php: out of bounds read when parsing a crafted .php file [fedora-all]
bugzilla·2015-01-05·CVSS 7.5
CVE-2014-9427 [HIGH] CVE-2014-9427 php: out of bounds read when parsing a crafted .php file [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versio
HackerOne
out of bounds read crashes php-cgi
hackerone·2014-12-30·CVSS 7.5
CVE-2014-9427 [HIGH] out of bounds read crashes php-cgi
I found and disclosed CVE-2014-9427 to the PHP dev team on 17 December 2014 (https://bugs.php.net/bug.php?id=68618) and a patch was committed on 30 December 2014 (http://git.php.net/?p=php-src.git;a=commit;h=f9ad3086693fce680fbe246e4a45aa92edd2ac35) and the flaw is now fixed.
Details of the flaw: sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, does not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload
References
http://advisories.mageia.org/MGASA-2015-0040.html
http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=f9ad3086693fce680fbe246e4a45aa92edd2ac35
http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html
http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00029.html
http://lists.opensuse.org/opensuse-updates/2015-02/msg00079.html
http://marc.info/?l=bugtraq&m=143748090628601&w=2
http://marc.info/?l=bugtraq&m=144050155601375&w=2
http://openwall.com/lists/oss-security/2014/12/31/6
http://openwall.com/lists/oss-security/2015/01/01/1
http://openwall.com/lists/oss-security/2015/01/03/4
http://rhn.redhat.com/errata/RHSA-2015-1053.html
http://rhn.redhat.com/errata/RHSA-2015-1066.html
http://www.mandriva.com/security/advisories?name=MDVSA-2015:032
http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
http://www.securityfocus.com/bid/71833
https://bugs.php.net/bug.php?id=68618
https://security.gentoo.org/glsa/201503-03
https://support.apple.com/HT205267