CVE-2016-3078
published 2016-08-07


Priority: P268 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 58.51% (99.0th percentile)

Multiple integer overflows in php_zip.c in the zip extension in PHP before 7.0.6 allow remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted call to (1) getFromIndex or (2) getFromName in the ZipArchive class.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| php | php | >= 7.0.0 < 7.0.6 | 7.0.6 |
| php5 | php5 | >= 0 < 5.5.9+dfsg-1ubuntu4.17 | 5.5.9+dfsg-1ubuntu4.17 |

Detection & IOCs (extracted from sources)

url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39742.zip
url: https://github.com/dyntopia/exploits/tree/master/CVE-2016-3078
  • Monitor PHP applications invoking ZipArchive::getFromIndex() or ZipArchive::getFromName() with attacker-controlled zip files, particularly on 32-bit PHP 7.x systems where integer wrap of uncomp_size can trigger a heap overflow.
  • Alert on PHP-FPM processes (php-fpm 7.0.x on i686/32-bit) crashing or spawning unexpected child processes after processing uploaded zip archives, consistent with heap overflow exploitation.
  • The heap overflow is only reliably exploitable on 32-bit PHP 7.x builds; on 64-bit systems zip_fread() catches the wrapped size via the ZIP_INT64_MAX guard and returns an error instead of overflowing.
  • All Red Hat Enterprise Linux packages (php, php53, php54-php, php55-php, rh-php56-php) are listed as Not Affected, so RHEL-based detections should focus on upstream PHP 7.0.x deployments only.
  • The vulnerability is fixed in PHP 7.0.6; systems running PHP >= 7.0.6 are not vulnerable and detections should be scoped to PHP 7.0.0–7.0.5.

CVSS provenance

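| Source | CVSS version | Score | Severity | Vector |
|--------|--------------|-------|----------|--------|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |
| vendor_ubuntu | | 7.3 | HIGH | |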