CVE-2016-6175
Published 2017-02-07
CVE-2016-6175: Eval injection vulnerability in php-gettext 1.0.12 and earlier allows remote attackers to execute arbitrary PHP code via a crafted plural forms header.
Priority: P2 (75) · critical, 9.8 (CVSS 3.0)
Flags: EXPLOIT
EPSS: 19.66% (97.1th percentile)
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php-gettext | < 1.0.12-1 (bookworm) | php-gettext 1.0.12-1 (bookworm) |
| php-gettext_project | php-gettext | <= 1.0.12 | — |
| php-gettext_project | php-gettext | >= 0 < 1.0.12-1 | 1.0.12-1 |
Detection & IOCs (extracted from sources)
- Monitor for eval() calls in PHP processes where the input originates from a parsed MO/PO file plural forms header: the vulnerable code path passes the unsanitized $string variable directly to eval().
- Detect bypass of the preg_replace sanitizer in sanitize_plural_expression(): the regex @[^a-zA-Z0-9_:;\(\)\?\|\&=!<>+*/\%-]@ permits alphanumeric function names such as system(), allowing OS command injection through the eval() call.
- Alert on unexpected modifications to MO/PO locale files in application locale directories (e.g. the nagvis locale path), as an attacker may plant a crafted plural forms header to achieve code execution on next load.
- Look for function calls to system() or similar OS-execution functions appearing inside the plural forms header string of MO files, as these pass through the permissive character whitelist and reach eval().
- The vulnerability requires the attacker to control or tamper with a MO/PO translation file; it is not directly exploitable via a standard HTTP request unless the application exposes a file-upload or file-write path to untrusted users.
- The NagVis patch removes the plural-forms functionality entirely rather than fixing the sanitizer; deployments relying on that patch may lose plural-form translation support.
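The detection items above hinge on the difference between a character whitelist and a token grammar. As an added example (not code from php-gettext, NagVis or any source quoted on this page), the Python below applies the whitelist regex quoted above to show that an alphanumeric call survives it, then validates a Plural-Forms header against a strict grammar that accepts only integers, the variable n, C operators and balanced parentheses; the header strings and the function name in the tests are constructed.

```python
import re

# Character whitelist of the vulnerable sanitize_plural_expression() quoted above: only
# characters outside this set are stripped, so an alphanumeric function name plus
# parentheses passes through untouched and reaches eval().
WEAK_SANITIZER = re.compile(r"[^a-zA-Z0-9_:;()?|&=!<>+*/%-]")
# Strict token grammar of a gettext plural expression: non-negative integers, the single
# variable n, C comparison/arithmetic/logic operators, ternary ?: and parentheses.
TOKEN_RE = re.compile(r"(\d+|n|\|\||&&|==|!=|<=|>=|[<>%+\-*/?:()!])")
HEADER_RE = re.compile(r"^\s*nplurals\s*=\s*(\d+)\s*;\s*plural\s*=\s*(.*?)\s*;?\s*$")

def weak_sanitize(expr: str) -> str:
    """What php-gettext <= 1.0.12 did to the plural expression before eval()."""
    return WEAK_SANITIZER.sub("", expr)

def tokenize_plural(expr: str) -> list:
    """Split a plural expression into grammar tokens; raise on any foreign character."""
    tokens, pos = [], 0
    while pos < len(expr):
        if expr[pos].isspace():
            pos += 1
            continue
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"illegal token at offset {pos}: {expr[pos:pos + 12]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def check_plural_forms(header: str) -> dict:
    """Validate a Plural-Forms header value before it is ever evaluated."""
    m = HEADER_RE.match(header)
    if not m:
        return {"ok": False, "reason": "malformed nplurals/plural layout"}
    nplurals, expr = int(m.group(1)), m.group(2)
    if not 1 <= nplurals <= 10:  # real locales use 1..6; larger values are suspicious
        return {"ok": False, "reason": f"implausible nplurals={nplurals}"}
    try:
        tokens = tokenize_plural(expr)
    except ValueError as e:
        return {"ok": False, "reason": str(e)}
    depth = 0
    for tok in tokens:
        depth += (tok == "(") - (tok == ")")
        if depth < 0:
            return {"ok": False, "reason": "unbalanced ')'"}
    if depth or not tokens:
        return {"ok": False, "reason": "unbalanced '(' or empty expression"}
    return {"ok": True, "reason": "", "nplurals": nplurals, "tokens": tokens}
```

Run check_plural_forms() over the Plural-Forms value of every MO/PO file in a locale directory and alert on any result with ok set to False; a legitimate translation never needs an identifier other than n.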
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | n/a | 9.8 | CRITICAL | n/a |
| vendor_debian | n/a | 9.8 | CRITICAL | n/a |
Debian
CVE-2016-6175: php-gettext - Eval injection vulnerability in php-gettext 1.0.12 and earlier allows remote attackers to execute arbitrary PHP code via a crafted plural forms header.
vendor_debian · 2016 · CVSS 9.8 · CRITICAL
Scope: local
bookworm: resolved (fixed in 1.0.12-1)
bullseye: resolved (fixed in 1.0.12-1)
sid: resolved (fixed in 1.0.12-1)
GHSA
GHSA-6f39-vhv8-5hcw: Eval injection vulnerability in php-gettext 1.0.12 and earlier allows remote attackers to execute arbitrary PHP code via a crafted plural forms header.
ghsa_unreviewed · 2022-05-17 · CRITICAL · CWE-94
OSV
CVE-2016-6175: Eval injection vulnerability in php-gettext 1.0.12 and earlier allows remote attackers to execute arbitrary PHP code via a crafted plural forms header.
osv · 2017-02-07 · CVSS 9.8 · CRITICAL
No detection rules found.
Bugzilla
CVE-2016-6175 php-php-gettext: $string variable not sufficiently sanitized
bugzilla · 2017-01-19 · CVSS 9.8 · CRITICAL
php-gettext code that parses the plural forms header relies on eval() and only filters out some known-bad characters before passing the value from a MO file directly to eval().
References:
https://bugs.launchpad.net/php-gettext/+bug/1606184
https://kmkz-web-blog.blogspot.cz/2016/07/advisory-cve-2016-6175.html
Discussion:
Created php-php-gettext tracking bugs for this issue:
Affects: fedora-all [bug 1414685]
Affects: epel-all [bug 1414686]
---
Is there any patch available already? The NagVis fork seems to just rip out
the functionality rather than really fixing the issue...
https://github.com/NagVis/nagvis/commit/4fe8672a5aec3467da72b5852ca6d283c15adb53
---
(In reply to Robert Scheck from comment #2)
> Is the
Bugzilla
CVE-2016-6175 php-php-gettext: $string variable not sufficiently sanitized [fedora-all]
bugzilla · 2017-01-19 · CVSS 9.8 · CRITICAL
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported ve
Bugzilla
CVE-2016-6175 php-php-gettext: $string variable not sufficiently sanitized [epel-all]
bugzilla · 2017-01-19 · CVSS 9.8 · CRITICAL
References:
- https://bugs.launchpad.net/php-gettext/+bug/1606184
- https://github.com/NagVis/nagvis/commit/4fe8672a5aec3467da72b5852ca6d283c15adb53
- https://kmkz-web-blog.blogspot.cz/2016/07/advisory-cve-2016-6175.html
- https://www.exploit-db.com/exploits/40154/
Published: 2017-02-07