CVE-2018-5712
Published: 2018-01-16
Priority: P3 (43) · CVSS 3.0: 6.1 (medium)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 79.95% (99.6th percentile)
An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.
Affected (20 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| php | php | < 5.6.36 | 5.6.36 |
| php | php | <= 5.6.32 | — |
| php | php | <= 7.1.12 | — |
| php | php | — | — |
| php | php | >= 7.0.0 < 7.0.30 | 7.0.30 |
| php | php | 7.0.0 – 7.0.26 | — |
| php | php | >= 7.1.0 < 7.1.17 | 7.1.17 |
| php | php | >= 7.2.0 < 7.2.5 | 7.2.5 |
| php5 | php5 | >= 0 < 5.6.36-r0 | 5.6.36-r0 |
| php5 | php5 | >= 0 < 5.6.36-r0 | 5.6.36-r0 |
| php5 | php5 | >= 0 < 5.5.9+dfsg-1ubuntu4.23 | 5.5.9+dfsg-1ubuntu4.23 |
| php5 | php5 | >= 0 < 5.5.9+dfsg-1ubuntu4.24 | 5.5.9+dfsg-1ubuntu4.24 |
Detection & IOCs
- Reflected XSS is triggered via the URI of a request for a .phar file, specifically on the PHAR 404 error page: monitor/alert on requests to .phar files that include script-injection payloads in the URI.
- The vulnerable code resides in ext/phar/phar_object.c: patch validation or file-integrity checks should target this source file.
- The incomplete fix for CVE-2018-5712 also left PHAR 403 error pages vulnerable: detection logic should cover both 403 and 404 PHAR error responses for XSS payloads in request data.
- Affected PHP versions for CVE-2018-5712: before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1; the initial fix was incomplete and CVE-2018-10547 covers the bypass.
- Red Hat Enterprise Linux 5 (php) and RHEL 8 are listed as Not Affected; php53 on RHEL 5, php on RHEL 6, and rh-php56-php in Red Hat Software Collections are 'Will not fix', so do not rely on vendor patches for these platforms.
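As an added detection example (not code from this page or from the PHP project), the heuristic in the bullets above is run over a few constructed access-log lines: flag 403/404 responses to .phar paths whose decoded URI carries markup. The Apache combined log layout, the `.phar` path test and the markup pattern are assumptions.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" access-log layout (assumed); only needed fields are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Markup that has no business in the path or query of a .phar request.
# Heuristic only: "on\w+=" can also match benign parameter names.
SUSPICIOUS = re.compile(r'[<>"\']|javascript:|\bon\w+\s*=', re.IGNORECASE)

def is_phar_request(uri):
    """True when the request targets a .phar archive or a path inside one."""
    path = uri.split('?', 1)[0].lower()
    return path.endswith('.phar') or '.phar/' in path

def check_line(line):
    """Return a finding for a suspicious PHAR 403/404 request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    status = int(m.group('status'))
    if status not in (403, 404) or not is_phar_request(m.group('uri')):
        return None
    # Decode twice so %253C-style double encoding is still inspected.
    decoded = unquote(unquote(m.group('uri')))
    if not SUSPICIOUS.search(decoded):
        return None
    return {'ip': m.group('ip'), 'status': status, 'uri': decoded}

def scan(lines):
    """Run check_line over an iterable of log lines and return all findings."""
    return [f for f in (check_line(l) for l in lines) if f]

# Constructed sample lines (not real traffic): one 404 and one 403 PHAR error
# response carrying markup, plus two benign requests that must not alert.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Jan/2018:10:00:01 +0000] "GET /app.phar/%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 404 512',
    '203.0.113.6 - - [16/Jan/2018:10:00:02 +0000] "GET /app.phar/index.php HTTP/1.1" 200 2048',
    '203.0.113.7 - - [16/Jan/2018:10:00:03 +0000] "GET /app.phar/.phar/stub?x=%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E HTTP/1.1" 403 301',
    '203.0.113.8 - - [16/Jan/2018:10:00:04 +0000] "GET /missing.html HTTP/1.1" 404 210',
]

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"ALERT {f['ip']} {f['status']} {f['uri']}")
```

Running the block prints two alerts, one for the 404 line and one for the 403 line; the benign lines are silent.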
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
| vendor_oracle | — | 6.1 | MEDIUM | — |
| vendor_redhat | — | 6.1 | MEDIUM | — |
Oracle
CVE-2018-5712 [MEDIUM] Oracle Secure Backup Risk Matrix: PHP — CVE-2018-5712
vendor_oracle · 2020-04-15 · CVSS 6.1
CVE: CVE-2018-5712
CVSS: 6.1
Protocol: HTTPS
Remote exploit: Yes
Affected versions: Network
Advisory: cpuapr2020 (APR 2020)
Ubuntu
CVE-2018-5712 [MEDIUM] PHP vulnerabilities
vendor_ubuntu · 2018-05-15 · CVSS 6.1
Summary: Several security issues were fixed in PHP.
USN-3600-1 fixed a vulnerability in PHP. This update provides the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
It was discovered that PHP incorrectly handled the PHAR 404 error page. A remote attacker could possibly use this issue to conduct cross-site scripting (XSS) attacks. (CVE-2018-5712)
It was discovered that PHP incorrectly handled parsing certain HTTP responses. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2018-7584)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
CVE-2018-10547 [MEDIUM] CWE-79 php: Reflected XSS vulnerability on PHAR 403 and 404 error pages
vendor_redhat · 2018-04-26 · CVSS 6.1
An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712.
Package: php (Red Hat Enterprise Linux 5) - Not affected
Package: php53 (Red Hat Enterprise Linux 5) - Will not fix
Package: php (Red Hat Enterprise Linux 6) - Will not fix
Package: php (Red Hat Enterprise Linux 8) - Not affected
Package: rh-php70-php (Red Hat Software Collections) - Will not fix
Ubuntu
CVE-2016-10712 [HIGH] PHP vulnerabilities
vendor_ubuntu · 2018-03-19 · CVSS 7.5
Summary: Several security issues were fixed in PHP.
It was discovered that PHP incorrectly handled certain stream metadata. A remote attacker could possibly use this issue to set arbitrary metadata. This issue only affected Ubuntu 14.04 LTS. (CVE-2016-10712)
It was discovered that PHP incorrectly handled the PHAR 404 error page. A remote attacker could possibly use this issue to conduct cross-site scripting (XSS) attacks. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2018-5712)
It was discovered that PHP incorrectly handled parsing certain HTTP responses. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2018-7584)
Instructions: In Ubuntu 16.04 LTS and U
Ubuntu
CVE-2017-12933 [CRITICAL] PHP vulnerabilities
vendor_ubuntu · 2018-02-12 · CVSS 9.8
Summary: Several security issues were fixed in PHP.
It was discovered that PHP incorrectly handled the PHAR 404 error page. A remote attacker could possibly use this issue to conduct cross-site scripting (XSS) attacks. (CVE-2018-5712)
It was discovered that PHP incorrectly handled memory when unserializing certain data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2017-12933)
It was discovered that PHP incorrectly handled 'front of' and 'back of' date directives. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2017-16642)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
CVE-2018-5712 [MEDIUM] php: Reflected XSS on PHAR 404 page
vendor_redhat · 2017-06-19 · CVSS 6.1
An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.
Package: php (Red Hat Enterprise Linux 5) - Not affected
Package: php53 (Red Hat Enterprise Linux 5) - Will not fix
Package: php (Red Hat Enterprise Linux 6) - Will not fix
Package: php (Red Hat Enterprise Linux 8) - Not affected
Package: rh-php56-php (Red Hat Software Collections) - Will not fix
GHSA
CVE-2018-10547 [MEDIUM] CWE-79 GHSA-phvf-v525-xwq3: An issue was discovered in ext/phar/phar_object
ghsa_unreviewed · 2022-05-14 · CVSS 6.1
An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712.
GHSA
CVE-2018-5712 [MEDIUM] CWE-79 GHSA-p569-737x-7h7p: An issue was discovered in PHP before 5
ghsa_unreviewed · 2022-05-14
An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.
OSV
CVE-2018-10547 [MEDIUM] CVE-2018-10547: An issue was discovered in ext/phar/phar_object
osv · 2018-04-29 · CVSS 6.1
An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712.
OSV
CVE-2016-10712 [HIGH] php5, php7.0, php7.1 vulnerabilities
osv · 2018-03-19 · CVSS 7.5
It was discovered that PHP incorrectly handled certain stream metadata. A remote attacker could possibly use this issue to set arbitrary metadata. This issue only affected Ubuntu 14.04 LTS. (CVE-2016-10712)
It was discovered that PHP incorrectly handled the PHAR 404 error page. A remote attacker could possibly use this issue to conduct cross-site scripting (XSS) attacks. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2018-5712)
It was discovered that PHP incorrectly handled parsing certain HTTP responses. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2018-7584)
OSV
CVE-2018-5712 [CRITICAL] php5 vulnerabilities
osv · 2018-02-12 · CVSS 9.8
It was discovered that PHP incorrectly handled the PHAR 404 error page. A remote attacker could possibly use this issue to conduct cross-site scripting (XSS) attacks. (CVE-2018-5712)
It was discovered that PHP incorrectly handled memory when unserializing certain data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2017-12933)
It was discovered that PHP incorrectly handled 'front of' and 'back of' date directives. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2017-16642)
OSV
CVE-2018-5712 [MEDIUM] CVE-2018-5712: An issue was discovered in PHP before 5
osv · 2018-01-16 · CVSS 6.1
An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-10547 [MEDIUM] CVE-2018-10547 php: Reflected XSS vulnerability on PHAR 403 and 404 error pages
bugzilla · 2018-05-02 · CVSS 6.1
An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712.
Upstream bug:
https://bugs.php.net/bug.php?id=76129
Upstream patch:
https://git.php.net/?p=php-src.git;a=commit;h=6e64aba47f4e41d97c4d010024c68320c0855f45
Discussion:
Created php tracking bugs for this issue:
Affects: fedora-all [bug 1573816]
---
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Col
Bugzilla
CVE-2018-5712 [MEDIUM] CVE-2018-5712 php: reflected XSS in .phar 404 page [fedora-all]
bugzilla · 2018-01-17 · CVSS 6.1
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. Wh
Bugzilla
CVE-2018-5712 [MEDIUM] CVE-2018-5712 php: Reflected XSS on PHAR 404 page
bugzilla · 2018-01-16 · CVSS 6.1
A flaw was found in PHP: when creating a .phar file and configuring Apache to handle phar files using PHP, accessing an invalid page causes the page name to be reflected back to the user in the 404 response. This user input is not being sanitized and therefore it is vulnerable to a reflected XSS, making every site configured to run .phar files using PHP vulnerable.
References:
https://bugs.php.net/bug.php?id=74782
Patch:
https://gist.github.com/anonymous/70d2f6bac8db576d6386bd79c1e6e081
Discussion:
Wrong patch link on #c0, the correct one is:
http://git.php.net/?p=php-src.git;a=commit;h=4e3f55c36272a5f29b50e1924b78e9db1b23f214
---
Created php tracking bugs for this issue:
Affects: fedora-all [bug 153568
References:
- http://php.net/ChangeLog-5.php
- http://php.net/ChangeLog-7.php
- http://www.securityfocus.com/bid/102742
- http://www.securityfocus.com/bid/104020
- http://www.securitytracker.com/id/1040363
- https://access.redhat.com/errata/RHSA-2018:1296
- https://access.redhat.com/errata/RHSA-2019:2519
- https://bugs.php.net/bug.php?id=74782
- https://lists.debian.org/debian-lts-announce/2018/01/msg00025.html
- https://usn.ubuntu.com/3566-1/
- https://usn.ubuntu.com/3600-1/
- https://usn.ubuntu.com/3600-2/
- https://www.oracle.com/security-alerts/cpuapr2020.html