Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2018-2024 and is owned by Tenable, Inc. or an Affiliate thereof.PHP_7_2_13.NASL
HistoryDec 19, 2018 - 12:00 a.m.

PHP 7.2.x < 7.2.13 Multiple vulnerabilities

2018-12-1900:00:00
This script is Copyright (C) 2018-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
622

CVSS2

8.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:S/C:C/I:C/A:C

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.4

Confidence

High

EPSS

0.969

Percentile

99.7%

JSON

According to its banner, the version of PHP running on the remote web server is 7.2.x prior to 7.2.13. It is, therefore, affected by multiple vulnerabilities:

  • An arbitrary command injection vulnerability exists in the imap_open function due to improper filters for mailbox names prior to passing them to rsh or ssh commands. An authenticated, remote attacker can exploit this by sending a specially crafted IMAP server name to cause the execution of arbitrary commands on the target system. (CVE-2018-19518)

  • A heap buffer over-read exists in the phar_parse_pharfile function.
    An unauthenticated, remote attacker can exploit this to read allocated or unallocated memory past the actual data when trying to parse a .phar file. (CVE-2018-20783)

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(119766);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/31");

  script_cve_id("CVE-2018-19518", "CVE-2018-20783");
  script_bugtraq_id(106018, 107121);

  script_name(english:"PHP 7.2.x < 7.2.13 Multiple vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"An application installed on the remote host is affected by 
 multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of PHP running on the remote web
server is 7.2.x prior to 7.2.13. It is, therefore, affected by
multiple vulnerabilities:

  - An arbitrary command injection vulnerability exists in the
  imap_open function due to improper filters for mailbox names prior
  to passing them to rsh or ssh commands. An authenticated, remote
  attacker can exploit this by sending a specially crafted IMAP server
  name to cause the execution of arbitrary commands on the target
  system. (CVE-2018-19518)

  - A heap buffer over-read exists in the phar_parse_pharfile function.
  An unauthenticated, remote attacker can exploit this to read
  allocated or unallocated memory past the actual data when trying to 
  parse a .phar file. (CVE-2018-20783)");
  script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-7.php#7.2.13");
  script_set_attribute(attribute:"solution", value:
"Upgrade to PHP version 7.2.13 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-19518");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2018-20783");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'php imap_open Remote Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/11/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/12/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/19");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2018-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("php_version.nasl");
  script_require_keys("www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");

port = get_http_port(default:80, php:TRUE);

php = get_php_from_kb(
  port : port,
  exit_on_fail : TRUE
);

version = php["ver"];
source = php["src"];

backported = get_kb_item('www/php/'+port+'/'+version+'/backported');

if (report_paranoia < 2 && backported)
  audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install");

# Check that it is the correct version of PHP
if (version =~ "^7(\.2)?$") audit(AUDIT_VER_NOT_GRANULAR, "PHP", port, version);
if (version !~ "^7\.2\.") audit(AUDIT_NOT_DETECT, "PHP version 7.2.x", port);

fix = "7.2.13";
if (ver_compare(ver:version, fix:fix, strict:FALSE) < 0)
{
  report =
    '\n  Version source    : ' + source +
    '\n  Installed version : ' + version +
    '\n  Fixed version     : ' + fix +
    '\n';
  security_report_v4(port:port, extra:report, severity:SECURITY_HOLE );
}
else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);
VendorProductVersionCPE
phpphpcpe:/a:php:php

Related

nessus 52
osv 9
openvas 33
prion 3
debian 4
attackerkb 1
redhatcve 3
checkpoint_advisories 1
ibm 3
mageia 1
nvd 4
ubuntu 2
veracode 2
suse 6
debiancve 3
wallarmlab 1
exploitdb 1
cve 4
ubuntucve 3
cvelist 3
alpinelinux 3
hackerone 1
f5 2
fedora 2
metasploit 1
amazon 1
gentoo 1
oraclelinux 1
redhat 3
almalinux 1
rocky 1
rosalinux 1
nessus
nessus
PHP 7.1.x < 7.1.25 Multiple vulnerabilities
2018-12-19 00:00:00
PHP 7.0.x < 7.0.33 Multiple vulnerabilities
2019-03-13 00:00:00
PHP 7.1.x < 7.1.25 Multiple vulnerabilities
2019-01-31 00:00:00
osv
osv
php5 - security update
2018-12-16 00:00:00
uw-imap - security update
2021-12-29 00:00:00
CVE-2018-19518
2018-11-25 10:29:00
openvas
openvas
PHP Multiple Vulnerabilities (Dec 2018) - Linux
2018-12-11 00:00:00
Debian: Security Advisory (DLA-1608-1)
2018-12-17 00:00:00
PHP Multiple Vulnerabilities (Dec 2018) - Windows
2018-12-11 00:00:00
prion
prion
Input validation
2018-11-25 10:29:00
Design/Logic Flaw
2019-02-21 19:29:00
Heap overflow
2019-02-22 23:29:00
debian
debian
[SECURITY] [DLA 2866-1] uw-imap security update
2021-12-29 17:12:17
[SECURITY] [DLA 1700-1] uw-imap security update
2019-03-01 13:26:16
[SECURITY] [DLA 1608-1] php5 security update
2018-12-17 01:56:08
attackerkb
attackerkb
CVE-2018-19518
2018-11-25 00:00:00
redhatcve
redhatcve
CVE-2018-19518
2018-11-28 10:19:59
CVE-2018-20783
2020-01-19 09:40:43
CVE-2019-9021
2019-10-29 04:03:55
checkpoint_advisories
checkpoint_advisories
PHP IMAP imap_open Command Injection (CVE-2018-19518)
2022-11-17 00:00:00
ibm
ibm
Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerability in PHP (CVE-2018-19518)
2020-01-08 21:42:21
Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerability in PHP.
2023-12-07 22:45:07
Security Bulletin: API Connect's Developer Portal is impacted by vulnerabilities in PHP
2020-03-03 02:43:43
mageia
mageia
Updated php packages fix security vulnerability
2018-12-20 23:17:27
nvd
nvd
CVE-2018-19518
2018-11-25 10:29:00
CVE-2018-20783
2019-02-21 19:29:00
CVE-2018-1000859
2018-12-06 17:15:08
ubuntu
ubuntu
UW IMAP vulnerability
2019-10-21 00:00:00
PHP vulnerabilities
2019-05-22 00:00:00
veracode
veracode
Remote Code Execution (RCE)
2020-09-21 06:25:14
Information Disclosure
2019-08-20 00:10:41
suse
suse
Recommended update for php5 (moderate)
2018-12-08 00:19:13
Recommended update for php7 (moderate)
2018-12-08 00:11:09
Security update for php5 (moderate)
2019-04-23 00:00:00
debiancve
debiancve
CVE-2018-19518
2018-11-25 10:29:00
CVE-2018-20783
2019-02-21 19:29:00
CVE-2019-9021
2019-02-22 23:29:00
wallarmlab
wallarmlab
RCE in PHP or how to bypass disable_functions in PHP installations
2018-12-06 17:32:24
exploitdb
exploitdb
PHP imap_open - Remote Code Execution (Metasploit)
2018-11-29 00:00:00
cve
cve
CVE-2018-19518
2018-11-25 10:29:00
CVE-2018-20783
2019-02-21 19:29:00
CVE-2018-1000859
2022-10-03 16:21:59
ubuntucve
ubuntucve
CVE-2018-19518
2018-11-25 00:00:00
CVE-2018-20783
2019-02-21 00:00:00
CVE-2019-9021
2019-02-22 00:00:00
cvelist
cvelist
CVE-2018-19518
2018-11-25 10:00:00
CVE-2018-20783
2019-02-21 19:00:00
CVE-2019-9021
2019-02-22 23:00:00
alpinelinux
alpinelinux
CVE-2018-19518
2018-11-25 10:29:00
CVE-2018-20783
2019-02-21 19:29:00
CVE-2019-9021
2019-02-22 23:29:00
hackerone
hackerone
Internet Bug Bounty: Heap Buffer Overflow (READ: 4) in phar_parse_pharfile
2019-01-09 22:03:25
f5
f5
K03544225 : PHP vulnerabilities CVE-2018-19518 and CVE-2018-19935
2019-01-08 00:00:00
K50602063 : PHP vulnerability CVE-2019-9021
2019-02-28 00:00:00
fedora
fedora
[SECURITY] Fedora 29 Update: php-7.2.13-2.fc29
2018-12-17 19:12:53
[SECURITY] Fedora 28 Update: php-7.2.13-2.fc28
2018-12-17 02:28:09
metasploit
metasploit
php imap_open Remote Code Execution
2018-11-19 02:28:19
amazon
amazon
Medium: php56, php70, php71, php72
2019-01-09 22:58:00
gentoo
gentoo
PHP: Multiple vulnerabilities
2020-03-26 00:00:00
oraclelinux
oraclelinux
php:7.2 security, bug fix, and enhancement update
2020-05-05 00:00:00
redhat
redhat
(RHSA-2020:1624) Moderate: php:7.2 security, bug fix, and enhancement update
2020-04-28 08:57:54
(RHSA-2019:3299) Critical: rh-php72-php security update
2019-11-01 12:22:19
(RHSA-2019:2519) Moderate: rh-php71-php security, bug fix, and enhancement update
2019-08-19 08:09:18
almalinux
almalinux
Moderate: php:7.2 security, bug fix, and enhancement update
2020-04-28 08:57:54
rocky
rocky
php:7.2 security, bug fix, and enhancement update
2020-04-28 08:57:54
rosalinux
rosalinux
Advisory ROSA-SA-2021-1950
2021-07-02 17:57:45

CVSS2

8.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:S/C:C/I:C/A:C

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.4

Confidence

High

EPSS

0.969

Percentile

99.7%

JSON
Related for PHP_7_2_13.NASL
nessus52osv9openvas33prion3debian4attackerkb1redhatcve3checkpoint_advisories1ibm3mageia1nvd4ubuntu2veracode2suse6debiancve3wallarmlab1exploitdb1cve4ubuntucve3cvelist3alpinelinux3hackerone1f52fedora2metasploit1amazon1gentoo1oraclelinux1redhat3almalinux1rocky1rosalinux1