PHP 'openssl_encrypt()' Function Information Disclosure Vulnerability (Windows)

Published: 2013-01-24 11:09:00
CVE Author: NIST National Vulnerability Database (NVD)

CVSS Base Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact:
Successful exploitation allows remote attackers to obtain sensitive information from process memory by supplying an empty (zero-byte) $data string to 'openssl_encrypt()'.

Affected Versions:
PHP version 5.3.9 through 5.3.13 on Windows

Technical Details:
The flaw is caused by an error in the 'openssl_encrypt()' function when it handles an empty $data string; instead of failing or returning an empty result, the call can return arbitrary bytes from the process's current memory, which an attacker can then read.
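As an added example (not code from the advisory or from PHP itself), the following PHP stopgap guards an application that must keep running on an unpatched build until the upgrade in the references is applied: one function reports whether the interpreter falls in the affected range the advisory states, and a wrapper refuses to pass an empty $data string to 'openssl_encrypt()', since that is the trigger. The key and IV are constructed placeholders.

```php
<?php
// Added example, not part of the advisory or of PHP's own code.

// Reports whether the running interpreter is in the affected range
// stated in the advisory: PHP 5.3.9 through 5.3.13 on Windows.
function php_affected_by_cve_2012_6113() {
    $on_windows = strncasecmp(PHP_OS, 'WIN', 3) === 0;
    $in_range = version_compare(PHP_VERSION, '5.3.9', '>=')
             && version_compare(PHP_VERSION, '5.3.13', '<=');
    return $on_windows && $in_range;
}

// Wrapper around openssl_encrypt() that never hands the library an empty
// $data string. Encrypting "nothing" is treated as a caller error here;
// an application that really needs that case must decide it explicitly.
function encrypt_nonempty($data, $method, $key, $iv) {
    if ($data === '') {
        throw new InvalidArgumentException(
            'refusing to encrypt an empty string (CVE-2012-6113 trigger)');
    }
    $ciphertext = openssl_encrypt($data, $method, $key, OPENSSL_RAW_DATA, $iv);
    if ($ciphertext === false) {
        throw new RuntimeException(
            'openssl_encrypt() failed: ' . openssl_error_string());
    }
    return $ciphertext;
}

// Constructed sample input for a local run; placeholder key and IV only.
$key = str_repeat('k', 32);   // 256-bit placeholder key, not for real use
$iv  = str_repeat('i', 16);   // 128-bit placeholder IV, not for real use

if (php_affected_by_cve_2012_6113()) {
    error_log('PHP build is in the CVE-2012-6113 affected range; upgrade.');
}
echo bin2hex(encrypt_nonempty('hello', 'aes-256-cbc', $key, $iv)), "\n";
```

The wrapper removes the trigger but not the underlying bug; the fix commit in the references, or an upgrade past 5.3.13, remains the actual remediation.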

Summary:
This host is installed with PHP and is prone to an information disclosure vulnerability.

Recommendations:
Apply the patch or upgrade to the latest version from the references. ***** NOTE: Ignore this warning if the above-mentioned patch has been applied manually. *****

Detection Type:
Remote Banner

Solution Type:
Vendor Patch

NIST (National Institute of Standards and Technology) NVD (National Vulnerability Database)

https://nvd.nist.gov/vuln/detail/CVE-2012-6113

SecurityFocus Bugtraq ID:

https://www.securityfocus.com/bid/57462

References:

http://www.php.net/downloads.php
https://bugs.php.net/bug.php?id=61413
http://xforce.iss.net/xforce/xfdb/81400
http://git.php.net/?p=php-src.git;a=commitdiff;h=270a406ac94b5fc5cc9ef59fc61e3b4b95648a3e

Severity:
Medium

CVSS Score:
5.0
