CVE-2014-9427

Name of the Vulnerable Software and Affected Versions PHP versions 5.4.36 and earlier PHP versions 5.5.x through 5.5.20 PHP versions 5.6.x through 5.6.4

Description The issue is related to the CGI component in PHP, specifically in the sapi/cgi/cgi main.c file. When using mmap to read a .php file, it does not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character. This can cause an out-of-bounds read, potentially allowing remote attackers to obtain sensitive information from the php-cgi process memory by uploading a .php file. Additionally, it might trigger unexpected code execution if a valid PHP script is present in adjacent memory locations.

Recommendations For PHP versions 5.4.36 and earlier, update to a version later than 5.4.36 to resolve the issue. For PHP versions 5.5.x through 5.5.20, update to a version later than 5.5.20 to resolve the issue. For PHP versions 5.6.x through 5.6.4, update to a version later than 5.6.4 to resolve the issue.