tenable:105771 · PHP 5.6.x < 5.6.33 Multiple Vulnerabilities

01 · The Real Story

This is a loose screen door, not a blown-open vault door

Tenable plugin 105771 is flagging upstream PHP versions earlier than 5.6.33, which fixed two issues in this release train: CVE-2018-5711, an infinite-loop bug in GD image parsing when an application feeds attacker-controlled GIF data into functions like imagecreatefromgif(), and CVE-2018-5712, a reflected XSS on the PHAR 404 error page when a request for a .phar file is reflected back to a user. Upstream affected ranges were 5.6.x < 5.6.33, 7.0.x < 7.0.27, 7.1.x < 7.1.13, and 7.2.x < 7.2.1.

The vendor's MEDIUM label is fair in a vacuum, but reality is narrower. The higher-scored issue is *user-interaction-dependent reflected XSS*; the other is an *application-mediated DoS* that only matters if your app accepts attacker-controlled GIFs and routes them through GD. Add Tenable's own warning that detection is based only on the server banner, plus the very real chance of distro backports, and this drops into backlog-hygiene territory for most enterprises.

"This is mostly a click-to-XSS or app-mediated DoS problem, not a mass-compromise PHP emergency"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a reachable PHP surface

The attacker first needs a web path backed by the vulnerable PHP runtime. For the XSS branch, they specifically need a route where a request for a .phar path can trigger PHP's PHAR 404 handling; for the DoS branch, they need an application workflow that hands attacker-controlled GIF content to GD functions such as imagecreatefromgif() or imagecreatefromstring().

Conditions required:

Public or internal HTTP reachability to the PHP application
A vulnerable upstream PHP branch or an unbackported package
Either PHAR-related request handling or GD-based image parsing exposed through the application

Where this breaks in practice:

Many enterprises never expose .phar request paths in normal workflows
Many apps do not use GD on untrusted GIF input
Reverse proxies, app routing, and custom 404 handlers often prevent the stock PHAR error path from surfacing

Detection/coverage: Nessus plugin 105771 is version/banner-based only; it does not verify exploitability on-path.

STEP 02

Weaponize the reachable feature

For CVE-2018-5712, the attacker crafts a URL that causes the vulnerable PHAR 404 page to reflect attacker input. For CVE-2018-5711, they provide a malformed GIF designed to trap GD in an infinite loop during server-side processing.

Conditions required:

XSS branch: reflection reaches a browser-visible response
DoS branch: the application actually parses the supplied GIF with vulnerable GD code

Where this breaks in practice:

XSS requires a browser-facing victim path, not just raw server reachability
DoS requires application logic the attacker does not always control
Image validation, transcoding, or asynchronous processing can break the GIF path

Detection/coverage: WAFs may catch obvious reflected payloads; file-sandboxing or image validation pipelines may reject malformed GIFs before PHP touches them.

STEP 03

Land execution or impact

The XSS branch only pays off if a user with an active session follows the crafted URL and the browser executes the reflected script. The GIF branch does not produce code execution from these sources; the practical impact is service degradation or a hung PHP worker handling the malicious file.

Conditions required:

XSS branch: a victim must click or be redirected to the URL
DoS branch: the crafted file must be processed synchronously enough to matter operationally

Where this breaks in practice:

User interaction is mandatory for the XSS path
HttpOnly, SameSite, CSP, and app session design all limit what XSS can actually steal or do
Worker pools and request timeouts often contain a single hung request

Detection/coverage: Browser telemetry, WAF logs, CSP violation reports, and PHP-FPM slow logs can show the XSS or stuck-image-processing path.

STEP 04

Translate it into business damage

At the end of the chain, the likely outcomes are limited: session riding or limited browser-side abuse from the reflected XSS, or localized availability loss from malformed GIF handling. This is not an unauthenticated server-side RCE path from the evidence reviewed.

Conditions required:

A privileged victim session for the XSS branch, or a performance-sensitive image-processing workload for the DoS branch

Where this breaks in practice:

No source reviewed showed broad weaponization or active exploitation
No KEV listing means there is no authoritative current signal that attackers care about this pair
Blast radius is usually one session or one worker/request path, not whole-host takeover

Detection/coverage: EDR is mostly irrelevant here; focus on web logs, CSP reports, PHP-FPM worker saturation, and application error telemetry.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No active-exploitation signal found in the reviewed sources. The current CISA KEV catalog does not list `CVE-2018-5711` or `CVE-2018-5712`.
Proof-of-concept availability	Public bug trackers and patches exist at PHP bug `#75571` and `#74782`. Tenable explicitly says `Exploit Ease: No known exploits are available` for plugin `105771`.
EPSS	`CVE-2018-5711` shows a low exploit-likelihood signal: 0.31% EPSS, 66.4th percentile in search results reflecting FIRST data. No higher-priority exploit signal was found for this pair.
KEV status	Not KEV-listed as of 2026-05-31 based on a direct check of the CISA KEV catalog and CVE-specific searches.
CVSS vector and meaning	Tenable keys the plugin to `CVE-2018-5712` with `CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` (6.1 / Medium): remote and unauthenticated, but user interaction is required. `CVE-2018-5711` is weaker in practice: a crafted GIF can cause availability impact during GD parsing.
Affected versions	Upstream affected ranges are `PHP < 5.6.33`, `7.0.x < 7.0.27`, `7.1.x < 7.1.13`, and `7.2.x < 7.2.1`.
Fixed versions	Upstream fix is `5.6.33`. Distro backports exist: Ubuntu fixed affected PHP packages in `USN-3566-1`; Red Hat shipped `rh-php70-php 7.0.27` in `RHSA-2018:1296`; Amazon Linux fixed `php56/php70/php71` in `ALAS-2018-946`.
Scanner / exposure reality	This finding is banner/version-based only. Tenable states it did not test exploitation. That means backported distro builds are a real false-positive risk until you verify package provenance locally.
Disclosure dates	PHP `5.6.33` was released on 2018-01-04 as a security release; NVD shows both CVEs published on 2018-01-16.
Reporter / source component	The fixes are tied to PHP bug tracker entries `#75571` (GD infinite loop) and `#74782` (PHAR 404 reflected XSS), maintained through the upstream PHP project.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to LOW (3.4/10)

The decisive factor is that the realistic attack chains are narrow: the headline path is reflected XSS that requires a victim click, while the alternate path is an application-dependent GIF parsing DoS rather than host compromise. On top of that, the Tenable check is banner-only, so some percentage of your findings will be package-backport noise rather than truly vulnerable runtimes.

HIGH Attack-path friction assessment

MEDIUM Population-level exposure estimate for PHAR 404 reachability and GD-on-untrusted-GIF usage

Why this verdict

Down from the vendor baseline because the top-scored branch is click-dependent. CVE-2018-5712 is UI:R, so it is not a one-packet server compromise; it needs a user to follow a crafted URL.
Down again because the vulnerable feature exposure is narrow. The XSS needs PHAR 404 behavior to be reachable through real app routing, and the DoS needs an application to parse attacker-controlled GIF data with GD.
Down again because blast radius is modest. The reviewed sources support reflected XSS or localized availability impact, not unauthenticated server-side RCE or durable host takeover.
Down again because scanner certainty is limited. Tenable says the plugin relies on self-reported version banners and does not actually test the flaw, which matters a lot on distro-packaged PHP with backports.
Not ignored because it is still remotely triggerable in the right app shape. If you do expose .phar request handling or parse untrusted GIFs at scale, there is real exploitability at the application tier.

Why not higher?

There is no reviewed evidence of active exploitation, KEV inclusion, or a practical unauthenticated RCE path. Every meaningful branch needs extra conditions that sharply narrow who can reach it and what they get out of it.

Why not lower?

This is still a genuine security fix in a widely deployed runtime, and the XSS issue is remote and unauthenticated if the endpoint is reachable. If a business-critical admin user can be lured to the crafted PHAR path, the result can still be session abuse in the application.

05 · Compensating Control

What to do — in priority order.

Block direct .phar web requests — Deny or reroute requests for .phar paths at the reverse proxy or web server so the PHAR 404 reflection path never reaches users. For a LOW verdict there is no SLA; treat this as backlog hygiene and deploy during routine hardening.
Enforce CSP and cookie hardening — Use a restrictive Content-Security-Policy, plus HttpOnly, Secure, and SameSite session cookies, to shrink what any reflected XSS can steal or execute. For a LOW verdict there is no SLA; fold it into your normal web-security baseline work.
Sanitize image ingestion — Validate, transcode, or sandbox untrusted GIF uploads before PHP/GD processes them so malformed images never hit the vulnerable parser path. For a LOW verdict there is no SLA; schedule it as application hardening.
Verify package provenance before escalating — Because the Nessus plugin is banner-based, confirm whether the host is running upstream PHP or a distro-backported build before burning change windows. For a LOW verdict there is no SLA; do this during normal triage.

What doesn't work

Hiding the X-Powered-By header alone does not fix the bugs; it only reduces easy fingerprinting.
EDR on the web server is not the primary control here; browser-side XSS and app-level image parsing are better addressed with web controls, CSP, and input handling.
Generic network segmentation does little for the XSS branch if the vulnerable app is already reachable by the intended users.

06 · Verification

Crowdsourced verification payload.

Run this on the target host, container, or build artifact that actually provides the PHP runtime. Invoke it as python3 check_php_2018_571x.py /usr/bin/php or just python3 check_php_2018_571x.py if php is on PATH; no elevated privileges are required unless the PHP binary is restricted. This checks the local runtime version against the upstream fixed ranges and returns UNKNOWN when distro packaging may be masking backports.

noisgate-verify.py

PYTHONREAD-ONLYSAFE

#!/usr/bin/env python3
# check_php_2018_571x.py
# Verifies whether the local PHP runtime falls into the upstream-affected
# ranges for CVE-2018-5711 / CVE-2018-5712.
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN

import os
import re
import sys
import shutil
import subprocess

EXIT_PATCHED = 0
EXIT_VULNERABLE = 1
EXIT_UNKNOWN = 2

AFFECTED = {
    (5, 6): (5, 6, 33),
    (7, 0): (7, 0, 27),
    (7, 1): (7, 1, 13),
    (7, 2): (7, 2, 1),
}

DISTRO_HINTS = ("ubuntu", "deb", "el", "fc", "amzn", "suse", "alpine")


def find_php(argv_path=None):
    if argv_path:
        return argv_path
    php = shutil.which("php")
    return php


def get_php_version(php_bin):
    try:
        out = subprocess.check_output(
            [php_bin, "-r", "echo PHP_VERSION;"],
            stderr=subprocess.STDOUT,
            text=True,
            timeout=10,
        ).strip()
        return out
    except Exception:
        return None


def parse_version(raw):
    if not raw:
        return None
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", raw)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def has_distro_suffix(raw):
    lower = raw.lower()
    if "-" in raw:
        return True
    return any(h in lower for h in DISTRO_HINTS)


def main():
    php_bin = find_php(sys.argv[1] if len(sys.argv) > 1 else None)
    if not php_bin or not os.path.exists(php_bin):
        print("UNKNOWN: php binary not found")
        sys.exit(EXIT_UNKNOWN)

    raw = get_php_version(php_bin)
    parsed = parse_version(raw)

    if not raw or not parsed:
        print("UNKNOWN: unable to determine PHP version")
        sys.exit(EXIT_UNKNOWN)

    major_minor = parsed[:2]

    # Versions newer than the affected upstream trains are considered patched
    # for these specific CVEs.
    if major_minor not in AFFECTED:
        if parsed >= (7, 3, 0):
            print(f"PATCHED: PHP {raw} is outside the affected release trains")
            sys.exit(EXIT_PATCHED)
        else:
            print(f"UNKNOWN: PHP {raw} is outside this script's direct comparison scope")
            sys.exit(EXIT_UNKNOWN)

    fixed = AFFECTED[major_minor]

    # If a distro-style suffix is present on an apparently vulnerable version,
    # treat as UNKNOWN because backports may exist even when the upstream
    # semantic version looks old.
    if parsed < fixed and has_distro_suffix(raw):
        print(
            f"UNKNOWN: PHP {raw} appears older than upstream fix {fixed[0]}.{fixed[1]}.{fixed[2]}, "
            "but distro/backport packaging may apply"
        )
        sys.exit(EXIT_UNKNOWN)

    if parsed < fixed:
        print(
            f"VULNERABLE: PHP {raw} is in an upstream-affected range; fixed at {fixed[0]}.{fixed[1]}.{fixed[2]}"
        )
        sys.exit(EXIT_VULNERABLE)

    print(f"PATCHED: PHP {raw} meets or exceeds upstream fix level {fixed[0]}.{fixed[1]}.{fixed[2]}")
    sys.exit(EXIT_PATCHED)


if __name__ == "__main__":
    main()

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: do not treat plugin 105771 like an emergency fleet-wide fire drill unless the affected app is both user-facing and demonstrably exposes PHAR 404 behavior or parses untrusted GIFs with GD. Because this is a LOW reassessment, there is no noisgate mitigation SLA and no noisgate remediation SLA here beyond backlog hygiene; validate whether the host is a real upstream 5.6.32-style runtime versus a backported distro package, then fold patching into your normal legacy-PHP maintenance stream. Separately, use this finding as leverage to retire PHP 5.6, which has been upstream EOL since 2018-12-31 and carries broader unsupported-runtime risk beyond this one plugin.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.