tenable:107216 · PHP 5.6.x < 5.6.34 Stack Buffer Overflow

01 · The Real Story

This is a booby-trapped reply, not an unlocked front door

Tenable plugin 107216 maps to CVE-2018-7584. The bug sits in PHP's HTTP response parsing path, specifically php_stream_url_wrap_http_ex() in ext/standard/http_fopen_wrapper.c. Affected upstream versions are PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2; PHP 5.6.34 is the fix point for the 5.6 branch. The trigger condition is not 'send a bad request to the web server' but 'make the vulnerable PHP runtime fetch an attacker-controlled HTTP response' via URL wrappers such as file_get_contents("http://...").

The headline CVSS/NVD view (9.8 / CRITICAL) overshoots what most enterprise defenders should prioritize. Yes, the memory-safety bug is real, and public PoC material exists, but the reachable population is much smaller than 'all internet-facing PHP'. An attacker usually needs a second bug or an application feature that lets them steer PHP into making an outbound request to an attacker-controlled server; without that, the vulnerable code path is dead. That friction downgrades this from emergency patching to targeted medium-priority cleanup, especially since public material is mainly DoS-oriented, not a field-proven reliable RCE chain.

"Technically nasty, operationally narrow: this is not a straight-to-RCE internet fire drill"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a PHP fetch gadget

The attacker first needs the application to invoke a PHP URL-wrapper fetch against a URL they control. In practice this means an SSRF primitive, a webhook/import feature, a feed reader, or application logic that calls file_get_contents(), fopen(), or similar on attacker-influenced URLs. The vulnerable component is PHP acting as an HTTP client, not the web server passively serving inbound requests.

Conditions required:

Target runs vulnerable PHP branch (<=5.6.33, <7.0.28, <=7.1.14, <=7.2.2)
PHP URL wrappers for HTTP are available
Application exposes an attacker-influenced outbound fetch path

Where this breaks in practice:

Most PHP sites do not let arbitrary unauthenticated users force server-side HTTP fetches
Many enterprises block or restrict outbound egress from app tiers
Banner-based scanners report vulnerable PHP broadly but cannot prove this fetch path is reachable

Detection/coverage: SCA/package checks catch vulnerable versions; remote network scanners usually only infer from banners and do not validate exploitability of the fetch path.

STEP 02

Serve the malformed response

Once the victim PHP runtime connects out, the attacker returns a malformed HTTP response that abuses the parser bug described in PHP bug #75981. Public weaponization references include Exploit-DB EDB-44846 by Wei Lei and Liu Yang, which demonstrates the malformed-response technique with a simple listener (nc).

Conditions required:

Attacker controls the upstream HTTP endpoint contacted by PHP
Victim request reaches attacker infrastructure without proxy normalization interfering

Where this breaks in practice:

Secure web proxies, content filters, or protocol normalization can interfere with malformed responses
Applications often fetch only trusted internal or allowlisted destinations

Detection/coverage: Network IDS may only see an odd outbound HTTP transaction; most signatures will not be specific unless you already know the app made an unusual outbound call.

STEP 03

Trigger the under-read and oversized copy

The malformed response drives a stack-based under-read in php_stream_url_wrap_http_ex(), after which PHP may copy an overly large string. The upstream fix commit is 523f230 ('prevent reading beyond buffer start'). This is the memory-corruption point where crash or worse becomes possible.

Conditions required:

Victim actually processes the malformed response through the vulnerable code path
Target runtime has not already been backport-patched by the distro vendor

Where this breaks in practice:

Some distro packages remain on older-looking version strings while carrying the fix
Modern hardening and allocator behavior can turn theoretical code-exec into a crash instead

Detection/coverage: Host logs may only show worker crashes or PHP faults; EDR can catch abnormal child-process crashes more reliably than network tooling.

STEP 04

Land impact: usually crash, maybe more

The practical public outcome is denial of service against the PHP process or worker handling the fetch. NVD and some advisories mention possible arbitrary code execution, but the public PoC corpus is not a mature internet-scale RCE ecosystem. Treat the blast radius as 'crashable fetch-capable PHP app' unless you have internal evidence of stronger exploit reliability.

Conditions required:

The process handling the fetch can be crashed without graceful recovery
Service design makes repeated crashes operationally meaningful

Where this breaks in practice:

FPM pools, worker recycling, and orchestration can reduce impact to transient worker death
No strong evidence of broad real-world exploitation pressure was found

Detection/coverage: Application crashes, core dumps, FPM worker restarts, and outbound-call telemetry are the best clues; external scanning will not show successful impact.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No solid active-exploitation evidence found in the sources reviewed, and the CVE does not appear in the CISA KEV catalog source checked.
Public PoC	Yes — Exploit-DB EDB-44846 by Wei Lei and Liu Yang demonstrates a malformed HTTP response causing crash behavior.
EPSS	Tenable shows EPSS 0.83066; CVE Details shows roughly 83.07% probability / ~99th percentile. Useful as a background signal, but it overstates urgency here because reachable exploit paths are app-dependent.
KEV status	Not listed in the CISA Known Exploited Vulnerabilities Catalog.
CVSS vector	`CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` (9.8). In vacuum that reads like internet-reachable no-auth RCE; in reality it assumes away the biggest prerequisite: the target must first be coerced into making an outbound HTTP fetch to attacker infrastructure.
Affected versions	Upstream affected branches are PHP <= 5.6.33, 7.0.x < 7.0.28, 7.1.x <= 7.1.14, and 7.2.x <= 7.2.2.
Fixed versions	Upstream fixes landed in 5.6.34 / 7.0.28 / 7.1.15 / 7.2.3. Distro backports exist, e.g. Ubuntu 7.0.28-0ubuntu0.16.04.1 and 7.1.15-0ubuntu0.17.10.1; SUSE shipped a backported fix in its php7 packages while keeping an older-looking base version.
Scanner reality check	Tenable plugin `107216` is a banner/version check. It is good for finding stale PHP, but it does not tell you whether the app exposes an attacker-controlled fetch path, which is the deciding exploitability factor.
Disclosure	PHP bug `#75981` was submitted on 2018-02-20 and the CVE was assigned on 2018-03-01.
Reporting researcher	The original PHP security bug report credits Wei Lei (`l dot wei at ntu dot edu dot sg`); public exploit material is attributed to Wei Lei and Liu Yang.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (5.8/10)

The decisive downgrading factor is attacker position: this is usually not directly reachable from the internet-facing request path and instead requires the victim PHP runtime to make an outbound HTTP request to an attacker-controlled server. That prerequisite sharply narrows the exposed population compared with what the 9.8 CVSS suggests, and the public exploit record is much stronger for crash/DoS than for reliable operational RCE.

HIGH Version mapping of Tenable plugin `107216` to **CVE-2018-7584**

HIGH Assessment that exploitation generally requires an **attacker-controlled outbound fetch path**

MEDIUM Judgment that real-world impact is usually **DoS over reliable RCE**

Why this verdict

Baseline starts too high: the NVD/Tenable-style 9.8 assumes a generic unauthenticated network bug, but this parser flaw sits behind application behavior that must first cause PHP to fetch a malicious HTTP response.
Attacker needs a second foothold or feature: SSRF, a webhook/importer, or some user-controlled remote-fetch capability is typically required. That means many deployments are only exposed *after* a separate app weakness or risky feature is in play.
Reachable population is smaller than 'all PHP': PHP is everywhere, but only a subset of apps let untrusted users influence outbound requests. Version prevalence is not the same as exploit-path prevalence.
Public weaponization is weak: there is a public Exploit-DB PoC, but it is oriented around crashing the process. I did not find strong evidence of a mature, broadly used RCE exploit chain.
Still not low: if you do have SSRF/webhook/import features on vulnerable legacy PHP, the attacker can remotely drive memory corruption in the runtime itself, which is too dangerous to shrug off as backlog dust.

Why not higher?

This is not a clean 'send one packet to the public web server and win' bug. The chain usually requires attacker control over the URL or upstream response source that PHP fetches, which implies a narrower and more application-specific path than classic edge RCE. Also, the public exploit material is not a convincing internet-scale RCE ecosystem.

Why not lower?

It is still a memory-corruption bug in the PHP runtime, not a cosmetic parser oddity. Environments with SSRF primitives, feed importers, webhooks, or permissive outbound fetch features can make the bug remotely triggerable, and vulnerable PHP 5.6 estates tend to have plenty of neighboring risk.

05 · Compensating Control

What to do — in priority order.

Constrain outbound fetches — Restrict app-tier egress so PHP cannot freely connect to attacker-controlled hosts. This directly breaks the exploit chain because the vulnerable code path needs an outbound HTTP response to parse. For a MEDIUM verdict there is no mitigation SLA; implement this as normal hardening while you work toward patching within the 365-day remediation window.
Audit SSRF and fetch features — Inventory code paths and product features that let users trigger server-side URL retrievals: webhooks, feed readers, remote image fetchers, SSO metadata imports, health checks, callback validators. Those apps should be prioritized ahead of generic brochureware sites. There is no mitigation SLA for MEDIUM here, so use this to triage where patching matters most first.
Disable risky URL-wrapper usage where feasible — If specific apps do not need remote URL access via convenience helpers, remove or refactor those paths and prefer tightly controlled client libraries with destination allowlists. That reduces both this CVE and the broader SSRF blast radius. Again, no mitigation SLA — treat it as targeted hardening before the remediation deadline.
Monitor worker crash loops — Set alerts on PHP-FPM worker restarts, segfaults, and unusual outbound calls to rare domains from app tiers. This won't prevent exploitation, but it is your best chance of spotting abuse if a fetch-capable app is targeted. For MEDIUM, fold this into standard detection engineering rather than emergency change windows.

What doesn't work

A generic WAF at the inbound edge does not reliably help, because the dangerous payload is typically the server's outbound HTTP response, not the attacker's initial inbound request.
MFA is irrelevant unless the only exploitable path is an authenticated application feature; it does nothing to the parser flaw itself.
Treating this as a pure internet-facing PHP version problem is misleading. Version-only exposure dashboards overcount risk when the app cannot be coerced into outbound fetches.

06 · Verification

Crowdsourced verification payload.

Run this on the target Linux host that has PHP installed, not from an auditor workstation. Invoke it as sudo bash check-cve-2018-7584.sh or bash check-cve-2018-7584.sh; no root is strictly required for php -v, but package backport checks are more reliable with local package metadata available. The script outputs VULNERABLE, PATCHED, or UNKNOWN.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check-cve-2018-7584.sh
# Detect likely exposure to CVE-2018-7584 on Linux PHP hosts.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

out() {
  echo "$1"
  exit "$2"
}

have_cmd() {
  command -v "$1" >/dev/null 2>&1
}

ver_ge() {
  # returns true if $1 >= $2
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

ver_lt() {
  ! ver_ge "$1" "$2"
}

php_bin="${PHP_BIN:-php}"
if ! have_cmd "$php_bin"; then
  out "UNKNOWN: php binary not found" 2
fi

php_version="$($php_bin -r 'echo PHP_VERSION;' 2>/dev/null || true)"
if [ -z "$php_version" ]; then
  out "UNKNOWN: unable to read PHP_VERSION" 2
fi

php_major_minor="$($php_bin -r 'echo PHP_MAJOR_VERSION.".".PHP_MINOR_VERSION;' 2>/dev/null || true)"
if [ -z "$php_major_minor" ]; then
  out "UNKNOWN: unable to parse PHP major/minor" 2
fi

# Upstream fixed versions for affected branches:
# 5.6.34 / 7.0.28 / 7.1.15 / 7.2.3
case "$php_major_minor" in
  5.6)
    if ver_ge "$php_version" "5.6.34"; then
      out "PATCHED: upstream PHP version $php_version is >= 5.6.34" 0
    fi
    ;;
  7.0)
    if ver_ge "$php_version" "7.0.28"; then
      out "PATCHED: upstream PHP version $php_version is >= 7.0.28" 0
    fi
    ;;
  7.1)
    if ver_ge "$php_version" "7.1.15"; then
      out "PATCHED: upstream PHP version $php_version is >= 7.1.15" 0
    fi
    ;;
  7.2)
    if ver_ge "$php_version" "7.2.3"; then
      out "PATCHED: upstream PHP version $php_version is >= 7.2.3" 0
    fi
    ;;
  *)
    out "PATCHED: installed PHP branch $php_version is outside the known affected upstream ranges for CVE-2018-7584" 0
    ;;
esac

# Package/backport checks for common distros.
# If we positively identify a known fixed distro build, mark PATCHED.
# If package metadata shows an older branch but we cannot confirm backports, return UNKNOWN.

if have_cmd dpkg-query; then
  # Ubuntu examples from USN-3600-1
  for pkg in php5-cli php5-cgi php5-fpm libapache2-mod-php5 php7.0-cli php7.0-cgi php7.0-fpm libapache2-mod-php7.0 php7.1-cli php7.1-cgi php7.1-fpm libapache2-mod-php7.1; do
    if dpkg-query -W -f='${Status} ${Version}\n' "$pkg" 2>/dev/null | grep -q '^install ok installed '; then
      pkgver="$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null)"
      case "$pkg" in
        php7.1-*|libapache2-mod-php7.1)
          if ver_ge "$pkgver" "7.1.15-0ubuntu0.17.10.1"; then
            out "PATCHED: package $pkg at $pkgver includes the Ubuntu fix baseline" 0
          else
            out "UNKNOWN: package $pkg at $pkgver is on an affected branch; verify distro backports or upgrade" 2
          fi
          ;;
        php7.0-*|libapache2-mod-php7.0)
          if ver_ge "$pkgver" "7.0.28-0ubuntu0.16.04.1"; then
            out "PATCHED: package $pkg at $pkgver includes the Ubuntu fix baseline" 0
          else
            out "UNKNOWN: package $pkg at $pkgver is on an affected branch; verify distro backports or upgrade" 2
          fi
          ;;
        php5-*|libapache2-mod-php5)
          # Ubuntu 14.04 php5 packages were fixed via backport even though upstream 5.5 looked older.
          if ver_ge "$pkgver" "5.5.9+dfsg-1ubuntu4.24"; then
            out "PATCHED: package $pkg at $pkgver includes the Ubuntu backport fix baseline" 0
          else
            out "UNKNOWN: package $pkg at $pkgver is old and may still be vulnerable; verify vendor backports or replace" 2
          fi
          ;;
      esac
    fi
  done
fi

if have_cmd rpm; then
  # SUSE advisories backported the fix while keeping older-looking upstream base versions.
  # We do not attempt complete distro-specific EVR logic here; if RPM-managed and branch looks affected,
  # require package/advisory confirmation.
  rpm_php_pkg="$(rpm -qa | grep -E '^(php|php7)(-|$)' | head -n1 || true)"
  if [ -n "$rpm_php_pkg" ]; then
    out "UNKNOWN: RPM-based PHP package detected ($rpm_php_pkg); check vendor advisory/backport status for CVE-2018-7584" 2
  fi
fi

# If we got here, branch is affected upstream and we found no positive backport evidence.
out "VULNERABLE: upstream PHP version $php_version is in a known affected range and no distro backport fix was confirmed" 1

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, do not treat this like a universal edge-PHP emergency; treat it like a targeted review of legacy PHP apps that make outbound HTTP requests. First, identify vulnerable hosts running affected PHP and sort them by whether the application exposes SSRF, webhook, feed-import, remote fetch, or callback-style features; those are your real priorities. Because this is MEDIUM, there is noisgate mitigation SLA here — no mitigation SLA — go straight to the 365-day remediation window — but you should still harden egress and review fetch-capable apps during normal change cycles. Your noisgate remediation SLA is ≤365 days to get onto fixed upstream or distro-patched builds, with PHP 5.6 estates treated as retirement candidates rather than something to preserve indefinitely.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.