Several PHP Vulnerabilities [medium priority]


#1

Short story: You can usually fix these vulnerabilities by upgrading and updating your packages. Do this by running this in a shell:

sudo apt-get update; sudo apt-get upgrade

I would think this would be a “medium” priority for Mail-in-a-Box users, since I would think the vulnerability could be exploited only by users logged in to Nextcloud, or any possible Nextcloud plugin installed. However, I am not an expert in this stuff.

Mail-in-a-Box uses PHP7 (I believe), since Nextcloud runs on PHP. These security vulnerabilities are in regard to php7.0 and php7.2. According to Ubuntu, “It was discovered that PHP incorrectly handled certain exif tags in JPEG images. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.”

https://usn.ubuntu.com/3953-1/

CVE-2019-11034
Ubuntu: https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11034.html
Debian: https://security-tracker.debian.org/tracker/CVE-2019-11034
Priority: Medium
(medium: “Open vulnerability that is a real problem and is exploitable for many users of the affected software. Examples include network daemon denial of service, cross-site scripting and gaining user privileges.”)

CVE-2019-11035
Ubuntu: https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11035.html
Debian: https://security-tracker.debian.org/tracker/CVE-2019-11035
Priority: Medium
(medium: “Open vulnerability that is a real problem and is exploitable for many users of the affected software. Examples include network daemon denial of service, cross-site scripting and gaining user privileges.”)


#2

This is only an issue if an attacker is:

A) An end-user that has valid credentials to the box (Real threat tbh)

B) An Admin put a PHP script on the box that allows unauthenticated uploads.

The script that the jpg is uploaded to will also need to use either the exif_iif_add_value() or exif_process_IFD_TAG() functions in PHP for the exploit to take place.

Just as a note: Only Nextcloud and Roundcube would potentially be affected in normal installations. However, they might not use those functions.