This host is running PHP and is prone to format string vulnerability.

Successful exploitation could allow attackers to obtain sensitive information and possibly execute arbitrary code via a crafted phar:// URI. Impact Level: Network

Upgrade to PHP version 5.3.4 or later, For updates refer to http://www.php.net/downloads.php

The flaws are due to: - An error in 'stream.c' in the phar extension, which allows attackers to obtain sensitive information. - An error in 'open_wrappers.c', allow remote attackers to bypass open_basedir restrictions via vectors related to the length of a filename. - An error in 'mb_strcut()' function in 'Libmbfl' , allows context-dependent attackers to obtain potentially sensitive information via a large value of the third parameter (aka the length parameter).

PHP version 5.3 through 5.3.3

• http://php-security.org/2010/05/14/mops-2010-024-php-phar_stream_flush-format-string-vulnerability/index.html
• http://security-tracker.debian.org/tracker/CVE-2010-2950

---

Updated on 2015-03-25