CVE-2016-4473
📋 TL;DR
This vulnerability in PHP's PHAR extension allows remote attackers to execute arbitrary code on affected systems. It affects PHP 7.0.7 and certain 5.6.x versions, and was introduced as an incomplete fix for CVE-2015-6833. Attackers can exploit this to gain full control of vulnerable servers.
💻 Affected Systems
- PHP
📦 What is this software?
Linux Enterprise Module For Web Scripting by Suse
Linux Enterprise Software Development Kit by Suse
Php by Php
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.
Likely Case
Remote code execution allowing attackers to install malware, create backdoors, or exfiltrate sensitive data.
If Mitigated
Limited impact with proper network segmentation, WAF rules blocking PHAR file uploads, and minimal PHP privileges.
🎯 Exploit Status
Exploitation involves crafting malicious PHAR files that trigger use-after-free conditions. Public exploit code exists in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PHP 7.0.8 and later, and the corresponding PHP 5.6.x security updates
Vendor Advisory: http://rhn.redhat.com/errata/RHSA-2016-2750.html
Restart Required: Yes
Instructions:
1. Update PHP to version 7.0.8 or later, or apply the security patches for PHP 5.6.x.
2. Restart the web server (Apache/Nginx) and PHP-FPM if applicable.
3. Verify the update with the php -v command.
🔧 Temporary Workarounds
Disable PHAR extension
Disable the vulnerable PHAR extension if your application does not require it.
Edit php.ini and set: phar.readonly = On
Or disable the extension entirely: remove or comment out the extension=phar.so line
Web Application Firewall rules
Block PHAR file uploads and requests containing PHAR signatures.
🧯 If You Can't Patch
- Implement strict file upload validation to reject PHAR files
- Run PHP with minimal privileges and in chroot/jail environments
🔍 How to Verify
Check if Vulnerable:
Check the PHP version with: php -v | grep 'PHP' and compare it against the affected versions (7.0.7, or a vulnerable 5.6.x release)
Check Version:
php -v | grep 'PHP'
Verify Fix Applied:
Verify PHP version is 7.0.8+ or patched 5.6.x version, and test PHAR functionality if required
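The version check above, as an added example (not part of this advisory): a POSIX sh function that parses the first line of php -v output and classifies it against the versions listed on this page. It assumes 7.0.x is fixed from 7.0.8, as stated above; because the page does not name the patched 5.6.x release, the optional PHP56_FIXED variable is a placeholder you fill in from your vendor advisory, and 5.6.x is reported as "check-vendor" until you do.

```shell
#!/bin/sh
# Added example, not the advisory's own tooling.
# PHP56_FIXED (optional, PLACEHOLDER): the patched 5.6.x release from your vendor advisory.

# Pull "major.minor.patch" out of text such as "PHP 7.0.7 (cli) (built: ...)".
php_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^PHP \([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p' | head -n 1
}

# Numeric comparison of two dotted versions; prints lt, eq or gt.
version_cmp() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$1" | cut -d. -f"$i"); b=$(printf '%s' "$2" | cut -d. -f"$i")
        [ "${a:-0}" -lt "${b:-0}" ] && { echo lt; return; }
        [ "${a:-0}" -gt "${b:-0}" ] && { echo gt; return; }
        i=$((i + 1))
    done
    echo eq
}

# Classify php -v output; prints vulnerable, fixed, check-vendor, not-listed or unknown.
cve_2016_4473_status() {
    v=$(php_version_from_output "$1")
    [ -n "$v" ] || { echo unknown; return; }
    case "$v" in
        7.0.*)
            # The page states 7.0.8 as the fixed release for the 7.0 branch.
            [ "$(version_cmp "$v" 7.0.8)" = lt ] && echo vulnerable || echo fixed ;;
        5.6.*)
            if [ -n "${PHP56_FIXED:-}" ]; then
                [ "$(version_cmp "$v" "$PHP56_FIXED")" = lt ] && echo vulnerable || echo fixed
            else
                echo check-vendor
            fi ;;
        *) echo not-listed ;;   # branch not named on this page
    esac
}

# Stand-alone use: classify the interpreter installed on this host, if any.
if command -v php >/dev/null 2>&1; then
    out=$(php -v 2>/dev/null)
    echo "$(printf '%s\n' "$out" | head -n 1) -> $(cve_2016_4473_status "$out")"
fi
```

Distribution packages often backport the fix without changing the upstream version string, so treat "vulnerable" from this check as a prompt to confirm against the package changelog or the vendor advisory linked above, not as a final verdict.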
📡 Detection & Monitoring
Log Indicators:
- Unusual PHP process spawning
- PHAR file uploads to unexpected locations
- Errors in PHP logs related to phar_object.c
Network Indicators:
- HTTP requests with PHAR file uploads to PHP endpoints
- Unusual outbound connections from web servers
SIEM Query:
source="php.log" AND ("phar" OR "CVE-2016-4473")
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00007.html
- http://rhn.redhat.com/errata/RHSA-2016-2750.html
- http://www.securityfocus.com/bid/98999
- https://bugzilla.redhat.com/show_bug.cgi?id=1347772