CVE-2015-7803 in PHP
Summary
by MITRE
The phar_get_entry_data function in ext/phar/util.c in PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a .phar file with a crafted TAR archive entry in which the Link indicator references a file that does not exist.
Analysis
by VulDB Data Team • 07/06/2025
CVE-2015-7803 is a critical denial of service flaw in PHP's phar extension, affecting PHP before 5.5.30 and 5.6.x before 5.6.14. The vulnerability resides in the phar_get_entry_data function in ext/phar/util.c, which is responsible for processing phar archive entries. The flaw manifests when PHP encounters a maliciously crafted .phar file containing a TAR archive entry whose Link indicator references a non-existent file. It falls under CWE-476 (NULL Pointer Dereference): the application attempts to access a null pointer while processing archive metadata.
The technical exploitation of this vulnerability occurs during the parsing of TAR archive entries within phar files, where PHP's phar extension fails to properly validate the existence of referenced files before attempting to process symbolic links. When a crafted phar file contains a Link indicator pointing to a non-existent file, the phar_get_entry_data function attempts to dereference a NULL pointer, leading to an application crash and subsequent denial of service. This behavior represents a classic null pointer dereference vulnerability that can be triggered through remote file processing, making it particularly dangerous in web applications that accept user-uploaded phar files or process external archive data.
The operational impact of CVE-2015-7803 extends beyond simple service disruption, as remote attackers can use it to systematically crash PHP applications that process phar archives. The vulnerability is particularly concerning in environments where phar files are processed without proper validation, such as content management systems, file upload handlers, or any application that accepts and processes archive files. The attack vector requires minimal privileges and can be executed through simple file manipulation, which makes the flaw attractive to attackers seeking to disrupt services. This vulnerability aligns with ATT&CK technique T1499.004 for Network Denial of Service and represents a critical weakness in PHP's archive processing capabilities that affects numerous web applications.
Mitigation strategies for CVE-2015-7803 primarily focus on upgrading to patched PHP versions where the vulnerability has been resolved. System administrators should prioritize immediate deployment of PHP 5.5.30 or 5.6.14, which contain the necessary fixes to properly validate file references within phar archives. Additionally, implementing proper input validation and sanitization measures can help prevent exploitation, including restricting phar file processing capabilities and validating all archive metadata before processing. Organizations should also consider implementing network segmentation and monitoring solutions to detect potential exploitation attempts, as the vulnerability can be used as part of broader attack campaigns targeting web application availability. The fix implemented in the patched versions ensures proper null pointer checks and validation of file references within TAR archive entries, preventing the application crash that occurred when encountering non-existent file references in symbolic link indicators.
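One way to validate archive metadata before processing, as an added example that is not code from PHP or from VulDB: a Python pre-screen that runs outside PHP's phar extension and lists TAR link entries whose target is not a member of the archive. Checking both hard-link and symlink typeflags, the simplified target resolution, and the names dangling_links and build_sample are assumptions of this example; the sample archive is constructed in memory.

```python
import io
import posixpath
import tarfile

# tar typeflag '1' (hard link) and '2' (symlink); checking both is a conservative assumption.
LINK_TYPES = (tarfile.LNKTYPE, tarfile.SYMTYPE)

def _norm(path):
    return posixpath.normpath(path).lstrip("/")

def dangling_links(fileobj):
    """Return sorted (entry, linkname) pairs whose link target is not an archive member."""
    # "r:*" reads plain or compressed tar; only headers are inspected, nothing is extracted.
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        members = tar.getmembers()
    names = {_norm(m.name) for m in members}
    findings = []
    for m in members:
        if m.type not in LINK_TYPES:
            continue
        # Accept the target as written or relative to the entry's directory (simplified rule).
        relative = posixpath.join(posixpath.dirname(m.name), m.linkname)
        candidates = {_norm(m.linkname), _norm(relative)}
        candidates.discard(_norm(m.name))  # an entry that points at itself is not resolved
        if not candidates & names:
            findings.append((m.name, m.linkname))
    return sorted(findings)

def build_sample(link_target):
    """Constructed in-memory tar for testing the check: one file plus one link entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"<?php echo 'ok';"
        info = tarfile.TarInfo("src/index.php")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("src/alias.php")
        link.type = tarfile.LNKTYPE
        link.linkname = link_target
        tar.addfile(link)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for target in ("src/index.php", "src/missing.php"):
        print(target, "->", dangling_links(build_sample(target)) or "ok")
```

An upload handler can reject any archive for which dangling_links returns a non-empty list before the file is handed to PHP; this complements upgrading and does not replace it.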