CVE-2016-10160 in macOSinfo

Summary

by MITRE

Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PHAR archive with an alias mismatch.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 05/14/2026

The vulnerability identified as CVE-2016-10160 represents a critical off-by-one error within the PHP phar extension that affects versions prior to 5.6.30 and 7.0.15. This flaw exists in the phar_parse_pharfile function located in ext/phar/phar.c, where improper bounds checking during PHAR archive processing creates a condition that can be exploited by remote attackers to achieve either denial of service through memory corruption or potentially arbitrary code execution. The vulnerability specifically manifests when processing crafted PHAR archives containing alias mismatches, exploiting a fundamental boundary condition error that can lead to unpredictable memory behavior.

The technical implementation of this vulnerability stems from an off-by-one error that occurs during the parsing of PHAR archive headers and metadata. When PHP processes a PHAR archive, the phar_parse_pharfile function attempts to validate and parse the archive's internal structure including alias information. The flaw arises when the function fails to properly validate the length of alias strings, allowing an attacker to craft a malicious PHAR archive where the alias field contains one byte more than the allocated buffer space. This minor buffer overflow condition can corrupt adjacent memory regions and potentially allow attackers to manipulate the execution flow of the PHP interpreter.

From an operational impact perspective, this vulnerability presents significant risks to web applications that utilize PHAR archives for file handling, compression, or packaging purposes. Attackers can leverage this weakness by uploading or serving malicious PHAR files that, when processed by vulnerable PHP applications, can cause the web server to crash or potentially execute unintended code. The denial of service aspect directly impacts application availability and can be exploited for distributed denial of service attacks against web servers. The arbitrary code execution capability represents a more severe threat, as it could allow attackers to gain control over the affected system, potentially leading to complete compromise of the web application environment.

The vulnerability aligns with CWE-121, which describes stack-based buffer overflow conditions, and can be categorized under ATT&CK technique T1190 for Exploit Public-Facing Application. Organizations utilizing PHP applications that process user-uploaded files or external PHAR archives are particularly vulnerable, as the attack vector requires only the ability to upload or access a malicious PHAR file. The exploitability of this vulnerability is enhanced in environments where PHP applications handle untrusted PHAR data without proper validation or where PHAR archives are automatically parsed during application startup or file processing operations.

Mitigation strategies should focus on immediate patching of affected PHP versions to the latest stable releases containing the fix for this buffer overflow condition. System administrators should also implement strict validation of PHAR archives before processing, particularly in applications that handle user-uploaded content. Additional protective measures include disabling PHAR extension functionality when not required, implementing proper input sanitization for file handling operations, and monitoring for unusual memory consumption patterns that might indicate exploitation attempts. Organizations should also consider implementing network-level protections such as web application firewalls to detect and block malicious PHAR file access patterns. The vulnerability highlights the importance of thorough input validation and memory boundary checking in language extensions that handle complex binary formats, emphasizing the need for security reviews of core PHP extensions that process external data structures.

Reservation

01/24/2017

Disclosure

01/24/2017

Moderation

accepted

Entry

2

Relate

show

CPE

ready

EPSS

0.07322

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!