
CVE-2015-5243: phpWhois arbitrary code execution via a crafted whois record

CVSS Score: 9.8 (version 3.0)

Basic Information

EPSS Score: 0.92708%
Published: 5/14/2022
Updated: 4/23/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| jsmitty12/phpwhois | composer | < 5.1.0 | 5.1.0 |
| phpwhois/phpwhois | composer | <= 4.2.5 | |
| brightlocal/phpwhois | composer | <= 4.2.5 | |
| david-garcia/phpwhois | composer | <= 4.3.1 | |
| ivankristianto/phpwhois | composer | <= 4.3.0 | |
| kazist/phpwhois | composer | <= 4.2.6 | |
| serluck/phpwhois | composer | <= 4.2.6 | |
| simple-updates/phpwhois | composer | <= 1.0.0 | |
| truckersmp/phpwhois | composer | <= 4.3.1 | |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from the use of eval() when parsing WHOIS data, as shown in the commit diffs (e.g., Gemorroj/phpwhois@91c937e and sparc/phpWhois.org@5cc5724). Two functions, generic_parser_b and generic_parser_a_blocks, dynamically constructed PHP code from untrusted WHOIS record input and passed it to eval(). The Nettitude blog and SBA Research advisory confirm this attack vector, in which crafted WHOIS data could escape string literals and execute arbitrary code. The fixes replaced eval() with variable variables (e.g., ${'block...'}), directly addressing the code injection issue.
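
The eval() pattern described above, contrasted with a parser that never turns record text into PHP source. This is an added example, not code from phpWhois or the fix commits: FIELDS, assign_path and parse_whois are hypothetical names, the sample record is constructed, and it assigns into nested arrays by reference rather than using the variable variables the fixes used.

```php
<?php
declare(strict_types=1);

// Hypothetical label-to-path table; not taken from phpWhois.
const FIELDS = [
    'Domain Name:' => 'domain.name',
    'Registrant:'  => 'owner.name',
];

// Pattern to avoid (hypothetical shape, shown as a comment only):
//   eval('$r' . $path . ' = "' . $value . '";');
// Here $value comes from the WHOIS server and becomes part of PHP source text.

// Store $value at a dotted path by walking references; no PHP source is built.
function assign_path(array &$result, string $path, string $value): void
{
    $node = &$result;
    foreach (explode('.', $path) as $key) {
        if (!isset($node[$key]) || !is_array($node[$key])) {
            $node[$key] = [];
        }
        $node = &$node[$key];
    }
    $node = $value;
}

// Match each raw line against the known labels and store the rest as data.
function parse_whois(array $rawdata): array
{
    $result = [];
    foreach ($rawdata as $line) {
        foreach (FIELDS as $label => $path) {
            if (strncmp($line, $label, strlen($label)) === 0) {
                assign_path($result, $path, trim(substr($line, strlen($label))));
            }
        }
    }
    return $result;
}

// Constructed sample record; the second value contains characters that are
// meaningful in PHP source (double quote, semicolon, dollar-brace).
$sample = [
    'Domain Name: example.test',
    'Registrant: O"Brien; ${x} //',
];

$parsed = parse_whois($sample);
// Compare the stored value with the raw field text byte for byte.
var_dump($parsed['owner']['name'] === 'O"Brien; ${x} //');
```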
