Cloud Foundry Logo
blog single gear
Blog
Security Advisory

CVE-2016-6639: PHP Buildpack exposes .profile file

by: September 9, 2016

CVE-2016-6639: PHP Buildpack exposes .profile file

Severity

Medium

Vendor

Cloud Foundry Foundation

Versions Affected

  • PHP Buildpack versions prior to v4.3.18
  • Cf-release versions prior to v242

Description

The .profile file, which can potentially include environment variables and credentials, is exposed by default in the PHP Buildpack. The PHP buildpack prior to v4.3.18 did not actually allow for execution of the .profile file, so it is unlikely that many applications were using it.

Mitigation

Users of affected versions should apply the following mitigation:

  • For existing deployments, upgrade the PHP Buildpack to v4.3.18 or later [1] and restage all applications that use automated buildpack detection.
  • Immediately rotate credentials for apps using the PHP buildpack if they were stored in the .profile file.

Credit

Cloud Foundry Buildpacks Team

References

[1] https://github.com/cloudfoundry/php-buildpack/releases

History

2016-09-07: Initial vulnerability report published

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES

You Might Also Like

USN-3770-1: Little CMS vulnerabilities
Security Advisory

USN-3770-1: Little CMS vulnerabilities

by Cloud Foundry Foundation Security Team September 25, 2018
USN-5328-2: OpenSSL vulnerabilityUSN-5328-2: OpenSSL vulnerability
Security Advisory

USN-5328-2: OpenSSL vulnerabilityUSN-5328-2: OpenSSL vulnerability

by Cloud Foundry Foundation Security Team April 21, 2022
USN-6310-1: json-c vulnerability
Security Advisory

USN-6310-1: json-c vulnerability

by Cloud Foundry Foundation Security Team October 5, 2023
This website uses cookies to offer you a better browsing experience. Find out more about how we use cookies and how you can change your settings. Accept