CVE-2015-5243
Description
phpWhois before 5.1.0 contains a code injection vulnerability via unsanitized WHOIS data that allows remote attackers to execute arbitrary PHP code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
phpWhois before version 5.1.0 (the original phpwhois.org 4.2.2 and earlier, the abcdmitry fork 4.2.5 and earlier, and the jsmitty12 fork 5.0.2 and earlier) contains a PHP code injection flaw in whois.parser.php. The generic_parser_b function builds a PHP assignment statement by concatenating a value taken from the returned WHOIS record into source text and hands that text to eval() [3]. As the removed line in the patches below shows, the only sanitization is str_replace('"', '\"', $itm) before the value is spliced into a double-quoted PHP string literal. That is not sufficient: a backslash preceding a quote in the value survives as an escaped backslash followed by the closing quote, which ends the literal early and leaves the rest of the value to be parsed as PHP, and a double-quoted literal also interpolates {$...} and ${...} expressions, which can call functions. An attacker who controls the WHOIS data for a domain that the application looks up can therefore execute arbitrary PHP on the server. The other parser routines (generic_parser_a_blocks, get_blocks and get_contact) also called eval(), with the variable name built by concatenation and the value passed as a variable; the fix removes those calls as well [4].
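To make the mechanism concrete, the following is an added example, not phpWhois code and not taken from the advisory or its references. It reconstructs the shape of the eval() statement from the removed line in the patches below, runs it over a constructed WHOIS record whose registrant name carries a backslash-quote pair, and contrasts it with a hardened parser that stores the same field by walking nested array keys instead of building source text. The ITEMS field map, the sample record and the index_expr() helper standing in for the library's getvarname() are assumptions made for the demonstration; it assumes PHP 8.

```php
<?php
// Added example (not phpWhois code): a minimal reconstruction of the eval()
// pattern removed by the patches on this page, beside a hardened replacement
// that stores the same field without evaluating anything. Field paths such
// as "owner.name" are assumed to map to $r['owner']['name']; the library's
// real getvarname() is not reproduced here.

declare(strict_types=1);

// Constructed WHOIS response. The "Registrant Name" value is hostile: its
// backslash-quote pair survives str_replace('"', '\"', ...) as \\" which, in a
// double-quoted PHP literal, is an escaped backslash followed by the closing
// quote, so everything after it is parsed as PHP.
const SAMPLE_RECORD = "Domain Name: EXAMPLE.TEST\n"
    . "Registrant Name: Alice\\\";\$executed = true;//\n"
    . "Registrant Organization: Example Org\n";

// Assumed map of response labels to dotted field paths (the role the
// parser's $items array plays).
const ITEMS = [
    'Domain Name:'             => 'domain.name',
    'Registrant Name:'         => 'owner.name',
    'Registrant Organization:' => 'owner.organization',
];

// Rebuild the index expression the old code appended to '$r'.
function index_expr(string $path): string
{
    $expr = '';
    foreach (explode('.', $path) as $part) {
        $expr .= "['" . $part . "']";
    }
    return $expr;
}

// Vulnerable form: the value is spliced into PHP source and eval()'d.
// Returns [$r, $executed]; $executed only becomes true if injected code ran.
function parse_vulnerable(string $raw, array $items): array
{
    $r = [];
    $executed = false;
    foreach (explode("\n", $raw) as $line) {
        foreach ($items as $match => $field) {
            $pos = strpos($line, $match);
            if ($pos === false) {
                continue;
            }
            $itm = trim(substr($line, $pos + strlen($match)));
            $var = '$r' . index_expr($field);
            // Same statement shape as the line removed in whois.parser.php.
            eval($var . '="' . str_replace('"', '\"', $itm) . '";');
        }
    }
    return [$r, $executed];
}

// Hardened form: walk the dotted path and create nested keys. A trailing
// empty segment ("owner.") appends, covering the old "$r[]=" case.
function assign_path(array &$target, string $path, string $value): void
{
    $parts = explode('.', $path);
    $last = array_pop($parts);
    $ref = &$target;
    foreach ($parts as $part) {
        if (!isset($ref[$part]) || !is_array($ref[$part])) {
            $ref[$part] = [];
        }
        $ref = &$ref[$part];
    }
    if ($last === '') {
        $ref[] = $value;
    } else {
        $ref[$last] = $value;
    }
}

function parse_hardened(string $raw, array $items): array
{
    $r = [];
    foreach (explode("\n", $raw) as $line) {
        foreach ($items as $match => $field) {
            $pos = strpos($line, $match);
            if ($pos === false) {
                continue;
            }
            assign_path($r, $field, trim(substr($line, $pos + strlen($match))));
        }
    }
    return $r;
}

[$vulnR, $executed] = parse_vulnerable(SAMPLE_RECORD, ITEMS);
$safeR = parse_hardened(SAMPLE_RECORD, ITEMS);

printf("vulnerable: injected code ran = %s, owner.name = %s\n",
    var_export($executed, true), var_export($vulnR['owner']['name'] ?? null, true));
printf("hardened:   owner.name stored verbatim = %s\n",
    var_export($safeR['owner']['name'], true));
```

In the vulnerable path the stored name is truncated to `Alice\` and the statement that follows the broken-out quote runs inside the parser's scope; in the hardened path the same bytes land in `$r['owner']['name']` unchanged and nothing is evaluated. The injected statement here only sets a flag, which is all the demonstration needs; the point is that the value boundary is decided by the attacker, not by str_replace.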
Exploitation
To exploit this vulnerability, an attacker needs the vulnerable application to look up a domain whose WHOIS record they control. They register a domain, or use a registrar or TLD whose WHOIS output reproduces registrant fields with few restrictions (typically generic TLDs or country-code TLDs with custom WHOIS servers), and place PHP code in fields the parser extracts, such as the registrant name, organization or address [3][1]. Only response lines matched against the parser's field list reach eval() (the `if ($pos !== false)` / `if ($field != '')` guard visible in the diff below), so the payload has to sit in a field phpWhois is configured to extract. When generic_parser_b processes the record, the value is concatenated into the eval() statement and the injected code runs on the server. No authentication is required; causing the application to perform a standard WHOIS lookup is enough. Because WHOIS is a plaintext protocol on TCP port 43, an attacker who can tamper with the response in transit, or who controls a WHOIS server the application is pointed at, has the same capability.
Impact
Successful exploitation allows the attacker to execute arbitrary PHP code in the context of the web application, typically with the privileges of the web server user. This can lead to full compromise of the application and server, including unauthorized access to sensitive data, modification or deletion of files, installation of backdoors, and further lateral movement within the network. The CVSS v3 base score is 9.8 (Critical), indicating a severe impact on confidentiality, integrity, and availability [3].
Mitigation
The vulnerability is fixed in version 5.1.0 of the jsmitty12 fork of phpWhois [1][3]. All users should upgrade to 5.1.0 or later (current stable is 6.0.2). The fix removes the eval() calls from the parser functions and assigns the parsed values directly [4]. For applications using the original phpwhois.org code or the abcdmitry fork, no official patch is available; migrate to the maintained jsmitty12 fork. Because the library has been forked many times under different Packagist names, check composer.lock for every fork listed in the affected-packages table below, not only for the name you remember installing, and grep the vendored whois.parser.php for eval( to confirm that the copy you ship is actually fixed. If upgrading is not immediately possible, restrict which WHOIS servers are queried and reject responses containing characters such as `"`, `\`, `$`, `{` or `;` before handing them to phpWhois; treat this as a stopgap only, since any reachable eval() over attacker-supplied text is one parser quirk away from a bypass. This CVE is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
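For the lockfile check, here is an added example (not part of phpWhois or this advisory) that reads a composer.lock and reports any pin falling in the affected ranges from the table below; the ranges are copied from that table, the AFFECTED map and the lock file fragment are constructed for the demonstration, and it assumes PHP 8.

```php
<?php
// Added example (not part of phpWhois or this advisory): scan a composer.lock
// for the phpwhois forks in the affected-packages table. The ranges are
// copied from that table; the lock fragment below is constructed.

declare(strict_types=1);

// package => [comparison operator, version bound, patched version or null]
const AFFECTED = [
    'jsmitty12/phpwhois'      => ['<',  '5.1.0', '5.1.0'],
    'phpwhois/phpwhois'       => ['<=', '4.2.5', null],
    'brightlocal/phpwhois'    => ['<=', '4.2.5', null],
    'david-garcia/phpwhois'   => ['<=', '4.3.1', null],
    'ivankristianto/phpwhois' => ['<=', '4.3.0', null],
    'kazist/phpwhois'         => ['<=', '4.2.6', null],
    'serluck/phpwhois'        => ['<=', '4.2.6', null],
    'simple-updates/phpwhois' => ['<=', '1.0.0', null],
    'truckersmp/phpwhois'     => ['<=', '4.3.1', null],
];

// Constructed composer.lock fragment: one vulnerable pin, one fixed pin,
// one unrelated package, and one vulnerable dev-only pin.
const SAMPLE_LOCK = '{
  "packages": [
    {"name": "phpwhois/phpwhois", "version": "4.2.5"},
    {"name": "jsmitty12/phpwhois", "version": "v5.1.0"},
    {"name": "monolog/monolog", "version": "2.9.1"}
  ],
  "packages-dev": [
    {"name": "truckersmp/phpwhois", "version": "4.3.1"}
  ]
}';

// Lock files may carry a leading "v", which version_compare() does not
// understand; strip it before comparing.
function normalize_version(string $v): string
{
    return ltrim($v, 'v');
}

// Returns one finding per affected pin: [name, version, section, advice].
function audit_lock(string $lockJson): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $findings = [];
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            $name = strtolower($pkg['name']);
            if (!isset(AFFECTED[$name])) {
                continue;
            }
            [$op, $bound, $patched] = AFFECTED[$name];
            $version = normalize_version($pkg['version']);
            if (str_starts_with($version, 'dev-')) {
                // A branch alias cannot be range-checked; flag it for review.
                $findings[] = [$name, $pkg['version'], $section, 'unpinned dev branch: verify manually'];
                continue;
            }
            if (version_compare($version, $bound, $op)) {
                $advice = $patched !== null
                    ? "upgrade to >= $patched"
                    : 'no patched release: migrate to jsmitty12/phpwhois >= 5.1.0';
                $findings[] = [$name, $pkg['version'], $section, $advice];
            }
        }
    }
    return $findings;
}

foreach (audit_lock(SAMPLE_LOCK) as [$name, $version, $section, $advice]) {
    printf("%-26s %-8s (%s): %s\n", $name, $version, $section, $advice);
}
```

Run against a real lock file with `audit_lock(file_get_contents('composer.lock'))`. On the constructed input it reports phpwhois/phpwhois 4.2.5 and the dev-only truckersmp/phpwhois 4.3.1 and stays silent on the fixed jsmitty12 pin. Composer 2.4 and later ships `composer audit`, which performs the same check against Packagist's advisory data; the script is for lock files inspected outside a Composer environment, for example in a CI job that only has the lock file.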
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| jsmitty12/phpwhois | Packagist | < 5.1.0 | 5.1.0 |
| phpwhois/phpwhois | Packagist | <= 4.2.5 | none |
| brightlocal/phpwhois | Packagist | <= 4.2.5 | none |
| david-garcia/phpwhois | Packagist | <= 4.3.1 | none |
| ivankristianto/phpwhois | Packagist | <= 4.3.0 | none |
| kazist/phpwhois | Packagist | <= 4.2.6 | none |
| serluck/phpwhois | Packagist | <= 4.2.6 | none |
| simple-updates/phpwhois | Packagist | <= 1.0.0 | none |
| truckersmp/phpwhois | Packagist | <= 4.3.1 | none |
Affected products
9 Composer package ranges from the GHSA (no CPE assigned):
- pkg:composer/brightlocal/phpwhois, range: <= 4.2.5
- pkg:composer/david-garcia/phpwhois, range: <= 4.3.1
- pkg:composer/ivankristianto/phpwhois, range: <= 4.3.0
- pkg:composer/jsmitty12/phpwhois, range: < 5.1.0
- pkg:composer/kazist/phpwhois, range: <= 4.2.6
- pkg:composer/phpwhois/phpwhois, range: <= 4.2.5
- pkg:composer/serluck/phpwhois, range: <= 4.2.6
- pkg:composer/simple-updates/phpwhois, range: <= 1.0.0
- pkg:composer/truckersmp/phpwhois, range: <= 4.3.1
Patches
1 file changed · +15 −9
src/whois.parser.php+15 −9 modified@@ -102,10 +102,12 @@ function generic_parser_a_blocks($rawdata, $translate, &$disclaimer) $k = $translate[$k]; if ($k == '') continue; if (strstr($k, '.')) { - eval("\$block" . getvarname($k) . "=\$v;"); + ${'block' . getvarname($k)} = $v; continue; } - } else $k = strtolower($k); + } else { + $k = strtolower($k); + } if ($k == 'handle') { $v = strtok($v, ' '); @@ -345,15 +347,16 @@ function generic_parser_b($rawdata, $items = false, $dateformat = 'mdy', $hasreg if ($pos !== false) { if ($field != '') { - $var = '$r' . getvarname($field); $itm = trim(substr($val, $pos + strlen($match))); - if ($itm != '') - eval($var . '="' . str_replace('"', '\"', $itm) . '";'); + if ($itm != '') { + ${'r' . getvarname($field)} = '="' . str_replace('"', '\"', $itm) . '";'; + } } - if (!$scanall) + if (!$scanall) { break; + } } } } @@ -418,7 +421,8 @@ function get_blocks($rawdata, $items, $partial_match = false, $def_block = false } else { $var = getvarname(strtok($field, '#')); $itm = trim(substr($val, $pos + strlen($match))); - eval('$r' . $var . '=$itm;'); + + ${'r' . $var} = $itm; } break; @@ -480,7 +484,9 @@ function get_blocks($rawdata, $items, $partial_match = false, $def_block = false if ($pos !== false) { $var = getvarname(strtok($field, '#')); - if ($var != '[]') eval('$r' . $var . '=$block;'); + if ($var != '[]') { + ${'r' . $var} = $block; + } } } } @@ -586,7 +592,7 @@ function get_contact($array, $extra_items = '', $has_org = false) $itm = trim(substr($val, $pos + strlen($match))); if ($field != '' && $itm != '') { - eval('$r' . getvarname($field) . '=$itm;'); + ${'r' . getvarname($field)} = $itm; } $val = trim(substr($val, 0, $pos));
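Review bot: the generic_parser_b hunk assigns the wrong value. `${'r' . getvarname($field)} = '="' . str_replace('"', '\"', $itm) . '";';` keeps the leading `="`, the trailing `";` and the quote escaping that only existed to build the old eval() source string, so the extracted field is now stored as the literal text `="<value>";` with backslashes inserted before any quotes, not as the value itself. It should read `${'r' . getvarname($field)} = $itm;`, the form the get_blocks and get_contact hunks of this same patch use; the str_replace can go entirely since nothing is evaluated any more.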
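Review bot: the variable variables introduced in the generic_parser_a_blocks, generic_parser_b, get_blocks and get_contact hunks are unlikely to write where the removed eval() calls did. This commit does not touch getvarname(); the removed statements wrote `$r<suffix>=...` and `$block<suffix>=...`, and the second get_blocks hunk still compares the suffix against `'[]'`, so getvarname() returns an index expression such as `['key']['sub']` or `[]`. `${'r' . $var}` does not parse brackets: it creates a scalar variable whose name is the literal string `r['key']['sub']`, so `$r` is never populated and the `[]` append case silently disappears. Replace the four assignments with one helper that splits the field path and creates nested keys in `$r` (appending when the last segment is empty), and add a test that parses a fixed record and asserts on the contents of `$r`.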
5cc572490c90 · 1 file changed · +11 −6
whois.parser.php+11 −6 modified@@ -109,7 +109,8 @@ function generic_parser_a_blocks ($rawdata, $translate, &$disclaimer) if ($k=='') continue; if (strstr($k,'.')) { - eval("\$block".getvarname($k)."=\$v;"); + $var = 'block'.getvarname($k); + $$var = $v; continue; } } @@ -446,9 +447,8 @@ function get_blocks ( $rawdata, $items, $partial_match = false, $def_block = fal } else { - $var = getvarname(strtok($field,'#')); - $itm = trim(substr($val,$pos+strlen($match))); - eval('$r'.$var.'=$itm;'); + $var = 'r'.getvarname(strtok($field,'#')); + $$var = trim(substr($val,$pos+strlen($match))); } break; @@ -518,7 +518,11 @@ function get_blocks ( $rawdata, $items, $partial_match = false, $def_block = fal if ($pos !== false) { $var = getvarname(strtok($field,'#')); - if ($var != '[]') eval('$r'.$var.'=$block;'); + if ($var != '[]') + { + $var = 'r'.$var; + $$var = $block; + } } } } @@ -630,7 +634,8 @@ function get_contact ( $array, $extra_items='', $has_org= false ) if ($field != '' && $itm != '') { - eval('$r'.getvarname($field).'=$itm;'); + $var = 'r'.getvarname($field); + $$var = $itm; } $val = trim(substr($val,0,$pos));
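Review bot: there is no hunk for generic_parser_b, the function the advisory names as the one that concatenates WHOIS values into an eval() string. The four hunks here only remove eval() calls whose value side was already a plain variable (`=$v;`, `=$itm;`, `=$block;`), where the attacker-controlled text never entered the evaluated source. If generic_parser_b in this tree still contains its eval() with the value spliced into a double-quoted literal, the reported injection remains after this patch and a hunk for that function is needed.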
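Review bot: `$var = 'r'.getvarname(...); $$var = ...;` in the get_blocks and get_contact hunks, and `$var = 'block'.getvarname($k); $$var = $v;` in generic_parser_a_blocks, do not preserve the old assignment target. The second get_blocks hunk keeps the `if ($var != '[]')` check, which only makes sense if getvarname() returns bracket syntax like `['domain']['name']` or `[]`; `$$var` with such a string creates a variable literally named `r['domain']['name']` rather than writing into `$r`, and the append form is lost. Use a helper that walks the path and sets nested keys in the real `$r`, and cover it with a parser test on a fixed record.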
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-c95f-27gx-6vq9 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2015-5243 (ghsa; ADVISORY)
- blog.nettitude.com/uk/cve-2015-5243-phpwhois-remote-code-execution (ghsa; x_refsource_MISC; WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/brightlocal/phpwhois/CVE-2015-5243.yaml (ghsa; WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/david-garcia/phpwhois/CVE-2015-5243.yaml (ghsa; WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/ivankristianto/phpwhois/CVE-2015-5243.yaml (ghsa; WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/kazist/phpwhois/CVE-2015-5243.yaml (ghsa; WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/phpwhois/phpwhois/CVE-2015-5243.yaml (ghsa; WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/serluck/phpwhois/CVE-2015-5243.yaml (ghsa; WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/simple-updates/phpwhois/CVE-2015-5243.yaml (ghsa; WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/truckersmp/phpwhois/CVE-2015-5243.yaml (ghsa; WEB)
- github.com/Gemorroj/phpwhois/commit/91c937e03c876ba1290b6de2a3ad953d2105fdd0 (ghsa; x_refsource_CONFIRM; WEB)
- github.com/jsmitty12/phpWhois/blob/master/CHANGELOG.md (ghsa; x_refsource_CONFIRM; WEB)
- github.com/jsmitty12/phpWhois/issues/19 (ghsa; x_refsource_CONFIRM; WEB)
- github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180425-01_phpWhois_Code_Execution (ghsa; x_refsource_MISC; WEB)
- github.com/sparc/phpWhois.org/commit/5cc572490c9053d46598ec9348a11e36a5a33a46 (ghsa; x_refsource_CONFIRM; WEB)