PHP 4.0.0

The rfc1867_post_handler function in main/rfc1867.c in PHP before 5.3.7 does not properly restrict filenames in multipart/form-data POST requests, which allows remote attackers to conduct absolute path traversal attacks, and possibly create or overwrite arbitrary files, via a crafted upload request, related to a "file path injection vulnerability."

Published: 2011-06-16T23:00:00.000Z
Updated: 2024-08-06T22:53:17.428Z

The Zip extension in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (application crash) via a ziparchive stream that is not properly handled by the stream_get_contents function.

Published: 2011-03-20T01:00:00.000Z
Updated: 2024-08-06T22:28:41.493Z

Unspecified vulnerability in the Streams component in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (application crash) by accessing an ftp:// URL during use of an HTTP proxy with the FTP wrapper.

Published: 2011-03-20T01:00:00.000Z
Updated: 2024-08-06T22:28:41.600Z

Multiple memory leaks in the OpenSSL extension in PHP before 5.3.6 might allow remote attackers to cause a denial of service (memory consumption) via (1) plaintext data to the openssl_encrypt function or (2) ciphertext data to the openssl_decrypt function.

Published: 2011-03-20T01:00:00.000Z
Updated: 2024-08-06T22:28:41.435Z

Unspecified vulnerability in the NumberFormatter::setSymbol (aka numfmt_set_symbol) function in the Intl extension in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (application crash) via an invalid argument, a related issue to CVE-2010-4409.

Published: 2011-03-20T01:00:00.000Z
Updated: 2024-08-06T22:28:41.353Z

Integer overflow in the SdnToJulian function in the Calendar extension in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (application crash) via a large integer in the first argument to the cal_from_jd function.

Published: 2011-03-20T01:00:00.000Z
Updated: 2024-08-06T22:28:41.750Z

Buffer overflow in the strval function in PHP before 5.3.6, when the precision configuration option has a large value, might allow context-dependent attackers to cause a denial of service (application crash) via a small numerical value in the argument.

Published: 2011-03-20T01:00:00.000Z
Updated: 2024-08-06T22:28:41.468Z

Use-after-free vulnerability in the substr_replace function in PHP 5.3.6 and earlier allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact by using the same variable for multiple arguments.

Published: 2011-03-18T15:00:00.000Z
Updated: 2024-08-06T22:14:27.813Z

Integer overflow in ext/shmop/shmop.c in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (crash) and possibly read sensitive memory via a large third argument to the shmop_read function.

Published: 2011-03-15T17:00:00.000Z
Updated: 2024-08-06T22:14:27.679Z

Integer overflow in the mt_rand function in PHP before 5.3.4 might make it easier for context-dependent attackers to predict the return values by leveraging a script's use of a large max parameter, as demonstrated by a value that exceeds mt_getrandmax.

Published: 2011-02-02T21:00:00.000Z
Updated: 2024-08-06T22:05:53.567Z

The SplFileInfo::getType function in the Standard PHP Library (SPL) extension in PHP before 5.3.4 on Windows does not properly detect symbolic links, which might make it easier for local users to conduct symlink attacks by leveraging cross-platform differences in the stat structure, related to lack of a FILE_ATTRIBUTE_REPARSE_POINT check.

Published: 2011-02-02T21:00:00.000Z
Updated: 2024-08-06T22:05:53.657Z

Race condition in the PCNTL extension in PHP before 5.3.4, when a user-defined signal handler exists, might allow context-dependent attackers to cause a denial of service (memory corruption) via a large number of concurrent signals.

Published: 2011-02-02T21:00:00.000Z
Updated: 2024-08-06T22:05:53.445Z

exif.c in the Exif extension in PHP before 5.3.6 on 64-bit platforms performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) via an image with a crafted Image File Directory (IFD) that triggers a buffer over-read.

Published: 2011-03-20T01:00:00.000Z
Updated: 2024-08-06T21:58:26.128Z

The _zip_name_locate function in zip_name_locate.c in the Zip extension in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED argument, which might allow context-dependent attackers to cause a denial of service (NULL pointer dereference) via an empty ZIP archive that is processed with a (1) locateName or (2) statName operation.

Published: 2011-03-20T01:00:00.000Z
Updated: 2024-08-06T21:51:09.075Z

The iconv_mime_decode_headers function in the Iconv extension in PHP before 5.3.4 does not properly handle encodings that are unrecognized by the iconv and mbstring (aka Multibyte String) implementations, which allows remote attackers to trigger an incomplete output array, and possibly bypass spam detection or have unspecified other impact, via a crafted Subject header in an e-mail message, as demonstrated by the ks_c_5601-1987 character set.

Published: 2011-01-18T19:00:00.000Z
Updated: 2024-08-07T03:55:34.470Z

Integer overflow in the NumberFormatter::getSymbol (aka numfmt_get_symbol) function in PHP 5.3.3 and earlier allows context-dependent attackers to cause a denial of service (application crash) via an invalid argument.

Published: 2010-12-06T20:00:00.000Z
Updated: 2024-08-07T03:43:14.910Z

Integer overflow in the xml_utf8_decode function in ext/xml/xml.c in PHP before 5.2.11 makes it easier for remote attackers to bypass cross-site scripting (XSS) and SQL injection protection mechanisms via a crafted string that uses overlong UTF-8 encoding, a different vulnerability than CVE-2010-3870.

Published: 2010-11-12T21:00:00.000Z
Updated: 2024-08-07T07:24:54.057Z

PHP before 5.2.12 does not properly handle session data, which has unspecified impact and attack vectors related to (1) interrupt corruption of the SESSION superglobal array and (2) the session.save_path directive.

Published: 2009-12-21T16:00:00.000Z
Updated: 2024-08-07T06:54:09.936Z

The htmlspecialchars function in PHP before 5.2.12 does not properly handle (1) overlong UTF-8 sequences, (2) invalid Shift_JIS sequences, and (3) invalid EUC-JP sequences, which allows remote attackers to conduct cross-site scripting (XSS) attacks by placing a crafted byte sequence before a special character.

Published: 2009-12-21T16:00:00.000Z
Updated: 2024-08-07T06:54:09.694Z

The proc_open function in ext/standard/proc_open.c in PHP before 5.2.11 and 5.3.x before 5.3.1 does not enforce the (1) safe_mode_allowed_env_vars and (2) safe_mode_protected_env_vars directives, which allows context-dependent attackers to execute programs with an arbitrary environment via the env parameter, as demonstrated by a crafted value of the LD_LIBRARY_PATH environment variable.

Published: 2009-11-27T19:00:00.000Z
Updated: 2024-08-07T06:45:50.944Z

The posix_mkfifo function in ext/posix/posix.c in PHP before 5.2.12 and 5.3.x before 5.3.1 allows context-dependent attackers to bypass open_basedir restrictions, and create FIFO files, via the pathname and mode arguments, as demonstrated by creating a .htaccess file.

Published: 2009-11-23T17:00:00.000Z
Updated: 2024-08-07T06:31:10.377Z

The tempnam function in ext/standard/file.c in PHP before 5.2.12 and 5.3.x before 5.3.1 allows context-dependent attackers to bypass safe_mode restrictions, and create files in group-writable or world-writable directories, via the dir and prefix arguments.

Published: 2009-11-23T17:00:00.000Z
Updated: 2024-08-07T06:31:10.549Z

Unspecified vulnerability in the imagecolortransparent function in PHP before 5.2.11 has unknown impact and attack vectors related to an incorrect "sanity check for the color index."

Published: 2009-09-22T10:00:00.000Z
Updated: 2024-08-07T06:22:24.230Z

Unspecified vulnerability in PHP before 5.2.11, and 5.3.x before 5.3.1, has unknown impact and attack vectors related to "missing sanity checks around exif processing."

Published: 2009-09-22T10:00:00.000Z
Updated: 2024-08-07T06:22:24.335Z

The php_openssl_apply_verification_policy function in PHP before 5.2.11 does not properly perform certificate validation, which has unknown impact and attack vectors, probably related to an ability to spoof certificates.

Published: 2009-09-22T10:00:00.000Z
Updated: 2024-08-07T06:22:24.519Z

The zend_restore_ini_entry_cb function in zend_ini.c in PHP 5.3.0, 5.2.10, and earlier versions allows context-specific attackers to obtain sensitive information (memory contents) and cause a PHP crash by using the ini_set function to declare a variable, then using the ini_restore function to restore the variable.

Published: 2009-12-01T16:00:00.000Z
Updated: 2024-09-16T23:56:55.697Z

The dba_replace function in PHP 5.2.6 and 4.x allows context-dependent attackers to cause a denial of service (file truncation) via a key with the NULL byte. NOTE: this might only be a vulnerability in limited circumstances in which the attacker can modify or add database entries but does not have permissions to truncate the file.

Published: 2009-08-25T10:00:00.000Z
Updated: 2024-08-07T11:56:14.170Z

Cross-site scripting (XSS) vulnerability in PHP, possibly 5.2.7 and earlier, when display_errors is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: because of the lack of details, it is unclear whether this is related to CVE-2006-0208.

Published: 2009-01-02T18:00:00.000Z
Updated: 2024-08-07T11:04:44.594Z

The disable_functions feature in PHP 4 and 5 allows attackers to bypass intended restrictions by using an alias, as demonstrated by using ini_alter when ini_set is disabled.

Published: 2007-10-12T23:00:00.000Z
Updated: 2024-08-07T15:31:58.246Z

PHP 4.x and 5.x before 5.2.1, when running on multi-threaded systems, does not ensure thread safety for libc crypt function calls using protection schemes such as a mutex, which creates race conditions that allow remote attackers to overwrite internal program memory and gain system access.

Published: 2007-05-24T18:00:00.000Z
Updated: 2024-08-07T13:57:53.376Z

Buffer overflow in the sqlite_decode_binary function in src/encode.c in SQLite 2, as used by PHP 4.x through 5.x and other applications, allows context-dependent attackers to execute arbitrary code via an empty value of the in parameter. NOTE: some PHP installations use a bundled version of sqlite without this vulnerability. The SQLite developer has argued that this issue could be due to a misuse of the sqlite_decode_binary() API.

Published: 2007-04-06T01:00:00.000Z
Updated: 2024-08-07T13:13:41.460Z

Multiple integer signedness errors in the printf function family in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 on 64 bit machines allow context-dependent attackers to execute arbitrary code via (1) certain negative argument numbers that arise in the php_formatted_print function because of 64 to 32 bit truncation, and bypass a check for the maximum allowable value; and (2) a width and precision of -1, which make it possible for the php_sprintf_appendstring function to place an internal buffer at an arbitrary memory location.

Published: 2007-04-06T01:00:00.000Z
Updated: 2024-08-07T13:13:41.826Z

PHP 4 before 4.4.5 and PHP 5 before 5.2.1, when using an empty session save path (session.save_path), uses the TMPDIR default after checking the restrictions, which allows local users to bypass open_basedir restrictions.

Published: 2007-04-03T00:00:00.000Z
Updated: 2024-08-07T13:13:40.598Z

CRLF injection vulnerability in the mail function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows remote attackers to inject arbitrary e-mail headers and possibly conduct spam attacks via a control character immediately following folding of the (1) Subject or (2) To parameter, as demonstrated by a parameter containing a "\r\n\t\n" sequence, related to an increment bug in the SKIP_LONG_HEADER_SEP macro.

Published: 2007-03-28T00:00:00.000Z
Updated: 2024-08-07T13:06:26.069Z

The mail function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 truncates e-mail messages at the first ASCIIZ ('\0') byte, which might allow context-dependent attackers to prevent intended information from being delivered in e-mail messages. NOTE: this issue might be security-relevant in cases when the trailing contents of e-mail messages are important, such as logging information or if the message is expected to be well-formed.

Published: 2007-03-28T00:00:00.000Z
Updated: 2024-08-07T13:06:26.101Z

The session extension in PHP 4 before 4.4.5, and PHP 5 before 5.2.1, calculates the reference count for the session variables without considering the internal pointer from the session globals, which allows context-dependent attackers to execute arbitrary code via a crafted string in the session_register after unsetting HTTP_SESSION_VARS and _SESSION, which destroys the session data Hashtable.

Published: 2007-03-27T01:00:00.000Z
Updated: 2024-08-07T13:06:26.206Z

The mb_parse_str function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 sets the internal register_globals flag and does not disable it in certain cases when a script terminates, which allows remote attackers to invoke available PHP scripts with register_globals functionality that is not detectable by these scripts, as demonstrated by forcing a memory_limit violation.

Published: 2007-03-21T23:00:00.000Z
Updated: 2024-08-07T12:59:08.864Z

The resource system in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows context-dependent attackers to execute arbitrary code by interrupting certain functions in the GD (ext/gd) extension and unspecified other extensions via a userspace error handler, which can be used to destroy and modify internal resources.

Published: 2007-03-21T23:00:00.000Z
Updated: 2024-08-07T12:59:08.980Z

Integer overflow in the 16 bit variable reference counter in PHP 4 allows context-dependent attackers to execute arbitrary code by overflowing this counter, which causes the same variable to be destroyed twice, a related issue to CVE-2007-1286.

Published: 2007-03-10T00:00:00.000Z
Updated: 2025-04-03T14:53:51.666Z

The php_binary serialization handler in the session extension in PHP before 4.4.5, and 5.x before 5.2.1, allows context-dependent attackers to obtain sensitive information (memory contents) via a serialized variable entry with a large length value, which triggers a buffer over-read.

Published: 2007-03-10T00:00:00.000Z
Updated: 2024-08-07T12:50:35.258Z

The ovrimos_close function in the Ovrimos extension for PHP before 4.4.5 can trigger efree of an arbitrary address, which might allow context-dependent attackers to execute arbitrary code.

Published: 2007-03-10T00:00:00.000Z
Updated: 2024-08-07T12:50:35.317Z

The ovrimos_longreadlen function in the Ovrimos extension for PHP before 4.4.5 allows context-dependent attackers to write to arbitrary memory locations via the result_id and length arguments.

Published: 2007-03-10T00:00:00.000Z
Updated: 2024-08-07T12:50:35.265Z

The shmop functions in PHP before 4.4.5, and before 5.2.1 in the 5.x series, do not verify that their arguments correspond to a shmop resource, which allows context-dependent attackers to read and write arbitrary memory locations via arguments associated with an inappropriate resource, as demonstrated by a GD Image resource.

Published: 2007-03-10T00:00:00.000Z
Updated: 2024-08-07T12:50:35.224Z

Multiple integer overflows in the (1) createwbmp and (2) readwbmp functions in wbmp.c in the GD library (libgd) in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allow context-dependent attackers to execute arbitrary code via Wireless Bitmap (WBMP) images with large width or height values.

Published: 2007-04-06T00:00:00.000Z
Updated: 2024-08-07T12:43:21.675Z

The zend_hash_init function in PHP 5 before 5.2.1 and PHP 4 before 4.4.5, when running on a 64-bit platform, allows context-dependent attackers to cause a denial of service (infinite loop) by unserializing certain integer expressions, which only cause 32-bit arguments to be used after the check for a negative value, as demonstrated by an "a:2147483649:{" argument.

Published: 2007-02-20T17:00:00.000Z
Updated: 2024-08-07T12:43:22.216Z

Unspecified vulnerability in PHP before 5.2.1 allows attackers to "clobber" certain super-global variables via unspecified vectors.

Published: 2007-02-13T23:00:00.000Z
Updated: 2024-08-07T12:34:21.320Z

Multiple format string vulnerabilities in PHP before 5.2.1 might allow attackers to execute arbitrary code via format string specifiers to (1) all of the *print functions on 64-bit systems, and (2) the odbc_result_all function.

Published: 2007-02-13T23:00:00.000Z
Updated: 2024-08-07T12:34:21.303Z

The WDDX deserializer in the wddx extension in PHP 5 before 5.2.1 and PHP 4 before 4.4.5 does not properly initialize the key_length variable for a numerical key, which allows context-dependent attackers to read stack memory via a wddxPacket element that contains a variable with a string name before a numerical variable.

Published: 2007-02-13T23:00:00.000Z
Updated: 2024-08-07T12:34:21.323Z

Buffer underflow in PHP before 5.2.1 allows attackers to cause a denial of service via unspecified vectors involving the sapi_header_op function.

Published: 2007-02-13T23:00:00.000Z
Updated: 2024-08-07T12:34:21.309Z

Multiple buffer overflows in PHP before 5.2.1 allow attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors in the (1) session, (2) zip, (3) imap, and (4) sqlite extensions; (5) stream filters; and the (6) str_replace, (7) mail, (8) ibase_delete_user, (9) ibase_add_user, and (10) ibase_modify_user functions. NOTE: vector 6 might actually be an integer overflow (CVE-2007-1885). NOTE: as of 20070411, vector (3) might involve the imap_mail_compose function (CVE-2007-1825).

Published: 2007-02-13T23:00:00.000Z
Updated: 2024-08-07T12:34:21.285Z

PHP before 5.2.1 allows attackers to bypass safe_mode and open_basedir restrictions via unspecified vectors in the session extension. NOTE: it is possible that this issue is a duplicate of CVE-2006-6383.

Published: 2007-02-13T23:00:00.000Z
Updated: 2024-08-07T12:34:21.251Z

PHP before 5.3.4 accepts the \0 character in a pathname, which might allow context-dependent attackers to bypass intended access restrictions by placing a safe file extension after this character, as demonstrated by .php\0.jpg at the end of the argument to the file_exists function.

Published: 2011-01-18T19:00:00.000Z
Updated: 2024-08-07T20:57:41.063Z

Race condition in the symlink function in PHP 5.1.6 and earlier allows local users to bypass the open_basedir restriction by using a combination of symlink, mkdir, and unlink functions to change the file path after the open_basedir check and before the file is opened by the underlying system, as demonstrated by symlinking a symlink into a subdirectory, to point to a parent directory via .. (dot dot) sequences, and then unlinking the resulting symlink.

Published: 2006-10-06T00:00:00.000Z
Updated: 2024-08-07T19:41:04.388Z

Integer overflow in PHP 5 up to 5.1.6 and 4 before 4.3.0 allows remote attackers to execute arbitrary code via an argument to the unserialize PHP function with a large value for the number of array elements, which triggers the overflow in the Zend Engine ecalloc function (Zend/zend_alloc.c).

Published: 2006-10-09T18:00:00.000Z
Updated: 2024-08-07T19:23:41.021Z

PHP 4.x up to 4.4.4 and PHP 5 up to 5.1.6 allows local users to bypass certain Apache HTTP Server httpd.conf options, such as safe_mode and open_basedir, via the ini_restore function, which resets the values to their php.ini (Master Value) defaults.

Published: 2006-09-12T16:00:00.000Z
Updated: 2024-08-07T19:14:47.764Z

PHP before 4.4.3 and 5.x before 5.1.4 does not limit the character set of the session identifier (PHPSESSID) for third party session handlers, which might make it easier for remote attackers to exploit other vulnerabilities by inserting PHP code into the PHPSESSID, which is stored in the session file. NOTE: it could be argued that this not a vulnerability in PHP itself, rather a design limitation that enables certain attacks against session handlers that do not account for this limitation.

Published: 2006-08-29T00:00:00.000Z
Updated: 2024-08-07T19:06:07.663Z

scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows context-dependent attackers to execute arbitrary code via a sscanf PHP function call that performs argument swapping, which increments an index past the end of an array and triggers a buffer over-read.

Published: 2006-08-08T20:00:00.000Z
Updated: 2024-08-07T18:57:43.862Z

zend_hash_del_key_or_index in zend_hash.c in PHP before 4.4.3 and 5.x before 5.1.3 can cause zend_hash_del to delete the wrong element, which prevents a variable from being unset even when the PHP unset function is called, which might cause the variable's value to be used in security-relevant operations.

Published: 2006-06-14T23:00:00.000Z
Updated: 2024-08-07T18:16:05.512Z

The copy function in file.c in PHP 4.4.2 and 5.1.2 allows local users to bypass safe mode and read arbitrary files via a source argument containing a compress.zlib:// URI.

Published: 2006-04-10T19:00:00.000Z
Updated: 2024-08-07T17:19:48.728Z

Directory traversal vulnerability in file.c in PHP 4.4.2 and 5.1.2 allows local users to bypass open_basedir restrictions allows remote attackers to create files in arbitrary directories via the tempnam function.

Published: 2006-04-10T19:00:00.000Z
Updated: 2024-08-07T17:12:22.139Z

PHP 4 (PHP4) allows attackers to cause a denial of service (daemon crash) by using the readfile function on a file whose size is a multiple of the page size.

Published: 2005-03-01T05:00:00.000Z
Updated: 2024-09-16T17:42:45.659Z

PHP 4.0 with cURL functions allows remote attackers to bypass the open_basedir setting and read arbitrary files via a file: URL argument to the curl_init function.

Published: 2005-02-06T05:00:00.000Z
Updated: 2024-08-08T00:46:12.551Z

Buffer overflow in the exif_read_data function in PHP before 4.3.10 and PHP 5.x up to 5.0.2 allows remote attackers to execute arbitrary code via a long section name in an image file.

Published: 2004-12-22T05:00:00.000Z
Updated: 2024-08-08T00:39:00.815Z

The deserialization code in PHP before 4.3.10 and PHP 5.x up to 5.0.2 allows remote attackers to cause a denial of service and execute arbitrary code via untrusted data to the unserialize function that may trigger "information disclosure, double-free and negative reference index array underflow" results.

Published: 2004-12-22T05:00:00.000Z
Updated: 2024-08-08T00:39:00.862Z

The strip_tags function in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, does not filter null (\0) characters within tag names when restricting input to allowed tags, which allows dangerous tags to be processed by web browsers such as Internet Explorer and Safari, which ignore null characters and facilitate the exploitation of cross-site scripting (XSS) vulnerabilities.

Published: 2004-07-16T04:00:00.000Z
Updated: 2024-08-08T00:24:26.176Z

Integer overflows in (1) base64_encode and (2) the GD library for PHP before 4.3.3 have unknown impact and unknown attack vectors.

Published: 2003-10-15T04:00:00.000Z
Updated: 2024-08-08T02:05:12.633Z

Buffer overflows in PHP before 4.3.3 have unknown impact and unknown attack vectors.

Published: 2003-10-15T04:00:00.000Z
Updated: 2024-08-08T02:05:12.618Z

Integer signedness error in emalloc() function for PHP before 4.3.2 allow remote attackers to cause a denial of service (memory consumption) and possibly execute arbitrary code via negative arguments to functions such as (1) socket_recv, (2) socket_recvfrom, and possibly other functions.

Published: 2003-03-27T05:00:00.000Z
Updated: 2024-08-08T01:43:36.054Z

php.exe in PHP 3.0 through 4.2.2, when running on Apache, does not terminate properly, which allows remote attackers to cause a denial of service via a direct request without arguments.

Published: 2007-10-26T19:00:00.000Z
Updated: 2024-09-17T03:23:18.970Z

The imap_header function in the IMAP functionality for PHP before 4.3.0 allows remote attackers to cause a denial of service via an e-mail message with a large number of "To" addresses, which triggers an error in the rfc822_write_address function.

Published: 2006-06-14T22:00:00.000Z
Updated: 2024-08-08T03:59:10.674Z

The mail function in PHP 4.x to 4.2.2 does not filter ASCII control characters from its arguments, which could allow remote attackers to modify mail message content, including mail headers, and possibly use PHP as a "spam proxy."

Published: 2004-09-01T04:00:00.000Z
Updated: 2024-08-08T03:12:16.696Z

move_uploaded_file in PHP does not does not check for the base directory (open_basedir), which could allow remote attackers to upload files to unintended locations on the system.

Published: 2003-04-02T05:00:00.000Z
Updated: 2024-08-08T02:49:28.591Z

PHP, when not configured with the "display_errors = Off" setting in php.ini, allows remote attackers to obtain the physical path for an include file via a trailing slash in a request to a directly accessible PHP program, which modifies the base path, causes the include directive to fail, and produces an error message that contains the path.

Published: 2002-05-03T04:00:00.000Z
Updated: 2024-08-08T02:42:28.568Z

Safe Mode feature (safe_mode) in PHP 3.0 through 4.1.0 allows attackers with access to the MySQL database to bypass Safe Mode access restrictions and read arbitrary files using "LOAD DATA INFILE LOCAL" SQL statements.

Published: 2002-05-03T04:00:00.000Z
Updated: 2024-08-08T02:42:28.924Z

The Apache module for PHP 4.0.0 through PHP 4.0.4, when disabled with the 'engine = off' option for a virtual host, may disable PHP for other virtual hosts, which could cause Apache to serve the source code of PHP scripts.

Published: 2003-04-02T05:00:00.000Z
Updated: 2024-08-08T04:51:08.293Z

PHP Apache module 4.0.4 and earlier allows remote attackers to bypass .htaccess access restrictions via a malformed HTTP request on an unrestricted page that causes PHP to use those access controls on the next page that is requested.

Published: 2001-09-18T04:00:00.000Z
Updated: 2024-08-08T04:06:55.467Z

PHP 3 and 4 do not properly cleanse user-injected format strings, which allows remote attackers to execute arbitrary commands by triggering error messages that are improperly written to the error logs.

Published: 2001-01-22T05:00:00.000Z
Updated: 2024-08-08T05:37:32.006Z

The file upload capability in PHP versions 3 and 4 allows remote attackers to read arbitrary files by setting hidden form fields whose names match the names of internal PHP script variables.

Published: 2001-01-22T05:00:00.000Z
Updated: 2024-08-08T05:37:30.522Z