CVE-2004-0958 - php_variables.c memory disclosure in PHP

CVSS 5.0 - MEDIUM (CVSS2 vector AV:N/AC:L/Au:N/C:P/I:N/A:N)
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE
Tags: network, low complexity, php, nessus, exploit available

Summary

php_variables.c in PHP before 5.0.2 allows remote attackers to read sensitive memory contents via (1) GET, (2) POST, or (3) COOKIE GPC variables that end in an open bracket character ('['), which causes PHP to calculate an incorrect string length. The fix shipped in PHP 5.0.2 and, for the 4.3 branch, 4.3.9.
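The summary gives the mechanism in one clause, so below is a constructed C model of that bug class, added for this page; it is not PHP's php_variables.c, not the Exploit-DB entry, and every name in it (register_variable, store_key, bucket_t, NEIGHBOUR) is an assumption made for illustration. The model assumes a registration routine that cuts the variable name at the first '[' by overwriting that byte with NUL and records the length up to that point; when no closing ']' follows, the '[' slot is rewritten to '_' and the name is stored with the stale length, so the stored key is one byte short of its terminator. A consumer that later treats the key as a C string (print_r or phpinfo output of the GPC arrays) reads past it into whatever follows in the heap. The fixed flag recomputes the length after the rewrite, which is the shape of correction this model assumes for 5.0.2 / 4.3.9. The NEIGHBOUR string stands in for adjacent heap data and lives in the same allocation, so the demonstrated over-read stays inside memory the program owns.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for whatever data happens to follow the key in the heap. */
#define NEIGHBOUR "SESSION=deadbeef"

typedef struct {
    char  *key;      /* exactly key_len bytes copied from the caller */
    size_t key_len;  /* caller is expected to count the NUL, Zend-style */
} bucket_t;

/* Hash-table insert that trusts the caller's length (assumed model, not zend_hash_update). */
static bucket_t store_key(const char *key, size_t key_len)
{
    bucket_t b;
    b.key_len = key_len;
    /* key bytes followed by constructed neighbour data in ONE allocation */
    b.key = malloc(key_len + sizeof NEIGHBOUR);
    memcpy(b.key, key, key_len);
    memcpy(b.key + key_len, NEIGHBOUR, sizeof NEIGHBOUR);
    return b;
}

static void free_bucket(bucket_t *b) { free(b->key); b->key = NULL; b->key_len = 0; }

/* 1 if a NUL lies within the bytes the caller asked to store. */
static int key_is_terminated(const bucket_t *b)
{
    return memchr(b->key, '\0', b->key_len) != NULL;
}

/* Bytes a consumer that treats the key as a C string would emit. */
static size_t consumer_visible_length(const bucket_t *b)
{
    return strlen(b->key);
}

/* Register one GPC variable name; fixed=0 keeps the stale length, fixed=1 recomputes it. */
static bucket_t register_variable(const char *var_name, int fixed)
{
    size_t n = strlen(var_name);
    char *var = malloc(n + 1);
    memcpy(var, var_name, n + 1);

    /* The name is cut at the first '[' by overwriting it with NUL. */
    char *p = var;
    int is_array = 0;
    for (; *p; p++) {
        if (*p == '[') { is_array = 1; *p = '\0'; break; }
    }
    size_t index_len = (size_t)(p - var);   /* length of the part before '[' */

    if (is_array) {
        char *index_s = p + 1;
        if (strchr(index_s, ']') == NULL) {
            /* No closing bracket: the '[' slot becomes '_', i.e. the very
               byte that index_len assumed was still the NUL terminator. */
            *(index_s - 1) = '_';
            if (fixed)
                index_len = strlen(var);    /* recompute after the rewrite */
        }
        /* a well-formed "name[idx]" would take an array path this model
           does not reproduce; the base name is stored as-is */
    }

    /* index_len + 1 is meant to include the terminator; the unfixed build
       now stores one byte too few, leaving the key unterminated. */
    bucket_t b = store_key(var, index_len + 1);
    free(var);
    return b;
}

/* Scalar wrappers so each property can be checked in isolation. */
static size_t demo_stored_length(const char *name, int fixed)
{
    bucket_t b = register_variable(name, fixed); size_t r = b.key_len; free_bucket(&b); return r;
}
static int demo_terminated(const char *name, int fixed)
{
    bucket_t b = register_variable(name, fixed); int r = key_is_terminated(&b); free_bucket(&b); return r;
}
static size_t demo_consumer_length(const char *name, int fixed)
{
    bucket_t b = register_variable(name, fixed); size_t r = consumer_visible_length(&b); free_bucket(&b); return r;
}

int main(void)
{
    const char *names[] = { "a", "a[b]", "a[", "a[b", "user[" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        for (int fixed = 0; fixed <= 1; fixed++)
            printf("%-5s %-6s stored=%zu terminated=%d consumer_sees=%zu bytes\n",
                   fixed ? "fixed" : "vuln", names[i],
                   demo_stored_length(names[i], fixed),
                   demo_terminated(names[i], fixed),
                   demo_consumer_length(names[i], fixed));
    return 0;
}
```

Only names ending in an unmatched '[' change the outcome: "a" and "a[b]" store a terminated key in both builds, while "a[" stores "a_" with no NUL in the unfixed build, so a C-string consumer emits the two key bytes plus the whole neighbour string.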

Vulnerable Configurations

Part         Description   Count
Application  Php           269

Exploit-Db

description: PHP 4.x/5.0.1 PHP_Variables Remote Memory Disclosure Vulnerability. CVE-2004-0958. Remote exploit for php platform
id: EDB-ID:24656
last seen: 2016-02-02
modified: 2004-09-15
published: 2004-09-15
reporter: Stefano Di Paola
source: https://www.exploit-db.com/download/24656/
title: PHP 4.x/5.0.1 PHP_Variables Remote Memory Disclosure Vulnerability

Nessus

  • NASL family: CGI abuses
    NASL id: PHP_MEM_DISCLOSURE.NASL
    description: The remote host is running a version of PHP that is older than 5.0.2 or 4.3.9. The remote version of this software is affected by a memory disclosure vulnerability in PHP_Variables. An attacker may exploit this flaw to remotely read portions of the memory of the httpd process on the remote host.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15436
    published: 2004-10-08
    reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15436
    title: PHP php_variables.c Multiple Variable Open Bracket Memory Disclosure
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if(description)
    {
      script_id(15436);
      script_version("1.20");
      script_cvs_date("Date: 2018/07/24 18:56:10");
    
      script_cve_id("CVE-2004-0958");
      script_bugtraq_id(11334);
    
      script_name(english:"PHP php_variables.c Multiple Variable Open Bracket Memory Disclosure");
      script_summary(english:"Checks for version of PHP");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote server is affected by an information disclosure 
    vulnerability."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The remote host is running a version of PHP that is older than 5.0.2
    or 4.3.9.
    
    The remote version of this software is affected by a memory disclosure
    vulnerability in PHP_Variables.  An attacker may exploit this flaw to
    remotely read portions of the memory of the httpd process on the
    remote host."
      );
      script_set_attribute(attribute:"see_also", value:"http://www.php.net/ChangeLog-5.php#5.0.2");
      script_set_attribute(attribute:"solution", value:"Upgrade to PHP 5.0.2 or 4.3.9.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/10/08");
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/09/15");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe",value:"cpe:/a:php:php");
      script_end_attributes();
    
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
    
      script_dependencies("php_version.nasl");
      script_require_ports("Services/www", 80);
      script_require_keys("www/PHP");
      exit(0);
    }
    
    #
    # The script code starts here
    #
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("audit.inc");
    include("webapp_func.inc");
    
    port = get_http_port(default:80, php:TRUE);
    
    php = get_php_from_kb(
      port : port,
      exit_on_fail : TRUE
    );
    
    version = php["ver"];
    source = php["src"];
    
    backported = get_kb_item('www/php/'+port+'/'+version+'/backported');
    
    if (report_paranoia < 2 && backported)
      audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install");
    
    if (version =~ "^[0-3]\." ||
        version =~ "^4\.[0-2]\." ||
        version =~ "^4\.3\.[0-8]($|[^0-9])" ||
        version =~ "^5\.0\.[01]($|[^0-9])"
    )
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Version source     : '+source +
          '\n  Installed version  : '+version+
          '\n  Fixed version      : 5.0.2 / 4.3.9\n';
        security_warning(port:port, extra:report);
      }
      else security_warning(port);
      exit(0);
    }
    else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2004-567.NASL
    description: This update includes the latest release of PHP 4.3, including fixes for security issues in the unserializer (CVE-2004-1019), exif image parsing (CVE-2004-1065), and form upload parsing (CVE-2004-0958 and CVE-2004-0959). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 16030
    published: 2004-12-23
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/16030
    title: Fedora Core 2 : php-4.3.10-2.4 (2004-567)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2004-687.NASL
    description: Updated php packages that fix various security issues and bugs are now available for Red Hat Enterprise Linux 3. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. Flaws including possible information disclosure, double free, and negative reference index array underflow were found in the deserialization code of PHP. PHP applications may use the unserialize function on untrusted user data, which could allow a remote attacker to gain access to memory or potentially execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1019 to this issue. A flaw in the exif extension of PHP was found which lead to a stack overflow. An attacker could create a carefully crafted image file in such a way that if parsed by a PHP script using the exif extension it could cause a crash or potentially execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1065 to this issue. An information disclosure bug was discovered in the parsing of
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 16041
    published: 2004-12-23
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/16041
    title: RHEL 3 : php (RHSA-2004:687)

Oval

accepted: 2013-04-29T04:09:28.221-04:00
class: vulnerability
contributors:
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions:
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 3
    oval: oval:org.mitre.oval:def:11782
  • comment: CentOS Linux 3.x
    oval: oval:org.mitre.oval:def:16651
description: php_variables.c in PHP before 5.0.2 allows remote attackers to read sensitive memory contents via (1) GET, (2) POST, or (3) COOKIE GPC variables that end in an open bracket character, which causes PHP to calculate an incorrect string length.
family: unix
id: oval:org.mitre.oval:def:10863
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: php_variables.c in PHP before 5.0.2 allows remote attackers to read sensitive memory contents via (1) GET, (2) POST, or (3) COOKIE GPC variables that end in an open bracket character, which causes PHP to calculate an incorrect string length.
version: 26

Redhat

advisories:
  rhsa id: RHSA-2004:687
  rpms:
    • php-0:4.3.2-19.ent
    • php-debuginfo-0:4.3.2-19.ent
    • php-devel-0:4.3.2-19.ent
    • php-imap-0:4.3.2-19.ent
    • php-ldap-0:4.3.2-19.ent
    • php-mysql-0:4.3.2-19.ent
    • php-odbc-0:4.3.2-19.ent
    • php-pgsql-0:4.3.2-19.ent

Note that these RHEL 3 packages keep the 4.3.2 version string and carry the fix as a backport, so a banner-only version check (including the Nessus plugin above when its backported key is not honoured) will report them as vulnerable; confirm the installed package release (4.3.2-19.ent or later) rather than the PHP version alone.