CVE-2006-4020 - PHP sscanf() buffer over-read via argument swapping
Attack vector | UNKNOWN |
Attack complexity | UNKNOWN |
Privileges required | UNKNOWN |
Confidentiality impact | UNKNOWN |
Integrity impact | UNKNOWN |
Availability impact | UNKNOWN |
Summary
scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows context-dependent attackers to execute arbitrary code via a sscanf PHP function call that performs argument swapping, which increments an index past the end of an array and triggers a buffer over-read.
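What "argument swapping" means in the summary, and why a validated position is not enough, shown as a constructed C model added to this page. It is not PHP's ext/standard/scanf.c and not the EDB-2193 exploit: the function names (scan_positional, run_demo), the three-slot layout with a guard buffer, the `%s` / `%N$s` subset and the input string are all assumptions made for the illustration. PHP's sscanf() accepts the XPG3 `%N$` positional form; in the model the explicit N is checked against the number of output slots, but the index that advances after every conversion is not, which is one way to produce exactly the behaviour the summary describes: `%N$` pointing at the last output variable followed by one more sequential conversion reads one entry past the array. Because that array holds pointers to destinations, the over-read turns into a write through whatever pointer sits past the end, which is why an over-read is listed as arbitrary code execution.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TOKEN_MAX 31   /* destination buffers are 32 bytes: 31 chars + NUL */

/*
 * Minimal model of a scanf-style converter supporting plain "%s" and the
 * XPG3 positional form "%N$s". Each conversion copies one whitespace-
 * delimited token from "input" into the buffer whose address sits in
 * slots[idx]. "nslots" is how many slots the caller claims to have passed
 * (the analogue of PHP's count of output variables).
 *
 * strict == 0 : flawed logic. Only the explicit N in "%N$" is validated;
 *               the idx++ after each store is not, so a jump to the last
 *               legal slot plus one more sequential conversion loads
 *               slots[nslots], one past the claimed end.
 * strict == 1 : hardened logic, bounds-checking idx before every load.
 *
 * Returns the number of conversions stored, or -1 for a rejected format.
 */
static int scan_positional(const char *input, const char *fmt,
                           char *slots[], int nslots, int strict)
{
    const char *in = input;
    int idx = 0;          /* slot the next conversion is stored into */
    int stored = 0;

    for (const char *p = fmt; *p; p++) {
        if (*p != '%') {
            if (isspace((unsigned char)*p))
                continue;                        /* whitespace in fmt is ignored */
            while (isspace((unsigned char)*in))
                in++;
            if (*in != *p)
                return stored;                   /* literal mismatch: stop */
            in++;
            continue;
        }
        p++;
        if (isdigit((unsigned char)*p)) {        /* possible "%N$" prefix */
            const char *q = p;
            int n = 0;
            while (isdigit((unsigned char)*q) && n < 100000)
                n = n * 10 + (*q++ - '0');
            if (*q == '$') {
                if (n < 1 || n > nslots)         /* both variants check N */
                    return -1;
                idx = n - 1;                     /* argument swapping */
                p = q + 1;
            }
        }
        if (*p != 's')
            return -1;                           /* only %s in this model */

        if (strict && idx >= nslots)             /* the check the flawed path lacks */
            return -1;

        while (isspace((unsigned char)*in))
            in++;
        if (*in == '\0')
            return stored;                       /* input exhausted */

        char *dst = slots[idx];   /* over-read of slots[] when idx >= nslots */
        size_t len = 0;
        while (in[len] && !isspace((unsigned char)in[len]) && len < TOKEN_MAX)
            len++;
        memcpy(dst, in, len);     /* write through whatever pointer was fetched */
        dst[len] = '\0';
        in += len;
        idx++;                    /* "increments an index past the end" */
        stored++;
    }
    return stored;
}

/*
 * Demo layout: three buffers the caller says it passed, plus a "guard"
 * buffer whose pointer sits immediately after them. The guard stands in
 * for whatever lies past the real argument array; here it is a buffer we
 * can inspect instead of an arbitrary pointer.
 */
struct demo {
    char a[32], b[32], c[32], guard[32];
    char *slots[4];
};

/* Runs the scan with the caller claiming 3 slots and copies the guard's
 * final contents to guard_out so the caller can see whether it was hit. */
static int run_demo(int strict, char *guard_out, size_t guard_len)
{
    struct demo d;
    memset(&d, 0, sizeof d);
    d.slots[0] = d.a;
    d.slots[1] = d.b;
    d.slots[2] = d.c;
    d.slots[3] = d.guard;                        /* one past the claimed end */
    strcpy(d.guard, "untouched");

    /* "%3$s" jumps to the last legal slot; the following "%s" is the
       sequential conversion that lands on slots[3]. Input is constructed. */
    int rc = scan_positional("alpha beta gamma", "%3$s %s", d.slots, 3, strict);
    snprintf(guard_out, guard_len, "%s", d.guard);
    return rc;
}

int main(void)
{
    char guard[32];
    int rc;

    rc = run_demo(0, guard, sizeof guard);
    printf("flawed  : rc=%d guard=\"%s\"\n", rc, guard);  /* rc=2 guard="beta" */
    rc = run_demo(1, guard, sizeof guard);
    printf("hardened: rc=%d guard=\"%s\"\n", rc, guard);  /* rc=-1 guard="untouched" */
    return 0;
}
```

The point to take from the model is that the explicit position was never the problem: `%9$s` with three variables is rejected by both variants. What has to be checked is the index the converter derives for itself after a positional jump, before every load from the argument array.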
Vulnerable Configurations
Exploit-Db
description | PHP <= 4.4.3 / 5.1.4 (sscanf) Local Buffer Overflow Exploit. CVE-2006-4020. Local exploit for linux platform |
id | EDB-ID:2193 |
last seen | 2016-01-31 |
modified | 2006-08-16 |
published | 2006-08-16 |
reporter | Andi |
source | https://www.exploit-db.com/download/2193/ |
title | PHP <= 4.4.3 / 5.1.4 sscanf Local Buffer Overflow Exploit |
Nessus
NASL family | SuSE Local Security Checks |
NASL id | SUSE_SA_2006_052.NASL |
description | The remote host is missing the patch for the advisory SUSE-SA:2006:052 (php4,php5). Various security problems have been fixed in the PHP script language engine and its modules, versions 4 and 5. The PHP4 updated packages were released on September 12, the PHP5 update packages were released on September 20. The following security problems were fixed, with respective Mitre CVE ID: - The CURL module lacked checks for control characters (CVE-2006-2563) - A potential basedir evasion in the CURL module (CVE-2006-4483) - basedir and safemode evasion in the IMAP module (CVE-2006-4481) - str_repeat() contained an integer overflow (CVE-2006-4482) - GIF LZWReadByte overflow in the GD extension (CVE-2006-4484) - ext/wddx contained a buffer overflow - memory_limit() lacked checks for integer overflows - fixed memory overflow in foreach (CVE-2006-4482) - a bug in sscanf() could potentially be exploited to execute arbitrary code (CVE-2006-4020) |
last seen | 2019-10-28 |
modified | 2007-02-18 |
plugin id | 24430 |
published | 2007-02-18 |
reporter | This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/24430 |
title | SUSE-SA:2006:052: php4,php5 |
code |
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# This plugin text was extracted from SuSE Security Advisory SUSE-SA:2006:052
#

if ( ! defined_func("bn_random") ) exit(0);
include("compat.inc");

if(description)
{
 script_id(24430);
 script_version ("1.9");
 name["english"] = "SUSE-SA:2006:052: php4,php5";
 script_name(english:name["english"]);

 script_set_attribute(attribute:"synopsis", value:
"The remote host is missing a vendor-supplied security patch" );
 script_set_attribute(attribute:"description", value:
"The remote host is missing the patch for the advisory SUSE-SA:2006:052 (php4,php5). Various security problems have been fixed in the PHP script language engine and its modules, versions 4 and 5. The PHP4 updated packages were released on September 12, the PHP5 update packages were released on September 20. The following security problems were fixed, with respective Mitre CVE ID: - The CURL module lacked checks for control characters (CVE-2006-2563) - A potential basedir evasion in the CURL module (CVE-2006-4483) - basedir and safemode evasion in the IMAP module (CVE-2006-4481) - str_repeat() contained an integer overflow (CVE-2006-4482) - GIF LZWReadByte overflow in the GD extension (CVE-2006-4484) - ext/wddx contained a buffer overflow - memory_limit() lacked checks for integer overflows - fixed memory overflow in foreach (CVE-2006-4482) - a bug in sscanf() could potentially be exploited to execute arbitrary code (CVE-2006-4020)" );
 script_set_attribute(attribute:"solution", value:
"http://www.novell.com/linux/security/advisories/2006_52_php.html" );
 script_set_attribute(attribute:"risk_factor", value:"Medium" );
 script_set_attribute(attribute:"plugin_publication_date", value: "2007/02/18");
 script_end_attributes();

 summary["english"] = "Check for the version of the php4,php5 package";
 script_summary(english:summary["english"]);

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
 family["english"] = "SuSE Local Security Checks";
 script_family(english:family["english"]);

 script_dependencies("ssh_get_info.nasl");
 script_require_keys("Host/SuSE/rpm-list");
 exit(0);
}

include("rpm.inc");

# One rpm_check() per package the advisory ships. rpm_check() compares the
# installed RPM against the fixed release for that SUSE version; the first
# package found below the fixed release reports the host and the plugin stops.
if ( rpm_check( reference:"apache2-mod_php4-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"apache2-mod_php5-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-curl-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-devel-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-exif-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-fastcgi-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-gd-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-imap-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-mbstring-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-pgsql-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-servlet-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-session-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-unixODBC-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-wddx-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-bcmath-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-curl-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-devel-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-dom-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-exif-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-fastcgi-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-ftp-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-gd-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-iconv-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-imap-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-ldap-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-mbstring-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-mysql-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-mysqli-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-pear-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-pgsql-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-soap-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-wddx-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-xmlrpc-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"apache2-mod_php4-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"mod_php4-servlet-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-curl-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-devel-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-exif-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-fastcgi-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-gd-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-imap-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-mbstring-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-pear-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-pgsql-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-session-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-sysvshm-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-wddx-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"apache2-mod_php4-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"apache2-mod_php5-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"mod_php4-servlet-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-curl-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-devel-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-exif-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-fastcgi-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-gd-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-imap-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-mbstring-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-pear-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-pgsql-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-session-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-sysvshm-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php4-wddx-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-bcmath-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-curl-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-dba-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-devel-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-dom-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-exif-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-fastcgi-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-ftp-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-gd-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-iconv-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-imap-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-ldap-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-mbstring-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-mysql-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-mysqli-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-pear-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-pgsql-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-soap-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-wddx-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); }
if ( rpm_check( reference:"php5-xmlrpc-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); }
NASL family | CGI abuses |
NASL id | PHP_4_4_4.NASL |
description | According to its banner, the version of PHP installed on the remote host is older than 4.4.4. As such, it is potentially affected by the following vulnerabilities : - The c-client library 2000, 2001, or 2004 for PHP does not enforce the safe_mode or open_basedir settings. (CVE-2006-1017) - A buffer overflow exists in the sscanf function. (CVE-2006-4020) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 17710 |
published | 2011-11-18 |
reporter | This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/17710 |
title | PHP < 4.4.4 Multiple Vulnerabilities |

NASL family | CentOS Local Security Checks |
NASL id | CENTOS_RHSA-2006-0669.NASL |
description | Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A response-splitting issue was discovered in the PHP session handling. If a remote attacker can force a carefully crafted session identifier to be used, a cross-site-scripting or response-splitting attack could be possible. (CVE-2006-3016) A buffer overflow was discovered in the PHP sscanf() function. If a script used the sscanf() function with positional arguments in the format string, a remote attacker sending a carefully crafted request could execute arbitrary code as the |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 22423 |
published | 2006-09-22 |
reporter | This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/22423 |
title | CentOS 3 / 4 : php (CESA-2006:0669) |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2006-0682.NASL |
description | Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A response-splitting issue was discovered in the PHP session handling. If a remote attacker can force a carefully crafted session identifier to be used, a cross-site-scripting or response-splitting attack could be possible. (CVE-2006-3016) A buffer overflow was discovered in the PHP sscanf() function. If a script used the sscanf() function with positional arguments in the format string, a remote attacker sending a carefully crafted request could execute arbitrary code as the |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 22444 |
published | 2006-09-22 |
reporter | This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/22444 |
title | RHEL 2.1 : php (RHSA-2006:0682) |

NASL family | Ubuntu Local Security Checks |
NASL id | UBUNTU_USN-342-1.NASL |
description | The sscanf() function did not properly check array boundaries. In applications which use sscanf() with argument swapping, a remote attacker could potentially exploit this to crash the affected web application or even execute arbitrary code with the application |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 27921 |
published | 2007-11-10 |
reporter | Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/27921 |
title | Ubuntu 5.04 / 5.10 / 6.06 LTS : php4, php5 vulnerabilities (USN-342-1) |

NASL family | CGI abuses |
NASL id | PHP_5_1_5.NASL |
description | According to its banner, the version of PHP 5.x installed on the remote host is older than 5.1.5. Such versions may be affected by the following vulnerabilities : - The c-client library 2000, 2001, or 2004 for PHP does not enforce the safe_mode or open_basedir settings. (CVE-2006-1017) - A buffer overflow exists in the sscanf function. (CVE-2006-4020) - The file_exists and imap_reopen functions do not check for the safe_mode and open_basedir settings, which allows local users to bypass the settings. (CVE-2006-4481) - Multiple heap-based buffer overflows exist in the str_repeat and wordwrap functions in ext/standard/string.c. (CVE-2006-4482) - The cURL extension permits the CURLOPT_FOLLOWLOCATION option when open_basedir or safe_mode is enabled, which allows attackers to perform unauthorized actions. (CVE-2006-4483) - A buffer overflow vulnerability exists in the LWZReadByte_ function in ext/gd/libgd/gd_gif_in.c in the GD extension. (CVE-2006-4484) - The stripos function is affected by an out-of-bounds read. (CVE-2006-4485) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 17713 |
published | 2011-11-18 |
reporter | This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/17713 |
title | PHP 5.1.x < 5.1.5 Multiple Vulnerabilities |

NASL family | Mandriva Local Security Checks |
NASL id | MANDRAKE_MDKSA-2006-144.NASL |
description | A vulnerability was discovered in the sscanf function that could allow attackers in certain circumstances to execute arbitrary code via argument swapping which incremented an index past the end of an array and triggered a buffer over-read. Updated packages have been patched to correct these issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 23893 |
published | 2006-12-16 |
reporter | This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/23893 |
title | Mandrake Linux Security Advisory : php (MDKSA-2006:144) |

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2006-1024.NASL |
description | This update includes the latest upstream release of PHP 5.1, version 5.1.6, fixing a number of security vulnerabilities, and other bugs. An integer overflow was discovered in the PHP memory handling routines. If a script can cause memory allocation based on untrusted user data, a remote attacker sending a carefully crafted request could execute arbitrary code as the |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 24032 |
published | 2007-01-17 |
reporter | This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/24032 |
title | Fedora Core 5 : php-5.1.6-1.1 (2006-1024) |

NASL family | Oracle Linux Local Security Checks |
NASL id | ORACLELINUX_ELSA-2006-0730.NASL |
description | Updated PHP packages that fix a security issue are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues. These packages also contain a fix for a bug where certain input strings to the metaphone() function could cause memory corruption. From Red Hat Security Advisory 2006:0730 : The Hardened-PHP Project discovered an overflow in the PHP htmlentities() and htmlspecialchars() routines. If a PHP script used the vulnerable functions to parse UTF-8 data, a remote attacker sending a carefully crafted request could trigger the overflow and potentially execute arbitrary code as the |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 67421 |
published | 2013-07-12 |
reporter | This script is Copyright (C) 2013-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/67421 |
title | Oracle Linux 4 : php (ELSA-2006-0730 / ELSA-2006-0669) |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2006-0669.NASL |
description | Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A response-splitting issue was discovered in the PHP session handling. If a remote attacker can force a carefully crafted session identifier to be used, a cross-site-scripting or response-splitting attack could be possible. (CVE-2006-3016) A buffer overflow was discovered in the PHP sscanf() function. If a script used the sscanf() function with positional arguments in the format string, a remote attacker sending a carefully crafted request could execute arbitrary code as the |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 22443 |
published | 2006-09-22 |
reporter | This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/22443 |
title | RHEL 3 / 4 : php (RHSA-2006:0669) |

NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-200608-28.NASL |
description | The remote host is affected by the vulnerability described in GLSA-200608-28 (PHP: Arbitary code execution) The sscanf() PHP function contains an array boundary error that can be exploited to dereference a NULL pointer. This can possibly allow the bypass of the safe mode protection by executing arbitrary code. Impact : A remote attacker might be able to exploit this vulnerability in PHP applications making use of the sscanf() function, potentially resulting in the execution of arbitrary code or the execution of scripted contents in the context of the affected site. Workaround : There is no known workaround at this time. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 22290 |
published | 2006-08-30 |
reporter | This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/22290 |
title | GLSA-200608-28 : PHP: Arbitary code execution |

NASL family | SuSE Local Security Checks |
NASL id | SUSE_APACHE2-MOD_PHP5-2039.NASL |
description | - the CURL module lacked checks for control characters (CVE-2006-2563) - str_repeat() contained an integer overflow - ext/wddx contained a buffer overflow - memory_limit() lacked checks for integer overflows - a bug in sscanf() could potentially be exploited to execute arbitrary code (CVE-2006-4020) - an uninitialized variable caused apache to crash during startup - corrupt gif images could crash php |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 27146 |
published | 2007-10-17 |
reporter | This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/27146 |
title | openSUSE 10 Security Update : apache2-mod_php5 (apache2-mod_php5-2039) |

NASL family | SuSE Local Security Checks |
NASL id | SUSE_APACHE2-MOD_PHP5-2102.NASL |
description | - the CURL module lacked checks for control characters (CVE-2006-2563) - str_repeat() contained an integer overflow - ext/wddx contained a buffer overflow - memory_limit() lacked checks for integer overflows - a bug in sscanf() could potentially be exploited to execute arbitrary code. (CVE-2006-4020) - an uninitialized variable caused apache to crash during startup - corrupt gif images could crash php |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 29374 |
published | 2007-12-13 |
reporter | This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/29374 |
title | SuSE 10 Security Update : PHP5 (ZYPP Patch Number 2102) |
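The banner test that the PHP_4_4_4.NASL and PHP_5_1_5.NASL entries above perform, written out as an added C example. It is not Tenable's plugin code: the function names php_sscanf_vulnerable, php_banner_version and the helpers are mine, and the banner string is constructed. The version is pulled apart with the C library's sscanf and a fixed "%d.%d.%d" format, and then compared against the upstream fixed releases (4.4.4 on the 4.x branch, 5.1.5 on the 5.x branch). The SUSE entries above are the reason for the caveat in the comments: distribution packages such as php4-4.4.0-6.18 carry the fix as a backport without changing the banner, so a hit from this check means "read the package changelog", not "exposed".

```c
#include <stdio.h>
#include <string.h>

/* Parse "X.Y.Z" (anything may follow: "-6.18", "RC1", " (cli) ...") into
 * three ints. Returns 1 on success, 0 if the text does not start with three
 * dot-separated numbers. */
static int parse_version(const char *s, int v[3])
{
    return sscanf(s, "%d.%d.%d", &v[0], &v[1], &v[2]) == 3;
}

/* Component-wise compare of two parsed versions: <0, 0 or >0. */
static int version_cmp(const int a[3], const int b[3])
{
    for (int i = 0; i < 3; i++)
        if (a[i] != b[i])
            return a[i] < b[i] ? -1 : 1;
    return 0;
}

/* The banner test: 1 if "version" is inside the range the advisory names
 * (4.x before 4.4.4, 5.x before 5.1.5), 0 if outside it, -1 if unparsable.
 * A 1 is a lead, not a verdict: vendor packages frequently backport the
 * fix without bumping the version (e.g. SUSE's php4-4.4.0-6.18 above). */
int php_sscanf_vulnerable(const char *version)
{
    static const int fix4[3] = {4, 4, 4};
    static const int fix5[3] = {5, 1, 5};
    int v[3];

    if (!parse_version(version, v))
        return -1;
    if (v[0] == 4)
        return version_cmp(v, fix4) < 0;
    if (v[0] == 5)
        return version_cmp(v, fix5) < 0;
    return 0;                /* other branches are outside the advisory */
}

/* Locate the version text in the first line of "php -v" output, which
 * looks like "PHP 5.1.4 (cli) (built: ...)". Returns a pointer into the
 * banner just past "PHP ", or NULL if the line is not a PHP banner. */
const char *php_banner_version(const char *banner)
{
    if (strncmp(banner, "PHP ", 4) != 0)
        return NULL;
    return banner + 4;
}

int main(void)
{
    /* Constructed sample of a php -v first line; not captured from a host. */
    const char *banner = "PHP 5.1.4 (cli) (built: Aug  4 2006 10:00:00)";
    const char *ver = php_banner_version(banner);
    int rc = ver ? php_sscanf_vulnerable(ver) : -1;

    if (rc == 1)
        printf("banner %s: inside the affected range; check the package changelog for a backported fix\n", ver);
    else if (rc == 0)
        printf("banner %s: outside the affected range\n", ver);
    else
        printf("could not parse a PHP version from: %s\n", banner);
    return 0;
}
```

On a real host the same logic is usually fed from the rpm or dpkg database rather than the banner, which is what the SuSE_SA and RHSA plugins above do with rpm_check(): the package release string carries the vendor's fix level, the banner does not.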
Oval
accepted | 2013-04-29T04:11:12.491-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows context-dependent attackers to execute arbitrary code via a sscanf PHP function call that performs argument swapping, which increments an index past the end of an array and triggers a buffer over-read. |
family | unix |
id | oval:org.mitre.oval:def:11062 |
status | accepted |
submitted | 2010-07-09T03:56:16-04:00 |
title | scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows context-dependent attackers to execute arbitrary code via a sscanf PHP function call that performs argument swapping, which increments an index past the end of an array and triggers a buffer over-read. |
version | 26 |
Redhat
advisories | |
rpms | |
References
- ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc
- http://bugs.php.net/bug.php?id=38322
- http://rhn.redhat.com/errata/RHSA-2006-0688.html
- http://rhn.redhat.com/errata/RHSA-2006-0736.html
- http://secunia.com/advisories/21403
- http://secunia.com/advisories/21467
- http://secunia.com/advisories/21546
- http://secunia.com/advisories/21608
- http://secunia.com/advisories/21683
- http://secunia.com/advisories/21768
- http://secunia.com/advisories/21847
- http://secunia.com/advisories/22004
- http://secunia.com/advisories/22039
- http://secunia.com/advisories/22069
- http://secunia.com/advisories/22440
- http://secunia.com/advisories/22487
- http://secunia.com/advisories/22538
- http://secunia.com/advisories/23247
- http://security.gentoo.org/glsa/glsa-200608-28.xml
- http://securityreason.com/securityalert/1341
- http://securitytracker.com/id?1016984
- http://support.avaya.com/elmodocs2/security/ASA-2006-221.htm
- http://support.avaya.com/elmodocs2/security/ASA-2006-222.htm
- http://support.avaya.com/elmodocs2/security/ASA-2006-223.htm
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:144
- http://www.novell.com/linux/security/advisories/2006_19_sr.html
- http://www.novell.com/linux/security/advisories/2006_20_sr.html
- http://www.novell.com/linux/security/advisories/2006_22_sr.html
- http://www.novell.com/linux/security/advisories/2006_52_php.html
- http://www.php.net/ChangeLog-5.php#5.1.5
- http://www.php.net/release_5_1_5.php
- http://www.plain-text.info/sscanf_bug.txt
- http://www.redhat.com/support/errata/RHSA-2006-0669.html
- http://www.redhat.com/support/errata/RHSA-2006-0682.html
- http://www.securityfocus.com/archive/1/442438/30/0/threaded
- http://www.securityfocus.com/bid/19415
- http://www.ubuntu.com/usn/usn-342-1
- http://www.vupen.com/english/advisories/2006/3193
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11062