Vulnerabilities > CVE-2006-4020 - Unspecified vulnerability in PHP
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows context-dependent attackers to execute arbitrary code via a sscanf PHP function call that performs argument swapping, which increments an index past the end of an array and triggers a buffer over-read.
Vulnerable Configurations
Exploit-Db
| description | PHP <= 4.4.3 / 5.1.4 (sscanf) Local Buffer Overflow Exploit. CVE-2006-4020. Local exploit for linux platform |
| id | EDB-ID:2193 |
| last seen | 2016-01-31 |
| modified | 2006-08-16 |
| published | 2006-08-16 |
| reporter | Andi |
| source | https://www.exploit-db.com/download/2193/ |
| title | PHP <= 4.4.3 / 5.1.4 sscanf Local Buffer Overflow Exploit |
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_SA_2006_052.NASL description The remote host is missing the patch for the advisory SUSE-SA:2006:052 (php4,php5). Various security problems have been fixed in the PHP script language engine and its modules, versions 4 and 5. The PHP4 updated packages were released on September 12, the PHP5 update packages were released on September 20. The following security problems were fixed, with respective Mitre CVE ID: - The CURL module lacked checks for control characters (CVE-2006-2563) - A potential basedir evasion in the CURL module (CVE-2006-4483) - basedir and safemode evasion in the IMAP module (CVE-2006-4481) - str_repeat() contained an integer overflow (CVE-2006-4482) - GIF LZWReadByte overflow in the GD extension (CVE-2006-4484) - ext/wddx contained a buffer overflow - memory_limit() lacked checks for integer overflows - fixed memory overflow in foreach (CVE-2006-4482) - a bug in sscanf() could potentially be exploited to execute arbitrary code (CVE-2006-4020) last seen 2019-10-28 modified 2007-02-18 plugin id 24430 published 2007-02-18 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24430 title SUSE-SA:2006:052: php4,php5 code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # This plugin text was extracted from SuSE Security Advisory SUSE-SA:2006:052 # if ( ! defined_func("bn_random") ) exit(0); include("compat.inc"); if(description) { script_id(24430); script_version ("1.9"); name["english"] = "SUSE-SA:2006:052: php4,php5"; script_name(english:name["english"]); script_set_attribute(attribute:"synopsis", value: "The remote host is missing a vendor-supplied security patch" ); script_set_attribute(attribute:"description", value: "The remote host is missing the patch for the advisory SUSE-SA:2006:052 (php4,php5). Various security problems have been fixed in the PHP script language engine and its modules, versions 4 and 5. The PHP4 updated packages were released on September 12, the PHP5 update packages were released on September 20. The following security problems were fixed, with respective Mitre CVE ID: - The CURL module lacked checks for control characters (CVE-2006-2563) - A potential basedir evasion in the CURL module (CVE-2006-4483) - basedir and safemode evasion in the IMAP module (CVE-2006-4481) - str_repeat() contained an integer overflow (CVE-2006-4482) - GIF LZWReadByte overflow in the GD extension (CVE-2006-4484) - ext/wddx contained a buffer overflow - memory_limit() lacked checks for integer overflows - fixed memory overflow in foreach (CVE-2006-4482) - a bug in sscanf() could potentially be exploited to execute arbitrary code (CVE-2006-4020)" ); script_set_attribute(attribute:"solution", value: "http://www.novell.com/linux/security/advisories/2006_52_php.html" ); script_set_attribute(attribute:"risk_factor", value:"Medium" ); script_set_attribute(attribute:"plugin_publication_date", value: "2007/02/18"); script_end_attributes(); summary["english"] = "Check for the version of the php4,php5 package"; script_summary(english:summary["english"]); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); family["english"] = "SuSE Local Security Checks"; script_family(english:family["english"]); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/SuSE/rpm-list"); exit(0); } include("rpm.inc"); if ( rpm_check( reference:"apache2-mod_php4-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"apache2-mod_php5-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-curl-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-devel-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-exif-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-fastcgi-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-gd-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-imap-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-mbstring-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-pgsql-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-servlet-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-session-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-unixODBC-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-wddx-4.4.0-6.18", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-bcmath-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-curl-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-devel-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-dom-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-exif-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-fastcgi-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-ftp-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-gd-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-iconv-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-imap-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-ldap-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-mbstring-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-mysql-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-mysqli-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-pear-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-pgsql-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-soap-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-wddx-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-xmlrpc-5.0.4-9.17", release:"SUSE10.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"apache2-mod_php4-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"mod_php4-servlet-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-curl-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-devel-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-exif-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-fastcgi-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-gd-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-imap-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-mbstring-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-pear-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-pgsql-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-session-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-sysvshm-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-wddx-4.3.8-8.31", release:"SUSE9.2") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"apache2-mod_php4-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"apache2-mod_php5-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"mod_php4-servlet-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-curl-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-devel-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-exif-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-fastcgi-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-gd-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-imap-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-mbstring-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-pear-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-pgsql-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-session-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-sysvshm-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php4-wddx-4.3.10-14.28", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-bcmath-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-curl-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-dba-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-devel-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-dom-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-exif-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-fastcgi-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-ftp-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-gd-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-iconv-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-imap-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-ldap-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-mbstring-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-mysql-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-mysqli-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-pear-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-pgsql-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-soap-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-wddx-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"php5-xmlrpc-5.0.3-14.27", release:"SUSE9.3") ) { security_warning(0); exit(0); }NASL family CGI abuses NASL id PHP_4_4_4.NASL description According to its banner, the version of PHP installed on the remote host is older than 4.4.4. As such, it is potentially affected by the following vulnerabilities : - The c-client library 2000, 2001, or 2004 for PHP does not check the safe_mode or open_basedir functions. (CVE-2006-1017) - A buffer overflow exists in the sscanf function. (CVE-2006-4020) last seen 2020-06-01 modified 2020-06-02 plugin id 17710 published 2011-11-18 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/17710 title PHP < 4.4.4 Multiple Vulnerabilities NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2006-0669.NASL description Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A response-splitting issue was discovered in the PHP session handling. If a remote attacker can force a carefully crafted session identifier to be used, a cross-site-scripting or response-splitting attack could be possible. (CVE-2006-3016) A buffer overflow was discovered in the PHP sscanf() function. If a script used the sscanf() function with positional arguments in the format string, a remote attacker sending a carefully crafted request could execute arbitrary code as the last seen 2020-06-01 modified 2020-06-02 plugin id 22423 published 2006-09-22 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/22423 title CentOS 3 / 4 : php (CESA-2006:0669) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2006-0682.NASL description Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A response-splitting issue was discovered in the PHP session handling. If a remote attacker can force a carefully crafted session identifier to be used, a cross-site-scripting or response-splitting attack could be possible. (CVE-2006-3016) A buffer overflow was discovered found in the PHP sscanf() function. If a script used the sscanf() function with positional arguments in the format string, a remote attacker sending a carefully crafted request could execute arbitrary code as the last seen 2020-06-01 modified 2020-06-02 plugin id 22444 published 2006-09-22 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/22444 title RHEL 2.1 : php (RHSA-2006:0682) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-342-1.NASL description The sscanf() function did not properly check array boundaries. In applications which use sscanf() with argument swapping, a remote attacker could potentially exploit this to crash the affected web application or even execute arbitrary code with the application last seen 2020-06-01 modified 2020-06-02 plugin id 27921 published 2007-11-10 reporter Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/27921 title Ubuntu 5.04 / 5.10 / 6.06 LTS : php4, php5 vulnerabilities (USN-342-1) NASL family CGI abuses NASL id PHP_5_1_5.NASL description According to its banner, the version of PHP 5.x installed on the remote host is older than 5.1.5. Such versions may be affected by the following vulnerabilities : - The c-client library 2000, 2001, or 2004 for PHP does not check the safe_mode or open_basedir functions. (CVE-2006-1017) - A buffer overflow exists in the sscanf function. (CVE-2006-4020) - The file_exists and imap_reopen functions do not check for the safe_mode and open_basedir settings, which allows local users to bypass the settings. (CVE-2006-4481) - Multiple heap-based buffer overflows exist in the str_repeat and wordwrap functions in ext/standard/string.c. (CVE-2006-4482) - The cURL extension files permit the CURLOPT_FOLLOWLOCATION option when open_basedir or safe_mode is enabled, which allows attackers to perform unauthorized actions. (CVE-2006-4483) - A buffer overflow vulnerability exists in the LWZReadByte_ function in ext/gd/libgd/gd_gif_in.c in the GD extension. (CVE-2006-4484) - The stripos function is affected by an out-of-bounds read. (CVE-2006-4485) last seen 2020-06-01 modified 2020-06-02 plugin id 17713 published 2011-11-18 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/17713 title PHP 5.1.x < 5.1.5 Multiple Vulnerabilities NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2006-144.NASL description A vulnerability was discovered in the sscanf function that could allow attackers in certain circumstances to execute arbitrary code via argument swapping which incremented an index past the end of an array and triggered a buffer over-read. Updated packages have been patched to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 23893 published 2006-12-16 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/23893 title Mandrake Linux Security Advisory : php (MDKSA-2006:144) NASL family Fedora Local Security Checks NASL id FEDORA_2006-1024.NASL description This update includes the latest upstream release of PHP 5.1, version 5.1.6, fixing a number of security vulnerabilities, and other bugs. An integer overflow was discovered in the PHP memory handling routines. If a script can cause memory allocation based on untrusted user data, a remote attacker sending a carefully crafted request could execute arbitrary code as the last seen 2020-06-01 modified 2020-06-02 plugin id 24032 published 2007-01-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24032 title Fedora Core 5 : php-5.1.6-1.1 (2006-1024) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2006-0730.NASL description Updated PHP packages that fix a security issue are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues. These packages also contain a fix for a bug where certain input strings to the metaphone() function could cause memory corruption. From Red Hat Security Advisory 2006:0730 : The Hardened-PHP Project discovered an overflow in the PHP htmlentities() and htmlspecialchars() routines. If a PHP script used the vulnerable functions to parse UTF-8 data, a remote attacker sending a carefully crafted request could trigger the overflow and potentially execute arbitrary code as the last seen 2020-06-01 modified 2020-06-02 plugin id 67421 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/67421 title Oracle Linux 4 : php (ELSA-2006-0730 / ELSA-2006-0669) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2006-0669.NASL description Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A response-splitting issue was discovered in the PHP session handling. If a remote attacker can force a carefully crafted session identifier to be used, a cross-site-scripting or response-splitting attack could be possible. (CVE-2006-3016) A buffer overflow was discovered in the PHP sscanf() function. If a script used the sscanf() function with positional arguments in the format string, a remote attacker sending a carefully crafted request could execute arbitrary code as the last seen 2020-06-01 modified 2020-06-02 plugin id 22443 published 2006-09-22 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/22443 title RHEL 3 / 4 : php (RHSA-2006:0669) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200608-28.NASL description The remote host is affected by the vulnerability described in GLSA-200608-28 (PHP: Arbitary code execution) The sscanf() PHP function contains an array boundary error that can be exploited to dereference a NULL pointer. This can possibly allow the bypass of the safe mode protection by executing arbitrary code. Impact : A remote attacker might be able to exploit this vulnerability in PHP applications making use of the sscanf() function, potentially resulting in the execution of arbitrary code or the execution of scripted contents in the context of the affected site. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 22290 published 2006-08-30 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/22290 title GLSA-200608-28 : PHP: Arbitary code execution NASL family SuSE Local Security Checks NASL id SUSE_APACHE2-MOD_PHP5-2039.NASL description - the CURL module lacked checks for control characters (CVE-2006-2563)) - str_repeat() contained an integer overflow - ext/wddx contained a buffer overflow - memory_limit() lacked checks for integer overflows - a bug in sscanf() could potentially be exploited to execute arbitrary code (CVE-2006-4020) - an uninitialized varable caused apache to crash during startup - corrupt gif images could crash php last seen 2020-06-01 modified 2020-06-02 plugin id 27146 published 2007-10-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27146 title openSUSE 10 Security Update : apache2-mod_php5 (apache2-mod_php5-2039) NASL family SuSE Local Security Checks NASL id SUSE_APACHE2-MOD_PHP5-2102.NASL description - the CURL module lacked checks for control characters (CVE-2006-2563)) - str_repeat() contained an integer overflow - ext/wddx contained a buffer overflow - memory_limit() lacked checks for integer overflows - a bug in sscanf() could potentially be exploited to execute arbitrary code. (CVE-2006-4020) - an uninitialized varable caused apache to crash during startup - corrupt gif images could crash php last seen 2020-06-01 modified 2020-06-02 plugin id 29374 published 2007-12-13 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/29374 title SuSE 10 Security Update : PHP5 (ZYPP Patch Number 2102)
Oval
| accepted | 2013-04-29T04:11:12.491-04:00 | ||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||
| contributors |
| ||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||
| description | scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows context-dependent attackers to execute arbitrary code via a sscanf PHP function call that performs argument swapping, which increments an index past the end of an array and triggers a buffer over-read. | ||||||||||||||||||||
| family | unix | ||||||||||||||||||||
| id | oval:org.mitre.oval:def:11062 | ||||||||||||||||||||
| status | accepted | ||||||||||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||||||||||
| title | scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows context-dependent attackers to execute arbitrary code via a sscanf PHP function call that performs argument swapping, which increments an index past the end of an array and triggers a buffer over-read. | ||||||||||||||||||||
| version | 26 |
Redhat
| advisories |
| ||||||||||||||||
| rpms |
|
References
- http://www.securityfocus.com/archive/1/442438/30/0/threaded
- http://www.plain-text.info/sscanf_bug.txt
- http://bugs.php.net/bug.php?id=38322
- http://www.securityfocus.com/bid/19415
- http://secunia.com/advisories/21403
- http://www.novell.com/linux/security/advisories/2006_19_sr.html
- http://www.novell.com/linux/security/advisories/2006_20_sr.html
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:144
- http://secunia.com/advisories/21608
- http://www.php.net/ChangeLog-5.php#5.1.5
- http://www.php.net/release_5_1_5.php
- http://security.gentoo.org/glsa/glsa-200608-28.xml
- http://secunia.com/advisories/21546
- http://secunia.com/advisories/21683
- http://www.novell.com/linux/security/advisories/2006_22_sr.html
- http://www.ubuntu.com/usn/usn-342-1
- http://secunia.com/advisories/21768
- http://www.redhat.com/support/errata/RHSA-2006-0669.html
- http://www.redhat.com/support/errata/RHSA-2006-0682.html
- http://www.novell.com/linux/security/advisories/2006_52_php.html
- http://secunia.com/advisories/22004
- http://secunia.com/advisories/22069
- http://securitytracker.com/id?1016984
- http://support.avaya.com/elmodocs2/security/ASA-2006-221.htm
- http://support.avaya.com/elmodocs2/security/ASA-2006-222.htm
- http://secunia.com/advisories/22440
- http://support.avaya.com/elmodocs2/security/ASA-2006-223.htm
- http://rhn.redhat.com/errata/RHSA-2006-0688.html
- ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc
- http://secunia.com/advisories/22538
- http://secunia.com/advisories/22487
- http://secunia.com/advisories/21847
- http://secunia.com/advisories/22039
- http://rhn.redhat.com/errata/RHSA-2006-0736.html
- http://secunia.com/advisories/23247
- http://secunia.com/advisories/21467
- http://securityreason.com/securityalert/1341
- http://www.vupen.com/english/advisories/2006/3193
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11062