Vulnerabilities > PHP

DATE CVE VULNERABILITY TITLE RISK
2009-04-08 CVE-2009-1271 Unspecified vulnerability in PHP
The JSON_parser function (ext/json/JSON_parser.c) in PHP 5.2.x before 5.2.9 allows remote attackers to cause a denial of service (segmentation fault) via a malformed string to the json_decode API function.
network
low complexity
php
5.0
2009-03-03 CVE-2009-0754 USE of Externally-Controlled Format String vulnerability in PHP 4.4.4/5.1.6
PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within .htaccess, which causes this setting to be applied to other virtual hosts on the same server.
local
low complexity
php apache CWE-134
2.1
2009-01-05 CVE-2008-5844 Configuration vulnerability in PHP 5.2.7
PHP 5.2.7 contains an incorrect change to the FILTER_UNSAFE_RAW functionality, and unintentionally disables magic_quotes_gpc regardless of the actual magic_quotes_gpc setting, which might make it easier for context-dependent attackers to conduct SQL injection attacks and unspecified other attacks.
network
low complexity
php CWE-16
7.5
2009-01-02 CVE-2008-5814 Cross-Site Scripting vulnerability in PHP
Cross-site scripting (XSS) vulnerability in PHP, possibly 5.2.7 and earlier, when display_errors is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
network
high complexity
php CWE-79
2.6
2008-12-26 CVE-2008-5498 Information Exposure vulnerability in PHP
Array index error in the imageRotate function in PHP 5.2.8 and earlier allows context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument (aka the bgd_color or clrBack argument) for an indexed image.
network
low complexity
php CWE-200
5.0
2008-12-23 CVE-2008-5557 Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in PHP
Heap-based buffer overflow in ext/mbstring/libmbfl/filters/mbfilter_htmlent.c in the mbstring extension in PHP 4.3.0 through 5.2.6 allows context-dependent attackers to execute arbitrary code via a crafted string containing an HTML entity, which is not properly handled during Unicode conversion, related to the (1) mb_convert_encoding, (2) mb_check_encoding, (3) mb_convert_variables, and (4) mb_parse_str functions.
network
low complexity
php CWE-119
critical
10.0
2008-12-17 CVE-2008-5658 Path Traversal vulnerability in PHP
Directory traversal vulnerability in the ZipArchive::extractTo function in PHP 5.2.6 and earlier allows context-dependent attackers to write arbitrary files via a ZIP file with a file whose name contains ..
network
low complexity
php CWE-22
7.5
2008-12-17 CVE-2008-5625 Permissions, Privileges, and Access Controls vulnerability in PHP
PHP 5 before 5.2.7 does not enforce the error_log safe_mode restrictions when safe_mode is enabled through a php_admin_flag setting in httpd.conf, which allows context-dependent attackers to write to arbitrary files by placing a "php_value error_log" entry in a .htaccess file.
network
low complexity
php CWE-264
7.5
2008-12-17 CVE-2008-5624 Permissions, Privileges, and Access Controls vulnerability in PHP
PHP 5 before 5.2.7 does not properly initialize the page_uid and page_gid global variables for use by the SAPI php_getuid function, which allows context-dependent attackers to bypass safe_mode restrictions via variable settings that are intended to be restricted to root, as demonstrated by a setting of /etc for the error_log variable.
network
low complexity
php CWE-264
7.5
2008-09-18 CVE-2008-4107 Numeric Errors vulnerability in PHP
The (1) rand and (2) mt_rand functions in PHP 5.2.6 do not produce cryptographically strong random numbers, which allows attackers to leverage exposures in products that rely on these functions for security-relevant functionality, as demonstrated by the password-reset functionality in Joomla! 1.5.x and WordPress before 2.6.2, a different vulnerability than CVE-2008-2107, CVE-2008-2108, and CVE-2008-4102.
network
high complexity
php CWE-189
5.1