Input validation error in PHP
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2012-3450 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software Subscribe |
PHP Universal components / Libraries / Scripting languages |
| Vendor | PHP Group |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Input validation error
EUVDB-ID: #VU43771
Risk: Low
CVSSv3.1: 3.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]
CVE-ID: CVE-2012-3450
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
pdo_sql_parser.re in the PDO extension in PHP before 5.3.14 and 5.4.x before 5.4.4 does not properly determine the end of the query string during parsing of prepared statements, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted parameter value.
MitigationInstall update from vendor's website.
Vulnerable software versionsPHP: 5.3.0 - 5.4.3
External linkshttp://lists.opensuse.org/opensuse-security-announce/2012-08/msg00021.html
http://seclists.org/bugtraq/2012/Jun/60
http://www.debian.org/security/2012/dsa-2527
http://www.mandriva.com/security/advisories?name=MDVSA-2012:108
http://www.openwall.com/lists/oss-security/2012/08/02/3
http://www.openwall.com/lists/oss-security/2012/08/02/7
http://www.php.net/ChangeLog-5.php
http://www.ubuntu.com/usn/USN-1569-1
http://bugs.php.net/bug.php?id=61755
http://bugzilla.novell.com/show_bug.cgi?id=769785
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
