SB2018101523 - Multiple vulnerabilities in PHP
Published: October 15, 2018 Updated: June 12, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2007-5128)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
SimpNews 2.41.03 on Windows, when PHP before 5.0.0 is used, allows remote attackers to obtain sensitive information via an certain link_date parameter to events.php, which reveals the path in an error message due to an unsupported argument type for the mktime function on Windows.
2) Input validation error (CVE-ID: CVE-2007-1401)
The vulnerability allows a local user to execute arbitrary code.
Buffer overflow in the crack extension (CrackLib), as bundled with PHP 4.4.6 and other versions before 5.0.0, might allow local users to gain privileges via a long argument to the crack_opendict function.
Remediation
Install update from vendor's website.
References
- http://forum.boesch-it.de/viewtopic.php?t=2791
- http://securityreason.com/securityalert/3174
- http://www.netvigilance.com/advisory0068
- http://www.securityfocus.com/archive/1/480588/100/0/threaded
- http://retrogod.altervista.org/php_446_crack_opendict_local_bof.html
- http://securityreason.com/securityalert/2405
- http://www.securityfocus.com/archive/1/462226/100/0/threaded
- https://www.exploit-db.com/exploits/3431