SB2020120862 - Multiple vulnerabilities in PHP

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2020120862

SB2020120862 - Multiple vulnerabilities in PHP

Published: December 8, 2020 Updated: June 13, 2025

Security Bulletin ID SB2020120862
Severity
High
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 50% Medium 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2004-1018)

The vulnerability allows attackers to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can bypass safe mode restrictions, cause a denial of service, or execute arbitrary code via (1) a negative offset value to the shmop_write function, (2) an "integer overflow/underflow" in the pack function, or (3) an "integer overflow/underflow" in the unpack function. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute.


2) Input validation error (CVE-ID: CVE-2004-1020)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The addslashes function in PHP 4.3.9 does not properly escape a NULL (/0) character, which may allow remote attackers to read arbitrary files in PHP applications that contain a directory traversal vulnerability in require or include statements, but are otherwise protected by the magic_quotes_gpc mechanism. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute. This candidate may change significantly in the future as a result of further discussion.


Remediation

Install update from vendor's website.

References