Multiple vulnerabilities in PHP



| Updated: 2025-06-14
Risk High
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2007-1383
CVE-2005-0596
CWE-ID CWE-20
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software
 PHP
Universal components / Libraries / Scripting languages

Vendor PHP Group

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU110453

Risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2007-1383

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Integer overflow in the 16 bit variable reference counter in PHP 4 allows context-dependent attackers to execute arbitrary code by overflowing this counter, which causes the same variable to be destroyed twice, a related issue to CVE-2007-1286.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PHP: 4.0

CPE2.3 External links

https://secunia.com/advisories/24606
https://secunia.com/advisories/24606
https://secunia.com/advisories/25056
https://secunia.com/advisories/25056
https://security.gentoo.org/glsa/glsa-200703-21.xml
https://security.gentoo.org/glsa/glsa-200703-21.xml
https://www.novell.com/linux/security/advisories/2007_32_php.html
https://www.novell.com/linux/security/advisories/2007_32_php.html
https://www.osvdb.org/32770
https://www.osvdb.org/32770
https://www.php-security.org/MOPB/MOPB-01-2007.html
https://www.php-security.org/MOPB/MOPB-01-2007.html
https://www.securityfocus.com/bid/22765
https://www.securityfocus.com/bid/22765


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Input validation error

EUVDB-ID: #VU110509

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2005-0596

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to perform service disruption.

PHP 4 (PHP4) allows attackers to cause a denial of service (daemon crash) by using the readfile function on a file whose size is a multiple of the page size.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PHP: 4.0

CPE2.3 External links

https://www.linuxcompatible.org/story42495.html
https://www.securityfocus.com/bid/12665


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###