Input validation error in PHP - CVE-2006-2660

 


Published: October 30, 2018 / Updated: June 8, 2025


Vulnerability identifier: #VU110482
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2006-2660
CWE-ID: CWE-20
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: PHP Group
Affected software: PHP

Detailed vulnerability description

The vulnerability allows a local user to corrupt data.

Buffer consumption vulnerability in the tempnam function in PHP 5.1.4 and 4.x before 4.4.3 allows local users to bypass restrictions and create PHP files with fixed names in other directories via a pathname argument longer than MAXPATHLEN, which prevents a unique string from being appended to the filename.


How to mitigate CVE-2006-2660

Install the update from the vendor's website.
