Input validation error in PHP - CVE-2004-0958

 


Published: October 11, 2017 / Updated: June 9, 2025


Vulnerability identifier: #VU110519
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2004-0958
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vendor: PHP Group
Affected software:
PHP

Detailed vulnerability description

The vulnerability allows a remote unauthenticated attacker to gain access to sensitive information.

php_variables.c in PHP before 5.0.2 allows remote attackers to read sensitive memory contents via (1) GET, (2) POST, or (3) COOKIE GPC variables that end in an open bracket character, which causes PHP to calculate an incorrect string length.
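A defensive check for the trigger described above, as an added example that is not part of the original advisory: it flags GET, POST and cookie variable names that end in an open bracket. The function names and sample requests are constructed for illustration, and URL-decoding of cookie names is an assumption.

```python
from urllib.parse import parse_qsl, unquote_plus


def _names_from_pairs(raw):
    """Decoded parameter names from a query string or urlencoded body."""
    # keep_blank_values=True keeps names sent without a value, e.g. "x["
    return [name for name, _ in parse_qsl(raw, keep_blank_values=True)]


def _names_from_cookie(header):
    """Decoded cookie names from a Cookie request header value."""
    names = []
    for part in header.split(";"):
        name = part.split("=", 1)[0].strip()
        if name:
            # Assumption: names are URL-decoded before the bracket check
            names.append(unquote_plus(name))
    return names


def suspicious_gpc_names(query="", body="", cookie=""):
    """Return (source, name) for each GPC variable name ending in '['."""
    sources = (
        ("GET", _names_from_pairs(query)),
        ("POST", _names_from_pairs(body)),
        ("COOKIE", _names_from_cookie(cookie)),
    )
    return [(src, n) for src, names in sources
            for n in names if n.endswith("[")]


# Constructed sample requests (not taken from real traffic)
SAMPLE_REQUESTS = [
    {"query": "id=7&items[]=a", "body": "", "cookie": "sid=abc"},
    {"query": "id=7&name%5B=x", "body": "tags[=1", "cookie": "pref[=1; sid=abc"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        hits = suspicious_gpc_names(**req)
        print("FLAG" if hits else "ok  ", req["query"], hits)
```

Well-formed array syntax such as `items[]` or `arr[0]` ends in a closing bracket and is not flagged.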


How to mitigate CVE-2004-0958

Install the update from the vendor's website.
