Improper Neutralization of Argument Delimiters in a Command in PHP - CVE-2002-0985

 


Published: February 13, 2024 / Updated: June 8, 2025


Vulnerability identifier: #VU110539
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2002-0985
CWE-ID: CWE-88
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: PHP
Software vendor: PHP Group

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Argument injection vulnerability in the mail function for PHP 4.x to 4.2.2 may allow attackers to bypass safe mode restrictions and modify command line arguments to the MTA (e.g. sendmail) in the 5th argument to mail(), altering MTA behavior and possibly executing commands.
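As an added example (not code from this advisory or from the PHP project), application-side validation of an untrusted envelope sender before it reaches the 5th argument of mail(), written for current PHP rather than 4.x. The helper names `envelope_sender_arg` and `send_notice`, the subject line and the sample addresses are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not part of PHP): build the value for mail()'s 5th
 * argument from an untrusted envelope-sender address, or return null.
 */
function envelope_sender_arg(string $addr): ?string
{
    // Syntax check first; on its own it is not enough, because the filter
    // accepts some characters that are meaningful on a command line.
    if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Strict allowlist: one token, no whitespace, quotes or control bytes,
    // and a first character that can never start an option ("-").
    if (preg_match('/\A[A-Za-z0-9][A-Za-z0-9._+-]*@[A-Za-z0-9][A-Za-z0-9.-]*\z/', $addr) !== 1) {
        return null;
    }
    return '-f' . $addr;
}

/** Hypothetical caller: refuse to send when the sender fails validation. */
function send_notice(string $to, string $body, string $untrustedSender): bool
{
    $arg = envelope_sender_arg($untrustedSender);
    if ($arg === null) {
        // json_encode keeps control characters out of the log line.
        error_log('rejected envelope sender: ' . json_encode($untrustedSender));
        return false;
    }
    return mail($to, 'Notice', $body, '', $arg);
}

// Constructed sample inputs (not from the advisory); mail() is not called here.
$samples = [
    'alerts@example.com',                  // plain address
    'alerts@example.com --extra-option',   // second token after a space
    '-alerts@example.com',                 // would be read as an option
    "alerts@example.com\n",                // trailing newline
];
foreach ($samples as $s) {
    printf("%-42s %s\n", json_encode($s), envelope_sender_arg($s) ?? 'REJECTED');
}
```

Only the first sample yields a value for the 5th argument; the other three are rejected before any MTA command line is built.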


Remediation

Install the update from the vendor's website.
