#VU110551 Input validation error in PHP - CVE-2000-0967
Published: May 3, 2018 / Updated: June 10, 2025
Vulnerability identifier: #VU110551
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2000-0967
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
PHP
PHP
Software vendor:
PHP Group
PHP Group
Description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
PHP 3 and 4 do not properly cleanse user-injected format strings, which allows remote attackers to execute arbitrary commands by triggering error messages that are improperly written to the error logs.
Remediation
Install update from vendor's website.
External links
- ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:75.php.asc
- http://archives.neohapsis.com/archives/bugtraq/2000-10/0204.html
- http://www.atstake.com/research/advisories/2000/a101200-1.txt
- http://www.calderasystems.com/support/security/advisories/CSSA-2000-037.0.txt
- http://www.linux-mandrake.com/en/security/MDKSA-2000-062.php3?dis=7.1
- http://www.redhat.com/support/errata/RHSA-2000-088.html
- http://www.redhat.com/support/errata/RHSA-2000-095.html
- http://www.securityfocus.com/bid/1786
- https://exchange.xforce.ibmcloud.com/vulnerabilities/5359