#VU110479 Input validation error in PHP - CVE-2006-4020
Vulnerability identifier: #VU110479
Vulnerability risk: Low
CVSSv4.0: 1.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID:
CWE-ID:
CWE-20
Exploitation vector: Local
Exploit availability: Yes
Vulnerable software:
PHP
Universal components / Libraries /
Scripting languages
Vendor: PHP Group
Description
The vulnerability allows a local user to read and manipulate data.
scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows context-dependent attackers to execute arbitrary code via a sscanf PHP function call that performs argument swapping, which increments an index past the end of an array and triggers a buffer over-read.
Mitigation
Install update from vendor's website.
Vulnerable software versions
PHP: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.1, 4.1.1, 4.1.2, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.3.8, 4.3.9, 4.3.10, 4.3.11, 4.4, 4.4.1, 4.4.2, 4.4.3, 5, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.1.0, 5.1.1, 5.1.2, 5.1.4
External links
https://www.securityfocus.com/archive/1/442438/30/0/threaded
https://www.plain-text.info/sscanf_bug.txt
https://bugs.php.net/bug.php?id=38322
https://www.securityfocus.com/bid/19415
https://secunia.com/advisories/21403
https://www.novell.com/linux/security/advisories/2006_19_sr.html
https://www.novell.com/linux/security/advisories/2006_20_sr.html
https://www.mandriva.com/security/advisories?name=MDKSA-2006:144
https://secunia.com/advisories/21608
https://www.php.net/ChangeLog-5.php#5.1.5
https://www.php.net/release_5_1_5.php
https://security.gentoo.org/glsa/glsa-200608-28.xml
https://secunia.com/advisories/21546
https://secunia.com/advisories/21683
https://www.novell.com/linux/security/advisories/2006_22_sr.html
https://www.ubuntu.com/usn/usn-342-1
https://secunia.com/advisories/21768
https://www.redhat.com/support/errata/RHSA-2006-0669.html
https://www.redhat.com/support/errata/RHSA-2006-0682.html
https://www.novell.com/linux/security/advisories/2006_52_php.html
https://secunia.com/advisories/22004
https://secunia.com/advisories/22069
https://securitytracker.com/id?1016984
https://support.avaya.com/elmodocs2/security/ASA-2006-221.htm
https://support.avaya.com/elmodocs2/security/ASA-2006-222.htm
https://secunia.com/advisories/22440
https://support.avaya.com/elmodocs2/security/ASA-2006-223.htm
https://rhn.redhat.com/errata/RHSA-2006-0688.html
ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc
https://secunia.com/advisories/22538
https://secunia.com/advisories/22487
https://secunia.com/advisories/21847
https://secunia.com/advisories/22039
https://rhn.redhat.com/errata/RHSA-2006-0736.html
https://secunia.com/advisories/23247
https://secunia.com/advisories/21467
https://securityreason.com/securityalert/1341
https://www.vupen.com/english/advisories/2006/3193
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11062
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
