CVSS: 5.0EPSS: 0%CPEs: 3EXPL: 2CVE-2006-4023
https://notcve.org/view.php?id=CVE-2006-4023
The ip2long function in PHP 5.1.4 and earlier may incorrectly validate an arbitrary string and return a valid network IP address, which allows remote attackers to obtain network information and facilitate other attacks, as demonstrated using SQL injection in the X-FORWARDED-FOR Header in index.php in MiniBB 2.0. NOTE: it could be argued that the ip2long behavior represents a risk for security-relevant issues in a way that is similar to strcpy's role in buffer overflows, in which case this would be a class of implementation bugs that would require separate CVE items for each PHP application that uses ip2long in a security-relevant manner. La función ip2long en PHP 5.1.4 y anteriores puede validar incorrectamente una cadena de su elección y devolver una dirección IP, la cual permite a atacantes remotos obtener información y facilitar otros ataques, como se demostró usando inyección SQL en la cabecera X-FORWARDED-FOR en index.php en MiniBB 2.0. NOTA: podría discutirse que el funcionamiento ip2long representa un riesgo para los asuntos de seguridad relevantes en la medida que es similar al papel de los strcpy en el desbordamiento de búfer, en cuyo caso esto podría ser un tipo de bug de implementación que requeriría separar los asuntos CVE para cada aplicación PHP que utiliza ip2long en una manera se seguridad relevante. • http://retrogod.altervista.org/php_ip2long.htm http://securitytracker.com/id?1016609 http://www.securityfocus.com/archive/1/441529/100/100/threaded http://www.securityfocus.com/archive/1/441708/100/100/threaded •
CVSS: 4.6EPSS: 0%CPEs: 67EXPL: 4CVE-2006-4020 – PHP 4.4.3/5.1.4 - 'sscanf' Local Buffer Overflow
https://notcve.org/view.php?id=CVE-2006-4020
scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows context-dependent attackers to execute arbitrary code via a sscanf PHP function call that performs argument swapping, which increments an index past the end of an array and triggers a buffer over-read. scanf.c en PHP 5.1.4 y anteriores, y 4.4.3 y anteriores, permite a atacantes (locales o remotos dependiendo del contexto) ejecutar código de su elección mediante una llamada a la función sscanf de PHP que realiza un intercambio de argumentos que incrementa un índice más allá del final de un array y dispara una lectura de búfer fuera de límite. • https://www.exploit-db.com/exploits/2193 ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc http://bugs.php.net/bug.php?id=38322 http://rhn.redhat.com/errata/RHSA-2006-0688.html http://rhn.redhat.com/errata/RHSA-2006-0736.html http://secunia.com/advisories/21403 http://secunia.com/advisories/21467 http://secunia.com/advisories/21546 http://secunia.com/advisories/21608 http://secunia.com/advisories/21683 http://secunia.com/advisories/21768 h •
CVSS: 4.6EPSS: 0%CPEs: 77EXPL: 2CVE-2006-3011 – PHP 5.2.6 - 'error_log' Safe_mode Bypass
https://notcve.org/view.php?id=CVE-2006-3011
The error_log function in basic_functions.c in PHP before 4.4.4 and 5.x before 5.1.5 allows local users to bypass safe mode and open_basedir restrictions via a "php://" or other scheme in the third argument, which disables safe mode. La función error_log en basic_functions.c en PHP anterior v4.4.4 y v5.x anterior v5.1.5 permite a usuarios locales superar el modo de seguridad y las restricciones open_basedir a través de un "php://" u otros esquemas en el tercer argumento, que deshabilitan el modo seguro. • https://www.exploit-db.com/exploits/7171 http://cvs.php.net/viewvc.cgi/php-src/ext/standard/basic_functions.c?diff_format=u&view=log&pathrev=PHP_4_4 http://cvs.php.net/viewvc.cgi/php-src/ext/standard/basic_functions.c?r1=1.543.2.51.2.9&r2=1.543.2.51.2.10&pathrev=PHP_4_4&diff_format=u http://secunia.com/advisories/20818 http://secunia.com/advisories/21050 http://secunia.com/advisories/21125 http://secunia.com/advisories/21546 http://securityreason.com/ • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 2%CPEs: 1EXPL: 0CVE-2006-3018
https://notcve.org/view.php?id=CVE-2006-3018
Unspecified vulnerability in the session extension functionality in PHP before 5.1.3 has unknown impact and attack vectors related to heap corruption. Vulnerabilidad no especificada en la funcionalidad de extensión de sesión en PHP anterior a la versión 5.1.3 tiene un impacto y vectores de ataque desconocidos, relacionados con una corrupción de memoria dinámica. • http://secunia.com/advisories/19927 http://secunia.com/advisories/21050 http://secunia.com/advisories/21125 http://securitytracker.com/id?1016306 http://www.mandriva.com/security/advisories?name=MDKSA-2006:122 http://www.osvdb.org/25254 http://www.php.net/release_5_1_3.php http://www.securityfocus.com/bid/17843 http://www.ubuntu.com/usn/usn-320-1 •
CVSS: 9.3EPSS: 1%CPEs: 1EXPL: 1CVE-2006-3016
https://notcve.org/view.php?id=CVE-2006-3016
Unspecified vulnerability in session.c in PHP before 5.1.3 has unknown impact and attack vectors, related to "certain characters in session names," including special characters that are frequently associated with CRLF injection, SQL injection, cross-site scripting (XSS), and HTTP response splitting vulnerabilities. NOTE: while the nature of the vulnerability is unspecified, it is likely that this is related to a violation of an expectation by PHP applications that the session name is alphanumeric, as implied in the PHP manual for session_name(). • ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc http://rhn.redhat.com/errata/RHSA-2006-0736.html http://secunia.com/advisories/19927 http://secunia.com/advisories/21050 http://secunia.com/advisories/22004 http://secunia.com/advisories/22069 http://secunia.com/advisories/22225 http://secunia.com/advisories/22440 http://secunia.com/advisories/22487 http://secunia.com/advisories/23247 http://securitytracker.com/id?1016306 http://support.avaya.com/el •