SB2017101146 - Multiple vulnerabilities in PHP
Published: October 11, 2017 Updated: June 9, 2025
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Input validation error (CVE-ID: CVE-2004-0958)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
php_variables.c in PHP before 5.0.2 allows remote attackers to read sensitive memory contents via (1) GET, (2) POST, or (3) COOKIE GPC variables that end in an open bracket character, which causes PHP to calculate an incorrect string length.
2) Input validation error (CVE-ID: CVE-2004-0959)
The vulnerability allows a local user to corrupt data.
rfc1867.c in PHP before 5.0.2 allows local users to upload files to arbitrary locations via a PHP script with a certain MIME header that causes the "$_FILES" array to be modified.
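For the first vulnerability (CVE-2004-0958), the following added example, which is not part of the original bulletin, shows a log-triage check that flags GET, POST and COOKIE variable names ending in an open bracket. The request dictionary layout (`url`, `body`, `cookie`), the function names and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl, unquote

def names_from_urlencoded(data):
    """Decoded variable names from a query string or form-urlencoded body."""
    # keep_blank_values=True keeps names sent without a value, e.g. "a[".
    return [name for name, _ in parse_qsl(data, keep_blank_values=True)]

def names_from_cookie(header):
    """Decoded variable names from a Cookie header value."""
    names = []
    for part in header.split(";"):
        name = part.split("=", 1)[0].strip()
        if name:
            # Percent-decode so an encoded bracket (%5B) is not missed.
            names.append(unquote(name))
    return names

def flag_request(req):
    """Return (source, name) pairs for GPC names that end in '['."""
    query = req.get("url", "").partition("?")[2]
    sources = {
        "GET": names_from_urlencoded(query),
        "POST": names_from_urlencoded(req.get("body", "")),
        "COOKIE": names_from_cookie(req.get("cookie", "")),
    }
    return [(src, name)
            for src, names in sources.items()
            for name in names
            if name.endswith("[")]

# Constructed sample requests (not taken from real traffic).
SAMPLE_REQUESTS = [
    {"url": "/index.php?id=7&page=2"},
    {"url": "/search.php?q%5B=x"},
    {"url": "/form.php", "body": "items[]=1&items[]=2&note[=abc"},
    {"url": "/", "cookie": "sid=abc123; pref%5B=1"},
]

def scan(requests):
    """Map each request index to its flagged names, skipping clean requests."""
    hits = {}
    for i, req in enumerate(requests):
        flagged = flag_request(req)
        if flagged:
            hits[i] = flagged
    return hits

if __name__ == "__main__":
    for idx, flagged in scan(SAMPLE_REQUESTS).items():
        print(idx, flagged)
```

Well-formed array names such as `items[]` are not flagged; only names whose last character is `[` are reported for review.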
Remediation
Install update from vendor's website.
References
- http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0053.html
- http://marc.info/?l=bugtraq&m=109527531130492&w=2
- http://secunia.com/advisories/12560/
- http://securitytracker.com/id?1011279
- http://www.redhat.com/support/errata/RHSA-2004-687.html
- https://bugzilla.fedora.us/show_bug.cgi?id=2344
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17393
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10863
- http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0054.html
- http://marc.info/?l=bugtraq&m=109534848430404&w=2
- http://securitytracker.com/id?1011307
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17392
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10961