Each record below gives, on one line: # | CVE ID | CWE ID | number of public exploits listed | vulnerability type(s) | publish date | update date | CVSS v2 base score | gained access level | access vector | access complexity | authentication | confidentiality impact | integrity impact | availability impact. The vulnerability description follows on the next line.

1 | CVE-2012-4388 | CWE-20 | Exploits: none listed | Type: HTTP response splitting, bypass | Published: 2012-09-07 | Updated: 2013-04-18 | CVSS: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: Partial | Avail: None
The sapi_header_op function in main/SAPI.c in PHP 5.4.0RC2 through 5.4.0 does not properly determine a pointer during checks for %0D sequences (aka carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and Google Chrome. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1398.

2 | CVE-2012-2143 | CWE-310 | Exploits: none listed | Type: - | Published: 2012-07-05 | Updated: 2013-04-18 | CVSS: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: Partial | Avail: None
The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password.

3 | CVE-2011-3189 | CWE-310 | Exploits: none listed | Type: Bypass | Published: 2011-08-25 | Updated: 2012-02-03 | CVSS: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: Partial | Integ: None | Avail: None
The crypt function in PHP 5.3.7, when the MD5 hash type is used, returns the value of the salt argument instead of the hashed string, which might allow remote attackers to bypass authentication via an arbitrary password, a different vulnerability than CVE-2011-2483.

4 | CVE-2011-1471 | CWE-189 | Exploits: none listed | Type: DoS | Published: 2011-03-19 | Updated: 2012-01-18 | CVSS: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: None | Avail: Partial
Integer signedness error in zip_stream.c in the Zip extension in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (CPU consumption) via a malformed archive file that triggers errors in zip_fread function calls.

5 | CVE-2011-1470 | CWE-20 | Exploits: none listed | Type: DoS | Published: 2011-03-19 | Updated: 2011-10-20 | CVSS: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: None | Avail: Partial
The Zip extension in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (application crash) via a ziparchive stream that is not properly handled by the stream_get_contents function.

6 | CVE-2011-1469 | CWE: - | Exploits: none listed | Type: DoS | Published: 2011-03-19 | Updated: 2012-01-18 | CVSS: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: None | Avail: Partial
Unspecified vulnerability in the Streams component in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (application crash) by accessing an ftp:// URL during use of an HTTP proxy with the FTP wrapper.

7 | CVE-2011-1468 | CWE-399 | Exploits: none listed | Type: DoS | Published: 2011-03-19 | Updated: 2012-01-18 | CVSS: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: None | Avail: Partial
Multiple memory leaks in the OpenSSL extension in PHP before 5.3.6 might allow remote attackers to cause a denial of service (memory consumption) via (1) plaintext data to the openssl_encrypt function or (2) ciphertext data to the openssl_decrypt function.

8 | CVE-2011-1464 | CWE-119 | Exploits: none listed | Type: DoS, overflow | Published: 2011-03-19 | Updated: 2011-04-08 | CVSS: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: None | Avail: Partial
Buffer overflow in the strval function in PHP before 5.3.6, when the precision configuration option has a large value, might allow context-dependent attackers to cause a denial of service (application crash) via a small numerical value in the argument.

9 | CVE-2011-1398 | CWE-20 | Exploits: none listed | Type: HTTP response splitting, bypass | Published: 2012-08-30 | Updated: 2013-04-18 | CVSS: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: Partial | Avail: None
The sapi_header_op function in main/SAPI.c in PHP before 5.3.11 and 5.4.x before 5.4.0RC2 does not check for %0D sequences (aka carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and Google Chrome.

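The two sapi_header_op entries in this list (CVE-2011-1398 and CVE-2012-4388) both come down to the header() newline check missing a bare carriage return. The following is an added example, not code from this page or from PHP: it models the shape of that check in Python (the original is C in main/SAPI.c), runs a %0D payload through the old and the hardened variant, and shows what a browser that treats a lone CR as a line break would parse. The payload, the folding tolerance and the browser model are this example's own constructions.

```python
from typing import Callable, List, Optional
from urllib.parse import unquote

# Added example: a Python model of the "new line safety check" that PHP's
# sapi_header_op applies to every header() argument. Only the shape is taken
# from the CVE text (LF was checked, a bare CR was not); this is not the C code.


def header_check_pre_5_3_11(header_line: str) -> bool:
    """Accept the line unless it contains a LF that does not start a folded
    continuation line (LF followed by space or tab). A bare CR is never
    examined, which is the gap CVE-2011-1398 describes."""
    start = 0
    while True:
        p = header_line.find("\n", start)
        if p == -1:
            return True
        if header_line[p + 1:p + 2] in (" ", "\t"):
            start = p + 1          # tolerated as RFC 2616 header folding
            continue
        return False               # "new line detected"


def header_check_fixed(header_line: str) -> bool:
    """Hardened check: refuse any CR or LF anywhere, folding included."""
    return "\r" not in header_line and "\n" not in header_line


def browser_view(raw: str) -> List[str]:
    """What a client that treats a bare CR as a line terminator (the
    Internet Explorer / Chrome behaviour the CVE refers to) makes of the
    emitted bytes: one list entry per header line it sees."""
    return raw.replace("\r\n", "\n").replace("\r", "\n").split("\n")


def redirect(url_param: str, check: Callable[[str], bool]) -> Optional[List[str]]:
    """Emulates header('Location: ' . $_GET['url']) guarded by `check`.
    Returns the header lines the browser ends up parsing, or None if the
    check refused the value."""
    line = "Location: " + unquote(url_param)   # PHP has already URL-decoded $_GET
    if not check(line):
        return None
    return browser_view(line)


if __name__ == "__main__":
    payload = "/%0DSet-Cookie:%20sess=attacker"   # constructed attacker input
    print(redirect(payload, header_check_pre_5_3_11))   # two header lines
    print(redirect(payload, header_check_fixed))        # None
```

With the old check the constructed `%0D` payload passes and the affected browsers see a second header line; the hardened rule refuses it. On a PHP version that cannot be upgraded, enforce that same rule in application code before calling header(): refuse any value containing `\r` or `\n` rather than trying to special-case folding.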
10 | CVE-2011-0754 | CWE-59 | Exploits: none listed | Type: - | Published: 2011-02-02 | Updated: 2011-07-18 | CVSS: 4.4 | Gained access: None | Access: Local | Complexity: Medium | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
The SplFileInfo::getType function in the Standard PHP Library (SPL) extension in PHP before 5.3.4 on Windows does not properly detect symbolic links, which might make it easier for local users to conduct symlink attacks by leveraging cross-platform differences in the stat structure, related to lack of a FILE_ATTRIBUTE_REPARSE_POINT check.

11 | CVE-2011-0753 | CWE-362 | Exploits: none listed | Type: DoS, memory corruption | Published: 2011-02-02 | Updated: 2011-07-18 | CVSS: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: None | Avail: Partial
Race condition in the PCNTL extension in PHP before 5.3.4, when a user-defined signal handler exists, might allow context-dependent attackers to cause a denial of service (memory corruption) via a large number of concurrent signals.

12 | CVE-2011-0708 | CWE-119 | Exploits: 1 | Type: DoS, overflow | Published: 2011-03-19 | Updated: 2012-11-05 | CVSS: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: None | Avail: Partial
exif.c in the Exif extension in PHP before 5.3.6 on 64-bit platforms performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) via an image with a crafted Image File Directory (IFD) that triggers a buffer over-read.

13 | CVE-2011-0421 | CWE: - | Exploits: 1 | Type: DoS | Published: 2011-03-19 | Updated: 2011-10-27 | CVSS: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: None | Avail: Partial
The _zip_name_locate function in zip_name_locate.c in the Zip extension in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED argument, which might allow context-dependent attackers to cause a denial of service (NULL pointer dereference) via an empty ZIP archive that is processed with a (1) locateName or (2) statName operation.

14 | CVE-2010-3710 | CWE-399 | Exploits: none listed | Type: DoS | Published: 2010-10-25 | Updated: 2011-03-23 | CVSS: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: None | Avail: Partial
Stack consumption vulnerability in the filter_var function in PHP 5.2.x through 5.2.14 and 5.3.x through 5.3.3, when FILTER_VALIDATE_EMAIL mode is used, allows remote attackers to cause a denial of service (memory consumption and application crash) via a long e-mail address string.

15 | CVE-2010-3709 | CWE-20 | Exploits: 1 | Type: DoS | Published: 2010-11-08 | Updated: 2011-05-03 | CVSS: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: None | Avail: Partial
The ZipArchive::getArchiveComment function in PHP 5.2.x through 5.2.14 and 5.3.x through 5.3.3 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ZIP archive.

16 | CVE-2010-2531 | CWE-200 | Exploits: none listed | Type: Information disclosure | Published: 2010-08-20 | Updated: 2011-08-26 | CVSS: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: Partial | Integ: None | Avail: None
The var_export function in PHP 5.2 before 5.2.14 and 5.3 before 5.3.3 flushes the output buffer to the user when certain fatal errors occur, even if display_errors is off, which allows remote attackers to obtain sensitive information by causing the application to exceed limits for memory, execution time, or recursion.

17 | CVE-2009-4142 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2009-12-21 | Updated: 2011-07-18 | CVSS: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: Partial | Avail: None
The htmlspecialchars function in PHP before 5.2.12 does not properly handle (1) overlong UTF-8 sequences, (2) invalid Shift_JIS sequences, and (3) invalid EUC-JP sequences, which allows remote attackers to conduct cross-site scripting (XSS) attacks by placing a crafted byte sequence before a special character.

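For the htmlspecialchars entry above, the mechanism is a lead byte of a multibyte encoding placed directly before a special character: the escaper treats the character as that lead byte's trail byte and copies it through unescaped, while the browser discards the invalid lead byte and interprets the character. The following is an added example, not PHP's own code: a Shift_JIS escaper written in Python in the vulnerable shape beside one that validates the trail byte, plus a codec-level check that also catches the overlong UTF-8 case. The lead and trail byte ranges are the standard Shift_JIS ones; the attack string is constructed for this example.

```python
from typing import Optional

# Added example, not PHP's htmlspecialchars implementation. Standard
# Shift_JIS ranges: lead bytes 0x81-0x9F and 0xE0-0xFC, trail bytes
# 0x40-0x7E and 0x80-0xFC.
SJIS_LEAD = set(range(0x81, 0xA0)) | set(range(0xE0, 0xFD))
SJIS_TRAIL = set(range(0x40, 0x7F)) | set(range(0x80, 0xFD))

SPECIAL = {
    ord("&"): b"&amp;", ord("<"): b"&lt;", ord(">"): b"&gt;",
    ord('"'): b"&quot;", ord("'"): b"&#039;",
}


def escape_sjis_naive(data: bytes) -> bytes:
    """Vulnerable shape: on a lead byte, copy it and the following byte
    through unexamined. A lead byte placed before '"' hides the quote from
    the escaper; a browser drops the invalid lead byte and honours the quote."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b in SJIS_LEAD and i + 1 < len(data):
            out += data[i:i + 2]
            i += 2
        else:
            out += SPECIAL.get(b, bytes([b]))
            i += 1
    return bytes(out)


def escape_sjis_checked(data: bytes) -> Optional[bytes]:
    """Fixed shape: a lead byte only consumes a byte that is actually in the
    trail range; any invalid sequence makes the whole string unusable (None),
    mirroring the empty-string result PHP returns for invalid input from 5.2.12 on."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b in SJIS_LEAD:
            if i + 1 < len(data) and data[i + 1] in SJIS_TRAIL:
                out += data[i:i + 2]
                i += 2
                continue
            return None
        out += SPECIAL.get(b, bytes([b]))
        i += 1
    return bytes(out)


def strict_decode_ok(data: bytes, encoding: str) -> bool:
    """Codec-level equivalent: a strict decoder rejects overlong UTF-8 (such as
    0xC0 0xBC for '<') and truncated multibyte sequences, so decoding before
    escaping catches the other cases the CVE lists as well."""
    try:
        data.decode(encoding)
        return True
    except UnicodeDecodeError:
        return False


if __name__ == "__main__":
    attack = b'\x81" onmouseover="alert(1)'   # constructed: lead byte, then '"'
    print(escape_sjis_naive(attack))          # starts with b'\x81"' -> quote survives
    print(escape_sjis_checked(attack))        # None
    print(strict_decode_ok(b"\xc0\xbcscript>", "utf-8"))   # False (overlong '<')
```

The practical rule the fixed version encodes: escape in the declared charset and refuse (or strip, as ENT_IGNORE does) anything that is not a valid sequence in it, because an escaper that skips bytes it has not validated is trusting attacker-controlled byte boundaries.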
18 | CVE-2009-2687 | CWE-20 | Exploits: none listed | Type: DoS | Published: 2009-08-05 | Updated: 2011-07-18 | CVSS: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: None | Avail: Partial
The exif_read_data function in the Exif module in PHP before 5.2.10 allows remote attackers to cause a denial of service (crash) via a malformed JPEG image with invalid offset fields, a different issue than CVE-2005-3353.

19 | CVE-2007-5899 | CWE-200 | Exploits: none listed | Type: Information disclosure | Published: 2007-11-20 | Updated: 2010-08-21 | CVSS: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: Partial | Integ: None | Avail: None
The output_add_rewrite_var function in PHP before 5.2.5 rewrites local forms in which the ACTION attribute references a non-local URL, which allows remote attackers to obtain potentially sensitive information by reading the requests for this URL, as demonstrated by a rewritten form containing a local session ID.

20 | CVE-2007-5447 | CWE-264 | Exploits: 1 | Type: Bypass | Published: 2007-10-14 | Updated: 2008-11-15 | CVSS: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: Partial | Integ: None | Avail: None
ioncube_loader_win_5.2.dll in the ionCube Loader 6.5 extension for PHP 5.2.4 does not follow safe_mode and disable_functions restrictions, which allows context-dependent attackers to bypass intended limitations, as demonstrated by reading arbitrary files via the ioncube_read_file function.

21 | CVE-2007-4887 | CWE-20 | Exploits: none listed | Type: DoS | Published: 2007-09-13 | Updated: 2009-03-04 | CVSS: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: None | Avail: Partial
The dl function in PHP 5.2.4 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long string in the library parameter. NOTE: there are limited usage scenarios under which this would be a vulnerability.

22 | CVE-2007-4652 | CWE-59 | Exploits: none listed | Type: Bypass | Published: 2007-09-04 | Updated: 2011-08-23 | CVSS: 4.4 | Gained access: None | Access: Local | Complexity: Medium | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
The session extension in PHP before 5.2.4 might allow local users to bypass open_basedir restrictions via a session file that is a symlink.

23 | CVE-2007-4528 | CWE: - | Exploits: 1 | Type: Code execution | Published: 2007-08-24 | Updated: 2008-09-05 | CVSS: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: Partial | Avail: None
The Foreign Function Interface (ffi) extension in PHP 5.0.5 does not follow safe_mode restrictions, which allows context-dependent attackers to execute arbitrary code by loading an arbitrary DLL and calling a function, as demonstrated by kernel32.dll and the WinExec function. NOTE: this issue does not cross privilege boundaries in most contexts, so perhaps it should not be included in CVE.

24 | CVE-2007-4441 | CWE: - | Exploits: 1 | Type: Code execution, overflow | Published: 2007-08-20 | Updated: 2008-09-05 | CVSS: 4.6 | Gained access: User | Access: Local | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
Buffer overflow in php_win32std.dll in the win32std extension for PHP 5.2.0 and earlier allows context-dependent attackers to execute arbitrary code via a long string in the filename argument to the win_browse_file function.

25 | CVE-2007-3799 | CWE-20 | Exploits: none listed | Type: - | Published: 2007-07-16 | Updated: 2012-10-30 | CVSS: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: Partial | Avail: None
The session_start function in ext/session in PHP 4.x up to 4.4.7 and 5.x up to 5.2.3 allows remote attackers to insert arbitrary attributes into the session cookie via special characters in a cookie that is obtained from (1) PATH_INFO, (2) the session_id function, and (3) the session_start function, which are not encoded or filtered when the new session cookie is generated, a related issue to CVE-2006-0207.

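For the session_start entry above, the root cause is that a session ID taken from PATH_INFO or set through session_id() was concatenated into the Set-Cookie header without encoding or filtering, so a `;` in it appends cookie attributes of the attacker's choosing. The following is an added example, not PHP's ext/session code: a Python function that builds the cookie the vulnerable way, one that enforces the `[0-9a-zA-Z,-]` alphabet PHP session IDs are made of (the 128-byte length cap is this example's own choice), and a parse with `http.cookies` to show a client honouring the injected domain attribute. The session ID values are constructed for this example.

```python
import re
from http.cookies import SimpleCookie
from typing import Optional

# Added example, not PHP's ext/session code. PHP session IDs consist of the
# characters 0-9, a-z, A-Z, ',' and '-'; the 128-byte cap is an assumption
# made here to bound the value.
SESSION_ID_RE = re.compile(r"[A-Za-z0-9,-]{1,128}")


def session_cookie_vulnerable(sid: str, name: str = "PHPSESSID") -> str:
    """The CVE's shape: the ID is pasted into the header value as-is, so a
    ';' inside it terminates the value and starts an attribute."""
    return "%s=%s; path=/" % (name, sid)


def session_cookie_checked(sid: str, name: str = "PHPSESSID") -> Optional[str]:
    """Allowlist the ID before it reaches the header; anything outside the
    session-ID alphabet is refused rather than escaped."""
    if not SESSION_ID_RE.fullmatch(sid):
        return None
    return "%s=%s; path=/; HttpOnly" % (name, sid)


def parse_as_client(set_cookie_value: str) -> SimpleCookie:
    """How a cookie jar reads the emitted header: attributes that arrived
    inside the 'ID' become real attributes of the session cookie."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    return jar


if __name__ == "__main__":
    # constructed: what an attacker places in PATH_INFO or hands to session_id()
    injected = "abc123; domain=.attacker-controlled.example"
    jar = parse_as_client(session_cookie_vulnerable(injected))
    print(jar["PHPSESSID"].value, jar["PHPSESSID"]["domain"])   # abc123 .attacker-controlled.example
    print(session_cookie_checked(injected))                      # None
```

Refusing rather than escaping is deliberate: a session ID has no legitimate reason to contain anything outside its alphabet, and an unexpected value there is itself a signal worth logging.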
26 | CVE-2007-2748 | CWE: - | Exploits: none listed | Type: Information disclosure | Published: 2007-05-17 | Updated: 2012-10-30 | CVSS: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: Partial | Integ: None | Avail: None
The substr_count function in PHP 5.2.1 and earlier allows context-dependent attackers to obtain sensitive information via unspecified vectors, a different affected function than CVE-2007-1375.

27 | CVE-2007-2728 | CWE-264 | Exploits: none listed | Type: - | Published: 2007-05-16 | Updated: 2012-11-05 | CVSS: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: Partial | Integ: None | Avail: None
The soap extension in PHP calls php_rand_r with an uninitialized seed variable, which has unknown impact and attack vectors, a related issue to the mcrypt_create_iv issue covered by CVE-2007-2727.

28 | CVE-2007-1835 | CWE: - | Exploits: none listed | Type: Bypass | Published: 2007-04-02 | Updated: 2012-11-05 | CVSS: 4.6 | Gained access: User | Access: Local | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
PHP 4 before 4.4.5 and PHP 5 before 5.2.1, when using an empty session save path (session.save_path), uses the TMPDIR default after checking the restrictions, which allows local users to bypass open_basedir restrictions.

29 | CVE-2007-1710 | CWE: - | Exploits: 1 | Type: Bypass | Published: 2007-03-26 | Updated: 2008-09-05 | CVSS: 4.3 | Gained access: User | Access: Local | Complexity: Low | Authentication: Single system | Conf: Partial | Integ: Partial | Avail: Partial
The readfile function in PHP 4.4.4, 5.1.6, and 5.2.1 allows context-dependent attackers to bypass safe_mode restrictions and read arbitrary files by referring to local files with a certain URL syntax instead of a pathname syntax, as demonstrated by a filename preceded by a "php://../../" sequence.

30 | CVE-2007-1709 | CWE-119 | Exploits: 1 | Type: Code execution, overflow | Published: 2007-03-26 | Updated: 2008-09-05 | CVSS: 4.3 | Gained access: User | Access: Local | Complexity: Low | Authentication: Single system | Conf: Partial | Integ: Partial | Avail: Partial
Buffer overflow in the confirm_phpdoc_compiled function in the phpDOC extension (PECL phpDOC) in PHP 5.2.1 allows context-dependent attackers to execute arbitrary code via a long argument string.

31 | CVE-2007-1484 | CWE: - | Exploits: none listed | Type: Code execution, memory corruption, bypass | Published: 2007-03-16 | Updated: 2008-09-05 | CVSS: 4.6 | Gained access: User | Access: Local | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
The array_user_key_compare function in PHP 4.4.6 and earlier, and 5.x up to 5.2.1, makes erroneous calls to zval_dtor, which triggers memory corruption and allows local users to bypass safe_mode and execute arbitrary code via a certain unset operation after array_user_key_compare has been called.

32 | CVE-2007-1454 | CWE: - | Exploits: none listed | Type: XSS | Published: 2007-03-14 | Updated: 2008-09-05 | CVSS: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: Partial | Avail: None
ext/filter in PHP 5.2.0, when FILTER_SANITIZE_STRING is used with the FILTER_FLAG_STRIP_LOW flag, does not properly strip HTML tags, which allows remote attackers to conduct cross-site scripting (XSS) attacks via HTML with a '<' character followed by certain whitespace characters, which passes one filter but is collapsed into a valid tag, as demonstrated using %0b.

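The ext/filter entry above is an ordering bug: tags were stripped before low control characters were removed, so a control character inside a would-be tag hid it from the tag stripper and was then deleted, fusing the remaining pieces into a live tag. The following is an added example, not PHP's ext/filter code: a small Python tag stripper applying the two operations in the vulnerable order and in the corrected order (normalise first, then strip to a fixed point). The tag regular expression is this example's simplification of what counts as a tag; the payloads are constructed.

```python
import re

# Added example, not PHP's ext/filter implementation. A tag is taken to be
# '<' followed by a letter, '/', '!' or '?', then anything up to '>', so
# "<\x0bscript>" is not a tag at the moment the stripper looks at it.
TAG_RE = re.compile(r"<[A-Za-z/!?][^>]*>")
LOW_RE = re.compile(r"[\x00-\x1f]")


def sanitize_vulnerable(s: str) -> str:
    """FILTER_FLAG_STRIP_LOW applied after tag stripping: removing the \\x0b
    afterwards fuses "<" and "script>" into a tag nothing strips again."""
    s = TAG_RE.sub("", s)
    return LOW_RE.sub("", s)


def sanitize_fixed(s: str) -> str:
    """Normalise first (drop low bytes), then strip tags until the text stops
    changing, so a pass can never leave behind a tag assembled from the
    leftovers of a tag it just removed."""
    s = LOW_RE.sub("", s)
    prev = None
    while prev != s:
        prev = s
        s = TAG_RE.sub("", s)
    return s


if __name__ == "__main__":
    payload = "<\x0bscript>alert(1)</script>"   # constructed: %0b after '<'
    print(repr(sanitize_vulnerable(payload)))   # '<script>alert(1)'
    print(repr(sanitize_fixed(payload)))        # 'alert(1)'
```

The fixed-point loop also covers the classic nested case (`<<b>script>`), where a single stripping pass removes the inner tag and reveals an outer one; the general rule is that every transformation that deletes characters must run before the one whose result you rely on, and a sanitiser whose output can still change when re-applied is not finished.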
33 | CVE-2007-1287 | CWE: - | Exploits: none listed | Type: XSS | Published: 2007-03-06 | Updated: 2008-09-05 | CVSS: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: Partial | Avail: None
A regression error in the phpinfo function in PHP 4.4.3 to 4.4.6, and PHP 6.0 in CVS, allows remote attackers to conduct cross-site scripting (XSS) attacks via GET, POST, or COOKIE array values, which are not escaped in the phpinfo output, as originally fixed for CVE-2005-3388.

34 | CVE-2007-0988 | CWE-119 | Exploits: none listed | Type: DoS, overflow | Published: 2007-02-20 | Updated: 2011-05-25 | CVSS: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: None | Avail: Partial
The zend_hash_init function in PHP 5 before 5.2.1 and PHP 4 before 4.4.5, when running on a 64-bit platform, allows context-dependent attackers to cause a denial of service (infinite loop) by unserializing certain integer expressions, which only cause 32-bit arguments to be used after the check for a negative value, as demonstrated by an "a:2147483649:{" argument.

35 | CVE-2006-6383 | CWE: - | Exploits: none listed | Type: Bypass | Published: 2006-12-10 | Updated: 2008-11-15 | CVSS: 4.6 | Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
PHP 5.2.0 and 4.4 allows local users to bypass safe_mode and open_basedir restrictions via a malicious path and a null byte before a ";" in a session_save_path argument, followed by an allowed path, which causes a parsing inconsistency in which PHP validates the allowed path but sets session.save_path to the malicious path.

36 | CVE-2006-4020 | CWE: - | Exploits: none listed | Type: Code execution | Published: 2006-08-08 | Updated: 2010-08-21 | CVSS: 4.6 | Gained access: User | Access: Local | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows context-dependent attackers to execute arbitrary code via a sscanf PHP function call that performs argument swapping, which increments an index past the end of an array and triggers a buffer over-read.

37 | CVE-2006-3011 | CWE-264 | Exploits: none listed | Type: Bypass | Published: 2006-06-26 | Updated: 2011-07-11 | CVSS: 4.6 | Gained access: User | Access: Local | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
The error_log function in basic_functions.c in PHP before 4.4.4 and 5.x before 5.1.5 allows local users to bypass safe mode and open_basedir restrictions via a "php://" or other scheme in the third argument, which disables safe mode.

38 | CVE-2006-0996 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2006-04-10 | Updated: 2010-08-21 | CVSS: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: Partial | Avail: None
Cross-site scripting (XSS) vulnerability in phpinfo (info.c) in PHP 5.1.2 and 4.4.2 allows remote attackers to inject arbitrary web script or HTML via long array variables, including (1) a large number of dimensions or (2) long values, which prevents HTML tags from being removed.

39 | CVE-2005-3388 | CWE: - | Exploits: none listed | Type: XSS | Published: 2005-11-01 | Updated: 2010-08-21 | CVSS: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: Partial | Avail: None
Cross-site scripting (XSS) vulnerability in the phpinfo function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5 allows remote attackers to inject arbitrary web script or HTML via a crafted URL with a "stacked array assignment."

40 | CVE-2003-0442 | CWE: - | Exploits: none listed | Type: XSS | Published: 2003-07-24 | Updated: 2008-09-10 | CVSS: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: Partial | Avail: None
Cross-site scripting (XSS) vulnerability in the transparent SID support capability for PHP before 4.3.2 (session.use_trans_sid) allows remote attackers to insert arbitrary script via the PHPSESSID parameter.

41 | CVE-2002-1954 | CWE: - | Exploits: none listed | Type: XSS | Published: 2002-12-31 | Updated: 2008-09-05 | CVSS: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: Partial | Avail: None
Cross-site scripting (XSS) vulnerability in the phpinfo function in PHP 4.2.3 allows remote attackers to inject arbitrary web script or HTML via the query string argument, as demonstrated using soinfo.php.