| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2007-6512 | 264 | | +Info | 2007-12-21 | 2008-11-15 | 5.0 | None | Remote | Low | Not required | Partial | None | None | PHP MySQL Banner Exchange 2.2.1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain database information via a direct request to inc/lib.inc. |
| 2 | CVE-2007-6039 | 20 | | DoS Exec Code | 2007-11-20 | 2008-09-05 | 2.1 | None | Local | Low | Not required | None | None | Partial | PHP 5.2.5 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long string in (1) the domain parameter to the dgettext function, the message parameter to the (2) dcgettext or (3) gettext function, the msgid1 parameter to the (4) dngettext or (5) ngettext function, or (6) the classname parameter to the stream_wrapper_register function. NOTE: this might not be a vulnerability in most web server environments that support multiple threads, unless this issue can be demonstrated for code execution. |
| 3 | CVE-2007-5900 | 264 | | Bypass | 2007-11-20 | 2009-02-05 | 6.9 | Admin | Local | Medium | Not required | Complete | Complete | Complete | PHP before 5.2.5 allows local users to bypass protection mechanisms configured through php_admin_value or php_admin_flag in httpd.conf by using ini_set to modify arbitrary configuration variables, a different issue than CVE-2006-4625. |
| 4 | CVE-2007-5899 | 200 | | +Info | 2007-11-20 | 2010-08-21 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | The output_add_rewrite_var function in PHP before 5.2.5 rewrites local forms in which the ACTION attribute references a non-local URL, which allows remote attackers to obtain potentially sensitive information by reading the requests for this URL, as demonstrated by a rewritten form containing a local session ID. |
| 5 | CVE-2007-5898 | | | | 2007-11-20 | 2010-08-21 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None | The (1) htmlentities and (2) htmlspecialchars functions in PHP before 5.2.5 accept partial multibyte sequences, which has unknown impact and attack vectors, a different issue than CVE-2006-5465. |
| 6 | CVE-2007-5653 | 78 | 1 | Bypass | 2007-10-23 | 2008-09-05 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete | The Component Object Model (COM) functions in PHP 5.x on Windows do not follow safe_mode and disable_functions restrictions, which allows context-dependent attackers to bypass intended limitations, as demonstrated by executing objects with the kill bit set in the corresponding ActiveX control Compatibility Flags, executing programs via a function in compatUI.dll, invoking wscript.shell via wscript.exe, invoking Scripting.FileSystemObject via wshom.ocx, and adding users via a function in shgina.dll, related to the com_load_typelib function. |
| 7 | CVE-2007-5447 | 264 | 1 | Bypass | 2007-10-14 | 2008-11-15 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | ioncube_loader_win_5.2.dll in the ionCube Loader 6.5 extension for PHP 5.2.4 does not follow safe_mode and disable_functions restrictions, which allows context-dependent attackers to bypass intended limitations, as demonstrated by reading arbitrary files via the ioncube_read_file function. |
| 8 | CVE-2007-5424 | | | Bypass | 2007-10-12 | 2008-09-05 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial | The disable_functions feature in PHP 4 and 5 allows attackers to bypass intended restrictions by using an alias, as demonstrated by using ini_alter when ini_set is disabled. |
| 9 | CVE-2007-5128 | 20 | | +Info | 2007-09-27 | 2008-09-05 | 5.0 | None | Remote | Low | Not required | Partial | None | None | SimpNews 2.41.03 on Windows, when PHP before 5.0.0 is used, allows remote attackers to obtain sensitive information via a certain link_date parameter to events.php, which reveals the path in an error message due to an unsupported argument type for the mktime function on Windows. |
| 10 | CVE-2007-4889 | | | Bypass | 2007-09-13 | 2008-09-05 | 6.8 | User | Remote | Medium | Not required | Partial | Partial | Partial | The MySQL extension in PHP 5.2.4 and earlier allows remote attackers to bypass safe_mode and open_basedir restrictions via the MySQL (1) LOAD_FILE, (2) INTO DUMPFILE, and (3) INTO OUTFILE functions, a different issue than CVE-2007-3997. |
| 11 | CVE-2007-4887 | 20 | | DoS | 2007-09-13 | 2009-03-04 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | The dl function in PHP 5.2.4 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long string in the library parameter. NOTE: there are limited usage scenarios under which this would be a vulnerability. |
| 12 | CVE-2007-4840 | 20 | | DoS Exec Code | 2007-09-12 | 2009-02-05 | 5.0 | None | Remote | Low | Not required | None | None | Partial | PHP 5.2.4 and earlier allows context-dependent attackers to cause a denial of service (application crash) via (1) a long string in the out_charset parameter to the iconv function; or a long string in the charset parameter to the (2) iconv_mime_decode_headers, (3) iconv_mime_decode, or (4) iconv_strlen function. NOTE: this might not be a vulnerability in most web server environments that support multiple threads, unless these issues can be demonstrated for code execution. |
| 13 | CVE-2007-4825 | 22 | | Exec Code Dir. Trav. Bypass | 2007-09-11 | 2009-02-05 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial | Directory traversal vulnerability in PHP 5.2.4 and earlier allows attackers to bypass open_basedir restrictions and possibly execute arbitrary code via a .. (dot dot) in the dl function. |
| 14 | CVE-2007-4784 | 20 | | DoS Exec Code | 2007-09-10 | 2009-02-05 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The setlocale function in PHP before 5.2.4 allows context-dependent attackers to cause a denial of service (application crash) via a long string in the locale parameter. NOTE: this might not be a vulnerability in most web server environments that support multiple threads, unless this issue can be demonstrated for code execution. |
| 15 | CVE-2007-4783 | 20 | | DoS Exec Code | 2007-09-10 | 2009-02-05 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The iconv_substr function in PHP 5.2.4 and earlier allows context-dependent attackers to cause (1) a denial of service (application crash) via a long string in the charset parameter, probably also requiring a long string in the str parameter; or (2) a denial of service (temporary application hang) via a long string in the str parameter. NOTE: this might not be a vulnerability in most web server environments that support multiple threads, unless these issues can be demonstrated for code execution. |
| 16 | CVE-2007-4782 | 94 | | DoS Exec Code | 2007-09-10 | 2010-08-21 | 5.0 | None | Remote | Low | Not required | None | None | Partial | PHP before 5.2.3 allows context-dependent attackers to cause a denial of service (application crash) via (1) a long string in the pattern parameter to the glob function; or (2) a long string in the string parameter to the fnmatch function, accompanied by a pattern parameter value with undefined characteristics, as demonstrated by a "*[1]e" value. NOTE: this might not be a vulnerability in most web server environments that support multiple threads, unless these issues can be demonstrated for code execution. |
| 17 | CVE-2007-4670 | | | | 2007-09-04 | 2010-08-21 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Unspecified vulnerability in PHP before 5.2.4 has unknown impact and attack vectors, related to an "Improved fix for MOPB-03-2007," probably a variant of CVE-2007-1285. |
| 18 | CVE-2007-4663 | 22 | | Dir. Trav. Bypass | 2007-09-04 | 2008-09-05 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial | Directory traversal vulnerability in PHP before 5.2.4 allows attackers to bypass open_basedir restrictions via unspecified vectors involving the glob function. |
| 19 | CVE-2007-4662 | 119 | | Overflow | 2007-09-04 | 2008-09-05 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial | Buffer overflow in the php_openssl_make_REQ function in PHP before 5.2.4 has unknown impact and attack vectors. |
| 20 | CVE-2007-4661 | 399 | | Overflow | 2007-09-04 | 2008-09-05 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial | The chunk_split function in string.c in PHP 5.2.3 does not properly calculate the needed buffer size due to precision loss when performing integer arithmetic with floating point numbers, which has unknown attack vectors and impact, possibly resulting in a heap-based buffer overflow. NOTE: this is due to an incomplete fix for CVE-2007-2872. |
| 21 | CVE-2007-4660 | 399 | | | 2007-09-04 | 2008-09-10 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Unspecified vulnerability in the chunk_split function in PHP before 5.2.4 has unknown impact and attack vectors, related to an incorrect size calculation. |
| 22 | CVE-2007-4659 | | | | 2007-09-04 | 2008-09-05 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The zend_alter_ini_entry function in PHP before 5.2.4 does not properly handle an interruption to the flow of execution triggered by a memory_limit violation, which has unknown impact and attack vectors. |
| 23 | CVE-2007-4658 | | | | 2007-09-04 | 2011-06-20 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The money_format function in PHP 5 before 5.2.4, and PHP 4 before 4.4.8, permits multiple (1) %i and (2) %n tokens, which has unknown impact and attack vectors, possibly related to a format string vulnerability. |
| 24 | CVE-2007-4657 | 119 | | DoS Overflow +Info | 2007-09-04 | 2009-09-16 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Multiple integer overflows in PHP 4 before 4.4.8, and PHP 5 before 5.2.4, allow remote attackers to obtain sensitive information (memory contents) or cause a denial of service (thread crash) via a large len value to the (1) strspn or (2) strcspn function, which triggers an out-of-bounds read. NOTE: this affects different product versions than CVE-2007-3996. |
| 25 | CVE-2007-4652 | 59 | | Bypass | 2007-09-04 | 2011-08-23 | 4.4 | None | Local | Medium | Not required | Partial | Partial | Partial | The session extension in PHP before 5.2.4 might allow local users to bypass open_basedir restrictions via a session file that is a symlink. |
| 26 | CVE-2007-4596 | 94 | 1 | Exec Code | 2007-08-30 | 2008-09-05 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial | The perl extension in PHP does not follow safe_mode restrictions, which allows context-dependent attackers to execute arbitrary code via the Perl eval function. NOTE: this might only be a vulnerability in limited environments. |
| 27 | CVE-2007-4586 | 119 | 1 | Exec Code Overflow | 2007-08-28 | 2008-09-05 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial | Multiple buffer overflows in php_iisfunc.dll in the iisfunc extension for PHP 5.2.0 and earlier allow context-dependent attackers to execute arbitrary code, probably during Unicode conversion, as demonstrated by a long string in the first argument to the iis_getservicestate function, related to the ServiceId argument to the (1) fnStartService, (2) fnGetServiceState, (3) fnStopService, and possibly other functions. |
| 28 | CVE-2007-4528 | | 1 | Exec Code | 2007-08-24 | 2008-09-05 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | The Foreign Function Interface (ffi) extension in PHP 5.0.5 does not follow safe_mode restrictions, which allows context-dependent attackers to execute arbitrary code by loading an arbitrary DLL and calling a function, as demonstrated by kernel32.dll and the WinExec function. NOTE: this issue does not cross privilege boundaries in most contexts, so perhaps it should not be included in CVE. |
| 29 | CVE-2007-4507 | | 1 | DoS Exec Code Overflow | 2007-08-23 | 2008-09-05 | 6.8 | User | Remote | Medium | Not required | Partial | Partial | Partial | Multiple buffer overflows in the php_ntuser component for PHP 5.2.3 allow context-dependent attackers to cause a denial of service or execute arbitrary code via long arguments to the (1) ntuser_getuserlist, (2) ntuser_getuserinfo, (3) ntuser_getusergroups, or (4) ntuser_getdomaincontroller functions. |
| 30 | CVE-2007-4441 | | 1 | Exec Code Overflow | 2007-08-20 | 2008-09-05 | 4.6 | User | Local | Low | Not required | Partial | Partial | Partial | Buffer overflow in php_win32std.dll in the win32std extension for PHP 5.2.0 and earlier allows context-dependent attackers to execute arbitrary code via a long string in the filename argument to the win_browse_file function. |
| 31 | CVE-2007-4255 | | 1 | Exec Code Overflow | 2007-08-08 | 2008-09-05 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial | Buffer overflow in the mSQL extension in PHP 5.2.3 allows context-dependent attackers to execute arbitrary code via a long first argument to the msql_connect function. |
| 32 | CVE-2007-4033 | 119 | 1 | Exec Code Overflow | 2007-07-27 | 2010-08-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Buffer overflow in the intT1_EnvGetCompletePath function in lib/t1lib/t1env.c in t1lib 5.1.1 allows context-dependent attackers to execute arbitrary code via a long FileName parameter. NOTE: this issue was originally reported to be in the imagepsloadfont function in php_gd2.dll in the gd (PHP_GD2) extension in PHP 5.2.3. |
| 33 | CVE-2007-4010 | | 1 | Exec Code | 2007-07-25 | 2008-09-05 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | The win32std extension in PHP 5.2.3 does not follow safe_mode and disable_functions restrictions, which allows remote attackers to execute arbitrary commands via the win_shell_execute function. |
| 34 | CVE-2007-3998 | 20 | | DoS | 2007-09-04 | 2010-08-21 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The wordwrap function in PHP 4 before 4.4.8, and PHP 5 before 5.2.4, does not properly use the breakcharlen variable, which allows remote attackers to cause a denial of service (divide-by-zero error and application crash, or infinite loop) via certain arguments, as demonstrated by a 'chr(0), 0, ""' argument set. |
| 35 | CVE-2007-3997 | 264 | 1 | Bypass | 2007-09-04 | 2009-09-16 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The (1) MySQL and (2) MySQLi extensions in PHP 4 before 4.4.8, and PHP 5 before 5.2.4, allow remote attackers to bypass safe_mode and open_basedir restrictions via MySQL LOCAL INFILE operations, as demonstrated by a query with LOAD DATA LOCAL INFILE. |
| 36 | CVE-2007-3996 | 189 | | DoS Exec Code Overflow | 2007-09-04 | 2010-08-21 | 6.8 | User | Remote | Medium | Not required | Partial | Partial | Partial | Multiple integer overflows in libgd in PHP before 5.2.4 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large (1) srcW or (2) srcH value to the (a) gdImageCopyResized function, or a large (3) sy (height) or (4) sx (width) value to the (b) gdImageCreate or the (c) gdImageCreateTrueColor function. |
| 37 | CVE-2007-3806 | 399 | 2 | DoS Exec Code Mem. Corr. | 2007-07-16 | 2012-11-05 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | The glob function in PHP 5.2.3 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via an invalid value of the flags parameter, probably related to memory corruption or an invalid read on win32 platforms, and possibly related to lack of initialization for a glob structure. |
| 38 | CVE-2007-3799 | 20 | | | 2007-07-16 | 2012-10-30 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | The session_start function in ext/session in PHP 4.x up to 4.4.7 and 5.x up to 5.2.3 allows remote attackers to insert arbitrary attributes into the session cookie via special characters in a cookie that is obtained from (1) PATH_INFO, (2) the session_id function, and (3) the session_start function, which are not encoded or filtered when the new session cookie is generated, a related issue to CVE-2006-0207. |
| 39 | CVE-2007-3790 | | 1 | DoS | 2007-07-15 | 2012-10-30 | 5.8 | None | Remote | Medium | Not required | None | Partial | Partial | The com_print_typeinfo function in the bz2 extension in PHP 5.2.3 allows context-dependent attackers to cause a denial of service via a long argument. |
| 40 | CVE-2007-3378 | | | Exec Code Bypass | 2007-06-29 | 2010-11-22 | 6.8 | User | Remote | Medium | Not required | Partial | Partial | Partial | The (1) session_save_path, (2) ini_set, and (3) error_log functions in PHP 4.4.7 and earlier, and PHP 5 5.2.3 and earlier, when invoked from a .htaccess file, allow remote attackers to bypass safe_mode and open_basedir restrictions and possibly execute arbitrary commands, as demonstrated using (a) php_value, (b) php_flag, and (c) directives in .htaccess. |
| 41 | CVE-2007-3294 | 119 | 1 | Exec Code Overflow | 2007-06-20 | 2012-10-30 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial | Multiple buffer overflows in libtidy, as used in the Tidy extension for PHP 5.2.3 and possibly other products, allow context-dependent attackers to execute arbitrary code via (1) a long second argument to the tidy_parse_string function or (2) an unspecified vector to the tidy_repair_string function. NOTE: this might only be an issue in environments where vsnprintf is implemented as a wrapper for vsprintf. |
| 42 | CVE-2007-3205 | | | | 2007-06-13 | 2012-10-30 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The parse_str function in (1) PHP, (2) Hardened-PHP, and (3) Suhosin, when called without a second parameter, might allow remote attackers to overwrite arbitrary variables by specifying variable names and values in the string to be parsed. NOTE: it is not clear whether this is a design limitation of the function or a bug in PHP, although it is likely to be regarded as a bug in Hardened-PHP and Suhosin. |
| 43 | CVE-2007-3007 | 264 | | | 2007-06-04 | 2012-10-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None | PHP 5 before 5.2.3 does not enforce the open_basedir or safe_mode restriction in certain cases, which allows context-dependent attackers to determine the existence of arbitrary files by checking if the readfile function returns a string. NOTE: this issue might also involve the realpath function. |
| 44 | CVE-2007-2872 | 189 | | DoS Exec Code Overflow | 2007-06-04 | 2012-10-30 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Multiple integer overflows in the chunk_split function in PHP 5 before 5.2.3 and PHP 4 before 4.4.8 allow remote attackers to cause a denial of service (crash) or execute arbitrary code via the (1) chunks, (2) srclen, and (3) chunklen arguments. |
| 45 | CVE-2007-2844 | | | | 2007-05-24 | 2012-11-05 | 9.3 | Admin | Remote | Medium | Not required | Complete | Complete | Complete | PHP 4.x and 5.x before 5.2.1, when running on multi-threaded systems, does not ensure thread safety for libc crypt function calls using protection schemes such as a mutex, which creates race conditions that allow remote attackers to overwrite internal program memory and gain system access. |
| 46 | CVE-2007-2748 | | | +Info | 2007-05-17 | 2012-10-30 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | The substr_count function in PHP 5.2.1 and earlier allows context-dependent attackers to obtain sensitive information via unspecified vectors, a different affected function than CVE-2007-1375. |
| 47 | CVE-2007-2728 | 264 | | | 2007-05-16 | 2012-11-05 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | The soap extension in PHP calls php_rand_r with an uninitialized seed variable, which has unknown impact and attack vectors, a related issue to the mcrypt_create_iv issue covered by CVE-2007-2727. |
| 48 | CVE-2007-2727 | | | | 2007-05-16 | 2012-11-05 | 2.6 | None | Remote | High | Not required | Partial | None | None | The mcrypt_create_iv function in ext/mcrypt/mcrypt.c in PHP before 4.4.7, 5.2.1, and possibly 5.0.x and other PHP 5 versions, calls php_rand_r with an uninitialized seed variable and therefore always generates the same initialization vector (IV), which might allow context-dependent attackers to decrypt certain data more easily because of the guessable encryption keys. |
| 49 | CVE-2007-2511 | | | Overflow | 2007-05-08 | 2012-10-30 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | Buffer overflow in the user_filter_factory_create function in PHP before 5.2.2 has unknown impact and local attack vectors. |
| 50 | CVE-2007-2510 | 119 | | Overflow | 2007-05-08 | 2012-10-30 | 5.1 | User | Remote | High | Not required | Partial | Partial | Partial | Buffer overflow in the make_http_soap_request function in PHP before 5.2.2 has unknown impact and remote attack vectors, possibly related to "/" (slash) characters. |