SB2018103065 - Multiple vulnerabilities in PHP
Published: October 30, 2018 Updated: June 8, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2006-2660)
The vulnerability allows a local user to corrupt data.
Buffer consumption vulnerability in the tempnam function in PHP 5.1.4 and 4.x before 4.4.3 allows local users to bypass restrictions and create PHP files with fixed names in other directories via a pathname argument longer than MAXPATHLEN, which prevents a unique string from being appended to the filename.
2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2001-1247)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
PHP 4.0.4pl1 and 4.0.5 in safe mode allows remote attackers to read and write files owned by the web server UID by uploading a PHP script that uses the error_log function to access the files.
Remediation
Install update from vendor's website.
References
- http://archives.neohapsis.com/archives/fulldisclosure/2006-06/0209.html
- http://cvs.php.net/viewcvs.cgi/php-src/NEWS?view=markup&rev=1.1247.2.920.2.134
- http://secunia.com/advisories/21125
- http://securityreason.com/securityalert/1069
- http://securitytracker.com/id?1016271
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:122
- http://www.securityfocus.com/archive/1/436785/100/0/threaded
- http://www.ubuntu.com/usn/usn-320-1
- https://exchange.xforce.ibmcloud.com/vulnerabilities/27049
- http://online.securityfocus.com/archive/1/194425
- http://www.osvdb.org/5440
- http://www.php.net/do_download.php?download_file=php-4.1.2.tar.gz
- http://www.redhat.com/support/errata/RHSA-2002-035.html