| | PHP multiple security vulnerabilities updated since 02.11.2010
|
 | | DoS, base_dir protection bypass, cross-site scripting. |
| 6! | PHP multiple security vulnerabilities
|
 | | phar extension information leaks, SPLObjectStorage information leaks, error messages information leaks, variables spoofing. |
| 7! | PHP multiple security vulnerabilities
|
 | | Multiple information leakages, uninitialized memory access, double free(), integer overflows. |
| 6! | PHP DoS
|
 | | Crash on XML-RPC requests processing. |
| 7! | PHP multiple security vulnerabilities
|
 | | safe_mode bypass, open_basedir bypass, memory corruption. |
| 6! | PHP multiple security vulnerabilities
|
 | | Multiple buffer overflows, memory corruptions and DoS conditions. |
| 7! | PHP multiple security vulnerabilities updated since 28.09.2009
|
 | | Certificate spoofing, memory corruption on image parsing, information leakage. |
| | PHP DoS
|
 | | Crash on JPEG Exif data parsing. |
| | PHP safemode execution protection bypass
|
 | | It's possible to bypass safemode protection by inserting a few backslashes into the command. |
| | PHP safe mode bypass vulnerability updated since 24.01.2008
|
 | | It's possible to access files behind sandbox directory with cURL module. |
| | PHP DoS
|
 | | Crash on malformed string in JSON_parser. |
| | PHP popen() function buffer overflow
|
 | | Buffer overflow on oversized mode argument. |
| 6! | PHP proc_open() safe_mode bypass
|
 | | It's possible to execute any code from a shared library via proc_open(). |
| 6! | PHP ZipArchive::extractTo() directory traversal
|
 | | Directory traversal when unpacking ZIP files. |
| | PHP dba_replace() DoS
|
 | | It's possible to destroy ini-file content. |
| | PHP safe_mode protection bypass
|
 | | It's possible to bypass protection with ini_set("error_log", "/hack/"); |
| | PHP safe_mode protection bypass
|
 | | Protection bypass with posix_access(), chdir(), ftok() functions. |
| | PHP multiple security vulnerabilities
|
 | | GENERATE_SEED() weak random generator, |
| | PHP integer overflow
|
 | | Integer overflow in printf function. |
| | PHP safe mode protection bypass with htaccess updated since 27.06.2007
|
 | | It's possible to manipulate function ini_set() and session_save_path() with htaccess settings. |
| 6! | PHP multiple Denial of Service conditions
|
 | | Multiple denial of service conditions. |
| | PHP multiple denial of service conditions
|
 | | DoS in stream_wrapper_register(), dgettext(), dcgettext(), dngettext(), gettext(), ngettext(), dcgettext() functions. |
| | PHP disable_functions function aliases protection bypass
|
 | | A function disabled with disable_functions may be invoked by its alias. |
| 6! | t1lib library / PHP buffer overflow
|
 | | Buffer overflow in intT1_Env_GetCompletePath() |
| | PHP safemode bypass
|
 | | By using LOAD_FILE, INTO DUMPFILE, INTO OUTFILE SQL modifiers it's possible to access files behind basedir. |
| 6! | PHP multiple DoS conditions updated since 06.09.2007
|
 | | Crash on oversized strings in fnmatch(), iconv_substr(), glob() and setlocale() functions. |
| 6! | PHP msql_connect buffer overflow
|
 | | Stack based buffer overflow on oversized function's argument. |
| 6! | PHP glob code execution
|
 | | With negative argument values it's possible to execute code from address space controlled by attacker. |
| | PHP win32service extension protection bypass
|
 | | Service management functions are available from safe mode. |
| | libgd PNG DoS
|
 | | Resource exhaustion on PNG parsing. |
| 6! | PHP multiple security vulnerabilities
|
 | | chunk_split() integer overflow. |
| 6! | PHP SOAP extension buffer overflow
|
 | | Buffer overflow in make_http_soap_request function. |
| 6! | PHP libxmlrpc buffer overflow |
| | | |
| | Buffer overflow in PHP sqlite_udf_decode_binary() function
|
 | | Buffer overflow on a string with a single \0x01 character. |
| | PHP php_stream_filter_create() buffer overflow
|
 | | Off-by-one overflow on the filter name ending with dot. |
| 6! | PHP imap_mail_compose buffer overflow
|
 | | Buffer overflow on oversized MIME boundary. |
| | PHP str_replace() integer overflow
|
 | | Integer overflow on a large number of single-char substring occurrences. |
| 6! | PHP ext/filter protection bypass
|
 | | \n injection is not checked. |
| | PHP memory manager integer overflow
|
 | | Integer overflow on large memory allocation. |
| | PHP msg_receive() integer overflow
|
 | | Integer overflow with max_size parameter. |
| | PHP gd extension readwbmp() function integer overflow
|
 | | Buffer overflow on WBMP image parsing. |
| | PHP iptcembed() function information leak
|
 | | Uninitialized memory region is returned on invalid function termination. |
| 6! | PHP printf() integer overflow
|
 | | Integer overflow on 64-bit systems. |
| | PHP session.save_path open_basedir protection bypass
|
 | | It's possible to create a file in any directory by using environment variables. |
| 6! | PHP read_file safe_mode protection bypass
|
 | | It's possible to bypass protection by using php://../../ prefix to filename. |
| | PHP mail() function invalid characters processing
|
 | | Unfiltered \r\n and \0 characters allow string injection and header truncation. |
| | PHP PECL functions buffer overflows
|
 | | Buffer overflow in confirm_phpdoc_compiled() function. |
| 6! | PHP variables unset use after free vulnerability
|
 | | There are no access counters for the _SESSION and HTTP_SESSION_VARS variables, making it possible to trigger use-after-free conditions by unsetting these variables. In addition, it's possible to deserialize these variables. |
| | PHP unserialize() function information leak
|
 | | Uninitialized memory fragment is returned on "S:" string. |
| | PHP FTP command injection
|
 | | Unchecked CRLF in filename allows injection of FTP commands. |
| 6! | PHP ext/gd use after free() vulnerability
|
 | | During exceptional conditions handling, some resources are free()ed and later accessed. |
| | mb_parse_str() exceptional conditions protection bypass
|
 | | Exceptional conditions during function invocation may lead to enabling register_globals. |
| 6! | PHP hash_update_file() function use after free() vulnerability
|
 | | Race conditions allow the resource processed by the function to be freed. |
| | PHP header() function memory corruption
|
 | | Heap memory page corruption allows code execution on big endian systems. |
| | PHP array_user_key_compare() function memory corruption
|
 | | References are left to a freed buffer. This may lead to use of de-allocated memory. |
| | PHP invalid session id and session_regenerate_id() function double free() vulnerability
|
 | | Race conditions on session identifier freeing can lead to double free() operation. |
| | PHP compress.bzip2:// URL safe mode protection bypass
|
 | | Safe mode and open_basedir limitations are not checked. |
| | PHP filtering extension multiple security vulnerabilities
|
 | | Buffer underflow, filtering protection bypass. |
| | PHP substr_compare information leak
|
 | | Integer overflow allows memory reading behind variable boundaries. |
| | PHP zip:// URL buffer overflow
|
 | | Stack buffer overflow (stack overrun) on oversized URL. |
| | PHP FDF POST request filtering protection bypass
|
 | | FDF extension doesn't support filtering. |
| | PHP shmop information leak
|
 | | By using shared memory via shmop() function, script can obtain content of parent application's memory. |
| | PHP import_request_variables internal variables overwrite
|
 | | $_GET, $_POST, $_COOKIE, $_FILES, $_SERVER, $_SESSION and other internal variables may be overwritten during import. |
| 6! | PHP mssql_connect() / mssql_pconnect() functions buffer overflow
|
 | | Buffer overflow leads to code execution, resulting in sandbox protection bypass. |
| | PHP php_binary / WDDX information leak
|
 | | A fragment of heap memory may be read because of a missing variable length check. |
| | PHP zend_hash_init function infinite loop updated since 22.02.2007
|
 | | Infinite loop on 64-bit platforms. |
| 6! | Multiple PHP vulnerabilities
|
 | | Multiple buffer overflows, DoS conditions, information leaks, etc. |
| | PHP str_ireplace DoS
|
 | | $Data = str_ireplace("\n", "<br>", $Data);
can cause the PHP engine to crash because of an off-by-one overflow. |
| 6! | PHP Safe Mode protection bypass
|
 | | It's possible to traverse working directory protection by using writing mode (srpath://../ file prefix for fopen()). |
| 6! | PHP safe_mode and open_basedir protection bypass
|
 | | It's possible to access directories above basedir with session_save_path(). |
| | PHP safe_mode glob() protection bypass
|
 | | The glob() function allows checking the existence of a file/directory and building a directory listing. |
| | PHP open_basedir protection bypass updated since 04.10.2006
|
 | | By using symbolic links within a race window it's possible to bypass open_basedir protection. |
| 6! | PHP Safe Mode protection bypass
|
 | | By using the ini_restore function it's possible to clear the safe_mode variable. |
| | |