CVE-2006-4020

Description

scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows context-dependent attackers to execute arbitrary code via a sscanf PHP function call that performs argument swapping, which increments an index past the end of an array and triggers a buffer over-read.

CVSS Metrics

• v2.0•MEDIUM•Score: 4.6AV:L/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 5.86%• Percentile: 91%

Affected Systems

• Unknown•PHP

  4.0 | 4.0:beta_4_patch1 | 4.0:beta1 | 4.0:beta2 | 4.0:beta3 | 4.0:beta4 | 4.0:rc1 | 4.0:rc2 | 4.0.0 | 4.0.1 | 4.0.1:patch1 | 4.0.1:patch2 | 4.0.2 | 4.0.3 | 4.0.3:patch1 | 4.0.4 | 4.0.4:patch1 | 4.0.5 | 4.0.6 | 4.0.7 | 4.0.7:rc1 | 4.0.7:rc2 | 4.0.7:rc3 | 4.1.0 | 4.1.1 | 4.1.2 | 4.2 | 4.2.0 | 4.2.1 | 4.2.2 | 4.2.3 | 4.3.0 | 4.3.1 | 4.3.2 | 4.3.3 | 4.3.4 | 4.3.5 | 4.3.6 | 4.3.7 | 4.3.8 | 4.3.9 | 4.3.10 | 4.3.11 | 4.4.0 | 4.4.1 | 4.4.2 | 4.4.3 | 5.0:rc1 | 5.0:rc2 | 5.0:rc3 | 5.0.0 | 5.0.0:beta1 | 5.0.0:beta2 | 5.0.0:beta3 | 5.0.0:beta4 | 5.0.0:rc1 | 5.0.0:rc2 | 5.0.0:rc3 | 5.0.1 | 5.0.2 | 5.0.3 | 5.0.4 | 5.0.5 | 5.1.0 | 5.1.1 | 5.1.2 | 5.1.4

References (39)

• http://securitytracker.com/id?1016984
• http://www.plain-text.info/sscanf_bug.txt
• http://www.php.net/release_5_1_5.php
• http://www.securityfocus.com/bid/19415
• http://secunia.com/advisories/21768
• http://secunia.com/advisories/21403
• http://www.redhat.com/support/errata/RHSA-2006-0669.html
• http://www.mandriva.com/security/advisories?name=MDKSA-2006:144
• https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11062
• http://secunia.com/advisories/21847
• http://www.novell.com/linux/security/advisories/2006_20_sr.html
• http://secunia.com/advisories/22487
• http://www.ubuntu.com/usn/usn-342-1
• http://support.avaya.com/elmodocs2/security/ASA-2006-221.htm
• http://secunia.com/advisories/22039
• http://rhn.redhat.com/errata/RHSA-2006-0688.html
• http://bugs.php.net/bug.php?id=38322
• http://secunia.com/advisories/21683
• http://secunia.com/advisories/23247
• http://secunia.com/advisories/21467
• http://www.novell.com/linux/security/advisories/2006_19_sr.html
• http://secunia.com/advisories/22004
• http://support.avaya.com/elmodocs2/security/ASA-2006-222.htm
• http://secunia.com/advisories/22538
• http://www.redhat.com/support/errata/RHSA-2006-0682.html
• http://secunia.com/advisories/21546
• http://secunia.com/advisories/21608
• http://secunia.com/advisories/22440
• http://secunia.com/advisories/22069
• http://www.securityfocus.com/archive/1/442438/30/0/threaded
• http://support.avaya.com/elmodocs2/security/ASA-2006-223.htm
• http://www.novell.com/linux/security/advisories/2006_22_sr.html
• http://www.vupen.com/english/advisories/2006/3193
• http://www.php.net/ChangeLog-5.php#5.1.5
• ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc
• http://security.gentoo.org/glsa/glsa-200608-28.xml
• http://securityreason.com/securityalert/1341
• http://rhn.redhat.com/errata/RHSA-2006-0736.html
• http://www.novell.com/linux/security/advisories/2006_52_php.html