
CVE-2006-4020

Published: 08/08/2006 Updated: 14/02/2024
CVSS v2 Base Score: 4.6 | Impact Score: 6.4 | Exploitability Score: 3.9
VMScore: 465
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows context-dependent attackers to execute arbitrary code via a call to the PHP sscanf function that uses argument swapping, which increments an index past the end of an array and triggers a buffer over-read.

Vulnerable Product

php php 4.3.9

php php 4.0

php php 5.1.2

php php 4.2.0

php php 5.1.1

php php 5.0.0

php php 4.1.0

php php 4.3.4

php php 4.0.4

php php 4.3.0

php php 4.0.5

php php 5.0

php php 5.0.5

php php 4.3.6

php php 5.0.1

php php 5.1.4

php php 4.0.7

php php 4.3.7

php php 5.0.4

php php 4.2.2

php php 4.4.2

php php 4.3.2

php php 4.3.11

php php 4.0.0

php php 4.0.3

php php 4.0.2

php php 4.3.3

php php 4.1.1

php php 4.4.3

php php 5.0.3

php php 4.2.3

php php 5.1.0

php php 4.0.1

php php 4.0.6

php php 4.1.2

php php 4.3.1

php php 4.4.0

php php 4.3.10

php php 4.2.1

php php 5.0.2

php php 4.2

php php 4.4.1

php php 4.3.8

php php 4.3.5

Vendor Advisories

The sscanf() function did not properly check array boundaries. In applications which use sscanf() with argument swapping, a remote attacker could potentially exploit this to crash the affected web application or even execute arbitrary code with the application’s privileges (CVE-2006-4020) ...

Debian Bug report logs - #382256 php5: CVE-2006-4020: arbitrary code execution in php Package: php5; Maintainer for php5 is Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>; Source for php5 is src:php5 (PTS, buildd, popcon) Reported by: Stefan Fritsch <sf@sfritsch.de> Date: Wed, 9 Aug 2006 19:18:18 UTC ...

Debian Bug report logs - #382259 PHP 4.4.3 and 4.4.4 fix security bugs (CVE-2006-301[67], et al) Package: php4; Maintainer for php4 is (unknown); Reported by: Stefan Fritsch <sf@sfritsch.de> Date: Wed, 9 Aug 2006 20:03:02 UTC Severity: grave Tags: fixed, fixed-upstream, security, upstream Done: Ondřej Surý <ondrej ...

Debian Bug report logs - #370165 php5-curl: [CVE-2006-2563] PHP cURL Safe_Mode Bypass Vulnerability Package: php5-curl; Maintainer for php5-curl is Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>; Source for php5-curl is src:php5 (PTS, buildd, popcon) Reported by: SALVETTI Djoume <djoume@taket.org> Dat ...

Exploits

<? /*********************************************************** * hoagie_php_sscanf.php * PHP <= 4.4.3 / 5.1.4 local buffer overflow exploit * * howto get offsets: * (set $base_addr to 0x41414141) * # ulimit -c 20000 * # /etc/init.d/apache restart * (execute script via web browser) * # tail /var/log/apache/error.log * * [Wed Au ...

References

NVD-CWE-Other

http://www.securityfocus.com/archive/1/442438/30/0/threaded

http://www.plain-text.info/sscanf_bug.txt

http://bugs.php.net/bug.php?id=38322

http://www.securityfocus.com/bid/19415

http://secunia.com/advisories/21403

http://www.novell.com/linux/security/advisories/2006_19_sr.html

http://www.novell.com/linux/security/advisories/2006_20_sr.html

http://www.mandriva.com/security/advisories?name=MDKSA-2006:144

http://secunia.com/advisories/21608

http://www.php.net/ChangeLog-5.php#5.1.5

http://www.php.net/release_5_1_5.php

http://security.gentoo.org/glsa/glsa-200608-28.xml

http://secunia.com/advisories/21546

http://secunia.com/advisories/21683

http://www.novell.com/linux/security/advisories/2006_22_sr.html

http://www.ubuntu.com/usn/usn-342-1

http://secunia.com/advisories/21768

http://www.redhat.com/support/errata/RHSA-2006-0669.html

http://www.redhat.com/support/errata/RHSA-2006-0682.html

http://www.novell.com/linux/security/advisories/2006_52_php.html

http://secunia.com/advisories/22004

http://secunia.com/advisories/22069

http://securitytracker.com/id?1016984

http://support.avaya.com/elmodocs2/security/ASA-2006-221.htm

http://support.avaya.com/elmodocs2/security/ASA-2006-222.htm

http://secunia.com/advisories/22440

http://support.avaya.com/elmodocs2/security/ASA-2006-223.htm

http://rhn.redhat.com/errata/RHSA-2006-0688.html

ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc

http://secunia.com/advisories/22538

http://secunia.com/advisories/22487

http://secunia.com/advisories/21847

http://secunia.com/advisories/22039

http://rhn.redhat.com/errata/RHSA-2006-0736.html

http://secunia.com/advisories/23247

http://secunia.com/advisories/21467

http://securityreason.com/securityalert/1341

http://www.vupen.com/english/advisories/2006/3193

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11062

https://usn.ubuntu.com/342-1/

https://nvd.nist.gov

https://www.exploit-db.com/exploits/2193/