sapi/cgi/cgi_main.c in PHP prior to 5.3.12 and 5.4.x prior to 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote malicious users to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.

| Vulnerable Product |
|---|
| php php 5.2.9 |
| php php 5.3.10 |
| php php 5.1.5 |
| php php 5.3.6 |
| php php 5.3.9 |
| php php 5.1.2 |
| php php 5.3.1 |
| php php 5.1.1 |
| php php 5.2.14 |
| php php 5.0.0 |
| php php 5.1.6 |
| php php 5.2.16 |
| php php 5.3.8 |
| php php 5.2.7 |
| php php 5.2.2 |
| php php 5.0.5 |
| php php 5.0.1 |
| php php 5.1.4 |
| php php 5.2.5 |
| php php 5.0.4 |
| php php 5.2.12 |
| php php 5.2.11 |
| php php 5.2.6 |
| php php 5.2.17 |
| php php |
| php php 5.3.0 |
| php php 5.2.3 |
| php php 5.3.3 |
| php php 5.0.3 |
| php php 5.3.7 |
| php php 5.1.0 |
| php php 5.2.13 |
| php php 5.2.0 |
| php php 5.2.4 |
| php php 5.3.2 |
| php php 5.3.4 |
| php php 5.1.3 |
| php php 5.2.10 |
| php php 5.0.2 |
| php php 5.2.15 |
| php php 5.3.5 |
| php php 5.2.1 |
| php php 5.2.8 |
| php php 5.4.0 |
| php php 5.4.1 |

PHP fixes critical RCE flaw impacting all versions for Windows (By Bill Toulas, June 7, 2024, 10:32 AM): A new PHP for Windows remote code execution (RCE) vulnerability has been disclosed, impacting all releases since version 5.x, potentially impacting a massive number of servers worldwide. PHP is a widely used open-source scripting language designed for web development and commonly used on both Windows and Linux servers. The new RCE flaw, tracked as CVE-2024-4577, was discovered by Devcore Pri...
In early June, Kaspersky Lab announced a discovery that opened a whole new chapter in the field of cyber-espionage. Named NetTraveler, this is a family of malicious programs used by APT actors to successfully compromise more than 350 high-profile victims in 40 countries. The NetTraveler group infected victims across both the public and private sector including government institutions, embassies, the oil and gas industry, research centers, military contractors and activists. The threat, which has b...