CVE-2000-0967
Published 2000-12-19
CVE-2000-0967: PHP 3 and 4 do not properly cleanse user-injected format strings, which allows remote attackers to execute arbitrary commands by triggering error messages that…
Priority: P3 45 critical · CVSS 2.0: 10 · AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 20.63% (97.2th percentile)
PHP 3 and 4 do not properly cleanse user-injected format strings, which allows remote attackers to execute arbitrary commands by triggering error messages that are improperly written to the error logs.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| php | php | — | — |
| php | php | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vendor_redhat | — | 10.0 | CRITICAL | — |
GHSA
GHSA-v3f7-v9wm-vwj3 [HIGH]: PHP 3 and 4 do not properly cleanse user-injected format strings, which allows remote attackers to execute arbitrary commands by triggering error mess
ghsa_unreviewed · 2022-05-03
Red Hat
security flaw [CRITICAL]
vendor_redhat · 2000-10-12 · CVSS 10.0
Statement: This issue was fixed in the following products:
- Red Hat Linux 5.2 - RHSA-2000:088 (2000-10-23)
- Red Hat Linux 6.0 - RHSA-2000:088 (2000-10-23)
- Red Hat Linux 6.1 - RHSA-2000:088 (2000-10-23)
- Red Hat Linux 6.2 - RHSA-2000:088 (2000-10-23)
- Red Hat Linux 7.0 - RHSA-2000:088 (2000-10-23)
- Red Hat Secure Web Server 3.2 - RHSA-2000:095 (2000-10-26)
No detection rules found.
Exploit-DB
PHP 3.0.16/4.0.2 - Remote Format Overflow
exploitdb · 2000-12-06
---
```c
/*
 * PHP 3.0.16/4.0.2 remote format overflow exploit.
 * Copyright (c) 2000
 * Field Marshal Count August Anton Wilhelm Neithardt von Gneisenau
 * [email protected]
 * my regards to sheib and darkx
 * All rights reserved
 * Pascal Boucheraine's paper was enlightening
 * THERE IS NO IMPLIED OR EXPRESS WARRANTY FOR THIS CODE.
 * YOU ARE RESPONSIBLE FOR YOUR OWN ACTIONS AND I CANNOT BE HELD RESPONSIBLE
 * FOR THE CONSEQUENCES
 * Usage:
 * phpxpl -sx -uwww.victim.com/some.php3 | nc www.victim.com 80
 *
 * Slackware 7.0: eip address/shellcode address
 * 0xbfff9b90/0xbfff958c
 *
 */
/*
 * We just printf the shellcode and stuff and nc it to the target
 */
#include
#include
#include
#include
#include
// this exploit does not like 0x0a = '\n' in the shellcode. als
```
Exploit-DB
PHP 3.0/4.0 - Error Logging Format String
exploitdb · 2000-10-12
---
// source: https://www.securityfocus.com/bid/1786/info
PHP is a scripting language designed for CGI applications that is used on many websites. There exists a remotely exploitable format string vulnerability in all versions of PHP below PHP 4.0.3.
The vulnerability exists in the code that handles error logging and is present if error logging is enabled in the "php.ini" configuration file. When errors are encountered by PHP, a string containing data supplied by the user is passed as the format string argument (the log_message variable) to the php_syslog() function (which contains *printf functions). As a result, it is possible for a malicious user to craft a string containing malicious format specifiers that will be passed to the php_syslog
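The defect described above is the classic format-string bug class: untrusted text is handed to a `*printf`-family function as the format argument instead of as a `%s` argument. The block below is an added illustration, not PHP's `php_syslog()` code and not taken from either Exploit-DB entry; the function names (`count_format_specifiers`, `build_log_line`, `is_safe_as_format`) and the sample request path are hypothetical. It shows the hardened logging shape (fixed format, user data as argument) alongside a guard that a reviewer or fuzzer can use to flag user-controlled strings that would be dangerous as formats.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical logging shim illustrating the php_syslog() bug class.
 * Nothing here is PHP's own code.
 *
 * Vulnerable shape (shown for contrast only, never called here):
 *     syslog(LOG_ERR, log_message);          // log_message is user data used as the FORMAT
 * Hardened shape:
 *     syslog(LOG_ERR, "%s", log_message);    // user data is an ARGUMENT to a fixed format
 */

/* Count printf-style conversion specifiers in untrusted text.
 * "%%" is a literal percent sign and is not counted. A non-zero result for
 * text that is about to be used as a format argument is exactly the defect
 * the advisory describes. */
int count_format_specifiers(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Hardened log-line builder: the untrusted text is always an argument to a
 * fixed format string, so any '%' it contains is copied literally and no
 * stack slot is read or written.
 * Returns the number of characters written (excluding the terminator),
 * or -1 if the message did not fit in the buffer. */
int build_log_line(char *out, size_t outlen, const char *untrusted)
{
    int n = snprintf(out, outlen, "PHP Warning: %s", untrusted);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Defensive guard for code paths that cannot be refactored immediately:
 * returns 1 only if the caller-supplied string contains no conversion
 * specifiers and is therefore harmless even if misused as a format. */
int is_safe_as_format(const char *s)
{
    return count_format_specifiers(s) == 0;
}

int main(void)
{
    /* Constructed sample: a request path carrying specifiers, as it would
     * reach an error message when error logging is enabled. */
    const char *user_path = "/index.php3?page=%x%x%n";
    char line[256];

    printf("specifiers in user data: %d\n", count_format_specifiers(user_path));
    printf("safe as format: %d\n", is_safe_as_format(user_path));
    if (build_log_line(line, sizeof line, user_path) >= 0)
        printf("%s\n", line);   /* '%x%x%n' appear literally in the log line */
    return 0;
}
```

The guard is a detection aid, not a substitute for the real fix: once the format string is a compile-time literal, `-Wformat-security` (gcc/clang) will flag any remaining call that passes a non-literal as the format, which is the check to run across a code base after an advisory like this one.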
References
- ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:75.php.asc
- http://archives.neohapsis.com/archives/bugtraq/2000-10/0204.html
- http://www.atstake.com/research/advisories/2000/a101200-1.txt
- http://www.calderasystems.com/support/security/advisories/CSSA-2000-037.0.txt
- http://www.linux-mandrake.com/en/security/MDKSA-2000-062.php3?dis=7.1
- http://www.redhat.com/support/errata/RHSA-2000-088.html
- http://www.redhat.com/support/errata/RHSA-2000-095.html
- http://www.securityfocus.com/bid/1786
- https://exchange.xforce.ibmcloud.com/vulnerabilities/5359