CVE-2004-0958
Published 2004-11-03
Priority: P4 · 30 · medium · CVSS 2.0 base score 5
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT · EPSS 9.73% (94.9th percentile)
php_variables.c in PHP before 5.0.2 allows remote attackers to read sensitive memory contents via (1) GET, (2) POST, or (3) COOKIE GPC variables that end in an open bracket character, which causes PHP to calculate an incorrect string length.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| php | php | <= 5.0.2 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vendor_redhat | — | 5.0 | MEDIUM | — |
Red Hat · vendor_redhat · 2007-01-26 · CVSS 2.1
CVE-2007-0958 [LOW] core-dumping unreadable binaries via PT_INTERP
Linux kernel 2.6.x before 2.6.20 allows local users to read unreadable binaries by using the interpreter (PT_INTERP) functionality and triggering a core dump, a variant of CVE-2004-1073.
Red Hat · vendor_redhat · 2004-09-15 · CVSS 5.0
CVE-2004-0958 [MEDIUM] security flaw
php_variables.c in PHP before 5.0.2 allows remote attackers to read sensitive memory contents via (1) GET, (2) POST, or (3) COOKIE GPC variables that end in an open bracket character, which causes PHP to calculate an incorrect string length.
GHSA · ghsa_unreviewed · 2022-04-29
CVE-2004-0958 [MEDIUM] GHSA-7c8x-jx93-w7hg: php_variables
php_variables.c in PHP before 5.0.2 allows remote attackers to read sensitive memory contents via (1) GET, (2) POST, or (3) COOKIE GPC variables that end in an open bracket character, which causes PHP to calculate an incorrect string length.
No detection rules found.
Bugzilla · bugzilla · 2018-08-16 · CVSS 5.0
CVE-2004-0958 [MEDIUM] CVE-2004-0958 security flaw
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
php_variables.c in PHP before 5.0.2 allows remote attackers to read sensitive memory contents via (1) GET, (2) POST, or (3) COOKIE GPC variables that end in an open bracket character, which causes PHP to calculate an incorrect string length.
Bugzilla · bugzilla · 2007-06-08 · CVSS 2.1
CVE-2007-0958 [LOW] CVE-2007-0958 core-dumping unreadable binaries via PT_INTERP
CVE-2004-1073 is still an issue -- a patched PoC can still cause a coredump of a non-readable binary such as /usr/bin/sudo; PoC attached; the tweak in question is adding:
eph.p_memsz = 4097;
Run "./poc /usr/bin/sudo" and a "core" spits out -- WFM on a 2.6.17.x kernel.
To reproduce, do:
* grab poc at the end of advisory.
* add line "eph.p_memsz = 4096;" after "eph.p_filesz = 4096;" where first "4096" is something equal to or greater than 4096.
* ./poc /usr/bin/sudo && ls -l
Here I get:
-rw------- 1 ad ad 102400 2007-01-15 19:17 core
---s--x--x 2 root root 101820 2007-01-15 19:15 /usr/bin/sudo
Check for MAY_READ as binfmt_misc.c does.
Discussion:
committed in stream rhel‑4.5.z build 55.0.1
---
An advisory has been issued
Bugzilla · bugzilla · 2007-02-23 · CVSS 2.1
CVE-2007-0958 [LOW] CVE-2007-0958 core-dumping unreadable binaries via PT_INTERP
+++ This bug was initially created as a clone of Bug #228886 +++
CVE-2004-1073 is still an issue -- PoC can still cause a coredump of a non-readable binary such as /usr/bin/sudo; PoC attached; the tweak in question is adding:
eph.p_memsz = 4097;
Run "./poc /usr/bin/sudo" and a "core" spits out -- WFM on a 2.6.17.x kernel.
-- Additional comment from [email protected] on 2007-02-15 14:07 EST --
Created an attachment (id=148136)
Proposed upstream patch
-- Additional comment from [email protected] on 2007-02-23 14:04 EST --
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engine
References
- http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0053.html
- http://marc.info/?l=bugtraq&m=109527531130492&w=2
- http://secunia.com/advisories/12560/
- http://securitytracker.com/id?1011279
- http://www.redhat.com/support/errata/RHSA-2004-687.html
- https://bugzilla.fedora.us/show_bug.cgi?id=2344
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17393
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10863