CVE-2004-1018
Published: 2005-01-10
CVE-2004-1018: Multiple integer handling errors in PHP before 4.3.10 allow attackers to bypass safe mode restrictions, cause a denial of service, or execute arbitrary code…
Priority P3 · 46 · critical 10 · CVSS 2.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 16.16% (96.5th percentile)
Multiple integer handling errors in PHP before 4.3.10 allow attackers to bypass safe mode restrictions, cause a denial of service, or execute arbitrary code via (1) a negative offset value to the shmop_write function, (2) an "integer overflow/underflow" in the pack function, or (3) an "integer overflow/underflow" in the unpack function. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute. This candidate may change significantly in the future as a result of further discussion.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| php | php | < 4.3.10 | 4.3.10 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vendor_redhat | — | 10.0 | CRITICAL | — |
Ubuntu
PHP4 vulnerabilities
vendor_ubuntu·2005-03-18
CVE-2004-1018 PHP4 vulnerabilities
Stefano Di Paola discovered integer overflows in PHP's pack() and unpack() functions. A malicious PHP script could exploit these to break out of safe mode and execute arbitrary code with the privileges of the PHP interpreter. (CAN-2004-1018)
Note: The second part of CAN-2004-1018 (buffer overflow in the shmop_write() function) was already fixed in USN-66-1.
Stefan Esser discovered two safe mode bypasses which allowed malicious PHP scripts to circumvent path restrictions. This was possible by either using virtual_popen() with a current directory containing shell metacharacters (CAN-2004-1063) or creating a specially crafted directory whose length exceeded the capacity of the realpath() function (CAN-2004-1064).
Instructions: In
Red Hat
security flaw
vendor_redhat·2004-12-15·CVSS 10.0
CVE-2004-1018 [CRITICAL] security flaw
GHSA
GHSA-qgcx-fh28-73fm: Multiple integer handling errors in PHP before 4
ghsa_unreviewed·2022-04-29
CVE-2004-1018 [HIGH] GHSA-qgcx-fh28-73fm: Multiple integer handling errors in PHP before 4
No detection rules found.
Exploit-DB
PHP 3/4/5 - Multiple Local/Remote Vulnerabilities (1)
exploitdb·2004-12-15
CVE-2004-1018 PHP 3/4/5 - Multiple Local/Remote Vulnerabilities (1)
---
source: https://www.securityfocus.com/bid/11964/info
PHP4 and PHP5 are reported prone to multiple local and remote vulnerabilities that may lead to code execution within the context of the vulnerable process. The following specific issues are reported:
A heap-based buffer overflow is reported to affect the PHP 'pack()' function call. An attacker that has the ability to make the PHP interpreter run a malicious script may exploit this condition to execute arbitrary instructions in the context of the vulnerable process.
A heap-based memory disclosure vulnerability is reported to affect the PHP 'unpack()' function call. An attacker that has the ability to make the PHP interpreter run a malicious script may exploit this condition to
Exploit-DB
PHP 3/4/5 - Multiple Local/Remote Vulnerabilities (2)
exploitdb·2004-12-15
CVE-2004-1018 PHP 3/4/5 - Multiple Local/Remote Vulnerabilities (2)
Bugzilla
CVE-2004-1018 security flaw
bugzilla·2018-08-16·CVSS 10.0
CVE-2004-1018 [CRITICAL] CVE-2004-1018 security flaw
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Bugzilla
CVE-2004-0595 PHP flaws (CVE-2004-0594 CVE-2004-1018 CVE-2004-1019)
bugzilla·2005-10-25·CVSS 5.1
CVE-2004-0595 [MEDIUM] CVE-2004-0595 PHP flaws (CVE-2004-0594 CVE-2004-1018 CVE-2004-1019)
Multiple flaws in Stronghold 4.0 PHP
A flaw in the strip_tags function in PHP, commonly used by PHP scripts to prevent cross-site scripting attacks by removing HTML tags from user-supplied form data. HTML tags can, in some cases, be passed intact through the strip_tags function, which may allow a cross-site scripting attack. (CVE-2004-0595)
A flaw if the memory_limit configuration setting is enabled in PHP. If a remote attacker could force the PHP interpreter to allocate more memory than the memory_limit setting before script execution begins, then the attacker may be able to supply the contents of a PHP hash table remotely. This hash table could then be used to execute arbitrary code in the context of the server. (CVE-
References
- http://marc.info/?l=bugtraq&m=110314318531298&w=2
- http://www.hardened-php.net/advisories/012004.txt
- http://www.mandriva.com/security/advisories?name=MDKSA-2004:151
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:072
- http://www.osvdb.org/12411
- http://www.php.net/release_4_3_10.php
- http://www.redhat.com/support/errata/RHSA-2005-032.html
- http://www.redhat.com/support/errata/RHSA-2005-816.html
- http://www.securityfocus.com/advisories/9028
- http://www.securityfocus.com/archive/1/384920
- http://www.securityfocus.com/bid/12045
- https://bugzilla.fedora.us/show_bug.cgi?id=2344
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18515
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10949
- https://www.ubuntu.com/usn/usn-99-1/