cbcvebase.
CVE-2005-3390
published 2005-11-01

CVE-2005-3390: The RFC1867 file upload feature in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when register_globals is enabled, allows remote attackers to modify the GLOBALS…

PriorityP260high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
65.51%
99.2th percentile
The RFC1867 file upload feature in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when register_globals is enabled, allows remote attackers to modify the GLOBALS array and bypass security protections of PHP applications via a multipart/form-data POST request with a "GLOBALS" fileupload field.

Affected

55 ranges· showing 25
VendorProductVersion rangeFixed in
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp

Detection & IOCsextracted from sources · hover to see the quote

pathe107_handlers/tiny_mce/plugins/ibrowser/ibrowser.php
  • Detect multipart/form-data POST requests containing a file upload field named 'GLOBALS', which is the core exploitation mechanism for this CVE.
  • Monitor POST requests targeting e107 CMS path 'e107_handlers/tiny_mce/plugins/ibrowser/ibrowser.php' as a known exploitation target for this vulnerability.
  • Look for the MIME boundary string '-----------------------------7d529a1d23092a' in HTTP request bodies as a fingerprint of this specific exploit.
  • Flag PHP environments where register_globals is enabled (register_globals=on), as exploitation of this CVE requires that configuration.
  • ·This vulnerability is only exploitable when PHP's register_globals directive is enabled. Systems with register_globals=off are not affected.
  • ·Affected versions are PHP 4.x up to and including 4.4.0 and PHP 5.x up to and including 5.0.5. The exploit PoC also notes the check: 'register_globals=off here or wrong PHP version'.

CVSS provenance

nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat7.5HIGH
vendor_ubuntu2.1LOW
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.