CVE-2006-4020
Published 2006-08-08
Priority P4 · 27 · medium · 4.6 (CVSS 2.0)
AV:L/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 1.54% (71.8th percentile)
scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows context-dependent attackers to execute arbitrary code via a sscanf PHP function call that performs argument swapping, which increments an index past the end of an array and triggers a buffer over-read.
Affected
44 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| php | php | — | — |
CVSS provenance
nvd · v2.0 · 4.6 MEDIUM · AV:L/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat · 4.6 MEDIUM
vendor_ubuntu · 4.6 MEDIUM
Ubuntu
PHP vulnerabilities
vendor_ubuntu·2006-09-07·CVSS 4.6
CVE-2006-4020 [MEDIUM] PHP vulnerabilities
The sscanf() function did not properly check array boundaries. In
applications which use sscanf() with argument swapping, a remote attacker
could potentially exploit this to crash the affected web application
or even execute arbitrary code with the application's privileges.
(CVE-2006-4020)
The file_exists() and imap_reopen() functions did not perform
proper open_basedir and safe_mode checks which could allow local
scripts to bypass intended restrictions. (CVE-2006-4481)
On 64 bit systems the str_repeat() and wordwrap() functions did not
properly check buffer boundaries. Depending on the application, this
could potentially be exploited to execute arbitrary code with the
applications' privileges. This only affects the amd64 and spar
Red Hat
security flaw
vendor_redhat·2006-08-04·CVSS 4.6
CVE-2006-4020 [MEDIUM] security flaw
scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows context-dependent attackers to execute arbitrary code via a sscanf PHP function call that performs argument swapping, which increments an index past the end of an array and triggers a buffer over-read.
GHSA
GHSA-ccmc-8626-x545: scanf
ghsa_unreviewed·2022-05-03
CVE-2006-4020 [MEDIUM] GHSA-ccmc-8626-x545: scanf
scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows context-dependent attackers to execute arbitrary code via a sscanf PHP function call that performs argument swapping, which increments an index past the end of an array and triggers a buffer over-read.
No detection rules found.
Bugzilla
CVE-2006-4020 security flaw
bugzilla·2018-08-16·CVSS 4.6
CVE-2006-4020 [MEDIUM] CVE-2006-4020 security flaw
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows context-dependent attackers to execute arbitrary code via a sscanf PHP function call that performs argument swapping, which increments an index past the end of an array and triggers a buffer over-read.
Bugzilla
CVE-2006-4020 PHP security issues (CVE-2006-4482 CVE-2006-4484 CVE-2006-4485 CVE-2006-4486)
bugzilla·2006-09-19·CVSS 4.6
CVE-2006-4020 [MEDIUM] CVE-2006-4020 PHP security issues (CVE-2006-4482 CVE-2006-4484 CVE-2006-4485 CVE-2006-4486)
Description of problem:
The following issues affect the PHP package:
CVE-2006-4486 PHP integer overflows in Zend
CVE-2006-4485 PHP buffer overread in str_ipos
CVE-2006-4482 PHP heap overflow in wordwrap/str_repeat
CVE-2006-4020 PHP sscanf buffer overflow
CVE-2006-4484 PHP heap overflow in LWZReadByte
Version-Release number of selected component (if applicable):
php-5.1.4-1.el4s1.2
Discussion:
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solutio
Bugzilla
CVE-2006-4020 PHP buffer overread flaw
bugzilla·2006-09-18·CVSS 4.6
CVE-2006-4020 [MEDIUM] CVE-2006-4020 PHP buffer overread flaw
+++ This bug was initially created as a clone of Bug #201766 +++
PHP buffer overflow flaw
A buffer overflow flaw was found in the way PHP executes an argument
swap via the sscanf function. The below URLs contain more
information.
http://bugs.php.net/bug.php?id=38322
http://www.securityfocus.com/archive/1/442438/30/0/threaded
http://bugs.gentoo.org/show_bug.cgi?id=143126
This issue also affects RHEL3
This issue also affects RHEL2.1
-- Additional comment from [email protected] on 2006-08-09 08:35 EST --
The upstream patch is here:
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/scanf.c?r1=1.31.2.2&r2=1.31.2.2.2.1
Discussion:
An advisory has been issued which should help the problem
described in this bug report. This report is therefore bei
Bugzilla
CVE-2006-4020 PHP buffer overflow flaw
bugzilla·2006-08-15·CVSS 4.6
CVE-2006-4020 [MEDIUM] CVE-2006-4020 PHP buffer overflow flaw
For FC6
+++ This bug was initially created as a clone of Bug #201767 +++
PHP buffer overflow flaw
A buffer overflow flaw was found in the way PHP executes an argument
swap via the sscanf function. The below URLs contain more
information.
http://bugs.php.net/bug.php?id=38322
http://www.securityfocus.com/archive/1/442438/30/0/threaded
http://bugs.gentoo.org/show_bug.cgi?id=143126
-- Additional comment from [email protected] on 2006-08-09 08:35 EST --
The upstream patch is here:
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/scanf.c?r1=1.31.2.2&r2=1.31.2.2.2.1
Discussion:
Fixed for FC6 GA.
Bugzilla
CVE-2006-4020 PHP buffer overread flaw
bugzilla·2006-08-08·CVSS 4.6
CVE-2006-4020 [MEDIUM] CVE-2006-4020 PHP buffer overread flaw
PHP buffer overflow flaw
A buffer overflow flaw was found in the way PHP executes an argument
swap via the sscanf function. The below URLs contain more
information.
http://bugs.php.net/bug.php?id=38322
http://www.securityfocus.com/archive/1/442438/30/0/threaded
http://bugs.gentoo.org/show_bug.cgi?id=143126
This issue also affects RHEL3
This issue also affects RHEL2.1
Discussion:
The upstream patch is here:
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/scanf.c?r1=1.31.2.2&r2=1.31.2.2.2.1
---
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the l
Bugzilla
CVE-2006-4020 PHP buffer overflow flaw
bugzilla·2006-08-08·CVSS 4.6
CVE-2006-4020 [MEDIUM] CVE-2006-4020 PHP buffer overflow flaw
PHP buffer overflow flaw
A buffer overflow flaw was found in the way PHP executes an argument
swap via the sscanf function. The below URLs contain more
information.
http://bugs.php.net/bug.php?id=38322
http://www.securityfocus.com/archive/1/442438/30/0/threaded
http://bugs.gentoo.org/show_bug.cgi?id=143126
Discussion:
The upstream patch is here:
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/scanf.c?r1=1.31.2.2&r2=1.31.2.2.2.1
---
Fixed in FEDORA-2006-1024:
http://www.redhat.com/archives/fedora-package-announce/2006-October/msg00028.html