ID CVE-2006-4020
Summary scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows context-dependent attackers to execute arbitrary code via a sscanf PHP function call that performs argument swapping, which increments an index past the end of an array and triggers a buffer over-read.
References
Vulnerable Configurations
  • cpe:2.3:a:php:php:4.3.9:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.3.9:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.0:beta1:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:php:php:5.1.2:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:5.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.0:beta4:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.0:beta4:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:5.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:5.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:5.0.0:beta1:*:*:*:*:*:*
    cpe:2.3:a:php:php:5.0.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.3.4:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.0.5:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:5.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:php:php:5.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:php:php:5.0.5:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:5.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.3.6:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:5.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:5.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:5.1.4:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:5.1.4:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.0.7:rc2:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.0.7:rc2:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.3.7:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.3.7:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:5.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:5.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.0.7:rc1:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.0.7:rc1:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.4.2:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.3.2:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.3.11:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.3.11:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.0.3:patch1:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.0.3:patch1:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.0.7:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.3.3:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:5.0:rc3:*:*:*:*:*:*
    cpe:2.3:a:php:php:5.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.4.3:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:5.0.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:php:php:5.0.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:php:php:5.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:5.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.2.3:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:5.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:5.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.0.1:patch1:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.0.1:patch1:*:*:*:*:*:*
  • cpe:2.3:a:php:php:5.0.0:rc3:*:*:*:*:*:*
    cpe:2.3:a:php:php:5.0.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.0:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.0:beta2:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.0.1:patch2:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.0.1:patch2:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.0.6:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:5.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:php:php:5.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.1.2:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:5.0.0:beta3:*:*:*:*:*:*
    cpe:2.3:a:php:php:5.0.0:beta3:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.0.7:rc3:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.0.7:rc3:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.3.1:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.0:beta_4_patch1:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.0:beta_4_patch1:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.3.10:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.3.10:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:5.0.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:php:php:5.0.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.0.4:patch1:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.0.4:patch1:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:5.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:5.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.2:*:dev:*:*:*:*:*
    cpe:2.3:a:php:php:4.2:*:dev:*:*:*:*:*
  • cpe:2.3:a:php:php:4.4.1:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.0:beta3:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.0:beta3:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:5.0.0:beta4:*:*:*:*:*:*
    cpe:2.3:a:php:php:5.0.0:beta4:*:*:*:*:*:*
  • cpe:2.3:a:php:php:5.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:5.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.3.8:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.3.8:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:4.3.5:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:4.3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:php:php:5.0.0:beta2:*:*:*:*:*:*
    cpe:2.3:a:php:php:5.0.0:beta2:*:*:*:*:*:*
CVSS
Base: 4.6 (as of 14-02-2024 - 01:17)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:L/AC:L/Au:N/C:P/I:P/A:P
oval via4
accepted 2013-04-29T04:11:12.491-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows context-dependent attackers to execute arbitrary code via a sscanf PHP function call that performs argument swapping, which increments an index past the end of an array and triggers a buffer over-read.
family unix
id oval:org.mitre.oval:def:11062
status accepted
submitted 2010-07-09T03:56:16-04:00
title scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows context-dependent attackers to execute arbitrary code via a sscanf PHP function call that performs argument swapping, which increments an index past the end of an array and triggers a buffer over-read.
version 29
redhat via4
advisories
  • rhsa
    id RHSA-2006:0669
  • rhsa
    id RHSA-2006:0682
  • rhsa
    id RHSA-2006:0688
  • rhsa
    id RHSA-2006:0736
rpms
  • php-0:4.3.2-36.ent
  • php-0:4.3.9-3.18
  • php-debuginfo-0:4.3.2-36.ent
  • php-debuginfo-0:4.3.9-3.18
  • php-devel-0:4.3.2-36.ent
  • php-devel-0:4.3.9-3.18
  • php-domxml-0:4.3.9-3.18
  • php-gd-0:4.3.9-3.18
  • php-imap-0:4.3.2-36.ent
  • php-imap-0:4.3.9-3.18
  • php-ldap-0:4.3.2-36.ent
  • php-ldap-0:4.3.9-3.18
  • php-mbstring-0:4.3.9-3.18
  • php-mysql-0:4.3.2-36.ent
  • php-mysql-0:4.3.9-3.18
  • php-ncurses-0:4.3.9-3.18
  • php-odbc-0:4.3.2-36.ent
  • php-odbc-0:4.3.9-3.18
  • php-pear-0:4.3.9-3.18
  • php-pgsql-0:4.3.2-36.ent
  • php-pgsql-0:4.3.9-3.18
  • php-snmp-0:4.3.9-3.18
  • php-xmlrpc-0:4.3.9-3.18
  • php-0:5.1.4-1.el4s1.4
  • php-bcmath-0:5.1.4-1.el4s1.4
  • php-dba-0:5.1.4-1.el4s1.4
  • php-debuginfo-0:5.1.4-1.el4s1.4
  • php-devel-0:5.1.4-1.el4s1.4
  • php-gd-0:5.1.4-1.el4s1.4
  • php-imap-0:5.1.4-1.el4s1.4
  • php-ldap-0:5.1.4-1.el4s1.4
  • php-mbstring-0:5.1.4-1.el4s1.4
  • php-mysql-0:5.1.4-1.el4s1.4
  • php-ncurses-0:5.1.4-1.el4s1.4
  • php-odbc-0:5.1.4-1.el4s1.4
  • php-pdo-0:5.1.4-1.el4s1.4
  • php-pgsql-0:5.1.4-1.el4s1.4
  • php-snmp-0:5.1.4-1.el4s1.4
  • php-soap-0:5.1.4-1.el4s1.4
  • php-xml-0:5.1.4-1.el4s1.4
  • php-xmlrpc-0:5.1.4-1.el4s1.4
refmap via4
bid 19415
bugtraq 20060804 php local buffer underflow could lead to arbitary code execution
confirm
gentoo GLSA-200608-28
mandriva MDKSA-2006:144
misc http://www.plain-text.info/sscanf_bug.txt
sectrack 1016984
secunia
  • 21403
  • 21467
  • 21546
  • 21608
  • 21683
  • 21768
  • 21847
  • 22004
  • 22039
  • 22069
  • 22440
  • 22487
  • 22538
  • 23247
sgi 20061001-01-P
sreason 1341
suse
  • SUSE-SA:2006:052
  • SUSE-SR:2006:019
  • SUSE-SR:2006:020
  • SUSE-SR:2006:022
ubuntu USN-342-1
vupen ADV-2006-3193
Last major update 14-02-2024 - 01:17
Published 08-08-2006 - 20:04
Last modified 14-02-2024 - 01:17
Back to Top