fkie_cve-2008-3660
Vulnerability from fkie_nvd
Published
2008-08-15 00:41
Modified
2025-04-09 00:30
Severity ?
Summary
PHP 4.4.x before 4.4.9, and 5.x through 5.2.6, when used as a FastCGI module, allows remote attackers to cause a denial of service (crash) via a request with multiple dots preceding the extension, as demonstrated using foo..php.
References
cve@mitre.orghttp://bugs.gentoo.org/show_bug.cgi?id=234102
cve@mitre.orghttp://lists.apple.com/archives/security-announce/2009/May/msg00002.html
cve@mitre.orghttp://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html
cve@mitre.orghttp://marc.info/?l=bugtraq&m=124654546101607&w=2
cve@mitre.orghttp://marc.info/?l=bugtraq&m=124654546101607&w=2
cve@mitre.orghttp://marc.info/?l=bugtraq&m=125631037611762&w=2
cve@mitre.orghttp://marc.info/?l=bugtraq&m=125631037611762&w=2
cve@mitre.orghttp://secunia.com/advisories/31982
cve@mitre.orghttp://secunia.com/advisories/32148
cve@mitre.orghttp://secunia.com/advisories/32746
cve@mitre.orghttp://secunia.com/advisories/35074
cve@mitre.orghttp://secunia.com/advisories/35306
cve@mitre.orghttp://secunia.com/advisories/35650
cve@mitre.orghttp://security.gentoo.org/glsa/glsa-200811-05.xml
cve@mitre.orghttp://support.apple.com/kb/HT3549
cve@mitre.orghttp://wiki.rpath.com/Advisories:rPSA-2009-0035
cve@mitre.orghttp://www.debian.org/security/2008/dsa-1647
cve@mitre.orghttp://www.mandriva.com/security/advisories?name=MDVSA-2009:021
cve@mitre.orghttp://www.mandriva.com/security/advisories?name=MDVSA-2009:022
cve@mitre.orghttp://www.mandriva.com/security/advisories?name=MDVSA-2009:023
cve@mitre.orghttp://www.mandriva.com/security/advisories?name=MDVSA-2009:024
cve@mitre.orghttp://www.openwall.com/lists/oss-security/2008/08/08/2
cve@mitre.orghttp://www.openwall.com/lists/oss-security/2008/08/13/8
cve@mitre.orghttp://www.redhat.com/support/errata/RHSA-2009-0350.html
cve@mitre.orghttp://www.securityfocus.com/archive/1/501376/100/0/threaded
cve@mitre.orghttp://www.securitytracker.com/id?1020994
cve@mitre.orghttp://www.us-cert.gov/cas/techalerts/TA09-133A.htmlUS Government Resource
cve@mitre.orghttp://www.vupen.com/english/advisories/2008/2336
cve@mitre.orghttp://www.vupen.com/english/advisories/2009/1297
cve@mitre.orghttps://exchange.xforce.ibmcloud.com/vulnerabilities/44402
cve@mitre.orghttps://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9597
cve@mitre.orghttps://www.redhat.com/archives/fedora-package-announce/2009-May/msg01451.html
cve@mitre.orghttps://www.redhat.com/archives/fedora-package-announce/2009-May/msg01465.html
af854a3a-2127-422b-91ae-364da2661108http://bugs.gentoo.org/show_bug.cgi?id=234102
af854a3a-2127-422b-91ae-364da2661108http://lists.apple.com/archives/security-announce/2009/May/msg00002.html
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html
af854a3a-2127-422b-91ae-364da2661108http://marc.info/?l=bugtraq&m=124654546101607&w=2
af854a3a-2127-422b-91ae-364da2661108http://marc.info/?l=bugtraq&m=124654546101607&w=2
af854a3a-2127-422b-91ae-364da2661108http://marc.info/?l=bugtraq&m=125631037611762&w=2
af854a3a-2127-422b-91ae-364da2661108http://marc.info/?l=bugtraq&m=125631037611762&w=2
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/31982
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/32148
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/32746
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/35074
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/35306
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/35650
af854a3a-2127-422b-91ae-364da2661108http://security.gentoo.org/glsa/glsa-200811-05.xml
af854a3a-2127-422b-91ae-364da2661108http://support.apple.com/kb/HT3549
af854a3a-2127-422b-91ae-364da2661108http://wiki.rpath.com/Advisories:rPSA-2009-0035
af854a3a-2127-422b-91ae-364da2661108http://www.debian.org/security/2008/dsa-1647
af854a3a-2127-422b-91ae-364da2661108http://www.mandriva.com/security/advisories?name=MDVSA-2009:021
af854a3a-2127-422b-91ae-364da2661108http://www.mandriva.com/security/advisories?name=MDVSA-2009:022
af854a3a-2127-422b-91ae-364da2661108http://www.mandriva.com/security/advisories?name=MDVSA-2009:023
af854a3a-2127-422b-91ae-364da2661108http://www.mandriva.com/security/advisories?name=MDVSA-2009:024
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2008/08/08/2
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2008/08/13/8
af854a3a-2127-422b-91ae-364da2661108http://www.redhat.com/support/errata/RHSA-2009-0350.html
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/archive/1/501376/100/0/threaded
af854a3a-2127-422b-91ae-364da2661108http://www.securitytracker.com/id?1020994
af854a3a-2127-422b-91ae-364da2661108http://www.us-cert.gov/cas/techalerts/TA09-133A.htmlUS Government Resource
af854a3a-2127-422b-91ae-364da2661108http://www.vupen.com/english/advisories/2008/2336
af854a3a-2127-422b-91ae-364da2661108http://www.vupen.com/english/advisories/2009/1297
af854a3a-2127-422b-91ae-364da2661108https://exchange.xforce.ibmcloud.com/vulnerabilities/44402
af854a3a-2127-422b-91ae-364da2661108https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9597
af854a3a-2127-422b-91ae-364da2661108https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01451.html
af854a3a-2127-422b-91ae-364da2661108https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01465.html
Impacted products
Vendor Product Version
php php 4.4.0
php php 4.4.1
php php 4.4.2
php php 4.4.3
php php 4.4.4
php php 4.4.5
php php 4.4.6
php php 4.4.7
php php 4.4.8
php php 5.2.0
php php 5.2.1
php php 5.2.2
php php 5.2.3
php php 5.2.4
php php 5.2.5
php php 5.2.6


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:php:php:4.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "78B7BA75-2A32-4A8E-ADF8-BCB4FC48CB5C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:4.4.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "2BEA491B-77FD-4760-8F6F-3EBC6BD810D9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:4.4.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "BB25CFBB-347C-479E-8853-F49DD6CBD7D4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:4.4.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "4D2937B3-D034-400E-84F5-33833CE3764D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:4.4.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "71AEE8B4-FCF8-483B-8D4C-2E80A02E925E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:4.4.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "4C2AF1D9-33B6-4B2C-9269-426B6B720164",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:4.4.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "84B70263-37AA-4539-A286-12038A3792C6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:4.4.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "2E46E4B4-808C-4B47-81D9-EC2B02A5E57B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:4.4.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "6FF30D7F-353B-4496-9A89-4EF2BB279E0A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:5.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "CD02D837-FD28-4E0F-93F8-25E8D1C84A99",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:5.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "88358D1E-BE6F-4CE3-A522-83D1FA4739E3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:5.2.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "D8B97B03-7DA7-4A5F-89B4-E78CAB20DE17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:5.2.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "86767200-6C9C-4C3E-B111-0E5BE61E197B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:5.2.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "B00B416D-FF23-4C76-8751-26D305F0FA0F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:5.2.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "CCB6CDDD-70D3-4004-BCE0-8C4723076103",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:5.2.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "A782CA26-9C38-40A8-92AE-D47B14D2FCE3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "PHP 4.4.x before 4.4.9, and 5.x through 5.2.6, when used as a FastCGI module, allows remote attackers to cause a denial of service (crash) via a request with multiple dots preceding the extension, as demonstrated using foo..php."
    },
    {
      "lang": "es",
      "value": "PHP 4.4.x en versiones anteriores a PHP 4.4.9 y 5.2.6 a trav\u00e9s de 5.6, cuando se utiliza como un m\u00f3dulo FastCGI, permite a atacantes remotos provocar una denegaci\u00f3n de servicio (con caida de la aplicaci\u00f3n) a trav\u00e9s de una solicitud con varios puntos precediendo a la extensi\u00f3n, como se demuestra usando foo..php."
    }
  ],
  "evaluatorComment": "Overview contains a typo, should read \"PHP 5.2 through 5.2.6\" not \"5.6 through 5.2.6\".",
  "id": "CVE-2008-3660",
  "lastModified": "2025-04-09T00:30:58.490",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2008-08-15T00:41:00.000",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://bugs.gentoo.org/show_bug.cgi?id=234102"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://lists.apple.com/archives/security-announce/2009/May/msg00002.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://marc.info/?l=bugtraq\u0026m=124654546101607\u0026w=2"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://marc.info/?l=bugtraq\u0026m=124654546101607\u0026w=2"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://marc.info/?l=bugtraq\u0026m=125631037611762\u0026w=2"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://marc.info/?l=bugtraq\u0026m=125631037611762\u0026w=2"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/31982"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/32148"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/32746"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/35074"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/35306"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/35650"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://security.gentoo.org/glsa/glsa-200811-05.xml"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://support.apple.com/kb/HT3549"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://wiki.rpath.com/Advisories:rPSA-2009-0035"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.debian.org/security/2008/dsa-1647"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:021"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:022"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:023"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:024"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.openwall.com/lists/oss-security/2008/08/08/2"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.openwall.com/lists/oss-security/2008/08/13/8"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.redhat.com/support/errata/RHSA-2009-0350.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/archive/1/501376/100/0/threaded"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securitytracker.com/id?1020994"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "US Government Resource"
      ],
      "url": "http://www.us-cert.gov/cas/techalerts/TA09-133A.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.vupen.com/english/advisories/2008/2336"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.vupen.com/english/advisories/2009/1297"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44402"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9597"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01451.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01465.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://bugs.gentoo.org/show_bug.cgi?id=234102"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.apple.com/archives/security-announce/2009/May/msg00002.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://marc.info/?l=bugtraq\u0026m=124654546101607\u0026w=2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://marc.info/?l=bugtraq\u0026m=124654546101607\u0026w=2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://marc.info/?l=bugtraq\u0026m=125631037611762\u0026w=2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://marc.info/?l=bugtraq\u0026m=125631037611762\u0026w=2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/31982"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/32148"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/32746"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/35074"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/35306"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/35650"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://security.gentoo.org/glsa/glsa-200811-05.xml"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://support.apple.com/kb/HT3549"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://wiki.rpath.com/Advisories:rPSA-2009-0035"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.debian.org/security/2008/dsa-1647"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:021"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:022"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:023"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:024"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2008/08/08/2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2008/08/13/8"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.redhat.com/support/errata/RHSA-2009-0350.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/archive/1/501376/100/0/threaded"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securitytracker.com/id?1020994"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "US Government Resource"
      ],
      "url": "http://www.us-cert.gov/cas/techalerts/TA09-133A.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.vupen.com/english/advisories/2008/2336"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.vupen.com/english/advisories/2009/1297"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44402"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9597"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01451.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01465.html"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.