| ID |
CVE-2007-3205
|
| Summary |
The parse_str function in (1) PHP, (2) Hardened-PHP, and (3) Suhosin, when called without a second parameter, might allow remote attackers to overwrite arbitrary variables by specifying variable names and values in the string to be parsed. NOTE: it is not clear whether this is a design limitation of the function or a bug in PHP, although it is likely to be regarded as a bug in Hardened-PHP and Suhosin. |
| References |
|
| Vulnerable Configurations |
-
cpe:2.3:a:hardened-php_project:hardened-php:*:*:*:*:*:*:*:*
cpe:2.3:a:hardened-php_project:hardened-php:*:*:*:*:*:*:*:*
-
cpe:2.3:a:hardened-php_project:subhosin:*:*:*:*:*:*:*:*
cpe:2.3:a:hardened-php_project:subhosin:*:*:*:*:*:*:*:*
-
cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
|
| CVSS |
| Base: | 5.0 (as of 16-10-2018 - 16:47) |
| Impact: | |
| Exploitability: | |
|
| CWE |
NVD-CWE-Other |
| CAPEC |
|
| Access |
| Vector | Complexity | Authentication |
| NETWORK |
LOW |
NONE |
|
| Impact |
| Confidentiality | Integrity | Availability |
| NONE |
PARTIAL |
NONE |
|
| cvss-vector
via4
|
AV:N/AC:L/Au:N/C:N/I:P/A:N
|
| refmap
via4
|
| bugtraq | - 20070612 PHP parse_str() arbitrary variable overwrite
- 20070612 Re: PHP parse_str() arbitrary variable overwrite
- 20070613 Re: PHP parse_str() arbitrary variable overwrite
| | misc | http://www.acid-root.new.fr/advisories/14070612.txt | | osvdb | 39834 | | sreason | 2800 | | xf | php-parsestr-code-execution(34836) |
|
| statements
via4
|
| contributor | Mark J Cox | | lastmodified | 2007-06-26 | | organization | Red Hat | | statement | This is not a security vulnerability: it is the expected behaviour of parse_str when used without a second parameter. |
|
| Last major update |
16-10-2018 - 16:47 |
| Published |
13-06-2007 - 10:30 |
| Last modified |
16-10-2018 - 16:47 |
