Launchpad.net

CVE 2007-1583

The mb_parse_str function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 sets the internal register_globals flag and does not disable it in certain cases when a script terminates, which allows remote attackers to invoke available PHP scripts with register_globals functionality that is not detectable by these scripts, as demonstrated by forcing a memory_limit violation.

See the

CVE page on Mitre.org for more details.

References

MISC: http://www.php-securit...
BID: 23016
REDHAT: RHSA-2007:0155
SECUNIA: 24924
CONFIRM: https://issues.rpath.c...
REDHAT: RHSA-2007:0153
SECUNIA: 24965
SECUNIA: 24945
REDHAT: RHSA-2007:0162
DEBIAN: DSA-1283
UBUNTU: USN-455-1
SECUNIA: 25062
CONFIRM: http://us2.php.net/rel...
CONFIRM: http://us2.php.net/rel...
SECUNIA: 25057
SECUNIA: 24909
SUSE: SUSE-SA:2007:032
SECUNIA: 25056
GENTOO: GLSA-200705-19
SECUNIA: 25445
CONFIRM: http://docs.info.apple...
APPLE: APPLE-SA-2007-07-31
BID: 25159
SECUNIA: 26235
MANDRIVA: MDKSA-2007:088
MANDRIVA: MDKSA-2007:089
MANDRIVA: MDKSA-2007:090
VUPEN: ADV-2007-2732
OVAL: oval:org.mitre.oval:de...
BUGTRAQ: 20070418 rPSA-2007-007...

Launchpad.net

CVE 2007-1583

Related bugs

References