Unrated severity · NVD Advisory · Published Mar 8, 2002 · Updated Jun 16, 2026

CVE-2002-0081

Description

Buffer overflows in (1) php_mime_split in PHP 4.1.0, 4.1.1, and 4.0.6 and earlier, and (2) php3_mime_split in PHP 3.0.x allow remote attackers to execute arbitrary code via a multipart/form-data HTTP POST request when file_uploads is enabled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

  • PHP/PHP (5 versions)
    • cpe:2.3:a:php:php:3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.1.1:*:*:*:*:*:*:*
    • (no CPE) range: <=4.1.1 (PHP 4) and <=3.0.x (PHP 3)

Vulnerability mechanics

Root cause

"Buffer overflow in the MIME multipart/form-data parser due to insufficient bounds checking when processing HTTP POST requests."

Attack vector

An attacker sends a crafted `multipart/form-data` HTTP POST request to a PHP-enabled web server. The `php_mime_split` or `php3_mime_split` function contains buffer overflows that are triggered during parsing of the malformed multipart data [ref_id=1]. Successful exploitation allows remote code execution with the privileges of the web server process, or can cause a denial of service [ref_id=1].

Affected code

The vulnerability resides in the `php_mime_split` function (PHP 4.1.0, 4.1.1, 4.0.6 and earlier) and the `php3_mime_split` function (PHP 3.0.x). These functions are responsible for parsing multipart/form-data HTTP POST requests when the `file_uploads` configuration directive is enabled.

What the fix does

The advisory recommends upgrading PHP to a patched version or applying the provided diffs (`rfc1867.c.diff-4.1.x.gz`, `rfc1867.c.diff-4.0.6.gz`, `mime.c.diff-3.0.gz`) [ref_id=1]. As a workaround, setting `file_uploads = Off` in `php.ini` disables file uploads and eliminates the attack surface, though this may not be acceptable for all deployments [ref_id=1].
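As an added example (not code from the advisory or from PHP), the following check combines the affected version ranges listed above with the `file_uploads` workaround to classify a host from its PHP version string and `php.ini` text. The function names and result labels are hypothetical, and the ini parsing is a simplified assumption: `;` starts a comment, the last assignment wins, and an unset directive is treated as On.

```python
import re

def version_in_advisory_range(version):
    """True for the ranges this page lists: PHP 3.0.x and PHP 4 <= 4.1.1."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError("unrecognised PHP version: %r" % version)
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    if major == 3:
        return minor == 0
    if major == 4:
        return (minor, patch) <= (1, 1)
    return False

def file_uploads_enabled(ini_text):
    """Effective file_uploads value from php.ini text (simplified parser)."""
    enabled = True  # assumption: unset means On
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        m = re.fullmatch(r"file_uploads\s*=\s*(.*)", line)
        if not m:
            continue
        value = m.group(1).strip().strip("\"'").lower()
        if value in ("on", "yes", "true"):
            enabled = True
        else:
            # Off/No/False/empty are off; a number is on when non-zero.
            enabled = value.lstrip("-").isdigit() and int(value) != 0
    return enabled

def assess(version, ini_text):
    """Classify a host against this advisory."""
    if not version_in_advisory_range(version):
        return "not-affected"
    if file_uploads_enabled(ini_text):
        return "exposed"
    return "mitigated-by-workaround"

if __name__ == "__main__":
    # Constructed sample: the commented-out line must not count as a setting.
    sample_ini = "[PHP]\nfile_uploads = On\n; file_uploads = Off\n"
    for v in ("3.0.18", "4.0.6", "4.1.1", "4.1.2"):
        print(v, assess(v, sample_ini))
```

A "mitigated-by-workaround" result only reflects the configuration file that was read; the host still runs a version in the affected range until it is upgraded or patched.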

Preconditions

  • config: `file_uploads` must be enabled in `php.ini`
  • network: Attacker must be able to send HTTP POST requests to the server

Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
