VYPR
Unrated severity · NVD Advisory · Published Dec 31, 2003 · Updated Jun 16, 2026

CVE-2003-1303

Description

Buffer overflow in the imap_fetch_overview function in the IMAP functionality (php_imap.c) in PHP before 4.3.3 allows remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a long e-mail address in a (1) To or (2) From header.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

4
  • PHP/PHP4 versions
    • cpe:2.3:a:php:php:4.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.3.2:*:*:*:*:*:*:*
    • (no CPE) range: <4.3.3

Patches

Vulnerability mechanics

Root cause

"Missing length validation when copying an e-mail address into a fixed 1024-byte buffer in imap_fetch_overview."

Attack vector

An attacker sends an e-mail message with an excessively long address in the To or From header (the reporter demonstrated a ~10 KB address). When the victim's PHP application calls `imap_fetch_overview()` on the mailbox containing that message, the function copies the oversized address into a stack buffer of size `MAILTMPLEN` (1024 bytes) without length checking, causing a buffer overflow [ref_id=1]. This leads to a segmentation fault and could potentially allow arbitrary code execution.

Affected code

The vulnerable function is `imap_fetch_overview` in `ext/imap/php_imap.c` (line 2666 in the 4.3.2 source). The bug is triggered when a very long e-mail address in the To or From header is longer than the fixed-size buffer of `MAILTMPLEN` (1024) bytes, causing a buffer overflow.

What the fix does

The patch (committed in CVS on 2003-06-16) truncates the e-mail address to fit within the `MAILTMPLEN` buffer, similar to the existing truncation already performed in `imap_headerinfo()` [ref_id=1]. By adding a length check before copying, the overflow is prevented and the function no longer crashes on oversized headers.
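The truncate-to-fit approach described above, as an added C sketch; it is not PHP's patch or code from `php_imap.c`. The helper names `copy_address_bounded` and `demo_store_long_address` are hypothetical, and the ~10 KB address is constructed sample input.

```c
#include <stdio.h>
#include <string.h>

#define MAILTMPLEN 1024 /* buffer size named in the advisory */

/* Unsafe pattern, shown only as a comment for contrast: an unbounded copy of
 * header text into a fixed stack buffer.
 *     char address[MAILTMPLEN];
 *     strcpy(address, header_addr);   // overflows when the header is longer
 */

/* Hypothetical helper: copy addr into dst (capacity cap bytes), truncating so
 * the result always fits and is NUL-terminated.
 * Returns 1 if truncated, 0 if copied whole, -1 on invalid arguments. */
int copy_address_bounded(char *dst, size_t cap, const char *addr)
{
    size_t n;

    if (dst == NULL || addr == NULL || cap == 0)
        return -1;
    n = strlen(addr);
    if (n >= cap) {                 /* would not fit with its terminator */
        memcpy(dst, addr, cap - 1);
        dst[cap - 1] = '\0';
        return 1;
    }
    memcpy(dst, addr, n + 1);       /* fits, terminator included */
    return 0;
}

/* Constructed demo: build a ~10 KB address, store it in a MAILTMPLEN buffer,
 * report whether it was truncated and return the stored length. */
size_t demo_store_long_address(int *truncated)
{
    char long_addr[10 * 1024 + 32];
    char address[MAILTMPLEN];
    size_t local = 10 * 1024;

    memset(long_addr, 'a', local);
    strcpy(long_addr + local, "@example.invalid"); /* 16 bytes + NUL fit */
    *truncated = copy_address_bounded(address, sizeof address, long_addr);
    return strlen(address);
}

int main(void)
{
    int t;
    size_t n = demo_store_long_address(&t);
    printf("stored %zu bytes, truncated=%d\n", n, t);
    return 0;
}
```

The return value lets a caller log or flag messages whose address was cut, which is a useful signal that a mailbox is receiving oversized headers.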

Preconditions

  • input: The attacker must be able to send an e-mail message with a To or From header longer than 1024 bytes to a mailbox that the victim will process with `imap_fetch_overview()`.
  • config: The victim's PHP application must call `imap_fetch_overview()` on the mailbox containing the crafted message.

Reproduction

Send an e-mail with a To or From address exceeding ~10 KB (the reporter's example is a ~10 KB address). Call `imap_fetch_overview()` on the mailbox containing that message. PHP will segfault with a stack buffer overflow in `zif_imap_fetch_overview` at `php_imap.c:224` [ref_id=1].

Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
