CVE-2005-3319
Description
The apache2handler SAPI (sapi_apache2.c) in the Apache module (mod_php) for PHP 5.x before 5.1.0 final and 4.4 before 4.4.1 final allows attackers to cause a denial of service (segmentation fault) via the session.save_path option in a .htaccess file or VirtualHost.
Affected products
45 entries
- cpe:2.3:a:php:php:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.0.1:patch1:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.0.1:patch2:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.0.3:patch1:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.0.7:rc1:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.0.7:rc2:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.0.7:rc3:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.2:*:dev:*:*:*:*:*
- cpe:2.3:a:php:php:4.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.3.11:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.0:rc3:*:*:*:*:*:*
- (no CPE) range: <5.1.0, <4.4.1
Patches
Vulnerability mechanics
Root cause
"NULL pointer dereference in the apache2handler SAPI output function when session.save_path is set to a non-existent path with safe_mode enabled."
Attack vector
An attacker who can set the `session.save_path` PHP directive — either through a `.htaccess` file (if `AllowOverride` permits `Options` or `All`) or via a `VirtualHost` configuration — can cause Apache to crash with a segmentation fault. The crash is triggered when `safe_mode` is enabled and the specified path does not exist, leading to a NULL pointer dereference in the output handler [ref_id=1]. No authentication is required; the attacker only needs the ability to place a `.htaccess` file or have VirtualHost-level configuration access.
Affected code
The vulnerability resides in the `apache2handler` SAPI, specifically in `sapi/apache2handler/sapi_apache2.c` and `ext/session/session.c`. The crash occurs in `php_apache_sapi_ub_write` (sapi_apache2.c:74) when a NULL pointer is passed, triggered via `OnUpdateSaveDir` in session.c during configuration processing [ref_id=1].
What the fix does
The upstream fix (applied in PHP 5.1.0 final and 4.4.1 final) adds a NULL-pointer check in the `apache2handler` SAPI before the output write function is called, preventing the dereference that causes the segmentation fault [ref_id=1]. The patch was backported to affected Gentoo packages including `dev-lang/php-4.3.11-r3`, `dev-lang/php-4.4.0-r3`, and `dev-lang/php-5.0.4-r3` [ref_id=1]. No patch diff is included in the bundle, but the advisory confirms the fix eliminates the crash.
Preconditions
- config: PHP safe_mode must be enabled (safe_mode = On in php.ini)
- input: Attacker must be able to set session.save_path via .htaccess (AllowOverride Options or All) or VirtualHost php_admin_value
- input: The specified session.save_path must point to a non-existent directory
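A defender's check for the three preconditions above, added here as an example and not taken from the advisory or from PHP: it scans Apache configuration text for `session.save_path` directives whose target directory is missing, on an affected version with `safe_mode` on. The function names and the sample `.htaccess` are constructed for illustration; version matching uses upstream version numbers only and does not recognise distribution backports.

```python
import os
import re

# mod_php directives that set session.save_path (httpd.conf, VirtualHost or .htaccess)
SAVE_PATH_RE = re.compile(
    r'^[ \t]*(php_value|php_admin_value)[ \t]+session\.save_path[ \t]+"?([^"\s]+)"?',
    re.IGNORECASE | re.MULTILINE,
)

def parse_version(text):
    """'5.0.4' -> (5, 0, 4); '5.0rc1' -> (5, 0, 0). Suffixes are dropped here."""
    core = re.match(r"\d+(?:\.\d+)*", text.strip())
    if core is None:
        raise ValueError(f"not a PHP version: {text!r}")
    nums = [int(n) for n in core.group(0).split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def version_affected(version):
    """Ranges from this entry: <4.4.1 and 5.x <5.1.0 (upstream numbering only)."""
    v = parse_version(version)
    if re.search(r"rc|beta|alpha|dev", version, re.I) and v in ((4, 4, 1), (5, 1, 0)):
        return True  # "before ... final": pre-releases of the fixed versions count
    return v < (4, 4, 1) or (5, 0, 0) <= v < (5, 1, 0)

def audit(config_text, php_version, safe_mode_on, path_exists=os.path.isdir):
    """Return (line, directive, path) for each directive meeting all preconditions."""
    findings = []
    if not (safe_mode_on and version_affected(php_version)):
        return findings
    for m in SAVE_PATH_RE.finditer(config_text):
        # session.save_path also accepts "N;/path"; the directory is the last field
        path = m.group(2).split(";")[-1]
        if not path_exists(path):
            line = config_text.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(1).lower(), path))
    return findings

# Constructed sample .htaccess, not taken from the advisory
SAMPLE_HTACCESS = """\
# per-directory PHP settings
php_value session.save_path /nonexistent/example/sessions
php_value session.gc_maxlifetime 1440
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_HTACCESS, "5.0.4", safe_mode_on=True):
        print("session.save_path target missing:", finding)
```

Run it over every file where PHP directives can appear, including `.htaccess` files under directories where `AllowOverride` permits them.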
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
22 entries
- www.us-cert.gov/cas/techalerts/TA06-062A.html (nvd; US Government Resource)
- archives.neohapsis.com/archives/fulldisclosure/2005-10/0491.html (nvd)
- bugs.gentoo.org/show_bug.cgi (nvd)
- docs.info.apple.com/article.html (nvd)
- itrc.hp.com/service/cki/docDisplay.do (nvd)
- lists.apple.com/archives/security-announce/2006/Mar/msg00000.html (nvd)
- marc.info (nvd)
- secunia.com/advisories/17510 (nvd)
- secunia.com/advisories/17557 (nvd)
- secunia.com/advisories/18198 (nvd)
- secunia.com/advisories/19064 (nvd)
- secunia.com/advisories/22691 (nvd)
- securityreason.com/securityalert/525 (nvd)
- www.gentoo.org/security/en/glsa/glsa-200511-08.xml (nvd)
- www.mandriva.com/security/advisories (nvd)
- www.osvdb.org/20491 (nvd)
- www.securityfocus.com/bid/15177 (nvd)
- www.securityfocus.com/bid/16907 (nvd)
- www.vupen.com/english/advisories/2006/0791 (nvd)
- www.vupen.com/english/advisories/2006/4320 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/22844 (nvd)
- www.ubuntu.com/usn/usn-232-1/ (nvd)