CVE-2005-3389
Description
The parse_str function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when called with only one parameter, allows remote attackers to enable the register_globals directive via inputs that cause a request to be terminated due to the memory_limit setting, which causes PHP to set an internal flag that enables register_globals and allows attackers to exploit vulnerabilities in PHP applications that would otherwise be protected.
Affected products
- cpe:2.3:a:php:php:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.0.1:patch1:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.0.1:patch2:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.0.3:patch1:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.0.7:rc1:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.0.7:rc2:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.0.7:rc3:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.2:*:dev:*:*:*:*:*
- cpe:2.3:a:php:php:4.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.3.11:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.0.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.0.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.0.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.0.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.0.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.0.5:*:*:*:*:*:*:*
- (no CPE) range: <= 5.0.5
- OSV coordinates (2 versions):
  - pkg:rpm/opensuse/php7&distro=openSUSE%20Tumbleweed (no CPE) range: < 7.4.24-1.1
  - pkg:rpm/opensuse/php8&distro=openSUSE%20Tumbleweed (no CPE) range: < 8.0.11-1.1
Patches
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- secunia.com/advisories/17371 [nvd: Patch, Vendor Advisory]
- www.php.net/release_4_4_1.php [nvd: Patch]
- www.securityfocus.com/bid/15249 [nvd: Patch]
- secunia.com/advisories/17490 [nvd: Vendor Advisory]
- secunia.com/advisories/17510 [nvd: Vendor Advisory]
- secunia.com/advisories/17531 [nvd: Vendor Advisory]
- secunia.com/advisories/17557 [nvd: Vendor Advisory]
- secunia.com/advisories/17559 [nvd: Vendor Advisory]
- secunia.com/advisories/18054 [nvd: Vendor Advisory]
- secunia.com/advisories/18198 [nvd: Vendor Advisory]
- secunia.com/advisories/18669 [nvd: Vendor Advisory]
- secunia.com/advisories/21252 [nvd: Vendor Advisory]
- secunia.com/advisories/22691 [nvd: Vendor Advisory]
- www.hardened-php.net/advisory_192005.78.html [nvd: Vendor Advisory]
- www.vupen.com/english/advisories/2005/2254 [nvd: Vendor Advisory]
- www.vupen.com/english/advisories/2006/4320 [nvd: Vendor Advisory]
- itrc.hp.com/service/cki/docDisplay.do [nvd]
- rhn.redhat.com/errata/RHSA-2006-0549.html [nvd]
- securityreason.com/securityalert/134 [nvd]
- securitytracker.com/id [nvd]
- support.avaya.com/elmodocs2/security/ASA-2006-037.htm [nvd]
- www.fedoralegacy.org/updates/FC2/2005-11-28-FLSA_2005_166943__Updated_php_packages_fix_security_issues.html [nvd]
- www.gentoo.org/security/en/glsa/glsa-200511-08.xml [nvd]
- www.mandriva.com/security/advisories [nvd]
- www.novell.com/linux/security/advisories/2005_27_sr.html [nvd]
- www.openpkg.org/security/OpenPKG-SA-2005.027-php.html [nvd]
- www.redhat.com/support/errata/RHSA-2005-831.html [nvd]
- www.redhat.com/support/errata/RHSA-2005-838.html [nvd]
- www.securityfocus.com/archive/1/415291 [nvd]
- www.securityfocus.com/archive/1/419504/100/0/threaded [nvd]
- www.turbolinux.com/security/2006/TLSA-2006-38.txt [nvd]
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11481 [nvd]
- www.ubuntu.com/usn/usn-232-1/ [nvd]
News mentions
No linked articles in our index yet.