PHP
by PHP
CVEs (730)
| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2002-2214 | 0.00 | — | 0.02 | Dec 31, 2002 | The php_if_imap_mime_header_decode function in the IMAP functionality in PHP before 4.2.2 allows remote attackers to cause a denial of service (crash) via an e-mail header with a long "To" header. |
| CVE-2002-2215 | 0.00 | — | 0.01 | Dec 31, 2002 | The imap_header function in the IMAP functionality for PHP before 4.3.0 allows remote attackers to cause a denial of service via an e-mail message with a large number of "To" addresses, which triggers an error in the rfc822_write_address function. |
| CVE-2002-0986 | 0.00 | — | 0.03 | Sep 24, 2002 | The mail function in PHP 4.x to 4.2.2 does not filter ASCII control characters from its arguments, which could allow remote attackers to modify mail message content, including mail headers, and possibly use PHP as a "spam proxy." |
| CVE-2002-0985 | 0.00 | — | 0.03 | Sep 24, 2002 | Argument injection vulnerability in the mail function for PHP 4.x to 4.2.2 may allow attackers to bypass safe mode restrictions and modify command line arguments to the MTA (e.g. sendmail) in the 5th argument to mail(), altering MTA behavior and possibly executing commands. |
| CVE-2002-0253 | 0.00 | — | 0.05 | May 29, 2002 | PHP, when not configured with the "display_errors = Off" setting in php.ini, allows remote attackers to obtain the physical path for an include file via a trailing slash in a request to a directly accessible PHP program, which modifies the base path, causes the include directive… |
| CVE-2002-0121 | 0.00 | — | 0.01 | Mar 25, 2002 | PHP 4.0 through 4.1.1 stores session IDs in temporary files whose name contains the session ID, which allows local users to hijack web connections. |
| CVE-2001-0108 | 0.00 | — | 0.02 | Mar 12, 2001 | PHP Apache module 4.0.4 and earlier allows remote attackers to bypass .htaccess access restrictions via a malformed HTTP request on an unrestricted page that causes PHP to use those access controls on the next page that is requested. |
| CVE-2001-1385 | 0.00 | — | 0.02 | Jan 12, 2001 | The Apache module for PHP 4.0.0 through PHP 4.0.4, when disabled with the 'engine = off' option for a virtual host, may disable PHP for other virtual hosts, which could cause Apache to serve the source code of PHP scripts. |
| CVE-2000-0860 | 0.00 | — | 0.03 | Nov 14, 2000 | The file upload capability in PHP versions 3 and 4 allows remote attackers to read arbitrary files by setting hidden form fields whose names match the names of internal PHP script variables. |
| CVE-1999-0058 | 0.00 | — | 0.02 | Apr 17, 1997 | Buffer overflow in PHP cgi program, php.cgi allows shell access. |