PHP FastCGI Module Request Processing Bug Lets Remote Users Deny Service
SecurityTracker Alert ID: 1020994
SecurityTracker URL: http://securitytracker.com/id?1020994
CVE Reference: CVE-2008-3660
Date: Oct 7 2008
Impact: Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 4.4.x prior to 4.4.9; 5.6 - 5.2.6
Description: A vulnerability was reported in PHP when used as a FastCGI module. A remote user can cause denial of service conditions.
A remote user can send a specially crafted request for a script name with multiple dots preceding the extension (e.g., 'foo..php') to cause the target
service to crash.
[Editor's note: This vulnerability was originally corrected by the vendor in August 2008.]
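The trigger described above is visible in ordinary web server access logs, so a defender can hunt for it before or after patching. The following is an added example, not code from SecurityTracker or from the PHP project: it parses Common Log Format lines and flags requests whose final path component has two or more consecutive dots immediately before its extension (the 'foo..php' shape). The log lines are constructed for the example; the percent-decoding of the path before the check is an assumption about how the front end normalizes requests (a single decode pass), not something the advisory states.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [07/Oct/2008:09:12:57 -0400] "GET /index.php HTTP/1.1" 200 512
192.0.2.11 - - [07/Oct/2008:09:13:01 -0400] "GET /foo..php HTTP/1.1" 500 0
192.0.2.12 - - [07/Oct/2008:09:13:05 -0400] "GET /app/report...php?id=1 HTTP/1.1" 500 0
192.0.2.13 - - [07/Oct/2008:09:13:09 -0400] "GET /archive.tar.gz HTTP/1.1" 200 1024
192.0.2.14 - - [07/Oct/2008:09:13:12 -0400] "GET /a%2e%2ephp HTTP/1.1" 500 0
"""

# Common Log Format: host ident authuser [time] "method target proto" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Two or more consecutive dots directly followed by the extension, at the end
# of the basename. Single dots ("archive.tar.gz") are normal and do not match.
MULTI_DOT_RE = re.compile(r'\.{2,}[^./]+$')


def is_multi_dot_name(target):
    """True when the request target's final path component has >=2 dots
    right before its extension, e.g. /foo..php or /a%2e%2ephp."""
    path = urlsplit(target).path          # drop the query string first
    basename = unquote(path).rsplit('/', 1)[-1]  # assumption: one decode pass
    return bool(MULTI_DOT_RE.search(basename))


def parse_clf(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def find_suspicious(log_text):
    """Return (host, target, status) for every request with a multi-dot script name."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        if is_multi_dot_name(rec['target']):
            hits.append((rec['host'], rec['target'], rec['status']))
    return hits


if __name__ == '__main__':
    for host, target, status in find_suspicious(SAMPLE_LOG):
        print(f'{host} requested {target} (status {status})')
```

Correlating the flagged requests with 5xx responses from the FastCGI back end, as in the sample, separates probing from a successful crash; the same predicate can be applied at a reverse proxy to refuse such names before they reach an unpatched PHP FastCGI instance.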
Impact: A remote user can cause the target application to crash.
Solution: The vendor has issued a fix (4.4.9). A source code fix for 5.2.x is available.
Vendor URL: www.php.net/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Tue, 7 Oct 2008 09:12:57 -0400
Subject: PHP
CVE-2008-3660
PHP 4.4.x before 4.4.9 and PHP 5.6 through 5.2.6, when used as a FastCGI module,
allows remote attackers to cause a denial of service (crash) via a request with
multiple dots preceding the extension, as demonstrated using foo..php.