Filtered by vendor Php
Subscriptions
Filtered by product Php
Subscriptions
Total
730 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2003-0249 | 1 Php | 1 Php | 2025-04-03 | N/A |
| PHP treats unknown methods such as "PoSt" as a GET request, which could allow attackers to intended access restrictions if PHP is running on a server that passes on all methods, such as Apache httpd 2.0, as demonstrated using a Limit directive. NOTE: this issue has been disputed by the Apache security team, saying "It is by design that PHP allows scripts to process any request method. A script which does not explicitly verify the request method will hence be processed as normal for arbitrary methods. It is therefore expected behaviour that one cannot implement per-method access control using the Apache configuration alone, which is the assumption made in this report. | ||||
| CVE-2002-0121 | 1 Php | 1 Php | 2025-04-03 | N/A |
| PHP 4.0 through 4.1.1 stores session IDs in temporary files whose name contains the session ID, which allows local users to hijack web connections. | ||||
| CVE-2001-1247 | 2 Php, Redhat | 2 Php, Linux | 2025-04-03 | N/A |
| PHP 4.0.4pl1 and 4.0.5 in safe mode allows remote attackers to read and write files owned by the web server UID by uploading a PHP script that uses the error_log function to access the files. | ||||
| CVE-1999-0058 | 1 Php | 1 Php | 2025-04-03 | N/A |
| Buffer overflow in PHP cgi program, php.cgi allows shell access. | ||||
| CVE-1999-0238 | 1 Php | 1 Php | 2025-04-03 | N/A |
| php.cgi allows attackers to read any file on the system. | ||||
| CVE-2003-0860 | 1 Php | 1 Php | 2025-04-03 | N/A |
| Buffer overflows in PHP before 4.3.3 have unknown impact and unknown attack vectors. | ||||
| CVE-2003-1303 | 2 Php, Redhat | 2 Php, Enterprise Linux | 2025-04-03 | N/A |
| Buffer overflow in the imap_fetch_overview function in the IMAP functionality (php_imap.c) in PHP before 4.3.3 allows remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a long e-mail address in a (1) To or (2) From header. | ||||
| CVE-2004-0542 | 1 Php | 1 Php | 2025-04-03 | N/A |
| PHP before 4.3.7 on Win32 platforms does not properly filter all shell metacharacters, which allows local or remote attackers to execute arbitrary code, overwrite files, and access internal environment variables via (1) the "%", "|", or ">" characters to the escapeshellcmd function, or (2) the "%" character to the escapeshellarg function. | ||||
| CVE-2005-3388 | 2 Php, Redhat | 4 Php, Enterprise Linux, Rhel Stronghold and 1 more | 2025-04-03 | N/A |
| Cross-site scripting (XSS) vulnerability in the phpinfo function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5 allows remote attackers to inject arbitrary web script or HTML via a crafted URL with a "stacked array assignment." | ||||
| CVE-2006-1990 | 2 Php, Redhat | 3 Php, Enterprise Linux, Rhel Stronghold | 2025-04-03 | N/A |
| Integer overflow in the wordwrap function in string.c in PHP 4.4.2 and 5.1.2 might allow context-dependent attackers to execute arbitrary code via certain long arguments that cause a small buffer to be allocated, which triggers a heap-based buffer overflow in a memcpy function call, a different vulnerability than CVE-2002-1396. | ||||
| CVE-2001-0108 | 3 Mandrakesoft, Php, Redhat | 3 Mandrake Linux, Php, Linux | 2025-04-03 | N/A |
| PHP Apache module 4.0.4 and earlier allows remote attackers to bypass .htaccess access restrictions via a malformed HTTP request on an unrestricted page that causes PHP to use those access controls on the next page that is requested. | ||||
| CVE-2002-0229 | 1 Php | 1 Php | 2025-04-03 | N/A |
| Safe Mode feature (safe_mode) in PHP 3.0 through 4.1.0 allows attackers with access to the MySQL database to bypass Safe Mode access restrictions and read arbitrary files using "LOAD DATA INFILE LOCAL" SQL statements. | ||||
| CVE-2002-0253 | 1 Php | 1 Php | 2025-04-03 | N/A |
| PHP, when not configured with the "display_errors = Off" setting in php.ini, allows remote attackers to obtain the physical path for an include file via a trailing slash in a request to a directly accessible PHP program, which modifies the base path, causes the include directive to fail, and produces an error message that contains the path. | ||||
| CVE-2002-0484 | 1 Php | 1 Php | 2025-04-03 | N/A |
| move_uploaded_file in PHP does not does not check for the base directory (open_basedir), which could allow remote attackers to upload files to unintended locations on the system. | ||||
| CVE-2003-0097 | 1 Php | 1 Php | 2025-04-03 | N/A |
| Unknown vulnerability in CGI module for PHP 4.3.0 allows attackers to access arbitrary files as the PHP user, and possibly execute PHP code, by bypassing the CGI force redirect settings (cgi.force_redirect or --enable-force-cgi-redirect). | ||||
| CVE-2006-0207 | 1 Php | 1 Php | 2025-04-03 | N/A |
| Multiple HTTP response splitting vulnerabilities in PHP 5.1.1 allow remote attackers to inject arbitrary HTTP headers via a crafted Set-Cookie header, related to the (1) session extension (aka ext/session) and the (2) header function. | ||||
| CVE-2006-2563 | 1 Php | 1 Php | 2025-04-03 | N/A |
| The cURL library (libcurl) in PHP 4.4.2 and 5.1.4 allows attackers to bypass safe mode and read files via a file:// request containing null characters. | ||||
| CVE-2004-1065 | 5 Openpkg, Php, Redhat and 2 more | 5 Openpkg, Php, Enterprise Linux and 2 more | 2025-04-03 | N/A |
| Buffer overflow in the exif_read_data function in PHP before 4.3.10 and PHP 5.x up to 5.0.2 allows remote attackers to execute arbitrary code via a long section name in an image file. | ||||
| CVE-2006-0200 | 1 Php | 1 Php | 2025-04-03 | N/A |
| Format string vulnerability in the error-reporting feature in the mysqli extension in PHP 5.1.0 and 5.1.1 might allow remote attackers to execute arbitrary code via format string specifiers in MySQL error messages. | ||||
| CVE-2005-3391 | 1 Php | 1 Php | 2025-04-03 | N/A |
| Multiple vulnerabilities in PHP before 4.4.1 allow remote attackers to bypass safe_mode and open_basedir restrictions via unknown attack vectors in (1) ext/curl and (2) ext/gd. | ||||