CVE-2000-0860
PHP 3 and 4 - Arbitrary File Read via Hidden Form Field Injection
Title source: llmDescription
The file upload capability in PHP versions 3 and 4 allows remote attackers to read arbitrary files by setting hidden form fields whose names match the names of internal PHP script variables.
References (6)
Core 6
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/5190
Third Party Advisory mailing-list
x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-08/0477.html
Exploit, Vendor Advisory vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/1649
Various Sources x_refsource_confirm
http://cvsweb.php.net/viewcvs.cgi/php4/main/rfc1867.c.diff?r1=1.38%3Aphp_4_0_2&tr1=1.1&r2=text&tr2=1.45&diff_format=u
Vendor Advisory mailing-list
x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-08/0455.html
Third Party Advisory vendor-advisory
x_refsource_mandrake
http://archives.neohapsis.com/archives/bugtraq/2000-09/0150.html
Scores
EPSS
0.0111
EPSS Percentile
78.4%
Details
Status
published
Products (18)
php/php
1.0
php/php
2.0
php/php
2.0b10
php/php
3.0
php/php
3.0.1
php/php
3.0.2
php/php
3.0.3
php/php
3.0.4
php/php
3.0.5
php/php
3.0.6
... and 8 more
Published
Nov 14, 2000
Tracked Since
Feb 18, 2026