CVE-2004-1020

PHP 4.3.9 - Directory Traversal and Arbitrary File Read via addslashes NULL Character Bypass

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2004-1020. PoCs published by Daniel Fabian.

AI-analyzed exploit summary: The provided text describes a directory traversal vulnerability in PHP4 and PHP5 on Windows systems, allowing arbitrary file disclosure and upload. It includes example URLs demonstrating the attack vectors but lacks executable exploit code.

Description

The addslashes function in PHP 4.3.9 does not properly escape a NULL (\0) character, which may allow remote attackers to read arbitrary files in PHP applications that contain a directory traversal vulnerability in require or include statements, but are otherwise protected by the magic_quotes_gpc mechanism. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute. This candidate may change significantly in the future as a result of further discussion.

Exploits (1)

exploitdb WRITEUP VERIFIED
by Daniel Fabian · text · remote · php
https://www.exploit-db.com/exploits/24985

Classification: Writeup 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Theoretical
Target: PHP4 and PHP5 (Windows)
No auth needed
Prerequisites: PHP4 or PHP5 running on a Windows system · A vulnerable script that processes user-supplied input in file operations
devstral-2 · analyzed Feb 16, 2026

References (8)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/18516
Vendor Advisory x_refsource_confirm
http://www.php.net/release_4_3_10.php
Vendor Advisory vendor-advisory x_refsource_mandrake
http://www.mandriva.com/security/advisories?name=MDKSA-2004:151
Exploit, Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/11981
Exploit, Vendor Advisory mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/384663
Vendor Advisory vendor-advisory x_refsource_conectiva
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000915
Vendor Advisory vendor-advisory x_refsource_gentoo
http://www.gentoo.org/security/en/glsa/glsa-200412-14.xml
Third Party Advisory, VDB Entry vendor-advisory x_refsource_hp
http://www.securityfocus.com/advisories/9028

Scores

EPSS 0.0707
EPSS Percentile 93.4%

Details

Status published
Products (8)
php/php 4.3.6
php/php 4.3.7
php/php 4.3.8
php/php 4.3.9
php/php 5.0 rc1 (3 CPE variants)
php/php 5.0.0
php/php 5.0.1
php/php 5.0.2
Published Jan 10, 2005
Tracked Since Feb 18, 2026