CVE-2006-4020

PHP <5.1.4 & <4.4.3 - Buffer Overflow

Title source: llm

Description

scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows context-dependent attackers to execute arbitrary code via a sscanf PHP function call that performs argument swapping, which increments an index past the end of an array and triggers a buffer over-read.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Andi · phplocallinux

https://www.exploit-db.com/exploits/2193

View Code ZIP pw:eip

References (39)

[Exploit, Patch] http://bugs.php.net/bug.php?id=38322

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2006-0688.html

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2006-0736.html

[Third Party Advisory, VDB Entry] http://securitytracker.com/id?1016984

[Exploit, URL Repurposed] http://www.plain-text.info/sscanf_bug.txt

[Vendor Advisory] http://www.redhat.com/support/errata/RHSA-2006-0669.html

[Vendor Advisory] http://www.redhat.com/support/errata/RHSA-2006-0682.html

[Exploit, Patch, Vendor Advisory] http://www.securityfocus.com/archive/1/442438/30/0/threaded

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/19415

[Third Party Advisory, VDB Entry] https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11062

[Vendor Advisory] http://www.ubuntu.com/usn/usn-342-1

[Vendor Advisory] http://www.mandriva.com/security/advisories?name=MDKSA-2006:144

[Vendor Advisory] http://support.avaya.com/elmodocs2/security/ASA-2006-221.htm

[Vendor Advisory] http://support.avaya.com/elmodocs2/security/ASA-2006-222.htm

[Vendor Advisory] http://support.avaya.com/elmodocs2/security/ASA-2006-223.htm

[Vendor Advisory] http://www.php.net/ChangeLog-5.php#5.1.5

[Vendor Advisory] http://www.php.net/release_5_1_5.php

[Vendor Advisory] ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc

[Vendor Advisory] http://www.novell.com/linux/security/advisories/2006_19_sr.html

[Vendor Advisory] http://www.novell.com/linux/security/advisories/2006_20_sr.html

... and 19 more

Scores

EPSS 0.0586

EPSS Percentile 90.6%

Details

Status published

Products (34)

php/php 4.0 (8 CPE variants)

php/php 4.0.0

php/php 4.0.1 (3 CPE variants)

php/php 4.0.2

php/php 4.0.3 (2 CPE variants)

php/php 4.0.4 (2 CPE variants)

php/php 4.0.5

php/php 4.0.6

php/php 4.0.7 (4 CPE variants)

php/php 4.1.0

... and 24 more

Published Aug 08, 2006

Tracked Since Feb 18, 2026