CVE-2010-2531
PHP 5.2.0-5.2.13 and 5.3.0-5.3.2 - Sensitive Information Exposure via var_export Fatal Error Handling
The var_export function in PHP 5.2 before 5.2.14 and 5.3 before 5.3.3 flushes the output buffer to the user when certain fatal errors occur, even if display_errors is off, which allows remote attackers to obtain sensitive information by causing the application to exceed limits for memory, execution time, or recursion.
References (18)
Core References
Third Party Advisory x_refsource_confirm
http://support.apple.com/kb/HT4435
Mailing List, Third Party Advisory vendor-advisory
x_refsource_hp
http://marc.info/?l=bugtraq&m=133469208622507&w=2
Mailing List, Third Party Advisory vendor-advisory
x_refsource_hp
http://marc.info/?l=bugtraq&m=130331363227777&w=2
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2010/07/16/3
Vendor Advisory x_refsource_confirm
http://svn.php.net/viewvc/php/php-src/trunk/ext/standard/tests/general_functions/var_export_error2.phpt?view=log&pathrev=301143
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=617673
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2011/dsa-2266
Mailing List, Third Party Advisory vendor-advisory
x_refsource_apple
http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html
Third Party Advisory vendor-advisory
x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2010-0919.html
Mailing List, Third Party Advisory vendor-advisory
x_refsource_apple
http://lists.apple.com/archives/security-announce/2010//Aug/msg00003.html
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2010/07/13/1
Vendor Advisory x_refsource_confirm
http://www.php.net/archive/2010.php#id2010-07-22-2
Third Party Advisory x_refsource_confirm
http://support.apple.com/kb/HT4312
Broken Link third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/42410
Mailing List, Third Party Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html
Vendor Advisory x_refsource_confirm
http://www.php.net/archive/2010.php#id2010-07-22-1
Mailing List, Third Party Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00000.html
Permissions Required vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2010/3081
Scores
EPSS: 0.0571
EPSS Percentile: 90.5%
Details
CWE: CWE-200
Status: published
Products (3):
debian/debian_linux 5.0
debian/debian_linux 6.0
php/php 5.2.0 - 5.2.14
Published: Aug 20, 2010
Tracked Since: Feb 18, 2026