PHP — популярный язык сценариев общего назначения, особенно подходящий для веб-разработки.
Релизный цикл, информация об уязвимостях
График релизов
Количество 3 867
GHSA-xc5f-pfpm-hrw6
** DISPUTED ** PHP treats unknown methods such as "PoSt" as a GET request, which could allow attackers to intended access restrictions if PHP is running on a server that passes on all methods, such as Apache httpd 2.0, as demonstrated using a Limit directive. NOTE: this issue has been disputed by the Apache security team, saying "It is by design that PHP allows scripts to process any request method. A script which does not explicitly verify the request method will hence be processed as normal for arbitrary methods. It is therefore expected behaviour that one cannot implement per-method access control using the Apache configuration alone, which is the assumption made in this report."
GHSA-jwhh-h5m8-hcgh
Buffer overflow in openlog function for PHP 4.3.1 on Windows operating system, and possibly other OSes, allows remote attackers to cause a crash and possibly execute arbitrary code via a long filename argument.
GHSA-4xfp-7xc2-6c73
Integer signedness error in emalloc() function for PHP before 4.3.2 allow remote attackers to cause a denial of service (memory consumption) and possibly execute arbitrary code via negative arguments to functions such as (1) socket_recv, (2) socket_recvfrom, and possibly other functions.
GHSA-wfpc-v3c5-rxcq
Unknown vulnerability in CGI module for PHP 4.3.0 allows attackers to access arbitrary files as the PHP user, and possibly execute PHP code, by bypassing the CGI force redirect settings (cgi.force_redirect or --enable-force-cgi-redirect).
GHSA-g49p-q335-6257
regcomp in the BSD implementation of libc is vulnerable to denial of service due to stack exhaustion.
GHSA-v2wg-2jpv-87h6
SQL injection vulnerability in Zend Framework 1.10.x before 1.10.9 and 1.11.x before 1.11.6 when using non-ASCII-compatible encodings in conjunction PDO_MySql in PHP before 5.3.6.
GHSA-mx27-jhrp-2gfm
PHP5 before 5.4.4 allows passing invalid utf-8 strings via the xmlTextWriterWriteAttribute, which are then misparsed by libxml2. This results in memory leak into the resulting output.
BDU:2022-01596
Уязвимость функции filter_var интерпретатора языка PHP, позволяющая нарушителю выполнить произвольный код
SUSE-SU-2022:0847-1
Security update for php7
openSUSE-SU-2022:0847-1
Security update for php7
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
| GHSA-xc5f-pfpm-hrw6 ** DISPUTED ** PHP treats unknown methods such as "PoSt" as a GET request, which could allow attackers to intended access restrictions if PHP is running on a server that passes on all methods, such as Apache httpd 2.0, as demonstrated using a Limit directive. NOTE: this issue has been disputed by the Apache security team, saying "It is by design that PHP allows scripts to process any request method. A script which does not explicitly verify the request method will hence be processed as normal for arbitrary methods. It is therefore expected behaviour that one cannot implement per-method access control using the Apache configuration alone, which is the assumption made in this report." | 1% Низкий | больше 3 лет назад | |
| GHSA-jwhh-h5m8-hcgh Buffer overflow in openlog function for PHP 4.3.1 on Windows operating system, and possibly other OSes, allows remote attackers to cause a crash and possibly execute arbitrary code via a long filename argument. | 22% Средний | больше 3 лет назад | |
| GHSA-4xfp-7xc2-6c73 Integer signedness error in emalloc() function for PHP before 4.3.2 allow remote attackers to cause a denial of service (memory consumption) and possibly execute arbitrary code via negative arguments to functions such as (1) socket_recv, (2) socket_recvfrom, and possibly other functions. | 27% Средний | больше 3 лет назад | |
| GHSA-wfpc-v3c5-rxcq Unknown vulnerability in CGI module for PHP 4.3.0 allows attackers to access arbitrary files as the PHP user, and possibly execute PHP code, by bypassing the CGI force redirect settings (cgi.force_redirect or --enable-force-cgi-redirect). | 0% Низкий | больше 3 лет назад | |
| GHSA-g49p-q335-6257 regcomp in the BSD implementation of libc is vulnerable to denial of service due to stack exhaustion. | 25% Средний | больше 3 лет назад | |
| GHSA-v2wg-2jpv-87h6 SQL injection vulnerability in Zend Framework 1.10.x before 1.10.9 and 1.11.x before 1.11.6 when using non-ASCII-compatible encodings in conjunction PDO_MySql in PHP before 5.3.6. | CVSS3: 9.8 | 9% Низкий | больше 3 лет назад |
| GHSA-mx27-jhrp-2gfm PHP5 before 5.4.4 allows passing invalid utf-8 strings via the xmlTextWriterWriteAttribute, which are then misparsed by libxml2. This results in memory leak into the resulting output. | CVSS3: 7.5 | 2% Низкий | больше 3 лет назад |
 | BDU:2022-01596 Уязвимость функции filter_var интерпретатора языка PHP, позволяющая нарушителю выполнить произвольный код | CVSS3: 7.5 | больше 3 лет назад | |
 | SUSE-SU-2022:0847-1 Security update for php7 | 0% Низкий | больше 3 лет назад | |
| openSUSE-SU-2022:0847-1 Security update for php7 | 0% Низкий | больше 3 лет назад |
Уязвимостей на страницу