Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 5.0
CVE Id CVE-2002-0986
Last Modified 05 Sep 2008 04:29:28
Published 24 Sep 2002 12:00:00
Confidentiality Impact NONE
Integrity Impact PARTIAL
Availability Impact NONE
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2002-0986

Summary

The mail function in PHP 4.x to 4.2.2 does not filter ASCII control characters from its arguments, which could allow remote attackers to modify mail message content, including mail headers, and possibly use PHP as a "spam proxy."

Vulnerable Systems

Application

  • PHP 3.0.18
  • PHP 4.0
  • PHP 4.0.1
  • PHP 4.0.2
  • PHP 4.0.3
  • PHP 4.0.4
  • PHP 4.0.5
  • PHP 4.0.6
  • PHP 4.0.7
  • PHP 4.1.0
  • PHP 4.1.1
  • PHP 4.1.2
  • PHP 4.2.0
  • PHP 4.2.1
  • PHP 4.2.2


References

CERT-VN - VU#410609

BID - 5562

XF - php-mail-ascii-injection(9959)

BUGTRAQ - 20020823 PHP: Bypass safe_mode and inject ASCII control chars with mail()

REDHAT - RHSA-2003:159

REDHAT - RHSA-2002:248

REDHAT - RHSA-2002:244

REDHAT - RHSA-2002:243

REDHAT - RHSA-2002:214

REDHAT - RHSA-2002:213

OSVDB - 2160

SUSE - SuSE-SA:2002:036

MANDRAKE - MDKSA-2003:082

DEBIAN - DSA-168

BUGTRAQ - 20030707 [OpenPKG-SA-2003.032] OpenPKG Security Advisory (php)

CONECTIVA - CLA-2002:545

CALDERA - CSSA-2003-008.0


Last Updated: 27 May 2016 10:37:09