CVE-2005-3390

HIGH severity · CVSS 7.5

7.5CVSS HIGH

Summary

The RFC1867 file upload feature in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when register_globals is enabled, allows remote attackers to modify the GLOBALS array and bypass security protections of PHP applications via a multipart/form-data POST request with a "GLOBALS" fileupload field.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges required—

User interaction—

Confidentiality impact—

Integrity impact—

Availability impact—

Exploit probability (EPSS)65%

AV:N/AC:L/Au:N/C:P/I:P/A:P

Affected products we track (1)

PHP

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Official patch: http://secunia.com/advisories/17371 ↗

Additional information

NVD record
http://secunia.com/advisories/17371Patch
http://itrc.hp.com/service/cki/docDisplay.do?docId=c00786522
http://rhn.redhat.com/errata/RHSA-2006-0549.html
http://secunia.com/advisories/17490
http://secunia.com/advisories/17510
http://secunia.com/advisories/17531
http://secunia.com/advisories/17557
http://secunia.com/advisories/17559