National Cyber Awareness System

Vulnerability Summary for CVE-2007-4658

Overview

The money_format function in PHP 5 before 5.2.4, and PHP 4 before 4.4.8, permits multiple (1) %i and (2) %n tokens, which has unknown impact and attack vectors, possibly related to a format string vulnerability.

Impact

CVSS Severity (version 2.0):

CVSS Version 2 Metrics:

Vendor Statements (disclaimer)

Official Statement from Red Hat (09/05/2007)

This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: CONFIRM

Name: http://www.php.net/ChangeLog-5.php#5.2.4

Type: Patch Information

Hyperlink:http://www.php.net/ChangeLog-5.php#5.2.4

External Source: SECUNIA

Name: 26642

Type: Advisory; Patch Information

Hyperlink:http://secunia.com/advisories/26642

External Source: FEDORA

Name: FEDORA-2007-709

Hyperlink:https://www.redhat.com/archives/fedora-package-announce/2007-September/msg00354.html

External Source: CONFIRM

Name: https://launchpad.net/bugs/173043

Hyperlink:https://launchpad.net/bugs/173043

External Source: CONFIRM

Name: https://issues.rpath.com/browse/RPL-1702

Hyperlink:https://issues.rpath.com/browse/RPL-1702

External Source: CONFIRM

Name: https://issues.rpath.com/browse/RPL-1693

Hyperlink:https://issues.rpath.com/browse/RPL-1693

External Source: XF

Name: php-moneyformat-unspecified(36377)

Hyperlink:http://xforce.iss.net/xforce/xfdb/36377

External Source: VUPEN

Name: ADV-2008-0059

Type: Advisory

Hyperlink:http://www.vupen.com/english/advisories/2008/0059

External Source: VUPEN

Name: ADV-2007-3023

Type: Advisory

Hyperlink:http://www.vupen.com/english/advisories/2007/3023

External Source: UBUNTU

Name: USN-549-1

Hyperlink:http://www.ubuntulinux.org/support/documentation/usn/usn-549-1

External Source: UBUNTU

Name: USN-549-2

Hyperlink:http://www.ubuntu.com/usn/usn-549-2

External Source: TRUSTIX

Name: 2007-0026

Hyperlink:http://www.trustix.org/errata/2007/0026/

External Source: REDHAT

Name: RHSA-2007:0891

Hyperlink:http://www.redhat.com/support/errata/RHSA-2007-0891.html

External Source: REDHAT

Name: RHSA-2007:0890

Hyperlink:http://www.redhat.com/support/errata/RHSA-2007-0890.html

External Source: CONFIRM

Name: http://www.php.net/releases/5_2_4.php

Hyperlink:http://www.php.net/releases/5_2_4.php

External Source: CONFIRM

Name: http://www.php.net/releases/4_4_8.php

Hyperlink:http://www.php.net/releases/4_4_8.php

External Source: CONFIRM

Name: http://www.php.net/ChangeLog-4.php

Hyperlink:http://www.php.net/ChangeLog-4.php

External Source: MANDRIVA

Name: MDKSA-2007:187

Hyperlink:http://www.mandriva.com/security/advisories?name=MDKSA-2007:187

External Source: GENTOO

Name: GLSA-200710-02

Hyperlink:http://www.gentoo.org/security/en/glsa/glsa-200710-02.xml

External Source: DEBIAN

Name: DSA-1444

Hyperlink:http://www.debian.org/security/2008/dsa-1444

External Source: CONFIRM

Name: http://support.avaya.com/elmodocs2/security/ASA-2007-449.htm

Hyperlink:http://support.avaya.com/elmodocs2/security/ASA-2007-449.htm

External Source: SLACKWARE

Name: SSA:2008-045-03

Hyperlink:http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.335136

External Source: SECUNIA

Name: 28936

Type: Advisory

Hyperlink:http://secunia.com/advisories/28936

External Source: SECUNIA

Name: 28658

Type: Advisory

Hyperlink:http://secunia.com/advisories/28658

External Source: SECUNIA

Name: 28249

Type: Advisory

Hyperlink:http://secunia.com/advisories/28249

External Source: SECUNIA

Name: 27864

Type: Advisory

Hyperlink:http://secunia.com/advisories/27864

External Source: SECUNIA

Name: 27545

Type: Advisory

Hyperlink:http://secunia.com/advisories/27545

External Source: SECUNIA

Name: 27377

Type: Advisory

Hyperlink:http://secunia.com/advisories/27377

External Source: SECUNIA

Name: 27102

Type: Advisory

Hyperlink:http://secunia.com/advisories/27102

External Source: SECUNIA

Name: 26967

Type: Advisory

Hyperlink:http://secunia.com/advisories/26967

External Source: SECUNIA

Name: 26930

Type: Advisory

Hyperlink:http://secunia.com/advisories/26930

External Source: SECUNIA

Name: 26895

Type: Advisory

Hyperlink:http://secunia.com/advisories/26895

External Source: SECUNIA

Name: 26871

Type: Advisory

Hyperlink:http://secunia.com/advisories/26871

External Source: SECUNIA

Name: 26838

Type: Advisory

Hyperlink:http://secunia.com/advisories/26838

External Source: SECUNIA

Name: 26822

Type: Advisory

Hyperlink:http://secunia.com/advisories/26822

External Source: REDHAT

Name: RHSA-2007:0889

Hyperlink:http://rhn.redhat.com/errata/RHSA-2007-0889.html

External Source: OVAL

Name: oval:org.mitre.oval:def:10363

Hyperlink:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10363

External Source: SUSE

Name: SUSE-SA:2008:004

Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2008-01/msg00006.html

References to Check Content

Identifier:oval:org.mitre.oval:def:10363

Check System:http://oval.mitre.org/XMLSchema/oval-definitions-5

Hyperlink:http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:10363