Intrusion Prevention

PHP.Error.Logging.Format.String

Description

This indicates a possible format string vulnerability in a PHP-based application.


A format string vulnerability is reported in the PHP code that handles error logging. An attacker can craft a string containing malicious format specifiers and pass it to the logging functions syslog() and vsnprintf() as part of an error log message. As a result, an attacker can write arbitrary data to the system and gain access to the system with the privileges of the web server.
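The class of bug described above, shown as an added C example (not PHP's own source code): the unsafe call pattern appears only in a comment, next to the hardened form and a small check that counts format directives in untrusted text. The function names `log_error_safe`, `format_error_safe` and `count_format_directives` and the sample string are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Pattern described above (do not use): untrusted text is the format string,
 *     syslog(LOG_ERR, untrusted);
 * so any % directives inside it are interpreted by the formatter. */

/* Hardened form: constant format string, untrusted text passed only as data. */
void log_error_safe(const char *untrusted)
{
    syslog(LOG_ERR, "%s", untrusted);
}

/* Same rule when formatting into a buffer; returns the length snprintf reports. */
int format_error_safe(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, "PHP error: %s", untrusted);
}

/* Count printf-style conversion directives in a string. "%%" is a literal
 * percent sign and is not counted; a lone trailing '%' is ignored. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }   /* escaped percent */
        if (s[1] != '\0')
            n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample input, not taken from a real request. */
    const char *sample = "file %s%x not found (100%% sure)";
    char buf[128];

    format_error_safe(buf, sizeof buf, sample);
    printf("%s\n", buf);                       /* directives stay literal text */
    printf("directives: %d\n", count_format_directives(sample));
    log_error_safe(sample);
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` makes GCC and Clang warn about calls where a non-literal string is passed as the format argument with no further arguments.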

Affected Products

PHP 3.0 and 4.0.

Impact

Gain access to the system.

Recommended Actions

Apply the appropriate patch or upgrade to PHP 4.0.3 or higher.

CVE References

CVE-2000-0967