Vulnerability Description
The parse_str function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when called with only one parameter, allows remote attackers to enable the register_globals directive via inputs that cause a request to be terminated due to the memory_limit setting, which causes PHP to set an internal flag that enables register_globals and allows attackers to exploit vulnerabilities in PHP applications that would otherwise be protected.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| PHP | PHP | 4.0.0 |
References
- http://itrc.hp.com/service/cki/docDisplay.do?docId=c00786522
- http://rhn.redhat.com/errata/RHSA-2006-0549.html
- http://secunia.com/advisories/17371 (Patch, Vendor Advisory)
- http://secunia.com/advisories/17490 (Vendor Advisory)
- http://secunia.com/advisories/17510 (Vendor Advisory)
- http://secunia.com/advisories/17531 (Vendor Advisory)
- http://secunia.com/advisories/17557 (Vendor Advisory)
- http://secunia.com/advisories/17559 (Vendor Advisory)
- http://secunia.com/advisories/18054 (Vendor Advisory)
- http://secunia.com/advisories/18198 (Vendor Advisory)
- http://secunia.com/advisories/18669 (Vendor Advisory)
- http://secunia.com/advisories/21252 (Vendor Advisory)
- http://secunia.com/advisories/22691 (Vendor Advisory)
- http://securityreason.com/securityalert/134
- http://securitytracker.com/id?1015131
FAQ
What is CVE-2005-3389?
CVE-2005-3389 is a vulnerability with a CVSS score of 5.0 (MEDIUM). The parse_str function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when called with only one parameter, allows remote attackers to enable the register_globals directive via inputs that cause a request...
How severe is CVE-2005-3389?
CVE-2005-3389 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2005-3389?
Check the references section above for vendor advisories and patch information. Affected products include: PHP PHP.