Vulnerability Details : CVE-2009-0754
PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within .htaccess, which causes this setting to be applied to other virtual hosts on the same server.
Vulnerability category: Overflow
Exploit prediction scoring system (EPSS) score for CVE-2009-0754
Probability of exploitation activity in the next 30 days: 0.04%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ % EPSS Score History EPSS FAQ
CVSS scores for CVE-2009-0754
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
2.1
|
LOW | AV:L/AC:L/Au:N/C:N/I:P/A:N |
3.9
|
2.9
|
NIST |
CWE ids for CVE-2009-0754
-
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.Assigned by: nvd@nist.gov (Primary)
References for CVE-2009-0754
-
http://www.debian.org/security/2009/dsa-1789
[SECURITY] [DSA 1789-1] New php5 packages fix several vulnerabilities
-
http://www.openwall.com/lists/oss-security/2009/02/25/3
-
http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html
[security-announce] SUSE Security Summary Report: SUSE-SR:2009:008 - openSUSE Security Announce - openSUSE Mailing Lists
- https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01465.html
-
http://www.securitytracker.com/id?1021979
- http://www.redhat.com/support/errata/RHSA-2009-0350.html
- https://usn.ubuntu.com/761-1/
-
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11035
-
http://www.openwall.com/lists/oss-security/2009/01/30/1
-
http://www.openwall.com/lists/oss-security/2009/02/03/3
- https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01451.html
-
http://bugs.php.net/bug.php?id=27421
Exploit;Vendor Advisory
Products affected by CVE-2009-0754
- cpe:2.3:a:php:php:5.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:4.4.4:*:*:*:*:*:*:*