CVE-2010-4156 : The mb_strcut function in Libmbfl 1.1.0, as used in PHP 5.3.x through 5.3.3, allows context-dependent attackers to obtai

The mb_strcut function in Libmbfl 1.1.0, as used in PHP 5.3.x through 5.3.3, allows context-dependent attackers to obtain potentially sensitive information via a large value of the third parameter (aka the length parameter).

Published 2010-11-10 03:00:03

Updated 2011-05-04 02:52:13

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Input validation

Exploit prediction scoring system (EPSS) score for CVE-2010-4156

Probability of exploitation activity in the next 30 days: 1.23%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 84 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2010-4156

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

CWE ids for CVE-2010-4156

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2010-4156

http://marc.info/?l=bugtraq&m=130331363227777&w=2

'[security bulletin] HPSBMA02662 SSRT100409 rev.1 - HP System Management Homepage (SMH) for Linux and' - MARC

CVEs referencing this url
http://www.vupen.com/english/advisories/2011/0021

Webmail | OVH- OVH

CVEs referencing this url
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/052836.html

[SECURITY] Fedora 13 Update: maniadrive-1.2-23.fc13

CVEs referencing this url
http://www.securityfocus.com/bid/44727

PHP 'mb_strcut()' Function Information Disclosure Vulnerability
Exploit
http://pastie.org/1279682

404 Not Found
Patch
http://pastie.org/1279428

pastie.org | 521: Web server is down
Patch
http://www.mandriva.com/security/advisories?name=MDVSA-2010:225

mandriva.com
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/052845.html

[SECURITY] Fedora 14 Update: maniadrive-1.2-23.fc14

CVEs referencing this url
http://www.redhat.com/support/errata/RHSA-2011-0196.html

Support

CVEs referencing this url
http://www.ubuntu.com/usn/USN-1042-1

USN-1042-1: PHP vulnerabilities | Ubuntu security notices

CVEs referencing this url
http://www.php.net/ChangeLog-5.php

PHP: PHP 5 ChangeLog

CVEs referencing this url
http://www.vupen.com/english/advisories/2011/0020

Webmail | OVH- OVH

CVEs referencing this url
http://www.vupen.com/english/advisories/2011/0077

Webmail | OVH- OVH

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2010/11/08/13

oss-security - Re: CVE Request: PHP 5.3.3, libmbfl, mb_strcut
Exploit;Patch
http://www.openwall.com/lists/oss-security/2010/11/07/2

oss-security - CVE Request: PHP 5.3.3, libmbfl, mb_strcut
Exploit;Patch

Products affected by CVE-2010-4156

Scottmac » Libmbfl » Version: 1.1.0
cpe:2.3:a:scottmac:libmbfl:1.1.0:*:*:*:*:*:*:*
Matching versions
When used together with: PHP » PHP » Version: 5.3.0
When used together with: PHP » PHP » Version: 5.3.1
When used together with: PHP » PHP » Version: 5.3.2
When used together with: PHP » PHP » Version: 5.3.3

Vulnerability Details : CVE-2010-4156

Exploit prediction scoring system (EPSS) score for CVE-2010-4156

CVSS scores for CVE-2010-4156

CWE ids for CVE-2010-4156

References for CVE-2010-4156

Products affected by CVE-2010-4156