Vulnerability Name: CVE-2008-3660 (CCN-44402) Assigned: 2008-08-06 Published: 2008-08-06 Updated: 2018-10-11 Summary: PHP 4.4.x before 4.4.9, and 5.x through 5.2.6, when used as a FastCGI module, allows remote attackers to cause a denial of service (crash) via a request with multiple dots preceding the extension, as demonstrated using foo..php. CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): NoneIntegrity (I): NoneAvailibility (A): Low
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P 3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAuthentication (Au): NoneImpact Metrics: Confidentiality (C): NoneIntegrity (I): NoneAvailibility (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P 3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAthentication (Au): NoneImpact Metrics: Confidentiality (C): NoneIntegrity (I): NoneAvailibility (A): Partial
Vulnerability Type: CWE-20 Vulnerability Consequences: Other References: Source: CCNdev-lang/php < 5.2.6-r6: arbitrary code execution, DoS, safe_mode bypass (CVE-2008-{3658,3659,3660}) http://bugs.gentoo.org/show_bug.cgi?id=234102 CVE-2008-3660 HP-UX Running Apache Web Server Suite, Remote Denial of Service (DoS), Execution of Arbitrary Code APPLE-SA-2009-05-12 SUSE-SR:2008:018 SSRT090085 HPSBUX02465 Moderate: php security update Moderate: php security update Moderate: php security update PHP Multiple Vulnerabilities 31982 32148 32746 Apple Mac OS X Security Update Fixes Multiple Vulnerabilities 35074 35306 HP-UX Apache Web Server Suite Multiple Vulnerabilities 35650 GLSA-200811-05 PHP FastCGI Module Request Processing Bug Lets Remote Users Deny Service About the security content of Security Update 2009-002 / Mac OS X v10.5.7 http://support.apple.com/kb/HT3549 php security update (RHSA-2009-0337) HPSBUX02431 SSRT090085 rev.1 - HP-UX Running Apache Web Server SuiteRemote Denial of Service (DoS) Execution of Arbitrary Code http://wiki.rpath.com/Advisories:rPSA-2009-0035 DSA-1647 php5 -- several vulnerabilities PHP: Multiple vulnerabilities MDVSA-2009:021 MDVSA-2009:022 MDVSA-2009:023 MDVSA-2009:024 [oss-security] 20080808 CVE request: php-5.2.6 overflow issues [oss-security] 20080813 Re: CVE request: php-5.2.6 overflow issues PHP 4.4.9 released! Version 4.4.9 PHP 4.4.9 RHSA-2009:0350 20090302 rPSA-2009-0035-1 php php-cgi php-imap php-mcrypt php-mysql php-mysqli php-pgsql php-soap php-xsl php5 php5-cgi php5-imap php5-mcrypt php5-mysql php5-mysqli php5-pear php5-pgsql php5-soap php5-xsl PHP FastCGI Module File Extension Denial Of Service Vulnerabilities 1020994 Multiple vulnerabilities exist in php PHP vulnerabilities TA09-133A ADV-2008-2336 ADV-2009-1297 php-fastcgi-dos(44402) php-curl-unspecified(44402) oval:org.mitre.oval:def:9597 FEDORA-2009-3768 FEDORA-2009-3848 SUSE Security Summary Report Vulnerable Configuration: Configuration 1 :cpe:/a:php:php:4.4.0:-:*:*:*:*:*:* OR cpe:/a:php:php:4.4.1:-:*:*:*:*:*:* OR cpe:/a:php:php:4.4.2:-:*:*:*:*:*:* OR cpe:/a:php:php:4.4.3:-:*:*:*:*:*:* OR cpe:/a:php:php:4.4.4:-:*:*:*:*:*:* OR cpe:/a:php:php:4.4.5:-:*:*:*:*:*:* OR cpe:/a:php:php:4.4.6:-:*:*:*:*:*:* OR cpe:/a:php:php:4.4.7:-:*:*:*:*:*:* OR cpe:/a:php:php:4.4.8:-:*:*:*:*:*:* OR cpe:/a:php:php:5.2.0:*:*:*:*:*:*:* OR cpe:/a:php:php:5.2.1:-:*:*:*:*:*:* OR cpe:/a:php:php:5.2.2:-:*:*:*:*:*:* OR cpe:/a:php:php:5.2.3:-:*:*:*:*:*:* OR cpe:/a:php:php:5.2.4:-:*:*:*:*:*:* OR cpe:/a:php:php:5.2.5:-:*:*:*:*:*:* OR cpe:/a:php:php:5.2.6:-:*:*:*:*:*:* Configuration RedHat 1 :cpe:/o:redhat:enterprise_linux:4:*:*:*:*:*:*:* Configuration RedHat 2 :cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:* Configuration RedHat 3 :cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:* Configuration RedHat 4 :cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:* Configuration RedHat 5 :cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:* Configuration RedHat 6 :cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:* Configuration RedHat 7 :cpe:/o:redhat:enterprise_linux:5::client_workstation:*:*:*:*:* Configuration RedHat 8 :cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:* Configuration CCN 1 :cpe:/a:php:php:4.4.0:-:*:*:*:*:*:* OR cpe:/a:php:php:4.4.2:-:*:*:*:*:*:* OR cpe:/a:php:php:4.4.3:-:*:*:*:*:*:* OR cpe:/a:php:php:5.2.0:*:*:*:*:*:*:* OR cpe:/a:php:php:5.2.1:-:*:*:*:*:*:* OR cpe:/a:php:php:4.4.6:-:*:*:*:*:*:* OR cpe:/a:php:php:4.4.5:-:*:*:*:*:*:* OR cpe:/a:php:php:4.4.7:-:*:*:*:*:*:* OR cpe:/a:php:php:5.2.3:-:*:*:*:*:*:* OR cpe:/o:apple:mac_os_x:10.5:*:*:*:*:*:*:* OR cpe:/o:apple:mac_os_x_server:10.5:*:*:*:*:*:*:* OR cpe:/o:apple:mac_os_x:10.5.1:*:*:*:*:*:*:* OR cpe:/o:apple:mac_os_x_server:10.5.1:*:*:*:*:*:*:* OR cpe:/o:apple:mac_os_x:10.5.2:*:*:*:*:*:*:* OR cpe:/o:apple:mac_os_x_server:10.5.2:*:*:*:*:*:*:* OR cpe:/a:php:php:4.4.1:-:*:*:*:*:*:* OR cpe:/a:php:php:4.4.4:-:*:*:*:*:*:* OR cpe:/a:php:php:5.2.2:-:*:*:*:*:*:* OR cpe:/a:php:php:5.2.4:-:*:*:*:*:*:* OR cpe:/a:php:php:5.2.5:-:*:*:*:*:*:* OR cpe:/a:php:php:5.2.6:-:*:*:*:*:*:* OR cpe:/o:apple:mac_os_x_server:10.5.3:*:*:*:*:*:*:* OR cpe:/o:apple:mac_os_x:10.5.3:*:*:*:*:*:*:* OR cpe:/a:php:php:4.4.8:-:*:*:*:*:*:* OR cpe:/o:apple:mac_os_x:10.5.4:*:*:*:*:*:*:* OR cpe:/o:apple:mac_os_x_server:10.5.4:*:*:*:*:*:*:* OR cpe:/o:apple:mac_os_x:10.5.5:*:*:*:*:*:*:* OR cpe:/o:apple:mac_os_x_server:10.5.5:*:*:*:*:*:*:* OR cpe:/o:apple:mac_os_x:10.5.6:*:*:*:*:*:*:* OR cpe:/o:apple:mac_os_x_server:10.5.6:*:*:*:*:*:*:* AND cpe:/o:gentoo:linux:*:*:*:*:*:*:*:* OR cpe:/o:hp:hp-ux:b.11.11:*:*:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:3::ws:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:3::es:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:3::as:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:3::desktop:*:*:*:*:* OR cpe:/o:hp:hp-ux:b.11.23:*:*:*:*:*:*:* OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0:*:*:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:* OR cpe:/a:mandrakesoft:mandrake_multi_network_firewall:2.0:*:*:*:*:*:*:* OR cpe:/o:canonical:ubuntu:6.06::lts:*:*:*:*:* OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0:*:*:*:*:*:*:* OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0::x86_64:*:*:*:*:* OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0::x86_64:*:*:*:*:* OR cpe:/o:turbolinux:turbolinux:fuji:*:*:*:*:*:*:* OR cpe:/o:turbolinux:turbolinux:*:*:personal:*:*:*:*:* OR cpe:/o:turbolinux:turbolinux:*:*:multimedia:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:5:*:client_workstation:*:*:*:*:* OR cpe:/o:mandrakesoft:mandrake_linux:2008.0::x86-64:*:*:*:*:* OR cpe:/o:debian:debian_linux:4.0:*:*:*:*:*:*:* OR cpe:/o:hp:hp-ux:b.11.31:*:*:*:*:*:*:* OR cpe:/a:apache:http_server:2.0.59:*:*:*:*:*:*:* OR cpe:/o:canonical:ubuntu:7.10:*:*:*:*:*:*:* OR cpe:/o:mandrakesoft:mandrake_linux:2008.0:*:*:*:*:*:*:* OR cpe:/o:mandrakesoft:mandrake_linux:2008.1:x86_64:*:*:*:*:*:* OR cpe:/a:redhat:rhel_application_stack:2:*:*:*:*:*:*:* OR cpe:/o:mandrakesoft:mandrake_linux:2008.1:*:*:*:*:*:*:* OR cpe:/o:canonical:ubuntu:8.04::lts:*:*:*:*:* OR cpe:/a:apache:http_server:2.2.8:*:*:*:*:*:*:* OR cpe:/o:mandriva:linux:2009.0:*:*:*:*:*:*:* OR cpe:/o:mandriva:linux:2009.0:-:x86_64:*:*:*:*:* OR cpe:/a:apache:tomcat:5.5.27:*:*:*:*:*:*:* Oval Definitions BACK
php php 4.4.0
php php 4.4.1
php php 4.4.2
php php 4.4.3
php php 4.4.4
php php 4.4.5
php php 4.4.6
php php 4.4.7
php php 4.4.8
php php 5.2.0
php php 5.2.1
php php 5.2.2
php php 5.2.3
php php 5.2.4
php php 5.2.5
php php 5.2.6
php php 4.4.0
php php 4.4.2
php php 4.4.3
php php 5.2.0
php php 5.2.1
php php 4.4.6
php php 4.4.5
php php 4.4.7
php php 5.2.3
apple mac os x 10.5
apple mac os x server 10.5
apple mac os x 10.5.1
apple mac os x server 10.5.1
apple mac os x 10.5.2
apple mac os x server 10.5.2
php php 4.4.1
php php 4.4.4
php php 5.2.2
php php 5.2.4
php php 5.2.5
php php 5.2.6
apple mac os x server 10.5.3
apple mac os x 10.5.3
php php 4.4.8
apple mac os x 10.5.4
apple mac os x server 10.5.4
apple mac os x 10.5.5
apple mac os x server 10.5.5
apple mac os x 10.5.6
apple mac os x server 10.5.6
gentoo linux *
hp hp-ux b.11.11
redhat enterprise linux 3
redhat enterprise linux 3
redhat enterprise linux 3
redhat enterprise linux 3
hp hp-ux b.11.23
mandrakesoft mandrake linux corporate server 3.0
redhat enterprise linux 4
redhat enterprise linux 4
redhat enterprise linux 4
redhat enterprise linux 4
mandrakesoft mandrake multi network firewall 2.0
canonical ubuntu 6.06
mandrakesoft mandrake linux corporate server 4.0
mandrakesoft mandrake linux corporate server 4.0
mandrakesoft mandrake linux corporate server 3.0
turbolinux turbolinux fuji
turbolinux turbolinux personal *
turbolinux turbolinux multimedia *
redhat enterprise linux 5
redhat enterprise linux 5
mandrakesoft mandrake linux 2008.0
debian debian linux 4.0
hp hp-ux b.11.31
apache http server 2.0.59
canonical ubuntu 7.10
mandrakesoft mandrake linux 2008.0
mandrakesoft mandrake linux 2008.1 x86_64
redhat rhel application stack 2
mandrakesoft mandrake linux 2008.1
canonical ubuntu 8.04
apache http server 2.2.8
mandriva linux 2009.0
mandriva linux 2009.0 -
apache tomcat 5.5.27
Denotes that component is vulnerable