Vulnerability CVE-2007-2509
Published: 2007-05-08   Modified: 2012-02-12

Description:
CRLF injection vulnerability in the ftp_putcmd function in PHP before 4.4.7, and 5.x before 5.2.2 allows remote attackers to inject arbitrary FTP commands via CRLF sequences in the parameters to earlier FTP commands.

See advisories in our WLB2 database:
Topic
Author
Date
Low
CRLF injection in PHP ftp function
fangxiaodun
12.05.2007

Type:

CWE-20

 (Improper Input Validation)

CVSS2 => (AV:N/AC:H/Au:N/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
2.6/10
2.9/10
4.9/10
Exploit range
Attack complexity
Authentication
Remote
High
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None
Affected software
PHP -> PHP 

 References:
http://lists.opensuse.org/opensuse-security-announce/2007-07/msg00006.html
http://rhn.redhat.com/errata/RHSA-2007-0889.html
http://security.gentoo.org/glsa/glsa-200705-19.xml
http://securityreason.com/securityalert/2672
http://support.avaya.com/elmodocs2/security/ASA-2007-231.htm
http://us2.php.net/releases/4_4_7.php
http://us2.php.net/releases/5_2_2.php
http://www.debian.org/security/2007/dsa-1295
http://www.debian.org/security/2007/dsa-1296
http://www.mandriva.com/security/advisories?name=MDKSA-2007:102
http://www.mandriva.com/security/advisories?name=MDKSA-2007:103
http://www.redhat.com/support/errata/RHSA-2007-0349.html
http://www.redhat.com/support/errata/RHSA-2007-0355.html
http://www.redhat.com/support/errata/RHSA-2007-0888.html
http://www.securityfocus.com/archive/1/463596/100/0/threaded
http://www.securityfocus.com/bid/23813
http://www.securityfocus.com/bid/23818
http://www.securitytracker.com/id?1018022
http://www.trustix.org/errata/2007/0017/
http://www.ubuntu.com/usn/usn-462-1
http://www.vupen.com/english/advisories/2007/2187
https://exchange.xforce.ibmcloud.com/vulnerabilities/34413
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10839
https://rhn.redhat.com/errata/RHSA-2007-0348.html
Copyright 2024, cxsecurity.com

 

Back to Top