Description

The mb_parse_str function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 sets the internal register_globals flag and does not disable it in certain cases when a script terminates, which allows remote attackers to invoke available PHP scripts with register_globals functionality that is not detectable by these scripts, as demonstrated by forcing a memory_limit violation.

Remediation

References

CVE-2007-1583

Related Vulnerabilities

WordPress 3.8.x Multiple Vulnerabilities (3.8 - 3.8.33)

WordPress 5.1.x Multiple Vulnerabilities (5.1 - 5.1.5)

Frontaccounting Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2020-21244)

Drupal Core 5.x Multiple Vulnerabilities (5.0 - 5.9)

Piwigo Improper Access Control Vulnerability (CVE-2016-10105)

Severity

Medium

Classification

CVE-2007-1583

Tags

Missing Update Known Vulnerabilities