CVSS2 score: 10 (High)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
PHP is vulnerable to arbitrary command execution. The PHP escapeshellcmd() function did not properly escape multi-byte characters that are not valid in the locale used by the script. An attacker could use this to bypass the quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands when the PHP script used certain locales. Scripts using the default UTF-8 locale are not affected by this issue.
References
lists.apple.com/archives/security-announce//2008/Jul/msg00003.html
lists.opensuse.org/opensuse-security-announce/2008-07/msg00001.html
secunia.com/advisories/30048
secunia.com/advisories/30083
secunia.com/advisories/30158
secunia.com/advisories/30288
secunia.com/advisories/30345
secunia.com/advisories/30411
secunia.com/advisories/30757
secunia.com/advisories/30828
secunia.com/advisories/30967
secunia.com/advisories/31119
secunia.com/advisories/31124
secunia.com/advisories/31200
secunia.com/advisories/31326
secunia.com/advisories/32746
security.gentoo.org/glsa/glsa-200811-05.xml
wiki.rpath.com/wiki/Advisories:rPSA-2008-0176
wiki.rpath.com/wiki/Advisories:rPSA-2008-0178
www.debian.org/security/2008/dsa-1572
www.debian.org/security/2008/dsa-1578
www.mandriva.com/security/advisories?name=MDVSA-2008:125
www.mandriva.com/security/advisories?name=MDVSA-2008:126
www.mandriva.com/security/advisories?name=MDVSA-2008:127
www.mandriva.com/security/advisories?name=MDVSA-2008:128
www.openwall.com/lists/oss-security/2008/05/02/2
www.php.net/ChangeLog-5.php
www.redhat.com/docs/en-US/Red_Hat_Application_Stack/2.1/html-single/Release_Notes/
www.redhat.com/security/updates/classification/#moderate
www.redhat.com/support/errata/RHSA-2008-0505.html
www.redhat.com/support/errata/RHSA-2008-0544.html
www.redhat.com/support/errata/RHSA-2008-0545.html
www.redhat.com/support/errata/RHSA-2008-0546.html
www.redhat.com/support/errata/RHSA-2008-0582.html
www.securityfocus.com/archive/1/492535/100/0/threaded
www.securityfocus.com/archive/1/492671/100/0/threaded
www.securityfocus.com/bid/29009
www.slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.488951
www.ubuntu.com/usn/usn-628-1
www.vupen.com/english/advisories/2008/1412
www.vupen.com/english/advisories/2008/2268
access.redhat.com/errata/RHSA-2008:0505
issues.rpath.com/browse/RPL-2503
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10256
www.redhat.com/archives/fedora-package-announce/2008-June/msg00773.html
www.redhat.com/archives/fedora-package-announce/2008-June/msg00779.html